Professional Documents
Culture Documents
Internal Audit: Session 32
Internal Audit: Session 32
Internal Audit
FOCUS
This session covers the following content from the ACCA Study Guide.
Session 32 Guidance
Note that internal audit can be examined in any question on the examination paper (see Session 00).
Learn the definition and the areas in which internal audit assists management (s.1.1).
Learn the main areas of difference between the roles and responsibilities of internal audit as compared
with external audit (s.1.2).
Note the factors which may limit the effectiveness of internal audit (s.1.4) and those which affect the
need for an internal audit function (s.1.6).
(continued on next page)
F8 Audit and Assurance (INT) Becker Professional Education | ACCA Study System
INTERNAL AUDIT
• Terminology
• Relationship Between External
and Internal Auditors
• Scope of Work
• Limitations
• Approach to Assignments
• Assessing Need for Function
OUTSOURCING
• Factors to Consider
• Benefits
CORPORATE GOVERNANCE
• Disadvantages to the Company
• Session 3
• Service Provider Issues
RISK MANAGEMENT
• Assurance Role
• Contribution
OTHER ASSIGNMENTS
• Value for Money (VFM)
• Best Value
• IT Audit
• Financial Processes Audit
• Operational Audit
Session 32 Guidance
Understand the benefits and disadvantages and outsourcing internal audit (s.2) and the role of
internal audit in risk management (s.3).
Understand the nature of the other assignments which may be undertaken by internal
auditors (s.4).
Read the sample internal audit report and appreciate the similarities to an external auditor's
report to management (s.5).
1 Internal Audit
Internal audit—an independent, objective assurance and consulting *For companies listed
activity designed to add value and improve an organisation's on a recognised stock
operations. It helps an organisation accomplish its objectives by exchange it is regarded
bringing a systematic, disciplined approach to evaluate and improve as good practice to
the effectiveness of risk management, control and governance establish internal audit
processes.* functions to undertake
—Institute of Internal Auditors IIA regular monitoring
of key controls and
procedures.
1.1 Terminology
This definition usefully outlines the relationship between
internal audit and the management of an entity. Key
elements that have not been covered elsewhere in the Study
System are:
External Internal
The skills of the internal auditor do not match (or are not
greater than) those of the employees being audited.*
*In the Barings Bank fraud of 1995, Nick Lesson (the perpetrator of
the fraud) considered the bank's internal auditor to be "an idiot" in
that she did not understand the systems she was auditing and he
was easily able to mislead her. In addition, her work programme
was limited and she was recalled to London by senior management
before being able to complete her work.
Solution
2 Outsourcing
The outsourcing of internal audit has increased as the need for
internal audit has increased (e.g. to better meet requirements
of corporate governance):
Small companies may outsource because they do not have
the resources to set up their own department.
Larger companies may decide that resources are best used
elsewhere and not invest in this non-core (though essential)
area.
Such services are offered by specialised internal audit
providers as well as the "global" and other accounting firms.
2.2 Benefits
Costs—a company with an in-house internal audit service
must pay salaries, training and overheads. Although
contractors' fees also will be set to cover these, there may
be economies of scale. The company only would pay for
resources when required (e.g. environmental auditing) so the
total cost may be cheaper.
Consistency with external audit—if outsourced (e.g. to
the external auditors) there may be greater consistency in
approach between internal and external audit. External audit
may be able to place more reliance on internal audit (see
Session 33) and hence the company would benefit from a
lower fee.
Skills—outsourcing provides access to new skills. External
providers will have a wider range of available skills and
experience gained by auditing other companies.
New techniques—both the internal and external audit
markets are very competitive. This encourages firms to
develop new techniques which are more efficient and effective.
Contracting out gives the company access to these techniques
without a high level of investment.
Management time—time and resources can be freed to
concentrate on core areas of the business.
Liability—legal action may be brought against an external
service provider if its standards are not acceptable.
3 Risk Management
4 Other Assignments
Value for money (VFM) audits are carried out to ensure that
corporate resources, shareholders' funds and taxpayers'
contributions are not wasted. However, the VFM audit process
may or may not be empowered to question whether the
objectives set was justified.
Very often a benchmark is required. VFM only can be
judged by comparison; external or internal (e.g. between
departments or divisions). Present methods of operation and
use of resources must be compared with alternatives to see
whether value for money is being obtained.
Top management is responsible for committing the
organisation to a VFM review process.
Advantages Disadvantages*
4.3 IT Audit
Information systems are pervasive through most organisations
and would, in most cases, be considered a significant risk
through, for example:
no IS strategy or a strategy that does not fit the business
strategy;
poor project management;
poor system design (including controls) development and
implementation;
acceptance of an inappropriate system;
significant expenditure for a system that does not deliver;
poor security, transaction integrity and process alignment;
corruption of data used by management for decision-
making;
access to sensitive information by unauthorised personnel;
unexpected (non-scheduled) downtime;
breaches of laws and regulations; and
no (or inappropriate) disaster recovery procedures.
Solution
5.4 Timing
An interim report, orally or in writing, should be made where:
it is necessary to alert management to the need to
take immediate action to correct a serious weakness in
performance or control; or
where there are reasonable grounds for suspicion of
malpractice.
Consideration also should be given to interim reporting where
there is a significant change in the scope of the assignment or
where it is desirable to inform management of progress.*
The internal auditor should normally meet with management
to discuss the audit findings at the completion of fieldwork for *Interim reporting
does not diminish or
each internal audit assignment and the formal written report
eliminate the need for
should be presented to management as soon as possible
final reporting.
thereafter.
Before issuing the final report, the internal auditor
would discuss its contents with the appropriate levels of
management. In addition, it may usually be necessary to
include management comment in the body of the report. A
draft report for management comment and confirmation of
factual accuracy may also be issued prior to finalising the
formal report.
SCOPE
The systems review at … took place from 17 September to 5 October 20X6. The objectives of
the assignment were:
i) To assess the adequacy of internal controls.
ii) To ensure adherence to statutory legislation and company policies.
iii) To review the efficiency and effectiveness of operations.
iv) To assess the quality of management reporting and information.
CONCLUSION
The branch has been operationally and financially poorly controlled. Branch management have
reacted positively to the draft report and are actively addressing the issues raised. All the points
raised in this report and subsequent recommendation made need to be implemented.
MAIN FINDINGS (References in brackets are to Appendix I)
Inventory
1. There is no investigation of "no stocks"1. No stocks have been very high—up to 20%. This
has led to considerable customer dissatisfaction.
Formal investigation of no stocks should be introduced to improve the service level to clients.
(1.1)
2. There is insufficient control over the warehouse systems. Before further liability for inventory
loss is assumed, the access of staff to the systems must be restricted.
A report of adjustments cannot be produced by the inventory system to ensure all
adjustments are legitimate. The production of this report should be prioritised to stop this
aspect of the operation running blind.
Payroll
1. Not reproduced.
2. There has been an apparent lack of supervision and review of the work of the payroll clerk
who left the company at the end of August. There is a risk that unauthorised amounts may
have been paid. A full reconciliation to assess the situation further will be performed at the
beginning of December. (2.2)
Etc …
Security
1. It remains possible to gain unauthorised access into the warehouse on account of the lack
of security presence on the route between the car park and the warehouse. This should be
addressed immediately following the audit. (3.1)
Etc …
Purchases
1. Purchases have been poorly controlled at the branch. Typically, invoices have arrived in the
accounts department and have been authorised for payment by the former finance manager
without reference to the operational management to confirm the legitimacy of the expense.
The temporary Finance staff have now addressed this situation. (6.1)
APPENDIX I (EXTRACT)
1.1 Observations There is currently no investigation or recording of no stocks.
Inventory department are not aware of any "no stock" report
available from the system.1
Effect Stores orders are not fulfilled.
Recommendation The level of no stocks should be traced using either the "issues
not confirmed report" or, more crudely, the number of issues
physically returned to the office.
Management's Agreed
comments
Target date Immediate
Summary
Internal audit is an independent, objective assurance and consulting activity designed to
add value and improve an organisation's operations.
Internal auditors are appointed by the highest level of management with responsibility for
internal audit and, for listed companies, should report to the audit committee.
Internal auditors report on operational and financial risk management, internal control and
quality of performance.
Internal auditors appear to be less objective than external auditors (because they are
employees).
The effectiveness of the internal audit function may be limited if, for example:
• It is not allowed to operate independently.
• Scope of work is determined by management.
• Reporting lines are to management (rather than the audit committee).
• Access to information/key personnel is denied.
• Skills are below those of the employees who are being audited.
Internal audit is needed as organisations become large, complex, geographically diverse and
develop new products or enter new markets.
The benefits of outsourcing internal audit include lower cost, consistency with external audit
and access to a wider range of skills and new techniques.
Disadvantages of outsourcing include loss of specialist skills in-house, service constraints,
less flexibility, conflicting reporting lines, expectation gap, possible lower standard of service
and possible negative effect on corporate culture.
Other assignments which may be carried out by internal auditors include value for
money auditing.
Internal auditors may issue reports which provide management with an opinion or which
inform management of significant findings, conclusions and recommendations.
There is no formal structure for the reports of internal auditors.
Session 32 Quiz
Estimated time: 10 minutes
2. List the benefits to a company which outsources its internal audit. (2.2)