
Session 32

Internal Audit

FOCUS
This session covers the following content from the ACCA Study Guide.

A. Audit Framework and Regulation


5. Internal audit and governance, and the differences between external
audit and internal audit
a) Discuss the factors to be taken into account when assessing the need for
internal audit.
c) Compare and contrast the role of external and internal audit.
6. The scope of the internal audit function, outsourcing and internal audit
assignments
a) Discuss the scope of internal audit and the limitations of the internal audit
function.
b) Explain outsourcing.
c) Explain the advantages and disadvantages of outsourcing the internal audit
function.
d) Discuss the nature and purpose of internal audit assignments including value for
money, IT, financial, regulatory compliance, fraud investigations and customer
experience.
e) Discuss the nature and purpose of operational internal audit assignments.
f) Describe the format and content of audit review reports and make appropriate
recommendations to management and those charged with governance.

Session 32 Guidance
Note that internal audit can be examined in any question on the examination paper (see Session 00).
Learn the definition and the areas in which internal audit assists management (s.1.1).
Learn the main areas of difference between the roles and responsibilities of internal audit as compared
with external audit (s.1.2).
Note the factors which may limit the effectiveness of internal audit (s.1.4) and those which affect the
need for an internal audit function (s.1.6).
F8 Audit and Assurance (INT) Becker Professional Education | ACCA Study System

Ali Niaz - ali.niaz777@gmail.com


VISUAL OVERVIEW
Objective: To describe the role, scope and functions of internal audit and the nature and
extent of internal review assignments.

INTERNAL AUDIT
• Terminology
• Relationship Between External
and Internal Auditors
• Scope of Work
• Limitations
• Approach to Assignments
• Assessing Need for Function

OUTSOURCING
• Factors to Consider
• Benefits
• Disadvantages to the Company
• Service Provider Issues

CORPORATE GOVERNANCE
• Session 3

RISK MANAGEMENT
• Assurance Role
• Contribution

OTHER ASSIGNMENTS
• Value for Money (VFM)
• Best Value
• IT Audit
• Financial Processes Audit
• Operational Audit

INTERNAL AUDIT REPORTS
• Primary Purposes
• Reporting Arrangements
• Structure
• Timing
• Sample

Session 32 Guidance
Understand the benefits and disadvantages of outsourcing internal audit (s.2) and the role of
internal audit in risk management (s.3).
Understand the nature of the other assignments which may be undertaken by internal
auditors (s.4).
Read the sample internal audit report and appreciate the similarities to an external auditor's
report to management (s.5).

© 2014 DeVry/Becker Educational Development Corp. All rights reserved. 32-1



Session 32 • Internal Audit F8 Audit and Assurance (INT)

1 Internal Audit

Internal audit—an independent, objective assurance and consulting
activity designed to add value and improve an organisation's
operations. It helps an organisation accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control and governance
processes.*
—Institute of Internal Auditors (IIA)

*For companies listed on a recognised stock exchange it is regarded
as good practice to establish internal audit functions to undertake
regular monitoring of key controls and procedures.

1.1 Terminology
• This definition usefully outlines the relationship between
internal audit and the management of an entity. Key
elements that have not been covered elsewhere in the Study
System are:

Add value
• Organisations exist to create value or benefit to their
owners, other stakeholders, customers and clients. Value is
provided through:
  • the development of products and services; and
  • the use of resources to promote those products and
  services.
• When gathering data to understand and assess risk, internal
auditors gain insight into operations and opportunities for
improvement that can be beneficial to the organisation.

Control
• Any action taken by management, the board, etc. to enhance
risk management and increase the likelihood that established
objectives and goals will be achieved.

Adequate control
• Present if management provides reasonable assurance that:
  • risks have been managed effectively; and
  • goals and objectives will be achieved efficiently and
  economically.

Governance process
• The procedures utilised by the representatives of the
entity's stakeholders to provide oversight of risk and control
processes administered by management.


1.2 Relationship Between External and Internal Auditors

Role
• External: To provide an independent opinion (in a report) on
financial statements (see Sessions 1 and 30).
• Internal: To appraise, examine and evaluate organisational
activities and assist management in discharging its
responsibilities.

Required by
• External: Statute (typically).
• Internal: Management, usually in larger organisations, will be
urged/required by best practice (e.g. governance codes) to
continually review need for internal audit.

Appointed by
• External: Shareholders (usually at an AGM) or directors.
• Internal: Highest level of management charged with
responsibility for internal audit (e.g. audit committee under
corporate governance codes).

Reports to
• External: Shareholders (primary statutory duty) and management
(professional responsibility).
• Internal: For listed companies, usually the audit committee
under corporate governance codes. For other companies, the
highest level of management charged with governance (e.g. the
board).

Reports on
• External: Financial statements. Primary responsibility is of a
financial focus.
• Internal: Organisational risk management, internal control and
quality of performance. Focus is operational as well as financial.

Forms opinions on
• External: "True and fair view" (or similar) of financial
statements.
• Internal: Effectiveness of risk management strategy and
operations, operation of corporate governance, adequacy and
effectiveness of internal control and other business functions as
a contribution to the economic, efficient and effective use of
resources (see s.3).

Status
• External: Independent of client company.
• Internal: Employee (therefore potentially less objective).

Qualification
• External: Usually ACCA, ICAEW, ICAI or ICAS.
• Internal: May also be members of other professional bodies
(e.g. IIA) or unqualified.

Scope of assignment
• External: Unlimited, to fulfil statutory obligation. Usually
defined by legislation as well as ISA.
• Internal: Prescribed by management, those charged with
governance or audit committee.

Conduct of audit
• External: In accordance with ISAs, for example.
• Internal: Similar, Standards for the Professional Practice of
Internal Auditing, including ethics.


1.3 Scope of Work


• Understand the key risks (including fraud) and assess the
adequacy of the processes by which these risks are identified,
evaluated and managed (see s.3).
• Review the sufficiency of the information and the adequacy
and operation of controls used to manage those risks.
• Assess the reliability and integrity of key financial and
operating information and the means used to identify,
measure, classify and report such information.
• Review the processes and systems to ensure adherence with
those policies, plans, procedures, laws and regulations which
could affect the company and determine whether it is in
compliance.
• Review the means of safeguarding assets and other key
resources, especially information in hard copy or on computer
systems, including business contingency plans and the
security of computer systems.
• Review operations or projects (including systems under
development) to ascertain whether results are consistent with
established objectives and goals, and whether the operation or
projects are being carried out as planned.
• Monitor corrective action plans to ensure that management
implements them promptly and effectively.
• Advise management on cost-effective controls for new
systems and activities.
• Liaise with those charged with governance (e.g. the audit
committee) and the external auditors (as necessary).

1.4 Limitations of the Internal Audit Function


• Without the full support and backing of key management
elements (e.g. the board chairman and the audit committee
in listed companies and the board chairman/CEO in non-listed
entities), the authority of internal audit and the scope of its
work may be severely limited.
• The effectiveness of the internal audit function can be limited
by the following factors:
  • The role is not taken seriously by management; merely a
  regulatory requirement (and therefore a cost to be kept to a
  minimum and tolerated). It is not considered a key element
  of the control environment (see definition).
  • It is not allowed to operate as an independent function in
  the organisation.
  • The scope of its work is dictated/limited by executive
  management rather than being set by an independent
  source (e.g. the audit committee).
  • Reporting lines are not, initially, to those who can ensure
  that appropriate action is taken (e.g. the audit committee).
  • Access is denied to key personnel and information.


  • The skills of the internal auditor do not match (or are not
  greater than) those of the employees being audited.*

*In the Barings Bank fraud of 1995, Nick Leeson (the perpetrator of
the fraud) considered the bank's internal auditor to be "an idiot" in
that she did not understand the systems she was auditing and he
was easily able to mislead her. In addition, her work programme
was limited and she was recalled to London by senior management
before being able to complete her work.

1.5 Approach to Assignments


• The general framework in which internal auditors will approach
their assignments is not that dissimilar to the approach used
by external auditors.
• Both require terms of reference; the external auditor in the
letter of engagement and the internal auditor in the scope of
instructions given by management/audit committee.
• Both need to understand the entity, its environment and
internal control. In particular, the internal auditor will need to
cover all controls (not just financial) that are relevant to his
assignment.
• Both will need to plan and document their work. Materiality,
risk assessments, sampling, analytical review, use of
CAATs (especially in systems heavily reliant on information
technology) are all aspects of the internal auditor's planning
and work procedures.
• Both apply strong quality control procedures (e.g. IAASB and
IIA requirements).
• Both will report on their work, although (as noted previously)
the nature and format of the reports are different.

1.6 Assessing the Need for an Internal Audit Function

• When the board and senior management are sufficiently close
to the business and the systems are not so complex, the
following sources of assurance about the way the business is
operated may prove to be adequate:
  • the views of, and representations from, executive directors
  and senior managers;
  • the views of other employees through, for example, a
  self-assessment process;
  • results of management's internal confirmation procedures;
  • regular information on financial and operational matters;
  • performance indicators;
  • early warning mechanisms;
  • external auditor's management letters;
  • reports of any relevant external regulators; and
  • reports (if any) from relevant internal compliance functions.


In such cases, there may be no immediate need for an internal
audit function.

• However, management's time and attention can be very
stretched as organisations grow and:
  • become more geographically diverse;
  • business is undertaken in new environments
  (e.g. e-commerce);
  • develop new products and competitive pressures increase;
  • systems become more complex; and
  • change is the norm.*

*This is especially true if corporate reorganisation has resulted in the
"delayering" of middle management, thereby removing established
or potential control mechanisms.

• In particular, when a company becomes listed, the demands
placed on management for transparency and effective running
of the business by the stakeholders are significantly increased.
• As many stock exchanges require listed companies to operate
internal control functions (or explain why they do not in their
annual reports), the key issues to consider may mainly relate
to larger, unlisted entities.
  • Are the existing management processes adequate to:
    — identify and monitor the significant risks facing the
    company; and
    — confirm the effective operation of the established internal
    control systems?
  • With ever-increasing pressures on management at all
  levels, can those who are responsible for managing risks
  and operating controls always take a wholly objective and
  systematic view of their own performance?
  • Does the board receive the right quality of assurance and
  information from management and is it reliable?
• The board needs to obtain assurances that its risk and control
processes are effective. Management, internal audit and
others may provide such assurance. Objective assurance
and advice is provided by an internal audit function, thereby
assisting the board and senior management with their
stewardship responsibilities.
• Boards, audit committees and senior management now
recognise that what is of relevant value to their business is the
internal auditors':
  • knowledge of the organisation, its systems and its
  processes; and
  • skills and experience (e.g. in independently reporting on
  their findings and making recommendations to improve the
  effectiveness of the processes).


Example 1 Assessing Need for Internal Audit Function
Suggest additional matters which directors might consider when assessing the need for an
internal audit function.

Solution

2 Outsourcing
• The outsourcing of internal audit has increased as the need for
internal audit has increased (e.g. to better meet requirements
of corporate governance):
  • Small companies may outsource because they do not have
  the resources to set up their own department.
  • Larger companies may decide that resources are best used
  elsewhere and not invest in this non-core (though essential)
  area.
• Such services are offered by specialised internal audit
providers as well as the "global" and other accounting firms.


2.1 Factors to Consider


• What to outsource—the whole of internal audit services or
specific functions (e.g. environmental auditing)?
• What (and/or who) to retain—the head of internal audit
may be retained as an employee (to keep a high level of
responsibility in the company)?
• Terms of reference:
  • What services will be provided?
  • Whom does the service provider report to?
  • What form will reports take?
  • What action will be taken if problems occur?
  • How will fees be determined and charged?

2.2 Benefits
• Costs—a company with an in-house internal audit service
must pay salaries, training and overheads. Although
contractors' fees also will be set to cover these, there may
be economies of scale. The company only would pay for
resources when required (e.g. environmental auditing) so the
total cost may be cheaper.
• Consistency with external audit—if outsourced (e.g. to
the external auditors) there may be greater consistency in
approach between internal and external audit. External audit
may be able to place more reliance on internal audit (see
Session 33) and hence the company would benefit from a
lower fee.
• Skills—outsourcing provides access to new skills. External
providers will have a wider range of available skills and
experience gained by auditing other companies.
• New techniques—both the internal and external audit
markets are very competitive. This encourages firms to
develop new techniques which are more efficient and effective.
Contracting out gives the company access to these techniques
without a high level of investment.
• Management time—time and resources can be freed to
concentrate on core areas of the business.
• Liability—legal action may be brought against an external
service provider if its standards are not acceptable.

2.3 Disadvantages to the Company


• Skills—an external contractor may lack the specialist skills
relevant to a particular company which an in-house service will
possess. Once a contractor is brought in these skills may be
lost forever.
• Constraints on service—the service provider will need to act
in accordance with the terms of reference. This may mean
that it is unable to follow up suspicious circumstances outside
of the duties specified without first seeking permission from
the company and renegotiating the terms of reference.


• Flexibility—an in-house department will provide a permanent
presence whereas contracted-out services may only be at
the company for discrete periods. In-house staff may have
more commitment to the company (e.g. willingness to work
overtime, travel, etc). Outsourcing may result in reduced staff
availability and flexibility.
• Conflicting reporting lines—internal audit should report
to the audit committee or board of directors of the company.
However, as an employee of the internal audit provider, the
employee may be expected to report to the management as
well as the client. The service firm will be responsible for
issues such as promotion and training and therefore needs
to monitor its employees. These issues are compounded
where the internal audit function is outsourced to the
external auditors.
• Expectation gap—an expectation gap has existed for
external audit for many years. If the profession cannot meet
public expectations for a narrow role which is defined by
statute, can it meet management's expectations for a wider
role when providing internal audit services to clients? The
company may discover too late that it is not getting what
it wants. If a contract has been agreed it may be difficult
to change.
• Standard of service—once an external provider has secured
the contract, the level of service provided may fall. The
audit committee/board of directors must monitor and ensure
that the quality of staff provided is satisfactory and work is
completed according to the terms of reference.
• Corporate culture—contracting out any service involves a
change to corporate culture. Unless managed sensitively,
outsourcing may lower employee morale, reduce performance,
generate a negative cultural impact and create permanent
job insecurity.

2.4 Service Provider Issues


• Skills—the service provider must have the appropriate skills
and expertise to undertake the internal audit role. Although
there are overlaps between internal and external audit,
internal audit usually fulfils a wider role.
• Staff management—undertaking internal audit functions
may improve staff management where the service provider
is an audit/accountancy practice. Internal audit work may be
conducted during slacker times when there are fewer external
audit engagements. However, internal audit must not be a
lower priority.
• Effect on external audit—although there are overlaps, the
roles of internal and external audit are different. If both roles
are performed by the same firm the distinction could become
blurred. This could lead to a reduced level of service overall
and a lower level of credibility being attached to the external
auditor's report (see Session 4 regarding ethical issues for the
external auditor).


• Independence issues—outsourcing increases independence,
as an in-house department can never be truly independent.
Staff from the service provider must be subject to the same
IIA Ethical Guidelines (and if from an external audit firm,
the IESBA Code) and the provider must have mechanisms to
ensure compliance. Rotation of staff is more likely, so close
relationships do not build up between internal audit staff and
the client.
• Drawbacks—the external provider could become dependent
on the client. The risk is perceived to be particularly great
where the internal auditor is the external auditor.
• Restrictions—although there are no legal restrictions on the
outsourcing of internal audit to a third-party service provider,
legal and/or ethical standards may restrict this practice to
prevent external auditors from acting in client roles. For
example, statutory auditors are precluded from serving as
the internal auditor to clients whose financial statements they
certify in many countries (e.g. United States, France, India,
Italy, New Zealand and Norway).

3 Risk Management

3.1 Assurance Role


• A proper system of internal control in practice requires a
proper system of risk management and organisational control.
• Internal auditors do not judge the appropriateness of a
company's objectives or the board's strategies to achieve
those objectives. They examine the effectiveness of the
processes by which the consequent risks are identified,
managed, mitigated and reported. Internal auditors also add
value by the identification of opportunities to improve the
cost-effective management of risk.
• The assurance role of internal audit is to deliver assessments
of the adequacy and effectiveness of the processes by which
risks are:
  • identified and prioritised;
  • managed, controlled and mitigated; and
  • reported
such that the residual risks are recognised by and clearly
acceptable to the board.


3.2 Contribution to Risk Management


• Risk management is not the responsibility of the internal
audit function. Many large organisations have separate risk
management functions.
• Internal audit's job may be to assist that function or the
board by:
  • providing objective assurance on the adequacy and
  effectiveness of the risk management and internal control
  framework;
  • helping improve the processes by which risks are identified
  and managed; and
  • helping strengthen and improve the risk management and
  internal control framework.
• Internal audit can:
  • provide advice on the design, implementation and operation
  of control systems;
  • identify opportunities to make control cost savings;
  • promote a risk and control culture in the organisation;
  • act as facilitators, guiding managers and staff through a
  self-assessment process (e.g. by leading workshops); and
  • become a centre of expertise for managing risk by providing
  enterprise-wide risk management services (ERM).
• To be effective, the management of risk requires information
which is:
  • relevant;
  • meaningful; and
  • timely.
• Such information is required:
  • to facilitate decision-making; and
  • to monitor business activities, supporting processes and the
  operational health of the company.
• Internal audit has a role to play providing relevant information
to alert the board and senior management to "exceptions" or
other warning signals.


4 Other Assignments

4.1 Value for Money (VFM)


Value for money auditing—the evaluation of management's
achievements in terms of the economy, efficiency and effectiveness
(the "3 Es") of operations.*

*VFM has been prominent in the public sector (e.g. in the UK)
since the 1980s when "audit" was narrowly interpreted as a
financial audit.

Economy
• Concerned with obtaining specified resources (i.e. inputs such as
material, finance, human, time) at the lowest cost.

Efficiency
• The achievement of either:
  • the maximum output (at a given quality) from a given input; or
  • a given output (at a given level of quality) from the minimum
  input.

Effectiveness
• The achievement of outputs which meet management's objectives.

• Value for money (VFM) audits are carried out to ensure that
corporate resources, shareholders' funds and taxpayers'
contributions are not wasted. However, the VFM audit process
may or may not be empowered to question whether the
objectives set were justified.
• Very often a benchmark is required. VFM only can be
judged by comparison; external or internal (e.g. between
departments or divisions). Present methods of operation and
use of resources must be compared with alternatives to see
whether value for money is being obtained.
• Top management is responsible for committing the
organisation to a VFM review process.


• The head of internal audit is responsible for conducting VFM
reviews and for comparisons between functions and across
time. Internal audit can report on:
  • unnecessary spending (e.g. overtime guaranteed when work
  is completed in normal hours);
  • misdirected spending (e.g. capital expenditure outlay on
  lower-quality assets requiring a higher level of revenue
  expense quality);
  • over-priced spending (e.g. discounts are unclaimed); and
  • under-recovered revenue (e.g. failure to collect on disposals
  of assets).
• Line managers should take responsibility for implementing the
VFM review, although very often the responsibility remains
with the head of internal audit. They will be responsible for
implementing the recommendations from a VFM review.

Advantages
• Management attention is focused on economy and efficiency but
this is tempered by the need for effective performance.
• It promotes the use of performance indicators.
• It should eventually lead to self-measurement with audit only
used to compare performance between business units on an
objective basis.
• Although VFM audit is often used to promote cost savings, it
also can be used to identify revenue opportunities.

Disadvantages*
• Economy and effectiveness are often opposed (e.g. saving money
may result in the need for lower quality). This is often overcome
by treating one element as fixed (e.g. achieving savings based on
an agreed quality level).
• It is difficult to create a balance between short-term and
long-term gains and thus savings now may lead to additional costs
in the future.
• Savings in one area may create additional costs to another area
(e.g. reducing costs of production but increasing other costs
because of quality rejects or warranty repairs).
• Comparisons between business units may be spurious (e.g. one
business unit may excel at a particular process, the costs of which
are relatively high compared to other processes carried out by
other units, so measuring the cost per process will not be
meaningful).
• VFM targets may be manipulated by managers (e.g. production is
arranged to meet the target rather than what is actually required).
• Once performance indicators have been established, the audit
work is routine and not especially challenging.

*None of the disadvantages of a VFM audit are insurmountable, but
to overcome them requires active management.


4.2 Best Value

Best value—a duty to deliver services to clear standards—covering
both cost and quality—by the most effective, economic and efficient
means available.
It seeks to secure continuous improvement in the way its functions
are exercised, having regard to a combination of economy, efficiency
and effectiveness.*

*Internal audit can ensure that the concept of best value is
incorporated into the risk management process of the entity in
assessing current services and setting strategies for development.
As a service provider (to management) the internal audit function
itself must be able to demonstrate best value.

• The "best value" audit has evolved from VFM auditing
in the public sector and local and central government. It
incorporates the "4 Cs":

Challenge
• Why and how a service is provided.

Consult
• Local taxpayers, service users, partners and the wider business
community in the setting of new performance targets.

Compare
• Benchmark against the performance of others across a range of
relevant indicators to aim to improve.

Compete
• Consider fair competition as a means of securing efficient and
effective services.

4.3 IT Audit
• Information systems are pervasive through most organisations
and would, in most cases, be considered a significant risk
through, for example:
  • no IS strategy or a strategy that does not fit the business
  strategy;
  • poor project management;
  • poor system design (including controls) development and
  implementation;
  • acceptance of an inappropriate system;
  • significant expenditure for a system that does not deliver;
  • poor security, transaction integrity and process alignment;
  • corruption of data used by management for decision-making;
  • access to sensitive information by unauthorised personnel;
  • unexpected (non-scheduled) downtime;
  • breaches of laws and regulations; and
  • no (or inappropriate) disaster recovery procedures.


4.3.1 Information Systems Auditing


• Session 12 covered CIS, CIS controls and electronic
commerce. The primary role of internal audit will be to review
and report on all aspects of IS in the organisation (e.g. ensure
that the controls and systems operate as intended).
  • Application controls (i.e. controls to ensure completeness,
  accuracy, security and effectiveness of processing) exercised
  over input, output, processing, computer files and master
  files; and
  • General installation controls (i.e. controls over the
  acquisition, development, maintenance and operation of
  computer-based systems).

4.3.2 System Development Project Audit

• The deliverable of a systems development project is a new
information system. The primary purpose of auditing a
system under development is to ensure that:
  • adequate, effective controls are built into the system;
  • complementary manual controls are designed to ensure
  adequate and effective internal controls over the business
  system as a whole; and
  • the most efficient combination of manual and automated,
  preventive and detective controls are designed and
  implemented.
• In addition, internal audit can:
  • provide assurance that IS projects are being effectively and
  efficiently managed; and
  • carry out appropriate testing (e.g. static, dynamic, unit,
  system, performance) at each stage of the system's
  development process to ensure that the deliverable from
  each stage meets the specifications of that stage (e.g.
  review the systems analyst notes of meetings with a user
  and agree that these have been reviewed and approved
  by the user; test the design and programming of the
  application controls that it, internal audit, initiated).

4.4 Financial Processes Audit


• The financial process audit is effectively internal audit's
  traditional role. Accounting and financial processes include:
  • receiving value from sales transactions, disposals of assets,
    investments (interest income);
  • "bought ledger" processing (of invoices for goods and
    services before suppliers are paid);
  • treasury functions;
  • supplying financial and management information (e.g. to
    stakeholders);
  • appraising new business; and
  • developing and maintaining accounting systems and
    financial controls.

• The purpose of the accounting and financial process audit is
  to review all available evidence to substantiate information
  in management and financial reporting (such that it is not
  inappropriate and inaccurate). That is, to minimise risk
  by ensuring:
  • the completeness and accuracy of recorded transactions;
  • that assets are safeguarded;
  • that complete, accurate and relevant information is provided
    on a timely basis; and
  • that accounting and finance functions are managed
    efficiently.

4.5 Operational Audit ("Process-Based" Audit)


• An operational audit is an audit of the operational processes of
  an organisation (its primary activities and support activities)
  to ensure that management has:
  • adequate controls and other risk management measures
    in place to achieve business objectives (risk management)
    economically and efficiently; and
  • adequate routine assurances which inform them that
    controls and risk management measures are effective.
• Operational audits may be wholly performance-based or
  compliance-based or include elements of both approaches:
  • Performance-based audits relate to processes or activities
    being evaluated to draw conclusions about the adequacy
    of the products and the adequacy and effectiveness of the
    processes associated with those products.
  • Compliance-based audits use investigation, discussion,
    observation, examination, or evaluation to determine the
    adequacy of and systems compliance with established
    procedures and the effectiveness of systems implementation
    (similar to the standard systems-based audit approach, but
    applied to all controls).*

*In considering the various audit areas, although specific points
have been made, the overall approach is always to understand the
business element, the risks and controls in place and to carry out
tests accordingly. In addition, many elements overlap (e.g. VFM,
best value, IS can be applied to marketing and HR).

4.6 Other Internal Audit Assignments


• Other assignments that internal auditors can perform include:
  • Reviews and tests of internal controls, including testing the
    cash controls of retail entities and reviewing financial and
    operating controls.
  • Fraud investigations, including reviews of areas of high
    fraud risk, the development of controls to mitigate those
    risks, and investigations of suspected frauds.
  • Reviews of compliance with applicable laws and regulations.

5 Internal Audit Reports

5.1 Primary Purposes


• The purpose of internal audit reports will be driven by the
  terms of reference of the assignment. Mostly, they:
  • provide management with an opinion (e.g. on the adequacy
    of the internal control system); and
  • inform management of significant findings, conclusions and
    recommendations arising from the work carried out.
• Depending on the type of report issued, the aim of the report
  would be:
  • to provide appropriate assurance to management or
    recommendations to enhance business performance;
  • to prompt management action to implement
    recommendations for change leading to improvement in
    performance and control; and
  • to provide a formal record of points arising from the
    assignment and, where appropriate, of agreements reached
    with management.

Example 2 Business Performance Reports


Suggest differences between a review report of business performance and a report on a
systems compliance review.

Solution

5.2 Reporting Arrangements


• The format and distribution of internal audit reports should
  be agreed with management. The head of internal audit
  should ensure that reports are sent to managers who have a
  direct responsibility for the unit or function being audited and
  who have the authority to take action on the internal audit
  recommendations.
• Internal audit reports are confidential documents and their
  distribution should be restricted to those managers who need
  the information, to the audit committee and to the external
  auditor.
• While the internal auditor may clear minor matters which
  do not indicate a consistent or systematic weakness with
  members of staff directly involved, matters of consequence
  should be reported formally in writing to management.

5.3 Structure of the Report


• There are no formal structures, unlike the external auditor's
  report, for an internal auditor's report. As with any business
  report, the structure of the report suits its purpose, be it
  formal, informal, a discussion paper, a presentation (e.g. with
  PowerPoint notes for participants) or a monthly summary.
• A typical business report would have the following elements:
  • Terms of reference
  • Executive summary
  • Body of report:
    — key findings and recommendations; and
    — detailed findings and agreed action
  • Appendices.
• The body of the report will depend on the terms of reference.
  For example, for a report on controls the structure may be
  very similar to management reports produced by the external
  auditor (see Session 13). However, the content will be
  very different where the internal auditor is concerned with
  operational matters of economy, efficiency and effectiveness.
• The reports should be clear, constructive and concise and
  based on sufficient, relevant and reliable evidence, which
  should:
  • state the scope, purpose, extent and conclusions of the
    assignment;
  • make recommendations which are appropriate and relevant
    and which flow from the conclusions; and
  • acknowledge the action taken, or proposed, by
    management.

5.4 Timing

• An interim report, orally or in writing, should be made where:
  • it is necessary to alert management to the need to
    take immediate action to correct a serious weakness in
    performance or control; or
  • where there are reasonable grounds for suspicion of
    malpractice.
• Consideration also should be given to interim reporting where
  there is a significant change in the scope of the assignment or
  where it is desirable to inform management of progress.*
• The internal auditor should normally meet with management
  to discuss the audit findings at the completion of fieldwork for
  each internal audit assignment and the formal written report
  should be presented to management as soon as possible
  thereafter.
• Before issuing the final report, the internal auditor
  would discuss its contents with the appropriate levels of
  management. In addition, it may usually be necessary to
  include management comment in the body of the report. A
  draft report for management comment and confirmation of
  factual accuracy may also be issued prior to finalising the
  formal report.

*Interim reporting does not diminish or eliminate the need for
final reporting.

• If the internal auditor and management disagree about the
  relevance of the factual content of the draft audit report, the
  internal auditor should consider whether reference should be
  made to this in the final report.
• It is management's responsibility to ensure that proper
  consideration is given to internal audit reports. The internal
  auditor should ensure that:
  • appropriate arrangements are made to determine whether
    action has been taken on internal audit recommendations; or
  • management has understood and assumed the risk of not
    taking action.
• See Session 3 to review the role of the Audit Committee in
  relation to internal audit reports.

5.5 Sample Internal Audit Report

INTERNAL AUDIT REPORT


Private and confidential
The contents of this report are confidential and may include comments of a sensitive nature.
Care should be taken to ensure that unauthorised personnel do not have access to the report
and that if it is circulated further, this is done with discretion.
23 November 20X6

SCOPE
The systems review at … took place from 17 September to 5 October 20X6. The objectives of
the assignment were:
i) To assess the adequacy of internal controls.
ii) To ensure adherence to statutory legislation and company policies.
iii) To review the efficiency and effectiveness of operations.
iv) To assess the quality of management reporting and information.

CONCLUSION
The branch has been operationally and financially poorly controlled. Branch management have
reacted positively to the draft report and are actively addressing the issues raised. All the points
raised in this report and subsequent recommendations made need to be implemented.

MAIN FINDINGS (References in brackets are to Appendix I)

Inventory
1. There is no investigation of "no stocks".¹ No stocks have been very high—up to 20%. This
has led to considerable customer dissatisfaction.
Formal investigation of no stocks should be introduced to improve the service level to clients.
(1.1)
2. There is insufficient control over the warehouse systems. Before further liability for inventory
loss is assumed, the access of staff to the systems must be restricted.
A report of adjustments cannot be produced by the inventory system to ensure all
adjustments are legitimate. The production of this report should be prioritised to stop this
aspect of the operation running blind.

Payroll
1. Not reproduced.
2. There has been an apparent lack of supervision and review of the work of the payroll clerk
who left the company at the end of August. There is a risk that unauthorised amounts may
have been paid. A full reconciliation to assess the situation further will be performed at the
beginning of December. (2.2)
Etc …

Security
1. It remains possible to gain unauthorised access into the warehouse on account of the lack
of security presence on the route between the car park and the warehouse. This should be
addressed immediately following the audit. (3.1)
Etc …

Purchases
1. Purchases have been poorly controlled at the branch. Typically, invoices have arrived in the
accounts department and have been authorised for payment by the former finance manager
without reference to the operational management to confirm the legitimacy of the expense.
The temporary Finance staff have now addressed this situation. (6.1)

APPENDIX I (EXTRACT)
1.1
Observations:
There is currently no investigation or recording of no stocks.
Inventory department are not aware of any "no stock" report
available from the system.¹
Effect:
Stores orders are not fulfilled.
Recommendation:
The level of no stocks should be traced using either the "issues
not confirmed report" or, more crudely, the number of issues
physically returned to the office.
Management's comments:
Agreed
Target date:
Immediate

2.2
Observations:
There appears to have been little or no independent review
of the payroll function by senior management. The former
finance manager may have performed some checks; however,
this has not been evidenced.
19 payslips on the payroll of 29/09/06 have been checked in
detail. Five employees' overtime was overpaid because the
total hours had been incorrectly summed in input sheets.
The payroll clerk has left the company, despite an enhanced
offer to stay and with new employment to go to.
Effect:
The payroll does not appear to have been adequately
supervised. There is a possibility that, in addition to
processing errors, irregularity has occurred.
Recommendation:
Duties and controls should be segregated as described in point
2.1 above (not reproduced).
There should be full reconciliation between the schedule of
employees who have worked at the branch prepared by the
human resources department and the payrolls processed to
date to ensure persons paid are bona fide and that they have
worked the weeks paid.
The casting of basic and overtime hours by authorising
managers should be checked by payroll staff.
Management's comments:
The reconciliation will be performed in November by Mrs
Motley.
The accountant will review the standing data expense report
every month.
Payroll personnel will check the addition of hours.
Target date:
Immediate.

¹ Also called "stock-outs".

APPENDIX I (EXTRACT) (continued)


3.1
Observations:
The security of the site is currently being reviewed by Shield
Consultants who are addressing fencing, CCTV coverage and
recording and the level of searches (personnel and vehicle)
conducted.
There is still a problem with the ease with which unauthorised
persons may gain access to the warehouse without being
challenged. Also, there is uncontrolled access from the
warehouse to the staff car park.
Effect:
Inadequate security measures give rise to an increased risk of
damage to premises and inventory and to an increased risk of
inventory pilferage.
Recommendation:
All IDs should be checked when staff enter the warehouse.
Visitor access should not be permitted until management
authorisation is obtained or if visitors have been pre-notified to
the gatehouse and the visitors' IDs have been checked.
Management's comments:
Agreed. In the short-term the warehouse access store will be
manned full-time across all shifts and locked at night. There
will be 100% ID checks.

6.1
Observations:
Invoices 1129 – 1746 were checked for adequate authorisation
and supporting documentation. All invoices were authorised,
the majority by the former finance manager. Only six invoices
were supported by POs.
POs in this sample were generally inadequately completed,
priced and dated.
GRNs were not received from the warehouse to confirm
receipts of goods.
Effect:
The managers initiating purchases are often not involved in
the checking or authorisation of invoices. Accruals are being
understated.
Recommendation:
Non-administration invoices should be checked by operational
managers.
Authorised GRNs should be received from managers who have
raised requisitions.
All purchase requisitions should be costed. POs may not be
priced unless requisitions are priced.
Management's comments:
Agreed. Invoices may be authorised by the financial manager if
they have been checked by the requisitioning manager.

Session 32

Summary
• Internal audit is an independent, objective assurance and consulting activity designed to
  add value and improve an organisation's operations.
• Internal auditors are appointed by the highest level of management with responsibility for
  internal audit and, for listed companies, should report to the audit committee.
• Internal auditors report on operational and financial risk management, internal control and
  quality of performance.
• Internal auditors appear to be less objective than external auditors (because they are
  employees).
• The effectiveness of the internal audit function may be limited if, for example:
  • It is not allowed to operate independently.
  • Scope of work is determined by management.
  • Reporting lines are to management (rather than the audit committee).
  • Access to information/key personnel is denied.
  • Skills are below those of the employees who are being audited.
• Internal audit is needed as organisations become large, complex, geographically diverse and
  develop new products or enter new markets.
• The benefits of outsourcing internal audit include lower cost, consistency with external audit
  and access to a wider range of skills and new techniques.
• Disadvantages of outsourcing include loss of specialist skills in-house, service constraints,
  less flexibility, conflicting reporting lines, expectation gap, possible lower standard of service
  and possible negative effect on corporate culture.
• Other assignments which may be carried out by internal auditors include value for
  money auditing.
• Internal auditors may issue reports which provide management with an opinion or which
  inform management of significant findings, conclusions and recommendations.
• There is no formal structure for the reports of internal auditors.

Session 32 Quiz
Estimated time: 10 minutes

1. Explain the role of internal audit. (1.1)

2. List the benefits to a company which outsources its internal audit. (2.2)

3. Briefly describe value for money (VFM) auditing. (4.1)

Study Question Bank


Estimated time: 40 minutes

Priority Estimated Time Completed


Q46 MonteHodge Co 40 minutes

EXAMPLE SOLUTIONS
Solution 1—Assessing Need for Internal Audit Function
• Corporate structure and the degree of autonomy of each of the
  business units.
• Overall corporate culture and management's philosophy.
• The company's appetite for risk or its ability to tolerate risk.
• Overall control environment.
• Changes in organisational structure (including delayering), reporting
  processes and/or underlying information systems.
• Changes in key risks arising from:
  • changes in internal processes (e.g. product or service lines or
    entry into new markets);
  • alterations in external factors (e.g. regulatory requirements).
• Complexity of the company's systems, especially IT systems.
• The number of moderate- to high-risk areas which are not
  appropriately controlled.
• Deteriorating trends in internal control systems evident from the
  existing monitoring systems.
• Concerns about the level of "risk and control awareness" and the
  need to educate senior or middle management, or staff.
• An increased incidence of unexpected or unacceptable results
  or occurrences.
• The views of the company's external auditors.
• Additional reasons.*

*The UK Corporate Governance Code (Turnbull guidance), which is
not examinable, suggests the following as reasons for an internal
audit function:

• Scale, diversity and complexity of the company's activities—the
  larger, more diverse and more complex a range of activities is,
  the more there is to monitor (and the more scope for things to
  go wrong).
• Number of employees—as a proxy for size, the number of employees
  signifies that larger organisations are more likely to need internal
  audit to underpin investor confidence than smaller concerns.
• Cost-benefit—management must be certain of the benefits that
  will result from establishing internal audit and that they outweigh
  the costs.
• Changes—for example, in the organisational structures, reporting
  processes or underlying information systems. Any internal (or
  external) change is capable of changing the complexity of operations
  and, accordingly, the risk.
• Key risk changes—these could be internal or external, introducing a
  new product, entering a new market or changes in the industry that
  might trigger the need for internal audit.
• Problems with existing internal control systems—these clearly signify
  the need for a tightening of systems and increased monitoring.
• Unexplained or unacceptable events—an increase in the number of
  events usually means system failures and is a clear demonstration of
  internal control weakness.

Solution 2—Business Performance Reports
• Are effectively consultancy in nature, style and approach.
• Have greater focus on performance, objectives and processes rather
  than risks and controls.
• Deal with improvements to be made rather than mistakes already
  made.
• Recommendations concentrate on improvements rather than on
  actions to address mistakes found.
