Chapter 10 - Audit Flashcards
Compare risk management with internal audit
Risk management:
- A risk management team would be considered to own the entire risk management process
- they would be ultimately responsible for all aspects of this process including identification and maintenance of the company’s risk register, assessment, prioritisation, treatment of risks and establishment of controls to manage these risks
- the team would lead the company in developing a risk response strategy and would act in an advisory capacity supporting all areas of the business
- provision of training and development by risk staff would facilitate operational managers’ ability to identify risks in their area of work and devise controls by which to manage them
Internal audit:
- The role of internal audit is that of monitoring and reviewing the effectiveness of the controls implemented by operational managers
- in the context of risk management their key activity is in the testing and evaluation of the risk controls (hence ensuring that those who design controls should not test them)
- in a wider context the internal audit department can carry out special investigations as directed by management, and can assist the organisation in review of the efficient use of resources
- internal audit teams can provide support and assistance to senior management in a range of projects, some of which may fall outside the risk management arena
- they are often able to contribute to the work of operational teams in identifying risks due to their extensive knowledge of the business, but this is not their primary responsibility
Briefly summarise the difference between risk management team and internal audit team
Risk management identify risks or problems, management devise controls which they think will prevent the risk or problem and the auditors check that the control works. If it doesn’t, then i tis still a problem and management will implement further or different controls which audit will check again. And so the process goes on until the risk or problem is minimised to the satisfaction of management i.e. it is within the companies attitude to risk.
What is the scope of internal audit?
- Examine financial and operating information
- Review accounting and internal control systems
- Assist in carrying out external audit procedures
- Assisting with identification of significant risks
- Special investigation
- Review compliance with laws, regulations or internal policies
- Review economy, efficiency and effectiveness of operations
Internal auditors can follow the same standards as external auditors. However, there also International Standards for Internal Audit issued by the Internal Auditing Standards Board (IASB) of the Institute of Internal Auditors. What are those standards? Briefly explain
- Attribute standards - deal with the characteristics of organisations and the parties performing internal auditing activities.
- Performance standards - describe the nature of internal auditing services
What are 3 attributes of standards for internal audit?
- Independence
- Objectivity
- Professional care
What are the performance standards for internal audit? (Areas of work)
- Managing internal audit
- Risk management
- Control
- Governance
- Internal audit work
- Communicating results
To ensure that the internal audit function provides an objective assessment of control systems, and their weaknesses, there should be measures in place to protect the independence of the internal audit department. What are those?
- the internal auditors must be independent of executive management and should not have any involvement in the activities or systems that they audit
- the head of internal audit should report directly to a senior director
- in addition, however, the head of internal audit should have direct access to the chairman of the board of directors, and to the audit committee, and should be accountable to the audit committee
- The audit committee should approve the appointment and termination of appointment of the head of internal audit
- In large organisations the internal audit function will be a separate department
- in a small company it might be the responsibility of individuals to perform specific tasks even though there will not be a full-time position
- some organisations outsource their internal audit function, often to one of the large accountancy firms
- the internal auditor will review the accounting and control systems, perform testing of transactions and balances, review the 3E’s, implementation of corporate policies, carry out special investigations, and assist the external auditors where necessary
- They should be technically competent and exercise due professional care by planning, supervising and reviewing any work performed. Documentation should be kept, results communicated to management and recommendations made.
What are the advantages of outsourcing internal audit?
- greater focus on cost and efficiency of the internal audit
- staff may be drawn from a broader range of expertise
- risk of staff turnover is passed to outsourcing firm
- specialist skills may be more readily avaialble
- costs of employing permanent staff are avoided
- may improve independence
- access to new market place technologies, e.g. audit methodology software without associated costs
- reduced management time in administering an in-house department
What are the disadvantages of outsourcing internal audit?
- possible conflict of interest if provided by the external auditors
- pressure on the independence of the outsourced function due to, for example, a threat by management not to renew contract
- risk of lack of knowledge and understanding of the organisation’s objectives, culture or business
- the decision may be based on cost with the effectiveness of the function being reduced
- flexibility and availability may not be as high as with an in-house function
- lack of control over standard of service
- risk of blurring of roles between internal and external audit, losing credibility for both
How to minimise risks associated with outsourcing of internal audit?
- controls over acceptance of internal audit contracts to ensure no impact on independence or ethical issues
- regular reviews of the quality of audit work performed
- separate departments covering internal and external audit
- clearly agreed scope, responsibilities and reporting lines
- performance measures, management information and risk reporting
- procedure manuals for internal audit
How to assess efficiency and effectiveness of internal audit?
The efficiency of internal audit can be assessed by comparing actual costs and output against a target, such as:
- the cost per internal audit day
- the cost per audit report
- the number of audit reports produced
The effectiveness of internal audit needs to be measured in a way that indicates the extent to which it provides assurance to management, the audit committee and the board about the effectiveness of the system of internal control.
- this can be done by identifying evidence of improvements of internal control
What is general layout of internal audit report?
- Executive summary
- The scope of the assignment
- Observations and recommendations
- Recommendation graded by importance
- Statement of responsibility
The audit plan of the external auditors should be drawn up taking into consideration the work of internal audit, and the extent to which the external auditors can rely on the findings of the internal auditors in reaching their audit opinion. What are the factors that the external auditor should consider?
- the status of internal audit within the organisation
- the scope of the internal audit function
- whether management act on the recommendations of the internal auditor
- the technical competence of the internal auditors
- whether the objectives of the internal audit work are aligned with that of the external auditor
- whether the work of the internal audit function appears to have been planned, supervised, reviewed and documented with due professional care
In a large company which complies with the UK Corporate Governance Code, the head of internal audit should report directly to who?
A senior director
Compare external and internal audit according to following points:
- Role required by
- Appointed by
- Reports to
- Reports on
- Forms opinions on
- Scope of assignment
External audit:
- Role required by: Statute, for limited companies
- Appointed by: Shareholders or directors
- Reports to: Shareholder and management
- Reports on: Financial statements
- Forms opinions on: True and fair view and proper presentation
- Scope of assignment: Unlimited, to fulfil statutory obligation
Internal audit:
- Role required by: Directors and shareholder, usually in large organisations
- Appointed by: Directors, via the Chief Internal Auditor (CIA)
- Reports to: Directors, via the CIA
- Reports on: Internal controls mainly
- Forms opinions on: Adequacy of ICS as a contribution to the economic, efficient and effective use of resources
- Scope of assignment: Prescribed by directors
The primary scope of an internal auditor’s work includes: (Select all that apply.)
A Examining financial operating information
B Reviewing compliance with laws and regulations
C Identifying risk
D Assisting with external audit procedures
A, B, D
Internal audit can be outsourced. A disadvantage of this might be:
D
The external auditor is responsible for identifying material misstatements in the financial statements in order to ensure that they give a true and fair view. By definition then, the external auditor is responsible for detecting any material fraud that may have occurred. However, they have no specific responsibility with regard to immaterial fraud. If they identify them they will be reported to those charged with governance, but there is no duty to identify them.
What assignments they can give to an internal auditor?
- to assess the likelihood of fraud, or if a fraud has been discovered
- to assess its consequences and
- to make recommendations for prevention in the future
Fraud investigation can be carried out by an auditor. It is not their primary objective when carrying out an audit, but they are duty bound to report a fraud if during the course of their work they identify fraudulent activities.
It is the company directors who are responsible for identifying fraud. What are the steps in fraud investigation?
- Ascertaining the facts of the fraudulent activity
- Gathering evidence of the crime, documentary, interviews with witnesses, observational, etc.
- Corroborating the evidence
- Consider whether you have the right of access to the evidence you require. Many cases have been thrown out of court because evidence has been improperly obtained.
- Maintaining confidentiality so that the perpetrator doesn’t realise they are being investogated
- Consider the cost of the investigation versus the value of the fraud, although ethically all frauds should be stopped
- Ascertain the value of the fraud
- Consider the loss of reputation if the fraud becomes public
What are the types of audit work?
- Compliance audit
- Transactions audit
- Risk-based audit
- Quality audit
- Post-completion audit
- Value for money audit
- Social, and environmental audit
- Management audit
- Systems-based audit