Chapter 4


CHAPTER 4

Internal audit
EXAM FOCUS
Internal audit is now a valued part of the control systems operated by the management of
significant companies. It is also an important mechanism in regulating the behaviour of
executive directors (the people with the full-time jobs) to ensure that they behave in an ethical
manner.

This chapter introduces you to the importance of internal audit and its role in corporate
governance. This term is used to define the system of checks and balances that exist in
managing companies which hold a public interest because they rely on investment from the
public. In this chapter you will deal with topics specifically identified by the examiner such as
the importance of corporate objectives and risk management. You are only expected to be
aware of these concepts. Finally internal audit can deal with audit for non-financial purposes.
This aspect (known as value for money or best value audit) is increasingly important today.

SYLLABUS AND STUDY GUIDE COVERAGE


This chapter covers the following elements of the ACCA study guide:

3 Internal Audit and Internal Review I

Explain the:

• development and role of internal audit in achieving corporate objectives and as
part of good corporate governance practice.

• function of internal audit in the context of corporate risk management and
organisational control.

• relative merits of out-sourcing internal audit and internal review services to
external auditors and others, and the associated problems.

• difference between the role of external audit and internal audit.

4 Internal Audit and Internal Review II

Describe the:

• scope of internal audit work and the limitations of the internal audit function.

• nature and purpose of internal review assignments including:

- value for money
- best value
- IT
- financial

• nature and purpose of operational internal audit and review assignments
including:

- procurement
- marketing
- treasury
- HR

ACCA Paper F Text – Audit and Assurance (International)

• types of report provided in internal audit and internal review assignments.

27 Reporting II

Describe, illustrate and analyse the format and content of:

• unmodified and modified internal review reports

• reports dealing with recommendations for the enhancement of business
performance

In order to cover these elements the following topics are included:

ISA 610 Considering the work of internal auditing

The Turnbull recommendations on corporate governance in the UK

1 The nature of internal audit


1.1 Introduction
The Institute of Internal Auditors defines internal audit as follows:

Internal auditing is an independent appraisal function established within an organisation to
examine and evaluate its activities as a service to the organisation. The objective of internal
auditing is to assist members of the organisation in the effective discharge of their
responsibilities. To this end internal auditing furnishes them with analyses and appraisals,
recommendations, counsel and information concerning the activities reviewed.

1.2 Achieving corporate objectives


Internal audit (IA) can be delivered in a number of different ways. It is part of the system of
managerial review that is associated with the features of internal control. It forms a significant
part of the system and methods used by the management of a business to direct the activities of
their personnel towards the achievement of business goals or corporate objectives. Every
significant enterprise (eg, a company whose shares are quoted on a Stock Exchange) recognises
the need to work for various goals or objectives. Typically these objectives are:

• Improving shareholder wealth.
• Improving or maintaining market position.
• Developing new products and services.
• Improving the quality of its processes.
• Demonstrating social responsibility.

The task of top management is to direct or control the activities of the business so that these
corporate goals are achieved.

Internal audit therefore has a very broad scope for operations and embraces both financial and
non-financial issues.

1.3 Differences between external audit and internal audit


Although the external auditor and internal auditor may carry out many of the same
procedures, it is instructive to highlight the differences between their roles:

• Internal auditors are employees of the company; external auditors are independent persons
working for a separate audit firm.

• External audit is required for large and public companies by the statute in most countries.
Internal auditors may (or may not) be appointed by the management of a company at their
choice.

• The activities of an external auditor are decided by themselves. The activities of an internal
auditor are ultimately decided by management.

• External auditors report to shareholders, while internal auditors report to management.

• The purpose of external audit is to give an opinion on whether the financial statements
give a true and fair view; the purpose of internal audit is to advise management on the
systems of control.

• External audit is focused on financial matters. Internal audit can be as widely focused as
management wishes.

1.4 Guidance for internal auditors


Internal auditors need to be clear about the main issues and procedures which they need to
consider as part of their work. The essentials for effective internal auditing may be listed as:

• independence – in terms of organisational status and personal objectivity;

• staffing and training;

• relationships – should be constructive with management and with the external auditors;

• due care;

• planning, controlling and recording;

• evaluation of the internal control system;

• evidence – before reporting, the internal auditor should gather sufficient, relevant and
reliable evidence;

• reporting and follow-up.

2 Scope of internal audit


2.1 Activities associated with IA
The internal audit staff of a significant entity would be expected to carry out a variety of tasks:

• Reviewing internal controls and financial reports.
• Reviewing the systems of corporate risk management.
• Carrying out special exercises such as investigations into fraud.
• Conducting reviews of operations in order to comply with certain statutory matters.
• Conducting "operational" audits.

Operational audits can cover management audits and value for money (VFM) audits (see
below).

Many of the tasks carried out by the internal auditor are similar to those of an external auditor
appointed under statute. But internal auditors have a greater right of access in that they are
allowed to investigate and review areas of business activity that are outside the scope of the
external audit.

2.2 Independence and reporting


The IA function must enjoy a considerable degree of independence if it is to be part of an
effective control framework. Typically the head of the IA function reports to the Chief
Executive Officer of the enterprise. This ensures that the IA function is independent of all
business activities. The head of the IA function also reports to the Audit Committee, which is
made up of at least three non-executive directors whose brief is to ensure that the Board runs
the company with due regard for good business ethics and takes account of the interests of the
various stakeholder groups.

2.3 Special considerations affecting the financial services industry


Certain businesses such as banks, building societies and investment companies operate in a
strict regulatory framework. Internal audit is often a legal requirement in such companies and
the IA function is generally called "compliance audit". For example, the managers of clearing
banks are regularly visited by bank inspectors who investigate and report on the way in which
staff comply with internal policies and regulations on lending and credit management.
Internal audit may also be a legal requirement in certain public sector organisations such as
local authorities and healthcare providers.

2.4 Staffing and competence


IA staff have a duty of care to their employers and in turn must demonstrate competence and
technical skill. They have an ethical duty of confidentiality and integrity.

IA departments are often staffed by persons with competence in a variety of backgrounds. A
strong financial orientation is essential but this is coupled with competence in other areas of
business. This multidisciplinary approach is often necessary in carrying out operational or
management audits where financial competence is only one dimension of the audit function.
For example, if the IA function carries out a review of the transport and distribution functions
they will need to be capable of understanding the complexities of operating a fleet of heavy
goods vehicles across national boundaries. This will involve a degree of expertise which is
broader than traditional financial audit.

2.5 Limitations of internal audit


There is an inherent tension in the role of an internal auditor. He is employed by the
management of a company, and yet is expected to be able to give an objective judgement on
the systems for which management is responsible. Management can understandably be
unwilling to pay large amounts of money to internal auditors who they see as doing nothing
but criticising them and their previous decisions.

It is therefore best if internal audit can report their findings to an independent channel of
communication such as an audit committee to ensure that their findings are not suppressed.

3 Operational audit
3.1 Definition of terms
The term operational audit is used to distinguish IA activities that are not focused on the
"traditional" audit of the financial statements.

"Operational audit" is sometimes used as a synonym for "management audit" or "value for
money audit". Commonly the terms operational audit and value for money audit will refer to
the same activity, which is a performance review which focuses on three essential issues:

Economy

The activity has been planned and executed with due concern for incurring the lowest possible
cost.

Efficiency

The activity has been carried out with concern for maximising outputs for any given inputs or
alternatively minimising inputs to avoid any waste or extravagance.

Effectiveness

The activity was carried out in order to satisfy management that their objectives will be or have
been achieved.

These 3 Es (as they are called) demonstrate concern for value for money.

3.2 The nature of VFM audit


Professor John Glynn describes VFM audit as "a blend of the traditional disciplines of financial
audit with the problem solving skills of management consultancy". VFM audits do not follow
the traditional tasks of the financial audit cycle but are more rigorous and searching in their
approach. No VFM audit is like any other but most "performance reviews" follow a pattern of
procedures which are part of standard practice. However there is one aspect of the VFM audit
which differs markedly from financial audit and this is the concept of designing performance
indicators to assess the 3 Es.

3.3 Measuring Economy, Efficiency and Effectiveness (the 3 Es)


In a traditional financial audit there are various tests that can be used in order to establish if a
transaction is properly authorised or if there is adequate evidence to support the legitimacy of
a transaction. For example if a company car is purchased the transaction can be validated by
examining the authority for the transaction (a director signs the purchase order) with the
evidence of payment (a bank draft in favour of the dealer) as well as the evidence of purchase
(the invoice itself). VFM audit is different in that there are rarely any standard tests that can be
applied in order to establish if there has been concern for economy, efficiency and effectiveness
or best value. VFM audit is really concerned with the ability of an independent reviewer to
challenge the existing way of doing things in order to bring about an improvement.

Economy

The concept of "economy" is easy to understand and illustrate. If the manager of Department
A wants to refurnish its offices he would be well advised to seek competitive quotations from,
say, three suppliers, in order to choose the one that offers the best deal, rather than simply
accept the $100,000 quoted by the first supplier he contacts. If a later investigation reveals that
careful buying could have reduced this cost to $80,000 the person who sanctioned the
expenditure would have some explaining to do! It is a feature of business life today that no
significant expenditure should be incurred before obtaining a competitive quote or tender.
Compulsory competitive tendering is an essential part of many Government expenditure
systems because there is often a legal requirement to consider the impact of value for money on
any transaction.

Efficiency and Effectiveness

Efficiency and effectiveness are subjective concepts and the VFM auditor has to design or
create a key performance indicator (in shorthand KPI) which can measure waste, extravagance
or satisfaction. The design of KPIs requires skill, insight and experience of the business area.

3.4 Example 1
The Human Resources (HR) Division of X plc has an annual budget of $500,000 for the year
20X2. This covers salaries, telephone and stationery costs. The objectives of the division are to:

• Obtain quality staff.
• Reduce absenteeism.
• Reduce staff turnover (staff are costly to replace).

In 20X0 and 20X1, the operating data of the division showed the following:

Key performance indicators (KPI): Economy and Efficiency

                                        20X0        20X1        Difference    Forecast 20X2
Staff salaries                          $400,000    $410,000    $(10,000)     $400,000
Telephone                               $50,000     $60,000     $(10,000)     $40,000
Stationery                              $50,000     $53,000     $(3,000)      $60,000
Total cost                              $500,000    $523,000    $(23,000)     $500,000
Average cost of a placement of staff    $3,233      $4,333      $(1,100)      $3,000
Cost of 1 HR member                     $34,000     $35,677     $(1,677)      $33,000

Key performance indicators (KPI): Effectiveness

                                                          Actual 20X0    Actual 20X1    Forecast 20X2
Staff numbers for establishment                           5,000          4,900          6,000
Absentee rate per annum                                   10%            12%            5%
Staff turnover (% of staff replaced)                      10%            17%            9%
Staff grievance factor (% of staff making complaints)     7%             9%             8%
Dismissal factor (% of staff dismissed for misconduct)    2%             4%             3%
Satisfaction score by directors**                         5              4              8

**Scoring system
1-4 Poor
5-7 Fair
8-10 Good

If the director of HR wants to impress in her job she will have to achieve or surpass the KPIs
for the year 20X2.

3.5 Example 2
The Nausica Swimming Baths Ltd has introduced a system of KPI to evaluate its services to the
community. It is required to do this as it receives a grant from the London Borough of Ithaca.

Swimming Baths Activity Measures

Use of indoor pool                       Forecast 20X1    Actual 20X0
Adult swimmers                           45,000           45,000
Child swimmers                           75,000           73,000

Key performance measure                  Target 20X1      Actual 20X0
Economy and efficiency
  Cost per 1,000 swimmers                $x               $x
  Cost per user taught to swim           $x               $x
  Income as % of expenditure             x%               x%
  % use                                  x%               x%
  Admin and supervisory cost per user    $x               $x
Effectiveness
  Customer satisfaction score            1-9              1-9
  Accident rate not exceeding            x%               x%
  % small children taught to swim        x%               x%

1 = poor
9 = excellent

Budget                                   Actual 20X0      Budget 20X1
                                         $000             $000
Employees                                210,364          200,000
Running expenses                         176,555          174,000
Supplies and services                    120,000          100,000
Transport and plant                      45,323           45,000
Establishment expenses                   50,111           48,000
Interest payable                         10,000           0
Total expenditure                        612,353          567,000
Income                                   1,000,000        1,400,000
Net profit                               387,647          833,000

3.6 Pre-event or post-event auditing


Traditional audit of the financial statements is oriented at the past. The auditor is examining
history. Operational or VFM audit can be either past oriented or concerned with events that
are about to happen. It can be used to validate future courses of action. For example, a
company may decide to enter into a contract with a supplier of computer services (now called
an application service provider) as they are dissatisfied with their present IT system. The
contract will run for five years and will cost $1m annually. They would conduct a VFM audit
of the proposed course of action and compare it with the results of a VFM audit of the existing
IT system. They may then decide that the old system is better after all! (From a practical
viewpoint, the UK Inland Revenue Self Assessment System was "contracted out" in this way to
an American contractor called EDS – presumably after conducting a VFM study on whether
such a scheme would be viable!)

3.7 Conducting a VFM audit


The VFM audit bears a certain resemblance to the traditional financial audit but it differs in its
scope. The VFM reviewer has the freedom to investigate widely in order to establish if the
objectives of management are being attained.

Example

XYZ have decided that they will close down their transport department which employs a fleet
of 50 heavy goods vehicles. In future they will use the well known transport company Steady
Robart Ltd who will supply a fleet of lorries "dedicated" to serve the needs of XYZ. The
directors are reluctant to make a final decision until they receive a report from the internal
audit department as to whether the decision will deliver value for money.

This type of business decision is very common today and is often referred to as the process of
"contracting out" or "outsourcing" services to external contractors.

What follows illustrates an overview of the stages of a VFM audit.

1 The IA staff obtain the policy documents relating to the change. This will include any
financial plans made by the directors to evaluate the new policy. The operating
statistics of the existing transport fleet will also be available.

2 The IA staff familiarise themselves with the workings of the transport department.
They would interview key staff members as part of this process.

3 The IA staff and the managers of the transport department will agree the scope of the
proposed investigation.

4 The IA department will plan the investigation and will notify the interested parties of
the agreed scope. The agreement will include the identification of the objectives of the
study and the various KPI that will be used to validate activities.

5 The investigation will take the shape of a field study to examine and evaluate the key
areas of concern.


Economy Efficiency Effectiveness


Costs measured against KPI developed from industry KPI developed from industry
industry standards practice standards and internal
expectations of staff
Capital and revenue costs of Average costs per transaction Satisfaction scores on:
operation viz: % down time Meeting deadlines
Plant % breakdown time Errors and omissions
Licensing % accidents Safety of goods
Fuel Road traffic infringements
Tyres
Insurance

6 The investigator will evaluate and compare the internal service against his review of
the likely external service.

7 Conclusions and recommendations are formulated.

8 A report is drafted for management discussion. Any challenges to the report on errors
of fact are reviewed and rectified.

9 A final report is submitted to management.

3.8 Best value audit


Inside local authorities the trend in recent years has been to secure 'best value' for the local
government stakeholders, which requires a demonstration of the achievement of the 4Cs of
Challenge, Compare, Consult and Compete. For example, with effect from 1 April 2000 all
local authorities in England and Wales are required to plan to meet these standards.

Challenge - The current position must be questioned in order to review the
possibility of better options.

Compare - The reporting authority should compare its performance with other
comparable service providers.

Consult - All users and providers of services should have an open channel of
communication to the authority.

Compete - Demonstrate that the most efficient and effective service delivery is
being maintained.

3.9 Information technology audit


Internal auditors may be requested to carry out an information technology (IT) audit, covering
all aspects of hardware, applications and the IT environment, in order to report on the risks in
the IT systems including the controls over inputs, outputs and processing.

3.10 Financial internal audit


Financial internal audit is the traditional work of the internal audit department of ten or more
years ago. It involves the same audit procedures that the external auditor will carry out,
covered in later chapters of this text. Where an internal audit department has carried out
effective work on the financial accounting system, the external auditor may be able to cut down
the amount of detailed testing that he will carry out.

3.11 Specific areas of operational auditing


(a) Procurement

Procurement is the process of obtaining goods and services from external suppliers. Clearly
most businesses spend large sums of money buying in goods and services from external
suppliers, so the procurement system must be effectively controlled to minimise the risk of
fraud and the overall cost to the company.

(b) Marketing

Marketing is the process of pricing and promoting the company's outputs (goods and services)
to the external customers. It includes advertising and branding activities as well as pricing
policy. Internal audit has traditionally avoided 'creative' areas of business such as marketing
and human resources, but the trend is now for operational auditing to encompass all
significant systems.


(c) Treasury

Treasury management is the corporate handling of all financial matters, the generation of
external and internal funds for business, the management of currencies and cashflows, and the
complex strategies, policies and procedures of corporate finance. There have been so many
high-profile disasters in treasury departments over the past fifteen years that the risks involved
are now widely appreciated. Internal audit must develop (or buy in) the specialist skills
required to review controls in this area.

(d) Human resources

Human resources (HR) is the modern development of the old traditional personnel function. It
encompasses recruitment, training, remuneration policy (including pensions and benefits),
grievance procedures and leavers. It is much more than just the payroll administration
department (the traditional role).

Since in the final analysis a business is its people, the importance of HR cannot be
overestimated. Internal audit should determine the controls in place and test their
effectiveness.

4 Corporate governance and internal audit


4.1 Corporate governance
This term is used to describe the systems of control and direction exercised by the Board of
directors of a company whose shares are listed on a recognised Stock Exchange. Such
companies are described as "public interest companies" because they are run to increase the
wealth of investors (primary stakeholders) as well as to generate benefits for other interested
parties such as employees, loan creditors, government agencies etc (secondary and tertiary
stakeholders). It is not enough to consider the well-being of investors alone. Significant
companies must recognise an ethical obligation to act in a socially responsible fashion.

Appropriate policy must be formulated in the following areas:

• The constitution of the Board of directors and the separation of roles of chief executive and
chairman.

• The recruitment of non-executive directors to balance the influence of executive directors.

• Openness and integrity on directors' pay and benefits.

• Responsible systems of control through such mechanisms as audit committees and
remuneration committees.

• Directors to report on internal control systems.

• Directors to report on the systems and checks to manage risks and give an insight on how
risks are managed.

A lot of work on improving systems of corporate governance has been carried out in the UK,
following a series of high-profile corporate collapses in the 1980s. Several reports were
developed to prevent future collapses arising from loose control systems.

The Greenbury Report (1995) recommended the practice of preparing detailed remuneration
reports to explain how directors are rewarded. This practice is now implemented by all UK
listed companies. The Hampel Report (1997) sought to clarify an ideal code in relation to
internal control and risk management but it was left to the Turnbull Report (1998) to formally
endorse the need for reliable control through an internal audit service.


4.2 Audit committees


The concept is North American in origin but is now part of the listing rules of most
international Stock Exchanges. An audit committee is a body made up of at least three
non-executive directors. The committee generally meets on a quarterly basis and is responsible for
the following:

1 The remuneration and effectiveness of the external auditors.
2 Receiving the findings of the external auditors' management reports.
3 The role of internal auditors.
4 Receiving the findings of any internal audit investigation.
5 Reviewing the publication of any unaudited financial reports.
6 Reviewing the annual report and accounts.
7 Reviewing the performance and conduct of executive directors.

The audit committee members' names are found in the annual report.

Advantages of audit committees

• To reassure shareholders that the Board operates to safeguard their interests.

• To reassure the business community that the company acknowledges an element of social
responsibility.

• To make both internal and external audit functions subject to a more rigorous evaluation.

Criticisms

• A costly cosmetic exercise to create an appearance of regularity.

• Audit committees could split the board by creating a division between directors.

• Audit committees may not have the strength to control strong personalities among the
executive directors.

4.3 Remuneration committees


This committee is made up of around three non-executive directors who can be joined by a
partner of the audit firm holding office as the company's auditor. The task of the committee is
to review the following issues in relation to fairness and good practice.

1 The structure of executive director salaries.
2 The scale of benefits in kind.
3 The mechanism for calculating any profit related pay.

The committee prepares a detailed remuneration report which is published as part of the
annual report. The analysis is often more detailed than the requirements of statute; each
director's remuneration is disclosed in considerable detail.

4.4 The Turnbull recommendations on internal control and risk management
The internal auditor today is more than just a part of the internal control system. His
department is required to be pro-active in risk management and in ensuring that the board is
aware of the need for strong controls and demonstrating ethical values by example.

An extract is reproduced below which gives the flavour of the Turnbull Report.

The board's statement on internal control

35 In its narrative statement of how the company has applied code principle D.2, the
board should, as a minimum, disclose that there is an ongoing process for identifying,
evaluating and managing the significant risks faced by the company, that it has been in
place for the year under review and up to the date of approval of the annual report and
accounts, that it is regularly reviewed by the board and accords with the guidance in
this document.

36 The board may wish to provide additional information in the annual report and
accounts to assist understanding of the company's risk management processes and
system of internal control.

37 The disclosures relating to the application of principle D.2 should include an
acknowledgement by the board that it is responsible for the company's system of
internal control and for reviewing its effectiveness. It should also explain that such a
system is designed to manage rather than eliminate the risk of failure to achieve
business objectives, and can only provide reasonable and not absolute assurance
against material misstatement or loss.

38 In relation to code provision D.2.1, the board should summarise the process it (where
applicable, through its committees) has applied in reviewing the effectiveness of the
system of internal control. It should also disclose the process it has applied to deal
with material internal control aspects of any significant problems disclosed in the
annual report and accounts.

39 Where a board cannot make one or more of the disclosures in paragraphs 35 and 38, it
should state this fact and provide an explanation. The Listing Rules require the board
to disclose if it has failed to conduct a review of the effectiveness of the company's
system of internal control.

40 The board should ensure that its disclosures provide meaningful, high-level
information and do not give a misleading impression.

41 Where material joint ventures and associates have not been dealt with as part of the
group for the purposes of applying this guidance, this should be disclosed.

Internal audit

42 Provision D.2.2 of the code states that companies which do not have an internal audit
function should from time to time review the need for one.

43 The need for an internal audit function will vary depending on company-specific
factors including the scale, diversity and complexity of the company's activities and
the number of employees, as well as cost/benefit considerations. Senior management
and the board may desire objective assurance and advice on risk and control. An
adequately resourced internal audit function (or its equivalent where, for example, a
third party is contracted to perform some or all of the work concerned) may provide
such assurance and advice. There may be other functions within the company that
also provide assurance and advice covering specialist areas such as health and safety,
regulatory and legal compliance and environmental issues.

44 In the absence of an internal audit function, management needs to apply other
monitoring processes in order to assure itself and the board that the system of internal
control is functioning as intended. In these circumstances, the board will need to
assess whether such processes provide sufficient and objective assurance.

45 When undertaking its assessment of the need for an internal audit function, the board
should also consider whether there are any trends or current factors relevant to the
company's activities, markets or other aspects of its external environment that have
increased, or are expected to increase, the risks faced by the company. Such an
increase in risk may also arise from internal factors such as organisational
restructuring or from changes in reporting processes or underlying information
systems. Other matters to be taken into account may include adverse trends evident
from the monitoring of internal control systems or an increased incidence of
unexpected occurrences.

46 The board of a company that does not have an internal audit function should assess the
need for such a function annually having regard to the factors referred to in
paragraphs 43 and 45 above. Where there is an internal audit function, the board
should annually review its scope of work, authority and resources, again having
regard to those factors.

47 If the company does not have an internal audit function and the board has not
reviewed the need for one, the Listing Rules require the board to disclose these facts.

Appendix to the Turnbull Report


$VVHVVLQJWKHHIIHFWLYHQHVVRIWKHFRPSDQ\·VULVNDQGFRQWUROSURFHVVHV

Some questions which the board may wish to consider and discuss with management when
regularly reviewing reports on internal control and carrying out its annual assessment are set
out below. The questions are not intended to be exhaustive and will need to be tailored to the
particular circumstances of the company.

This Appendix should be read in conjunction with the guidance set out in this document.

1 Risk assessment

¨ Does the company have clear objectives and have they been communicated so as to
provide effective direction to employees on risk assessment and control issues? For
example, do objectives and related plans include measurable performance targets and
indicators?

¨ Are the significant internal and external operational, financial, compliance and other
risks identified and assessed on an ongoing basis? (Significant risks may, for example,
include those related to market, credit, liquidity, technological, legal, health, safety and
environmental, reputation and business probity issues.)

¨ Is there a clear understanding by management and others within the company of what
risks are acceptable to the board?

2 Control environment and control activities

¨ Does the board have clear strategies for dealing with the significant risks that have
been identified? Is there a policy on how to manage these risks?

¨ Do the company's culture, code of conduct, human resource policies and performance
reward systems support the business objectives and risk management and internal
control system?

¨ Does senior management demonstrate, through its actions as well as its policies, the
necessary commitment to competence, integrity and fostering a climate of trust within
the company?

¨ Are authority, responsibility and accountability defined clearly such that decisions are
made and actions taken by the appropriate people? Are the decisions and actions of
different parts of the company appropriately co-ordinated?

¨ Does the company communicate to its employees what is expected of them and the
scope of their freedom to act? This may apply to areas such as customer relations;
service levels for both internal and outsourced activities; health, safety and
environmental protection; security of tangible and intangible assets; business
continuity issues; expenditure matters; accounting; and financial and other reporting.

¨ Do people in the company (and in its providers of outsourced services) have the
knowledge, skills and tools to support the achievement of the company's objectives
and to manage effectively risks to their achievement?

¨ How are processes/controls adjusted to reflect new or changing risks, or operational
deficiencies?

3 Information and communication

¨ Do management and the board receive timely, relevant and reliable reports on
progress against business objectives and the related risks that provide them with the
information, from inside and outside the company, needed for decision-making and
management review purposes? This could include performance reports and indicators
of change, together with qualitative information such as on customer satisfaction,
employee attitudes etc.

¨ Are information needs and related information systems reassessed as objectives and
related risks change or as reporting deficiencies are identified?

¨ Are periodic reporting procedures, including half-yearly and annual reporting,
effective in communicating a balanced and understandable account of the company's
position and prospects?

¨ Are there established channels of communication for individuals to report suspected
breaches of laws or regulations or other improprieties?

4 Monitoring

¨ Are there ongoing processes embedded within the company's overall business
operations, and addressed by senior management, which monitor the effective
application of the policies, processes and activities related to internal control and risk
management? (Such processes may include control self-assessment, confirmation by
personnel of compliance with policies and codes of conduct, internal audit reviews or
other management reviews.)

¨ Do these processes monitor the company's ability to re-evaluate risks and adjust
controls effectively in response to changes in its objectives, its business, and its external
environment?

¨ Are there effective follow-up procedures to ensure that appropriate change or action
occurs in response to changes in risk and control assessments?

¨ Is there appropriate communication to the board (or board committees) on the
effectiveness of the ongoing monitoring processes on risk and control matters? This
should include any significant failings or weaknesses on a timely basis.

¨ Are there specific arrangements for management monitoring and reporting to the
board on risk and control matters of particular importance? These could include, for
example, actual or suspected fraud and other illegal or irregular acts, or matters that
could adversely affect the company's reputation or financial position?

5 Relationship with the external auditor


5.1 ISA 610 – Considering the work of internal auditing
The relationship between the external auditor and the internal auditor must be clearly
understood. The external auditor is appointed in order to report to the shareholders whether
the financial statements are properly prepared and give a true and fair view. Management, as
part of a system of quality assurance, appoints the internal auditors. The scope of their work is
decided by management and may be more narrowly defined. It may also be more specialised
in that the external auditor is not required to examine issues related to "value for money"
when reporting under ISAs. There are two important statements in ISA 610 that reflect
mandatory practice.

"The external auditor should obtain a sufficient understanding of internal audit activities to
assist in planning the audit and developing an effective audit approach."

This means that the external auditors should consider the following:

Organisational status. The internal auditor should be free to report as independently as
possible and is generally in a line relationship with the chief executive officer.

Scope of work. How are internal auditors employed and how are their recommendations
implemented?

Technical competence. People of good quality, who are properly trained and supervised, staff
the internal audit function.

Due professional care. The internal audit department demonstrates care and diligence in the
way that they plan, record and monitor their work.

The next statement has important bearing on the external auditor's work:

"When the external auditor intends to use specific work of internal auditing, the external
auditor should evaluate and test that work to confirm its adequacy for the external auditor's
purposes."

This evaluation may significantly reduce the amount of detailed checking that the external
auditors would normally carry out. Typical issues to be identified are these:

1 The nature and timing of the tests reflect sound judgement of risk and materiality.

2 The work is done by technically competent persons.

3 The work is documented with a high standard of care.

4 Any unusual features that are discovered are suitably investigated and drawn to
management's attention.

5 The work of assistants is suitably supervised and documented.

6 The audit conclusions are appropriate and suitably reported.

7 The work of the internal auditors is tested and the external auditor is satisfied with the
quality of work done.

5.2 Outsourcing internal audit


How should a company comply with the codes of corporate governance if it does not have an
internal audit department? The answer could be to "contract out" the internal audit service to
a third party who is not necessarily the external auditor. The term "contracting out" implies a
process where a number of service providers make a bid to supply a service for a period of
years by what is known as a service level agreement (SLA). The provider undertakes certain
services and charges accordingly. The scope of the work is determined by the contractee (the
company) and the provider agrees to adhere to the scope of the work. Any deviations from the
scope through deficiencies in performance are dealt with by a system of penalties which the
customer levies on the provider. Subcontracted service provision is generally undertaken in
the following circumstances:

¨ There is a skills shortage in the organisation.

¨ The provider possesses some special expertise that is required on an irregular basis, e.g. a
review of specialised computer systems.

¨ A service is provided at a geographically remote location where a local capacity does not
exist.

¨ The service is provided as and when it is needed.

As a general rule internal audit provided by full time employees offers the benefit of a loyal
corporate culture at the expense of a heavy commitment to an annual salary cost.

6 Types of report provided in internal audit assignments


Whereas ISA 700 lays down standard wordings for external audit reports, the contents of an
internal audit report are not standardised and will depend on the nature of the assignment.

Typically an internal audit report will be addressed to the audit committee and should be
formal in nature. The contents could be:

¨ executive summary.
¨ key findings and recommendations.
¨ agreed actions and timescales for implementation.
¨ appendices containing the detailed findings of the audit procedures undertaken.

Internal auditors may also be called on to make informal reports on an ad hoc basis, for
example, giving a presentation on some aspect of the company's activities.

Practice question 1 (The answer is in the final chapter of this book)


Byzantium

You are the newly appointed internal auditor of Byzantium Hotels plc. You have received a
copy of a management letter from the external auditors to the Board pointing out that there is
no internal audit service to provide quality assurance to management and consequently the
systems of internal control are less than satisfactory. You have also discovered a variety of
practices carried out by staff which you consider as fraudulent. These include pilferage of
inventory and abuse of the hotels' computer facilities. The chairman of Byzantium Hotels plc,
stung by these criticisms, has asked for your comments and how you will "use internal audit to
help us to fight fraud and improve our systems".

Required

Draft a memorandum to the audit committee in order to comply with the chairman's request.

7 Summary
A company may choose to appoint internal auditors to contribute towards securing internal
control within the company. The tasks that the internal auditors carry out are, in the final
analysis, decided by the company's directors.

Where a company has an effective internal audit function, the external auditors may be able to
reduce the amount of their detailed testing, since they can rely on the control granted by
internal audit.

Internal audit can be asked to carry out activities that would not be carried out by external
auditors, such as VFM audits or special investigations where fraud is suspected.

Both internal auditors and external auditors should report to the audit committee, since this
offers a dedicated channel of communication between auditors and the Board.
