5 Internal audit

Question 1

What is internal auditing?

Answer 1

Internal auditing is an appraisal or monitoring activity established within an entity as a service to the entity. It functions by, among other things, examining, evaluating and reporting to management and the directors on the adequacy and effectiveness of components of the accounting and internal control systems.

Question 2

Internal audit can play a key role in assessing and monitoring internal control policies and procedures. The internal audit function can assist the board in other ways as well:

Answer 2

• By, in effect, acting as auditors for board reports not audited by the external auditors • By being the experts in fields such as auditing and accounting standards in the company and assisting in implementation of new standards • By liaising with external auditors, particularly where external auditors can use internal audit work and reduce the time and therefore cost of the external audit

Question 3

One of the principles of the UK Corporate Governance Code that was set out that:

Answer 3

The board should establish formal and transparent arrangements for considering how it should apply the corporate reporting and risk management and internal control principles, and for maintaining an appropriate relationship with the company’s auditors.

Question 4

The board should establish formal and transparent arrangements for considering how it should apply the corporate reporting and risk management and internal control principles, and for maintaining an appropriate relationship with the company’s auditors. Part of achieving this principle requires the audit committee to:

Answer 4

• Monitor and review the effectiveness of internal audit activities • Where there is no internal audit function, to consider annually whether there is a need for this function and make a recommendation to the board • Where there is no internal audit function, to explain in the annual report the absence of such a function

Question 5

Other factors an entity might consider when assessing the need for an internal audit function include:

Answer 5

The cost of setting up an internal audit department versus the predicted benefit • Predicted savings in external fees where work carried out by consultants will be carried out by the new internal audit department • The complexity and scale of the organisation’s activities and the systems supporting those activities • The ability of existing managers and employees to carry out assignments that internal audit may be asked to carry out • Management’s perceived need for assessing risk and internal control • Whether it is more cost effective or desirable to outsource the work • The pressure from external stakeholders to establish an internal audit department

Question 6

If the volume of internal audit work required is such that the price differential between employing an internal audit team and outsourcing the work is small, the company will need to consider whether there are longer-term benefits, such as:

Answer 6

• Establishing an internal audit department will help maintain a group of highly skilled people which may help the business develop faster that it would otherwise have done • Working in internal audit can be a route to providing training for future senior executives because internal auditors are likely to obtain knowledge of many aspects of the business and liaise with personnel at all levels

Question 7

What are the key differences between internal and external audit in terms of objectives:

Answer 7

Internal audit: Designed to add value to and improve an organisation’s operations.
External audit: An exercise to enable auditors to express an opinion on the financial statements.

Question 8

What are the key differences between internal and external audit in terms of Reporting:

Answer 8

Internal audit: Reports to the board of directors, or other people charged with governance, such as the audit committee. Reports are private and for the directors and management of the company.

External audit: Reports to the shareholders or members of a company on the truth and fairness of the accounts. Audit report is publicly available to the shareholders and other interested parties.

Question 9

What are the key differences between internal and external audit in terms of Scope:

Answer 9

Internal audit: Work relates to the operations of the organisation.

External audit: Work relates to the financial statements

Question 10

What are the key differences between internal and external audit in terms of Relationship:

Answer 10

Internal audit: Often employees of the organisation, although sometimes the function is outsourced.
External Audit: Independent of the company and its management. Usually appointed by the shareholders.

Question 11

What are the key differences between internal and external audit in terms of Planning and collection of evidence:

Answer 11

Internal audit: Strategic long-term planning carried out to achieve objective of assignments, with no materiality level being set. Some audits may be procedural, rather than risk-based. Evidence mainly from interviewing staff and inspecting documents (ie not external).
External Audit: Planning carried out to achieve objective regarding truth and fairness of financial statements. Materiality level set during planning (may be amended during course of audit). External audit work is risk-based. Evidence collected using a variety of procedures per ISAs to obtain sufficient appropriate audit evidence.

Question 12

There are no legal requirements associated with becoming an internal auditor. The scope and nature of internal audit’s work is more likely to be set by company policy than by any external guidelines. True/ False

Answer 12

True

Question 13

Internal audit has two key roles to play in relation to organisational risk management:

Answer 13

• Ensuring the company’s risk management system operates effectively • Ensuring that strategies implemented in respect of business risks operate effectively

Question 14

What is business risk?

Answer 14

Business risk is a risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

Question 15

Business risk cannot be eliminated, but it must be managed by the company. what does this mean?

Answer 15

Identify risks -> Determine company Policy -> Implement strategy

Question 16

The internal audit department has a twofold role in relation to risk management.

Answer 16

• It monitors the company’s overall risk management policy to ensure it operates effectively. • It monitors the strategies implemented to ensure that they continue to operate effectively.

Question 17

Internal audit may assist in the development of systems. However, its key role will be in monitoring the overall process and in providing assurance that the systems which the departments have designed meet objectives and operate effectively. True or false

Answer 17

True

Question 18

It is the responsibility of management and those charged with governance to prevent and detect fraud, and, in this respect, internal auditors may have a role to play. True/ False

Answer 18

True

Question 19

Limitations of the internal audit function

Answer 19

Internal auditors are employed by the organisation and this can impair their independence and objectivity and ability to report fraud/error to senior management because of perceived threats to their continued employment within the company.

To ensure transparency, best practice indicates that the internal audit function should have a dual reporting relationship,
Internal auditors are not required to be professionally qualified (as accountants are) and so there may be limitations in their knowledge and technical expertise. Even f they are professionally qualified, due to the perceived lack of independence compared with external professionals, internal audit work would not be accepted on many assignments where the interested party is an external stakeholder

Question 20

Define Value for money audits

Answer 20

Value for money (VFM) audits examine the economy, efficiency and effectiveness of activities and processes. These are known as the three Es of VFM audits.

Question 21

Define Economy

Answer 21

Economy: Attaining the appropriate quantity and quality of physical, human and financial resources (inputs) at lowest cost. An activity would not be economical if, for example, there was overstaffing or failure to purchase materials of requisite quality at the lowest available price.

Question 22

Define Efficiency

Answer 22

Efficiency: This is the relationship between goods or services produced (outputs) and the resources used to produce them. An efficient operation produces the maximum output for any given set of resource inputs, or it has minimum inputs for any given quantity and quality of product or service provided.

Question 23

Define Effectiveness

Answer 23

Effectiveness: This is concerned with how well an activity is achieving its policy objectives or other intended effects

Question 24

The internal auditors will evaluate these three factors for any given business system or operation in the company. Value for money can often only be judged by comparison. In searching for value for money, present methods of operation and uses of resources must be compared with alternatives. T/F

Answer 24

T

Question 25

Problems with VFM auditing

Answer 25

Measuring outputs (impact of outputs vary)
Defining objectives (In not-for-profit organisations the quality of the service provided will be a significant feature of their service)
Sacrifice of quality (Economy and efficiency can be achieved by sacrificing quality. Neither outputs nor impacts are necessarily measured in terms of quality)
Measuring effectiveness (the effectiveness of the health service could be said to have improved if hospitals have greater success in treating various illnesses and other conditions, or if the life expectancy of the population has increased, but a consequence of these changes will be overcrowded hospitals and longer waiting lists.)
Over-emphasis on cost control (There can be an emphasis with VFM audits on costs and cost control rather than on achieving more benefits and value, so that management might be pressurised into 'short-term' decisions, such as abandoning capital expenditure plans which would create future benefits in order to keep current spending levels within limits)
Measuring efficiency (In not-for-profit organisations, output does not usually have a market value, and it is therefore more difficult to measure efficiency)

Question 26

Define Best value audits

Answer 26

‘Best value’ is a performance framework introduced into local authorities by the UK Government. They are required to publish annual best value performance plans and review all their functions over a five-year period.

Question 27

As part of best value, authorities are required to strive for continuous improvement by implementing the ‘4 Cs’:

Answer 27

• Challenge. How and why is a service provided? • Compare. Make comparisons with other local authorities and the private sector. • Consult. Talk to local taxpayers and services users and the wider business community in setting performance targets. • Compete. Embrace fair competition as a means of securing efficient and effective service

Question 28

Define Operational Audits

Answer 28

Operational audits are audits of the operational processes of the organisation. They are also known as management or efficiency audits. Their prime objective is the monitoring of management’s performance, ensuring that company policy is adhered to.

Question 29

What are the two aspects of operational assignments

Answer 29

• Ensure policies are adequate • Ensure policies work effectively

Question 30

In terms of adequacy, the internal auditor will have to review the policies of a particular department by:

Answer 30

• Reading them • Discussion with members of the department

Question 31

Then the auditor will have to assess whether the policies are adequate, and possibly advise the board of improvement. The auditor will then have to examine the effectiveness of the controls by:

Answer 31

• Observing them in operation • Testing them

Question 32

Define risk based audit and performance enhancement

Answer 32

Risk-based’, where the internal auditors consider internal and external risks and discuss company operations and systems in place in respect of them

Performance enhancement’ where internal auditors consider risk and strategy on a higher level.

Question 33

What and when is an exit meeting held?

Answer 33

An exit meeting is held at the end of the internal audit engagement after a draft report has been produced.

Question 34

What are the objectives?

Answer 34

The objectives of this meeting are to: • Discuss the findings and associated recommendations • Provide management with the opportunity to give their views on, and ask for clarification of, the observations and recommendations allowing any misunderstandings to be resolved • Agree on possible solutions to the problems the internal audit assignment has identified

Question 35

What is the standard format of a final report?

Answer 35

Standard report format TERMS OF REFERENCE EXECUTIVE SUMMARY BODY OF THE REPORT APPENDICES FOR ANY ADDITIONAL INFORMATION

Question 36

The executive summary is like a condensed version of the full report and an executive summary in an internal audit report will usually include:

Answer 36

Background to the assignment • Objectives of the assignment • Major outcomes of the work • Key risks identified • Key action points • Summary of the work left to do

Question 37

Although the content and format of the final internal audit report will vary, somewhere the report should, as a minimum, describe the purpose, scope and results of the engagement. T/F

Answer 37

True

Question 38

Explain the purpose

Answer 38

The objective of the audit engagement should be clearly stated. This makes the report easier to read and helps the reader to interpret it. Findings should be linked back to this objective

Question 39

Explain the scope

Answer 39

The scope defines what specifically is audited. It identifies which activities are audited and also highlights any activities that are excluded from the audit

Question 40

Explain the results

Answer 40

This should include: • Observations • Conclusions • Opinions • Recommendations • Action plans

Question 41

In addition, the final internal audit report may include the following, optional, sections

Answer 41

Background information; Summaries ; Accomplishments ; Opinions

Question 42

High-quality internal audit reports will have the following attributes:

Answer 42

Accurate:The report should be free from error.
Objective: It should be fair, impartial and unbiased. It should be based on facts.
Clear: The report should be logical, easily understood and free from jargon
Concise:It should be to the point and free from unnecessary detail
Complete:No information essential to the intended audience should be omitted
Timely:The report should convey a sense of urgency.

Question 43

Summary reports should be provided to more senior managers. Communication may also go to:

Answer 43

• External auditors • The board • Others who are affected by, or interested in, the results

Question 44

What if there are any amendments made to the report?

Answer 44

If any amendments are made to the report after it has been issued, a new report should be issued which highlights any changes. This should be distributed to everyone who received the original report

Question 45

What about Releasing the report ?

Answer 45

Approval to release should be gained from senior management, legal counsel or both

Question 46

What about mgmt response

Answer 46

After the issue of the final report, management will be given the opportunity to provide their formal response to the report. This formally communicates back what is going to be done about the recommendations raised.

Question 47

What is outsourcing?

Answer 47

Outsourcing is the use of external suppliers as a source of finished products, components or services. It is also known as sub-contracting.

Question 48

What are the advantages of outsourcing?

Answer 48

• Staff do not need to be recruited, as the service provider has good quality staff. • The service provider has different specialist skills and can assess what management require them to do. • Outsourcing can provide an immediate internal audit department. • Associated costs, such as staff training, are eliminated. • The service contract can be for the appropriate timescale. • Because the timescale is flexible, a team of staff can be provided if required. • It can be used on a short-term basis.

Question 49

What are the disadvantages of outsourcing?

Answer 49

• There will be independence and objectivity issues if the company uses the same firm to provide both internal and external audit services.
• The cost of outsourcing the internal audit function might be high enough to make the directors choose not to have an internal audit function at all. • Company staff may oppose outsourcing if it results in redundancies. • There may be a high staff turnover of internal audit staff. • The outsourced staff may only have a limited knowledge of the company. • The company will lose in-house skills.

Question 50

A company will need to establish controls over the outsourced internal audit department. These would include:

Answer 50

(a) Setting performance measures in terms of cost and areas of the business reviewed and investigating any variances (b) Ensuring appropriate audit methodology (working papers/reviews) is maintained (c) Reviewing working papers on a sample basis to ensure they meet internal standards/guidelines (d) Agreeing internal audit work plans in advance of work being performed (e) If an external auditor is used, ensuring the firm has suitable controls to keep the two functions separate so that independence and objectivity is not impaired