Forum for Knowledge Sharing


Overview of Internal Audit 8 years 6 months ago #97

Internal Auditing has gained so much importance that conducting it has been made mandatory by regulators for listed and other specified companies.
Internal Audit began in a modest manner during the Second World War when organisations found it difficult to maintain operational efficiency and control. Companies appointed special staff (i.e. present day internal auditors) to review operations and report to them. The tasks assigned to internal auditors varied from routine checks on finance and operations to appraisal of financial & operational activities.
Earlier, internal audit was largely voluntary; management appointed internal auditors when they felt the need. With increased complexities in business, frauds and scams, internal audit has become essential for most organisations. Be it the SEC in the United States or SEBI in India, regulators are prescribing mandatory internal audits. The range of activities undertaken by internal audit teams has increased. They cover a whole gamut of operations ranging from review of finance & operations to providing assurance and consulting services.
This book attempts to cover some aspects of this vast body of knowledge. It includes basic procedural aspects of internal audit, standards of conduct as well as contemporary issues like corporate governance.

I have dedicated this book to the profession and industry. I shall appreciate from our readers and all concerned any questions on various issues, which can be included in our future editions or responded to through email.

We will also appreciate from our readers friendly criticisms, suggestions and calling attention to errors which might have inadvertently crept in.
Rajkumar S. Adukia

Section I: Foundation of Internal auditing
1.1 What is internal auditing?
1.2 History and background
1.3 Purpose of internal auditing
1.4 Scope of internal auditing
1.5 Role of auditors
1.6 Organisational Independence and Objectivity
1.7 Professionalism

Section II: Types of internal Auditing
2.1 Financial Audits
2.2 Operational Audits
2.3 Grant Audits
2.4 Project Audits
2.5 Information System Audit
2.6 Compliance Audits
2.7 Investigative Audit
2.8 Due diligence

Section III: Managing Internal Audit
3.1 Organising the department
3.2 Audit Staff
3.3 Managing the Audit
Audit Planning
Risk Management
Engagement memorandum

Section IV: Audit programme and procedures
4.1 Field survey
4.2 Audit programme
4.3 Audit procedures
4.4 Evaluation of internal control system
4.5 Audit sampling
4.6 Audit Tests
4.7 Specimen letters

Section V: CAATs
5.1 Definition
5.2 Need
5.3 Techniques
5.4 Commonly used Audit Software

Section VI: Audit Work papers
6.1 Importance
6.2 Functions
6.3 Organisation
i. Document organisation
ii. CAAT work papers
6.4 Review of work papers
6.5 Retention and Custody

Section VII: Audit Reports and Communication

7.1 Purpose of Audit Report
7.2 Types of Audit Report
7.3 Form and content of audit report
7.4 Style and Attributes
7.5 Audit Reporting Cycle
7.6 Evaluation and Follow up
7.7 Specimen Internal audit report

Section VIII: Relationship Management
8.1 Internal Audit and Audit Committee
8.2 Relationship with management
8.3 Working with External Auditors
8.4 Relationship with regulators

Section 1. Foundation of Internal auditing

1.1 What is internal auditing?
1.2 History and background
1.3 Purpose of internal auditing
1.4 Scope of internal auditing
1.5 Role of auditors
1.6 Organisational Independence and Objectivity
1.7 Professionalism

1.1 What is internal auditing?

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
An internal auditor can:

• make an objective assessment of operations and share ideas for best practices.
• provide guidance for improving controls, processes and procedures, performance, and risk management.

Thus, internal audit activity can play an important role and support the board and management in fulfilling an essential component of their governance mechanisms. The internal auditor furnishes analysis, appraisals, recommendations, counsel and information concerning the activities reviewed. The internal auditor can suggest ways for reducing costs, enhancing revenues, and improving profits.

A Partnership...

It is worth remembering that internal audit works in partnership with management and provides the board, the audit committee and executive management assurance that risks are held at bay and the organization’s corporate governance is strong and effective. They work in the same team and want the organisation to be and remain successful.

1.2 History and background

In the 1930s, growth and expansion made it increasingly difficult for organizations to maintain control and operational efficiency. The World War further expanded organizations’ responsibilities for scheduling, managing with limited materials and labourers, complying with government regulations, and an increased emphasis on cost finding. It was difficult for management to observe all the operating areas or be in touch with everybody. Special staff were then appointed to report on happenings in the company; they later came to be known as ‘Internal Auditors’.

The internal auditing function varied greatly between organisations and a number of internal auditors pushed vigorously for greater understanding and recognition of the internal auditing function. One such person was John B. Thurston, head of the internal auditing function at the North American utility company. He is credited with being the person most responsible for the creation of The Institute. He was joined by Robert B. Milne, general auditor of the Columbia Engineering Corporation, and Victor Z. Brink, a former auditor and Columbia University educator who authored the first major book on internal auditing. They gathered friends and associates from the utilities industries, public accounting firms, and other industries, 25 of whom agreed to participate in forming a new organization for internal auditors.

On November 17, The IIA’s Certificate of Incorporation was filed, which officially established The Institute of Internal Auditors’ name; recognized The Institute as a membership corporation; and identified the corporation’s specific purposes.

1.3 Purpose of Internal Auditing

It’s the responsibility of the Board to ensure that risks are managed and controlled. This task is delegated to the executive management, which:
• Determines the risk appetite of the organisation
• Establishes the risk management framework
• Identifies potential threats and assesses risks
• Decides on response to risks like implementation of control
• Monitors and coordinates the risk management processes and the outcomes
• Provides assurance on the effectiveness of risk management processes

This assurance from the management is fundamental. There is a need for additional assurance from a different source. Internal audit can be the key source providing objective assurance that all the significant risks have been identified, risk management process is working effectively and efficiently, risks are being reported and controls are effective. As part of this work, the internal audit activity will provide advice, coaching and facilitation services to assist executive management in carrying out their responsibilities.

1.4 Scope of Internal Auditing

The external auditors have to express an opinion on accuracy and fairness of financial information. The scope of internal audit is much wider than statutory/external audit. It should ideally cover all the organisation’s activities. They include:
• Financial audit – accuracy, completeness and fairness of financial statements
• Operational audit – effectiveness and efficiency of operations
• Safeguarding of assets
• Review of projects
• Management audit
• Fraud detection – developing fraud exposures for every audit and detecting red flags
• Review of effectiveness of internal control
• Compliance with laws, regulations, policies and procedures
• Preservation of ethical culture – monitor the ethical climate and report on red flags that may compromise ethics
• Providing advice on reducing waste or inefficiency

1.5 Role of Auditors

The auditor’s opinion on the truth, fairness, accuracy etc. of the financial statement imposes a larger responsibility on the auditor, which transcends the relationship with the client. The external auditor has to maintain total independence from the client. The auditor is supposed to be a watchdog. Government, creditors, investors and the business and financial community rely on the independence, objectivity and integrity of the auditors for maintaining confidence in operations of a company.

Roles & responsibilities of auditors

Responsibilities of Internal Auditor

Internal Audit is a service to management. Its functions include examining and evaluating internal control and providing assurance to the management. It is a part of the organisation's system of internal control and its scope includes ALL aspects of internal control, not just financial control. The scope of internal audit is much wider than statutory/external audit as discussed in detail above. It should ideally cover all the organisation’s activities.

Responsibilities of External Auditor
External auditors have to express an opinion on accuracy and fairness of financial information. An external audit programme encompasses a full-scope financial statement audit, an attestation of internal controls over financial reporting, or other agreed-upon external audit procedures.
A typical report includes, inter alia, information on:
• Whether they have obtained all the necessary information
• Whether the company has kept all the requisite books of accounts
• Whether the financial statements are in conformity with books of accounts
• Whether the financial statements present a true and fair view of the state of affairs
• Whether proper records for assets, inventory, loans etc. have been maintained by the company
• Adequacy of internal control procedures
• Existence of internal audit system commensurate with nature and size of business
• Details of statutory dues and matters under litigation

Although internal and external auditors have different and clearly defined roles, they do share the same broad purpose of serving the public by helping to ensure the highest standards of regularity and propriety for the use of resources and in promoting efficient, effective and economic administration.

1.6 Organisational Independence and Objectivity

The internal audit activity should be independent from the activities it audits. It should also be free from interference in determining the scope of its work, in performing its duties and in communicating the results. To maintain its independence, it should have a “solid-line” reporting relationship to the audit committee with a “dotted-line” reporting relationship to a senior executive in the organization for administrative purposes, i.e. it should report functionally to those responsible for governance (which can be the audit committee, the board of directors, or another appropriate body) and administratively to an appropriately senior level within the organisation.
The audit committee should safeguard internal audit independence by regularly reviewing and approving the internal audit charter and mandate.
Administrative matters relate to the organisation’s management structure; and the reporting line for them should facilitate the activity’s day-to-day operations. The chief audit executive should have the appropriate seniority in the organisation so that the person has sufficient authority. This will reinforce the organisational status of internal auditing and support its unrestricted access to staff and information.

The activity has to safeguard its independence by getting involved in functional activities like setting the risk appetite for the organisation, decision-making, and implementation of responses. It can play the role of facilitator but should not be accountable for implementation of organisation’s response to risks or any other operational responsibility.

1.7 Professionalism
In the current scenario, the demands for professionalism, knowledge and integrity have increased manifold. To be effective, auditors must serve as objective assurance providers and advisors to the other participants in the governance process like the Board of Directors and the audit committee; provide guidance on improving operational efficiency and control; evaluate risk and advise the management on risk identification, risk tolerance and risk management.
The scope of internal audit has widened and may cover the whole gamut of an organisation’s activities. It is the internal auditor's task to operate within the framework of professionalism to assist the company in achieving the highest-quality results and long-term objectives. This calls for clear and concise guidance that can be readily adopted and followed regardless of the industry, audit specialty, or sector.


Internal auditors need to have the knowledge and skills to perform their individual responsibilities. If the knowledge, skills, or other competencies needed to perform all or part of the engagement are not available within the internal audit staff, then the chief audit executive should obtain competent advice and assistance from outside the activity.
Though the internal auditors are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud, they should have sufficient knowledge to identify the indicators of fraud.

Due Professional Care

The internal auditor is expected to apply due professional care which is expected from a reasonably prudent and competent internal auditor. The internal auditor should exercise due professional care by considering the:
• Extent of work
• Adequacy of risk management, internal control procedures
• Probability of errors, misstatements or irregularities.
• Cost incurred in relation to expected benefits

Continuing Professional Development

Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.

Professional Behaviour

Internal auditors need to act professionally and maintain the good reputation of the profession. The organisation should benefit from the internal audit activity in its risk management and internal control process.
An auditor’s responsibility is not limited to satisfying the needs of an individual employer. The standards of the accountancy profession are heavily determined by the public interest; for example, internal auditors provide assurance about a sound internal control system, which enhances the reliability of the external financial information of the employer. Accountancy and audit bodies like IIA and IFAC have formulated some important principles of behaviour.


Professionalism entails a heavy responsibility. It means subscribing to a Code of Conduct. The professional internal auditor needs to have independence to provide an objective, unbiased opinion. They can never have complete independence but they need sufficient independence.

The Institute of Internal Auditors Code of Ethics provides internal auditors with sufficient mechanism for reporting of audit results, findings, opinion or information. The auditor can report to the appropriate level of management and there should be no need to report in an unauthorized manner to anyone outside the organisation.
Only if the matter is not resolved satisfactorily, or the services of auditor are terminated due to that, he should secure the advice of outside counsel.

Section 2. Types of Internal Audit

2.1 Financial Audit
2.2 Operational Audit
2.3 Grant Audit
2.4 Project Audit
2.5 Information system audit
2.6 Compliance Audit
2.7 Investigative Audit
2.8 Due diligence

2.1 Financial Audit
This type of audit involves a thorough review of a department’s records and reports, in order to check that assets and liabilities are properly recorded on the balance sheet, and that all profits and losses are properly assessed.
In financial audits, significance or materiality is usually defined as a monetary value. Consequently, planning decisions mainly involve the intended degree of audit assurance and the extent of audit work required to provide it. The requirements will vary from one organisation to another and with applicable laws and regulations. Some activities are common to most audits:
o Risk assessment
o Defining Materiality
o Financial statement assertions
o Financial analysis of cash flow statement
o Compliance and substantive procedures
o Analytical procedures
Meeting these objectives involves verification of:
o Revenue
o Sales
o Bank deposits
o Bank reconciliation
o Accounts payable
o Accounts receivable
o Disbursements
o Petty cash transactions
o Loans & Advances
o Assets

2.2 Operational Audit
This type of audit involves a thorough review of a department’s operating procedures and internal controls. They deal with broad performance issues, focusing on whether funds and resources have been economically, efficiently and effectively managed to fulfill the mission and objectives. An operational audit includes elements of a compliance audit, a financial audit, and an information systems audit. In particular, management audits examine and report on matters related to any or all of the following:
• the adequacy of management systems, controls and practices, including those intended to control and safeguard assets, to ensure due regard to economy, efficiency and effectiveness;
• the extent to which resources have been managed with due regard to economy and efficiency; and,
• the extent to which programs, operations or activities of an entity have been effective.

Conducting operational audit
1. Scope: Unlike financial audit, the objectives and scope of operational audit are not so clear or well defined. The first step would be to brainstorm along with the client and define the scope and objectives of audit. It is also necessary to decide the exclusions to the scope.
2. Set audit objectives: The second step would be to set audit objectives. Appropriate audit evidence can be gathered only when objectives are clear. Three elements need to be identified: criteria, cause and effect. They will be concerned with whether the operating objectives will be met.
Review and update the audit objectives after the preliminary survey.

3. Set scope: To manage expectations on what will be achieved by the audit by setting the boundaries of what will and will not be included.
4. Gathering information: The sources would be
a. Operating standards
b. Organisation chart
c. Nature of operations
d. Operating reports
e. Senior management
f. Prior audit papers, if available
g. Internet
h. Industry, trade journals and publications
i. Files and papers
5. Preliminary survey: A preliminary survey is essential to gain a working knowledge of the operation to be audited, and to logically investigate and evaluate all information. It would be something like:
a. Information on overall business operations.
b. Develop a questionnaire for discussions with staff
c. Interview people within the operation
d. Learn the objectives, goals, and standards of the operation.
e. Ascertain any initial opportunities for improvement.
f. Understand the inherent risks and internal controls.
g. Learn about the people performing the operation – key personnel, job descriptions, evaluation methods
h. Physically inspect operations by touring the entity’s facilities
i. Focus on possible cost savings from inefficiencies
j. Present the survey results
Update (or create) audit objectives based on this larger information base. Make the audit plan (time, resources and expertise required, audit programme, audit tests) and identify audit risks.

6. Review of Internal Controls: To determine what level of reliance can be placed on internal controls. This step takes place throughout the audit process. Methods to review would include
a. Responses of interviewing staff to control questions in the Internal Control Questionnaire would indicate areas of control weakness to concentrate on
b. Prepare flow charts or narrative descriptions
c. Walk-through and limited system testing
d. Evaluate policy and procedures manuals
Results of Internal Control Review: This will provide information regarding
e. Identification of the controls that the auditor will rely on during detailed testing
f. Analysis of the controls
g. Evaluation of the appropriateness of the controls
h. Risk Assessment
7. Existence of controls: It is important to consider whether there are any factors which might render controls ineffective.
a. Accidental or deliberate avoidance
b. Management override
c. Inadequate Backup and recovery
d. Environmental impact
e. Access control over computer systems
A re-analysis of risk and budget time will need to be done at this stage.
8. Detailed testing: Carry out sufficient audit tests of compliance and substantiation to gain sufficient evidence on the objective of the audit. The testing is aimed at significant controls that have previously been assessed as adequate to evaluate their effectiveness, and those controls assessed as inadequate to verify that the required results are not being consistently achieved.

9. Report: The report should inform the recipients of the issues or opportunities for improvement and provide constructive means of achieving the goals.

2.3 Grant Audit
Grant audits include financial and operational elements, but the focus is on compliance with the financial terms of grant agreements. Usually, when the grant is given, the receiver is obligated to review grants to determine whether funds are spent for the purpose for which the funds have been received.

1. Obtain copies of the Grant application and award documentation (grant file) which specify the purpose and scope of work to be done with the funds provided.
2. Review the reporting requirements, if any, included in the grant/sponsorship agreement. Determine whether the record keeping/reporting process satisfies the requirements. Note discrepancies.
3. Determine whether there are limitations on the use of these funds and test to see if they were observed. Note any exceptions.
4. Verify that the amount of the grant noted in the above documentation was actually received and deposited in the bank account maintained for that purpose. Note any exceptions.
5. Ensure that any unused funds and/or interest earned are returned to the granting agency. Test to determine compliance with such requirements. Note discrepancies.

2.4 Project Audit
Project audits include review of project cost and performance terms. Usually, a project is a large and complex activity and the entity may not have the appropriate internal expertise to negotiate and manage these contracts.

Whether it is a commercial business, government entity or a non-profit organisation, all of them face potential financial hazards of fiscal irresponsibility, theft, scams, substandard materials or labour. While the organisation finds it difficult to manage the project, it is the core competency of the contractors, who have dedicated staff who help them secure best terms and maximise returns. As a result, many owners end up with ineffective expenditure controls for these projects and place too much reliance on their contractors.
Here the auditors come in. They work with project owners and advise the project owner through the lifecycle of the project as well as audit transaction documentation for compliance with the terms of the contract. They help in negotiating owner-favourable contracts; design and improve expenditure processes and controls; ensure the accuracy and proper documentation for payment; ensure full value is received through monthly monitoring and on-site inspections; and reduce overall project costs.
Guidelines to project audit
Each organization is unique, and the audit would be based on assessment of internal controls and the limitations of the audit scope. However, certain issues such as economic justification, regulatory requirements, policies, and controls over contractor selection etc. should also be part of the audit package. Given below are a few guidelines that can help auditors to reduce costs and minimize risks to their organizations.
1. Doing a cost benefit analysis: It is necessary that the auditor ask for documented evidence justifying the project to ensure that it is not the result of poor planning or wrong assumptions.
2. Regulatory requirements: It is essential to find out regulatory requirements affecting the project. The auditor should see that all clearances and certifications are obtained.
3. Administration of project: The presence of internal control would go a long way in efficient management of construction activities. The auditor should see that the following control issues are addressed:
a. Review and approval process
b. Project documentation and reporting
c. Construction administration process, including a right-to-audit clause, change orders, substitutions, project overruns, and lien waivers.
d. Bid and award process, including project size; contractor solicitation, reference, and selection; and controls over bid opening
e. Management involvement and risk management
4. Bid bonds: A bid bond guarantees that the contractor is insurable and can obtain a performance bond, which is procured after the bid is awarded. A contractor who does not have the financial strength to secure a bid bond will be unable to obtain a performance bond.
5. Adequate coverage by performance bond: In case the contractor fails to perform in accordance with a contract, the insurance company will reimburse the organization for the unfulfilled contract amount. If the contractor goes bankrupt, the proceeds of the bond are available to the owner to finish the project. Certain things need to be ensured in a performance bond:
a. Whether there is a policy regarding performance bonds based on an acceptable level of risk (which is usually a monetary amount).
b. Review whether bonds are for adequate amount and contract has not been broken into smaller parts to circumvent the requirement of bonds.
c. Review whether senior management is consulted regarding performance bonding coverage limits.
6. Review liability coverage and other details: Ensure that the contractor has taken liability insurance. This provides the organisation protection if an accident or damage occurs as a result of action of any contractor’s employee.
a. Ensure that certificate of insurance is taken before the contractors commence work and retained till completion of project.
b. Ensure that Certificate is current and has not expired
c. Review a sample COI for compliance with coverage in contract document
d. Confirm that:
i. General liability limits are adequate
ii. Workmen’s compensation limits are appropriate
iii. Comments and exclusions section is appropriate.
iv. The organization is named as the certificate holder.
v. The certificate is signed by the insurance company.
vi. The organization is listed as an additional insured under the "remarks section" of the COI. Being listed as an additional insured gives the organization added protection against an independent third party should someone be injured or property be damaged as a result of the contractor's operation on the organization's premises.
vii. The insurance coverage minimums or limits stated in bid and contract documents are reasonable. Also determine when these documents were last updated. The risk management department, senior management, insurance agent, and legal counsel should periodically evaluate the insurance coverage requirements.
viii. All organizational areas where contracted work can occur are identified
7. Monitor or attend relevant meetings: Problems or significant issues can often be spotted in the minutes of the meetings.
Internal auditors should try to obtain invitations to as many relevant meetings as possible as direct observations can reveal much more than minutes, which may be filtered by the manager. Additionally, some safety issues may be prevalent, and the risk management or legal departments may have discouraged documentation of certain issues for legal purposes.
8. Look for accounting irregularities -- both intentional and unintentional: Find out how projects are being coded in the general ledger account and determine whether the project should remain active. Coding to the wrong project, whether intentional or unintentional, can result in management decisions that are based on inaccurate data. Intentional coding to another construction project may be contrived to avoid scrutiny of a project-cost overrun and requisite approval and reporting.
Obtain construction project management reports and review contracted amounts, paid-to-date, and cost-to-complete to determine whether all liabilities have been properly recorded. A payment may have been made for materials that have not been received.
9. Guard against bid-related internal control breakdowns
Competitive bidding helps to ensure a wider choice of suppliers and products and higher quality goods and services at lower prices. A request for proposal, purchase order, or contract document provides adequate authorization for the purchase, clarifies the expectation of goods and services, and outlines the proper segregation of duties. This documentation also guarantees that a purchase decision analysis is made and documented for future reference.
Adherence to a sound system of internal control has never been more important, and the risks may never have been greater. Internal auditors should not be content to look only at contract payments. They should assess project-related exposures and implications from a broad perspective and act to protect and strengthen their organisations.

2.5 Information Systems Audit
This audit consists of determining whether information systems adequately safeguard assets, maintain data and systems integrity, and achieve organisational goals, and whether internal controls are adequate to assure that business, operational and control objectives will be met and unwanted events will be prevented or detected and corrected in time.
Information System reviews include the following:
• Reviews of existing or new systems, before and after implementation, to ensure their security and that they meet the needs of users;
• Project management reviews to ensure controls are in place to mitigate project risks or to identify the strengths and improvements required for future projects;
• Organizational or operational reviews to ensure the organization's goals and objectives will be achieved; and,
• Specific technology reviews to ensure security and controls are in place.

2.6 Compliance Audit
Various programmes, contracts and grants have specific rules and regulations that must be followed in order to maintain funding. Audits in these areas are usually restricted to verification that recipients are in compliance with the established guidelines. Compliance audit would include compliance with:
• Laws and regulations
• Policies
• Standards
• Contracts
Compliance audit would entail:

• Gathering information about laws, regulations, and other compliance requirements.
• Understanding limitations of auditing in detecting illegal acts and abuse.
• Assessing the risk that significant illegal acts could occur.
• The auditor would design and perform procedures based on risk assessment that would provide reasonable assurance of detecting significant illegal acts.

Factors affecting risks
• complexity of laws and regulations
• newness of laws and regulations
• effectiveness of internal control in preventing and detecting illegal acts and acts of non-compliance.
Sources of obtaining information about Laws, Regulations, and Other Compliance Requirements
• Auditors' training and experience
• Auditors' understanding of the programme being audited may provide a basis for recognition that some acts coming to their attention may be illegal.
• Auditors cannot determine whether an act, in fact, is illegal. However, auditors are responsible for being aware of vulnerabilities to fraud associated with the area being audited in order to be able to identify indications that fraud may have occurred.
Taking the help of an expert: Auditors may seek help of legal counsel in
 designing tests of compliance with laws and regulations
 evaluating the results of those tests
 Auditors also may find it necessary to rely on the work of legal counsel when audit objectives require testing compliance with provisions of contracts or grant agreements.
2.7 Investigative audits
Investigative assignments scrutinize allegations of wrongdoing or breaches of standards of conduct. Allegations may be internal or external to the organisation, and the investigation may examine the records of individuals, organizations and firms that have agreements with the organisation.
Reasons for conducting Investigation:
• Internal theft,
• misappropriation of assets,
• conflicts of interest
Co-ordination for this audit is usually at the highest level in the organisation, such as with senior management or the security department. Investigative audits differ from other audits because they are normally conducted without first notifying the personnel who may be affected by the findings.

2.8 Due diligence
Due diligence involves investigation and evaluation of a management team's characteristics, investment philosophy, and terms and conditions prior to committing capital. The entire process of research, analysis and investigation which has to be undertaken in advance of an investment, takeover, or business partnership is called due diligence. The potential investor usually takes the help of the internal audit team or hires consultants to investigate the background of the target company.
The team doing the due diligence reviews regulatory and press filings, media reports, and legal and regulatory issues, and checks for existing and pending lawsuits and other litigation involving the entity. The consulting firm may also look for conflicts of interest, insider trading and other problems. The investigative results may be prepared in a "due diligence report".
In addition to identifying risks and implications of an investment, due diligence may include data on a company's solvency and assets. Due diligence is the responsibility you have to investigate and identify issues, and due care is doing something about the findings from due diligence.

Section 3. Managing the Internal Audit Function

3.1 Organising the internal audit function
3.2 Audit Staff
3.3 Managing the audit

3.3.1 Preliminary survey
3.3.2 Audit Objectives
3.3.3 Risk Management
3.3.4 Engagement memorandum

3.1 Organising the internal audit function
The internal audit function may be provided by in-house staff or an outsourced team. Whether or not internal audit is a part of the organisation, its structure would depend on:
o Business of the organisation
o Geographical locations
o Culture of the organisation
o Control risks
o Environment
To be effective it needs a strong leader who has the support of both the authorising body (audit committee, in most cases) and senior management. The Chief Audit Executive must be a person who understands the overall organisation and has the qualities of a leader:
o Keep the vision clear
o Co-ordinate activities
o Mediate conflicts
o Identify needed resources
o Manage the budget
o Assure that goals are achieved on time and on budget
The first step a chief auditing executive should take to establish an internal auditing organisation is to reach an understanding with management and the board of directors on the rules that will apply to the internal auditing organisation. This understanding should be in writing in the form of a charter.
3.2 Audit Staff
Audit is a service-oriented job; its biggest assets are its people. The firm needs to have policies and procedures to provide reasonable assurance that it has sufficient personnel, with the capabilities, competence and principles to perform their assigned responsibilities.
It should have policies to address recruitment, performance evaluation, professional advancements, compensation and career development.
The firm needs to recruit personnel with appropriate characteristics to meet their needs. Given below are certain illustrative procedures which the department/firm may adopt:
1. Designating an appropriately qualified person to manage the human resource function.
2. Establishing criteria to evaluate personal characteristics such as integrity, competence, and motivation.
3. Having additional procedures for hiring experienced personnel like reference checks.
4. Deciding on methods of recruitment like media ads, professional institutions or universities or recruitment agencies and coordinating with them.
5. Training the interviewers and others participating in the recruitment process on the expectations and requirements of the firm.
Engagement Assignment

The responsibility for each engagement should be assigned to a specific partner. The partner assigned to the work has the capability, competence and time to handle the engagement, and the workload and availability of the partners is monitored so that they can devote adequate time to discharge the responsibility. There should be policies and procedures requiring that:

1. Team members: The members should be assigned based on factors such as:
o Engagement size and complexity.
o Specialized experience and expertise required.
o Personnel availability and involvement of supervisory personnel.
o Timing of the work to be performed.
o Continuity and rotation of personnel.
o Opportunities for on-the-job training.
2. The firm should assign appropriate staff with the necessary capabilities, competence and time to perform engagements in accordance with professional standards and regulatory and legal requirements.
3. The capabilities and competence considered when assigning engagement teams, and in determining the level of supervision required, would include:
1. An understanding of, and practical experience with, engagements of a similar nature and complexity through appropriate training and participation.
2. Knowledge of professional standards and regulatory and legal requirements.
3. Appropriate technical knowledge
4. Knowledge of client industry.
5. Ability to apply professional judgment.
6. An understanding of the firm’s quality control policies and procedures.

Continuing Professional Education
The firm should make arrangements so that personnel can participate in general and industry-specific continuing professional education and professional development activities.
Promotion and career advancement
While selecting personnel for advancement, the firm should ensure that the person selected has the necessary qualifications to fulfill the responsibilities they will be called on to assume. Some procedures, which the firm may have:
1. Designating an appropriate person to frame the firm’s policy regarding the qualifications necessary to fulfill responsibilities at each professional level
2. Assigning responsibility to one of its partners for making advancement and termination decisions for staff and recommendations for manager level advancements and terminations to the firm’s designated group of partners or managing body.
3. Counseling personnel regarding their progress and career opportunities.

3.3 Managing the Audit

Internal Audit needs a mission statement or audit charter outlining the purpose, objectives, organisation, authorities, and responsibilities of the internal auditor, audit staff, audit management, and the audit committee. A big part of the management profession is creating and enforcing policies and procedures. Policies interpret and tailor laws that apply to an organisation, serving as a written record of good practices the management wants to emphasize and enforce in the organisation, whether or not there are legal implications. While policies are general, procedures are specific.
3.3.1 Audit Planning

Every audit assignment should be planned carefully prior to its start. Circumstances may occur which might call for unscheduled reviews or there might be pressures to begin special audit without delay. However, a properly planned audit will almost always have better audit results. A long-range audit plan should be developed which should be reviewed at regular intervals.
Pre-engagement activity – Matters to be considered before accepting a new assignment would be:
i. Gathering information on the integrity and competence of the management
ii. Past experience, if any with the management
iii. Communication with previous auditors
iv. Significant accounting policies of the client
v. Assessment of Management’s ability to have effective and efficient internal control
vi. Financial viability of the entity

The auditor should consider the following matters while planning:
o Nature of work
o Knowledge of business
o Policies and procedures of the entity
o The methods used by the entity to process significant accounting information, including the use of service organisations, such as outside service centers.
o Preliminary judgment about materiality levels for audit purposes.

i. Understanding the nature of work: The various sources would be:
- Likely impact of applicable accounting and auditing pronouncements
- Financial statements of the entity
- Prior internal audit reports, external audit reports and reports of any special audits or investigation of the area assigned.
- Discuss with auditee:
- Changes in accounting methods or policies
- Changes in information processing methods
- Timing of preliminary audit work, confirmation procedures,
- Assistance required from client personnel
- Records required
- Facilities required like physical space, computer systems etc.

ii. Knowledge of business
- review the prior audit reports
- policy and procedure manual, org chart, flowcharts etc.
- review financial statements or reports filed with various agencies or regulatory bodies
- minutes of meetings of stockholders, the board of directors and relevant committees
- effect of various laws and regulations on financial statement of auditee
- information about nature of entity’s business
- client correspondence file
- gain an understanding of type of business, products & services, capital structure, offices/branches/factories
- obtain knowledge of auditee’s industry like economic condition, government regulations, competition, financial trends.
- Other external sources such as industrial publications, ICAI standards and guidance etc.

iii. Methods used by entity to process information: The methods used need to be considered as the methods influence the design of internal control. The extent of computer processing and the complexity of processing will influence nature, timing and extent of audit procedures.

iv. Determining audit objectives: Determining objectives based on management’s needs, nature of prior work, available resources and time is an important aspect of planning. General objectives would be part of the audit plan, and they should be re-examined and defined in detail before each audit.

v. Audit Scheduling: On the basis of the annual plan and preliminary survey, the manpower requirements and time budgets need to be fixed. The following factors need to be considered:
- nature of audit
- complexity of work
- staff availability
- special skills required
- audit period

vi. The auditor should consider whether specialized skills are needed for any area such as the effect of computer processing on the audit, to understand the controls, or to design and perform audit procedures. If specialized skills are needed, the auditor should seek the assistance of a professional possessing such skills.

Annual Audit Plan
1. Prepare Annual Internal Audit Plan
o Conduct a preliminary risk assessment in cooperation with the senior and line management.
o Prepare a Draft Annual Internal Audit Plan based upon the results of the risk assessment process.
o Discuss with audit committee and get a formal approval.
o Review the plan on a quarterly basis to ensure that focus remains on high risk areas.
2. Communicate Annual Internal Audit Plan
o Distribute the Annual Internal Audit Plan to senior and line managers.
o Keep senior and line managers informed of any changes to the Annual Internal Audit Plan.
Specific Audit Plan

• Notify auditee of audit and arrange for a meeting.
• Identify information or documents required initially
• Find out whether there are areas which management would like to be included in the audit
• Discuss, finalise and inform auditee
o Audit period
o Estimated start date and duration
o Names of audit staff
o Facilities required like space, computer systems etc.

3.3.2 Preliminary survey

A. The objective of the preliminary survey is to get familiar with the areas being audited. Some of the methods would be:
a. Information about structure and activities of areas being audited:
i. Organisational chart
ii. Key Personnel and their major areas of responsibility
b. Financial information
i. Sources of revenue
ii. Nature of expenditure
c. Prior working papers and audit reports and information about past activities
d. Information about any separate audit in the area being audited.
e. Review any departmental policies and procedures manuals, flowcharts, or control narratives that may exist.
f. Any activity/area which the management requests to be included

B. Prepare audit planning memorandum containing:
a. Planned audit scope
b. Audit objectives
c. Audit period and estimated start and completion date
d. Resources necessary for audit
e. Areas to be reviewed and reasons for exclusions of any area.

3.3.3 Audit objectives
Determining an audit’s objectives is the most crucial step in planning an internal audit. Audit objectives refer to the specific goals of the audit. An audit may have several audit objectives.
Objectives are based on management’s needs, nature of prior work, available resources and time; determining them is an important aspect of planning. General objectives would be part of the audit plan, and they should be re-examined and defined in detail before each audit. Audit objectives should be reviewed with the management or those who have requested the audit.
Audit objectives often focus on substantiating that internal controls exist to minimise risks. These audit objectives include assurance with regard to:
o Reliability and integrity of financial and operational information.
o Effectiveness and efficiency of operations.
o Safeguarding of assets.
o Compliance with laws, regulations, and contracts

3.3.4 Risk management
Risk is a concept used to express uncertainty about events and/or their outcomes that could have a material effect on the goals of the organisation.
Every company that is in business has to take risks. In order to progress, a business entity has to identify risks, evaluate them, decide if they are at an acceptable level and, if they are not, design controls to respond to those risks. After controls have been identified to mitigate risks, the effectiveness of controls has to be evaluated on a regular basis. This is risk management.
Risk management has to be integrated into the organisation’s culture and embedded in all its day-to-day and periodic activities. Enterprise-wide risk management is a structured, consistent and continuous process across the whole organisation. The overall responsibility for risk management lies with the Board.

The internal auditing activity’s role with regard to Risk Management is to provide objective assurance to the board on the effectiveness of an organisation's ERM activities in managing key business risks and that the system of internal control is operating effectively. The Chief Audit Executive (CAE) has to ensure that the internal audit activity maintains its independence and objectivity when providing assurance and consulting services.
The Institute of Internal Auditors' (IIA) position paper The Role of Internal Auditing in Enterprise-wide Risk Management provides guidance to the internal auditor as to what roles internal auditing should and should not play throughout the ERM process. The internal audit activity can be involved in providing assurance that risks are identified, reported, evaluated, mitigated and reviewed regularly.

The roles which auditing should NOT undertake

• Setting the risk appetite.
• Imposing risk management processes.
• Management assurance on risks.
• Taking decisions on risk responses.
• Implementing risk responses on management's behalf.
• Accountability for risk management.

Internal auditors should provide advice, and challenge or support management's decisions on risk, as opposed to making risk management decisions. The nature of internal audit activity’s responsibilities should be documented in the audit charter and approved by the audit committee.

3.3.5 Engagement letter / engagement memorandum

Prepare an engagement memorandum for the auditee that communicates final objectives and any changes to planned completion of audit.
The internal auditor should send a letter of engagement to the management stating:
• Objectives of Internal Audit
• Management responsibility for preparation of the financial statements
• Scope of the Internal Audit
• Management's responsibility for selection and consistent application of appropriate accounting policies, including implementation of the applicable accounting standards along with proper explanation relating to material departures from those accounting standards.
• Unrestricted access to relevant records, documentation and other information requested in connection with the audit.
• The fact that the audit process may be subjected to a peer review under the Chartered Accountants Act, 1949.

Section 4: Audit programme and procedures

4.1 Field survey
4.2 Audit programme
4.3 Audit procedures
4.4 Evaluation of internal control system
4.5 Audit sampling
4.6 Audit Tests
4.7 Specimen letters

4.1 Field survey

This is a very critical step as it allows the auditor to determine the scope and extent of audit effort. It is done in advance of detailed testing and analysis work. The auditors can familiarise themselves with the system and control structure. Typically the audit team would consider:
• The organisational structure and the responsibilities of key members.
• Manuals of policies and procedures and applicable regulations.
• Management reports and minutes of meeting.
• Walkthrough of activity
• Discussions with key personnel
The field survey is the initial contact point and might take one or two days depending on the size of the audit.
The completion of the field survey helps the auditor to understand key systems and processes. If the information obtained during preliminary audit planning is imperfect, the audit team can make adjustments to the planned audit scope.
4.2 Audit programme
After the conclusion of preliminary survey, the auditor has a fair idea of the audit objectives and the control systems. At this stage the audit programme should be made providing the proposed procedures, budgeting and basis for controlling the audit. The audit programme will prevent the auditor from going off the scope pursuing irrelevant items and help in completing the audit project in an efficient manner.
Things to be considered while preparing audit programme
• Needs of potential users of the audit report.
• Legal and regulatory requirements
• Management controls
• Significant findings and recommendations from previous audits that could affect the current audit objectives. Also determine whether corrective action has been taken and earlier recommendations implemented.
• Potential sources of data that could be used as audit evidence and consider the validity and reliability of these data.
• Consider whether the work of other auditors and experts may be used to satisfy some of the audit objectives.
• Provide sufficient staff and other resources to do the audit
• Criteria for evaluating areas under audit.

Framing the programme:
• Review the results of preliminary survey with audit supervisor
• The audit team holds a meeting with the audit supervisor to decide on the priority / high risk areas and tests to be conducted.
• Provide a general overview of the auditee's operations. Include in the narrative statistical and monetary information, locations, authority, staffing and main duties and responsibilities.
• The programme should consist of detailed directions for carrying out the assignment.
• Prepare draft audit programme and document transaction flows.
• Audit programmes should be consistent. Some organisations may have standardised audit programmes.
• It should contain an estimate of the time necessary to complete the project
• Number the audit programme steps consecutively.
• Have the final programme reviewed by Audit supervisor and Audit manager.
• All major changes must be documented in writing and the reason documented.
• The audit programme should contain a statement of the objectives of the area being reviewed. These objectives would be achieved through the detailed audit programme procedure. Objectives should fit within the overall scope of the audit.
• Every audit procedure should help answer one of the objectives and every objective should be addressed in the procedures or steps.
• The tests have to be designed in such a manner that they achieve their objectives. Use imagination, ingenuity and intelligence in creating audit steps responsive to objectives.
• The goals should be made amply clear by prefacing major steps with: "to test whether ..." or "to determine that ...".
• At the planning phase an estimated time budget should be prepared to control the audit and complete it efficiently. The detailed project time budget should be completed at the conclusion of the preliminary review. The time budget should be approved by the audit manager and audit administration. This budget will include all time necessary to complete the audit, from assignment through issuance of the final report.
Planning should continue throughout the audit. Audit objectives, scope, and methodologies are not determined in isolation. They have to be determined together, as the considerations in determining each often overlap.
Audit Evidence
Evidential matter obtained during the course of the audit provides the documented basis for the auditor's opinions, findings, and recommendations as expressed in the audit report.
Types of audit evidence
Evidence may be categorized as physical, documentary, testimonial, and analytical.

Test of Evidence

Internal auditors are obligated by professional standards to collect sufficient, competent, relevant, and useful information to provide a sound basis for audit findings and recommendations.
The following generalisations would usually hold true, but they might not be valid in all cases.
a. Evidence obtained from a credible third party is more reliable than that secured from the auditee.
b. Evidence developed under an effective system of management controls is more competent than that obtained where such controls are weak or nonexistent.
c. Evidence obtained by the auditors themselves through direct physical examination, observation, computation, and inspection is more competent than evidence obtained indirectly.
d. Original documents provide more competent evidence than copies.
e. Person providing the evidence: Information obtained from a person having knowledge of the area would be more reliable.
f. Objective evidence would be more reliable than evidence which requires judgment.

The sufficiency, competence and relevance of evidence depend on the source of information.
4.3 Audit procedures

Programme step procedures should be in enough detail so that an experienced auditor could carry out the task with normal supervision. An audit causes disruption and interruptions in the day-to-day operations of an enterprise, and it is advisable that the auditors provide a tentative schedule of the planned audit work (unless it is a surprise audit). Documentation should be kept for each step, generally in the form of working papers.
Review and Evaluation of Internal Control Environment
The auditor will have to review the internal control structure. The effectiveness and efficiency of the internal control will determine the extent of tests to be performed. This evaluation will also provide assurance on whether the systems are functioning properly. The auditor should provide for tests in the audit programme, which could be in the form of interviews, internal control questionnaires, checklists and audit tests.
Matters to be considered while evaluating internal controls
• Identification of risks
• Internal control structure put in place to prevent, detect, correct undesired events
• Whether the control structure is functioning as desired
• Identification of weaknesses in the structure and their effect on auditing procedures.
Procedures to evaluate internal controls:
• Description of system of internal control
• Flowcharts
• Internal Control Questionnaires
• Tests of compliance are performed to obtain sufficient evidence that the system is operating in accordance with the understanding the auditor obtained from the review. The nature, timing, and extent of tests of compliance are closely related to the control procedures and methods studied by the auditor.

4.4 Audit sampling
The auditor can meet the audit objectives through detailed review of the audit evidence. Review of the entire population is not possible where the auditor has to examine a large number of items. The internal auditor needs a consistent approach to draw a sample from the data and draw conclusions from that sample. The challenge here is that the sample should be representative of the entire population. In any situation in which one has to draw conclusions based on an inspection of part of a population, one should consider using statistical sampling techniques.
Any form of sampling, whether statistical or judgmental, is an application of a procedure to less than 100% of the population. Under sampling there is always a risk that some or all errors will not be found and the conclusions drawn (i.e. all transactions were proper and accurate) may be wrong.
Audit sampling can be of two types: statistical and non-statistical. Statistical sampling is a mathematically based method of selecting a sample representative of the population, while non-statistical sampling or judgmental sampling is not based on mathematics.
The type of sampling used and the number of items selected should be based on the auditor’s understanding of the relative risks and exposures of the areas audited. The description of the methods used and reason for selection should be documented in the audit programme and approved by audit administration.
Sample Selection Techniques
The manner in which the population is filed or distributed will determine the kind of selection techniques to be used to select the sample. Several techniques are available:
1. Estimation Sampling: There are two types of estimation sampling.
• Attributes Sampling.
• Variables Sampling.
2. Acceptance Sampling
3. Discovery Sampling
4. Judgment Sampling
Sampling selection technique
The more commonly used sampling selection techniques are:
1. Unrestricted Random Number.
2. Interval Sampling
3. Stratified Sampling.
4. Cluster Sampling.
Evaluation of Results
Whatever sampling plan or selection technique is used, a conclusion has to be drawn from the test results. The auditor should keep in mind a few rules for better evaluation:
1. Findings for each characteristic being tested should be evaluated separately
2. The auditor has to decide upon the "acceptable error rate" after a full study of the surrounding circumstances.
3. When significant errors are found, the auditor should extend the examination or apply other procedures to attempt to determine the cause and effect of the exception.

4.6 Audit Tests

The Auditor performs tests to validate processes and controls. This would include performance of substantive testing which tests the efficiency of internal control to ensure completeness, accuracy or validity of the accounts or transactions.
Given below are the various tests that the auditor would perform:
Tests involving continuing interaction with client staff and other parties
• Facilitated meetings
• Interviewing
• Questioning
• Surveys
• Confirmation/Representation
Tests carried on by audit team
• Observation and Inspection
• Documentation Review
• Analytical review
• Data Analysis
• Vouching & Verifying
• Reconciliation
• Recalculation & Valuation

Facilitated Meetings
Inquiry involves a meeting of concerned officials from different departments and key stakeholders affected, like customers and vendors. This method requires a lot of effort in organising such a meeting. A facilitator is required so that the group does not diverge from its objectives. Example: a meeting of purchasing, accounts payable, stores and the user department to understand the cycle of purchases.
Interview: Direct interaction facilitates greater understanding of the business processes as the interviewer can seek clarifications and details on the spot. It has all the advantages of face-to-face communication like establishment of rapport, personal opinions on issues and solutions.
The type of information received depends on the skills of the interviewer. The interviewer has to make the person feel at ease and glean significant information.

Questioning: This is the most pervasive technique and should be used with care so that the auditee is not needlessly alienated. The auditor may seek management reaction through questioning in case of deficiencies or error.

Surveys: Surveys are commonly used to gauge perceptions of a business activity. They are an efficient method of reaching a large number of people. The administrator does not require any special training and the responses can be quantified.
It requires a lot of time and skill to create the survey document. People may give inappropriate or inaccurate replies, as there is less sincerity in filling up survey forms.
Confirmation/ Representation: Usually there are standard formats for confirmation which are sent by the auditor to the relevant party. The responses are mailed directly to the auditor.
Observation and Inspection: These methods are used to understand processes and activities. Observing involves a careful, knowledgeable look at documents processed, activities and assets. These tests need to be corroborated with other evidence as it would be time consuming or even impossible to observe large number of activities. Also random observation will not provide adequate evaluation.

Documentation Review: This is the most widely used method, and a large amount of data can be objectively verified. This involves a review of existing reports and documents to identify controls, to understand the business or process, and to provide evidence in supporting audit conclusions.
Analytical review: Analytical auditing procedures provide an efficient and effective method of comparing relationships among data. The relationship among data is compared against a pre-defined expected relationship, which is expected to continue in the absence of unusual or non-recurring transactions.
Some analytical tests are trend analysis, benchmarking and ratio analysis.

Data analysis & exception tests: This involves analysis and query of historical data files to identify trends and exceptions. It can be used to understand the volume or magnitude of events and whether they are significant. It is used for identifying duplicates or gaps in sequences, or for producing an aging summary of receivables.

Vouching & Verifying: It is another very popular method. The transactions or events are verified against suppo
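
The data analysis and exception tests described above (duplicates, gaps in sequences, aging summary of receivables), sketched in Python as an added example that is not part of the original text. The ledger rows, field names and the 30/60/90-day aging buckets are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample ledger (illustrative only, not real data).
LEDGER = [
    {"no": 1001, "customer": "Acme", "amount": 1200, "date": date(2024, 1, 5), "paid": True},
    {"no": 1002, "customer": "Birla Traders", "amount": 450, "date": date(2024, 1, 20), "paid": False},
    {"no": 1003, "customer": "Acme", "amount": 980, "date": date(2024, 2, 14), "paid": False},
    {"no": 1003, "customer": "Acme", "amount": 980, "date": date(2024, 2, 14), "paid": False},
    {"no": 1005, "customer": "Coral Ltd", "amount": 3000, "date": date(2024, 3, 1), "paid": False},
    {"no": 1006, "customer": "Coral Ltd", "amount": 3000, "date": date(2024, 3, 1), "paid": False},
    {"no": 1009, "customer": "Dev & Co", "amount": 700, "date": date(2024, 3, 25), "paid": False},
]

# Assumed aging buckets: upper limit in days and label.
BUCKETS = [(30, "0-30"), (60, "31-60"), (90, "61-90")]
OVERFLOW = "over 90"


def repeated_numbers(ledger):
    """Invoice numbers that appear on more than one row."""
    counts = Counter(row["no"] for row in ledger)
    return sorted(no for no, count in counts.items() if count > 1)


def lookalike_invoices(ledger):
    """Different invoice numbers sharing customer, amount and date
    (candidates for double billing that a number check alone misses)."""
    groups = defaultdict(set)
    for row in ledger:
        groups[(row["customer"], row["amount"], row["date"])].add(row["no"])
    return sorted(sorted(nos) for nos in groups.values() if len(nos) > 1)


def sequence_gaps(ledger):
    """Missing ranges in the invoice number sequence, as (first, last)."""
    nos = sorted({row["no"] for row in ledger})
    return [(prev + 1, cur - 1) for prev, cur in zip(nos, nos[1:]) if cur - prev > 1]


def aging_summary(ledger, as_of):
    """Total unpaid amount per age bucket as of a given date.
    Each invoice number is counted once so repeated rows do not
    overstate the receivable."""
    totals = {label: 0 for _, label in BUCKETS}
    totals[OVERFLOW] = 0
    seen = set()
    for row in ledger:
        if row["paid"] or row["no"] in seen:
            continue
        seen.add(row["no"])
        age = (as_of - row["date"]).days
        label = next((lbl for limit, lbl in BUCKETS if age <= limit), OVERFLOW)
        totals[label] += row["amount"]
    return totals


if __name__ == "__main__":
    print("Repeated invoice numbers:", repeated_numbers(LEDGER))
    print("Look-alike invoices:", lookalike_invoices(LEDGER))
    print("Gaps in sequence:", sequence_gaps(LEDGER))
    print("Aging as of 2024-04-01:", aging_summary(LEDGER, date(2024, 4, 1)))
```

Each exception the script reports is a lead to follow up with vouching or confirmation, not a finding in itself.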
