Internal Controls are to be an integral part of any organizations financial procedures

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Internal audit within organization


Internal Controls are to be an integral part of any organization's financial and business policies and procedures. Internal controls consists of all the measures taken by the organization for the purpose of;

(1) protecting its resources against waste, fraud, and inefficiency;

(2) ensuring accuracy and reliability in accounting and operating data

(3) securing compliance with the policies of the organization; and

(4) evaluating the level of performance in all organizational units of the organization. Internal controls are simply good business practices

The Role of Materiality in Meeting Audit Objectives

The objective of an internal audit is to form an opinion as to whether control systems provide managers with reasonable assurance that desired business outcomes will be achieved. To reach this conclusion, the auditor has to consider the issue of materiality. An effective control system should prevent, or detect and correct, "material" errors, omissions, fraud or other adversities that impact on achieving desired business outcomes.

The Internal Auditor's Role in Management Reporting on Internal Control, a research report published by the Research Foundation of the Institute of Internal Auditors, defines materiality as "any condition that has caused, or is likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization".

According to the research report, the control processes for identifying material weaknesses are working if, during the course of routine operations, the control system successfully identifies and addresses:

Audit program

An institution's internal audit program consists of the policies and procedures that govern its internal audit functions, including risk-based auditing programs and outsourced internal audit work, if applicable. While smaller institutions' audit programs may not require the formality of those found in larger, more complex institutions, all audit programs should include

A mission statement or audit charter outlining the purpose, objectives, organization, authorities, and responsibilities of the internal auditor, audit staff, audit management, and the audit committee. risk assessment process to describe and analyze the risks inherent in a given line of business. Auditors should update the risk assessment at least annually, or more frequently if necessary, to reflect changes to internal control or work processes, and to incorporate new lines of business. The level of risk should be one of the most significant factors considered when determining the frequency of audits.

An audit plan detailing internal audit's budgeting and planning processes. The plan should describe audit goals, schedules, staffing needs, and reporting. The audit plan should cover at least 12 months and should be defined by combining the results of the risk assessment and the resources required to yield the timing and frequency of planned internal audits. The audit committee should formally approve the audit plan annually, or review it annually in the case of multi-year audit plans. The internal auditors should report the status of planned versus actual audits, and any changes to the annual audit plan, to the audit committee for its approval on a periodic basis.

An audit cycle that identifies the frequency of audits.

Auditors usually determine the frequency by performing a risk assessment, as noted above, of areas to be audited. While staff and time availability may influence the audit cycle, they should not be overriding factors in reducing the frequency of audits for high-risk areas. Audit work programs that set out for each audit area the required scope and resources, including the selection of audit procedures, the extent of testing, and the basis for conclusions. Well-planned, properly structured audit programs are essential to strong risk management and to the development of comprehensive internal control systems.

Written audit reports informing the board and management of individual department or division compliance with policies and procedures. These reports should state whether operating processes and internal controls are effective, and describe deficiencies as well as suggested corrective actions. The audit manager should consider implementing an audit rating system (for example, satisfactory, needs improvement, unsatisfactory) approved by the audit committee. The rating system facilitates conveying to the board a consistent and concise assessment of the net risk posed by the area or function audited. All written audit reports should reflect the assigned rating for the areas audited.

Requirements for audit work paper documentation to ensure clear support for all audit findings and work performed, including work paper retention policies. Follow-up processes that require internal auditors to determine the disposition of any agreed-upon actions to correct significant deficiencies. Professional development programs to be in place for the institution's audit staff to maintain the necessary technical expertise

Audit planning

Initial audit planning takes place before the detailed audit work begins, and in planning for a specific audit assignment an auditor must adopt a strategy with regard to the nature, timing and extent of the audit work to be carried out. The objectives of the plan are to ensure that:

· appropriate attention is devoted to the different areas of the audit;

· potential problems are identified;

· audit review is facilitated.

The above points may seem obvious, however, without a structured and developed audit plan it is probable that (although the objectives may be met) audit resources will not be used efficiently. For example, the adoption of an audit approach where equal prominence is placed on all areas of the accounts of an entity, would almost certainly not be as efficient as a risk based approach.

The detailed audit work is commonly carried out by a team of audit staff with varying degrees of skill and experience. It is therefore imperative at the planning stage that careful consideration is given to the assignment of work to the members of the team so that individuals are not required to carry out audit tasks which are beyond their level of competence. Similarly, at the planning stage, due consideration should be given to the co-ordination of work to be carried out by experts or other auditors if appropriate.

Whilst the plan for each audit assignment is unique most audit firms adopt a common method of approach on each assignment with standard documentation and check lists to ensure a comprehensive audit plan. In formulating a documented plan the following matters need to be considered:

· Knowledge of the entity's business;

· Risk and materiality;

· Nature, timing and extent of audit procedures;

· Co-ordination, direction, supervision and review of the audit.

Detailed notes on each of the above matters are outside the scope of this article, but I would recommend that students should carry out further reading to ensure that they have an understanding of them.

An audit plan should be viewed as a structured plan of action mapping out the audit procedures to be carried out with the aim of reporting on whether a specified set of accounts show a true and fair view. However, the fact that the audit assignment is the commercial activity of the audit firm should be recognised, and if the costs of carrying out the planned procedures are likely to exceed the client entity's budgeted fee then this imbalance should be addressed at the planning stage by consultation with the management of the entity.

By its very nature the plan must be flexible and subject to change, dependent on the findings and events occurring during the audit process. Examples of findings or events which might lead to a revision to an audit plan include:

· Significant errors found in the processing of invoices through a sales accounting system. This could lead to a revision of the extent of testing and audit resources to be applied to the sales area of the accounts.

· Notification from the management of an entity that audited accounts are required at a date earlier than previously notified. This could lead to revision of the timing of audit procedures with a consequent increase in audit resources being allocated to the assignment.

· The revelation during the audit of the bank and cash area, of the existence of an additional bank account held by the entity but not previously notified to the auditor. This would lead to additional audit procedures being carried out in this area.



Control of the internal audit unit and of individual assignments is needed to ensure that internal audit objectives are achieved and work is performed effectively. The most important elements of control are the direction and supervision of the internal audit staff and review of their work. This will be assisted by an established audit approach and standard documentation. The degree of control and supervision required depends on the complexity of assignments and the experience and proficiency of the internal audit staff.


The head of internal audit should establish arrangements:

a.      to allocate internal audit assignments according to the level of and proficiency of internal audit staff;

b.      to ensure that internal auditors clearly understand the responsibilities and internal audit objectives;

c.      to communicate the scope of work to be performed and agree the programme of work with each internal auditor;

d.      to provide and document evidence of adequate supervision, review and guidance during the internal audit assignment;

e.      to ensure that adequate working papers are prepared to support internal audit findings and conclusions; and

f.        to ensure that internal audit's performance is in accordance with the internal audit plan or that any significant variations have been explained.

The head of internal audit should establish arrangements to evaluate the performance of the internal audit unit. He may also prepare an annual report to management on the activities of the internal audit unit in which he gives an assessment of how effectively the objectives of the function have been met.

 How Can We Assess the Effectiveness of the Internal Control System?

When looking at any one of the three primary business objectives, all five components of the control system must be present and functioning effectively in order to conclude that internal controls over operations are effective.

While internal control is a process, its effectiveness is a state or condition of the process at a fixed point in time. When an internal control system meets the following standard, it can be deemed "effective":

"Internal Control can be judged effective for each of the three business objectives if management have reasonable assurance that they understand the extent to which the organization's objectives are being met; financial and management reports are being prepared reliably; and applicable laws and regulations are being complied with."



Internal audit work should be properly recorded because:

a.   the head of internal audit needs to be able to ensure that work delegated to staff has been properly performed. He can generally do this only by reference to detailed working papers prepared by the internal audit staff who performed the work;

b.  working papers provide, for future reference, evidence of work performed, details of problems encountered and conclusions drawn; and

c.   the preparation of working papers encourages each internal auditor to adopt a methodical approach to his work.

The head of internal audit should specify the required standard of internal audit documentation and working papers and ensure that those standards are maintained.

Internal audit working papers should always be sufficiently complete and detailed to enable an experienced internal auditor with no previous connection with the internal audit assignment subsequently to ascertain from them what work was performed and to support the conclusions reached. Working papers should be prepared as the internal audit assignment proceeds so that critical details are not omitted and problems not overlooked. These should be reviewed by internal audit management.

Internal audit functions in an organization?

Internal audit is one of the internal control procedures that are to be followed by the various departments and employees of the organization. The objectives and scope of internal audit cover the following:

Verification of compliance with established policies.

-Verification of the effective operation of established systems and other controls.

-Verification of both fixed and current assets of the organization.

-Based on the above findings, suggest improvements in the system controls in order to plug the loopholes.

An internal audit manual indicating the scope of verification of each functional area within the organization is necessary so that the responsibility entrusted to the internal audit department is clear to the functional departments and external auditors also. Whether the controls as aforesaid are operating normally without breakdown of any system is to be observed by internal auditor. In judging the adequacy or otherwise of the internal audit functions, the following aspects need to be taken into consideration:

Qualifications and experience of the internal audit staff.

- The level of the head of the department in relation to other departmental heads.

- The scope of internal audit is incorporated in the internal audit manual and its adequacy to the needs of the organization.

- Adequacy and competency of staff employed in the internal audit department.

- The frequency of reports issued to the departments and the following up till final recommendations are sent to the Chief Executive or Audit Committee.

- The coverage of internal audit in all areas as mentioned in the internal audit manual.

- Objectivity of the reports issued and the promptness with which the action taken by the company on such reports.

The cost auditor should go through the financial auditor's observations before finalizing this item. Where there is no internal audit system in the company the cost auditor should advise for instituting internal audit considering the size, etc, of the organization. Thus in order to comment on the scope and performance of internal audit the statutory cost auditor should review the work of the internal auditor with special references to his competence, objectivity and work performance. The following questionnaire will enable the cost auditor to evaluate the work of the internal auditor as well as the internal audit departmen

- What is the organizational step-up of the departments?

- Is the staff employed in the department adequate?

- Are the qualifications of staffs adequate?

- Is the staff competent?

- Is the staff independent?

- To whom do they report frequently and with what effect?

- Is there any internal audit manual?

- Is a program of internal audit drawn up before the commencement of the financial year?

Does the program cover the audit of all the important transactions and records of the company including statutory cost accounting records?

- Is the scope of the internal audit wide enough to extend to areas such as management audit, operational audit and the system analysis?

- What is the system of reporting irregularities noticed during internal audit?

- Is prompt corrective action taken by the management on the basis of internal audit reports?

- Is there much duplication of work between the statutory audit and internal audit?

The cost auditor has to study and comment on the capacity utilization. While ascertaining such capacity it may be observed that due to bottleneck in some of the departments the production is suffering. The cost auditor should point out the matter to the company and obtain explanations from the management. He then will be in a position to suggest for improvement by rectification of general imbalance in production facilities. In a particular industry it may be observed that packing is the bottleneck. If more labour or improved machinery is available in the packing department the production can be increased to a great extent to cope with the demand.

Productivity is an index of efficiency showing the effectiveness of individual or combined factors used in producing goods or services. Men, machines, capital, power and services all contribute to productivity and the extent to which each does so may be ascertained by the ratio of output to input of each individual factor. Thus the factoral productivities such as labour productivity, material productivity, etc.. should be ascertained by the cost auditor. He should then evaluate the performance of men, machines or other services and compare the present productivity with the productivity of previous year. He will be in a position to suggest for improvement in performance by concentrating on areas offering scope for increased productivity.

The cost auditor should discuss with the management of the company to ascertain the key or limiting factors which may be one or more of the following:

Evaluation of the internal control system

The internal auditor should identify and evaluate the organisation's internal control system as a basis for reporting upon its adequacy and effectiveness

. Controls, whether they relate to financial or operational areas, ensure that processes act to meet the system 's objectives.


The main objectives of the internal control system are:

a.      to ensure adherence to management policies and directives in order to achieve efficiently and economically the organisation 's objectives;

b.      to safeguard assets;

c.      to secure the relevance, reliability and integrity of information, so ensuring as far as possible the completeness and accuracy of records; and

d.      to ensure compliance with statutory requirements.

61. When evaluating internal control systems the internal auditor should consider the effect which all the controls have on each other and on related systems.


As part of the planning process the internal auditor should identify the whole range of systems within the organisation. For those systems to be examined, the internal auditor should establish appropriate criteria to determine whether the controls are adequate and assist in achieving the objectives of the system. The stages of a systems audit would normally be:

a.      to identify the system parameters;

b.      to determine the control objectives;

c.      to identify expected controls to meet control objectives;

d.      to review the system against expected controls;

e.      to appraise the controls designed into the system against control objectives:;

f.        to test the actual controls for effectiveness against control objectives;

g.      to test the operation of controls in practice; and

h.      to give an opinion based on audit objectives as to whether the system provides an adequate basis for effective control and whether it is properly operated in practice.

Internal audit Committee Composition, and Interaction with Internal Auditing

This study examines the association between audit committee composition and the committee's interaction with internal auditing. Our results, based on responses from chief internal auditors of 114 public companies, indicate that committees comprised solely of independent directors and with at least one member having an accounting or finance background are more likely to (1) have longer meetings with the chief internal auditor; (2) provide private access to the chief internal auditor; and (3) review internal audit proposals and results of internal auditing. These findings provide empirical support for the BRC's recommendations related to audit committee composition.


Everyone within the Haleeb foods has some role in internal controls. The roles vary depending upon the level of responsibility and the nature of involvement by the individual. The Haleeb foods Board of Directors, Chief executive officer and senior executives establish the presence of integrity, ethics, competence and a positive control environment.

The directors and department heads have oversight responsibility for internal controls within their units. Managers and supervisory personnel are responsible for executing control policies and procedures at the detail level within their specific unit. Each individual within a unit is to be cognizant of proper internal control procedures associated with their specific job responsibilities.

The Internal Audit role is to examine the adequacy and effectiveness of the Haleeb foods controls and make recommendations where control improvements are needed. Since Internal Auditing is to remain independent and objective, the Internal Audit Office does not have the primary responsibility for establishing or maintaining internal controls. However, the effectiveness of the internal controls are enhanced through the reviews performed and recommendations made by Internal Auditing.

Elements of Internal Control

Internal control systems operate at different levels of effectiveness. Determining whether a particular internal control system is effective is a judgments resulting from an assessment of whether the five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring - are present and functioning. Effective controls provide reasonable assurance regarding the accomplishment of established objectives.

Control Environment

The control environment, as established by the organization's administration, sets the tone of an institution and influences the control consciousness of its people. Leaders of each department, area or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include:

· Integrity and ethical values;

· The commitment to competence;

· Leadership philosophy and operating style;

· The way management assigns authority and responsibility, and organizes and develops its people;

· Policies and procedures.

Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economics, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

Objectives must be established before administrators can identify and take necessary steps to manage risks. Operations objectives relate to effectiveness and efficiency of the operations, including performance and financial goals and safeguarding resources against loss. Financial reporting objectives pertain to the preparation of reliable published financial statements, including prevention of fraudulent financial reporting. Compliance objectives pertain to laws and regulations which establish minimum standards of behavior.

The process of identifying and analyzing risk is an ongoing process and is a critical component of an effective internal control system. Attention must be focused on risks at all levels and necessary actions must be taken to manage.

Risks can pertain to internal and external factors. After risks have been identified they must be evaluated. Managing change requires a constant assessment of risk and the impact on internal controls. Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions.

Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the Haleebfoods objectives. Control activities occur throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Control activities usually involve two elements: a policy establishing what should be done and procedures to affect the policy. All policies must be implemented thoughtfully, conscientiously and consistently.