INTERNAL AUDIT

Definition of internal audit

The role of the internal audit function has been defined as:
‘….an appraisal system established by management for the review of the accounting and
internal control systems as a service to the entity.’
There are several parts to this definition:
 Internal auditing is an appraisal system.
 It is established by management as a service to the entity.
 It involves the review of accounting systems.
 It also involves the review of internal control systems, which are systems for financial
controls, operational controls and compliance controls.
Corporate governance does not insist that companies have an internal audit department, but they
must keep the need for internal audit under review. More and more companies now have internal
audit departments. These departments carry out work such as:
 Assessment of the design and operation of the internal control system.
 Helping with inventory and cash counts.
 Verifying the physical existence of non-current assets.
 Assessing value for money of various activities.
 Carrying out special investigations, such as investigating a fraud.
 Assessing the security and operation of the IT system.

Internal auditors can be company employees but the function can also be outsourced.
Obviously the internal auditors’ work can be of assistance to external auditors, particularly in
their assessment of the internal control system, attending inventory counts and verifying the
existence and condition of assets. Internal auditors will often examine these matters in much
more detail, and perhaps with more insight, than the external auditors. However, it is important
to note that ISA 610 states that internal audit can be involved in substantive procedures only in
areas where only limited judgement is required. All areas involving significant judgement or
estimates must be handled by the external auditors.

TYPICAL FUNCTIONS OF INTERNAL AUDIT

Internal Audit activities usually include one or more of the following:
i. Monitoring of internal control. As entities increase in size and complexity, and become
global in nature, the task of monitoring controls becomes more difficult. An internal audit
function helps management to monitor these controls. Senior management need to
reassure themselves that internal controls are functioning effectively. An internal audit
department is usually given the specific responsibility by management for reviewing
controls, monitoring their operation and recommending improvements.
ii. Examination of financial and operating information. An internal audit department
might be given the responsibility for a detailed examination of financial and operating
information, and in particular, its reliability and usefulness. Internal auditors may
investigate how information is identified, measured, classified and reported, and
recommend improvements where appropriate. The audit work may involve investigations
into specific items of information, including the detailed testing of transactions, balances
and procedures.
 iii. Review of the economy, efficiency and effectiveness of operations, including non-
financial controls of an entity. Audits of economy, efficiency and effectiveness can be
carried out on any aspect of operations and are usually called value for money (VFM)
audits.
iv. Review of compliance. Senior management may ask the internal auditors to check that
operational departments are complying properly with certain laws, regulations and other
external requirements, or with management policies and directives and other internal
requirements. These investigations are often called ‘compliance audits’.

Factors to consider in evaluating the internal audit function include:

i. The quality of reports produced;
ii. The qualifications and experience of internal audit staff;
iii. Whether due professional care has been exercised;
iv. The degree of independence of the internal audit function;
v. Resources available; and
vi. The scope of work performed.

TYPES OF INTERNAL AUDIT

The internal audit function often has a much wider role than simply performing financial audits,
and in many entities (particularly large entities) the internal auditors are involved in other aspects
of auditing, such as:
Energy Audits: these are checks on how the entity is making use of energy and whether its
operations are energy-efficient;

Social Audits: these are checks on the impact of the entity on the society in which it operates;
Environmental Audits: these are checks on the effect the entity is having on its natural
environment, and considers issues such as the use of sustainable materials, re-cycling, reducing
pollution, and soon; and

Human Resource Audits: these are audits into the work force of an entity, to check whether the
entity has adequate systems for the recruitment, training and development of employees to meet
its current and future needs.

Financial Audits: This is the traditional role of the internal auditor. Internal auditors may be
asked by management to review accounting records and other records to substantiate figures
appearing in financial statements and management accounts. This work overlaps with the work
of the external auditor. Consequently, this aspect of internal audit work is now seen as a
relatively minor part of the total work of an internal audit department.
However, it is important to remember that by performing financial audits, the internal auditor is
able to look at the internal controls that are in place to minimise risks, identify weaknesses and to
recommend improvements in the internal control system.

Operational Audits: Operational audits examine the entity’s internal control procedures and
whether or not the control systems that have been established by management are operating
 effectively. Also, the internal audit department will make recommendations to management for
improvements to the system or the way in which it is operated.

Value for Money Audit (or VFM): It means using resources in the best way in order to achieve
intended objectives. There are three aspects to achieving value for money, often known as the ‘3
Es’.
 Economy. This means spending money carefully, and not paying more than necessary for
resources - materials, labour and other expenses.
 Efficiency. Efficiency means using resources in such a way that they produce the greatest
possible amount of ‘output’. It means getting more from the use of available resources. For
example, efficiency in the use of an employee means getting a high rate of output for every
hour or day worked.
 Effectiveness. Effectiveness means using resources in such a way as to achieve the desired
objectives. Efficiency is of little value unless the output from the system is what the entity
wishes to achieve.
VFM audits may be carried out by the internal audit department. Finding the best possible
combination of the 3Es is seen as a strategy for maximising profit performance. It is not usually
possible to achieve objectives (effectiveness) by using the cheapest resources (economy) in the
most productive way possible (efficiency). Sometimes, greater efficiency can only be achieved
by spending more, so a balance must be found between economy and efficiency. Sometimes, the
benefits of greater effectiveness are not justified by the extra cost, so a balance must be found
between economy and effectiveness.
One of the purposes of a VFM audit should be to check whether the most appropriate balance
between economy, efficiency and effectiveness is being achieved.

Compliance Audits: Entities are subject to a large number of laws and regulations, and they
may be exposed to the risk of regulatory action by the authorities if they fail to comply with the
regulations. The nature of important regulations varies from one industry to another. Controls
over health and hygiene are important for the food manufacturing industry, controls over
pollution are important for companies involved in oil and gas exploration and manufacturing
companies, controls over money laundering are important for financial services; and controls
over safety are important for companies in the public transport industry.
Internal audit can be used by management as a tool to confirm that significant laws and
regulations are being complied with by the company (or other reporting entity).

If seeking to rely on the work of internal audit, the external auditor must:
i. Assess the organisational status of the internal audit department. Are the internal
auditors objective? To whom do they report? (Should normally be the audit committee but
they should also have access to senior directors). The size of the internal audit department
can be relevant. A single internal auditor in a company can have a lonely existence,
unsupported by colleagues. However, a team of 10 internal auditors can provide mutual
strength. (Note that if the internal audit function is outsourced, it might be more independent
and objective than when the internal auditors are employees.)
 ii. Assess the competence of the internal audit department: are the employees members of a
professionals body? Are they qualified? Do they undergo regular training and updates? Do
they have time and resources to carry out their work adequately?
iii. Assess if the internal auditors carry out their work in a disciplined and systematic way.
Are there quality controls? Is there standard documentation? Is the work planned and
reviewed?
If any of these three qualities are absent (objectivity, competence and a systematic and
disciplined approach), the work of internal audit must NOT be used.
If all three qualities are present, the external auditor may plan to use their work and co-ordinate
their respective activities. The external auditor should assess if:
i. The internal audit work was properly planned, executed, supervised, reviewed and
documented.
ii. Sufficient appropriate evidence had been obtained to enable the internal auditors to draw
reasonable conclusions.
iii. The conclusions reached are appropriate and the reports produced are consistent with the
results of the work performed.
The assessment will involve the external auditor reviewing the working papers of the internal
audit function and making inquiries of appropriate individuals. It must also include some
reperformance of their work.

Direct assistance
Some jurisdictions (not the UK or Ireland) allow the internal auditors to provide direct assistance
to the external auditors. This means that the internal auditors perform audit procedures under the
direction, supervision and review of the external auditor. If internal auditors are to provide direct
assistance, the external auditor must assess the existence of significant threats to objectivity i.e.
can the internal auditors be regarded as independent? The external auditors must also assess and
the level of competence of internal auditors.
Even if direct assistance is not prohibited, internal audit cannot perform procedures that:
 involve significant judgments
 relate to higher assessed risks
 relate to internal audit's own work.

OUTSOURCED ACCOUNTING FUNCTIONS

Definition of Outsourcing
Outsourcing can be defined as hiring a party outside the organisation to perform services and to
create goods that would otherwise be performed internally by the organisation’s own employees.

Outsourcing’ by a company means arranging for an external entity to perform a task that would
otherwise be performed by the company’s own staff. It usually refers to routine and repetitive
procedures and operations.
Examples of outsourcing functions include:
 Logistics (e.g. delivery of products to customers)
 Marketing
 Recruitment
 Legal services
 Production/assembly
 Information technology (facilities management)
 Receivables ledger management (factoring)
 Tax planning and calculations
 Payroll
 Accounting
 Internal audit
Internal Audit outsourcing deals particularly with the last six functions on this list.
Potential Advantages of Outsourcing
 Access to specialist expertise. An external service provider may have skills and expertise for
doing the work, that the entity itself does not have ‘in-house’.
 Reduction in cost with efficiency gains. It may be cheaper to outsource work to an external
service provider than to do the work in-house.
 Flexibility in responding to uneven demand. The management of the entity are able to focus
their time and effort on ‘core activities’, and do not have to spend as much time monitoring
the outsourced activities.
 Access to the most up-to-date techniques and technology might not be readily available
within the entity, but the external agency may have them.
 Greater cost certainty through fixed-fee arrangements
 Transfer of risk
 Unburdens management from having to closely manage the out-sourced function (though the
process of out-sourcing does itself have to be managed).
 For internal audit, greater independence.

Potential Disadvantages of Outsourcing

 Loss of control
 Damage to reputation if the outsource company does not perform well
 Difficult to reverse (and hence, prices can be steep because the outsource company knows
this)
 Lack of responsiveness to new requirements
 Different aims of the outsourcer and the outsource company leading to a lack of goal
congruence
 Confidentiality. Company and client data are held by another party.
 The management of the entity needs to make sure that the service provider understands the
requirements of the entity in respect of the service that it is providing. If the work is not
properly specified, the service provider may fail to do everything that the entity requires it to
do.
 The entity relies on the service provider to do its work on time and have it ready at the time
that the entity requires it. This is particularly important, for example, when payroll operations
are outsourced.
 There may be problems with negotiating an appropriate fee for the work with the service
provider.
 Management need to ensure that the service provider gives the organisation an appropriate
level of priority and ‘customer care’. This means that management must carry out regular
reviews of the service level and service quality provided.
In general, the outsourcing arrangement needs to be effectively managed and controlled by the
organisation.

Impact on the audit

Often, the outsource company (the service company) simply becomes a supplier. For example,
outsourcing delivery of products to a logistics company will have little effect on audit work.
However, if IT and finance functions are outsourced that means that the financial information,
records and processing are the province of a third party and this will impact on the audit. The
auditor simply cannot ignore what’s is going on with client data at the service company. For
example, when assessing the valuation of receivables, the auditor would typically examine the
client’s aged receivables analysis and ensure that it was properly prepared so that it could be
used reliably. If a service provider, such as a factor, produces that analysis instead, the auditor
simply cannot assume that it has been prepared correctly and base the receivable valuation on
that.
The auditor needs an understanding of the processing and maintenance of client data by the
service organisation to be able to draw conclusions about the risk of material misstatement.
There are two situations:
i. The service company simply processes client’s transactions. Here, the client should be
able to implement its own controls e.g. compare input to output, ensure all transactions
processed.
ii. The service company additionally executes and takes responsibility for the client’s
transactions.
Then the client company will have to rely on the controls and procedures within the service
company.

The auditor can obtain the required understanding and audit evidence through:
 User manuals.
 System overviews.
 Technical manuals.
 Reports by the service organisation (e.g. internal auditor’s reports).
 Reports by the service auditor (such as letters highlighting internal control weaknesses).
 Knowledge derived from previous dealing with the service organisation (e.g. was it reliable
in the past).
 Comparing data submitted to the service company to information and data received back (for
example, are salary changes properly processed?).
 Obtain and assess a Type 1 or Type 2 Report (see below).
 Ask the service organisation for information.
 Visit (with permission) the service organisation and carry out audit procedures there.
 Use (with permission) another auditor to carry out audit procedures at the service
organisation.
ISA 402 Audit Considerations Relating to an Entity Using a Service Organisation, refers to
two types of report:

Type 1 Report:
A report which comprises:
A description, prepared by the management of the service organisation about the service
company’s control objectives and related controls that have been implemented.
A report prepared by the service auditor giving reasonable assurance on the suitability of the
service company’s systems and control objectives.
The service auditor is an auditor who at the request of the service company provides an
assurance report on the controls of the service organisation.

Type 2 Report:
A report which comprises:
A description, prepared by the management of the service organisation about the service
company’s control objectives and related controls that have been implemented and sometimes a
description of their operating effectiveness.
A report prepared by the service auditor giving reasonable assurance on the suitability of the
service company’s systems and control objectives, the effectiveness of the controls and a
description of the service auditor’s tests of the controls and the results of those tests So the Type
2 Report is more rigorous and useful to external auditors than Type 1 Reports.
The auditor can also ask management about problems and irregularities in the service company’s
work.
If the auditor cannot obtain sufficient appropriate evidence about the quality and reliability of the
processing being carried on by the service organisation, then the audit opinion will have to be
modified.