UNIT IV
INTERNAL AUDIT
Q1) What is Internal Audit? What are its objectives?
A1) SA 610 issued by the Institute of Chartered Accountants of India (ICAI) defines Internal Audit as follows: Internal audit is a separate component of internal Control established to determine whether other Internal controls are well designed and properly operated.
Objectives
1. Proper Control
One of the main objectives of an internal audit is to keep stringent control over all the activities of an organization. The management needs assurance of the authenticity of the financial records and the efficiency of the operations of the firm. An internal audit helps establish both.
2. Perfect Accounting System
An internal audit keeps a very close check on the accounting system of an organization. It checks everything from the vouchers, to the authority of transactions to mathematical accuracy. All entries are verified against documents and other proof. Chances of mistakes or frauds are greatly reduced.
3. Review of Business
The purpose of an internal audit is to keep a check on the financial and operational aspects of a business. So as the current financial year is ongoing, internal audit can point out the mistakes, weak points, and strengths of the business. This will allow an ongoing review, instead of waiting till the year-end.
4. Asset Protection
In the process of internal audit, there is always a valuation and verification of an asset. There is also a physical verification of the ownership and possession of the asset.
And in case of special transactions like sale, purchase or revaluation of the asset, the authorization of this is also audited in an internal audit. So the assets enjoy complete protection.
5. Keeps a Check on Errors
In a financial audit, the auditor will be able to determine if any mistakes were made in the financial records. But this only happens at the end of the financial year.
And the mistakes are corrected thereafter. But in case of an internal audit, the mistakes are spotted as soon as they are made, and corrected immediately.
6. Detection of Fraud
In case the company has an internal audit in place, the detection of fraud becomes much easier. This is because there is a year-round check on the employees.
In fact, an employee is less likely to attempt fraud in the presence of an internal auditor. He will not have any time gap between the occurrence of fraud and its detection to cover it up. This will dissuade employees from committing fraud.
Q2) What are the principles that govern Internal Audit?
A2) Basic Principles of establishing Internal Audit
The Internal Auditor shall be free from any undue influences which force him to deviate from the truth. This independence shall be not only in mind, but also in appearance. Also, the internal auditor shall resist any undue pressure or interference in establishing the scope of the assignments or the manner in which these are conducted and reported, in case these deviate from set objectives.
The independence of the internal audit function as a whole, and the Internal Auditor within the organisation, plays a large part in establishing the independence of the Internal Auditor. The overall organisation structure of key personnel, the position and reporting of the Chief Internal Auditor within this structure, along with the powers and authority which is derived from superiors further establishes the independence of the Internal Auditor.
The reporting of the Internal Auditor shall be to the Board of Directors, or the Audit Committee, who are responsible to appoint the Internal Auditors as per Rule 8 of “The Companies (Meetings of Board and its Powers) Rules, 2014”. Many times the Internal Auditor has a dual reporting responsibility, wherein the administrative reporting is to an executive officer (e.g., MD or CEO), but functional reporting to the Chairman of the Audit Committee, which is the acceptable norm. Therefore, the internal audit function shall be positioned outside the functions which are subject to internal audit (e.g., Finance and Accounts) and the Internal Auditor shall report directly to the highest governing body of the Company as stated above.
At times, the Internal Auditor is exposed to a different type of risk to independence, whereby management seeks active business support from the Internal Auditor. Apart from providing basic assurance and advisory inputs, the Internal Auditor is assigned certain operational responsibilities (such as risk management, compliance, system automation, process re-engineering, etc.). Although some limited operational role may be acceptable with due approvals, and for a short duration, the Internal Auditor shall do so only after communicating his limitations along the following lines:
(a) Unable to assume ownership or accountability of the process; and
(b) Inability to take operational decisions which may be subject to an internal audit later on.
2. Integrity and Objectivity
The Internal Auditor shall be honest, truthful and be a person of high integrity. He shall operate in a highly professional manner and seen to be fair in all his dealings. He shall avoid all conflicts of interest and not seek to derive any undue personal benefit or advantage from his position.
The Internal Auditor shall conduct his work in a highly objective manner, especially in gathering and evaluation of facts and evidence. He shall not allow prejudice or bias to override his objectivity, especially in arriving at conclusions or reporting his opinion.
3. Due Professional Care
The Internal Auditor shall exercise due professional care and diligence while carrying out the internal audit. “Due professional care” signifies that the Internal Auditor exercises reasonable care in carrying out the work to ensure the achievement of planned objectives.
The Internal Auditor shall pay particular attention to certain key audit activities, such as establishing the scope of the engagement to prevent the omission of important aspects, recognizing the risks and materiality of the areas, having required skills to review complex matters, establishing the extent of testing required to achieve the objectives within specified deadlines, etc.
“Due Professional Care”, however, neither implies nor guarantees infallibility, nor does it require the Internal Auditor to go beyond the established scope of the engagement.
4. Confidentiality
The Internal Auditor shall at all times, maintain utmost confidentiality of all information acquired during the course of the audit work. He shall not disclose any such information to a party outside the internal audit function and any disclosure shall be on a “need to know basis”.
The Internal Auditor shall keep confidential information secure from others. Under no circumstance any confidential information shall be shared with third parties outside the company, without the specific approval of the Management or Client or unless there is a legal or a professional responsibility to do so (e.g., to share information with Statutory Auditors). Internal audit reports shall be addressed to specified internal auditees and distributed to only those who appointed or engaged the Internal Auditor and as per their directions.
5. Skills and Competence
The Internal Auditor shall have sound knowledge, strong inter-personal skills, practical experience and professional expertise in certain areas and other competence required to conduct a quality audit. He shall undertake only those assignments for which he has the requisite competence.
The Internal Auditor shall either have, or shall obtain, such skills and competencies, as necessary for the purpose of discharging his responsibilities. Continuing Professional Education is a key part of this exercise. In addition to the basic technical skills, the Internal Auditor shall have the softer skills (such as interpersonal and communication skills) required to engage with a multitude of stake-holders.
Where the Internal Auditor lacks certain expertise, he shall procure the required skills either though in-house experts or through the services of an outside expert, provided independence is not compromised. The objective is to ensure that the audit team as a whole has all the expertise and knowledge required for the area under review.
6. Risk Based Audit
The Internal Auditor shall identify the important audit areas through a risk assessment exercise and tailor the audit activities such that the detailed audit procedures are prioritised and conducted over high risk areas and issues, while less time is devoted to low risk areas through curtailed audit procedures. Additionally, this approach shall ensure that risks under consideration are more aligned to the overall strategic and company objectives rather than narrowly focused on process objectives.
A risk based audit shall ensure the following three fold objectives:
(a) Audit procedures need not cover the whole process and can be limited only to the important controls in the process;
(b) Establish linkage to the aspects relevant and connected with company and functional objectives; and
(c) Findings and issues highlighted are significant and important and time is not devoted to areas with low probability of significant observations.
7. System and Process Focus
An Internal Auditor shall adopt a system and process focused methodology in conducting audit procedures. This methodology is more sustainable than the one adopted to test transactions and balances as it goes beyond “error detection” to include “error prevention”. It requires a root cause analysis to be conducted on deviations to identify opportunities for system improvement or automation, to strengthen the process and prevent a repetition of such errors.
Deployment of Information Technology by companies is widely prevalent and should be understood for effective internal audits. This is a more sustainable approach as this helps the Internal Auditor to move away from “people to process” and from “detection to prevention”.
8. Participation in Decision Making
In conducting internal audit assignments, the Internal Auditor shall avoid passing any judgement or render an opinion on past management decisions. As part of his advisory role, the Internal Auditor shall avoid participation in operational decision making which may be subject of a subsequent audit.
The focus of the Internal Auditor shall remain with the quality and operating effectiveness of the decision making process and how best to strengthen it, such that the chance of flawed or erroneous decisions is minimised. However, the Internal Auditor is at full liberty to present the lessons which can be learnt from such past decisions.
9. Sensitive to Multiple Stakeholder Interests
The Internal Auditor shall evaluate the implications of his observations and recommendations on multiple stakeholders, especially where diverse interests may be conflicting in nature. In such situations, the Internal Auditor shall remain objective and present a balanced view. This would permit senior management to make a decision using all the information and balance the strategy and objectives of the company with the expectations and interests of its multiple stakeholders.
10. Quality and Continuous Improvement
The quality of the internal audit work shall be paramount for the Internal Auditor since the credibility of the audit reports depends on the reliability of reported findings. The Internal Auditor shall have in place a process of quality control to:
(a) ensure factual accuracy of the observations;
(b) to validate the accuracy of all findings; and
(c) continuously improve the quality of the internal audit process and the internal audit reports.
The Internal Auditor shall ensure that a self-assessment mechanism is in place to monitor his own performance and also that of his subordinates and external experts on whom he is relying to complete some part of the audit work. A peer review mechanism for quality control shall be followed to adhere to all aspects of the pronouncements issued by the ICAI.
Q3) Explain evaluation of Internal Audit by Statutory Auditor?
A3) Statutory auditor should determine:
A. If the internal auditor’s work is adequate for audit purpose and evaluate:
i. Objectivity of internal audit function
ii. Internal auditor’s technical competence
iii. Internal auditor’s work is carried out with professional care
iv. Effective communication between the internal auditor and the external auditor
B. Planned effect of internal auditor’s work on the nature, timing or extent of statutory auditor’s procedures and consider:
i. Nature and scope of specific work performed or to be performed
ii. Assessed risk of material misstatement at the assertion level for a particular class of transaction, account balance and disclosure
iii. The degree of subjectivity involved in evaluating the audit evidence to support the relevant assertions.
Q4) Discuss the usefulness of Internal Audit.
A4) Some specific benefits that an Internal Audit function can provide to an organization and its management:
Q5) Differentiate between Internal Audit and External Audit.
A5) Internal Audit vs. External Audit
TOPIC | INTERNAL AUDIT (IA) | STATUTORY AUDIT (SA) |
Voluntary / Compulsory | IA is Voluntary | SA is compulsory under law e.g. under Companies Act. |
Appointment | Internal Auditor is appointed by the management itself. | Statutory Auditor is appointed by the shareholders of a Company. |
Status | Internal Auditor is an employee of the concern. | Statutory Auditor is an independent outside expert. |
Responsible & reports to | Internal Auditor is responsible and reports to management. | Statutory Auditor is responsible and reports to shareholders. |
Scope of duties | Management decides the scope of duties of internal Auditor. It includes non accounting matters. | Duties of statutory auditor are laid down by law (e.g. Companies Act) its scope limited to accounting matters. |
Removal | Internal auditor can be removed by the management on its own. | Statutory Auditor can be removed by shareholders only if approved by central Government. |
Objectives | IA aims to review the internal control system of concern. | SA aims to report to shareholders whether the accounts are true and fair. |
Period | IA is continuous. | SA is normally periodical or annual. |
Qualifications | No qualifications are prescribed by law for an Internal Auditor. | Qualifications are prescribed by law for Statutory Auditor. |
Liability for Negligence | Internal Auditor is liable only to management and not to shareholders or third parties. | Statutory Auditor is liable to shareholders and in some cases to third parties also. |
Q6) Differentiate between Internal Check and Internal Audit.
A6) Internal Check vs. Internal Audit
BASIS FOR COMPARISON | INTERNAL CHECK | INTERNAL AUDIT |
Meaning | Internal Check is a system, wherein division of work and allocation of responsibilities are organized in such a manner that the work of one employee is spontaneously looked over by another. | Internal Audit is the ongoing critical examination of the financial and operational activities of the concern, by an internal auditor. |
Method | Work of one person is automatically checked by another person. | Work performed by the employees is examined by a separate group. |
Commencement of Work | Commences from the moment a transaction is entered. | Once the transaction has been recorded in the books. |
Involved evaluation of | Accounting and clerical accuracy | Effectiveness of management control |
Performed by | Existing staff | A specially dedicated team of auditors |
Cost Involvement | Economical | Comparatively Expensive |
Thrust of System | Prevention of errors and frauds | Detection of errors and frauds |
Tool for | Arrangement of the work | Examination of the work |
Time of Checking | Checking is performed simultaneously when the work is performed. | Examination of the work takes place after the work is completed. |
Report | Summary of day to day transactions acts as a report to the supervisor. | Submits his/her report to the management. |
