Internal Audit
An independent appraisal activity established within an organization as a service to it. A control in itself
which functions by examining and evaluating the adequacy and effectiveness of other controls.
It functions by, amongst other things, examining, evaluating and reporting to management and the
directors on the adequacy and effectiveness of components of the accounting and internal control
systems
(Internal Audit is NOT a regulatory requirement BUT is a corporate governance best practice guideline)
There is NO requirement for internal auditor to be professionally qualified.
INDEPENDENCE
Internal auditors should:
• monitor and review controls, not design and implement them;
• report to the audit committee
• be free to decide on the nature and scope of their work;
• be free to communicate fully with the external auditors.
Steps to conduct internal audit
1. Identify the risks which may occur if there are no controls in place
2. Identify controls in place
3. Evaluate whether the controls in place reduce the risk to an acceptable level, i.e. they are adequate.
4. Evaluate whether the controls are working effectively.
5. Report
Functions of Internal Audit
1. Reviewing adequacy and effectiveness of financial and operational internal control systems
2. Helping management with risk assessment
3. Examining operating and financial information (is it reliable, adequate, timely? How is it identified
and communicated?)
4. Review of compliance with laws, regulations and other external requirements and with
management policies and directives and other internal requirements.
Page | 192
, 5. Special assignments- some examples
- Value for Money audit (VFM)
- Mystery shopping
- Financial audit
- Financial statement audit
- IT system audit
- HR audit
- Undertake inventory counts
6. Internal audit’s role in preventing and detecting fraud and error
- Can help by assessing the main areas of fraud risk
- Can help by assessing the adequacy and effectiveness of control systems.
- Can undertake regular reviews of compliance of these controls.
- Where fraud is suspected, the internal audit department can undertake a detailed fraud
investigation to identify who is involved, likely sums stolen and gather evidence for any
subsequent police investigation.
- The presence of an internal audit department can itself act as a fraud deterrent, as the risk of
being discovered means individuals are less likely to undertake fraudulent activities.
Factors determining need of internal audit
Before establishing an internal audit department, consider the following:
Will it be cost-beneficial?
Consider the size and complexity of operations as well as number of employees- is more monitoring
needed due to increased chances of fraud and error?
Have key risks and processes changed? Internal audit can help in risk assessment and in reviewing
controls.
Problems with existing controls- is there a history of control deficiencies?
Need of special assignments that normally internal audit carries out. The ability of current
management to carry out these assignments will need to be considered. If they do not have the
ability, an IA department may be needed.
What does corporate governance say about Internal Audit?
IA should report to the Audit Committee. The AC will monitor if internal audit is effective. If there is
no IA department, the AC should determine whether there is need for one. In case they believe the
internal audit, department is not required, it needs to explain the reason for this in the annual
report.
Assistance to the board of directors:
The IA department checks reports that are not audited by the external auditors.
It can help the board with regards to accounting and auditing standards when required.
IA can liaison with external auditors which can reduce the time and cost of external audit.
Page | 193
An independent appraisal activity established within an organization as a service to it. A control in itself
which functions by examining and evaluating the adequacy and effectiveness of other controls.
It functions by, amongst other things, examining, evaluating and reporting to management and the
directors on the adequacy and effectiveness of components of the accounting and internal control
systems
(Internal Audit is NOT a regulatory requirement BUT is a corporate governance best practice guideline)
There is NO requirement for internal auditor to be professionally qualified.
INDEPENDENCE
Internal auditors should:
• monitor and review controls, not design and implement them;
• report to the audit committee
• be free to decide on the nature and scope of their work;
• be free to communicate fully with the external auditors.
Steps to conduct internal audit
1. Identify the risks which may occur if there are no controls in place
2. Identify controls in place
3. Evaluate whether the controls in place reduce the risk to an acceptable level, i.e. they are adequate.
4. Evaluate whether the controls are working effectively.
5. Report
Functions of Internal Audit
1. Reviewing adequacy and effectiveness of financial and operational internal control systems
2. Helping management with risk assessment
3. Examining operating and financial information (is it reliable, adequate, timely? How is it identified
and communicated?)
4. Review of compliance with laws, regulations and other external requirements and with
management policies and directives and other internal requirements.
Page | 192
, 5. Special assignments- some examples
- Value for Money audit (VFM)
- Mystery shopping
- Financial audit
- Financial statement audit
- IT system audit
- HR audit
- Undertake inventory counts
6. Internal audit’s role in preventing and detecting fraud and error
- Can help by assessing the main areas of fraud risk
- Can help by assessing the adequacy and effectiveness of control systems.
- Can undertake regular reviews of compliance of these controls.
- Where fraud is suspected, the internal audit department can undertake a detailed fraud
investigation to identify who is involved, likely sums stolen and gather evidence for any
subsequent police investigation.
- The presence of an internal audit department can itself act as a fraud deterrent, as the risk of
being discovered means individuals are less likely to undertake fraudulent activities.
Factors determining need of internal audit
Before establishing an internal audit department, consider the following:
Will it be cost-beneficial?
Consider the size and complexity of operations as well as number of employees- is more monitoring
needed due to increased chances of fraud and error?
Have key risks and processes changed? Internal audit can help in risk assessment and in reviewing
controls.
Problems with existing controls- is there a history of control deficiencies?
Need of special assignments that normally internal audit carries out. The ability of current
management to carry out these assignments will need to be considered. If they do not have the
ability, an IA department may be needed.
What does corporate governance say about Internal Audit?
IA should report to the Audit Committee. The AC will monitor if internal audit is effective. If there is
no IA department, the AC should determine whether there is need for one. In case they believe the
internal audit, department is not required, it needs to explain the reason for this in the annual
report.
Assistance to the board of directors:
The IA department checks reports that are not audited by the external auditors.
It can help the board with regards to accounting and auditing standards when required.
IA can liaison with external auditors which can reduce the time and cost of external audit.
Page | 193
