THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION

CHAPTER-1 General Introduction

Chapter-1
General Introduction
1|Page

1.1 Introduction
Internal auditors generally directly report to the top management of the company. As employees of the organization, they may have an inside track on noticing fraud or certain other occurrences. External auditors come from an outside accounting firm in order to evaluate the company's financial statements. Many external audits done fall into the category of the "big four," the mid-tier range, or affiliates of the big four. Auditing of financial statements of companies registered under the companies act 1994 is compulsory in Bangladesh. According to Sec 213(3), the auditor is to make a report to be presented in the annual general meeting of the company on accounts examined by him. Well-planned, properly structured auditing programs are essential to strong risk management and comprehensive internal control systems. Effective internal and external audit programs are also a critical defence against fraud and provide vital information to the board of directors about the effectiveness of internal control systems Auditors are the cornerstones of the foundation upon which effective corporate governance must be built, (Bishop, 2002). Ensuring that these entities perform their roles effectively is therefore pivotal for the survival of the organization. The financial catastrophes of the last decade revealed the extent to which ineffectiveness in any of these entities can adversely affect the business. These corporate upheavals have driven external regulators to find ways of promoting greater accountability, disclosure and transparency key components of corporate governance, in an effort to restore the trust and confidence of stakeholders and in particular shareholders. Establishing and ensuring coordination among the audit committee, executive managers, external auditors and internal auditors is therefore critical since sound corporate governance hinges on the successful interaction between these entities (Bishop, 2002). With a mandate to add value and improve an organization s operations, the internal audit function needs to take a proactive role in establishing and maintaining such coordination (Pickett, 2003). Herein is an opportunity for adding greater corporate value, through synergy at the very top, among those with tremendous potential to impact on the sustainability of the organization. This dissertation report will examine the role of the internal and External audit function in establishing and ensuring coordination between the audit committee of the board of directors, external auditors, executive management and the internal audit function. In general, coordination within an organization refers to the quality of collaboration across departments (Daft, 2000). It has the idea of organizational networking which allows for direct contact between individuals, and shared effort both internally and externally in order to achieve objectives, find solutions to problems and meet the needs of all stakeholders in a more timely and efficient manner (Hastings, 1993). It also involves the strategic use of two important organizational assets intellectual capital and information. The following discourse
2|Page

will consider whether coordination is necessary for the audit committee, executive management, external auditors and internal auditors.

1.2 Origin of the report: The BBA Dissertation Program of the Stamford University
Bangladesh is a required course for the students who are graduating from the school of Business of the university. It is a 12 credit-hour course with 12 weeks. Students who have completed all the required courses (at least 116 credit hours) are eligible for this course. In this Dissertation program, the author collected various primary and secondary data and conducted vast research to reach the goal of the report preparation.

1.3 Objectives of the Study: The basic focus of the study is to identify the relationship
between the workings of the internal and the external auditor appointed in an organization. To clarify the relationship, various aspects affecting the workings of the both internal and the external auditor has been identified. These identified aspects will fairly clarify the relationship as well as provide the in depth knowledge about the workings of both auditors. However, the specified objectives of the report areGeneral Objective: To maximize the analytical ability and apply the theoretical knowledge in the analysis. Specific Objectives: The specific objectives are the following: To know about the working procedures of the Internal Auditor and the External Auditor To Trace out the overlapping working areas of the internal auditor and the external auditor To know about the coordination process between the workings of the internal and the external auditors.

1.4 Scope of the Study:

Within the limited range of the pages, This report attempts to present a snapshot of the Relationship between the Workings of the Internal Auditor and the External Auditor of an Organization. The scope of this study is broad and attempts to address the issues relevant to the workings of the both the Internal and the External Auditors. Therefore it will address issues such as general introduction to the Internal and the External Auditor, the reliance of the external auditor on the internal auditor, required coordination between the workings of the internal and external auditors, need for coordination and doings to increase the coordination.

3|Page

1.5 Methodology:
This Dissertation Report generally starts with the collection of data from internet as well as books regarding the Dissertation topic. Vast research and brainstorming analysis has been done to reach to the goal of this dissertation report preparation.

1.6 Limitations:
It is not an easy job to trace the actual relationship between the workings of the internal and the external auditor within this limited time; thus time limitation was one of the most important factors that languished the present study. Due to time limitation, many aspects could not be discussed in the present study.

4|Page

THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION

CHAPTER-2

Introduction to the Internal Auditor & the External Auditor

5|Page

Chapter-2
2.1 Internal Auditor:
2.1.1. Definition:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisations operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. An internal auditor seeks to advise management on whether its major operations have sound systems of risk management and internal controls. In other words, the internal audit function is one to ensure that the internal controls are adequate enough to maintain compliance with the policies, procedures and guidelines while being ethical

2.1.2 Legal Status: Internal audit activities are performed in diverse legal and cultural
environments; within organizations that vary in purpose, size, complexity, and structure. While differences may affect the practice of internal auditing in each environment, compliance with the International Standards for the Professional Practice of Internal Auditing (Standards) is essential if the responsibilities of internal auditors are to be met. If internal
6|Page

auditors are prohibited by laws or regulations from complying with certain parts of the Standards, they should comply with all other parts of the Standards and make appropriate disclosures.

2.1.3 Eligibility: A certified internal auditor (CIA) is an individual who has met the
requirements for certification as established by the Institute of Internal Auditors (IIA). Requirements relate to education, experience, and successful completion of an examination. Achieving the credential as a certified internal auditor is tangible evidence of meeting professional qualifications established by the IIA. Experience Requirement: In order to become a CIA, there is an experience requirement of twenty-four months of internal auditing or its equivalent. Representative equivalent experience can include quality assurance, internal control assessment, or external auditing. A master's degree can be substituted for one year of experience. The Board of Regents determines the acceptability of equivalent work experience. PERSONAL STANDARDS AND ETHICS: The following personal standards apply to all auditors assigned to Internal Auditing. An internal auditor shall: Have adequate technical training and proficiency, Maintain a sufficiently independent state of mind to clearly demonstrate objectivity in matters affecting audit conclusions, Respect the confidentiality of information acquired while performing the audit function, Only engage in activities that do not conflict with the interests of the City, Adhere to conduct that enhances the professional stature of internal auditing, and Exercise due professional care in the performance of all duties and in the fulfilment of all responsibilities. The following ethical standards which were derived from the Code of Ethics of the Institute of Internal Auditors shall be adhered to by Internal Auditing: 1. Internal auditors shall have an obligation to exercise honesty, objectivity, and diligence in the performance of their duties and responsibilities. 2. Internal auditors, in holding the trust of their employers, shall exhibit loyalty in all matters pertaining to the affairs of the organization. 3. However, an internal auditor shall not knowingly be a party to any illegal or improper activity. 4. Internal auditors shall respect and contribute to legitimate and ethical objectives of the organization.

7|Page

5. Internal auditors shall refrain from entering into any activity which may be in conflict with the interest of the organization or which would prejudice their ability to carry out objectively their duties and responsibilities. 6. Internal auditors shall not accept a fee or a gift from an employee, a customer, or a business associate of the organization without the knowledge and consent of their senior management. 7. Internal auditors shall be prudent in the use of information acquired in the course of their duties. 8. They shall not use confidential information for any personal gain nor in a manner, which would be detrimental to the welfare of the organization. 9. Internal auditors, in expressing an opinion, shall use all reasonable care to obtain sufficient factual evidence to warrant such expression. In their reporting, an internal auditor shall reveal such material facts known to them which, if not revealed, could either distort the report of the results of operations under review or conceal unlawful practice. 10. Internal auditors shall continually strive for improvement in the proficiency and effectiveness of their service. 11. Internal auditors shall be provided a copy of the Institute of Internal Auditors Code of Ethics upon employment.

2.1.4 Appointment:
HRM department.

An internal auditor of organization is appointed by the organizations

2.1.5 Organizational Status: The internal auditor is a vital part of an organization and
functions in accordance with the policies established by the President, system administration and the Board of Directors. The internal auditor reports to the President. The organizational status and the support accorded to the internal auditor by the President and senior management are major determinants of the scope and value of the internal audit function to the organization. Organizational status relates to the internal audit departments purpose, authority and responsibility within the organization to address board of director oversight and corporate governance, and to ensure the internal auditors independence and objectivity. The organizational status of internal audit must be sufficient to permit accomplishment of the objectives. Proper organizational status enhances the independence and objectivity of internal audit. Without the support of the board of directors and senior management, the internal auditors may not receive the cooperation necessary to perform their tasks.

2.1.6 Reporting Relationship:

IIA Standards on Reporting Relationship: The Internal Audit Standards Board and the Professional Issue Committee have anticipated potential conflicts associated with the audit reporting relationships. The
8|Page

scope of work is addressed in Standards for the Professional Practice of Internal Auditing (Standards) 1000: 1000 Purpose, Authority, and Responsibility: The purpose, authority, and responsibility of the internal activity should be formally defined in a charter, consistent with the standards and approved by the board. 1110 Organizational Independence: The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfil its responsibilities. 1110.A.1 The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.

The Standards are clarified by Practice Advisories. The Practice Advisory on Organizational Independence is more explicit: 1. ....The Institute believes strongly that to achieve necessary independence, the CAE should report functionally to the audit committee and its equivalent. For Administrative purposes, in most circumstances, the CAE should report directly to the Chief Executive Officer of the Organization. 2. ...Appropriate reporting lines are critical to achieve the independence, objectivity, and organizational stature for an internal audit function necessary to effectively fulfil its obligations. CAE reporting line also critical to ensuring the appropriate flow of information and access to key executives and managers that are the foundations of risk assessment and reporting of results of auditing activities. Conversely, any reporting relationship that impedes the independence and effective operations of the internal audit function should be viewed by the CAE as a serious scope limitation, which should be brought to the attention of the audit committee and its equivalent. The standards clearly indicate that the board must have a prominent role in setting the scope of the internal audit activities. The Standards suggest a reporting relationship that includes the CEO and the Board, but do not explicitly prohibit other reporting relationship such as CFO. However, any other relationship must meet the overall criterion of the ensuring board audit coverage, free from any interference in meeting the mandate stated in the internal audit charter including the scope of work, the choice of audit procedures, and the free and unfettered communication to any level within the organization needed to ensure adequate attention to the findings and appropriate follow-up action.

2.1.7 Reporting Lines: The reporting line for an internal auditor is as follow:
9|Page

Board of directors Chief executive officer Chief operating officer Chief financial officer

2.1.8 The Responsibilities:

Internal Audit activities will be carried out in a professional manner, and according to accepted standards of practice within the internal audit industry. In order to ensure this level of performance, all personnel assigned to the department must share responsibility for the completion of all assigned tasks in a professional manner. Internal Auditor: The Internal Auditor is generally responsible for the following: Disclosing or declaring any impairment to independence or objectivity that may exist. Performing assigned tasks in an independent and self-directed fashion. Completing assigned tasks in a timely, thorough, accurate and well-documented manner. Submitting all completed work papers to the Director of Internal Audit for final review and approval. Completing other tasks as assigned. Conducting oneself in a professional manner at all times; avoiding those situations that would lead to criticism by the area being audited, or by the general public. Assuming a friendly and cooperative demeanor with the audited areas staff. Disagreements should be reported to the Director of Internal Audit. Conducting work so as to minimize disruption of the audited areas workflow or ability to service their customers. Acquainting oneself with the premises, responsible employees, and the location of records early in the audit. Requesting any files that may be needed. Management of the audited area should be made aware that the Internal Auditor has those files. Safeguarding all files / records that have been entrusted to the Auditors possession. Returning all files / records to the person or area they were obtained from. Maintaining all records in the same or better condition than that in which they were found.
10 | P a g e

Retaining all records on premises - never removing vital documents from the premises. Returning all documents taken to the Internal Auditors work area to the records custodian by the end of the day if such return is requested.

Additional Responsibilities: The Internal Auditor also bears the following, higher-level responsibilities: Developing a familiarity with the organization and functions of the unit to be audited. Pre-planning the audit in accordance with the scope and complexity of the area under review. Ensuring that an assessment of risks is incorporated into, or forms the basis of all audit work planned and performed. Accepting responsibility and accountability for the audit work performed on assigned projects. Managing the audit in relation to time and resource budgets. Ensuring that audit findings and recommendations made during the course of the audit are promptly communicated to management. Ensuring that all Worksheets issued are properly constructed, supported, and communicated. As work papers are completed, ensuring that all objectives have been accomplished and all conclusions are properly supported. Ensuring that the audit or review is conducted with the least amount of disruption to the audited area as is possible. Conducting an Exit Review or briefing at the culmination of field work. Drafting and seeking approval for a formal Audit Report. Finalizing the audit file(s), and ensuring that all supporting documentation is properly retained. Performing follow-up work as necessary subsequent to the audit.

2.1.9 The scope and Nature of the work:

STANDARD 300 - SCOPE OF WORK 11 | P a g e

The scope of internal auditing should encompass the examination and evaluation of the adequacy and effectiveness of the organizations system of internal control and the quality of performance in carrying out assigned responsibilities. Review and evaluate the internal audit departments plans and confirm that the plans are defined, measurable, approved by management and the board, and related to specific operating plans and budgets. Assess progress toward achieving the audit plan. Determine if each of the five objectives included in the Standards were included as part of the audit work performed. Based on the objectives and the procedures performed, classify the scope of the audit: -- Reliability and integrity of information (Standard 310) -- Compliance with policies, plans, procedures, laws or regulations (Standard 320) -- Safeguarding assets (Standard 330) -- Economic and efficient use of resources (Standard 340) -- Accomplishment of established goals and objectives for programs or operations (Standard 350)

Standard 310 - Reliability and Integrity of Information

-- If the scope of the audit included a review of the reliability and integrity of information, determine if the audit program included appropriate procedures to detect that: . . . Records were adequate and current. . . . Transactions had been properly reviewed and approved. . . . Information systems produced data that were accurate, timely and relevant. . . . Adequate controls existed to detect or prevent errors and irregularities. -- Determine if the auditors tested the key controls identified or said why the controls were not tested. -- If the scope did not include reliability and integrity of information control objectives, determine if this omission was appropriate.

Standard 320 - Compliance with Policies, Procedures, Laws, and Regulations

-- If the scope of the audit included a review of systems established to ensure compliance with policies, procedures, laws, regulations, and other items that could have a significant impact on operations, determine whether the auditors obtained sufficient background information and legal or other expert advice to identify and interpret these items. -- Determine if the auditors tested key controls designed to ensure compliance or indicated why controls were not tested. -- If the scope did not include compliance control objectives, determine if this omission was appropriate.

Standard 330 - Safeguard Assets

-- If the scope of the audit included a review of the means to safeguard assets, determine the audit program contained adequate procedures to determine the: . . . Adequacy of the separation of duties. . . . Rotation of sensitive duties among employees. . . . Adequacy of reconciliation procedures. . . . Adequacy of managements periodic surprise reviews. . . . Review and approval of transactions by authorized individuals. . . . Adequacy of the physical protection of assets and records. 12 | P a g e

-- Determine if the auditors tested key controls designed to ensure compliance with the safeguard of assets or stated why the controls were not tested. -- If the scope did not include safeguarding assets control objectives, determine whether this omission was appropriate.

Standard 340 - Economy and Efficiency

-- If the scope of the audit included an appraisal of the economy and efficiency with which resources were employed, determine if the auditors: Identified operating standards. Determined if auditees understood these standards. Determined if the standards were appropriate in keeping with the entitys goals and objectives. Determined whether standards were met. Identified and analyzed deviations from the standards. Discussed deviations with proper individuals. Identified inefficient or non-economic uses of resources. Determine if the auditors tested key controls designed to ensure the appraisal of the economic controls were not tested. If the scope did not include economy and efficiency control objectives, determine if this omission was appropriate.

Standard 350 - Goals and Objectives

-- If the scope of the audit included a review to detect whether programs were meeting established objectives and goals, determine if the auditors: Identified relevant objectives and goals and the systems for measuring how well these were met. Established criteria for evaluating the programs effectiveness. Determined whether objectives and goals were met. Assessed techniques and data that the auditee used to measure effectiveness and the action taken in response to these measurements. Reviewed for evidence that the auditee was looking for cost-effective ways to accomplish objectives and goals. Estimated the costs and benefits of not meeting goals. -- Determine if the auditors tested the key controls designed to ensure programs were meeting established objectives and goals. -- If the scope did not include accomplishment of goals and objectives controls objectives, determine if the omission was appropriate.

Based on a risk assessment of the organization, internal auditors, management and oversight Boards determine where to focus internal auditing efforts. Internal auditing activity is generally conducted as one or more discrete projects. A typical internal audit project involves the following steps: 1. Establish and communicate the scope and objectives for the audit to appropriate management.
13 | P a g e

2. Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary. 3. Describe the key risks facing the business activities within the scope of the audit. 4. Identify control procedures used to ensure each key risk and transaction type is properly controlled and monitored. 5. Develop and execute a risk-based sampling and testing approach to determine whether the most important controls are operating as intended. 6. Report problems identified and negotiate action plans with management to address the problems. 7. Follow-up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose. Project length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated. By analyzing and recommending business improvements in critical areas, auditors help the organization meet its objectives. In addition to assessing business processes, specialists called Information Technology (IT) Auditors review information technology controls.

2.1.10 Legal Liability:

Basically, the potential for liability could be created if (1) The internal auditor undertakes to perform a task as an internal auditor for some person or entity, (2) The internal auditor performs his or her task below the standards of care of other internal auditors in the profession, (3) The other person or entity relies on the internal auditor to perform his or her task up to the standards of the profession, and (4) As a result of performing below the standards the other person or entity suffers damages (such as when the internal auditor fails to discover a problem that would have been discovered if he or she performed in accordance with internal auditor standards).

If the internal auditor is solely an employee of the company for which he or she is performing internal auditing services (the typical situation), and

14 | P a g e

If the internal auditor performs below the standard of care in the profession, the internal auditor typically gets fired, but not sued for negligence by the company. If the internal auditor is an outside entity that the company hires to perform the internal audit function of the company, it may be possible for the company to sue the internal auditor for negligent performance of services. If the internal auditor is an outside entity hired by the company to perform internal auditor services, assuming that the internal auditor is not expressing or producing an opinion, work product, or a report that can reasonably be expected to be relied on by outside entities (such as creditors or shareholders), liability, if any, would probably be limited to just the company, and not to outside people or entities. The situation could be a little more difficult if the internal auditor produces an opinion, work product, or a report that is relied on by someone outside of the company. For example, if the opinion, work product or report is relied on by the company's outside auditor, or if it is given to and relied on by creditors of the company.

(1) If the internal auditor is an employee of the company, then most likely the company, not the internal auditor, gets sued. In theory it may be possible to also sue the employee internal auditor but that would seem to be a stretch of the law. (2) If the internal auditor is an outside entity hired by the company and the internal auditor's opinion, work product or report is given to the outside auditor, or to a creditor of the company, or to shareholders, and if the opinion, work product or report is reasonably relied on by the outside auditor, or a creditor, or shareholders, it may be possible for the outside auditor, the creditor, or the shareholders to sue the internal auditor. In this situation (situation (2)) you get into a lot of discussion about whether the internal auditor knew or should have known that his or her opinion, work product or report would be provided to and relied on by the outside auditor, creditor, or shareholders.

2.1.11 Planning and Performance of auditing:

Audit Planning Planning is also required for managing audit activities and evaluating the performance of the audit group. The 1982 Standards for Internal Audit require that departments have a long-term plan (covering three to five years), an annual plan approved by the deputy head, and proper assignment plans. In this study we examined how departments carried out the processes of planning. Planning Process The audit plan is developed by identifying the audit universe, performing a risk analysis, and obtaining input from management relative to risks, controls, and governance processes. The internal control framework established by management is an integral part of audit review.

15 | P a g e

Risk or control concerns identified by audit staff or external auditors are also evaluated as the plan is developed. Flexibility of the plan is necessary in order to respond to the changing needs of the organization.
Long-range and Annual Planning Internal Audit require audit groups to sub-divide their total audit responsibility or audit universe into specific auditable units and to assess the importance of these units in terms of such factors as materiality, risk of loss, importance to management and previous audit coverage. It points out that this is a particularly important step, as it forces audit managers to focus their attention on areas where use of available resources would best achieve the departmental audit objectives. Assignment Planning After selecting an area for audit, and before beginning the audit, internal audit groups prepare specific audit assignment plans. The assignment plan is intended to identify the issues to be emphasized, the audit techniques to be used, and details of the time and costs of the project. During the course of the audit, adjustments are made as additional information is obtained.

While audit groups do develop assignment plans, they should generally have more interaction with senior management and carry out more rigorous and systematic analysis of potential audit areas to identify the major issues, weaknesses in controls, or opportunities for improvement. This is normally done in a preliminary survey phase prior to committing audit resources for the entire audit. The result of not conducting such in-depth analysis is that minor areas may be over-audited while key areas are under-audited, reducing the overall effectiveness of the audit.

Performance of the Audit work

An evaluation of the effectiveness and efficiency of internal audit work includes the following attributes: a. Planning Considerations The internal auditor is responsible for the planning and conducting the internal audit, subject to supervisory review and approval. The preplanning process includes an evaluation of various attributes that include, but not limited, to the following: i. In planning the engagement, internal auditors should consider the objectives of the activity being reviewed and the means by which the activity controls it performance. ii. The internal auditors identification and assessment of the significant risks and controls relevant to the activity under review and the means by which the potential impact of the risks is kept to an acceptable level. iii. The adequacy and effectiveness of the activitys risk management and control systems compared to a relevant control framework or model, and opportunities for making significant improvements to the activitys risk management and control systems. Internal auditors should establish an understanding with engagement clients that address objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented. b. Engagement Objectives
16 | P a g e

Objectives should be established for each engagement. Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of the risk assessment. The internal auditor should consider the probability of significant errors, irregularities, noncompliance and other exposures when developing the engagement objectives. The engagement objectives should address risks, controls and governance processes to the extent agreed upon by the client. c. Engagement Scope The established scope should be sufficient to satisfy the objectives of the engagement. The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties. If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards. In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement. d. Engagement Resource Allocation A determination of staffing resources necessary to achieve the engagement objectives should be performed. Staffing should be based on the complexity of the engagement, time constraints, and available resources. e. Engagement Work Programs Internal auditors should develop work programs that achieve the engagement objectives. The audit programs should be recorded and establish the procedures for identifying, sampling, analyzing, evaluating, and recording information during the engagement. The audit program should be approved prior to its implementation, and any adjustments approved in a timely manner. Work programs for engagements may vary in form and content depending upon the nature of the engagement. f. Performing the Engagement Internal auditors should identify and record information or produce evidence that achieves the engagements objectives and supports the auditors analyses, conclusions, and results. Specific information or evidence includes the following: i. Sufficient information-is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor; ii. Competent information-is reliable and attainable through the use of appropriate audit techniques; iii. Relevant information-supports audit findings and recommendations and is consistent with the objectives for the engagement; and iv. Useful information-helps the organization meet its goals. The audit director should control access to the workpapers. Approval should be obtained from senior management and/or legal counsel prior to the releasing such records to external

17 | P a g e

parties, as appropriate. Record retention procedures should be established that are consistent with the organizations and industry guidelines and regulatory requirements. g. Engagement Supervision The engagement should be supervised to ensure the objectives are achieved, quality is assured, and the experience and competency of the internal audit staff is developed. Evidence of supervisory review should be documented in the work papers. h. On-going monitoring and key business activities The audit director should implement a process to monitor critical business activities and key performance indicators continuously such as exception reports and interim reviews, coordinating with other risk management functions, developing the audit plan based on risk priorities and being involved in technology projects.

2.1.12 Audit Report:

Audit reports are a culmination of the work that was performed. Although audit reports do not have a prescribed format, there are several types of reports that could be utilized, which include: i. Formal-with carefully structured formats; ii. Informal-in letters or memoranda to operating management; and, iii. Interim-with brief statements of conditions requiring immediate action. The audit report should be accurate, objective, clear, concise, constructive, complete, and timely. If appropriate, satisfactory performance should be acknowledged. The report should include the engagements objectives and scope as well as applicable conclusions, recommendations, action plans, and where appropriate, contain the internal auditors overall opinion. The audit director or designee is responsible to review and approve the final audit report before issuance and should decide to whom the report will be distributed. Communication of the progress and results of engagements will vary in form and content depending upon the nature of the engagement and the needs of the client. In addition, risk management, control and governance issues may be identified. Whenever, these issues are significant to the organization, they should be communicated to senior management and the board. If a final communication contains a significant error or omission, the internal audit director should communicate corrected information to all parties who received the original information. When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the: i. Standard(s) with which full compliance was not achieved; ii. Reason(s) for noncompliance; and, iii. Impact of noncompliance on the engagement. Nature of the Audit Report: Reports will be objective, clear, concise, constructive, and timely. Objective reports are factual, unbiased, and free from distortion. Findings, conclusions, and recommendations should be included without prejudice. Clear reports are easily understood. Clarity can be improved by avoiding unnecessary technical language and providing sufficient supportive information. Concise reports are those which, as a result of their content and tone, help the
18 | P a g e

auditee and the organization and lead to improvements where needed. Timely reports are those which are issued without undue delay and enable prompt effective action. Contents of the Audit Report: The audit director should report periodically to the audit committee and senior management on the internal audits purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management. The following are examples of attributes to be included and subjects to be addressed in the report:
i.

ii.
iii.

iv.
v.

The status of the current audit plan and other audit matters such as audit department performance, personnel, training, and financial budgets; Prior audit reports and managements responses; Summaries of significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management such as new regulatory and/or accounting requirements, employee related issues, and contingent litigation; Tracking of previous reported findings and managements response; and External auditors reports, third-party examination reports and presentations, and SAS 70 reviews on key/critical outside service providers.

Reports should contain the purpose, scope, and results of the audit. Audit reports include background information and summaries. Background information may identify the organizational units and functions reviewed and provide relevant explanatory information. They may also include the status of findings, conclusions, and recommendations from prior reports. There may also be an indication of whether the report covers a scheduled audit or is in response to a request. Summaries, if included, should be balanced representations of the audit report content. Purpose statements should describe the audit objectives and may, where necessary, inform the reader why the audit was conducted and what was expected to be achieved. Scope statements should identify the audited activities and include, where appropriate, supportive information such as the time period audited. Related activities not audited should be identified if necessary to delineate the boundaries of the audit. The nature and extent of auditing steps performed should also be described. Results may include findings, conclusions (opinions), and recommendations. Findings are pertinent statements of fact. Those findings which are necessary to support or prevent misunderstanding of the Internal Auditor's conclusions and recommendations should be included in the final audit report. Less significant information or findings may be communicated orally through informal correspondence. Audit findings emerge by a process of comparing "what should be" with "what is." Whether or not there is a difference, the Internal Auditor has a foundation on which to build the report.
19 | P a g e

When conditions meet the criteria, acknowledgment in the audit report of satisfactory performance is appropriate. Findings should be based on the following attributes:

Criteria: The standards, measures, or expectations used in making an evaluation and/or verification (what should exist). Condition: The factual evidence which the Internal Auditor found in the course of the examination (what does exist).

If there is a difference between the expected and actual conditions, then:

Cause: The reason for the difference between the expected and actual conditions (why the difference exists). Effect: The risk or exposure the auditee organization and/or others encounter because the condition is not the same as the criteria (the impact of the difference).

The reported findings may also include recommendations, auditee accomplishments, and supportive information if not included elsewhere. Conclusions (opinions) are the Internal Auditor's evaluations of the effects of the findings on the activities reviewed. They usually put the findings in perspective based upon their overall implications. Audit conclusions, if included in the audit report, should be clearly identified as such. Conclusions may encompass the entire scope of an audit or specific aspects. They may cover, but are not limited to determining, whether operating or program goals and objectives conform to those of the organization, whether the organization's goals and objectives are being met, and whether the activity under review is functioning as intended. Reports may include recommendations for potential improvements and acknowledge satisfactory performance and corrective action. Recommendations are based on the Internal Auditor's findings and conclusions. They call for action to correct existing conditions or improve operations. Recommendations may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results. Recommendations may be general or specific. For example, under some circumstances, it may be desirable to recommend a general course of action and specific suggestions for implementation. In other circumstances, it may be appropriate only to suggest further investigation or study. Auditee accomplishments, in terms of improvements since the last audit or the establishment of a well-controlled operation, should be included in the audit report. This information may be necessary to fairly represent the existing conditions and to provide a proper perspective and appropriate balance to the audit report. The auditee's views about audit conclusions or recommendations will be included in the audit report. As part of the Internal Auditor's discussions with the auditee, the Internal Auditor should try to obtain agreement on the results of the audit and on a plan of action to improve operations, as needed. If the Internal Auditor and auditee disagree about the audit results, the audit report will state both positions and the reasons for the disagreement. Any disagreement
20 | P a g e

of a material nature should be clearly followed up with senior auditee management and possibly the Vice Chancellor's level. The auditee's written response will be incorporated into the audit report. The auditee's response must specify a time frame for implementing the audit recommendations. The Internal Auditor will review and approve the final audit report before issuance. A draft of the audit report will be distributed to the manager responsible for the area audited a week before the exit conference. The final report (including the manager's comments) will be sent within 30 days of the exit conference to the Vice Chancellor for Administrative Affairs. Internal Audit will maintain files containing issued audit reports. The final audit report must address significant findings and recommendations. Insignificant findings may be reported to lower level auditee management verbally or in a separate report. Certain information may not be appropriate for disclosure to all report recipients because it is privileged, proprietary, or related to improper or illegal acts. Such information, however, may be disclosed in a separate document such as a management letter. If the conditions being reported involve senior management, report distribution will be to the Chancellor and to the UW System Administration Internal Audit Department only.

Follow-Up The Internal Audit reports will be followed up to ascertain whether appropriate action has been taken on reported audit findings. Internal Audit will determine whether senior management has assumed the risk of not taking corrective action on reported findings. The Chancellor will be informed of senior management's decision on all significant audit findings. Follow-up is defined as a process by which the Internal Auditor determines the adequacy, effectiveness, and timeliness of actions taken by management on reported audit findings. Such follow-ups also include relevant findings made by external auditors and others. Responsibility for follow-up is defined in Internal Audit's charter. Management is responsible for deciding the appropriate action to be taken in response to reported audit findings. The Internal Auditor is responsible for assessing such management action for timely resolution of the matters reported as audit findings. In deciding the extent of follow-up, internal auditors should consider procedures of a follow-up nature performed by others in the organization. Senior management may decide to assume the risk of not correcting the reported condition because of cost or other considerations. The Chancellor will be informed of senior management's decision on all significant audit findings. The nature, timing and extent of follow-up should be determined by the Internal Auditor. Factors which should be considered in determining appropriate follow-up procedures are:
21 | P a g e

1. 2. 3. 4. 5.

The significance of the reported finding; The degree of effort and cost needed to correct the reported condition; The risks which may occur should the corrective action fail; The complexity of the corrective action; and The time period involved.

Certain reported findings may be so significant as to require immediate action by management. These conditions should be monitored by internal auditors until corrected because of the effect they may have on the organization. There may also be instances where the Internal Auditor judges that management's oral and written response shows that action already taken is sufficient when weighed against the relative importance of the audit finding. On such occasions, follow-up may be performed as part of the next audit. The Internal Auditor should ascertain whether actions taken on audit findings remedy the underlying conditions. The Internal Auditor is responsible for scheduling follow-up activities as part of developing audit work schedules. Scheduling of follow-up should be based on the risk and exposure involved, as well as on the degree of difficulty and the significance of timing in implementing corrective action. Specific follow-up procedures may include the following: 1. 2. 3. 4. 5. Management will respond to the audit findings within 30 days; The response will then be evaluated by the Internal Auditor; Verification of the response (if appropriate) will be done immediately; A follow-up audit will be performed within one year; and Unsatisfactory responses/actions, including the assumption of risk, will be reported to the appropriate levels of management upon completion of the follow-up audit.

Techniques used to effectively accomplish follow-up include:

Addressing audit report findings in the appropriate levels of management responsible for taking corrective action. Receiving and evaluating management responses to audit findings during the audit or within a reasonable time period after the report is issued. Responses are more useful if they include sufficient information for Internal Audit to evaluate the adequacy and timeliness of corrective action. Receiving periodic updates from management in order to evaluate the status of management's efforts to correct previously reported conditions. Receiving and evaluating reports from other organizational units assigned responsibility for procedures of a follow-up nature. Reporting to senior management or the Vice Chancellor for Administrative Affairs on the status of responses to audit findings.
22 | P a g e

2.1.13 Common purposes and uses of audit report:

Organizations which do not have an internal audit function are therefore missing out on the valuable benefits that professional internal auditors provide. In addition, they are also running the risk of relying on management who may not be in the best position to provide skilled, independent, and objective opinions on internal controls. Some organizations assign internal auditing on a part-time basis to an existing staff member who has other responsibilities. When this occurs, the person does not have the professional internal audit training or experience necessary for optimal effectiveness. Such organizations run the risk of poorly performed audits and reviews, and this individual, who may be relatively junior in the organization, may lack the organizational status and stature to achieve positive results. In this environment, highrisk processes may not be identified for reviews and serious internal control deficiencies may be overlooked. A primary lesson from the financial failure and collapse of numerous organizations is that good governance, risk management, and internal controls are essential to corporate success and longevity. Because of its unique and objective perspective, indepth organizational knowledge, and application of sound audit and consulting principles, a well functioning, fully resourced and independent internal audit activity is well positioned to provide valuable support and assurance to an organization and its oversight entities.

2.2 External Auditor

2.2.1 Definition:
An external auditor seeks to test the underlying transactions that form the basis of the financial statements. In other words, an external auditor reviews the control procedures and many other operations as their overall evaluation of internal controls. It is expected that the auditor would identify significant weaknesses that exist and make sure that anything material in nature be reported to management and possibly to higher authority, depending on the company. They provide an opinion on the adequacy of the companys financial statements. They review the general controls as well as the overall financial statement preparation and reporting. External auditors primary purpose is to give a company feedback on the effectiveness of the internal control system by giving an opinion with four main paragraphs. First, the introductory paragraph is written to indicate that an audit has been conducted and then identifies the financial statements that the auditors examined during the audit. The second paragraph is the scope paragraph which describes the character of the work in the audit and stating that they abided by Generally Accepted Auditing Standards (GAAS). This paragraph explains that the auditors were trained and proficient, independent, exercised due professional care, planned and supervised the work, obtained a sufficient understanding of the business
23 | P a g e

and its internal control system and gathered sufficient evidence. These are the general standards and standards of field work which make up GAAS.

2.2.2 Legal Status: Appointment & Remuneration

Section 210 Companies Act 1994

Every company shall, at each AGM appoint an auditor or auditors to hold office from the conclusion of that meeting till next AGM.

Provided that no person can be appointed as an Auditor of any company unless his written consent prior to appointment or re appointment have been obtained. The Companies Act Every Auditor appointed so , shall within 30 days of the receipt from the company shall notify the Registrar of Joint Stock Companies & Firms ( RJSCF) , in writing that he has accepted, or refused to accept the appointment. The Companies Act 1994 states. At any AGM , a retiring Auditor by whatsoever authority appointed , shall be re appointed unless: He is not qualified for re appointment. He has given notice in writing of his unwillingness to be re appointed. A resolution has been passed at the meeting appointing somebody else. Exception for such Resolution A resolution can be passed to change Auditor ONLY under the following circumstances: 1. Death of the Auditor. 2. Incapacity of the Auditor. 3. Dishonesty of the Auditor. 4. Disqualification of the Auditor. Qualification & Disqualification of Auditors

24 | P a g e

Qualification of Auditor : Section 212: No person shall be appointed as an Auditor unless he is a Chartered Accountant within the meaning of Bangladesh Chartered Accountants Order , 1973 .

Disqualification of Auditors None of the following person to be appointed as auditors: 1. An officer or employee of the company. 2. A person who is a partner/director/agent. 3. A person who is indebted to the company for an amount exceeding one thousand taka. 4. Any person who provided guarantee/ security to any third person to the company exceeding taka one thousand. 5. Any shareholder holding more than 5% of shares in FV. Powers & Duties of Auditors Section 213 : Every auditor of a company shall have a right of access at all times to the books and accounts and vouchers of the company whether kept at head office of the company or branch and shall be entitled to require from the officers of the company such information and explanations as the auditor may think necessary for the performance of his duty as an auditor.

2.2.3 Eligibility:
To be eligible as an External Auditor one needs to accomplish the CA (Chartered Accountant) course having honours degree completed major in accounting or commerce and having the CA firm with the partnership of the person having the same educational qualification. Moreover, they should be eligible according to the rules and requirements mentioned in BAS.

2.2.4 Appointment:
The Board is responsible for appointing the external auditor, subject to confirmation by shareholders at the Company's Annual General Meeting. The Audit and Risk Management Committee is responsible for implementing a selection process for appointment of the auditor and making a recommendation to the Board based on their assessment of the responses received from potential external auditors. In making any recommendation, the Audit and Risk Management Committee confers with senior
25 | P a g e

executives on the responses received. The assessment of responses from potential external auditors takes into account a number of key criteria, including audit approach and methodology, internal governance processes, global resources, key personnel and cost. Once the review process has taken place the Audit and Risk Management Committee provides the Board with information concerning the process adopted in undertaking the review, the recommended external auditor and the reasons for final recommendation.

2.2.5 Organizational Status:

The External Auditor is not employed by the organization to be audited but by the shareholders of the company; thus, the external auditor is not an employee of the company being audited having the organizational status of as an outsider who cannot influence the decision taken by the management rather the external auditor just draw an opinion regarding the truth and fairness of the books of records in favour of the shareholders.

2.2.6 Reporting Relationship:

The organization to be audited run its operation with the finance provided by the shareholders and the Board of directors represent the management; it is not necessarily mean that the shareholders cannot be the board of director. The external auditor is appointed by the Shareholders in AGM meeting and he or she works in the interest of the shareholders i.e. ensures whether the management of the organization are providing the true and fair financial report to the shareholders; the external auditor ensures this by drawing an opinion regarding the truth and fairness about the reporting by the management. Thus it is clear that there is a build up reporting-relationship between the external auditor and the shareholders of the organization.ssssss

2.2.7 Reporting Lines:

The reporting line for an external auditor is as follow: Board of Directors Audit Committee Management Internal auditor Regulators
26 | P a g e

2.2.8 The External Auditors Responsibilities:

The external auditors responsibilities under professional standards are to:

be independent of the bank in fact and appearance; exercise professional skepticism; have adequate technical training and proficiency as an auditor; exercise due care in auditing and preparing the report; plan, conduct, and report the audit results in accordance with GAAS; properly supervise the audit and the work of assistants; have a general understanding of internal controls to appropriately determine the nature, timing, and extent of any tests to perform; obtain sufficient evidence through inspection, observation, inquiries and confirmation to form an opinion on the financial statements; speak out on the fairness of the presentation of the financial statements, taken as a whole; consider potential for fraud when planning and executing the audit of the financial statement and the audit of internal controls; obtain an understanding of the banks system of internal controls, in terms of its design, existence, effectiveness and managements monitoring of those controls; examine managements documentation and evidence supporting the system of internal controls that underlie managements assertion regarding the design, existence and effectiveness of the internal controls; and speak out on managements assertion regarding the internal controls system that governs financial reporting and disclosure.

2.2.9 Common purposes and uses of audit report:

The external audit report is prepared for the organizations shareholders to ensure the fairness and truthfulness of the financial reports issued by the company management for the shareholders and for the purpose of checking whether the control activities are in a right track and the control environment is free of biasness.

2.2.10 The scope and Nature of the work:

27 | P a g e

The independent auditor generally proceeds with an audit according to a set process with three steps: planning, gathering evidence, and issuing a report. In planning the audit, the auditor develops an audit program that identifies and schedules audit procedures that are to be performed to obtain the evidence. Audit evidence is proof obtained to support the audit's conclusions. Audit procedures include those activities undertaken by the auditor to obtain the evidence. Evidencegathering procedures include observation, confirmation, calculations, analysis, inquiry, inspection, and comparison. An audit trail is a chronological record of economic events or transactions that have been experienced by an organization. The audit trail enables an auditor to evaluate the strengths and weaknesses of internal controls, system designs, and company policies and procedures.

2.2.11 Legal Liability:

A. Legal Environment: Professionals have always had a duty to provide a

reasonable level of care while performing work for those they serve. Despite efforts to address legal liability of CPAs, both the number of lawsuits and size of awards to plaintiffs remain high, including suits involving third parties under both common law and federal securities acts. There is no simple reason for this trend, but the major factors are the following: There is growing awareness of the responsibilities of public accountants by users of financial statements. There is an increased consciousness on the part of the Securities and Exchange Commission (SEC) regarding its responsibility for protecting investors interests.
Auditing and accounting are more complex because of factors such as the increasing size of business, the globalization of business, and the intricacies of business operations. Society accepts law suits by injured parties against anyone who might be able to provide compensation, regardless of who was at fault, coupled with the joint and several liabilities. Large civil court judgements against CPA have been awarded in a few cases, which have encouraged attorneys to provide legal services on a contingentfee basis. This arrangement offers the injured party a potential gain when the suit is successful, but minimal loss when it is unsuccessful. Many CPA firms are willing to settle their legal problems out of court in attempt to avoid costly legal fees and adverse publicly rather than resolving them through the judicial process.

28 | P a g e

Courts have difficulty in understanding and interpreting technical accounting and auditing matters.

B. Legal Position of an Auditor: The present company law imposes a wide responsibility upon the practising auditor not only to his client but also to third parties whom he never or who had never employed him. Charges are often, levelled against them for the following: i. ii. iii. For not detecting the misappropriation of money by the employees of the client because of incorrect accounting procedures. Errors in preparing the final accounts Dishonesty and carelessness on the part of the auditor.

The liabilities of an auditor from the legal point of view may be under two head, viz. a. When he is appointed by a private concern; and b. When he is appointed by a Joint Stock Company under the Companies act 1984.

2.2.12 Planning and control of auditing:

The external auditor has to conduct the audit in a planned manner. It is with a mission, a planned performance, meaningful and well covered reporting with a sense of time, cost and above all quality. An external auditor not only plans the areas of his or her workings, but he or she does control to his or her plan and quality. Contents of Audit Planning: The audit plan should cover the following areas: i. ii. iii. iv. v. vi. vii. viii. Clear fixing of what the audit engagement is about, what the objectives and scope of the audit are. Gaining knowledge of clients business Gaining knowledge of clients internal control system Considering of laws governing the entity of the client Considerations as to initial engagement Obtaining terms of engagement Planning for nature and extent of audit procedures, audit programming and scheduling Man power planning and quality control plan
29 | P a g e

ix. x.

Coordinating the work to be performed by others Documentation

Audit Planning
Audit Planning a continuous and permeating exercise: An auditor plans and performs and as he performs, modify his plan to make his planning conform to the situations of exigencies that emerge. An audit is, therefore, a continuous exercise. Essentially it comprise of two dimensions: a. Developing an overall audit plan-guiding the matters of audit objectives, scope, time-framework, reporting requirements etc. And b. Developing an audit programme showing the nature, timing and extent of audit procedures. Benefits of audit planning: The followings are the identified benefits of audit planning: i. ii. iii. iv. v. Appropriate attention to important areas Potential problems promptly identified Time bound progress and completion Man power utilization Coordination of work of auditor and experts.

Factors affecting audit planning: The overall audit plan takes into consideration the following aspects: i. ii. iii. iv. v. vi. vii. The terms of engagement Statutory duties connected with audit The nature of the report, timing for submission Legal and statutory milieu Accounting policies followed by the entity, any change effected thereon The effect of new accounting or auditing pronouncements by the governing body Identification of significant and special audit areas
30 | P a g e

viii. ix. x. xi. xii. xiii.

The setting of materiality level for audit purposes The probability of misstatements appearing in the financial statements due to fraud or errors Related party transactions-the transactions of the entity with those persons who are intimately related to the management The nature and the veracity of audit evidences obtainable The extant of participation in audit work by other people, - internal auditor, experts, joint auditors, The element of surprise, shift contemplated in matters and areas of audit.

Audit Programming
Contents of the Audit Programming: Audit programme is a plan of action translated into specific areas of audit works with check list of actions to be performed. An audit programmes become well knit when time units and personal responsibility are embroidered on to the specific areas of work assigned. An audit programme thus entails the following:
i.

Specific listing of audit area components in terms of related procedures: For example, the overall audit procedure of an entity may consist of the following, Vouching of cashbook, Bank book, Sales day book, Purchase day book, Scrutiny of journals, Debtors ledger, Creditors ledger, General ledger, etc. Staff Positioning: The staff who would do the specific procedures are also specified. Timing built in: The audit programme specifies the time and date by which the work should have been completed. Sequencing: Audit programming also fixes up the time values in such a way that the overall completion of audit is not hampered for want of performance of initial and routine audit procedures. Responsibility fixing: The auditor assigns duty to different staff. In token of their having their done the job, they are required to sign the plan paper against the work area allotted to them with dates.

ii. iii. iv.

v.

Audit Control
An audit control is an Exercise to ensure that the audit plan is actually carried out in the line it is thought out to be; that the audit plan is appropriately modified and adopted to meet appropriately the real life situation; the deviation in performance are promptly signalled out the corrective measures are taken for conforming; direction, supervision and review required of the auditor are duly forthcoming.

31 | P a g e

The auditor exercise the control over his assistants, coordinates the work by his interaction with the client, other experts involved in the business of the client in so far as they may relate to his audit work and subsequently taking note of the progress of the work. Simultaneously, the auditor builds up proper files of the audit matters and events to create the documentation for his plan and action. Quality Control for Audit work: AAS 17 establishes audit standards on the quality control policies and procedures. The standard deals with: i. ii. Quality control policy and procedures of an audit firm regarding audit work generally Quality control procedures regarding the work delegated to assistants on an individual audit. a. Quality Control Policy for an Audit Firm: The audit firm should implement the quality control policies and procedures designed to ensure that all audits are concerned in accordance with auditing and Assurance standards in relation to the audit generally The relevant quality control objectives are1. Professional Requirements: This is quality objective that insist that all personnel adhere to the principles of independence, integrity, objectivity, confidentiality and professional behaviour. The professional behaviour is a word of wider significance and it would require personnel to maintain a high degree of moral, ethical and work standards, whether in or about or away the work. 2. Skills and competence: The staff must be adequately attained the professional competence and skills required of them to perform the duty of the auditor. 3. Assignment: Audit work is to be assigned to the personnel who have the required technical training and proficiency required in the circumstances. 4. Delegation: A delegation must be spirited in the sense that there must be sufficient direction, supervision and review of the work delegated to ensure quality standards. 5. Consultation: Then auditor should have arrangements for access for consultation within and outside the firm with those who have appropriate expertise. 6. Acceptance and retention of a client: Decision as to accept a prospective client or retain an existing client should be based on the
32 | P a g e

considerations like the firms independence and the ability of the firm to serve the client properly. 7. Monitoring: The audit firm should ensure that quality control policy, procedures are continued to be monitored for their accuracy and effectiveness in their implementation. The quality objectives, policy, procedures should be adequately communicated to the audit staff so that they can understand them properly and attempt to conform to them in their practice.

Quality Control in an Individual Audit: The total quality policy of the firm specifies, inter alia, that the quality control is to be implemented in relation to the individual audit work. a. Staff Deployment: The auditor should ensure that the delegation of work to the assistants is done after considering the professional skills of the audit people to be at work. b. Direction of work delegated: Direction involves in leading mentally the audit assistants to the work situations with a prior sense of how and when to do audit procedures. Direction involves Informing audit assistants about the what procedures (nature) they are to perform, What their responsibility are in relation to them, What objectives the procedures seek to attain, What possible problems or audit issues in such area they may encounter, A standard solution if possible to them or if not, the reference level to solve issues, Nature of audit situation in the light of uniqueness of business, accounting system Vulnerable areas of slip, pitfall in internal control system, Timing of the audit procedure- time of start sequence of doing and elements of surprise

33 | P a g e

Extent of audit procedure and so on. The direction is conveyed to the audit people at work through audit programme, overall audit plan and time budget.

c. Supervision: Supervision by the auditor is a link exercise between direction and review. It is a tool to ensure that the audit programming is followed in substance over form. Supervision involves: Monitoring the progress of the work to ensure that the skills set of the audit staffs is appropriate to the requirements of real work. Monitoring the work to ensure that direction has reached the audit staff in correct sense. Monitoring the work to ensure that the work is carried out in accordance with overall audit plan and programming. Getting to know about accounting and audit questions raised during the audit, analysing their significance, providing appropriate further direction or modification of programme to suit them appropriately. Resolving the differences of professional judgement between personnel and considering the level of consultation where differences in judgement are sharp and require of deeper insights.

d. Review: The review is the final stage of quality testing process of audit work. The person who should review the work should be the person who has competence at least equal to the competence of the person who performed the work. That is peer or higher-ups are competent to perform review. Review of work of junior audit clerks is done by another employee or the principle auditor as the case may be. Review involves considering that Work had completed as per audit programme Work performed and the results obtained have been adequately documented The significant audit matters have been resolved Where significant matters remain not resolved or they otherwise require of disclosure they are reflected in an audit conclusion The objective of the audit procedures have been achieved

34 | P a g e

The audit conclusion are based on results of the work performed and there is no inconsistency between the two; In short, the review seeks to ensure that the links between audit opinion expressed and the audit performance and planning have been consistently and appropriately operated.

2.2.13 Audit Report:

The Auditor's report is a formal opinion, or disclaimer thereof, issued by either an internal auditor or an independent external auditor as a result of an internal or external audit or evaluation performed on a legal entity or subdivision thereof (called an auditee). The report is subsequently provided to a user (such as an individual, a group of persons, a company, a government, or even the general public, among others) as an assurance service in order for the user to make decisions based on the results of the audit. An auditors report is considered an essential tool when reporting financial information to users, particularly in business. Since many third-party users prefer, or even require financial information to be certified by an independent external auditor, many auditees rely on auditor reports to certify their information in order to attract investors, obtain loans, and improve public appearance. Some have even stated that financial information without an auditors report is essentially worthless for investing purposes. The audit report communicates the results of the audit work. For that reason alone it is perhaps one of the most important parts of the audit process. It is important because it is what the department and senior management sees, and in some cases may be the only product of our work that management receives. If written and communicated well, it can act as a positive change agent prompting management to take corrective action. Writing an effective audit report starts with a clear understanding of how the report will be used, viewed, acted upon by department management. Audit reports have three major objectives:

Inform: To make department management aware of a situation by communicating the results of our audit work. Persuade: To convince department management that our comments are valid and worthwhile. Results: To convince department managers to take appropriate action.

Types of Audit Report: The audit report of an External Auditor can be of the following category:

35 | P a g e

1. Standard Unqualified: An external auditor draws the Standard Unqualified Audit

report if the following conditions are met: All statementsbalance sheet, income statement, statement of retained earnings, and statement of cash flowsare included in the financial statements. The three general standards have been followed in all respects on the engagement. Sufficient evidence has been accumulated, and the auditor has conducted the engagement in a manner that enables him or her to conclude that the three standards of field work have been met. The financial statements are presented in accordance with generally accepted accounting principles. There are no circumstances requiring the addition of an explanatory paragraph or modification of the wording of the report.

2. Unqualified with Explanatory Paragraph: The following are the most important

causes of an addition of an explanatory paragraph or a modification in the wording of the standard unqualified report: Lack of consistent application of Generally Accepted Accounting Principles Substantial doubt about going concern Auditor agrees with a departure from promulgated accounting principles Emphasis in a matter Reports involving other auditors.
3. Qualified: The auditor concludes that the overall financial statements are fairly

presented, but the scope of the audit has been materially restricted or generally accepted accounting principles were not followed in preparing the financial statements. 4. Adverse or Disclaimer: The auditor concludes that the financial statements are not fairly presented (Adverse), he or she is unable to form an opinion as to whether the financial statements are fairly presented (disclaimer), or he or she is not independent (Disclaimer). Generally, an adverse opinion is only given if the financial statements pervasively differ from GAAP. An example of such a situation would be failure of a company to consolidate a material subsidiary. The wording of the adverse report is similar to the qualified report. The scope paragraph is modified accordingly and an explanatory paragraph is added to explain the reason for the adverse opinion after the scope paragraph but before the
36 | P a g e

opinion paragraph. However, the most significant change in the adverse report from the qualified report is in the opinion paragraph, where the auditor clearly states that the financial statements are not in accordance with GAAP, which means that they, as a whole, are unreliable, inaccurate, and do not present a fair view of the auditees position and operations. In our opinion, because of the situations mentioned above (in the explanatory paragraph), the financial statements referred to in the first paragraph do not present fairly, in all material respects, the financial position of

Statements on Auditing Standards (SAS) provide certain situations where a disclaimer of opinion may be appropriate:

A lack of independence, or material conflict(s) of interest, exist between the auditor and the auditee (SAS No. 26) There are significant scope limitations, whether intentional or not, which hinder the auditors work in obtaining evidence and performing procedures (SAS No. 58); There is a substantial doubt about the auditees ability to continue as a going concern or, in other words, continue operating (SAS No. 59) There are significant uncertainties within the auditee (SAS No. 79).

2.3 Similarities & Dissimilarities between Internal and External Auditors

Similarities between internal and external auditors There are many similarities between internal and external auditors. Some of the main similarities are that both internal and external auditors carry out testing routines which may involve examining many transactions. Some of these testing routines are testing the internal controls of the company and a test of reasonableness for bad debts. Another similarity between the two is that they both will be worried if procedures were very poor and there was a basic ignorance of the importance of following them. A company creates controls for a reason and they should not be ignored. Both internal and external auditors are based in a professional discipline and operate to professional standards, seek active co-operation between the two functions and are tied up during an audit with a companys internal control system. The most important thing that internal and external auditors both do is produce formal audit reports on their activities and are both concerned with the occurrence and effect that errors have on misstating the final accounts.
37 | P a g e

Dissimilarities between internal and external auditors Besides the differences that were previously stated, a significant difference between internal and external auditors is that an external auditor is and external contract and not an employee of the organization being audited. Internal auditors, however, are typically employed at the organization but there are an increasing number of internal auditors from an external source. Another main difference between the two is that external auditors look to provide an opinion on whether or not the accounts are presented fairly and show legitimate assets, debts, etc. An internal audit forms an opinion on the adequacy and effectiveness of systems of risk management and internal control. Internal auditors are mainly concerned with overall risk management and external auditors are concerned with the final accounts and how data is presented in those accounts. One other difference between internal and external auditors is that unlike external auditors, internal auditors should have full and free access to the companys audit committee, unrestricted access to the companys records, documents, property and personnel and authority to discuss initiatives, policies and procedures regarding risk assessment, internal controls, compliance, financial reporting and governance. External auditors can have the same privileges of access as internal auditors except that external auditors need to have proper authority to do so. To be knowledge about the similarities and dissimilarities between the internal auditors and the external auditors, it is also required to know about the similarities and dissimilarities between the internal audit and the external audit. The main similarities that could be identified between internal and external audit:

Both internal audit and external audit profession are governed by one set of international standards issued by the professional organism specific for each profession. This set of international standards includes the professional standards and the ethical code; Risk is a very important element the planning process for both internal and external auditors; For both professions, the independence of the auditor is very important; Internal and external audit are both concerned over the internal control system of the organization; Both functions are interested in the cooperation between internal and external auditors; For both functions, the results of their activity are presented through audit reports;

38 | P a g e

The main differences between internal and external audit functions: No. Criterions Internal Audit 1. Position inside the organization The internal auditors' are part of the organization. Their objectives are determined by professional standards, the board, and management. Their primary clients are management and the board.

External audit

External auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and their primary client - the board of directors.

2.

Objectives

3.

Independence

The internal auditors scope of work is comprehensive. It serves the organization by helping it accomplish its objectives, and improving operations, risk management, internal controls, and governance processes. Concerned with all aspects of the organization - both financial and nonfinancial - the internal auditors focus on future events as a result of their continuous review and evaluation of controls and processes. Internal audit must be independent from the audited activities. Internal audit regards all the aspects regarding the organizations internal control system.

The primary mission of the external auditors is to provide an independent opinion on the organization's financial statements, annually.

4.

Approach of internal control

External audit is independent from its client, the organization, its independence being specific to liberal professions. External audit regards the internal control system only from the materiality perspective, which permits them to eliminate those errors that arent significant, because they dont have influences over the financial results.
39 | P a g e

5.

Applying of the audit

Internal audit covers all the organization transactions.

6.

Frequency of the audit

7.

Approach of risk

Internal audit performs during the entire year, having specific missions established in according with the level of risks identified for each auditable entity. The importance of risk for the planning of internal audit activity is very high, the assessment of risk being combined with other types of information like financial and operational.

External audit covers only those operations that have a contribution at the financial results and the performances of the organization. External audit is an activity with a yearly frequency, as a rule, at the end of the year. External audit uses the information of risks for the determination of nature, period of time and necessary audit procedures that should be performed in the auditable area, taking into consideration only financial aspects.

8.

Consideration Internal audit takes into consideration of risk factors at least next risk factors: (Colbert, J.L., 1995): Ethical climate and pressure on management to meet objectives; Competency, adequacy, and integrity of personnel; Asset size, liquidity, or transaction volume; Financial and economic conditions; Competitive conditions; Impact of customers, suppliers, and government regulations; Date and result of previous audits; Degree of computerization; Geographic dispersion of operations; Adequacy and effectiveness of the system of internal control; Organizational, operational, technological, or economic changes;

External audit takes into consideration next risk factors: (Colbert, J.L., 1995): Management operating and financial decisions are dominated by a single person; Management's attitude toward financial reporting is unduly aggressive; Management, particularly senior accounting personnel, turnover is high; Management places undue emphasis on meeting earnings projections; Management's reputation in the business community is poor; Profitability of entity relative to its industry is inadequate or inconsistent; Sensitivity of operating results to economic factors is high; Rate of change in entity's
40 | P a g e

Management judgments and accounting estimates; Acceptance of audit findings and corrective action taken;

9.

Approach of fraud

Internal audit is concerned about the frauds from all activities from the organization.

industry is rapid; Entity's industry is declining with many business failures; Organization is decentralized without adequate monitoring; Internal or external matter raises substantial doubt about the entity's ability to continue as a going concern; Contentious or difficult accounting issues are prevalent; There are significant and unusual related party transactions not in the ordinary course business; The nature, cause (if known), or amount of known and likely misstatements detected in the audit of prior period's financial statements is significant; Client is new with no prior audit history or sufficient information is not available from the predecessor auditor. External audit is concerned only about the fraud from financial areas.

41 | P a g e

THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION

CHAPTER-3
Role of the Internal Auditor & the External Auditor in Different Aspects

42 | P a g e

Chapter-3
Role of the Internal Auditor & the External Auditor in Different Aspects:
The Roles & Responsibility of Internal auditing i.e. internal auditors serving to the organizations: The word responsible as (1) Liable to be called upon to answer for ones acts or decisions: answerable (2) Able to fulfil ones obligations: reliable, trustworthy (3) Able to choose for oneself between right and wrong and (4) Involving accountability or important duties. Hence the word responsibilities is defined as something for which one is responsible. Based on the above definitions, one should not take such responsibilities lightly and carelessly and unless one has the physical and mental prowess to bear this heavy load and competence to accomplish the given assignment as the word responsibilities encompasses more tasks and duties within this word such as answerable , reliability , liability , trust , justice , ethics , accountability and many more. Therefore, for one to accept responsibility is a serious and Herculean task otherwise he/she will have to lose their business goodwill by facing penalties , imprisonment , involvement in corporate scandals , loss of trust, misfeasance, negligence etc. Fraud Detection: Due to the number of high profile corporate failures in recent years, corporate fraud has been of significant public and regulatory interest. The penalties for fraudulent financial reporting have significantly increased to reflect societys view on this type of behaviour. Fraud is seldom witnessed firsthand. It's a crime that is often shrouded in ambiguity, and it's sometimes difficult even to determine whether or not a crime has actually been committed. Only the symptoms of fraud, the red flags or indicators, exist to alert management of wrongdoing. Unfortunately, many such fraud symptoms go unnoticed; and, in some cases, signals that are recognized are not vigorously pursued. Role of Internal Auditing
43 | P a g e

Internal auditors' roles with regard to fraud might be as identifiers, investigators, resident experts, and educators. In many organizations, the internal audit function will be better suited than any other to bring fraud to the surface, conduct or participate in investigations, and raise management awareness about fraud. Yet many internal auditors hesitate to be identified with fraud, apparently because they believe that participating in investigations will somehow damage the image and effectiveness of the internal audit department. However, proper, professional response to fraud can enhance and expand the role of the internal auditor. Proper fraud handling builds the credibility of the staff and can dramatically increase acceptance of control recommendations. Operating managers who may never have understood, appreciated, or acted upon past control recommendations may embrace suggestions based on fraud findings. Internal control recommendations presented by the person who investigated on behalf of management carry the weight of practical experience. While it is true that auditors can indeed lose credibility if they become obsessed by looking for fraud, the professional auditor does play a significant role in the control system. These controls are aimed, at least in part, at fraud. internal auditors must be knowledgeable about fraud if they are to evaluate controls or design and perform audit program steps. The challenge for the internal auditor is to discuss fraud, detect fraud, and participate in investigations without appearing to be obsessed with fraud. THE INTERNAL AUDITOR'S RESPONSIBILITY FOR DETECTION Some internal auditors believe they have no responsibility for detection. A commonly heard comment is, "We should be able to recognize fraud if we come across it in our audits, but fraud detection is not the reason for our audits." In claiming no responsibility for fraud detection, these internal auditors are echoing refrains from the public accountants. The Internal Auditing Standards Board of The IIA issued Statement on Internal Auditing Standards No. 3, Deterrence, Detection, Investigation, and Reporting of Fraud in 1985. Although this Statement clarified the intended role of the internal auditor with regard to fraud detection, there is still confusion and, in some cases, resistance to acceptance of these responsibilities. Actually, auditors have always had some responsibility for fraud detection. Program steps designed to verify financial statements (such as inventory counts and confirmations) are intended to identify either errors or irregularities. In addition, some internal auditors conduct routine monitoring activity (such as reviewing employee accounts in financial institutions) aimed at fraud. Internal auditors and public accountants using these techniques are carrying out audit work intended to identify problems, such as errors, control weaknesses, or fraud. Rather than deny responsibility for detection, internal auditors should accept reasonable responsibility while resisting actions that would hold them unreasonably accountable for detection.

44 | P a g e

Fighting Fraud: Practical Suggestions for Internal Auditors: 1. 2. 3. 4. Develop and implement a fraud policy. Commit to increasing audit effectiveness in fraud detection. Develop computer audit retrieval applications designed to identify symptoms of fraud. Improve communication between the internal auditors and those responsible for investigative activity. 5. Require audit involvement in all fraud investigations to determine the control implications of the fraud and consider the implications for future audit plans and programs. 6. Require that all fraud investigative activity be reported to the audit committee. By taking the following factors into account possible fraud and errors might be detected;

Weaknesses in the design of the accounting and internal control system; Non-compliance with internal controls; Questions with respect to management's integrity and competence; Unusual external or internal pressure on entities; Unusual transactions; Difficulty to obtain sufficient appropriate audit evidence.

The role of External Auditing Whether a fraud is designed to directly divert assets from a company (carried out by a third party, a director or an employee) or is carried out by management with the specific intention of misleading financial statements being issued (e.g. to maintain a companys share price or to disguise its losses), if such a fraud is not detected by the companys auditors, the question may arise as to how any loss should be allocated as between the company, its auditors and its directors. When an unqualified audit opinion has been given, attention is likely to focus on whether sufficient appropriate audit evidence was obtained to enable the auditors reasonably to form that opinion. The specific standards that auditors are required to observe in relation to their responsibilities to consider fraud in the audit of financial statements are set out in SAS 110. Under SAS 110, auditors are required to plan and perform their audit procedures and evaluate and report the results thereof, recognizing that fraud or error may materially affect the financial statements. [SAS 110.1] In planning and conducting their work, auditors seek to obtain reasonable assurance that financial statements are free from material misstatement, whether caused by error or fraud. Auditors plan, perform and evaluate their audit work in order to have a reasonable expectation of detecting material misstatements in the financial statements arising from error or fraud. However, an audit cannot be expected to detect all
45 | P a g e

errors or instances of fraudulent or dishonest conduct. The likelihood of detecting errors is higher than that of detecting fraud, since fraud is usually accompanied by acts specifically designed to conceal its existence [SAS 110, paras. 14 and 18] Having assessed the risk that fraud or error may cause material misstatements in the financial statements, auditors are required to design their procedures so as to have a reasonable expectation of detecting such material misstatements. [SAS 110.2 and 110.3] In complying with this procedure, SAS 110 notes amongst other things the need:

to be alert to audit evidence indicating unusual events or actions such as control overrides/unusual transactions/insubstantial responses to audit inquiries, delays or vague representations/unusual accounting judgments; to obtain sufficient reliable audit evidence that puts appropriate emphasis on external evidence that puts appropriate emphasis on external evidence or evidence created by the auditors [SAS 110, para. 26].

On becoming aware of information indicative of fraud or error, auditors should obtain an understanding of the nature of the event and circumstances in which it has occurred, and sufficient other information to evaluate the possible effect on the financial statements. If this effect is believed to be material, auditors should perform modified or additional procedures [SAS 110.4]. When auditors become aware of, or suspect, instances of error or fraudulent conduct, they should document their findings and discuss them with the appropriate level of management unless a suspected or actual instance of fraud casts doubt on the integrity of the directors in which case the auditors should make a report to the proper authority in the public interest without delay and without informing the directors in advance [SAS 110.5 and 110.12]. The auditors should consider the implications of suspected or actual error or fraudulent conduct in relation to other aspects of the audit, particularly the reliability of management representations [SAS 110.6]. The auditors should as soon as practicable communicate their findings to the appropriate level of management, the board or the audit committee if:

they discover fraud, even if the potential effect on the financial statements is immaterial except where SAS 110.12 applies (see note 17); material error is found to exist [SAS 110.7].

SAS 110 sets out how suspected or actual fraud should be addressed in the auditors report:

if the level of uncertainty concerning the error or fraud is fundamental, an explanatory paragraph concerning the matter should be included in the report [SAS 110.8];

46 | P a g e

if it has a material effect on the financial statements and the auditors disagree with the accounting treatment or with the level of disclosure in the financial statements concerning the fraud, they should issue an adverse or qualified opinion [SAS 110.9]; if they are unable to determine whether fraud or error has occurred because of a limitation in the scope of their work, they should issue a disclaimer or qualified opinion [SAS 110.9].

Finally, auditors should consider whether a suspected or actual fraud should be reported to a proper authority in the public interest [SAS 110.10].

Internal control:
Internal control is one of the principal means by which risk is managed. Other devices used to manage risk include the transfer of risk to third parties, sharing risks, contingency planning and the withdrawal from unacceptably risky activities. Specific examples of internal control are as follows: 1. Integrity and ethical values; 2. Managements philosophy and operating style; 3. Organizational structure; 4. Assignment of authority and responsibility; 5. Human resource policies and procedures; and 6. Competence of personnel. Broadly defined, internal control is a process that and encompasses all activities of the Organization, reflects the attitude of the board of directors and senior management, and is designed to: 1. Provide reasonable assurance that assets are safeguarded, and financial and operational information is timely and reliable; 2. Detect and correct errors and irregularities in a timely manner; 3. Ensure compliance with policies, plans, procedures, laws and regulations; and 4. Promote the economical and efficient use of resources. Control is an integral part of managing operations, and is any action taken by a manager to enhance the probability that established goals and/or objectives will be achieved. Those actions may be either preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which have occurred), or directive (to cause or encourage a desirable event to occur). Role of Internal Auditing: Internal auditing activity is primarily directed at improving internal control. Under the COSO Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following internal control categories: 1. Effectiveness and efficiency of operations. 2. Reliability of financial reporting.
47 | P a g e

3. Compliance with laws and regulations. Management is responsible for internal control. Managers establish policies and processes to help the organization achieve specific objectives in each of these categories. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement. The purpose of the internal audit is to assist the Board of Directors in supervising and controlling the organization. For this purpose, the internal auditor identifies and monitors the most important operational risks of the organization, ensures the functionality and fit of the internal control mechanisms of the organization and produces reliable information for the Board of Directors and its Audit Committee. Organizational Roles: Every member of an organization has a role in the system of internal control. Internal control is people-dependent. It is developed by people; it guides people; it provides people with a means of accountability; and people carry it out. Individual roles in the system of internal control vary greatly throughout an organization. Very often, an individual's position in the organization determines the extent of that person's involvement in internal control. The strength of the system of internal control is dependent on people's attitude toward internal control and their attention to it. Executive management needs to set the organizations "tone regarding internal control. If executive management does not establish strong, clearly stated support for internal control, the organization as a whole will most likely not practice good internal control. Similarly, if individuals responsible for control activities are not attentive to their duties, the system of internal control will not be effective. People can also deliberately defeat the system of internal control. For example, a manager can override a control activity because of time constraints, or two or more employees can act together in collusion to circumvent control and "beat the system." To avoid these kinds of situations, the organization should continually monitor employee activity and emphasize the value of internal control. While everyone in an organization has responsibility for ensuring the system of internal control is effective, the greatest amount of responsibility rests with the managers of the organization. Management has a role in making sure that the individuals performing the work have the skills and capacity to do so, and, to provide employees with appropriate supervision, monitoring, and training to reasonably assure that the organization has the capability to carry out its work. The organization's top executive, as the lead manager, has the ultimate responsibility. The Internal Control Act provides that, the top executive is responsible for establishing the organizations system of internal control, and is also responsible for (1) Establishing a system of internal control review, (2) Making management policies and guidelines available to all employees, and (3)Implementing education and training about internal control and internal control evaluations.
48 | P a g e

To the extent that the top executive authorizes other managers to perform certain activities, those managers become responsible for those portions of the organizations system of internal control. The law further requires the head of the organization to designate an internal control officer who reports to him or her. Drawing on knowledge and experience with internal control matters, the internal control officer is a critical member of the management team who assists the agency head and other management officials by evaluating and improving the effectiveness of the internal control system. While the internal control officer has responsibility for both implementing and reviewing the organizations internal control efforts, the organizations managers are still responsible for the appropriateness of the internal control system in their areas of operation. The internal control officer helps establish specific procedures and requirements; the effectiveness of these procedures and requirements must be audited by someone who was not involved in the process of putting them into place. In contrast, the organizations internal auditor is responsible for evaluating the effectiveness of the system of internal control. This individual must be independent of the activities that are audited. For this reason, in most instances, the internal auditor cannot properly perform the role of internal control officer. Role of External Auditing: As the work of an external auditing is simply to draw an opinion regarding the truth and fairness of the books of records of the organization, External Auditing does not directly have impact on the internal control of the organization being audited by an external auditor; but if the external auditor find the work of the internal auditors as erroneous to an unacceptable limit it inform that the internal auditor is providing inefficient services to the organization; thus, finally informs that the organization has a weak internal control system. The purpose of appointing an internal auditor is to have a sound and strong internal control system which will intern reduce the time and effort of the external auditor given by during the course of audit work; this will save the audit fees that the organization would have to give to the external auditor.

Corporate governance:
Broad Definitions of Corporate Governance: Corporate governance is the system by which business corporations are directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among different participants in the corporation, such as, the board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. Focused definition: Corporate governance is about promoting corporate fairness, transparency and accountability.Two major players in corporate governance Role of Internal Auditing Internal auditing activity as it relates to corporate governance is generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct, manage,
49 | P a g e

and monitor the organization's resources, strategies and policies towards the achievement of the organizations objectives. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor. A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical internal control problems, informing the Committee privately on the capabilities of key managers, suggesting questions or topics for the Audit Committee's meeting agendas, and coordinating carefully with the external auditor and management to ensure the Committee receives effective information. Specifically,

Review of general control environment Process evaluation and performance auditing Risk assessment, risk based audits and business monitoring Performance auditing Due diligence on internal and external reporting Financial control, health, performance auditing and self-assessment

Corporate Governance set a yardstick by which all companies should seek to be measured. The Code of Corporate Practices and Conduct is based on the principles of openness, integrity and accountability. Internal Audit is thus there to assist the company in measuring their compliance to governance issues. Role of External Auditing An external auditor is an outsider of the organization being audited who remains only for a few days required to collect evidences and information to draw an audit opinion; thus the external auditor has no impact on the corporate governance of the organization, but it is true that the opinion drawn by the external auditor do have impact on the corporate governance of the organization.

ERM (Enterprise Risk Management):

Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows: Enterprise risk management is a process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. The definition reflects certain fundamental concepts. Enterprise risk management is:
50 | P a g e

 A process, ongoing and flowing through an entity Effected by people at every level of an organization Applied in strategy setting Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite Able to provide reasonable assurance to an entitys management and board of directors Geared to achievement of objectives in one or more separate but overlapping categories This definition is purposefully broad. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness. The Role of Internal Auditing:

Figure: Internal auditing roles in regard to ERM Core internal auditing roles in regard to ERM: Giving assurance on risk management processes. Giving assurance that risks are correctly evaluated. Evaluating risk management processes. Evaluating the reporting of key risks. Reviewing the management of key risks.
51 | P a g e

Legitimate internal auditing roles with safeguards: Facilitating identification and evaluation of risks. Coaching management in responding to risks. Coordinating ERM activities. Consolidating the reporting on risks. Maintaining and developing the ERM framework. Championing establishment of ERM. Roles internal auditing should NOT undertake. Setting the risk appetite. Imposing risk management processes. Management assurance on risks. Taking decisions on risk responses. Implementing risk responses on management's behalf. Accountability for risk management. Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's Risk management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives. Under the COSO enterprise risk management (ERM) Framework, risks fall under strategic, operational, financial reporting, and legal/regulatory categories. Management performs risk assessment activities as part of the ordinary course of business in each of these categories. Examples include: strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, and credit/lending practices. Sarbanes-Oxley regulations also require extensive risk assessment of financial reporting processes. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a company faces. Internal auditors may evaluate each of these activities, or focus on the processes used by management to report and monitor the risks identified. For example, internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board, to help identify emerging risks. In larger organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee, or ensure management's reporting is effective for that purpose. Internal auditors may help companies establish and maintain Enterprise Risk Management processes. Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment. In these latter two areas, internal auditors typically are part of the project team in an advisory role.

52 | P a g e

Internal auditors play an important role in evaluating the risk management processes of an organization and advocating their continued improvement. However, to preserve its organizational independence and objective judgment, Internal Audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk management function. Internal auditors typically perform an annual risk assessment of the enterprise, to develop a plan of audit engagements for the upcoming year. This plan is updated at various frequencies in practice. This typically involves review of the various risk assessments performed by the enterprise (e.g., strategic plans, competitive benchmarking, and SOX top-down risk assessment), consideration of prior audits, and interviews with a variety of senior management. It is designed for identifying audit projects, not to identify, prioritize, and manage risks directly for the enterprise.

Standards

2010.A1 The internal audit activitys plan of engagements should be based on a risk assessment, undertaken at least annually. 2120.A1 Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organizations governance, operations, and information systems. 2210.A1 When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

The role of External Auditing: ERM is one of the major factors of the Internal Control of the organization. As external auditor involves him or herself for a very short time for the course of audit work, he or she does not directly play role in ERM of the organization. The external auditor generally uses the work of internal auditor in which his or her entry is restricted.

THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION
53 | P a g e

CHAPTER-4 Audit Process & Associated Risks

Chapter-4
Audit Process & Associated Risks
54 | P a g e

4.1 The Internal Audit Process: The internal audit process contains the following
steps: Planning During the planning portion of the audit, the auditor notifies the client of the audit, discusses the scope and objectives of the examination in a formal meeting with organization management, gathers information on important processes, evaluates existing controls, and plans the remaining audit steps. 1. Announcement Letter The client is informed of the audit through an announcement or engagement letter from the Internal Audit Director. This letter communicates the scope and objectives of the audit, the auditors assigned to the project and other relevant information. Initial Meeting During this opening conference meeting, the client describes the unit or system to be reviewed, the organization, available resources (personnel, facilities, equipment, funds), and other relevant information. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. It is important that the client identify issues or areas of special concern that should be addressed. Preliminary Survey In this phase the auditor gathers relevant information about the unit in order to obtain a general overview of operations. S/He talks with key personnel and reviews reports, files, and other sources of information. Internal Control Review The auditor will review the unit's internal control structure, a process which is usually timeconsuming. In doing this, the auditor uses a variety of tools and techniques to gather and analyze information about the operation. The review of internal controls helps the auditor determine the areas of highest risk and design tests to be performed in the fieldwork section. Audit Program Preparation of the audit program concludes the preliminary review phase. This program outlines the fieldwork necessary to achieve the audit objectives.

55 | P a g e

Fieldwork The fieldwork concentrates on transaction testing and informal communications. It is during this phase that the auditor determines whether the controls identified during the preliminary review are operating properly and in the manner described by the client. The fieldwork stage concludes with a list of significant findings from which the auditor will prepare a draft of the audit report. Transaction Testing After completing the preliminary review, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls and the accuracy and propriety of the transactions. Various techniques including sampling are used during the fieldwork phase. Advice & Informal Communications As the fieldwork progresses, the auditor discusses any significant findings with the client. Hopefully, the client can offer insights and work with the auditor to determine the best method of resolving the finding. Usually these communications are oral. However, in more complex situations, memos and/or e-mails are written in order to ensure full understanding by the client and the auditor. Our goal: No surprises. Audit Summary Upon completion of the fieldwork, the auditor summarizes the audit findings, conclusions, and recommendations necessary for the audit report discussion draft. Working Papers Working papers are a vital tool of the audit profession. They are the support of the audit opinion. They connect the clients accounting records and financials to the auditors opinion. They are comprehensive and serve many functions. Audit Report Our principal product is the final report in which we express our opinions, present the audit findings, and discuss recommendations for improvements. To facilitate communication and ensure that the recommendations presented in the final report are practical, Internal Audit discusses the rough draft with the client prior to issuing the final report.
Discussion on Draft

At the conclusion of fieldwork, the auditor drafts the report. Audit management thoroughly reviews the audit working papers and the discussion draft before it is presented to the client
56 | P a g e

for comment. This discussion draft is prepared for the unit's operating management and is submitted for the client's review before the exit conference.
Exit Conference

When audit management has approved the discussion draft, Internal Audit meets with the unit's management team to discuss the findings, recommendations, and text of the draft. At this meeting, the client comment on the draft and the group works to reach an agreement on the audit findings.
Formal Draft

The auditor then prepares a formal draft, taking into account any revisions resulting from the exit conference and other discussions. When the changes have been reviewed by audit management and the client, the final report is issued.
Final Report

Internal Audit prints and distributes the final report to the unit's operating management, the unit's reporting supervisor, the Vice President for Administration, the University Chief Accountant, and other appropriate members of senior University management. This report is primarily for internal University management use. The approval of the Internal Audit Director is required for release of the report outside of the University.
Client Response

The client has the opportunity to respond to the audit findings prior to issuance of the final report which can be included or attached to our final report. However, if the client decides to respond after we issue the report, the first page of the final report is a letter requesting the client's written response to the report recommendations. In the response, the client should explain how report findings will be resolved and include an implementation timetable. In some cases, managers may choose to respond with a decision not to implement an audit recommendation and to accept the risks associated with an audit finding. The client should copy the response to all recipients of the final report if s/he decides not to have their response included/attached to Internal Audit's final report.
Client Comments

Finally, as part of Internal Audit's self-evaluation program, we ask clients to comment on Internal Audit's performance. This feedback has proven to be very beneficial to us, and we have made changes in our procedures as a result of clients' suggestions.

57 | P a g e

Audit Follow-Up

Within approximately one year of the final report, Internal Audit will perform a follow-up review to verify the resolution of the report findings.
Follow-up Review

The client response letter is reviewed and the actions taken to resolve the audit report findings may be tested to ensure that the desired results were achieved. All unresolved findings will be discussed in the follow-up report. Follow-up Report The review will conclude with a follow-up report which lists the actions taken by the client to resolve the original report findings. Unresolved findings will also appear in the follow-up report and will include a brief description of the finding, the original audit recommendation, the client response, the current condition, and the continued exposure to Indiana University. A discussion draft of each report with unresolved findings is circulated to the client before the report is issued. The follow-up review results will be circulated to the original report recipients and other University officials as deemed appropriate. Internal Audit Annual Report to the Board In addition to the distribution discussed earlier, the contents of the audit report, client response, and follow-up report may also communicated to the Audit Committee of the Board as part of the Internal Audit Annual Report.
4.2

The External Audit Process:

Based on the type of review, each portion of the audit will take more or less time. However, all audits, except for the most basic, will include the following five steps: STEP 1: PLANNING The audit is begun with a Planning phase which does not usually require departmental involvement. The audit staff will review any past audit work, look over available literature on the department, and make a preliminary review of departmental income and expense. During this time, the auditors will also tentatively formulate their scope and audit plan, on which they will base the fieldwork. STEP 2: INTRO MEETING After the client receive his or her introductory letter announcing the audit, auditor will call the client to schedule an Introductory Meeting. These meetings typically last no longer than an hour and take place at the clients office, if possible. At this time the client have the opportunity to meet the audit staff and ask questions about the upcoming audit work and the audit process. The audit farm encourages the client to discuss any concerns he or she may
58 | P a g e

have and any areas or business functions that he or she would like auditors to review. During the meeting, the auditors will discuss the potential timeframe for the review, the audit objectives, and the audit logistics (facilities, availability of personnel, primary contacts, etc.). At this time, the client may also provide the staff with the few pieces of information the audit firm requests before each audit begins- a departmental organization chart, a contact list, and literature describing the department- if available. STEP 3: FIELDWORK In this step, the actual work of the audit is performed. The audit staff begins the Fieldwork by gathering information about the auditee's operations, gaining an understanding of departmental functions, and identifying areas of weakness and concern (as well as strengths). This work includes reviewing financial and budgeting activity, administrative and business procedures, critical departmental functions, information technology, and other activities specific to each auditee. The audit staff will conduct interviews with key personnel, observe departmental procedures, and periodically review the audit progress with the department heads and personnel. The client may contact the audit-firm at anytime throughout the audit with his or her questions or concerns regarding the audit process or audit findings. During the fieldwork, which is typically the lengthiest part of the audit, the audit staff identifies areas of risk and concern within the department's internal controls and procedures, all of which will be discussed with the client before or at the conclusion of the fieldwork. STEP 4: REPORTING After the fieldwork is completed and auditors findings and concerns have been reviewed with the client, the audit staff will first prepare a Draft Report. The draft report is transmitted to the client for his or her review and in order for him or her to prepare his or her response. Responses typically include corrective action plans, the parties responsible for the action, and the timeline to complete the process. Once the clients response is received and the audit firm agree on the report text, the report is ready to be finalized. The clients response is incorporated or attached where appropriate, and the Final Report is delivered to the client. The client will be given the opportunity to review the final report before the distribution is completed.

STEP 5: FOLLOW-UP Depending on the nature of the audit or the audit findings, the Follow-Up procedure may formal or informal. In either case, after a reasonable period of time, the auditee will be contacted regarding the departmental progress with the corrective actions identified in the audit. At this time, the auditor may perform a follow-up review concluding with a follow-up report. In most cases, the auditee is only contacted informally, possibly several times, to monitor the status of the department's progress.
59 | P a g e

Stages in the Audit Process:

1. Audit start up meeting. Copies of the audit tool and handbook for the audit process will have been circulated via the link person prior to the start up meeting. This meeting will enable the audit process to be discussed and planned in detail. On completion of the start up meeting the audit team and organisation or learning environment will have outlined a timetable for the audit visit and have identified the persons who will need to contribute to the audit process. 2. Documentation review and audit visit. On an agreed date an audit team will visit the organisation or learning environment. The audit visit will last from 0.5 - 2 days dependent on the size of the organisation or number of learning environments. The time taken to complete the audit can also be reduced if the organisation and / or learning environment has adopted a self assessment approach using the audit tool to collect evidence for continuous improvement purposes. Using the relevant audit tool, (link), the capability of the organisation and learning environment to support practice based learning will be assessed collaboratively. How well the standards have been met will be determined through review of relevant policy, strategy and operational documents, and through dialogue with practice staff and with students. Following the audit visit preliminary feedback will be given to the local audit link and other staff that are available to receive feedback. 3. Prepare draft audit results and action plan The draft audit results and action plan will be prepared by the auditors and submitted to the organisation and to the relevant learning environment(s). The draft audit results will be submitted within three weeks of the audit visit.

4. Feedback meeting and final action plan. At a pre-arranged feedback meeting the results and action plan will be discussed and any amendments agreed by the organisation or learning environment and the audit team. The meeting also enables feedback from the learning environments and organisation on the audit process. 5. Implementing action plan. The action plan component of the audit identifies the persons or committees that will be charged with taking the actions forward and the timelines for
60 | P a g e

implementing the actions. Examples of action plans and those identified to take actions forward can be seen in the pilot audit results Generally, the following steps are involved in an audit cycle:

Figure: Steps in an Audit Cycle Auditing processes for both internal auditors and external auditors have changed in the past eight to ten years (Lemon, M.W.& Tatum K.W., 2003). The main factors that prompted these changes included the globalization of business, advances in technology, and demands for value-added audits. Figure no.1 illustrates these changes in practice, which initiated changes in both internal and external auditing standards:

61 | P a g e

Figure: Convergence of Internal Audit and External Audit Functions

4.3 The reliance of external auditors on internal auditors.

Although they are independent of the activities they audit, internal auditors are integral to the organization and provide ongoing monitoring and assessment of all activities. On the contrary, external auditors are independent of the organization, and provide an annual opinion on the financial statements. The work of the internal and external auditors should be coordinated for optimal effectiveness and efficiency. Internal and external auditors have mutual interests regarding the effectiveness of internal financial controls. Both professions adhere to codes of ethics and professional standards set
62 | P a g e

by their respective professional associations. There are, however, major differences with regard to their relationships to the organization, and to their scope of work and objectives. The internal auditors' are part of the organization. Their objectives are determined by professional standards, the board, and management. Their primary clients are management and the board. External auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and their primary client - the board of directors. The internal auditors scope of work is comprehensive. It serves the organization by helping it accomplish its objectives, and improving operations, risk management, internal controls, and governance processes. Concerned with all aspects of the organization - both financial and non-financial - the internal auditors focus on future events as a result of their continuous review and evaluation of controls and processes. They also are concerned with the prevention of fraud in any form. The primary mission of the external auditors is to provide an independent opinion on the organization's financial statements, annually. Their approach is historical in nature, as they assess whether the statements conform with generally accepted accounting principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period of time are accurately represented, and whether the financial statements have been materially affected. The internal and external auditors should meet periodically to discuss common interests; benefit from their complementary skills, areas of expertise, and perspectives; gain understanding of each other's scope of work and methods; discuss audit coverage and scheduling to minimize redundancies; provide access to reports, programs and working papers; and jointly assess areas of risk. In fulfilling its oversight responsibilities for assurance, the board should require coordination of internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process.

4.4 Internal and external audit Risks:

For both external and internal auditors, risk plays an important role in the planning process. As the director of internal audit considers the work schedule for the year, the risks present in the various audit units are considered. Similarly, as the external auditor plans the engagement, areas that may prove particularly susceptible to material misstatement are evaluated. The similarities stop with planning, however. Although they are attacking the same animal, internal and external auditors each consult their own guides as they contemplate risk. Internal auditors turn to Statement on Internal Auditing Standards (SIAS) 9, "Risk Assessment" (The IIA, 1991), while external auditors look to Statement on Auditing Standards (SAS) 47, "Audit Risk and Materiality in Conducting an Audit" (AICPA, 1983) and SAS 53, "The
63 | P a g e

Auditor's Responsibility to Detect and Report Errors and Irregularities" (AICPA, 1988). The concept of risk thus takes on a different character. Not only do external and internal auditors utilize and define risk differently, but the processes and factors involved in risk assessment also differ. Since internal and external auditors often coordinate their work and exchange work papers, it is critical that each understand the perspective of the other. Utilization of Risk Because the objectives of internal and external audits differ, the utilization of risk in the two types of engagement also varies. The objective of internal auditing is to aid members of the organization in effectively discharging their duties. The broad scope of the internal auditing department encompasses operational, compliance, and financial work and involves assessments of the effectiveness, efficiency, and economy of operations. For internal auditors, risk functions as an aid for determining which activities to examine. Once auditable activities are identified, risk assessment serves to delineate the scope of the work to be performed in each area. External auditing's focus and its use of risk is much narrower. An external audit is concerned only with financial aspects of the entity; normally, compliance and operational issues are not examined. The external audit process culminates in an opinion on the fair presentation of the financial statements. Shareholders and others with a financial interest in the entity utilize the opinion and published financial statements in making economic decisions. In an external audit, the practitioner establishes the overall level of audit risk for the engagement. Audit risk is limited to an appropriately low level so that at the conclusion of the engagement, the external auditor has sufficient assurance of the fairness of the financial statements. In order to establish the nature, timing, and extent of work within the financial statements, audit risk is also set for management's assertions at the individual class of transactions or account balance level. Risk is then assessed for components of audit risk at the individual level, and the audit work is planned. Definitions Internal and external auditors also define risk according to their own terms. SIAS 9 describes risk as "the probability that an event or action may adversely affect the organization." For internal auditors, risk exists as a threat to the likelihood that an entity will achieve its established objectives. Objectives may relate to market share, environmental concerns, customer satisfaction, product pricing, employee relations, compliance with laws and regulations, financial position and results, or a myriad of other areas. The effects of not addressing objectives may be lost market share, environmental liabilities, customer dissatisfaction, inappropriate pricing, low employee morale, failure to comply with relevant laws and regulations, or fraudulent financial reporting, for example.
64 | P a g e

Management develops controls to address the risks of not achieving such objectives. In turn, the internal auditor ascertains both the entity's objectives and risk. Controls can then be assessed to determine if they appropriately address the risks. The definition of audit risk provided to external auditors by SAS 47 is more detailed than that of risk given to internal auditors in SIAS 9. For the external auditor, audit risk exists at two levels: the financial statement level and the level of the individual account or class of transactions. At the financial statement level, audit risk is "the risk that the (external) auditor may unknowingly fail to appropriately modify the opinion on financial statements that are materially misstated." In other words, although the external auditor performs an engagement according to generally accepted auditing standards (GAAS), material misstatement existing in the financial statements may not be located, and an unqualified opinion may be unwittingly issued. If the auditor had been aware of the material misstatement, the unqualified opinion would have been appropriately modified. At the individual balance or class of transactions level, audit risk is composed of inherent risk, control risk, and detection risk. Inherent risk is the risk that an account or class of transactions may contain material misstatement, assuming that controls do not address the situation. Control risk is the risk that controls do not prevent or detect material misstatement on a timely basis. Detection risk is the risk that the external auditor's detection procedures do not locate material misstatement. Risk Assessment: Internal Auditing Risk assessment entails evaluating and combining judgments about risk factors and adverse conditions. The end product of the internal auditor's risk assessment is the audit work schedule. The internal auditor begins the process of assessing risk by identifying the systems, units, or subjects that are capable of being evaluated. Auditable activities might include such areas as information systems; major contracts and programs; functions such as purchasing, payroll, human resources, production, and marketing; and financial statements and reports. According to SIAS 9, the internal auditor considers factors that might bear on the riskiness of the isolated auditable activities. Each risk factor may not be equally significant, however. The internal auditor may therefore elect to weigh the risk factors according to their importance. Besides risk factors, the internal auditor evaluates other sources of information in the process of determining the work schedule. For example, the internal auditor considers discussions with the board and management, communications with external auditors, and results of prior internal audits. Also, industry and economic trends, operating and financial data, and relevant policies, procedures, laws, and regulations are reviewed.
65 | P a g e

The internal auditor integrates the information gathered and uses it to develop audit priorities. Taking into account management requests and work that may be coordinated with the external auditors, the internal auditor establishes the audit work schedule. The schedule includes what activities will be examined during the period, when particular audits will be performed, and the approximate time required for the engagement. Risk Assessment: External Auditing The external auditor uses the risk assessment process to outline the nature, timing, and extent of audit procedures to be performed. Risk assessment begins with the establishment of an acceptably low level of audit risk at the financial statement level. The low level of audit risk at the financial statement level is apportioned to the individual balances and classes of transactions so that when the results of tests at the individual level are combined, the planned low level of audit risk at the financial statement level is achieved. Recall that audit risk at the individual level is composed of inherent risk, control risk, and detection risk. In equation form, the relationship of the four risks is: AR = IR x CR x DR, where AR is audit risk at the individual level; IR is inherent risk; CR is control risk; DR is detection risk. The external auditor sets audit risk at the individual level by considering the previously established audit risk at the financial statement level. The auditor assesses inherent risk by studying the nature of the account or class of transactions and factors suggested by SAS 47 that may impact inherent risk. To assess control risk, the external auditor studies and evaluates the internal control structure. Extensive guidance is provided by SAS 55, "Consideration of the Internal Controls Structure in a Financial Statement Audit" (1988). To determine the nature, timing, and extent of audit procedures that will be performed at the individual level, the external auditor solves the audit risk equation for detection risk: DR = AR/IR x CR A lower level of planned detection risk requires that the external auditor plan the nature, timing, and extent of procedures to achieve a high level of confidence. Conversely, a higher level of planned detection risk allows the external auditor to relax procedures, as the low level of audit risk is achieved through means other than detection procedures.
66 | P a g e

Risk Factors Both internal and external auditing standards suggest factors that should be considered by auditors when assessing risk. For internal auditors, SIAS 9 notes that the number of risk factors evaluated for the purpose of establishing the audit work schedule should be limited. Still, the factors considered should be sufficient to ensure that a comprehensive risk assessment is performed. SIAS 9 suggests general factors, shown in Exhibit 1, that are applied at the organizational level to determine the activities to be selected for audit. Although SAS 47 does not provide the external auditor with a list of factors to study in evaluating risk, SAS 53, which supplies guidance on locating material financial misstatements, fills the void. The factors suggested by SAS 53, shown in Exhibit 2, are to be considered as the external auditor contemplates risk at both the financial statement level and the level of the individual account balance or class of transactions. The SAS's risk factors are grouped into three classifications. The first classification, management characteristics, deals with management decision-making and the business environment that management establishes. The second, operating and industry characteristics, includes factors specific to the particular client within a specific industry. Engagement characteristics, which is the final classification, covers auditor concerns and relations. Risk is the driving force behind auditors' approaches to their work. For internal auditors, risk, when combined with other information, results in an audit work schedule cataloging the activities to be examined. The activities may encompass compliance, operational, or financial aspects of the organization. In contrast to the broad focus of internal audit work, external auditors concentrate on the financial statements and providing an opinion on their fair presentation. Risk is utilized to determine the nature, timing, and extent of procedures to apply in each audit area. Because the purposes and uses of risks by the two auditing disciplines differ, the official definitions of risk offered by the respective professional organizations are disparate. In addition, the processes of assessing risk vary, as do the risk factors to be considered. Although the professional standards for internal and external auditors indicate many differences in risk, one significant aspect is the same: both types of auditors use risk in an attempt to achieve appropriate audit coverage. Utilizing risk in planning the audit assures that the more significant areas are given proportionately more audit resources

THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION

67 | P a g e

CHAPTER-5 Audit Coordination

Chapter-5:

Audit Coordination:
5.1 Effect of the Internal Auditors Work & the Extent of the Effect of the Internal Auditors Work on the External Audit
68 | P a g e

The internal auditors' work may affect the nature, timing, and extent of the audit, including Procedures the auditor performs when obtaining an understanding of the entity's internal control Procedures the auditor performs when assessing risk Substantive procedures the auditor performs Understanding of Internal Control The auditor obtains a sufficient understanding of the design of controls relevant to the audit of financial statements to plan the audit and to determine whether they have been placed in operation. Since a primary objective of many internal audit functions is to review, assess, and monitor controls, the procedures performed by the internal auditors in this area may provide useful information to the auditor. For example, internal auditors may develop a flowchart of a new computerized sales and receivables system. The auditor may review the flowchart to obtain information about the design of the related controls. In addition, the auditor may consider the results of procedures performed by the internal auditors on related controls to obtain information about whether the controls have been placed in operation. Risk Assessment The auditor assesses the risk of material misstatement at both the financial-statement level and the account-balance or class-of-transaction level. Financial-Statement Level At the financial-statement level, the auditor makes an overall assessment of the risk of material misstatement. When making this assessment, the auditor should recognize that certain controls may have a pervasive effect on many financial statement assertions. The control environment and accounting system often have a pervasive effect on a number of account balances and transaction classes and therefore can affect many assertions. The auditor's assessment of risk at the financial-statement level often affects the overall audit strategy. The entity's internal audit function may influence this overall assessment of risk as well as the auditor's resulting decisions concerning the nature, timing, and extent of auditing procedures to be performed. For example, if the internal auditors' plan includes relevant audit work at various locations, the auditor may coordinate work with the internal auditors and reduce the number of the entity's locations at which the auditor would otherwise need to perform auditing procedures. Account-Balance or Class-of-Transaction Level At the account-balance or class-of-transaction level, the auditor performs procedures to obtain and evaluate audit evidence concerning management's assertions. The auditor assesses control risk for each of the significant assertions and performs tests of controls to support assessments below the maximum. When planning and performing tests of controls, the auditor may consider the results of procedures planned or performed by the internal auditors. For example, the internal auditors' scope may include tests of controls for the completeness of accounts payable. The results of internal auditors' tests may provide appropriate information about the effectiveness of controls and change the nature, timing, and extent of testing the auditor would otherwise need to perform. Substantive Procedures
69 | P a g e

Some procedures performed by the internal auditors may provide direct evidence about material misstatements in assertions about specific account balances or classes of transactions. For example, the internal auditors, as part of their work, may confirm certain accounts receivable and observe certain physical inventories. The results of these procedures can provide evidence the auditor may consider in restricting detection risk for the related assertions. Consequently, the auditor may be able to change the timing of the confirmation procedures, the number of accounts receivable to be confirmed, or the number of locations of physical inventories to be observed. Extent of the Effect of the Internal Auditors Work Even though the internal auditors' work may affect the auditor's procedures, the auditor should perform procedures to obtain sufficient appropriate audit evidence to support the auditor's report. Evidence obtained through the auditor's direct personal knowledge, including physical examination, observation, computation, and inspection, is generally more persuasive than information obtained indirectly. The responsibility to report on the financial statements rests solely with the auditor. Unlike the situation in which the auditor uses the work of other independent auditors,6 this responsibility cannot be shared with the internal auditors. Because the auditor has the ultimate responsibility to express an opinion on the financial statements, judgments about assessments of inherent and control risks, the materiality of misstatements, the sufficiency of tests performed, the evaluation of significant accounting estimates, and other matters affecting the auditor's report should always be those of the auditor. In making judgments about the extent of the effect of the internal auditors' work on the auditor's procedures, the auditor considers a. The materialities of financial statement amountsthat is, account balances or classes of transactions. b. The risk (consisting of inherent risk and control risk) of material misstatement of the assertions related to these financial statement amounts. c. The degree of subjectivity involved in the evaluation of the audit evidence gathered in support of the assertions. As the materiality of the financial statement amounts increases and either the risk of material misstatement or the degree of subjectivity increases, the need for the auditor to perform his or her own tests of the assertions increases. As these factors decrease, the need for the auditor to perform his or her own tests of the assertions decreases. For assertions related to material financial statement amounts where the risk of material misstatement or the degree of subjectivity involved in the evaluation of the audit evidence is high, the auditor should perform sufficient procedures to fulfill the responsibilities. In determining these procedures, the auditor gives consideration to the results of work (either tests of controls or substantive tests) performed by internal auditors on those particular assertions. However, for such assertions, the consideration of internal auditors' work cannot alone reduce audit risk to an acceptable level to eliminate the necessity to perform tests of those assertions directly by the auditor. Assertions about the valuation of assets and liabilities involving significant accounting estimates, and about the existence and disclosure of relatedparty transactions, contingencies, uncertainties, and subsequent events, are examples of
70 | P a g e

assertions that might have a high risk of material misstatement or involve a high degree of subjectivity in the evaluation of audit evidence. On the other hand, for certain assertions related to less material financial statement amounts where the risk of material misstatement or the degree of subjectivity involved in the evaluation of the audit evidence is low, the auditor may decide, after considering the circumstances and the results of work (either tests of controls or substantive tests) performed by internal auditors on those particular assertions, that audit risk has been reduced to an acceptable level and that testing of the assertions directly by the auditor may not be necessary. Assertions about the existence of cash, prepaid assets, and fixed-asset additions are examples of assertions that might have a low risk of material misstatement or involve a low degree of subjectivity in the evaluation of audit evidence.

5.2 Coordination of the Audit Work with Internal Auditors

If the work of the internal auditors is expected to have an effect on the auditor's procedures, it may be efficient for the auditor and the internal auditors to coordinate their work by Holding periodic meetings. Scheduling audit work. Providing access to internal auditors' working papers Reviewing audit reports. Discussing possible accounting and auditing issues.

THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION

71 | P a g e

CHAPTER-6 Audit Coordination from the Viewpoint of the Both Auditor

Chapter-6:
6.1 The Coordination from the External Auditors Viewpoint:
Relationship between Internal Auditing and the External Auditor The role of internal auditing is determined by management, and its objectives differ from those of the external auditor who is appointed to report independently on the financial statements. The internal audit function's objectives vary according to management's
72 | P a g e

requirements. The external auditor's primary concern is whether the financial statements are free of material misstatements. 1. Nevertheless some of the means of achieving their respective objectives are often similar and thus certain aspects of internal auditing may be useful in determining the nature, timing and extent of external audit procedures. 2. Internal auditing is part of the entity. Irrespective of the degree of autonomy and objectivity of internal auditing, it cannot achieve the same degree of independence as required of the external auditor when expressing an opinion on the financial statements. The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by any use made of internal auditing. All judgments relating to the audit of the financial statements are those of the external auditor. Understanding and Preliminary Assessment of Internal Auditing The external auditor should obtain a sufficient understanding of internal audit activities to assist in planning the audit and developing an effective audit approach. 1. Effective internal auditing will often allow a modification in the nature and timing, and a reduction in the extent of procedures performed by the external auditor but cannot eliminate them entirely. In some cases, however, having considered the activities of internal auditing, the external auditor may decide that internal auditing will have no effect on external audit procedures. 2. During the course of planning the audit, the external auditor should perform a preliminary assessment of the internal audit function when it appears that internal auditing is relevant to the external audit of the financial statements in specific audit areas. The external auditor's preliminary assessment of the internal audit function will influence the external auditor's judgment about the use which may be made of internal auditing in modifying the nature, timing and extent of external audit procedures. 3. When obtaining an understanding and performing a preliminary assessment of the internal audit function, the important criteria are: a. Organizational Status: specific status of internal auditing in the entity and the effect this has on its ability to be objective. In the ideal situation, internal auditing will report to the highest level of management and be free of any other operating responsibility. Any constraints or restrictions placed on internal auditing by management would need to be carefully considered. In particular, the internal auditors will need to be free to communicate fully with the external auditor. b. Scope of Function: the nature and extent of internal auditing assignments performed. The external auditor would also need to consider whether management acts on internal audit recommendations and how this is evidenced. c. Technical Competence: whether internal auditing is performed by persons having adequate technical training and proficiency as internal auditors. The external auditor may, for example, review the policies for hiring and training the internal auditing staff and their experience and professional qualifications.
73 | P a g e

d. Due Professional Care: whether internal auditing is properly planned, supervised,

reviewed and documented. The existence of adequate audit manuals, work programs and working papers would be considered. Timing of Liaison and Coordination When planning to use the work of internal auditing, the external auditor will need to consider internal auditing tentative plan for the period and discuss it at as early a stage as possible. Where the work of internal auditing is to be a factor in determining the nature, timing and extent of the external auditor's procedures, it is desirable to agree in advance the timing of such work, the extent of audit coverage, test levels and proposed methods of sample selection, documentation of the work performed and review and reporting procedures. Liaison with internal auditing is more effective when meetings are held at appropriate intervals during the period. The external auditor would need to be advised of and have access to relevant internal auditing reports and be kept informed of any significant matter that comes to the internal auditor's attention which may affect the work of the external auditor. Similarly, the external auditor would ordinarily inform the internal auditor of any significant matters which may affect internal auditing. Evaluating and Testing the Work of Internal Auditing When the external auditor intends to use specific work of internal auditing, the external auditor should evaluate and test that work to confirm its adequacy for the external auditor's purposes. The evaluation of specific work of internal auditing involves consideration of the adequacy of the scope of work and related programs and whether the preliminary assessment of the internal auditing remains appropriate. This evaluation may include consideration of whether:
1. a. The work is performed by persons having adequate technical training and proficiency

as internal auditors and the work of assistants is properly supervised, reviewed and documented;
b.

Sufficient appropriate audit evidence is obtained to afford a reasonable basis for the conclusions reached; are consistent with the results of the work performed; and

c. Conclusions reached are appropriate in the circumstances and any reports prepared

d.

Any exceptions or unusual matters disclosed by internal auditing are properly resolved.

The nature, timing and extent of the testing of the specific work of internal auditing will depend on the external auditor's judgment as to the risk and materiality of the area concerned, the preliminary assessment of internal auditing and the evaluation of the specific work by internal auditing. Such tests may include examination of items already examined by
2.

74 | P a g e

internal auditing, examination of other similar items and observation of internal auditing procedures. The external auditor would record conclusions regarding the specific internal auditing work that has been evaluated and tested.
3.

6.2 Coordination from the Internal Auditors Viewpoint:

Although coordination can add value to an organization, many internal auditors struggle with improving their coordination efforts. Following seven steps will help internal auditing departments to start moving in the right direction. Internal audit department should: 1. Take the initiative. 2. Learn professional standards. 3. Dispel myths. 4. 5. 6. Start from the top. Select appropriate targets. Increase communication.

7. Instigate training. 1. Take the Initiative The goal of external auditors is to verify that the company they audit complies with accounting standards. While internal auditors are concerned with accounting rule compliance, their scope is much larger. The IIA s definition of internal auditing illustrates this difference. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. [Emphasis added] The objectives of the internal auditor should be the same as the objectives of the company. Because the internal auditor is concerned with meeting the objectives of the company and not just satisfying accounting standards, the internal auditor should seek to improve the company more than the external auditor does. In the case of coordination, research indicates that internal auditors are not seeking to improve coordination more than external auditors; consequently, internal auditors are missing an additional opportunity to add value to their organization. The internal auditing function needs to reverse this trend and take responsibility for coordinating with the external auditor. The audit committee can encourage coordination by appointing a specific person in the internal auditing department to be in charge of coordinating efforts with the external auditor. Assigning responsibility to an individual will help focus the efforts of the company and make sure that the company continues to work to improve its coordination efforts. In
75 | P a g e

addition, the audit committee will be able to easily follow up and monitor the progress made in coordination efforts. The individual assigned to improve coordination must have authority to examine different ways to coordinate even if at first glance there are no apparent benefits. In addition, the individual should be given sufficient time and resources to convert ideas into actions, otherwise the individual will become frustrated and the entire coordination process will break down. The audit committee may choose to suggest ideas and to request feedback directly from the individual in charge of coordination to make sure the coordination efforts move forward. If companies want to improve coordination levels, the internal auditing function should take the first step. Internal auditors are vital and major stakeholders in the companies they work for, and as such, they can create value through taking the initiative to improve relationships with the external auditor. Professional Standards In order for external auditors to rely on the work performed by internal auditors, the work has to meet standards set by accounting regulators. Statement on Auditing Standard 65 (SAS) explains the evaluation process external auditors must follow before relying on internal auditors work. Specifically, this standard dictates that external auditors must assess the competence and objectivity of the internal auditors. SAS 65 requires auditors to look at seven factors relating to competence, including:

Educational level and professional experience of internal auditors. Professional certification and continuing education. Audit policies, programs, and procedures. Practices regarding assignment of internal auditors. Supervision and review of internal auditors activities. Quality of working-paper documentation, reports, and recommendations. Evaluation of internal auditors performance.

When evaluating the objectivity of internal auditors, external auditors are to search for factors under two general headings:
1. The organizational status of the internal auditor responsible for the internal

audit function. 2. Policies to maintain internal auditors objectivity about the areas audited.
76 | P a g e

The internal auditors must comply with these standards if the external auditor is to rely on the internal auditors work. The IIA encourages the internal auditors to comply with these standards through The International Standards for the Professional Practice of Internal Auditing, which states: The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts. Following this endorsement of coordination, the Standards state that internal auditors should use a systematic and disciplined approach to perform all internal auditing work. Then, in similar language to external auditor standards, the internal auditing standards explain what a systematic and disciplined approach is. The wording is so similar to what external auditors look for that by complying with the IIA standards, the internal auditors will also be complying with external auditing requirements. Internal auditors who understand the internal and the external auditing standards will be able to make sure the work they perform meets the necessary regulatory requirements so the external auditors can rely on their work. Understanding the standards will help to lessen duplicated work and thereby increase efficiencies. Dispel Myths Corporate myths destroy many coordination efforts before they begin. Two particularly damaging myths are the idea that the internal audit staffs do not have the time or the resources to coordinate with the external auditors. In a survey performed by Felix et al. the majority of internal auditors surveyed disagreed with the statements:

Internal audit did not have time available at the end of the year to provide assistance to the external auditors during the financial statement audit. Internal audit did not have resources available to complete work which could be used by the external auditors as part of the financial statement audit.

Most internal auditors recognize that the additional time and money required to perform tasks in a manner that external auditors can rely on is minimal. Often, all that is required is for the internal auditor to consider how external auditors could use test work and to document properly the test work performed so that the external auditor can rely on the internal audit function s work. Working with the external auditors may even increase the time available to the internal audit department. Respondents in organizations with exceptionally high coordination efforts indicated that internal auditors extensively relied on work performed by external auditors. The time savings from relying on work performed by the external auditors can meet or exceed the time
77 | P a g e

spent helping the external auditors perform their duties, resulting in additional time to focus on other areas. Start from the Top Once the internal audit function has decided to take responsibility to improve coordination and has dispelled any myths in its organization, it needs to recruit allies. The most powerful ally the audit committee must be on board to advance coordination significantly. The audit committee can exert a tremendous influence on external auditors; however, they often do not realize the importance of auditor coordination. The internal audit department needs to take the initiative to educate the committee on the benefits of a cooperative working relationship between external and internal auditors. To inform members of the audit committee of the potential benefits to coordination, the internal auditing function should show that coordination increases audit effectiveness for the company and efficiency for the internal auditors. There are several specific benefits that are likely to cause the committee to act.

The audit committee should understand that increased audit coverage through coordination lowers the risk of misstatement and fraud; thus, decreasing the risk of personal and corporate litigation. In addition, improved coordination can enable internal auditors to follow-up more closely on control deficiencies found by the external auditors and increase the rate at which improvements are implemented. By working together, internal and external auditors can exert greater pressure on management to keep them from using over-aggressive accounting principles than each party can exert independently. While not as critical as improving audit quality, cost savings result from coordination. The audit committee should understand the potential cost savings and could be encouraged to ask management to funnel these cost savings back into the internal auditors budget.

Once the audit committee accepts the strategy of coordination, the internal auditors can encourage the audit committee to approach the external auditors with a plan on the potential changes the organization would like to see. If the auditor does not wish to participate, the organization can seek to find an auditor who is willing to work together to provide superior audit effectiveness and greater cost savings for both parties. Select Appropriate Targets Initiating a coordination effort can be an overwhelming process. Identifying potential areas for coordination is usually not the problem; however, limiting the areas to start
78 | P a g e

on usually is a problem. Internal auditors should first focus on targeting areas that will provide the greatest benefits. When deciding where to focus, the internal auditors should consider the Public Company Accounting Oversight Board s (PCAOB) proposed audit standard concerning section 404 of Sarbanes Oxley. This proposed standard separates testing work performed by third parties, including the internal auditor, into three categories.
-

The First Category includes areas where the external auditor cannot rely on any work performed by a third party. Work in this area includes: Controls that are part of the control environment, including controls specifically established to prevent and detect fraud that is reasonably likely to result in material misstatement of the financial statements. Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements (for example, consolidating adjustments, report combinations, and reclassifications). Controls that have a pervasive effect on the financial statements, such as certain information technology general controls on which the operating effectiveness of other controls depend.Walkthroughs.

i.

ii.

iii.

The Second Category in the proposed standard stipulates areas that auditors should only rely on procedures performed by a third party to a limited degree. These areas include: Controls over significant nonroutine and nonsystematic transactions (such as accounts involving significant judgments and estimates). Controls over significant accounts, processes, or disclosures where the auditor has assessed the risk of failure of the controls to operate effectively as high.

i.

ii.

The Third Category includes all other work performed by third parties, and the standard specifies that external auditors can rely on this work without specific limitation.

In order to maximize coordination, the internal audit group should not focus their time on the first category of test work stipulated by this proposed standard. External auditors have to perform the work regarding these areas and the internal audit should rely on the work performed by the external auditors. The internal audit department can focus their work on the third category of tests and thereby reduce the fee charged by the external auditor. If time permits, the internal auditor can also work in some areas of the second category always making sure the external auditor can rely on the
79 | P a g e

work and will not have to duplicate the internal auditors effort. As both groups successfully carry out targeted coordination, duplicated work will be eliminated. In addition, internal auditors will develop more skill in the areas they are auditing and will perform audits that are more effective. By understanding accounting standards and choosing a specific area of focus, internal auditors will improve the auditing process in their companies. Increase Communication Once the internal and the external auditors have agreed to improve coordination, communication becomes critical. The success of the entire effort hinges on the communication level established. Again, the internal auditing department should be proactive and initiate communication on a regular basis. Proper communication encompasses more than meetings. Although formal meetings are important, informal meetings, emails, phone calls, and other forms of communication are necessary to work together on a continuous basis. Often overlooked, communications during the early part of the year and the financial quarter will result in greater external auditor reliance when they perform the audit. Internal auditors should request to meet with key members of the external auditing team early in the financial year to coordinate a yearlong effort. The frequency of communication between internal and external auditors depends upon the size of the organization and the amount of coordination that is currently taking place. Formal meeting times should be established throughout the year where goals can be set and reviewed. In addition, relatively constant communication throughout the year should ensure both parties stay focused on improving the audit coverage in the organization. Instigate Training Research indicates that internal and external auditors differ significantly on their appraisal of internal auditors understanding of the external audit. External auditors do not believe internal auditors understand the work of the external auditor as much as internal auditors believe they understand the work. Whether warranted or not, this perception must be improved before the external auditors will place significant reliance on the internal auditors work. In order to change this perception, internal auditors should seek to follow IIA standards by honing their professional skills. Specifically, the International Standards for the Professional Practice of Internal Auditing states, Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development. Internal auditors can focus efforts to improve their competencies in external auditor methods, vocabulary, and procedures. Training should help educate internal auditors on the vocabulary and the procedures used by external auditors. While many of the procedures are the same, simple differences in vocabulary could account for the external auditors lower perceived understanding levels of the internal audit function. The perceived competence of the internal auditors will grow if internal auditors communicate using the same language as the external auditors. Internal auditors might inquire about the
80 | P a g e

possibility of attending training sessions sponsored by their external auditor. Most large CPA firms provide excellent training to their employees and adding a few internal auditors at several meetings would enable them to learn along with the external auditors. Attending external auditor training would improve the competency of the internal audit staff and increase external auditors confidence in the abilities of the internal auditors. The best way to improve the external auditors perception of the internal auditors competency is by gaining professional certifications. The Certified Internal Auditor (CIA) and Certified Public Accountant (CPA) designations prove that the internal auditor has attained to a high level of professional competency. External auditors will feel more comfortable relying on the work performed by individuals who have demonstrated their professionalism by acquiring professional certifications. Through a focused training effort, companies will increase both the perceived and the actual competency of their internal auditors. As internal auditors communicate with external auditors on their level, the external auditors will be more likely to rely on work performed by the internal auditors resulting in improved audit efficiency and effectiveness.

Neither internal nor external auditors want to duplicate work unnecessarily, waste time needlessly, or spend money fruitlessly. Coordinated efforts are not only encouraged by IIA and AICPA standards; they can also enhance the efficiency and effectiveness of both professional groups. A step to help quicken the restoration of confidence is for internal auditors to improve audit effectiveness and efficiency by coordinating their efforts with external auditors. The passing of the Sarbanes Oxley Act offers an excellent opportunity for internal auditors to improve coordination efforts. The Sarbanes Oxley Act requires companies to disclose more information and to increase the testing to make sure the disseminated information is accurate. Through coordination, the internal auditors can team with external auditors to improve shareholders trust in the information companies release. Seven steps will help the internal auditing department improve coordination efforts: -Taking the initiative, -Learning professional standards, -Dispelling myths, -Starting from the top, -Selecting appropriate targets, -Increasing communication, and -Instigating training. These steps become a cycle of continuous improvement when an organization dedicates itself to improving audit quality. Although individuals will continue to commit fraud, organization can consistently follow these seven steps to improve coordination between internal and external auditors. A coordinated audit approach will improve stakeholders trust in the organization and decrease costs thus adding long-term value to an organization.
81 | P a g e

THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION

82 | P a g e

CHAPTER-7 Why & How to Coordinate?

Chapter-7
Why & How Coordinate?
7.1 The Need for Coordination:
Proper coordination can lead to efficient and effective audits as there is no unnecessary duplication of efforts and auditors can focus on other tasks. With the increasing scandals and frauds, regulators are specifying newer requirements to increase the accuracy of financial reports. In this environment, coordination between auditors is one of the methods by which companies can improve their perceived trustworthiness.
83 | P a g e

Varied strengths increase effectiveness By the nature of their responsibilities, internal auditors spend a lot of time working for the same company. This gives them a better understanding of the culture and working of the organization. They notice things and come across instances, which the external auditor is unable to see during his visits. The external auditors on the other hand have exposure to wider variety of financial issues as they have multiple clients. External auditors may therefore discover and solve issues that internal auditors have not dealt with before. Increase in efficiency Coordination increases efficiency. When the audit is not properly coordinated, external auditors may duplicate work already performed by the internal auditors. This redundancy causes higher audit fees but does not increase the effectiveness of the audit. Similarly, internal auditors may duplicate external auditors work, which results in wasted internal audit time. Coordination increases the probability that the information companies release is accurate. Combined, the synergies realized through improved coordination add value to a companys shareholders. Better audit coverage It is expected that elimination of redundant work will leave time and resources for better audit coverage.

Cost reduction Coordination reduces the time and efforts which the external auditor would expend on redundant work thus, reducing the audit fees. In most cases, the savings from co-ordination are greater than the cost incurred by the internal audit function to perform the work on which the external auditors rely. Better understanding of each others work Coordination would imply that the auditors communicate and consult with each other their plans and findings. This will lead to clearer understanding of respective audit roles and requirements and a better understanding by each group of auditors.
84 | P a g e

7.2 CHALLENGES AND BARRIERS TO EFFECTIVE COORDINATION As with any effort there are challenges which internal audit will face in pursuing effective coordination. Some of these challenges or barriers to effective coordination are as follows Lack of Openness For the coordination effort to bring maximum benefit to the organization there must be a willingness to be open about weaknesses and problems as well as strengths. However due to status and power differences managers may be unwilling to share problems as they may fear how such issues will be perceived. A climate of trust will create the conditions for sharing both strengths and weaknesses (Daft, 2000). Focus on the Entity s Own Needs and Goals In particular, executive Managers, the audit committee and external auditors may be inward looking being focused on their immediate needs and goals and may fail to be interested in coordinating beyond the basic requirements. The challenge is to find innovative ways to change the philosophy, to that of thinking corporate value. Internal audit can overcome this challenge by educating each entity on the potential benefits of coordination and its importance to organizational performance. According to Powell and Yager (2004): A key defining aspect of coordination is how to efficiently bring together two or more diverse groups so their interactions with each other are favorable and outcomes are improved. While internal audit has to encourage management, the external auditors and the audit committee to consider the corporate value to be added through coordination, it must on the other hand, ensure that the it considers all entities in the coordination effort. Effective coordination should result in the enhanced performance of each role, the achievement of organizational goals and objectives and the maximization of the interests of all stakeholders. Unwillingness to Coordinate While the internal audit function can do all in its power to coordinate and facilitate coordination between itself and the other entities discussed it will be a challenge to ensure that the entities coordinate with each other. For various reasons, there may not be commitment to the coordination effort on the part of all the entities involved. As with any effort, which yields value, ensuring coordination will take persistence on the part of the internal audit function. Lack of Commitment from the Board Given the scope of the coordination effort pursued by internal audit, it may require significant changes and as such, commitment from the board is necessary. Internal audit may be unable to get the required support whether budgetary or otherwise to make coordination successful. However, internal audit can overcome this barrier by carrying out a cost benefit analysis to demonstrate that coordination is worth the investment. Once there is commitment from the very top, coordination is more likely to be successful.

85 | P a g e

THE RELATIONSHIP BETWEEN THE WORKINGS OF INTERNAL AUDITOR AND EXTERNAL AUDITOR OF AN ORGANIZATION

86 | P a g e

CHAPTER-8 Responsible Persons & Entities for a Maximum Coordination

Chapter-8:
For ensuring the maximum coordination, The Role of Internal Auditor: Internal auditors should take a proactive role in exploring how the work of internal and external auditors can be coordinated and productively utilized. A full understanding of respective professional responsibilities and concerns can help build a mutually beneficial relationship. INITIATIVES TO MAXIMIZE BENEFITS By combining the advice framed by The IIA and the AICPA, internal auditors can enhance coordination efforts with external auditors and develop a more effective strategy for collaboration. Internal auditors may want to emphasize and initiate action in three key areas: 1. Promoting internal auditor competence and objectivity;
87 | P a g e

2. Working with external auditors to maximize their reliance on internal auditors; and 3. Utilizing to a greater degree the work of external auditors. 1. PROMOTING COMPETENCE AND OBJECTIVITY Maximizing internal auditor competence and objectivity should be a top priority for any organization seeking to enhance the value it receives from its internal and external audits. At least three important benefits will be realized from a competent, objective internal audit staff: a. The staff will produce meaningful audits that significantly contribute to the achievement of organizational objectives in a wide variety of areas. b. External auditors will be able to rely on internal auditors' work, and significant reductions in external audit fees may be possible. c. Internal auditors who are intimately familiar with the organization under review are in an ideal position to provide information about the "business" behind the financial statements. As a result, fewer disagreements may occur between management and the external auditors over the application of accounting principles. Also, this enhanced understanding can lead to more valuable recommendations from the external audit. Such benefits justify a considerable organizational commitment to internal auditor competence and objectivity. The IIA Standards are an excellent source that responsible officials can turn to while developing and implementing programs designed to instill these attributes in internal auditors. Section 100 of the Standards is devoted to auditor independence and Section 200 contains valuable guidance on the acquisition and maintenance of professional proficiency. 2. MAXIMIZING EXTERNAL AUDIT RELIANCE Directors of internal auditing should work aggressively with external auditors to maximize their reliance on internal auditors. Equipped with an understanding of the relevant professional responsibilities of external auditors, directors can clearly demonstrate that their staff members can be used in a wide variety of areas. During this "marketing effort," directors can make external auditors aware of planned internal audit activity that is relevant to the external audit. Internal audit directors can also increase the extent of internal auditor usage by considering the needs of external auditors when they are developing the internal audit programs. Likewise, human resources allocations that enable "direct assistance" by internal auditors encourage the external auditors' reliance. 3. UTILIZING EXTERNAL AUDIT WORK Internal auditors should seek ways to take advantage of their many opportunities to use the work of external auditors to achieve internal audit objectives. This issue should be proactively and creatively
88 | P a g e

addressed during internal audit planning and before the external auditors begin their fieldwork. During the planning process, directors of internal auditing can scrutinize the subset of internal audit activity that is likely to overlap the activities of the external auditors. Areas of greatest opportunity will likely include the planned internal audit activity relating to the organization's financial statements; the internal controls that affect elements of the financial statements; and the accounting information system that ultimately generates the statements. This review of planned internal audit activity can then be combined with a careful study of the projected external audit programs, and an inventory of audit procedures that are relevant to the internal audit agenda can be prepared. Throughout this process, the director should look for situations where the external audit programs could be modified to maximize benefits to the internal audit function while still allowing the external auditors to accomplish their objectives. As long as the external auditors can achieve their goals, nothing in the AICPA standards prevents them from modifying their audit programs to accommodate internal audit requests. A convincing argument on the part of the director of internal auditing is totally appropriate and may result in added benefits for the internal audit staff. TAKING CHARGE The professional rule-making bodies of the internal and external audit professions encourage cooperation in a wide variety of areas. Internal auditors should ensure that this situation works to their advantage. As internal audit roles continue to expand, efficient and informed management of all subsets of their function becomes more and more important. Maximizing the relationship with external auditors can be a vital link in the operation and structure of successful internal auditing. How Internal and External Auditor Activities Overlap Both external and internal auditors are responsible for: * Evaluating the reliability and integrity of financial information. * Evaluating systems established to ensure compliance with laws and regulations impacting the financial statements. * Evaluating methods for safeguarding assets and verifying the existence of assets. Evaluating internal controls affecting the financial statements.
89 | P a g e

Coordination Initiatives Internal auditors can take the following actions - from Section 550 of the IIA Standards - to promote coordination with external auditors: * Call frequent meetings to discuss matters of mutual interest. * Provide reasonable access to the audit programs and workpapers. * Exchange audit reports and management letters. * Obtain an understanding of the audit techniques, methods, and terminology used by the external auditors. * Provide the external auditors with the information they need to properly evaluate internal audit work. * Request information about known or suspected illegal acts, disagreements with management, and other matters that external auditors are required to communicate to the board of directors. * Provide external auditors with management responses to internal audit reports and subsequent internal audit follow-up. * Attempt to use similar audit methods and terminology. Role of External Auditor: External auditors are responsible for expressing an independent objective opinion on the financial statements. Management is responsible for financial reporting and the implementation of all internal controls. With SOA Section 404, external auditors are now restricted to providing attestation of management internal controls report. They are not themselves required to evaluate internal control effectiveness (SOA, 2002). Therefore, it is necessary that the external auditors coordinate with managers and internal auditors. Being convinced that internal audit is sufficiently competent and independent the external auditors can place reliance on internal audit work carried out and as such need to coordinate with them (Engle, 1999). This can greatly assist in the planning and execution of the audit. One of the concerns addressed by SOA was the need for more regular reports of external auditors to the audit committee. Before the act, there was limited communication between external auditors and the audit committee. In some instances, reports on pertinent issues such as changes in accounting methods used, if reported on at all lacked detail (Moeller, 2002). SOA Section 204 now requires that auditors report regularly to the audit committee on accounting policies and practices used, alternative
90 | P a g e

treatments presented to management for consideration and the auditors preferred method (SOA, 2002). Coordination is necessary in this regard, as it would foster compliance to this reporting requirement of SOA by strengthening communication links between the audit committee and external auditors. Role of the Organization itself: Organizations utilize internal and external auditors to achieve several important objectives; but while the roles of internal and external auditors are distinct, their responsibilities overlap in some areas. A comparison of the scope of internal auditing, as defined in Section 300 of the IIA Standards for the Professional Practice of Internal Auditing (Standards), to the professional responsibilities of external auditors under the AICPA's Generally Accepted Auditing Standards (GAAS), dearly demonstrates this common ground. Three of the five major sections that comprise the scope of internal auditing defined in IIA Standards overlap with the responsibilities of external auditors following GAAS. Internal audit derives credibility and authority for its functions directly from its mandate and indirectly by virtue of its close relationships with the chief executive and other senior management of an organisation. Working with External Auditors Experts urge business owners to establish proactive working relationships with external auditors. In order to accomplish this, companies should make sure that they:

Select an auditing firm with expertise in their industry and a proven track record. Establish and maintain efficient recordkeeping systems to ease the task of the auditor. Make sure that owners, executives, and managers know the basics of financial reporting requirements. Establish effective lines of communication and work processes between external auditors and internal auditors (if any). Recognize the value that external auditors can have as an objective reviewer of existing and proposed operational processes. "Managers tend to dismiss auditors as bean counters," Paul Danos, dean of Dartmouth's business school, told Business Week. "However, auditors have seen many businesses and know how they survive, grow, and prosper." Focus on high-risk areas of operations, such as inventory levels Focus on periods of change and expansion, such as transitions to public ownership or expansion into new markets. Build an effective audit committee that can provide cogent financial and operational analysis based on audit results. "Aggressively seek its advice, viewing it as an asset rather than a liability," counseled Beasley, Carcello, and Hermanson. "Enlist the committee's help when you review financial reporting related matters, and provide relevant and reliable data for it to review. The audit committee's effectiveness is restricted by the quality and extent of information it receives. It needs access to
91 | P a g e

reliable financial and nonfinancial information, industry, and other benchmarking data and other comparative information that's prepared on a consistent basis." "Some question whether auditors can take on more of a consulting role and still maintain the independence required to effectively perform their auditing responsibilities," wrote Karen Kroll in Industry Week. She notes that some observers question whether audit firms that fulfill consulting roles might compromise their auditing functions if they become financially dependent on certain clients. Another concern, Kroll notes is that "when auditors also act as consultants, the risk exists that they could end up reviewing a system or process they helped to implement." But other analysts contend that auditing firms are instituting operational practices to ensure that their auditing function remains uncompromised. The Audit Committee:

In a publicly-held company, an audit committee is an operating committee of the Board of Directors, typically charged with oversight of financial reporting and disclosure. Committee members are drawn from members of the Company's board of directors, with a Chairperson selected from among the members. An audit committee of a publicly-traded company in the United States is composed of independent and outside directors referred to as non-executive directors, at least one of which is typically a financial expert.

The Audit Committee Charter Policies and procedures should be established to facilitate communications between audit committee members and auditors, and for evaluating the independence of external auditors. A properly developed audit committee charter should establish appropriate requirements to facilitate communications and evaluations of auditor independence. In summary, the audit committee charter should contain the following:

Key components such as the purpose, authority, and responsibilities of the audit committee. Identification of the operating guidelines of the committee relative to committee composition, meeting frequency and overall guidelines. Relationship with internal and external auditors and management. Requirements for approval of both audit and non-audit services, including the overall internal audit plan.

The audit committee charter should set out guidelines for the duties of the audit committee versus those of the full board. It should be reviewed, at least on an annual basis. By elaborating on the basic duties of the audit committee, the charter serves to help both the full
92 | P a g e

board and committee members understand their obligations and the general boundaries in which they will operate and will ensure compliance with new legal and exchange requirements. A carefully-constructed audit committee charter will:

Delineate responsibilities of the board and those of the audit committee; Cover important areas such as structure, process, and membership; Incorporate new legal and exchange requirements; Assert the committee's authority to hire and fire internal auditors and external advisors to the audit committee; Be regularly refreshed, usually on an annual basis; and Be disclosed to shareholders to promote transparency.

Questions for the Audit Committee How detailed was our planning for our internal control documentation and evaluation? Have any weaknesses been identified? Have we dedicated sufficient resources? What role do our internal auditors play? Are we providing adequate training? How does internal audit report to the audit committee? What is the role of internal audit in evaluating internal control? Have any weaknesses been identified? Traditionally, the role of the Audit Committee has been to oversee, monitor, and advise company management and outside auditors in conducting audits and preparing financial statements, subject to the ultimate authority of the board of directors. But in the wake of highprofile corporate scandals, the new challenge for audit committees will be to fulfill all of the new duties and responsibilities assigned it under legislation and stock exchange rules and to shift to a more proactive oversight role. Audit committees therefore need to ensure accountability on the part of management and internal and external auditors; make certain all groups involved in the financial reporting and internal controls process understand their roles; gain input from the internal auditors, external auditors, and outside experts when needed; and safeguard the overall objectivity of the financial reporting and internal controls process.
93 | P a g e

Sarbanes-Oxley: Major Changes in How Audit Committees Operate Under Sarbanes-Oxley, the relationship between management and outside auditors is largely replaced by one between the Audit Committee and outside auditors. The Audit Committee now is directly responsible for appointment, compensation, retention, and oversight of independent auditors, who report directly to the Audit Committee. In addition, by vesting responsibility and authority for certain audit-related actions in the Audit Committeeto the exclusion of the full board, management, and shareholdersthe Act appears to alter the traditional delegation, under state law, of board power to a committee. The Audit Committee must establish specific procedures for handling complaints received by the company regarding accounting, internal accounting controls, or auditing matters including confidential submission by company employees of concerns regarding questionable accounting or auditing matters. All audit services and permitted non-audit services provided by outside accounting firms must be pre-approved by the Audit Committee, subject to a narrow de minimis exception. All approvals of non-audit services must also be disclosed in the company's periodic reports. Certain non-audit services by firms that perform audits are expressly prohibited.

Auditors are required to provide timely reports to the Audit Committee, including:

All critical accounting policies and practices to be used; All alternative treatments of financial information within generally accepted accounting principles that have been discussed with management, ramifications of the use of such alternative disclosures and treatments, and the treatment preferred by the accounting firm; and Other material such as written communication between the accounting firm and the management of the issue, or any management letter or schedule or unadjusted differences.

Ensure open communication among management, internal auditors, external auditors, and the audit committee. The BRC recommended that the audit committee meet separately with management, internal auditors, and external auditors. The NYSE proposal requires that the audit committee meet separately with all three groups. As stated by the BRC: Since the audit committee is largely dependent on the information provided to it by management, the internal auditor, and the outside auditors, it is imperative that the committee cultivate frank dialogue with each. It is critical that the audit committee meet in private with each group, both on a regular schedule and on an as-needed basis.
94 | P a g e

Eighty-two percent of the audit committees in the study indicated that they met in private with external auditors, 61% with management, and only 46% with internal auditors. This last result may be related to the low percentage of audit committees that took responsibility for overseeing the internal audit function. These findings lend support to the contention that audit committees have underutilized the internal audit resource.

Conclusion
In this twenty first century, opportunities are opening for the internal audit function to be a truly revolutionary function within the organization. It is in a position to add value like never before. Coordination among the audit committee to the board of directors, executive management, external auditors and the internal audit function is yet another chance for the department to demonstrate its true worth to the organization. Despite the challenges, all the entities involved will benefit from coordination. In view of the fact that these entities are the cornerstones of the foundation for building a sound corporate governance structure, the internal audit function should do all in its power to both establish and ensure effective coordination among them, as this would enhance corporate sustainability. According to IIAs recommendations, the ideal situation is when the internal and external auditors meet periodically to discuss common interests; benefit from their complementary skills, areas of expertise, and perspectives; gain understanding of each other's scope of work and methods; discuss audit coverage and scheduling to minimize redundancies; provide access to reports, programs and working papers; and jointly assess areas of risk. In fulfilling its oversight responsibilities for assurance, the board should require coordination of internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process.

95 | P a g e

Bibliography:
Books of References:

A Handbook of Practical Auditing-B.N. Tandon, S. Sudharsanam, S. Sundharabahu Principles of Auditing-Prof. Dr. Khawaja Amjad Saeed. Auditing-Alvin A. Arens, James K. Loebecke.

Websites URL:

http://www.aicpa.org/Audcommctr/guidance_resources/ia_and_audit_cmte/homepage .htm

http://www.aicpa.org/Audcommctr/guidance_resources/ia_and_audit_cmte/15.htm http://www.aicpa.org/Audcommctr/guidance_resources/ia_and_audit_cmte/24.htm http://www.theiia.org/download.cfm?file=1763

96 | P a g e

http://www.carajkumarradukia.com/articles/Coordination%20between %20auditors260707.doc

www.comptrollerofthecurrency.gov/ftp/bb/92-42a.doc www.ci.berkeley.ca.us/.../Auditor/.../AuditCoordinationandReports.pdf www.entrepreneur.com/tradejournals/pub/4153.html www.theiia.org/download.cfm?file=283 www.taxguru.in/audit/role-of-internal-auditor-in-enterprise-wide-risk-managementerm.html

www.theiia.org/guidance/standards-and-guidance/ippf/standards/ www.rustenburg.gov.za/uploads/internal_audit_charter.pdf www.ofm.wa.gov/policy/20.htm www.osbm.state.nc.us/.../LinkBetweenInternalControlandInternalAudit.ppt www.ffiec.gov/.../booklets/audit/audit_02_internal_prog.html www.journalofaccountancy.com/.../HowSarbanesOxleyWillChangeTheAuditProcess www.knowledgeleader.com/.../SRIARebalancing4!OpenDocument&Splash www.rustenburg.gov.za/uploads/internal_audit_charter.pdf www.auditnet.org/process.htm

www.auditing101.com/audit-objectives.html

97 | P a g e