Internal Audit

What is Internal Audit ?

Meaning of Internal Audit

The internal audit is a continuous review of operations and records undertaken within the business and is normally done by specially assigned staff. It should operate independently of all the internal check and in no case should divest any one of the responsibilities placed upon him.
An ongoing appraisal of the financial health of a company's operations by its own employees. Employees who carry out this function are called internal auditors. During an internal audit, internal auditors will evaluate and monitor a company's risk management. reporting, and control practices and make suggestions for improvement. Internal auditing covers not only an organisation's finance function, but all the operations and systems in a firm. While internal auditors are typically accountants, this activity can also be carried-out by other professionals who are well-versed with a company's functions and the relevant regulatory requirements.

Definition of Internal Audit

Definition of internal audit by different authors are as follows :

The institute of Internal Auditors, U.S.A., has defined internal audit as under : 
"Internal auditing is an independent appraisal activity within an organisation for the review of operations as a service to management. It is a managerial control which functions by measuring and evaluating the effectiveness of other controls."

ICAI describes Internal Audit as :
"An independent management function, which involves a continuous and critical appraisal of the functioning of entity with a view to suggest improvements thereto and to add value and the overall governance mechanism of the entity, including the entity's strategic risk management and internal control system. Internal Audit, therefore, provides assurance that there is transparency in reporting, a part of good governance".

Features of Internal Audit 

The features of internal audit are as follows :
  1. The system of internal audit has got an independent status in the organisation. The system, therefore. maintains its independent position.
  2. Internal audit is totally free from the managerial or executive functions. However, it may help in formulating executive decisions without actually taking part in such decisions. 
  3. It maintains its regular watch and constant review over the accounting and financial matters. Thus, it can make investigations into any phase of activities of the organisation. 
  4. Internal audit is a system of audit by the internal auditor who is an employee of the organisation. But he does not work under any sort of managerial pressure. However, he must have a clear understanding of the duties assigned to him.

Objectives of Internal Audit

The objectives of the internal audit can be summarized as follows :

1) Independence : 
The internal auditor should have the independence in terms of organisational status and personal objectivity which permits the proper performance of his duties.

2) Staffing and Training : 
The internal audit unit should be appropriately staffed in terms of numbers, grades. qualifications and experience, having regard to its responsibilities and objectives. The internal auditor should be properly trained to fulfill all his responsibilities.

3) Relationships : 
The internal auditor should seek to foster constructive working relationship and mutual understanding with management, with external auditors, with any other review agencies and, where one exist, the audit committee.

4) Due Care : 
The internal auditor should exercise due care in fulfilling his responsibilities. 

5) Planning, Controlling And Recording : 
The internal auditor should adequately plan, control and record his work.

6) Evaluation of the Internal Control System : 
The internal auditor should identify and evaluate the organisation's internal control system as a basis for reporting upon its adequacy and effectiveness.

7) Evidence : 
The internal auditor should obtain sufficient, relevant and reliable evidence on which to base reasonable conclusions and recommendations.

8) Reporting and Follow-up : 
The internal auditor should ensure that findings, conclusions and recommendations arising from each internal audit assignment are communicated promptly to the appropriate level of management and he should actively seek a response. He should ensure that arrangements are made to follow up audit recommendations to monitor what action has been taken on them.

Principles of Internal Audit

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance. The IIA's Code of Ethics extends beyond the definition of internal auditing to include two essential components. 
  1. Principles that are relevant to the profession and practice of internal auditing.
  2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.
The Code of Ethics together with the ILA's Professional Practices Framework and other relevant Institute pronouncements provide guidance to internal auditors serving others. "Internal auditors" refers to Institute members, recipients of or candidates for IIA professional certifications, and those who provide internal auditing services within the definition of internal auditing.

Applicability and Enforcement

This Code of Ethics applies to both individuals and entities that provide internal auditing services.
For Institute members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to the Institute's Bylaws and Administrative Guidelines. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary action.

Internal auditors are expected to apply and uphold these principles. 

1) Integrity : 
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

2) Objectivity : 
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating. and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

3) Confidentiality : 
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

4) Competency : 
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

Rules of Conduct

Following are the rules of conduct :

1) Integrity: Internal auditors :
  • Shall perform their work with honesty, diligence, and responsibility. 
  • Shall observe the law and make disclosures expected by the law and the profession 
  • Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
  • Shall respect and contribute to the legitimate and ethical objectives of the organization.

2) Objectivity: Internal auditors :
  • Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
  • Shall not accept anything that may impair or be presumed to impair their professional judgment. 
  • Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3) Confidentiality: Internal auditors :
  • Shall he prudent in the use and protection of information acquired in the course of their duties.
  • Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4) Competency: Internal auditors :
  • Shall engage only in those services for which they have the necessary knowledge, skills and experience. 
  • Shall perform internal auditing services in accordance with the Standards for the Professional Practice of Internal Auditing.
  • Shall continually improve their proficiency and the effectiveness and quality of their services.

Process of Internal Audit

The internal audit process is as follows :

Step 1: Notification : 
First, the company will receive a letter to informing about an upcoming audit. The auditor will send company a preliminary checklist. This is a list of documents (e.g., organisation charts, financial statements) that will help the auditor to learn about the unit before planning the audit.

Step 2: Planning : 
After reviewing the information, the auditor will plan the review, conduct an engagement risk assessment, draft an audit plan, and schedule an opening meeting.

Step 3: Opening Meeting : 
The opening meeting should include senior management and any administrative staff that may be involved in the audit. During this meeting, the scope of the audit will be discussed. Company should feel free to ask the auditors to review the concerned areas. The time frame of the audit will be determined, and company should discuss any potential timing issues (e.g., vacations, deadlines) that could impact the audit. It does not take as much of time as might expected.

Step 4: Fieldwork : 
After the opening meeting, the auditor will finalize the audit plan and begin fieldwork Fieldwork typically consists of talking with staff, reviewing procedure manuals, learning about business processes, testing for compliance with applicable university policies and procedures and laws and regulations. and assessing the adequacy of internal controls. Company should make their staff aware that the auditor will be scheduling meetings with them.

Step 5: Communication : 
Throughout the process, the auditor will keep company informed, and they will have an opportunity to discuss issues noted and the possible solutions.

Step 6: Report Drafting : 
After the fieldwork is completed, the auditor will draft a report. The report consists of several sections and includes the distribution list, the follow-up date, a general overview of that unit, the scope of the audit, any major audit concerns, the overall conclusion, and detailed commentary describing the findings and i recommended solutions. Company should read the draft report carefully to make sure there are no errors. If they find a mistake, inform the auditor right away so that it can be corrected before the final report is issued.

Step 7: Management Response : 
Once the report is finalized, auditor will request company management responses. The response consists of 3 components whether they agree or disagree with the problem, their action plan to correct the problem, and the expected completion date.

Step 8: Closing Meeting : 
It will be held so that everyone can discuss the audit report and review company management responses. This is an opportunity to discuss how the audit went and any remaining issues. 

Step 9: Report Distribution : 
The report is then distributed to company, their manager(s), senior university administrators, internal audit, and the university's external auditors. Auditor also distribute an audit survey to the audited unit to solicit feedback about the audit. Feedback is important to us, since it can help us improve the audit process.

Step 10: Follow-Up : 
Follow-up reviews are performed on an issue-by-issue basis and typically occur shortly after the expected completion date, so that agreed upon corrective actions can be implemented. The purpose of the follow-up is to verify that company have implemented the agreed-upon corrective actions. The auditor will interview staff, perform tests, or review new procedures to perform the verification. Company will then receive a letter from the auditor indicating whether they have satisfactorily corrected all problems or whether further actions are necessary.

Requisites of an Efficient Internal Audit Department 

Requisites of an efficient internal audit department are as follows :

1) Appoint the Right Person to be the Chief Audit Executive (CAE) : 
The audit committee of the Board of Directors is directly responsible for the appointment, compensation, and, when necessary, dismissal of the company's CAE The audit committee should also oversee the work of the CAE by approving the internal audit function's budget, audit plan, and scope and by receiving internal audit reports. The CAE's responsibilities are to provide assurance, counsel, and advice to management regarding the company's efficiency, economy, and effectiveness in risk management, financial reporting, internal controls, and governance processes under the oversight function of the audit committee. To fulfill these responsibilities effectively, the CAE should be accepted in the company's "C-Suite" as part of the senior management team. The CAE must participate in relevant management meetings and provide comments, input, and insight on managerial decisions. The CAE is administratively accountable and reports to the company's Chief Executive Officer (CEO) and also functionally accountable and reports to the audit committee. As the head of the company's internal audit function, the CAE should be competent and knowledgeable in internal auditing standards, tools, methodology, and practices; supervise the internal audit function; communicate effectively with the audit committee, management, and internal audit staff and demand productive performance and ethical conduct from the internal audit staff.

2) Establish a Written Audit Charter : 
The internal audit charter should specify the purpose, authority, and responsibility of the internal audit function as an integral component of corporate governance in adding value to the company's sustainable performance. The purpose of the function should be clearly described in the charter as providing assurance and consulting services in risk management, financial reporting, internal controls, and governance processes. The authority of the internal audit function is granted by the company's Board of Directors, particularly the audit committee, to conduct internal audit activities in adding value to the company's performance, have sufficient resources to carry out its responsibilities effectively, and have access to all records, personnel, and property required to conduct internal audits.

3) Develop an Audit Strategy : 
The internal audit function should have a sound audit strategy that is effective and efficient and adds value to the company's operations in risk management, financial reporting, internal controls, and governance processes. The internal audit strategy should be developed by the CAE in collaboration with management and approved by the audit committee. The strategy should specify audit plans, scope, nature, procedures, and timing of all internal audit activities.

4) Implement the Audit Strategy : 
An effective implementation of internal audit strategy requites - proper audit plans, sufficient resources including qualified ethical and highly specialized and competent staff, commitment from senior management, and approval of the audit committee. Internal auditors should have adequate training and proficiency in -accounting principles, policies, and practices; internal auditing standards, techniques, tools, and procedures; corporate governance reforms and management principles; and a knowledge base in accounting, economics, taxation, finance, information technology, and quantitative methods.

5) Establish Quality Assurance and Performance Evaluation : 
To ensure a high quality internal audit function that adds value to the company's operations and performance, the internal audit function should be evaluated annually. The performance of internal audit staff should be evaluated by the CAE based on predetermined evaluation benchmarks and process. The performance of the CAE should be evaluated by management (e.g., the Chief Executive Officer) and reviewed by the audit committee. The purpose of this evaluation is to improve the quality of the internal audit function and provide a basis for promotion, advancement, and compensation.

Advantages of Internal Audit

Internal audit provides the following importance :

1) Makes Staff Alert : 
Staffs remain alert because their work shall be checked by the internal auditor. So, accounting remains correct. 

2) Detect Errors and Frauds :
Internal audit helps to detect errors and frauds and provides suggestions to improve them which helps the management to take corrective action.

3) Reduce Misuse of Resources :
Internal audit detects the misuse of resources in time which helps to reduce unnecessary expenses.

4) Checks Efficiency : 
Internal audit checks the efficiency of staffs which helps to increase the efficiency of them.

5) Helps Auditor : 
Internal audit checks the books of accounts, detects errors and frauds and helps in its correction which makes the act of final auditor easier.

6) Increases Morale : 
Internal audit increases the morale of honest staff because evaluation of performance of any staffs will be made at any time.

Disadvantages of Internal Audit 

Internal audit suffers from the following limitations :
  1. Internal audit's report is not accepted by either the shareholders or tax authorities, it is the external auditor report which is required to be submitted to these parties.
  2. Since internal audit is done by the employees of the company chances are that it may be biased and therefore company cannot depend on such reports. 
  3. Since an internal audit is not done by the professional auditor chances of internal auditor not detecting the errors are high.