Chapter 7 - Internal audit

Question 1

Overall objectives of IA:

Answer 1

Safeguard assets
Compliance
Reduce overheads
Effective controls
Accounting records
Managing risks

Question 2

What is internal audit?

Answer 2

• Provides independent assurance that an org’s risk management, governance and internal control processes are operating effectively

Question 3

What is a systems audit?

Answer 3

Tests and evaluates internal controls within any system

Determines:

• How well system is functioning
• What weaknesses there might be
• What reliance can be placed on existing controls

Objectives audit will focus on:

• Suitable and accurate management info
• Compliance with procedures, laws an regulations
• Safeguarding assets
• Securing economies and efficiencies
• Accomplishing objectives

Question 4

What is a compliance audit?

Answer 4

Form of systems audit which ensures performance conforms to a statutory, regulatory, policy or contractual requirement

Question 5

Process of internal control:

Answer 5

• Identify business objectives
• Identify risks that will threaten each objective
• Design internal controls to mitigate these risks
• Implement internal controls in accordance with their design

Question 6

IA and fraud investigations:

Answer 6

• Maintain systems of control for both prevention and detection
• Acts as both investigator and detective (watchdog and bloodhound)

Question 7

Cressey – fraud was likely to occur if three conditions were present:

Answer 7

1. Pressure:
   * Motivation to commit fraud comes from financial problems that cannot be solved by legitimate means
   * Are staff likely to be affected by external factors?
2. Rationalisation:
   * Fraudster must be able to justify decision to themselves, usually because they perceive themselves as having no other choice or have been wronged in some way
   * Are assets likely to be vulnerable and are any controls poor?
3. Opportunity:
   * Fraud can be perpetrated because someone is able to due to low perceived risk of getting caught or fraud can be easily concealed
   * Are staff disenfranchised or desperate enough to commit fraud and does recruitment procedures always check employee references?

Question 8

Value for money audit:

Answer 8

• Best value audit = performance framework used by UK public service orgs to assess how well public money is being used to provide services

Question 9

Best value can be achieved by attempting to implement four C’s:

Answer 9

• Challenge = How and why is a service provided?
• Compare = Make comparisons with other local authorities and the private sector
• Consult = Talk to local taxpayers, service users and the wider business community in setting performance targets
• Compete = Embrace fair competition as a means of securing efficient and effective services

Question 10

Management audit:

Answer 10

• Objective and independent appraisal of the effectiveness of managers and the corporate structure in achievement of entity objectives and policies
• Aim to identify existing and potential management weaknesses and to recommend ways to rectify them
• Non-routine investigation that attempts to look at all aspects of management performance
• May cover: achievement of targets, decision making, competence, workloads, delegation, relationships

Question 11

Carrying out a management audit:

Answer 11

Deciding audit objectives and carry out an investigation, gathering evidence and reporting results

Question 12

Social audit:

Answer 12

Cover sustainable use of human resources, health and safety compliance, labour conditions and equal opportunities

Involve:

• Establishing whether org has rationale for engaging in socially responsible activity and that rationale is aligned with its mission
• Assessing objectives and priorities related to these programmes
• Evaluating company involvement in such programmes past, present and future

Question 13

Environmental audit:

Answer 13

Ascertain whether org is complying with codes of best practice, internal guidelines or fulfilling wider requirement of being a good corporate citizen

Concerned with:
* Board and management having good understanding of environmental impact
* Assessment of whether environmental programmes are congruent with comp’s mission
* Adoption + communication of adequate policies and procedures to ensure compliance with relevant std’s and laws
* Adoption + review of progress against quantifiable targets
* Assessment of whether progress is being made economically and efficiently
• True, fair and complete reporting of environmental activities

Question 14

External audit (Financial audit):

Answer 14

• Examination of books and record of an org with a statutory goal of reporting on the truth and fairness of org’s financial statements
• Audit committee is responsible for making annual assessment on independence and effectiveness of external auditors and making recommendation for reappointment

Question 15

Internal vs. external audit:

Answer 15

Internal Audit:

• Responsible to = management
• Responsible for = any task required by management or directors
• Activities undertaken = anything
• Standards used = anything

External Audit:

• Responsible to = Shareholders
• Responsible for = opinion on truth, fairness and compliance with laws and regulations
• Activities undertaken = testing via evidence gathering
• Standards used = laws and regulations, auditing std’s and accounting std’s

Question 16

Comp without IA needs to review need for IA annually by considering:

Answer 16

1. Scale, diversity and complexity of org’s activities
2. No. of employees
3. Cost-benefit considerations
4. Changes in org structures
5. Changes in key risks
6. Problems with internal control systems
7. An increased no of unexplained or unacceptable risks

Question 17

Aims of audit planning:

Answer 17

• Prioritise activities for review (risk, changes, past history of problems and size)
• Establish objectives of the audit
• Ensure that IA resources are used efficiently and effectively

Question 18

Risks considered by internal auditors:

Answer 18

1. Inherent risk:
   * Susceptibility of activity being subject to risk regardless of quality of control system or effectiveness of management
2. Controls risk:
   * Risk that control systems fail, are absent or inadequate
3. Residual risk:
   * Risk that remains after controls have been implemented and is therefore deemed acceptable by management
4. Detection risk:
   * Risk that IA process does not detect errors or weaknesses and is balanced against residual risk

Question 19

Walkthrough testing:

Answer 19

• Documenting subject of an audit and tracing events or examples from start to finish in order to confirm auditor’s understanding and any controls in place
• Techniques include = narrative notes, flowcharts, questionnaires and checklists

Question 20

Tests of control:

Answer 20

Test whether controls are operating as they should

Question 21

Substantive testing:

Answer 21

• Test whether individual events are valid
• Auditors will increase level of substantive testing if controls are assessed as weak or area is considered high risk

May include:
Analytical review procedures
Confirmation
Observation
CompUtation
Recalculation
Inspection
Enquiry
Re-performance

Question 22

Analytical review:

Answer 22

• Analysing data to identify trends, errors or issues (such as gross margin, gearing return on capital employed and revenue per square foot)
• Involve comparing data with an expectation

Question 23

Benchmarking:

Answer 23

• Used alongside analytical review
• Benchmarking against org’s in same industry or of similar size or location or those org aspires to emulate or supersede

Question 24

Limitations of benchmarking:

Answer 24

• Industry info is often commercially sensitive and may not be available
• Limited to the accuracy of both the source data and any statistical analysis
• Conclusions drawn may not be appropriate

Question 25

Key principles of auditing a computer system:

Answer 25

• Understand the systems
• Identify how the systems can be tested
• Review security arrangements
• Assess all transactions of processed data output
• Consider data input
• Ensure all transactions are authorised
• Review the system back-up facilities and disaster recovery procedures

Question 26

Computer assisted audit techniques (CAATs):

Answer 26

• Applications of auditing procedures using the computer as an audit tool
• Used to review system controls and to review actual data
• Big data enabled IA to analyse larger samples if suitable audit data analytics (ADA) technology is available

Question 27

Criteria to be used by org’s to assess their own IA function: (PAIR)

Answer 27

1. Professionalism:
   * Does IA follow a systematic and organised approach when planning conduction and reporting its work? – if not there is a risk that vital info risks and controls may go unreported
2. Authority:
   * Does IA reported findings get noticed? – If IA requests action and it is not taken, will this get followed up?
3. Independence:
   * To whom does the IA function report – if it is the audit committee, it is good, but if it is the chief executive or finance director, there may be pressure for IA to be less critical of these individuals
4. Resources:
   * Are there enough employees with the right levels of training and experience to adequately complete necessary IA work programme?

Question 28

IA Reports:

Answer 28

• There is no formal requirement for IA reports

* Those charged with governance have responsibility to review IA reports and respond appropriately

Question 29

Presentation of observations and findings in individual areas can be made as follow:

Answer 29

• Business objective that manager is aiming to achieve
• Operational standard
• Observations of actual performance against std including any control weaknesses
• Cause of the weaknesses
• Effect of the weaknesses
• Recommendations to address weaknesses