Internal Auditor in Internal Audit
These guidelines provide advice to internal auditors on the main issues and procedures which they need to consider as part of their work in both the commercial and public sectors. They should also be of benefit to organisations considering establishing an internal audit function.
Internal auditors should read these guidelines in conjunction with the Approved Auditing Standards and any requirements regarding internal audit set out in the relevant statutes or regulations.
These guidelines are intended to be persuasive only.
A glossary of terms used in these guidelines are given in the appendix to the guideline.
OBJECTIVES AND SCOPE OF INTERNAL AUDIT
1. Internal audit is an independent appraisal function established by the management of an organisation for the review of the internal control system as a service to the organisation. It objectively examines, evaluates and reports on the adequacy of internal control as a contribution to the proper, economic and effective use of resources.
2. The essentials for effective internal auditing are:
The internal auditor should have the independence in terms of organisational status and personal objectivity which permits the proper performance of his duties
(b) Staffing and training
The internal audit unit should be appropriately staffed in terms of numbers, grades, qualifications and experience, having regard to its responsibilities and objectives. The internal auditor should be properly trained to fulfil all his responsibilities
The internal auditor should seek to foster constructive working relationship and mutual understanding with management, with external auditors, with any other review agencies and, where one exist, the audit committee
(d) due care
The internal auditor should exercise due care in fulfilling his responsibilities
(e) Planning, controlling and recording
The internal auditor should adequately plan, control and record his work
(f) Evaluation of the internal control system
The internal auditor should identify and evaluate the organisation’s internal control system as a basis for reporting upon its adequacy and effectiveness
The internal auditor should obtain sufficient, relevant and reliable evidence on which to base reasonable conclusions and recommendations
(h) Reporting and follow-up
The internal auditor should ensure that findings, conclusions and recommendations arising from each internal audit assignment are communicated promptly to the appropriate level of management and he should actively seek a response. He should ensure that arrangements are made to follow up audit recommendations to monitor what action has been taken on them (paragraphs 70 to 78).
3. The terms of reference for the internal audit function should be formally confirmed by the organisation and should have proper regard to the contents of this guideline; demonstrable independence of the function is crucial to its effectiveness.
4. For certain public sector organisations the need for an internal auditing function is prescribed by statute and this provides a basis for defining specific standards and guidance for the practice of internal auditing in these organisations.
5. To achieve full effectiveness the scope of the internal audit function should provide an unrestricted range of coverage of the organisation’s operations, and the internal auditor should have sufficient authority to allow him access to such records, assets and personnel as are necessary for proper fulfilment of his responsibilities.
6. It is a management responsibility to determine the extent of internal control in the organisation’s systems which should not depend on internal audit as a substitute for effective controls. Internal audit, as a service to the organisation, contributes to internal control by examining, evaluating and reporting to management on its adequacy and effectiveness. Internal audit activity may lead to the strengthening of internal control as a result of management response.
7. One of the objectives of internal auditing is to assist management in the pursuit of value for money. This is achieved through economic, efficient and effective use of resources.
8. It is a management responsibility to maintain the internal control system and to ensure that the organisation’s resources are properly applied in the manner and on the activities intended. This includes responsibility for the prevention and detection of fraud and other illegal acts.
9. The internal auditor should have regard to the possibility of such malpractice and should seek to identify serious defects in internal control which might permit the occurrence of such an event.
10. An internal auditor who discovers evidence of, or suspects malpractice should report firm evidence, or reasonable suspicions to the appropriate level of management. It is a management responsibility to determine what further action to take.
11. Independence is achieved through the organisational status of internal audit and the objectivity of internal auditors.
12. The status of internal audit should enable it to function effectively. The support of management is essential. Internal audit should be involved in the determination of its own priorities, in consultation with management. Accordingly the head of internal audit should have direct access to, and freedom to report to all senior management including the chief executive, board of directors and, where one exists, the audit committee.
Objectivity of the internal auditor
13. Each internal auditor should have an objective attitude of mind and be in a sufficiently independent position to be able to exercise judgement, express opinions and present recommendations with impartiality.
(a) The internal auditor, notwithstanding his employment by the organisation, should be free from any conflict of interest arising either from professional or personal relationships or from pecuniary or other interests in an organisation or activity which is subject to audit.
(b) The internal auditor should be free from undue influences which either restrict or modify the scope or conduct of his work or over-rule or significantly affect judgement as to the content of the internal audit report.
(c) The internal auditor should not allow his objectivity to be impaired when auditing an activity for which he has had authority or responsibility.
(d) An internal auditor should be consulted about significant proposed changes in the internal control system and the implementation of new systems and make recommendations on the standards of control to be applied. This need not prejudice the auditor’s objectivity in reviewing those systems subsequently.
(e) An internal auditor should not normally undertake non-audit duties but where he does so, exceptionally, he should ensure that management understands that he is not then functioning as an internal auditor.
14. Where any of the situations referred to in paragraphs 13(a) to (c) arise, this should be clearly declared by the internal auditor so that consideration can be given to the need for alternative arrangements for the audit assignment.
15. The effectiveness of internal audit depends substantially on the quality, training and experience of its staff. The aim should be to appoint staff with the appropriate background, personal qualities and potential. Thereafter, steps should be taken to provide the necessary experience, training and continuing professional education.
16. The internal audit unit should be managed by a head of internal audit who should be suitably qualified and should possess wide experience in internal audit and its management. He should plan, direct, control and motivate the resources available to ensure that the responsibilities of the internal audit unit are met.
17. The full range of duties may require internal audit staff to be drawn from a variety of disciplines. The effectiveness of internal audit may be enhanced by the use of specialist staff, particularly in the internal audit of activities of a technical nature.
18. The internal audit unit should employ staff with varying types and levels of skills, qualifications and experience in order to satisfy the requirements of each internal audit task.
19. The head of internal audit should participate in the recruitment and selection of his staff. New entrants to internal audit work should have time to familiarise themselves with the activities of the internal audit unit and the organisation, and to demonstrate their suitability for audit work.
20. The organisation has a responsibility to ensure that the internal auditor receives the training necessary for the performance of the full range of duties.
21. Training should be tailored to the needs of the individual. It should include both theoretical knowledge and its practical application under the supervision of suitably competent and experienced internal auditors. Account should be taken of:
(a) internal audit objectives and priorities;
(b) the type of internal audit work;
(c) previous training, experience and qualifications; and
(d) personal development in the light of the needs of the organisation and the internal audit unit.
22. Training should be a planned and a continuing process at all levels and should cover:
(a) basic training – providing the knowledge of basic auditing principles and practices which all internal auditors should possess;
(b) development training – in general audit skills and techniques and inter-personal skills, to improve the effectiveness of those currently employed in internal audit; and
(c) specialised training – for those responsible for the internal audit of activities which require special skills or knowledge.
23. Other forms of staff development should be considered according to particular needs. These may include periods of attachment to other parts of the organisation or secondment to other organisations.
24. The internal auditor should keep abreast of current developments, improvements, new techniques and practices in auditing.
25. The internal auditor should maintain technical competence through professional development which may include:
(a) private reading and study; and
(b) participation in professional activities such as attending meetings, courses and conferences, lecturing, writing articles and papers and contribution to research groups.
26. The head of internal audit should co-ordinate, and keep under review, the training requirements of internal auditors. He should be responsible for preparing training profiles which identify the training requirement for different grades of internal auditors, and should maintain personal training records for each individual. In large organisations this may be performed by a designated training officer.
27. In order that the internal auditor may properly perform all his tasks, it is necessary for all those with whom he has contact to have confidence in him. Constructive working relationships make it more likely that internal audit work will be accepted and acted upon, but the internal auditor should not allow his objectivity to be impaired.
28. The head of internal audit should prepare the internal audit plan in consultation with senior management. The internal auditor should arrange the timing of internal audit assignments in consultation with the management concerned, except on those rare occasions where an unannounced visit is a necessary part of the audit approach. Consultation can lead to the identification of areas of concern or of other interest to management.
29. Matters which arise in the course of the audit are confidential and discussion should be restricted to management directly responsible for the area being audited unless they have given express agreement to broaden the discussion.
30. Discussions with management are necessary when preparing the audit report. This is an essential feature of the good relationship between the auditor and the management.
Relationship with external audit
31. The relationship between internal and external audit needs to take account of their differing roles and responsibilities. Internal audit is an independent appraisal function within the organisation and internal auditors are direct employees. The external auditor usually has a statutory responsibility to express an independent opinion on the financial statements and stewardship of the organisation.
32. The aim should be to achieve mutual recognition and respect, leading to a joint improvement in performance and the avoidance of unnecessary over-lapping of work. It should be possible for the external and internal auditors to rely on each other’s work, subject to limits determined by their different responsibilities, respective strengths and special abilities. Consultations should be held and consideration given to whether any work of either auditor is adequate for the purpose of the other. The internal auditor does not automatically have a right of access to the records of the external auditor. However, the relationship between the internal and external auditor will usually be such that the external auditor will be able to allow access to the necessary records.
33. Since internal audit evaluates an organisation’s internal control system the external auditor may need to be satisfied that the internal audit function is being planned and performed effectively. This review needs to be seen by both parties as a necessary part of the working relationship (see the Institute’s International Auditing Guideline No: 10 on “Using the work of an Internal Auditor”).
34. Regular meetings should be held between internal and external auditors at which joint audit planning, priorities, scope and audit findings are discussed and information exchanged. The benefits of joint training programmes and joint audit work should also be considered.
Review agencies and specialists
35. Certain information obtained during an internal audit assignment may assist a review agency, such as management services or consultants, which are seeking to secure improvements in the organisation’s performance. Management’s formal approval should be obtained before releasing any audit report or other information to the review agencies.
36. The internal auditor should establish a regular dialogue with review agencies and obtain their reports for information, review and comment where proposals may affect internal control arrangements.
37. Where it is necessary for the internal auditor to have contact with other specialists the same basic principles about information apply as in the case of review agencies.
38. The internal auditor cannot be expected to give total assurance that control weaknesses or irregularities do not exist.
39. In order to demonstrate that due care has been exercised the internal auditor should be able to show that his work has been performed in a way which is consistent with this guideline.
40. The internal auditor should possess a thorough knowledge of the aims of the organisation and the internal control system. He should also be aware of the relevant laws and the requirements of relevant professional and regulatory bodies.
41. By-laws (On Professional Conduct and Ethics) [Revised January 2002] issued by the Institute are relevant to the work of internal auditors.
42. The internal auditor must be impartial in discharging all responsibilities; bias, prejudice or undue influence must not be allowed to limit or over-ride objectivity. At all times, the integrity and conduct of the internal auditor must be above reproach. He should not place himself in a position where responsibilities and private interests conflict and any personal interests should be declared.
43. The internal auditor should not improperly disclose any information obtained during the course of his work.
Quality of internal audit performance
44. The heads of internal audit unit should promote and maintain adequate quality standards. He should establish methods of evaluating the work of his staff to ensure that the internal audit unit fulfils its responsibilities and has proper regard to this guideline.
PLANNING, CONTROLLING AND RECORDING
45. Internal audit work should be planned, controlled and recorded in order to determine priorities, establish and achieve objectives, and ensure the effective and efficient use of audit resources.
46. The main purposes of internal audit planning are:
a) to determine priorities and to establish the most cost-effective means of achieving audit objectives;
b) to assist in the direction and control of audit work;
c) to help ensure that attention is devoted to critical aspects of audit work; and
d) to help ensure that work is completed in accordance with pre-determined targets.
47. The stages of internal audit planning are:
a) to identify the objectives of the organisation;
b) to define internal audit objectives;
c) to take account of relevant changes in legislation and other external factors;
d) to obtain a comprehensive understanding of the organisation’s systems, structure and operations;
e) to identify, evaluate and rank risks to which the organisation is exposed;
f) to take account of changes in structures or major systems in the organisation;
g) to take account of known strengths and weaknesses in the internal control system;
h) to take account of management concerns and expectations;
i) to identify audit areas by service, functions and major systems;
j) to determine the type of audit: e.g. systems, verification or value for money;
k) to take account of the plans of external audit and other review agencies; and
l) to assess staff resources required, and match with resources available.
48. The internal auditor should prepare strategic, periodic and operational work plans.
49. The strategic plan should usually cover a period of between two to five years during which all major systems and areas of activity will be audited. It should set out audit objectives, audit areas, type of activity and frequency of audit and an assessment of resources to be applied.
50. The periodic plan, typically for financial or calendar year, translates the strategic plan into a schedule of audit assignments to be carried out in the ensuing period. It should define the purpose and duration of each audit assignment and allocate staff and other resources accordingly and should be formally approved by management.
51. Operational work plans should be prepared for each audit assignment as it is arranged covering:
a) objective and scope of the audit;
b) time budget and staff allocation; and
c) methods, procedures and reporting arrangements, including supervision and allocation of responsibilities.
52. All internal audit plans should be sufficiently flexible to respond to changing priorities.
53. Control of the internal audit unit and of individual assignments is needed to ensure that internal audit objectives are achieved and work is performed effectively. The most important elements of control are the direction and supervision of the internal audit staff and review of their work. This will be assisted by an established audit approach and standard documentation. The degree of control and supervision required depends on the complexity of assignments and the experience and proficiency of the internal audit staff.
54. The head of internal audit should establish arrangements:
a. to allocate internal audit assignments according to the level of and proficiency of internal audit staff;
b. to ensure that internal auditors clearly understand the responsibilities and internal audit objectives;
c. to communicate the scope of work to be performed and agree the programme of work with each internal auditor;
d. to provide and document evidence of adequate supervision, review and guidance during the internal audit assignment;
e. to ensure that adequate working papers are prepared to support internal audit findings and conclusions; and
f. to ensure that internal audit’s performance is in accordance with the internal audit plan or that any significant variations have been explained.
55. The head of internal audit should establish arrangements to evaluate the performance of the internal audit unit. He may also prepare an annual report to management on the activities of the internal audit unit in which he gives an assessment of how effectively the objectives of the function have been met.
56. Internal audit work should be properly recorded because:
a. the head of internal audit needs to be able to ensure that work delegated to staff has been properly performed. He can generally do this only by reference to detailed working papers prepared by the internal audit staff who performed the work;
b. working papers provide, for future reference, evidence of work performed, details of problems encountered and conclusions drawn; and
c. the preparation of working papers encourages each internal auditor to adopt a methodical approach to his work.
57. The head of internal audit should specify the required standard of internal audit documentation and working papers and ensure that those standards are maintained.
58. Internal audit working papers should always be sufficiently complete and detailed to enable an experienced internal auditor with no previous connection with the internal audit assignment subsequently to ascertain from them what work was performed and to support the conclusions reached. Working papers should be prepared as the internal audit assignment proceeds so that critical details are not omitted and problems not overlooked. These should be reviewed by internal audit management.
EVALUATION OF THE INTERNAL CONTROL SYSTEM
59. Controls, whether they relate to financial or operational areas, ensure that processes act to meet the system ‘s objectives.
60. The main objectives of the internal control system are:
a. to ensure adherence to management policies and directives in order to achieve efficiently and economically the organisation ‘s objectives;
b. to safeguard assets;
c. to secure the relevance, reliability and integrity of information, so ensuring as far as possible the completeness and accuracy of records; and
d. to ensure compliance with statutory requirements.
61. When evaluating internal control systems the internal auditor should consider the effect which all the controls have on each other and on related systems.
62. As part of the planning process the internal auditor should identify the whole range of systems within the organisation. For those systems to be examined, the internal auditor should establish appropriate criteria to determine whether the controls are adequate and assist in achieving the objectives of the system. The stages of a systems audit would normally be:
a. to identify the system parameters;
b. to determine the control objectives;
c. to identify expected controls to meet control objectives;
d. to review the system against expected controls;
e. to appraise the controls designed into the system against control objectives:;
f. to test the actual controls for effectiveness against control objectives;
g. to test the operation of controls in practice; and
h. to give an opinion based on audit objectives as to whether the system provides an adequate basis for effective control and whether it is properly operated in practice.
63. Internal audit evidence is information obtained by an internal auditor which enables conclusions to be formed on which recommendations can be based.
64. The internal auditor should determine what evidence will be necessary by exercising judgement in the light of the objectives of the internal audit assignment. This judgement will be influenced by the scope of the assignment, the significance of the matters under review, the relevance and the reliability of available evidence and the cost and time involved in obtaining it.
65. The collection and assessment of internal audit evidence should be recorded and reviewed to provide reasonable assurance that conclusions are soundly based and internal audit objectives achieved.
66. An internal auditor should obtain the evidence considered necessary for the achievement of the internal audit assignment objectives. This is influenced by, for instance:
a. the level of assurance required;
b. the objectives and scope of the internal audit assignment;
c. the scale of activity under review and the degree of risk involved;
d. the cost and time involved in obtaining evidence; and
e. the reliability of the evidence.
67. The relevance of the internal audit evidence should be considered in relation to the objectives of the internal audit assignment.
68. Reliable evidence can be achieved through the use of the appropriate internal audit techniques which should normally be selected in advance, but which may be expanded or altered as necessary during the internal audit assignment.
69. In order to place reliance on evidence the internal auditor should be satisfied with its nature, extent, adequacy, consistency and relevance to the internal audit assignment and with the methods governing its collection.
70. Internal audit reports provide a formal means of communicating to management the results arising from audits undertaken. Such reports should include audit findings, recommendations and conclusions relating to the adequacy of and compliance with the system of internal control and the efficiency, effectiveness and economy of operations in the area covered by the audit. From the point of view of completeness, management response to the audit findings should preferably also be included in the report. The aim of every internal audit report should be:
a. to prompt management action to implement recommendations for change leading to improvement in performance and control; and
b. to provide a formal record of points arising from the internal audit assignment and, where appropriate, of agreements reached with management.
71. Reporting arrangement, including the format and distribution of internal audit reports, should be agreed with management. The head of internal audit should ensure that reports are sent to managers who have a direct responsibility for the unit or function being audited and who have the authority to take action on the internal audit recommendations. Internal audit reports are confidential documents and their distribution should be restricted to those managers who need to know and other appropriate persons on a need to be informed basis.
72. While the internal auditor may clear minor matters which do not indicate a consistent or systematic weakness with members of staff directly involved, matters of consequence should be reported formally in writing to management.
73. The internal auditor should produce clear, constructive and concise written reports based on sufficient, relevant and reliable evidence, which should:
state the scope, purpose, extent and conclusions of the internal audit assignment;
make recommendations which are appropriate and relevant, and which flow from the conclusions; and
acknowledge the action taken, or proposed, by management.
74. The internal auditor should present an interim report, orally or in writing, where it is necessary to alert management to the need to take immediate action to correct a serious weakness in performance or control, or where there are reasonable grounds for suspicion of malpractice. Consideration should also be given to interim reporting where there is a significant change in the scope of the internal audit assignment or where it is desirable to inform management of progress. Interim reporting does not diminish or eliminate the need for final reporting.
75. The internal auditor should normally meet with management to discuss the audit findings at the completion of field work for each internal audit assignment and the formal written report should be presented to management as soon as possible thereafter.
76. Before issuing the final report, the internal auditor should normally discuss the contents with the appropriate levels of management, and may submit a draft report to them, for confirmation of factual accuracy.
77. If the internal auditor and management disagree about the relevance of the factual content of the draft audit report, the internal auditor should consider whether reference should be made to this in the final report.
78. It is management’s responsibility to ensure that proper consideration is given to internal audit reports. The internal auditor should ensure that appropriate arrangements are made to determine whether action has been taken on internal audit recommendations or that management has understood and assumed the risk of not taking action. The status of implementation, in respect of matters of consequence, so determined should be reported to the appropriate levels of management to enhance internal audit effectiveness.
APPENDIX – GLOSSARY OF TERMS USED IN THESE GUIDELINES
|Organisation||The body for which the internal auditor is providing an internal audit service.|
|Audit Committee||A committee of directors, mainly without executive responsibility which consider amongst others the external and internal audit plans and activities and reviews internal control arrangements.|
|Management||A comprehensive term including all persons who have responsibility at various levels for activities which may be the subject of internal audit.|
|Internal Auditor||An individual who takes responsibility for carrying out internal audit work within an organisation whether as an employee or as an external agency.|
|System||A series of inter-related procedures, composed of processes and controls designed to operate together to achieve a planned objective.|
|Internal Control||The regulation of activities in an organisation through systems designed and implemented to facilitate the achievement of management objectives.|
|Internal Control System||The whole system of controls, financial and otherwise, Control system established by the management in order to carry on the business of an organisation in an orderly and efficient manner, ensure adherence to management policies, safe-guard assets and secure as far as possible the completeness and accuracy of records.|
|Controls||The individual components of an internal control system are known as ‘controls’ or ‘internal controls’. These ensure that processes work to meet the system’s objectives. Controls may be preventive, detective, or directive. They may include, but are not limited to, authorisation, written policies and instructions, segregation of duties, standards, charts of account, forecasts, budgets, schedules reports, records, checklists, matching of documents, supervisory review, comparing on-hand quantities with recorded balances, accounting for all documents, and reconciliation.|