7/4/2017 Internalaudit|ACCAQualification|Students|ACCAGlobal

Theglobalbodyforprofessionalaccountants Aboutus Contactus Findanaccountant Technicalactivities Help&support Global

Search... myACCA

Learning Professional
Home Ourqualifications Employers Members Students
providers insights

Home > Students > Examresources > Professionallevel > P1Governance,RiskandEthics > Technicalarticles

INTERNAL AUDIT
1 4 192

RELATED LINKS

StudentAccountanthubpage

Internalauditthecontrolofcontrolscanfeatureasakeypartofthecorporategovernance
frameworkofanorganisation,andcanbeviewedasahighlevelcontrolinresponsetoriskor
byconsideringthedetailedworkrequiredofinternalaudit

Thinkingabouttheinternalaudit(IA)functionasthecontrolofcontrolsisusefulformakingsenseofthe
wayinwhichthetopicappearsinPaperP1.IAfeaturesinthePaperP1StudyGuideinthesectionon
internalcontrolandreviewspecificallyinternalcontrol,auditandcomplianceincorporategovernance
butyouwillfinditmentionedinalmostallthechaptersofaPaperP1studytext.

ThinkabouthowthetopicofcontrolariseswhenPaperP1coverstheboardofdirectors.Itisbest
practicethattheboardshouldmaintainsoundriskmanagementandinternalcontrolsystemsandshould
establishformalandtransparentarrangementsforconsideringhowtheyshouldapplythecorporate
reportingandriskmanagementandinternalcontrolprinciples(UKCorporateGovernanceCode).The
detailedprovisionsofthecodethenspecifythatthereshouldbeanauditcommitteethatreview[s]the
companysinternalcontrolandriskmanagementsystemsandshouldmonitorandreviewthe
effectivenessoftheinternalauditactivities.Itgoesontosaythatwherethereisnointernalaudit
function,theauditcommitteeshouldconsiderannuallywhetherthereisaneedforaninternalaudit
functionandmakearecommendationtotheboard,andthereasonsfortheabsenceofsuchafunction
shouldbeexplainedintherelevantsectionoftheannualreport.

DECISIONTOHAVEANINTERNALAUDIT
DEPARTMENT
Ateachstageoftheprocesstheboardfacesanumberof
decisions:settingthefirmsriskappetite,assessingrisks,and
thenchoosingwhichriskstoaccept,transfer,reduceor
avoid.Ifariskreductionresponseisadopted,theboardmust
thendesignanappropriatesetofcontrols,possiblyincluding
establishinganinternalauditfunction.Inmostjurisdictions,
especiallywherecorporategovernanceisprinciplesbased,
IAdepartmentsarenotrequiredbystatuteorregulation,but
areconsideredbestpractice.However,assoonasthetask
ofreviewingthecompanysinternalcontrolandrisk
managementsystemreachesevenareasonablylowlevelof
complexity,theauditcommitteewillfindthattheyneedto
delegatethiswork.Thisisclearlyasensitivetask,asitinvolvesinvestigatinganddiscoveringhow
effectivestrategicandoperationalcontrolshavebeen.Itrequiresaskilledteamofinternalauditors,who
canactindependentlyandwhowillreportbackobjectivelytotheauditcommittee.Asyoucanimagine,it
wouldbeunusualforacompanyofanysize(notjustalistedcompany)tobeabletodispensewiththe
servicesofanIAdepartment,whichiswhyanexplanationisrequiredwhentherearenointernalauditors.

http://www.accaglobal.com/ca/en/student/examsupportresources/professionalexamsstudyresources/p1/technicalarticles/internalaudit.html 1/3
7/4/2017 Internalaudit|ACCAQualification|Students|ACCAGlobal
OneobviousissuetoconsideriswhatotherfactorsapartfromsizewouldindicatethatanIAdepartment
mightberequired.Itisnothardtocomeupwithsomeoftherelevantfactorsbyreflectingthatacompany
needsacontrolwhenriskneedsreducing.Sofactorsgivingrisetoincreasedrisk,suchascomplexor
highlyregulatedtransactions,mightsuggesttheneedfortheIAcontroltobedeployed.Youwould,
therefore,expectbankstohaveIAdepartmentssincesomeofthetransactionstheyhandlearecomplex
(accountingforfinancialinstruments)andtheyoperateinaregulatedindustry.

Insomeregulatedindustriesitismandatorytohaveaninternalauditdepartment,butevenwherethisis
notthecasetheremaybeclosescrutinyofthecompanybytheregulatoryauthority,whichcanapply
significantsanctionssuchastheremovalofoperatinglicences.Whenacompliancefailing(including
timelyreportingtotheregulator)mightmeanthatthecompanycannotoperateatall,thecaseforan
internalauditdepartmentbecomesoverwhelming.Companiesinregulatedindustriesmayalsoneedthe
informationfrominternalaudittouseintheirreportsandsubmissionstoregulatorsand,so,reliableand
accurateIAinformationisalsoneededtoensuretheadequacyofthisreporting.

TheUKsinfluentialTurnbullreportprovidessomeothersuggestionsforthefactorsthatoughttobe
consideredwhenconsideringtheestablishmentofanIAfunction.Someofthemarethingsthatmight
indicaterisks.Forexample,onefactornumberofemployeesmightindicaterisksdirectly(alarge
volumeofpayrolltransactionstoprocess)but,moresignificantly,itindicatessizeandcomplexity,so
perhapswidespreadlocationswithcomplexreportinglinesandlesssharedculture(ofriskawareness,or
ofintegrity).Specificproblemswithinternalcontrolsandanincreaseinunacceptableeventsaretwoother
factorsthatmightalsobeindicativeofdeeperissueswithintheorganisation.Aswellasanimmediate
problemthatneedsinvestigating,bothsuggestfailingsintheboardimplementedprocessofrisk
assessmentandriskresponse,whichhaditbeendonemoreeffectivelymighthaveimpliedtheneed
foranIAdepartment.

Arisingoutofuncertainty,riskisfundamentaltochange.Anysignificantchangesfacedbythebusiness
willthereforeinevitablycreaterisk,andtheorganisationshouldconsideritsneedforinternalaudit.The
changeshighlightedintheTurnbullreportarechangesinkeyrisksandchangesintheinternal
organisationalstructure.

TABLE1:THETURNBULLCRITERIATOASSESSTHENEEDFORINTERNALAUDIT
Scale,diversityandcomplexityofthecompanysoperations
Numberofemployees
Costbenefitconsiderations
Changesinorganisationalstructure
Changesinkeyrisks
Problemswithinternalcontrolsystems
Increasednumberofunexplainedorunacceptableevents

REPORTINGTOTHEAUDITCOMMITTEE
Letsreturntotheideathattheinternalauditdepartmentiscarryingoutthedelegatedworkoftheaudit
committee.Thisisafruitfulareatoexplorebecauseitexplainssomeofthecharacteristicsofeffective
(andineffective)IA.Theauditcommitteeismadeupofindependentnonexecutivedirectors(NEDs).This
isnttheplacetoexploretheconceptofindependenceindetail,butindependenceiscentraltoan
effectiveIAdepartment.TheworkofIAbecomesmeaninglessifitiscompromisedbymanagement
influence.Achievingindependenceisdifficult,andmademoresobecauseinternalauditorsareusually
employeesofthecompany.

Theauditcommitteeisoneofthevitalpartsofthecommitteestructureofsoundcorporategovernance.
ItsroleinoverseeingIAisimportantbecauseitistheauditcommitteethatensuresthattheIAfunction
actuallysupportsthestrategicobjectivesofthecompany(anddoesntactpurelyonitsowninitiative).In
addition,though,itislikelythattheauditcommitteeatthestrategiclevelwillnotonlyprovidetheIA
functionwiththeauthorityitneedstoscrutinisetheinternalcontrols,butalsotoensurethatitsworkis
actuallysupportingandprovidingthecomplianceneedsofthecompany.Itispartofensuringthe
hierarchicalcongruenceorconsistencynecessaryinsoundgovernanceandstrategicmanagement.

MembersoftheIAfunctionmayencounterethicalthreats(suchasfamiliarity,selfreview,independence
threats,andsoon).Anaccountantworkingasaninternalauditor,forexample,maybeunwillingto
criticisetheCFOifhebelievestheCFOhasaninfluenceonhisfutureprospectswiththecompany.
SomeonecomingintoIAfromanoperationalpositioncouldalsobeexposedtoaselfreviewthreat.Even
whereexternalcontractorsareusedtocarryouttheIAfunction,theyareactingonbehalfof

http://www.accaglobal.com/ca/en/student/examsupportresources/professionalexamsstudyresources/p1/technicalarticles/internalaudit.html 2/3
7/4/2017 Internalaudit|ACCAQualification|Students|ACCAGlobal
management.Toavoidthis,andotherethicalthreats,internalauditworkisoneofthejobsexpressly
forbiddentoexternalauditorsunderthetermsoftheSarbanesOxleyActintheUS,indicatingjusthow
valuableacharacteristicindependenceisforallauditors(othercodeshavesimilarprovisions).

TherearesomeinherentlimitationsinwhatanIAdepartmentcanachieve.Althoughcorporatescandals
sometimesarisefromfailingsinoperationallevelcontrols,therearealsoexampleswheretheproblemis
afailureofstrategiclevelcontrols,eitherarisingfrommanagementoverrideofcontrols(asatEnron)or
throughpoorstrategicleveldecisions(asatsomeofthebanksthatrequiredstatesupportinthe2008
bankingcrisis).Evenincompanieswhereexcellentproceduresareputinplacetoassessoperational
levelcontrols,itishardtoimaginehowIAcanfullymonitorstrategiccontrols.Itwouldbeveryhardto
designacorporategovernancestructureinwhicheventhemostindependentIAdepartmenthada
mechanismtodomuchmorethancheckthatprocedureshavebeenfollowedatboardlevel.Theboard
ultimatelyhastoberesponsiblefortheproperworkingofstrategiclevelcontrols.Thisisalsoillustrativeof
thewayIAfitsintooverallcorporategovernance.Thecorporategovernancebigpicturehastobe
addressedifIAisgoingtobeeffective.AdomineeringCEOcannotbecounteredbytheexistenceofan
IAdepartment.Indeed,interferenceintheworkofinternalauditwouldindicatebroadercorporate
governanceproblems.

DAYTODAYINTERNALAUDIT
InPaperF8youwillhavestudiedthetypesofworkcarriedoutbyinternalauditors:
Valueformoneyaudits
Informationtechnologyaudits
Bestvalueaudits
Financialaudits
Operationalaudits

Oneofthekeydifferencesbetweeninternalandexternalauditisthatthescopeofinternalauditworkin
anunregulatedindustryisdeterminedbythecompany(specificallybytheauditcommittee)whilethe
scopeoftheexternalauditorsworkisdeterminedbythefactthattheyareundertakingastatutoryaudit,a
legalrequirement.IAwillmeansomethingdifferentineachorganisation.Inonecompany,theinternal
auditdepartmentmightonlycarryoutqualitycontrolchecks,whileinanotheritisasophisticatedteamof
specialistswithdifferentexpertisethatreflecttherisksfacedbythatorganization,includingtheregulatory
requirementsplaceduponit.

WhethertheIAdepartmentiscarryingoutareviewoftheprocessofdesigningsystems,orareviewof
theoperationofcontrolswithinthosesystems,willdependonthecurrentconcernsoftheorganisation.In
anexamitwouldbewisetotailorthesuggestionsmadeforIAtotheconcernshintedatinthescenario.
Forexample,inahighlyregulatedbusinesswherecompliancefailuresareasignificantrisk,monitoring
compliancemightbeakeytaskassignedtoIA.Ifsafeguardingassetsisakeyconcernyoucoulddiscuss
howIAmightbeinvolvedinareviewofthesafeguardingofassets.Youmayhavenotedthatthelasttwo
suggestionsbothrelatetotheTurnbullstatementsaboutasoundsystemofinternalcontrols.Anyof
thosecouldberelatedtotheworkofinternalauditforexample,IAmightneedtoreviewthe
implementationofcorporateobjectives.

PaperP1alsocoversissuesofsustainability,environmentalandsocialresponsibility.IAisaresourcethat
couldbedeployedtomonitorhoweffectiveacompanyscorporatesocialresponsibility(CSR)policiesare.
ThiscouldmeanmonitoringhowwellthepolicieshavebeenimplementedoritcouldmeanIAmonitoring
howwellCSRpoliciesandwidercorporateobjectivesarealignedwitheachother.Schemeslikethe
EuropeanUnionsEcoManagementandAuditScheme(EMAS)provideanexampleofaninstance
wherespecificmonitoringoftargets(byIA)isanexternallyimposedrequirementonacompany.ISO
14000,anotherenvironmentalstandard,alsoexplicitlyrequiresinternalauditsandreportsto
management.

Tosumup,internalauditisthecontrolofcontrols.ItcanfeatureinPaperP1asakeypartofthe
corporategovernanceframeworkofanorganisation,anditcanbeviewedthroughthelensofrisk
managementasahighlevelcontrolinresponsetoriskorbyconsideringthedetailedworkrequiredofIA.
Finally,asakeycomponentofthecontrolsystem,itisimportanttomaintaintheintegrityofinternalaudit
and,fromthisperspective,issuesofprofessionalethicsandcharacteristicssuchasindependencecome
intoplay.

AmandaWilliamsisatutorandsubjectspecialistatBPPProfessionalEducation

Lastupdated:17Aug2015

http://www.accaglobal.com/ca/en/student/examsupportresources/professionalexamsstudyresources/p1/technicalarticles/internalaudit.html 3/3