This additional work is carried out by internal auditors, who may be company

Transcription

1 TOPIC 8: INTERNAL AUDIT The Role of Internal Audit Function Company directors have a legal requirement to produce true and fair annual financial statements. To help ensure this is done, companies are required to have their published financial statements audited by an external team of experts. Directors also need assurance on other financial matters. This assurance is primarily for their own internal use, although in recent years pressure has grown for more and more of such work to be made more publicly available. This additional work is carried out by internal auditors, who may be company employees or outside experts from a firm of accountants. In this Session, we examine what internal auditors do and how they do it. The UK Corporate Governance Code highlights the need for entities to maintain good systems of internal control (RACE CAM I). An internal audit function is part of the control environment Assessing the need for Internal Audit Factors to consider when assessing the need for an internal audit function include: Set up cost Predicted savings by not having to engage external consultants, where such work will now be carried out by the internal audit department 1

2 Management s perceived need for assessing risk and internal control Whether it is more cost effective to outsource the work Achieving Corporate Objectives Internal audit is part of the organisational control of a business; it is one of the methods used by management to ensure the efficient and orderly running of the business as a whole, and is part of the overall control environment. Internal auditors work has expanded in recent years, and the role of internal audit often now includes: Helping to set corporate objectives Helping to design and monitor performance measures for these objectives Responsibility for Fraud and Error The directors of a company are responsible for the detection and prevention of fraud. Internal auditors assist in this regard, by assessing the adequacy and effectiveness of the internal control systems. The very existence of an internal audit department may act as a deterrent to fraud. It is not the responsibility of the external auditors to prevent and detect fraud, although, they must consider fraud as a potential reason for identifying misstatements in the financial statements. 2

3 Internal Audit v External Audit Reporting Objective Planning & Collection of Evidence Internal Audit To Those Charged With Governance or Audit Committee Add Value/Improve Operations Strategic long term planning ( no materiality) External Audit Members of the Company (aka shareholders) Express Opinion on the FS Planning carried out to help achieve objective re true and fair view (Materiality set during planning - maybe amended during audit) Relationship Scope Audits mainly risk based (although can be procedural) Evidence gathered mainly internal Generally Direct employees (maybe outsourced) Work relates to the operations of the External Audit Work is risk based Evidence gathered (OAR ICE I) as per ISA s to obtain sufficient appropriate audit evidence Appointed by Shareholders Work relates to the Financial Statements 3

4 organisation Use the mnemonic ROPERS to remember the headings under which to compare Internal Audit and External Audit Corporate Governance Practice and Internal Audit A properly functioning internal audit department is part of good corporate governance, as recognised by all national and international corporate governance codes. Internal audit enables management to perform proper risk assessments (another central theme of corporate governance codes) by means of properly understanding the strengths and weaknesses of all parts of the control systems in the business. Corporate Risk Management & The Function of Internal Audit Internal audit has a particular interest in evaluating the company s risk management structures. Internal audit can: Manage the basic data used by management to identify risks Identify techniques for prioritising and managing risks Report on the effectiveness of risk management solutions (e.g. internal controls) 4

5 Types of Risk A common classification is: Business/Industry risks relating to the Economy, technology, competitors Financial risks interest rates, cashflow, exchange rates Compliance risks breach of laws (including accounting standards) Operational risks loss of key staff, reliance on one product/customer Prioritising Risk When prioritising risks, auditors are likely to consider the: Likelihood of the risk occurring Impact of the risk on the business Clearly, high likelihood, high impact risks cannot be ignored and need to be managed in some way. However, risk management is partly a cost/benefit exercise, so low likelihood, low impact risks may not be addressed at all. 5

6 Managing Risk There are 4 common methods for managing risk: Reduce the risk, by using internal controls Avoid the risk, by not entering the business activity Accept the risk (i.e. do nothing) Transfer the risk to another party (e.g. insurance, sub-contracting, joint ventures) Example: A company that trades overseas is subject to an element of exchange risk, in that their fortunes (and those of their competitors) are partly dependent on exchange rate movements. This risk could be addressed by: Reducing the risk by employing experts in exchange rates (likely to be expensive, especially if the experts decide to gamble with the company s money) Avoiding the risk, by ceasing to trade overseas, or staying within exchange zones (e.g. the Euro) Accepting the risk, and doing nothing Transferring the risk, by using hedging techniques (options, forward contracts), or by insisting that all sales and purchase invoices are in their own currency Best Practice in the Structure and Operation of an Internal Audit function. The UK Corporate Governance Code on corporate governance states that companies without an internal audit function should regularly review the need for one. 6

7 Where there is an internal audit function, the audit committee should annually review its scope of work, authority and resources, again having regard to those factors. Where there is no internal audit function, the audit committee should consider annually whether there is a need for this function and make a recommendation to the board. Ideally, the internal audit function should be staffed with qualified, experienced staff, whose work is closely monitored by an audit committee. Scope & Limitations of Internal Audit Function Internal audit staff are typically expected to carry out a variety of tasks: Reviewing internal controls and financial reports Reviewing risk management systems Carrying out special assignments (e.g. fraud investigation) Conducting operational reviews (e.g. into efficiency of parts of the business) Limitations of Internal Audit As noted earlier in these Notes, internal auditors have an unavoidable independence problem. They are employed by the management of the 7

8 company and yet is expected to give an objective opinion on matters for which management are responsible Internal audit will only succeed if it is properly staffed and resourced If internal auditors identify fraud, they may be unwilling to disclose it for fear of the repercussions (which could involve the collapse of the company and the loss of their job) These limitations can be reduced if an audit committee: Sets the work agenda for internal audit Receives internal audit reports Is able to ensure internal audit is properly resourced Has a voice at main board level INTERNAL AUDIT ASSIGNMENTS Internal auditors are often expected to perform operational audit on areas of the business. Whilst specific business areas are covered, we also need to examine types of operational audit: VALUE FOR MONEY (VFM) A simpler term for VFM is a performance audit. It tends to focus on the 3 E s : 8

9 1) Economy Attaining the appropriate quantity and quality of physical, human and financial resources (inputs ) at the lowest cost Regular competitive tendering and review of market prices should help to achieve this goal. 2) Efficiency This is a measure of the relationship between goods and services produced (outputs) and the resources used to produce them (inputs) Internal auditors will help management to design performance indicators that can be measured to assess efficiency. 3) Effectiveness How well an activity is achieving its policy objectives or other intended effects. When performance indicators are designed, they should have such objectives in mind. 9

10 Value for Money Audit in a School: 1) Economy - Are school textbooks of the required standard supplied at the lowest cost? 2) Efficiency Can more children be taught to the same standard for the same cost? Relating Inputs to Outputs 3) Effectiveness - Are school examination results improving as a result of additional spending? Example of Value for Money Audit: Busy Buses operates a number of bus routes around the country. Its objectives are to gain market share and maximise profits, whilst being known as the best provider of public transport in the country. It is performing a VFM audit. 10

11 ECONOMY The company s largest costs are likely to be new buses, maintenance, petrol/diesel, staff costs. Any new bus purchases should preferably be in bulk (to reduce the cost) and will be put out to tender. Maintenance may be subcontracted to a specialist firm (again, after a tender process). Petrol/diesel may best be supplied by having their own private petrol pumps where the buses are garaged. Staff costs will be monitored against other bus companies, to ensure that they are competitive (to encourage good staff) but not too high. Given the company s objective to be the best, it may be wise to pay staff rates that are higher than the industry average. EFFICIENCY / EFFECTIVENESS Key resources are the buses and staff. Performance indicators could include: - (Analytical Review) Miles per litre of petrol, on a bus-by-bus, and route-by-route basis % occupancy by route profitability of each route market research to establish public perception in each area 11

12 season ticket repeat rate (to show customer loyalty) Internal audit will be required to maintain the data to support this ongoing analysis, as well as suggesting additional measures. BEST VALUE Particularly popular in local government, where public money is being spent and there must be a public demonstration that value is being achieved. Commonly known as the 4 C s : 1) Challenge The current position is challenged to establish whether better options may exist 2) Compare Performance is compared with similar service providers to establish how good the current position is 12

13 3) Consult All users and providers of the service are invited to put forward their views 4) Compete Embrace fair competition as a means of securing efficient and effective services Information Technology Audits Internal auditors (likely to be computer specialists) may be required to carry out an IT audit, covering hardware, software, internet, and the overall IT environment in order to report on risks over input, output and processing. Financial Audits The most traditional part of internal audit work, involving monitoring of financial accounting systems and management accounts to ensure they are running efficiently and accurately. It is this area of work that external auditors are most likely to want to rely on in order to reduce their own work. OPERATIONAL AUDITS Operational audits are audits of the operational processes of the organisation. Their prime objective is the monitoring of management s performance ensuring company policy is adhered to. 13

14 Regulatory Compliance There will be a number of regulations a company will need to comply with. Some will be specific to the industry the client operates in (e.g. regulations over disposing of hazardous waste in the nuclear industry) and some will apply to companies operating in a particular region or country (e.g. tax laws). Internal audit may assist with or review compliance with these laws and regulations. Fraud Investigations Fraud can range from theft/misappropriation of assets to fraudulent financial reporting. Internal audit may be asked to investigate specific instances of suspected fraud. Customer Service Reviews Internal auditors may be asked to assess the level of customer service. They could do this by phoning in or visiting stores/outlets and pretending to be customers. Testing Operational or financial controls This may include testing controls operating centrally (at head office) or at branches Information Technology System reviews As already discussed Value for Money Reviews As already discussed 14

15 Procurement Better known as purchasing, procurement involves obtaining goods and services from outside suppliers. The procurement processes must be carefully controlled to reduce the risk of fraud and minimise purchase costs to the company. Primary risks are: Fictitious or excessive payments made to suppliers (fraud) Inaccurate or delayed payments Best value not achieved from current suppliers OUTSOURCING THE INTERNAL AUDIT FUNCTION Outsourcing (aka sub contracting) Use of External Suppliers The Internal Audit Dept may consist of employees of the company or the function may be outsourced to a service provider Advantages of Outsourcing Entity does not have to recruit staff Disadvantages of Outsourcing Independence and Objectivity issues if the entity uses the same firm to provide both internal and external audit services 15

16 The service provider has different specialist skills An immediate internal audit dept can be provided Costs such as staff training are eliminated Can be used on a short term basis Cost of outsourcing may be so high (i.e. redundancy cost of existing IA staff and rates charged by Outsourcing firm) that the directors may choose not to have any Internal Audit Function Staff may oppose outsourcing if it results in redundancies Service Provider staff may only have a limited knowledge of the entity Loss of in house skills Service Contract can be for the appropriate time scale Types of Internal Audit Report External audit reports are governed by audit standards, to ensure consistency in reporting to shareholders. However, different companies will require different forms of report, so guidance is very limited for internal auditors. Typically, an internal audit report will be addressed to the audit committee and is likely to have the following structure, or something similar: 16

17 Terms of Reference Executive summary Key recommendations Actions, with responsibilities and timescale Appendices with detailed findings from the procedures undertaken Earlier, we examined the process by which external auditors report control weaknesses, consequences and recommendations to clients. Internal auditors could report their findings in a similar format to that used when Communicating Significant Deficiencies in Internal Control as per ISA 265. As well as these formal reports, internal auditors may be asked to produce specific forms of report for special investigations e.g. in the form of a presentation EXTERNAL AUDITOR PLACING RELIANCE ON THE WORK OF INTERNAL AUDITOR ISA 610 Using The Work Of Internal Auditors provides guidance to the external auditor when the external auditor expects to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed directly, by the external auditor. The role of internal audit is determined by management and the directors and its objectives differ from those of the external auditors who are engaged to report independently on the financial statements. The external auditors 17

18 primary concern is whether the financial statements are free from material misstatement. The internal audit function s objectives vary according to the requirements of management and the directors and, generally, less emphasis is placed on materiality considerations. Nevertheless some of the means of achieving their respective objectives are often similar and thus certain work of internal auditors may be useful in determining the nature, timing and extent of external audit procedures. There are a number of important statements in ISA 610 that reflect mandatory practice: The external auditor should obtain a sufficient understanding of internal audit activities to identify and assess the risks of misstatement of the financial statements and to design and perform further audit procedures. The external auditor should perform an assessment of the internal audit function when internal auditing is relevant to the external auditor s risk assessment. This means the external auditors should consider the following: S T R I P Scope of work: How are internal auditors employed and how are their recommendations implemented? Technical competence: People of good quality, who are properly trained and supervised, staff the internal audit function. Reports and resources: Adequately resourced with suitable staff and technology, producing reliable reports. Independence: Should be free to report as independently as possible to audit committee or chief executive. Professional care demonstrates care and diligence in the way that they plan, record and monitor their work. 18

19 When external auditor intends to use specific work of internal auditing, the external auditor should evaluate and perform audit procedures on that work to confirm its adequacy for the external auditor s purposes. This evaluation may significantly reduce the amount of detailed testing that the external auditors would normally carry out. Typical issues to be identified are these: The nature and timing of the tests reflects sound judgement of risk and materiality. The work is done by technically competent persons The work is documented with a high standard of care. Any unusual features that are discovered are suitably investigated and drawn to management s attention. The work of assistants is suitably supervised and documented. The audit conclusions are appropriate and suitably reported. The work of the internal auditors is tested and the external auditor is satisfied with the quality of work done. 19

20 Exercise - Reliance On Internal Audit Your firm is the newly appointed external auditor to a large company that sells, maintains and leases office equipment and furniture to its customers and you have been asked to co-operate with internal audit to keep audit costs down. The company wants the external auditors to rely on some of the work already performed by internal audit. The internal auditors provide the following services to the company: i) A cyclical audit of the operation of internal controls in the company s major functions (operations, finance, customer support and information services); ii) A review of the structure of internal controls in each major function every four years; iii) An annual review of the effectiveness of measures put in place by management to minimise the major risks facing the company. During the current year, the company has gone through a major internal restructuring in its information services function and the internal auditors have been closely involved in the preparation of plans for restructuring, and in the related post-implementation review. Required: 20

21 a) Explain the extent to which your firm will seek to rely on the work of the internal auditors in each of the areas noted above. (6 marks) b) Describe the information your firm will seek from the internal auditors in order for you to determine the extent of your reliance. (6 marks) c) Describe the circumstances in which it would not be possible to rely on the work of the internal auditors. (4 marks) d) Explain why it will be necessary for your firm to perform its own work in certain audit areas in addition to relying on the work performed by internal audit. (4 marks) (Total: 20 marks) 21

22 SOLUTION: RELIANCE ON INTERNAL AUDIT Key answer tips This question focuses on the relationship between the internal and external audit functions. This is a standard area which should have been covered thoroughly in your studies however, as always, the examination question as set gives the topic a specific emphasis which must be fully reflected in your answer. In dealing with part (a) it is important to appreciate that the objectives of the external auditors are more concerned with the true and fair view presented by the financial statements than are the internal auditors. Consider the situations given in the question in this context. Much of your answer to part (b) can be based on standard material but note that a good answer must make some specific reference to the cyclical aspect of the work of the internal auditors. Parts (c) and (d) are dealing with reasonably standard aspects of the relationship between the internal and external audit functions these should not produce major difficulties in answering the question. 22

23 a. Reliance on work of internal auditors i. As requested, the external auditors will seek to rely on the work of internal audit to the maximum extent possible. This might cover planning, risk assessment, tests of controls and substantive testing. ii. In all cases, the external auditor should be aware that the purpose of internal audit s work will not be primarily directed towards the financial statements. iii. In relation to the cyclical audit of internal controls, it may be possible to rely on the work of internal audit in relation to all of the areas noted, but only if the internal controls audited affect the financial statements. It may be that internal audit s work on operations and customer support is less relevant than its work in other areas. iv. In relation to the four-year review of internal controls the extent of reliance will depend on how long ago the last review was conducted. If it was conducted recently, it will provide help in relation to the external auditors assessment of the accounting and internal control systems. v. In relation to risk management the relevance of internal audit work depends on the extent to which risks in relation to reporting in general, and the financial statements in particular, have been addressed separately by management. This work will be relevant to the external auditors risk assessment and planning. b) Information required i. The information required to determine the extent of external audit reliance on internal audit s cyclical audit will be: 23

24 internal audit s systems documentation (the work on information systems and finance may include documentation of the company s accounting and internal control systems); internal audit s planning documentation which may cover a risk analysis, tests of controls and substantive procedures; the results of tests of control and substantive procedures; documentation on the four-year review of internal controls, particularly in relation to the finance and information services functions. ii. The external auditors should ask to see all documentation relating to the work performed by internal audit on information services restructuring during the year because the external auditors assessment and testing of systems will be split into two parts, pre- and post-restructuring. iii. Other documentation requested will include internal audit s operating procedures manuals and documentation relating to the recruitment, training and development of internal audit staff, and management responses to internal audit recommendations. This information is required to enable the external auditor to form an opinion on the competence and effectiveness of the internal audit function. 24

25 c) Circumstances in which it would not be possible to rely on the work of internal audit i. It may not be possible to rely on the work of internal auditors if they: are not competent (this relates to experience as well as qualifications); lack integrity; do not properly plan or document their work, or if management does not act on (or at least respond to) recommendations made; do not perform work relevant to the external auditor. ii. It will also not be possible to rely on internal audit if internal audit is insufficiently independent within the organisation, i.e. where internal auditors have insufficient operational freedom, where they are reporting to those who control the functions that they work on, or where they are reporting on their own work. d) External auditor work i. External auditors will wish to perform work independently, regardless of internal audit work, in all areas that are material to the financial statements. For immaterial areas in which internal audit work can be shown by testing and review to be adequate, it may be possible to rely on the work of internal audit without performing any other work. ii. Areas material to the financial statements are likely to be long and shortterm leasing receivables and inventory. Leases may be complex and the auditors will wish to ensure that accounting policies are appropriate and that 25

26 they have been properly applied. The valuation of inventory will have a direct effect on the profit for the period. This is an area that is easy to manipulate and external auditors will wish to ensure that this has not happened. iii. External auditors will also wish to perform their own risk analysis and final review of financial statements in order to ensure that no high risk areas have been overlooked. 26