Fundamentals of Internal Auditing

Essentials  of Internal Auditing  

The essentials for effective internal auditing are:

1. Independence: The internal auditor should have the independence in terms of organizational status and personal objectivity which permits the proper performance of his duties.
2. Staffing and Training: The internal audit unit should be appropriately staffed in terms of numbers, grades, qualifications and experience, having regard to its responsibilities and objectives. The internal auditor should be properly trained to fulfill all his responsibilities. The effectiveness of internal audit depends substantially on the quality, training and experience of its staff. The aim should be to appoint staff with the appropriate background, personal qualities and potential. Thereafter, steps should be taken to provide the necessary experience, training and continuing professional education.
   1. Staffing:  The internal audit unit should be managed by a head of internal audit who should be suitably qualified and should possess wide experience in internal audit and its management. He should plan, direct, control and motivate the resources available to ensure that the responsibilities of the internal audit unit are met. The full range of duties may require internal audit staff to be drawn from a variety of disciplines. The effectiveness of internal audit may be enhanced by the use of specialist staff, particularly in the internal audit of activities of a technical nature. The internal audit unit should employ staff with varying types and levels of skills, qualifications and experience in order to satisfy the requirements of each internal audit task.
   2. Training:  The organization has a responsibility to ensure that the internal auditor receives the training necessary for the performance of the full range of duties. Training should be tailored to the needs of the individual. It should include both theoretical knowledge and its practical application under the supervision of suitably competent and experienced internal auditors. Account should be taken of: a) internal audit objectives and priorities; b) the type of internal audit work; c) previous training, experience and qualifications; and d) personal development in the light of the needs of the organization and the internal audit unit. The internal auditor should keep abreast of current developments, improvements, new techniques and practices in auditing. The head of internal audit should co- ordinate, and keep under review, the training requirements of internal auditors. He should be responsible for preparing training profiles which identify the training requirement for different grades of internal auditors, and should maintain personal training records for each individual. In large organizations this may be performed by a designated training officer.
3. Relationships: The internal auditor should seek to foster constructive working relationship and mutual understanding with management, with external auditors, with any other review agencies and, where one exist, the audit committee. In order that the internal auditor may properly perform all his tasks, it is necessary for all those with whom he has contact to have confidence in him. Constructive working relationships make it more likely that internal audit work will be accepted and acted upon, but the internal auditor should not allow his objectivity to be impaired.
   1. Organizational Relationships: The head of internal audit should prepare the internal audit plan in consultation with senior management. The internal auditor should arrange the timing of internal audit assignments in consultation with the management concerned, except on those rare occasions where an unannounced visit is a necessary part of the audit approach. Consultation can lead to the identification of areas of concern or of other interest to management. Matters which arise in the course of the audit are confidential and discussion should be restricted to management directly responsible for the area being audited unless they have given express agreement to broaden the discussion. Discussions with management are necessary when preparing the audit report. This is an essential feature of the good relationship between the auditor and the management.
   2. Relationship with External Audit: The relationship between internal and external audit needs to take account of their differing roles and responsibilities. Internal audit is an independent appraisal function within the organization and internal auditors are direct employees. The external auditor usually has a statutory responsibility to express an independent opinion on the financial statements and stewardship of the organization. The aim should be to achieve mutual recognition and respect, leading to a joint improvement in performance and the avoidance of unnecessary over-lapping of work. It should be possible for the external and internal auditors to rely on each other’s work, subject to limits determined by their different responsibilities, respective strengths and special abilities. Consultations should be held and consideration given to whether any work of either auditor is adequate for the purpose of the other. The internal auditor does not automatically have a right of access to the records of the external auditor. However, the relationship between the internal and external auditor will usually be such that the external auditor will be able to allow access to the necessary records. Since internal audit evaluates an organization’s internal control system the external auditor may need to be satisfied that the internal audit function is being planned and performed effectively. This review needs to be seen by both parties as a necessary part of the working relationship (Institute’s International Auditing Guideline No: 10 on “Using the work of an Internal Auditor”). Regular meetings should be held between internal and external auditors at which joint audit planning, priorities, scope and audit findings are discussed and information exchanged. The benefits of joint training programmes and joint audit work should also be considered.
   3. Review  Agencies and Specialists:  Certain information obtained during an internal audit assignment may assist a review agency, such as management services or consultants, which are seeking to secure improvements in the organization’s performance. Management’s formal approval should be obtained before releasing any audit report or other information to the review agencies. The internal auditor should establish a regular dialogue with review agencies and obtain their reports for information, review and comment where proposals may affect internal control arrangements. Where it is necessary for the internal auditor to have contact with other specialists the same basic principles about information apply as in the case of review agencies.
4. Due Care: The internal auditor should exercise due care in fulfilling his responsibilities. The internal auditor cannot be expected to give total assurance that control weaknesses or irregularities do not exist. In order to demonstrate that due care has been exercised the internal auditor should be able to show that his work has been performed in a way which is consistent with this guideline. The internal auditor should possess a thorough knowledge of the aims of the organization and the internal control system. He should also be aware of the relevant laws and the requirements of relevant professional and regulatory bodies. The internal auditor must be impartial in discharging all responsibilities; bias, prejudice or undue influence must not be allowed to limit or over-ride objectivity. At all times, the integrity and conduct of the internal auditor must be above reproach. He should not place himself in a position where responsibilities and private interests conflict and any personal interests should be declared. The internal auditor should not improperly disclose any information obtained during the course of his work.
5. Planning, Controlling And Recording: The internal auditor should adequately plan, control and record his work. The main purposes of internal audit planning are:- a) To determine priorities and to establish the most cost-effective means of achieving audit objectives; b) To assist in the direction and control of audit work; c) To help ensure that attention is devoted to critical aspects of audit work; and d) To help ensure that work is completed in accordance with pre-determined targets. Control of the internal audit unit and of individual assignments is needed to ensure that internal audit objectives are achieved and work is performed effectively. The most important elements of control are the direction and supervision of the internal audit staff and review of their work. This will be assisted by an established audit approach and standard documentation. The degree of control and supervision required depends on the complexity of assignments and the experience and proficiency of the internal audit staff. Internal audit work should be properly recorded because: a) The head of internal audit needs to be able to ensure that work delegated to staff has been properly performed. He can generally do this only by reference to detailed working papers prepared by the internal audit staff who performed the work; b) Working papers provide, for future reference, evidence of work performed, details of problems encountered and conclusions drawn; and c) The preparation of working papers encourages each internal auditor to adopt a methodical approach to his work.
6. Evaluation of the Internal Control System: The internal auditor should identify and evaluate the organization’s internal control system as a basis for reporting upon its adequacy and effectiveness.
7. Evidence: The internal auditor should obtain sufficient, relevant and reliable evidence on which to base reasonable conclusions and recommendations. Internal audit evidence is information obtained by an internal auditor which enables conclusions to be formed on which recommendations can be based. The internal auditor should determine what evidence will be necessary by exercising judgement in the light of the objectives of the internal audit assignment. This judgement will be influenced by the scope of the assignment, the significance of the matters under review, the relevance and the reliability of available evidence and the cost and time involved in obtaining it. The collection and assessment of internal audit evidence should be recorded and reviewed to provide reasonable assurance that conclusions are soundly based and internal audit objectives achieved.
8. Reporting and Follow-Up: The internal auditor should ensure that findings, conclusions and recommendations arising from each internal audit assignment are communicated promptly to the appropriate level of management and he should actively seek a response. He should ensure that arrangements are made to follow up audit recommendations to monitor what action has been taken on them. Internal audit reports provide a formal means of communicating to management the results arising from audits undertaken. Such reports should include audit findings, recommendations and conclusions relating to the adequacy of and compliance with the system of internal control and the efficiency, effectiveness and economy of operations in the area covered by the audit. From the point of view of completeness, management response to the audit findings should preferably also be included in the report. The aim of every internal audit report should be: a) To prompt management action to implement recommendations for change leading to improvement in performance and control; and b) To provide a formal record of points arising from the internal audit assignment and, where appropriate, of agreements reached with management.

Different Roles of Internal Auditing in Business

1. Role in Internal Control: Internal auditing activity is primarily directed at improving internal control. Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following internal control categories: a) Effectiveness and efficiency of operations. b) Reliability of financial reporting. c) Compliance with laws and regulations. Management is responsible for internal control. Managers establish policies and processes to help the organization achieve specific objectives in each of these categories. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement.
2. Role in Risk Management: Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization’s risk management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives. Risks fall under strategic, operational, financial reporting, and legal/regulatory categories. Management performs risk assessment activities as part of the ordinary course of business in each of these categories. Examples include: strategic planning, marketing planning, capital planning, budgeting, hedging, incentive pay out structure, and credit/lending practices. Internal auditors may evaluate each of these activities, or focus on the processes used by management to report and monitor the risks identified. For example, internal auditors can advise management regarding the reporting of forward looking operating measures to the Board, to help identify emerging risks. In larger organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee, or ensure management’s reporting is effective for that purpose. Internal auditors may help companies establish and maintain Enterprise Risk Management processes.
3. Role in Corporate Governance: Internal auditing activity as it relates to corporate governance is generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct, manage and monitor the organization’s resources, strategies and policies towards the achievement of the organizations objectives. The internal auditor is often considered one of the “four pillars” of corporate governance, the other pillars being the Board of Directors, management, and the external auditor. A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical internal control problems, informing the Committee privately on the capabilities of key managers, suggesting questions or topics for the Audit Committee’s meeting agendas, and coordinating carefully with the external auditor and management to ensure the Committee receives effective information.