CPA P1 AUDITING

TOPIC 8: INTERNAL AUDIT

The Role of Internal Audit Function

Company directors have a legal requirement to produce true and fair annual
financial statements. To help ensure this is done, companies are required to
have their published financial statements audited by an external team of
experts.

Directors also need assurance on other financial matters. This assurance is

primarily for their own internal use, although in recent years pressure has grown
for more and more of such work to be made more publicly available.

This additional work is carried out by internal auditors, who may be company

employees or outside experts from a firm of accountants. In this Session, we

examine what internal auditors do and how they do it.

The UK Corporate Governance Code highlights the need for entities to maintain
good systems of internal control (RACE CAM I). An internal audit function is
part of the control environment

Assessing the need for Internal Audit

Factors to consider when assessing the need for an internal audit function
include:

 Set up cost
 Predicted savings by not having to engage external consultants , where
such work will now be carried out by the internal audit department
1
© Cenit Online 2015
CPA P1 AUDITING
 Management’s perceived need for assessing risk and internal control
 Whether it is more cost effective to outsource the work

Achieving Corporate Objectives

Internal audit is part of the organisational control of a business; it is one of the

methods used by management to ensure the efficient and orderly running of the
business as a whole, and is part of the overall control environment.

Internal auditors’ work has expanded in recent years, and the role of internal
audit often now includes:

 Helping to set corporate objectives

 Helping to design and monitor performance measures for these
objectives

Responsibility for Fraud and Error

The directors of a company are responsible for the detection and prevention of
fraud.

Internal auditors assist in this regard, by assessing the adequacy and

effectiveness of the internal control systems. The very existence of an internal
audit department may act as a deterrent to fraud.

It is not the responsibility of the external auditors to prevent and detect

fraud, although, they must consider fraud as a potential reason for identifying
misstatements in the financial statements.

2
© Cenit Online 2015
CPA P1 AUDITING
Internal Audit v External Audit

Internal Audit External Audit

Reporting To Those Charged With Members of the Company

Governance or Audit (aka shareholders)
Committee

Objective Add Value/Improve Express Opinion on the

Operations FS

Planning & Collection of Strategic long term Planning carried out to

Evidence planning ( no materiality) help achieve objective re
true and fair view
(Materiality set during
planning - maybe
amended during audit)

External Audit Work is

risk based
Audits mainly risk based
(although can be
procedural)

Evidence gathered (OAR

ICE I) as per ISA’s to
obtain sufficient
Evidence gathered mainly appropriate audit
internal evidence

Relationship Generally Direct Appointed by

employees (maybe Shareholders
outsourced)

Scope Work relates to the Work relates to the

operations of the Financial Statements

3
© Cenit Online 2015
CPA P1 AUDITING
organisation

Use the mnemonic “ROPERS” to remember the headings under which to compare
Internal Audit and External Audit

Corporate Governance Practice and Internal Audit

A properly functioning internal audit department is part of good corporate

governance, as recognised by all national and international corporate governance
codes.

Internal audit enables management to perform proper risk assessments

(another central theme of corporate governance codes) by means of properly
understanding the strengths and weaknesses of all parts of the control systems
in the business.

Corporate Risk Management & The Function of Internal Audit

Internal audit has a particular interest in evaluating the company’s risk

management structures.

Internal audit can:

 Manage the basic data used by management to identify risks

 Identify techniques for prioritising and managing risks
 Report on the effectiveness of risk management solutions (e.g. internal
controls)

4
© Cenit Online 2015
CPA P1 AUDITING

Types of Risk

A common classification is:

 Business/Industry risks – relating to the Economy, technology,

competitors
 Financial risks – interest rates, cashflow, exchange rates
 Compliance risks – breach of laws (including accounting standards)
 Operational risks – loss of key staff, reliance on one product/customer

Prioritising Risk

When prioritising risks, auditors are likely to consider the:

 Likelihood of the risk occurring

 Impact of the risk on the business

Clearly, high likelihood, high impact risks cannot be ignored and need to be
managed in some way. However, risk management is partly a cost/benefit
exercise, so low likelihood, low impact risks may not be addressed at all.

5
© Cenit Online 2015
CPA P1 AUDITING
Managing Risk

There are 4 common methods for managing risk:

 Reduce the risk, by using internal controls

 Avoid the risk, by not entering the business activity
 Accept the risk (i.e. do nothing)
 Transfer the risk to another party (e.g. insurance, sub-contracting, joint
ventures)

Example: A company that trades overseas is subject to an element of exchange

risk, in that their fortunes (and those of their competitors) are partly
dependent on exchange rate movements.

This risk could be addressed by:

 Reducing the risk by employing experts in exchange rates (likely to be

expensive, especially if the experts decide to gamble with the company’s
money)
 Avoiding the risk, by ceasing to trade overseas, or staying within
exchange zones (e.g. the Euro)
 Accepting the risk, and doing nothing
 Transferring the risk, by using hedging techniques (options, forward
contracts), or by insisting that all sales and purchase invoices are in their
own currency

Best Practice in the Structure and Operation of an Internal Audit function.

The UK Corporate Governance Code on corporate governance states that

companies without an internal audit function should regularly review the need
for one.

6
© Cenit Online 2015
CPA P1 AUDITING

Where there is an internal audit function, the audit committee should annually
review its scope of work, authority and resources, again having regard to those
factors.

Where there is no internal audit function, the audit committee should consider
annually whether there is a need for this function and make a recommendation
to the board.

Ideally, the internal audit function should be staffed with qualified,

experienced staff, whose work is closely monitored by an audit committee.

Scope & Limitations of Internal Audit Function

Internal audit staff are typically expected to carry out a variety of tasks:

 Reviewing internal controls and financial reports

 Reviewing risk management systems
 Carrying out special assignments (e.g. fraud investigation)
 Conducting operational reviews (e.g. into efficiency of parts of the
business)

Limitations of Internal Audit

 As noted earlier in these Notes, internal auditors have an unavoidable

independence problem. They are employed by the management of the

7
© Cenit Online 2015
CPA P1 AUDITING
company and yet is expected to give an objective opinion on matters for
which management are responsible
 Internal audit will only succeed if it is properly staffed and resourced
 If internal auditors identify fraud, they may be unwilling to disclose it
for fear of the repercussions (which could involve the collapse of the
company and the loss of their job)

These limitations can be reduced if an audit committee:

 Sets the work agenda for internal audit

 Receives internal audit reports
 Is able to ensure internal audit is properly resourced
 Has a “voice” at main board level

INTERNAL AUDIT ASSIGNMENTS

Internal auditors are often expected to perform operational audit on areas of

the business. Whilst specific business areas are covered, we also need to
examine types of operational audit:

VALUE FOR MONEY (VFM)

A simpler term for VFM is a “performance audit”. It tends to focus on the “3

E’s”:

8
© Cenit Online 2015
CPA P1 AUDITING
1) Economy

Attaining the appropriate quantity and quality of physical, human and financial
resources (inputs ) at the lowest cost

Regular competitive tendering and review of market prices should help to

achieve this goal.

2) Efficiency

This is a measure of the relationship between goods and services produced

(outputs) and the resources used to produce them (inputs)

Internal auditors will help management to design performance indicators that

can be measured to assess efficiency.

3) Effectiveness

How well an activity is achieving its policy objectives or other intended effects.

When performance indicators are designed, they should have such objectives in

mind.

9
© Cenit Online 2015
CPA P1 AUDITING

Value for Money Audit in a School:

1) Economy - Are school textbooks of the required standard supplied at the

lowest cost?
2) Efficiency – Can more children be taught to the same standard for the
same cost? Relating Inputs to Outputs
3) Effectiveness - Are school examination results improving as a result of
additional spending?

Example of Value for Money Audit: Busy Buses operates a number of bus routes
around the country. Its objectives are to gain market share and maximise
profits, whilst being known as the best provider of public transport in the
country. It is performing a VFM audit.

10
© Cenit Online 2015
CPA P1 AUDITING
ECONOMY

The company’s largest costs are likely to be new buses, maintenance,

petrol/diesel, staff costs. Any new bus purchases should preferably be in bulk
(to reduce the cost) and will be put out to tender. Maintenance may be sub-
contracted to a specialist firm (again, after a tender process).

Petrol/diesel may best be supplied by having their own private petrol pumps
where the buses are garaged.

Staff costs will be monitored against other bus companies, to ensure that they
are competitive (to encourage good staff) but not too high.

Given the company’s objective to be the best, it may be wise to pay staff rates
that are higher than the industry average.

EFFICIENCY / EFFECTIVENESS

Key resources are the buses and staff.

Performance indicators could include: - (Analytical Review)

• Miles per litre of petrol, on a bus-by-bus, and route-by-route basis

• % occupancy by route

• profitability of each route

• market research to establish public perception in each area

11
© Cenit Online 2015
CPA P1 AUDITING
• season ticket repeat rate (to show customer loyalty)

Internal audit will be required to maintain the data to support this ongoing
analysis, as well as suggesting additional measures.

BEST VALUE

Particularly popular in local government, where public money is being spent and
there must be a public demonstration that value is being achieved. Commonly
known as the “4 C’s”:

1) Challenge

The current position is challenged to establish whether better options may

exist

2) Compare

Performance is compared with similar service providers to establish how good

the current position is

12
© Cenit Online 2015
CPA P1 AUDITING
3) Consult

All users and providers of the service are invited to put forward their views

4) Compete

Embrace fair competition as a means of securing efficient and effective

services

Information Technology Audits

Internal auditors (likely to be computer specialists) may be required to carry

out an IT audit, covering hardware, software, internet, and the overall IT
environment in order to report on risks over input, output and processing.

Financial Audits

The most traditional part of internal audit work, involving monitoring of financial

accounting systems and management accounts to ensure they are running

efficiently and accurately.

It is this area of work that external auditors are most likely to want to rely on
in order to reduce their own work.

OPERATIONAL AUDITS

Operational audits are audits of the operational processes of the organisation.

Their prime objective is the monitoring of management’s performance ensuring
company policy is adhered to.

13
© Cenit Online 2015
CPA P1 AUDITING

Regulatory Compliance

There will be a number of regulations a company will need to comply with. Some
will be specific to the industry the client operates in (e.g. regulations over
disposing of hazardous waste in the nuclear industry) and some will apply to
companies operating in a particular region or country (e.g. tax laws). Internal
audit may assist with or review compliance with these laws and regulations.

Fraud Investigations

Fraud can range from theft/misappropriation of assets to fraudulent financial

reporting. Internal audit may be asked to investigate specific instances of
suspected fraud.

Customer Service Reviews

Internal auditors may be asked to assess the level of customer service . They
could do this by phoning in or visiting stores/outlets and pretending to be
customers.

Testing Operational or financial controls

This may include testing controls operating centrally (at head office) or at
branches

Information Technology System reviews

As already discussed

Value for Money Reviews

As already discussed
14
© Cenit Online 2015
CPA P1 AUDITING

Procurement

Better known as purchasing, procurement involves obtaining goods and services

from outside suppliers. The procurement processes must be carefully controlled
to reduce the risk of fraud and minimise purchase costs to the company.

Primary risks are:

 Fictitious or excessive payments made to suppliers (fraud)

 Inaccurate or delayed payments
 Best value not achieved from current suppliers

OUTSOURCING THE INTERNAL AUDIT FUNCTION

Outsourcing (aka sub contracting) – Use of External Suppliers

The Internal Audit Dept may consist of employees of the company or the
function may be outsourced to a service provider

Advantages of Outsourcing Disadvantages of Outsourcing

Entity does not have to recruit staff Independence and Objectivity issues if
the entity uses the same firm to
provide both internal and external
audit services

15
© Cenit Online 2015
CPA P1 AUDITING
The service provider has different Cost of outsourcing may be so high (i.e.
specialist skills redundancy cost of existing IA staff
and rates charged by Outsourcing
firm) that the directors may choose
not to have any Internal Audit
Function

An immediate internal audit dept can Staff may oppose outsourcing if it

be provided results in redundancies

Costs such as staff training are Service Provider staff may only have a
eliminated limited knowledge of the entity

Can be used on a short term basis Loss of in house skills

Service Contract can be for the

appropriate time scale

Types of Internal Audit Report

External audit reports are governed by audit standards, to ensure consistency

in reporting to shareholders.

However, different companies will require different forms of report, so

guidance is very limited for internal auditors.

Typically, an internal audit report will be addressed to the audit committee and
is likely to have the following structure, or something similar:

16
© Cenit Online 2015
CPA P1 AUDITING
 Terms of Reference
 Executive summary
 Key recommendations
 Actions, with responsibilities and timescale
 Appendices with detailed findings from the procedures undertaken

Earlier, we examined the process by which external auditors report control

weaknesses, consequences and recommendations to clients. Internal auditors
could report their findings in a similar format to that used when “Communicating
Significant Deficiencies in Internal Control” as per ISA 265.

As well as these formal reports, internal auditors may be asked to produce

specific forms of report for special investigations – e.g. in the form of a
presentation

EXTERNAL AUDITOR PLACING RELIANCE ON THE WORK OF INTERNAL

AUDITOR

ISA 610 – Using The Work Of Internal Auditors provides guidance to the
external auditor when the external auditor expects to use the work of the
internal audit function to modify the nature or timing, or reduce the extent , of
audit procedures to be performed directly, by the external auditor.

The role of internal audit is determined by management and the directors and
its objectives differ from those of the external auditors who are engaged to
report independently on the financial statements. The external auditors’
17
© Cenit Online 2015
CPA P1 AUDITING
primary concern is whether the financial statements are free from material
misstatement. The internal audit function’s objectives vary according to the
requirements of management and the directors and, generally, less emphasis is
placed on materiality considerations.

Nevertheless some of the means of achieving their respective objectives are

often similar and thus certain work of internal auditors may be useful in
determining the nature, timing and extent of external audit procedures.

There are a number of important statements in ISA 610 that reflect mandatory
practice:

The external auditor should obtain a sufficient understanding of internal audit

activities to identify and assess the risks of misstatement of the financial
statements and to design and perform further audit procedures.

The external auditor should perform an assessment of the internal audit

function when internal auditing is relevant to the external auditor’s risk
assessment.

This means the external auditors should consider the following:

S Scope of work: How are internal auditors employed and how are their
recommendations implemented?

T Technical competence: People of good quality, who are properly trained

and supervised, staff the internal audit function.

R Reports and resources: Adequately resourced with suitable staff and

technology, producing reliable reports.

I Independence: Should be free to report as independently as possible to

audit committee or chief executive.

P Professional care demonstrates care and diligence in the way that they
plan, record and monitor their work.
18
© Cenit Online 2015
CPA P1 AUDITING

‘When external auditor intends to use specific work of internal auditing, the
external auditor should evaluate and perform audit procedures on that work to
confirm its adequacy for the external auditor’s purposes’.

This evaluation may significantly reduce the amount of detailed testing that the
external auditors would normally carry out. Typical issues to be identified are
these:

 The nature and timing of the tests reflects sound judgement of risk and
materiality.
 The work is done by technically competent persons
 The work is documented with a high standard of care.
 Any unusual features that are discovered are suitably investigated and
drawn to management’s attention.
 The work of assistants is suitably supervised and documented.
 The audit conclusions are appropriate and suitably reported.
 The work of the internal auditors is tested and the external auditor is
satisfied with the quality of work done.

19
© Cenit Online 2015
CPA P1 AUDITING
Exercise - Reliance On Internal Audit

Your firm is the newly appointed external auditor to a large company that sells,
maintains and leases office equipment and furniture to its customers and you
have been asked to co-operate with internal audit to keep audit costs down. The
company wants the external auditors to rely on some of the work already
performed by internal audit.

The internal auditors provide the following services to the company:

i) A cyclical audit of the operation of internal controls in the company’s major

functions (operations, finance, customer support and information services);

ii) A review of the structure of internal controls in each major function every
four years;

iii) An annual review of the effectiveness of measures put in place by

management to minimise the major risks facing the company.

During the current year, the company has gone through a major internal
restructuring in its information services function and the internal auditors have
been closely involved in the preparation of plans for restructuring, and in the
related post-implementation review.

Required:
20
© Cenit Online 2015
CPA P1 AUDITING

a) Explain the extent to which your firm will seek to rely on the work of the
internal auditors in each of the areas noted above. (6 marks)

b) Describe the information your firm will seek from the internal auditors in
order for you to determine the extent of your reliance. (6 marks)

c) Describe the circumstances in which it would not be possible to rely on the

work of the internal auditors. (4 marks)

d) Explain why it will be necessary for your firm to perform its own work in
certain audit areas in addition to relying on the work performed by internal
audit.

(4 marks)

(Total: 20 marks)

21
© Cenit Online 2015
CPA P1 AUDITING
SOLUTION: RELIANCE ON INTERNAL AUDIT

Key answer tips

This question focuses on the relationship between the internal and external
audit functions. This is a standard area which should have been covered
thoroughly in your studies – however, as always, the examination question as set
gives the topic a specific emphasis which must be fully reflected in your answer.

In dealing with part (a) it is important to appreciate that the objectives of the
external auditors are more concerned with the true and fair view presented by
the financial statements than are the internal auditors. Consider the situations
given in the question in this context.

Much of your answer to part (b) can be based on standard material – but note
that a good answer must make some specific reference to the cyclical aspect
of the work of the internal auditors.

Parts (c) and (d) are dealing with reasonably standard aspects of the
relationship between the internal and external audit functions – these should
not produce major difficulties in answering the question.

22
© Cenit Online 2015
CPA P1 AUDITING

a. Reliance on work of internal auditors

i. As requested, the external auditors will seek to rely on the work of internal
audit to the maximum extent possible. This might cover planning, risk
assessment, tests of controls and substantive testing.

ii. In all cases, the external auditor should be aware that the purpose of
internal audit’s work will not be primarily directed towards the financial
statements.

iii. In relation to the cyclical audit of internal controls, it may be possible to rely
on the work of internal audit in relation to all of the areas noted, but only if
the internal controls audited affect the financial statements. It may be that
internal audit’s work on operations and customer support is less relevant than
its work in other areas.

iv. In relation to the four-year review of internal controls – the extent of

reliance will depend on how long ago the last review was conducted. If it was
conducted recently, it will provide help in relation to the external auditors’
assessment of the accounting and internal control systems.

v. In relation to risk management – the relevance of internal audit work depends

on the extent to which risks in relation to reporting in general, and the
financial statements in particular, have been addressed separately by
management. This work will be relevant to the external auditors’ risk
assessment and planning.

b) Information required

i. The information required to determine the extent of external audit reliance

on internal audit’s cyclical audit will be:

23
© Cenit Online 2015
CPA P1 AUDITING
 internal audit’s systems documentation (the work on information systems
and finance may include documentation of the company’s accounting and
internal control systems);

 internal audit’s planning documentation which may cover a risk analysis,

tests of controls and substantive procedures;

 the results of tests of control and substantive procedures;

 documentation on the four-year review of internal controls, particularly in

relation to the finance and information services functions.

ii. The external auditors should ask to see all documentation relating to the
work performed by internal audit on information services restructuring
during the year because the external auditors’ assessment and testing of
systems will be split into two parts, pre- and post-restructuring.

iii. Other documentation requested will include internal audit’s operating

procedures manuals and documentation relating to the recruitment, training
and development of internal audit staff, and management responses to
internal audit recommendations. This information is required to enable the
external auditor to form an opinion on the competence and effectiveness of
the internal audit function.

24
© Cenit Online 2015
CPA P1 AUDITING
c) Circumstances in which it would not be possible to rely on the work of internal

audit

i. It may not be possible to rely on the work of internal auditors if they:

 are not competent (this relates to experience as well as qualifications);

 lack integrity;
 do not properly plan or document their work, or if management does not
act on (or at least respond to) recommendations made;
 do not perform work relevant to the external auditor.

ii. It will also not be possible to rely on internal audit if internal audit is

insufficiently independent within the organisation, i.e. where internal

auditors have insufficient operational freedom, where they are reporting to

those who control the functions that they work on, or where they are

reporting on their own work.

d) External auditor work

i. External auditors will wish to perform work independently, regardless of

internal audit work, in all areas that are material to the financial statements.
For immaterial areas in which internal audit work can be shown by testing and
review to be adequate, it may be possible to rely on the work of internal audit
without performing any other work.

ii. Areas material to the financial statements are likely to be long and short-
term leasing receivables and inventory. Leases may be complex and the
auditors will wish to ensure that accounting policies are appropriate and that

25
© Cenit Online 2015
CPA P1 AUDITING
they have been properly applied. The valuation of inventory will have a direct
effect on the profit for the period.

This is an area that is easy to manipulate and external auditors will wish to
ensure that this has not happened.

iii. External auditors will also wish to perform their own risk analysis and final

review of financial statements in order to ensure that no high risk areas

have been overlooked.

26
© Cenit Online 2015