CHAPTER 6:

INTERNAL AUDIT
By Ayesha Munir
 Purpose and functions of internal audit
Internal audit consists of audit, investigation or review work carried out on a voluntary
basis by an entity, for its own control purposes.
The internal audit work may be carried out by the entity’s own full-time internal audit
staff, or by an external accountancy firm.
There is no regulatory or statutory requirement for internal audit; therefore an entity will
only carry out internal audit work if it considers the benefits sufficient to justify the cost.

INTERNAL AUDIT FUNCTION

ISA 610 Using the work of internal auditors, states that internal auditing activities will
usually include one or more or the following:

Monitoring of internal control:

 The establishment of an adequate internal control system is a responsibility of
management and is an important aspect of good corporate governance. Because the
internal control system needs to be monitored on a continuous basis, large companies
are likely to establish an internal audit function to assist management in this role.
 Internal audit is therefore usually given specific responsibility by management for
reviewing internal controls, monitoring their operation and recommending
improvements via a report to the directors.
Examination of financial and operating information:
 This may include review of the means used to identify, measure, classify and report
such information or specific inquiry into individual items including detailed testing of
transactions, balances and procedures
Review of the economy, efficiency and effectiveness of operations:
 This could include a review of non-financial controls.
Review of compliance:
 Review of compliance with laws, regulations and other external requirements and
with internal requirements such as management policies and directives.
Special investigations:
 Special investigations into particular areas such as suspected fraud.

Internal auditors may also asked to perform different range of duties like:
 Auditing the adequacy of controls in the entity’s IT systems.
 Reviewing the economy, efficiency and effectiveness of particular operations or
activities: these reviews are called value for money (VFM) audits.
 Benefits of internal audit
Internal audit work costs money and should therefore provide benefits to justify the costs.
The justification for internal audit may come from:
Improvements in financial controls or operational controls within the entity
Improvements in compliance with key laws and regulations, thereby reducing the risk of
legal action or action by the regulators against the entity
Improvements in the economy, efficiency or effectiveness of operations

There may be other benefits of internal audit.

If the internal auditors carry out checks into the effectiveness of financial controls within
the entity, the external auditors may decide that they can rely to some extent on the work
done by internal audit. This would save time and effort when carrying out their own audit
work. If the external auditors do rely to some extent on the work of internal audit, there
may be a reduction in the external audit fee.

The existence of an internal audit department may enhance the reputation of the entity
for sound corporate governance in the opinion of customers and investors.
 Weaknesses and limitations of internal audit

It is a matter for the entity setting up the internal audit function what qualifications or
experience it requires of the members of its internal audit team. In contrast, the external
auditor has to comply with regulations set by government and his professional body
covering technical and professional standards and qualifications. However an internal
auditor who is a member of a professional body (such as the ACCA) will need to comply
with the requirements of that body in any work that they do.
Further arguments against having an internal audit department, include:
 the cost of having one
 the problems that may arise with ensuring the independence of the internal auditors.
Methods of trying to ensure independence of Internal Auditors
For full-time internal auditors, one of the biggest problems with independence is
that the auditors must report to someone within the entity. Although various
measures can be taken to try to protect the independence of the internal auditors

Reporting lines. The chief internal auditor may report to the audit committee
and not to the finance director or chief accountant.
Deciding the scope of internal audit work. The scope of work carried out by
the internal auditors should not be decided by the fiancé director or line
management responsible for the operations that might be subjected to audit. The
scope of internal audit work should be decided by the chief internal auditor or by
the audit committee.
Rotation of internal audit staff. Internal auditors should not be allowed to
become too familiar with the operations that they audit or the management
responsible for them. To reduce the familiarity threat, internal auditors should be
rotated every three to five years.
Appointment of the chief internal auditor. The chief internal auditor should
not be appointed by a senior executive who may have some self-interest in wishing
to appoint a ‘yes man’ who will not ‘cause trouble’. Instead, the audit committee
should be responsible for appointing a new chief internal auditor, subject perhaps
to approval by the board of directors.
Methods of trying to ensure independence of Internal Auditors
Designing internal controls. The internal auditors should not be responsible for
the design of internal controls within the entity. If they did, they would be required
to audit their own work, which is unacceptable. Senior management in accounting
and finance or line management should have responsibility for the design and
implementation of internal controls, taking advice where appropriate from the
external auditors when control weaknesses are identified during the external audit.
 Internal audit assignments
1. Operational internal audit assignments
Operational internal audit assignments involve the internal auditor being asked by
management to look at a particular aspect of the entity’s operations, such as marketing
activities or the human resources department.
Operational internal audit assignments are therefore defined as audits of specific
processes and operations performed by an organisation. They are also known as
management audits, or efficiency audits.
The purpose of an operational internal audit assignment is to assess management’s
performance in the specific area of operations that is subject to the audit.
The general approach to an operational internal audit assignment will be determined
by the purpose of the audit. For each area of operations that is subject to an operational
internal audit assignment, the internal auditor should assess:
 the adequacy of the policies, procedures and controls adopted, and
 the effectiveness of the policies, procedures and controls.
For any area of operations subject to an operational internal audit assignment, the
internal auditor needs to consider:
 the risks
 the control procedures for managing and limiting the risk, and whether these are adequate
 how the control procedures can be tested, to make sure that they are working effectively.
 Internal audit assignments
1. Operational internal audit assignments (cont.)
Specific processes
Procurement: operations concerned with purchasing.
Marketing: operations associated with obtaining information about customer needs
and trying to increase sales demand.
Treasury: Treasury operations are concerned with management of the entity’s short-
term and long-term financing. A Treasury department may be responsible for managing
the long-term and short-term borrowing of the entity, the investment of short-term surplus
cash, the management of the entity’s cash, and managing financial risks such as exchange
rate risks and interest rate risks.
Human resources management: operations concerned with managing people – the
employees of the entity.
 Internal audit assignments
2. Value for money audits
The value for money (VFM) audit originated in public sector organisations as a way of
assessing financial performance.
 Value for money, as the term suggests, means getting good value from the money that
an entity spends. Value for money is obtained from a combination of the ‘3 Es’:
 Economy
 Efficiency
 Effectiveness.
Economy means not spending more than is necessary to obtain the required resources
Efficiency means getting a high volume of output from the resources that are used. The
efficiency of employees is often referred to as ‘productivity’
Effectiveness means achieving the objectives of the entity with the resources that it
uses. Using resources efficiently has no value if the resources are not used in a way that
achieves objectives.
 Overall, VFM therefore provides a link between money spent and objectives achieved.
Good overall performance is dependent on a high level of achievement on all of the
3Es. For example, it is no good saving money by purchasing low grade materials (good
economy) if those materials break and are wasted in the production process (poor
efficiency).
 Internal audit assignments
2. Value for money audits
 Internal audit assignments
3. Best value audits
The fundamental concept of best value is ‘continuous improvement’. Organisations can
attempt to achieve continuous improvement by focusing on the ‘4Cs’, as set out below:
Challenge – Ask how a service is provided and, more importantly, why it is provided.
If there is no satisfactory answer to these questions, consider withdrawing the service.
Compare – Make comparisons with other (similar) organisations. Use comparisons to
look for ways of improving.
Consult – Discuss the services provided with the users of those services. Meet with
your customers. Make sure that the services provided meet the needs of their users.
Compete – Use fair competition as a means of improving performance.
For example, when two companies would like to provide a service, use fair competition
between the two companies to obtain best value. The two companies may be asked to
tender for the work, and the contract should be awarded to the company offering the best
value (which may be the lower price).
The internal auditor’s role in best value auditing is to establish:
 whether the organisation has best value procedures in place, and
 whether those procedures are achieving their objective of promoting continuous
improvement.
 Internal audit assignments
4. Financial audits
Performing financial audits is the traditional role of the internal auditor. Internal
auditors may be asked by management to review accounting records and other records to
substantiate figures appearing in financial statements and management accounts.
This work overlaps with the work of the external auditor. Consequently this aspect of
internal audit work is now seen as a relatively minor part of the total work of an internal
audit department.
However, it is important to remember that by performing financial audits, the internal
auditor is able to look at the internal controls that are in place to minimise risks, to
identify weaknesses and to recommend improvements in the internal control system.
5. Information technology (IT) audits
IT audits are a specific application of one of the key roles of the internal audit function,
which is to assess internal controls.
In the case of IT audits, the controls involved are those that operate within the
organisation’s computer systems.
IT systems are a key aspect of the modern business environment, and assessing and
monitoring computer controls is often a key role for the internal auditor.
Organisations may employ one or more computer specialists in their internal audit
department to perform this role.
 Internal audit assignments
6. Fraud investigations
The purpose of a fraud investigation may vary but one will normally be performed:
To determine whether fraud risk management controls are adequate to ensure that fraud
is prevented and/or detected and to make recommendations if they are not
To determine whether a fraud has actually occurred based on information which has
come to light.
 Internal audit reports
Status of internal audit reports
Internal auditors are normally employees of the entity, who therefore work on behalf of
management. When they prepare an audit report, they report their findings to management.
Reports by auditors to management are sometimes called ‘private reports’. There are no
legal requirements or other formal requirements regulating internal audit reports.
A report from the internal auditors may therefore take any appropriate form. Internal
audit reports should be prepared in the same way as any other internal business report
Structure of the internal audit report
A possible structure for an internal audit report is the same as for any other business report:
 Introductory items:
 Title of the report
 The person or group of people to whom the report is addressed
 The person or department that has prepared the report (the internal auditor)
 Date of the report / Possibly its status (for example, ‘Confidential’)
 Internal audit reports (cont.)
Executive summary: The executive summary of a report sets out the purpose of the
report, the main points in the report, and the conclusions and recommendations.
Main text of the report: The main text of the report follows the executive summary.
This goes into more detail than the executive summary, and so is longer. However, it
should be structured in the same way as the executive summary, presenting findings and
conclusions in the same order. The main part of the report should avoid excessive detail.
Supplementary details should be provided in appendices.
Appendices: Appendices provide additional detailed information and analysis that the
reader of the report can refer to if he or she wishes. Appendices may include valuable
detailed information, but should not contain vital information that is not also included in
the main body of the report and the executive summary.
 Regulation of internal audit
There are no specific legal requirements regulating the internal audit process. Rather
than being controlled by statute, internal audit is controlled by management in the same
way that other functional departments in the organisation are controlled by management.
ISAs do not have mandatory authority for internal auditors. However, they can be seen as
indicative of good audit practice, and are therefore frequently adopted by internal audit
departments.
Internal auditors are not required to be a member of a regulatory body such as the
ACCA. However, in recruiting internal auditors, management will often look for qualified
accountants
The Institute of Internal Auditors (IIA) is a global body to which internal auditors may
belong. However, membership is not mandatory.
 Outsourcing internal audit

Outsourcing means giving the work that was previously done by the entity’s own
employees to an external entity. When internal audit work is outsourced, the work is usually
given to the audit firm that does the external audit for the company, or to another firm of
accountants.
The main reasons for outsourcing internal audit work are as follows:
 The cost of maintaining a permanent internal audit function may be very high.
 Smaller companies may have a need for an internal audit function, but not on a
permanent basis.
Benefits of outsourcing
There are several advantages of outsourcing internal audit work:

Staff recruitment. There is no need for the company to recruit and train its own
internal audit staff. An internal audit function can be instantly available by hiring
the services of an accountancy firm.

Auditor skills. The outside supplier is likely to have specialist staff available,
such as computer audit experts. Internal auditors with an IT specialisation may be
difficult to recruit as full-time employees.

Costs and flexibility. The cost of the internal audit function is a variable cost
rather than a fixed cost. A company therefore only pays for the internal audit time
that it uses.

Outsourcing is likely to be more economical for a small entity that does not have
enough audit work to justify a full time internal audit team.
Possible problems of outsourcing
There are also other problems with outsourcing internal audit work:

Changing personnel. The internal auditors provided by an external firm may

change continually, and there may be a lack of continuity as a consequence. The
internal auditors who are used may not have an understanding of the client’s
business.

Cost. An accountancy firm will charge high fees for internal audit services.

Confidentiality. The internal auditors provided by an external firm will be

expected to maintain complete confidentiality about the client’s affairs. However,
the risk of a ‘leak’ may be higher than if full-time internal auditors are employed.

Control. An entity may not have the same control over its internal audit work if
the work is outsourced.

Conflict of interest. If internal audit work is carried out by the entity’s firm of
external auditors, the internal auditors and external auditors may have a conflict of
interest (affecting their independence and objectivity).