INTERNAL

AUDIT

Introduction
Recent

events including global financial crises have

emphasised need for internal auditing within corporate
governance structures

Internal

audit function is now mandatory by most stock

exchanges

Donors

increasingly demand improved accountability

& financial transparency in development projects

Furthermore,

internal audit is considered good

practice & advisable as part of underlying control
framework & financial management capacity of a project,
particularly if complex &/ or decentralised

Definition
Internal

auditing

is

an

independent,

objective assurance and consulting activity

designed to
organization's

add value

and improve

operations.

It

helps

an
an

organisation accomplish its objectives by

bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of
risk management, control, and governance
processes.
The Institute of Internal Auditors

IA Code of Ethics
Principles
Internal auditors are expected to apply & uphold the following
principles:

Integrity

Objectivit
y

The
integrity
of
internal
auditors
establishes trust & so provides the basis
for reliance on their judgment
Internal auditors exhibit the highest
professional objectivity in gathering,
evaluating
&
communicating
information. Internal auditors make a
balanced assessment of all relevant
circumstances & are not unduly
influenced by their own interests or
others in forming judgments
4

Confidenti
ality

Compete
ncy

Internal auditors respect the value

and ownership of information they
receive
&
do
not
disclose
information without appropriate
authority unless there is a legal or
professional obligation to do so

Internal auditors apply knowledge, skills, & experience

needed

What is Internal Audit?

Internal Audit is a professional activity which helps organisations to
achieve their stated objectives by:

Analyzing key processes, procedures & operations

Identifying key controls in each such operation, procedure &

process
Evaluating the adequacy of these controls

Testing compliance of sample transactions against these controls

Reporting results of the evaluation of controls and compliance

testing of transactions

Recommending stronger controls wherever necessary

Suggesting methods to improve compliance with key controls

Follow up of action taken on recommendations made in previous

reports
6

What are Internal Controls?

Internal Controls are important checks instituted by management to
have reasonable assurance that:

Operations are carried out in an efficient & effective

manner

Transactions are recorded accurately & completely

Assets are properly recorded & safeguarded

Laws are complied with

Reliable reports are generated

Some examples of Internal Control

Budgetary Control
Budgetary Control
Fixed Assets Register
Fixed Assets Register
Bank & Special Account Reconciliations
Bank & Special Account Reconciliations
Reconciliation of Financial & Physical M & E Reports
Reconciliation of Financial & Physical M & E Reports

How are Internal Audit & External Audit different?

Internal audit is focused at internal management support and
improving systems, procedures and processes

External audit (EA): normally statutory requirement, unlike internal

audit (IA)

EA reports are addressed to stakeholders: IA reports are addressed

to Management

EA reports express an opinion on the financial statements prepared

by the entity for a specified period: IA reports evaluate and check
compliance against key internal controls

EA reports are usually public documents which are available to all

stakeholders. IA reports are for use only by Management

EA reports do not make recommendations, although may have a

Management Letter: IA reports are incomplete without

EA is basically a review of financial statements for compliance: IA

seeks to ensure value for money to Management
9

Benefits of IA

External audit checks overall compliance

controls related to financial transactions.

Supervision Missions conduct only spot checks.

Internal audit is inherent in government structures in most

developing countries.

Sample IA Terms of Reference enclosed

IA has a key role in Risk management of IFAD Projects

to

internal

10

Internal Audit (IA) Mandate

Compliance & Advisory
roles
What does it do?

Primary role in improving internal control, accuracy,

reliability & integrity of information including financial &
operational reporting

Monitoring & evaluation

management processes

Role in corporate oversight, safeguarding of assets,

economical & efficient use of resources, compliance with
laws & regulations, deterring fraud

of

effectiveness

of

risk

What does it not do?

Perform management activities/ responsibilities (these

include establishing internal controls)
11

Internal Control Practices

How?
Internal control is a process. It's a means to an
end, not an end in itself
Internal control is effected by people as a team,
not by internal auditor. It's not merely policy
manuals & forms, but people at every level of an
organization
Internal control can be expected to provide only
reasonable assurance, not absolute assurance,
to an entity's management and governing bodies/
committees
Uses systematic methodology for analysing
business processes, procedures & activities
The cost of IA should not exceed expected
benefits to be derived
12

Role in Internal Control

1. Compliance audit: review of financial & operating
controls & transactions for conformity with laws,
regulations & procedures, e.g.,

.
.
.
.
.
.

Access to IT system appropriate to users role

Segregation of duties in high risk areas
Balancing & reconciliation between systems
Systems back up & recovery
Physical safeguard & access restriction controls
Reconciliations, comparison budget of actual

2. Operational audit: review of various functions within

project to evaluate efficiency, effectiveness, & economy

13

IA Role in Corporate Oversight

Four pillars internal audit, executive management, external

audit, & Board of directors/ steering committee

Combination of processes & organisational structures

implemented by management to inform, direct, manage and
monitor the projects resources, strategies & policies towards the
achievement of its objectives

Public sector governance Principles

- transparency, integrity, accountability
May include review of sufficiency of human resources,
training needs, policies, etc.

14

Nature of Internal Audit Activity

Establish scope & activities for audit to Management

Identify control procedures used to ensure each key risk is

properly controlled & monitored

Develop & execute risk based sampling & testing approach

to determine whether most important controls are operating as
intended (NB: input from Management required e.g. 100%
sampling of WA review)

Report issues/make recommendations/negotiate action

plans with Management to address issues

Follow up on reported findings periodically

Describe key risks facing the business activities within scope of

audit

15

Contents of Audit Plan

Updated annually

Risk based audit plan developed with input from project

staff including Management

Summary of key goals, risks & corresponding major audits, to

illustrate alignment

Based on risk assessment & available resources

Appendix materials, such as planning approach, assumptions &

brief descriptions of all planned audits & related prioritization

Approved by management/ appropriate oversight Committee

16

Contents of Audit Report

Observations

Narration/ description

Remedial action

Consequences/ fall out

Recommendation for improvement (prioritized

between high and normal)

Response (action plan) who, when and how

17

IAs Proactive Role

Identify Risks
Find Better Ways and Best Practices
Partner With Management to Find Solutions
Prevent Problems
Provide training
Respond to policy & technical accounting questions
Offer suggestions for improvement
Advisory role

18

The Audit Schedule

Prepare an audit schedule. Each area
must be audited at least one a year,
but for an effective program plan on
auditing each area at least twice.

Audit Steps
Internal audit steps:
Create audit schedule
Complete audit plan
Hold opening meeting
Conduct audit
Document Findings
Prepare audit report
Hold closing meeting
Prepare audit file
Follow up

Performing the Audit

After the opening meeting you will

start your audit.

Using your checklists and procedures as

references, go out to observe the process
and talk to people in the department
You are looking for evidence that the
Company Safety Management System is
working effectively
An effective audit will depend on your ability
to put people at ease and encourage open
honest communication

Key Auditor Attributes

Communication skills
Tactful
Ability to listen
Reword questions when needed
Use local terminology

Objective
Flexible
Persistent
Curious

Techniques

The auditee may be stressed

Smile, relax
Point out good things that you see
Summarize with Everything looks
good here when you can
As the auditor, you are creating the
audit culture for your organization

Techniques

Use open ended questions, they

provide more information. Ask
What
Where
Why
Who
When

Ask for clarification or more

information if you do not understand.

Techniques

Keep people informed of what you

are finding
Point out nonconformances as you go
Make sure the auditee understands
what you see as the nonconformance
There should not be surprises at the
closing meeting when you present
your findings

Performing the Audit

As an auditor you will:
Check documents and records
Ask questions
Observe processes and compare them
with documented procedures and work
instructions
Investigate any differences
Follow audit trails, be curious
Take good notes

Performing the Audit

Throughout the audit, you will take
detailed notes on what you find.
Be specific on what is reviewed and what is
found
The information you write down will be used to
identify nonconformance and to assist the
department in finding and understanding what
you observed

Documenting the Audit

Once you complete your audit, you will

prepare an audit report.

The report will also include:

General information
Documents reviewed
Persons interviewed
General summary and assessment of

how the system is performing

Documenting the Audit

When
your
documentation
is
complete you will be ready to hold
your closing meeting. The lead
auditor will lead the meeting.
Thank the group for their cooperation
Remind them that this is an evaluation
of the processes not the people

The Closing Meeting

Summarize the findings
Highlight areas that are working well
Review each of the nonconformances, allow
questions and discuss the finding to make sure that
the group understands the non conformances
Discuss any corrective actions that you followed up
on that were not found to be effective
Have the group sign the audit report as a record of
attendance
Give a copy of the table of nonconformances to the
area management

The Audit File

Final audit file includes:
Audit plan
Audit checklists
Audit report