# 18


Internal Audit and Internal Controls

Khawar Shahzad Jaffar ACCA, CPA


Internal Auditing – Definition 

The Institute of Internal Auditors (IIA) defines internal auditing as: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”


Internal Auditing – Definition 

IFAC defines internal auditing in ISA 610 as:

"An appraisal activity established or provided as a service to the entity. Its functions include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of internal control."


Difference between Internal and External Audit 

The main difference between internal and external audit is the overall scope of the audit. The potential scope of an internal audit covers the total conduct of business. This includes the examination and evaluation of the adequacy and effectiveness of the organization’s governance, its risk management process, systems of internal control structure, and the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. The scope of the external audit is usually confined to a financial and compliance audit to satisfy the statutory responsibilities of the external auditor, which requires examination of the accounts and providing an opinion as to whether the financial statements produced provide a ‘true and fair picture’. Over and above issues of scope, there are three other key differences between internal and external audit.


Difference between Internal and External Audit 

Appointment:

External auditors are appointed by the shareholders (although they are usually only ratifying the directors’ choice) and must be independent of the company, whereas internal auditors are usually employees of the organization. 

Responsibility:

External auditors are responsible to the owners (i.e. shareholders, the public, etc.), whereas internal auditors are responsible to senior management. 

Objectives:

The objectives for external auditors are defined by statute, whereas those for internal auditors are set by management. In other words, management decide what parts of the organization or what systems internal auditors are going to look at and what type of internal audit


Internal Auditing – Objective and Scope 

Internal auditing is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

The scope of internal auditing within an organization is broad and may involve topics such as the efficacy of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations.


Internal Auditing – Objective and Scope 

Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.


Internal Auditing – Objective and Scope 

To perform their role effectively, internal auditors require organizational independence from management, to enable unrestricted evaluation of management activities and personnel. Although internal auditors are part of company management and paid by the company, the primary customer of internal audit activity is the entity charged with oversight of management's activities. This is typically the Audit Committee, a sub-committee of the Board of Directors. To provide independence, most Heads of Internal Audit report to the Chairperson of the Audit Committee and can only be replaced with the concurrence of that individual.


Internal Audit – Types 

There are several types of internal audit: financial audit, operational audit, management audit, compliance audit, IS audit and investigation audit. Each has a different purpose and characteristics.

Financial Audit

The purpose is to express an opinion on financial condition based on analysis, comparisons and tests of accuracy. Its scope is the financial records. The expected result of this audit is an opinion on the accuracy and reliability of the financial statements.

Operational Audit

The purpose is to analyze and improve methods of operations and performance. Its scope is the operational activities of a unit or department. The expected result of this audit is recommendations to management for the improvement of operations.


Internal Audit – Types

Management Audit

The purpose is to review and evaluate business and management issues to enhance profitability. Its scope is the business support activities of a unit or the entire organization. The expected result of this audit is an opinion on strategic issues, with recommendations or solutions.

Compliance Audit

The purpose is to express an opinion as to adherence to internal policies, regulatory rules and requirements, and applicable laws. Its scope is specific aspects of operations and business. The expected result of this audit is immediate rectification and compliance thereafter.


Internal Audit – Types

IS/IT Audit

The purpose is to audit the computer systems and the provision and management of information. Its scope is technical reviews of computer systems and their peripherals. The expected result of this audit is recommendations on computerization and information systems.

Investigation Audit

The purpose is to audit in depth irregularities such as misappropriation of the organization’s assets, reported fraud or allegations. Its scope is the area specified, in order to determine the modus operandi. The expected result of this audit is a conclusion on the findings, with recommendations to prevent recurrence.


Internal Auditing – Role in Internal Control 

Internal auditing activity is primarily directed at improving internal control. Under the COSO Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following internal control categories:

Effectiveness and efficiency of operations.

Reliability of financial reporting.

Compliance with laws and regulations.

Management is responsible for internal control. Managers establish policies and processes to help the organization achieve specific objectives in each of these categories. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement.


Internal Auditing – Role in Risk Management 

Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's risk management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives.


Internal Auditing – Role in Corporate Governance 

Internal auditing activity as it relates to corporate governance is generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct, manage, and monitor the organization's resources, strategies and policies towards the achievement of the organization's objectives. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor.


Internal Auditing – Conducting the Assignment 

A typical internal audit assignment involves the following steps:

1. Establish and communicate the scope and objectives for the audit to appropriate management.

2. Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.

3. Describe the key risks facing the business activities within the scope of the audit.

4. Identify control procedures used to ensure each key risk and transaction type is properly controlled and monitored.


Internal Auditing – Conducting the Assignment

5. Develop and execute a risk-based sampling and testing approach to determine whether the most important controls are operating as intended.

6. Report problems identified and negotiate action plans with management to address the problems.

7. Follow up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose.



Audit assignment length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated.


Internal Auditing – Reports 

Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary; a body that includes the specific issues or findings identified and related recommendations or action plans; and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's":


Internal Auditing – Reports

1. Condition: What is the particular problem identified?

2. Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.

3. Cause: Why did the problem occur?

4. Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?

5. Corrective action: What should management do about the finding? What have they agreed to do and by when?


Internal Auditing – Reports 

The recommendations in an internal audit report are designed to help the organization achieve its goals, which may relate to operations, financial reporting or legal/regulatory compliance. They may relate to effectiveness (i.e., whether goals were met or compliance with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs).



Audit findings and recommendations also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.


Internal Controls – Introduction 

In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).


Internal Controls – Introduction 

At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered.) Internal control procedures reduce process variation, leading to more predictable outcomes.


Internal Controls - Definition 

There are many definitions of internal control, as it affects the various constituencies (stakeholders) of an organization in various ways and at different levels of aggregation.

Under the COSO Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following internal control categories: 

Effectiveness and efficiency of operations.

Reliability of financial reporting.

Compliance with laws and regulations.


Internal Controls – Responsibilities

Management

The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions.


Internal Controls – Responsibilities 

In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.


Internal Controls – Responsibilities

Board of Directors

Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.


Internal Controls – Responsibilities

Auditors

The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. They may also review information technology controls, which relate to the IT systems of the organization.


Internal Controls – Limitations 

Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures.



Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it. However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective internal control provides only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement.


Internal Controls – Description 

Internal controls may be described on the basis of:

Objective categorization

Internal control activities are designed to provide reasonable assurance that particular objectives are achieved, or related progress understood. The specific target used to determine whether a control is operating effectively is called the control objective. Control objectives fall under several detailed categories; in financial auditing, they relate to particular financial statement assertions, but broader frameworks are helpful to also capture operational and compliance aspects:


Internal Controls – Description

Existence (Validity): Only valid or authorized transactions are processed (i.e., no invalid transactions)

Occurrence (Cutoff): Transactions occurred during the correct period or were processed timely.

Completeness: All transactions are processed that should be (i.e., no omissions)

Valuation: Transactions are calculated using an appropriate methodology or are computationally accurate.

Rights & Obligations: Assets represent the rights of the company, and liabilities its obligations, as of a given date.

Presentation & Disclosure (Classification): Components of financial statements (or other reporting) are properly classified (by type or account) and described.

Reasonableness: Transactions or results appear reasonable relative to other data or trends.


Internal Controls – Description 

For example, a control objective for the accounts payable function may be stated as: "Payments are made only for authorized products and services received." This is a validity objective. A typical control procedure designed to achieve this objective is: "The accounts payable system compares the purchase order, receiving record, and vendor invoice prior to authorizing payment." Multiple controls may be applicable to achieve a given control objective with a reasonable level of assurance.



Management is responsible for implementing appropriate controls that apply to transactions in their areas of responsibility. Internal auditors perform their audits to evaluate whether the controls are designed and implemented effectively to address the relevant objectives.


Internal Controls – Description

Activity categorization

Control activities may also be explained by the type or nature of activity. These include (but are not limited to):

Segregation of duties - separating authorization, custody, and record keeping roles to prevent fraud or error by one person.

Authorization of transactions - review of particular transactions by an appropriate person.

Retention of records - maintaining documentation to substantiate transactions.

Supervision or monitoring of operations - observation or review of ongoing operational activity.

Physical safeguards - usage of cameras, locks, physical barriers, etc. to protect property, such as merchandise inventory.


Internal Controls – Description

Top-level reviews - analysis of actual results versus organizational goals or plans, periodic and regular operational reviews, metrics, and other key performance indicators (KPIs).

IT Security - usage of passwords, access logs, etc. to ensure access is restricted to authorized personnel.

Top-level reviews - management review of reports comparing actual performance versus plans, goals, and established objectives.

Controls over information processing - a variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files and programs.


Internal Controls – Description

Control precision

Control precision describes the alignment or correlation between a particular control procedure and a given control objective or risk. A control with direct impact on the achievement of an objective (or mitigation of a risk) is said to be more precise than one with indirect impact on the objective or risk. Precision is distinct from sufficiency; that is, multiple controls with varying degrees of precision may be involved in achieving a control objective or mitigating a risk.


Test of Controls 

Tests of Controls are audit procedures performed to test the operating effectiveness of controls in preventing or detecting material misstatements at the relevant assertion level.

An auditor might use inspection of documents, observation of specific controls, reperformance of the control, or other audit procedures to gather evidence about controls.

