This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
The development of Internal Audit cannot be truly elaborated without a brief reference to traditional accounting and auditing.
The modern accounting era dates from 1494, when Luca Pacioli advanced the double entry system of book keeping and associated accounting principles in his book on accounting and auditing (Macve, 1996, p 7). Auditing is also an old profession, with its use being recorded even in Greek and Roman times. The existence of a rudimentary form of internal auditing is evident in English Middle Ages records, which detail that lords of English Manor houses supervised the internal audit function for their estates (Macve, 1996, p 7). Whilst the earliest external audit took place in 1720 in the UK after the collapse of the South Sea Company, the need for both internal and external auditors increased after the onset of the Industrial Revolution in England in the 18th century (Flesher 1993, p 38). The growth of private companies and the separation of ownership from management in these organisations during this period resulted in the need for specialised auditors to examine the operations and books of these companies and report to shareholders (Flesher 1993, p 38). The formation of the Institute of Chartered Accountants in England and Wales in 1880 led to significant growth in the auditing profession and to the export of auditing concepts and techniques from the UK to the USA (Flesher 1993, p 38).
The audits of the closing years of the 19th century and the early years of the 20th century were by and large devoted to book keeping accuracy, examination of vouchers and verification of footings (Macve, 1996, p 7). With banking finance for corporations coming into play in the 1910s, auditors became more concerned with balance sheet quality and valuation of assets, rather than with clerical accuracy (Macve, 1996, p 9).
The progressive development of the external audit profession was accompanied by a similar evolution in the area of internal auditing (Flesher 1993, p 38). Whilst accounting text books in the 18th century do not refer to internal auditing or control, the US congress approved the job of an auditor to examine and certify public balances. US rail road companies were the first employers of internal auditors. Known as travelling auditors they were required to visit ticketing agents and examine the appropriateness and validity of all financial transactions (Flesher 1993, p 38). Krupp, the well known German industrial organisation employed internal auditors as early as 1875. Their job was described thus in a company audit manual (Flesher 1993, p 38).
"The auditors are to determine whether laws, contracts, policies and procedures have been properly observed and if all business transactions were conducted in accordance with established policies and with success." (Cangemi & Singleton, 2003, p 10)
Whilst the origin of internal auditing goes back to the 19th century, substantial expansion of the function took place only after the closure of the First World War and the growth of large business corporations (Cangemi & Singleton, 2003, p 11). With managements having to employ thousands of people and conduct operations in different locations, incorrectly maintained accounting records and defalcations became major problems. Traditional forms of public audit were rendered inadequate for purposes of internal control and internal auditors came to be appointed for protection of assets and deter wrong doing by other employees (Cangemi & Singleton, 2003, p 11).
Internal auditors, until the 1940s, however performed essentially clerical functions without any established standards of conduct, their main objective being the early discovery of fraud. The publication of Victor Brink's book on Internal Auditing in 1941 and the formation of the Institute of Internal Auditors in the same year resulted in a sea change in the profession (Pickett, 2010, p 316). The movement to a war economy also resulted in significant expansion of the scope of internal audit. With management becoming concerned with optimisation of operations and savings in cost, internal auditors started assisting managements in various ways (Pickett, 2010, p 316).
The post Second World War era experienced significant increase in the importance of internal audit and its evolution into an essential element of the corporate governance function. Internal audit activity has over the years progressed from being a fraud detection effort to a vital element of risk assessment, internal control and corporate governance (Pickett, 2010, p 318). The enactment of the Sarbanes Oxley Act in 2002 has resulted in intense focus on the function and to its wider use as a critical tool for compliance, internal control and operational improvement (Pickett, 2010, p 318).
Section 2: Importance of Internal Audit
Internal audit (IA) has grown over the decades into a critical and strategically important organisational function. The IIA (The Institute of Internal Auditors) describes internal auditing as under:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." (Pickett, 2010, p 313)
Internal audit, as was briefly explained in the earlier section, is important to the functioning of organisations, because of its preventive and detective role in occurrence of fraud, as well as in maintenance of internal control in a range of operational and fiduciary areas (Archambeault, et al, 2008, p 376). The business world is experiencing fundamental changes that have serious implications. The impact of globalisation, privatisation, instantaneous communication and border less trade have pushed internal audit to the forefront of business management. IA has accordingly grown considerably in importance over the past decade (Archambeault, et al, 2008, p 376). Alignment of rapidly changing information technology plans with current business processes requires efficient monitoring for prevention of adverse future consequences. Such changes have altered the conventional and well defined role of internal audit with regard to compliance and control and have made it more inclusive. Internal auditors are now required to move beyond their traditional roles and assume new value based agendas that cover broad business spectrums (Archambeault, et al, 2008, p 378). The significance of internal audit has intensified because the rapidity of ongoing fundamental change in organisational working is substantially influenced by alteration in information technology compliance in functioning processes.
It is now widely accepted that IA can and should play an enabling and empowering role in helping the senior managements, especially the boards of business firms, to effectively discharge their governance responsibilities (Bradford, 2008, p 2). Corporate governance represents a combination of organisational structures and processes that are set up by the board to monitor, inform, direct, and manage organisational resources, strategies and policies for the achievement of the organisational objectives (Reding, et al, 2009, p 24). Internal audit plays a key role in intensifying management focus on opportunities to strengthen controls and improve risk management. Most responsibilities for corporate governance rest with the senior managements of business firms. Members of the BOD as well as all other senior managers, need to be aware of ethics, risk management, internal controls, policies and compliance with rules, regulations and laws in order to contribute to organisational well being and growth (Reding, et al, 2009, p 24).
IA can help managers in fulfilling their governance responsibilities by providing them with accurate, well investigated, and multiple perspective information on important corporate management issues (Pickett, 2010, p 318). The senior managements of business organisations, their audit committees and their executive managements look towards internal audit for balanced focus between business improvement and control. Studies reveal that business improvement is progressively becoming an important expectation of internal audit and the trend is expected to increase in future with the development of more challenging business conditions (Pickett, 2010, p 318). Internal audit is developing into an extremely important tool for corporate governance. It provides traditional monitoring activities for important risks and control, examination, analysis and reporting of deficiencies in internal control and in monitoring the resolution and rectification of identified deficiencies (Pickett, 2010, p 319).
The role of internal auditing has assumed significant prominence and is now being closely scrutinised by regulators, shareholders, management and media. Much of the credit for such evolution lies with developments in the area of financial reporting (Bradford, 2008, p 2). The watershed moment for such metamorphosis appears to have occurred in the early 2000s when an internal auditor acted as whistle blower for her company's accounting misdeeds and was subsequently named as one of the persons of the year by Time Magazine in 2002 for her act of integrity and courage. Her actions along with associated events resulted in the enactment of the Sarbanes Oxley Act and a movement for improvement in corporate governance and internal control (Pickett, 2010, p 320).
3. Objective and Scope of Internal Audit
Internal audit is essentially an independent assessment and appraisal function that is established by organisational managements for review and monitoring of various internal controls in different operational, fiduciary and treasury areas (Michelman & Waldrup, 2008, p 31). Internal audit examines, assesses, and reports on the sufficiency of internal controls and thereby contributes to the appropriate, efficient, and economic use of organisational resources. Internal auditing aims to help various organisational members in effectively discharging their responsibilities (Michelman & Waldrup, 2008, p 31). The IA function, to achieve such objectives, provides such organisational members with a range of services, including assessment, analysis, information, recommendations and counselling on the various activities and functions under review. Internal audit aims to promote effective organisational control at reasonable costs. It essentially aims to assist members of the board and different levels of management in ensuring appropriate and high levels of corporate governance (Michelman & Waldrup, 2008, p 31).
Internal auditors need to determine the levels of harmony and consonance between existing control systems and organisational structures. They need to ensure that existing controls for operating functions also act as measures for effective cost control (Chorafas, 2001, p 16). Internal auditors are required to review each of the existing controls and thereafter analyse them in terms of utility, benefits and costs. They need to assess and review the integrity and reliability of the various types of financial and operating information prepared by different organisational departments, managers and employees, as well as the ways and means employed for the measurement, classification and reporting of such information (Chorafas, 2001, p 16).
Internal auditors are expected to examine, assess and review existing organisational systems with regard to their effectiveness in compliance with the plans, policies, procedures, regulations and laws that could significantly impact operations and reports (Rae, et al, 2008, p 11). Whilst doing so they are required to determine the level of compliance effected by their organisations. Internal auditors are also required to investigate, assess and examine the various ways and means employed by organisations to safeguard organisational assets and verify, as suitable, the existence of all organisational assets (Rae, et al, 2008, p 11).
Organisational managements importantly aim to assure that the assets of their firms are adequately and effectively managed, accounted for, and protected against loss and damage. The safeguarding of organisational assets should thus be holistic; not restricted to theft and pilferage but also protected against different types of physical threats that could arise from fire, water, strikes and riots (Cangemi & Singleton, 2003, p 12).
Internal auditors very importantly need to assess the efficiency and economy of employment of resources, they are required to review programmes and operations and ensure that the results of such operations are in consonance with predetermined organisational objectives (Cangemi & Singleton, 2003, p 12).
Internal auditors, within their ambit of review of internal controls, specifically work towards minimisation of organisational risk, detection of fraud and maximisation of organisational efficiencies (Michelman & Waldrup, 2008, p 31). The scope of their work is thus extremely broad and covers all geographical locations, as well as all the departments of their respective organisations. Many modern day organisations are extremely large in the volume and scope of their operations (Michelman & Waldrup, 2008, p 31). Multinational organisations have operating, manufacturing and selling facilities in numerous countries, which in turn function in very different environments and with the help of locally employed workers (Rae, et al, 2008, p 11). Such breadth of diversity of operations makes such organisations extremely difficult to control and wield as cohesive units with common values, strategies and objectives. Internal auditors are required to work with senior and other managers across such organisations and help them in the formulation of effective systems of control that can eliminate fraud and minimise various types of operational and financial risks (Rae, et al, 2008, p 11).
Internal auditors need to take care to ensure that organisational systems are not just appropriate and effective, but also cost efficient (Cangemi & Singleton, 2003, p 14). They should as such take care to ensure that control systems do not become excessively elaborate, bureaucratic and expensive.
The scope of work of internal auditors is by and large laid out by the Board of Directors in consultation with the CEO and members of the senior management. It is extremely important for organisations to ensure that the actual scope of work of their internal auditors and their internal audit departments are carefully formulated and clearly articulated (Cangemi & Singleton, 2003, p 21). It is also important for internal auditors to be given adequate independence and authority to carry out their work without being obstructed by organisational attitudes, cultures and politics.
With the very nature of their functions likely to bring them into conflict situations with different organisational functions and areas, it is important for internal auditors to have the full support of the CEO and the members of the board in order to work in all areas of the organisation and achieve their various objectives (Cangemi & Singleton, 2003, p 45).
4. Types of Internal Audit
Internal audit is a broad based function and consists of different types of audit like financial audit, operational audit, management audit, project audit, information system audit, compliance audit, investigative audit and due diligence exercises (Shapiro & Matson, 2008, p 199). The broad dimensions of some of these types of audit are elaborated hereunder.
Financial audits entail thorough and comprehensive review of departmental and organisational records and reports in order to assess whether various assets and liabilities have been truly recorded on organisational balance sheets and whether profits and losses have been properly assessed (Shapiro & Matson, 2008, p 199). Significance or materiality in financial audits is normally defined in terms of monetary value. Planning decisions for financial audits consequently involve required degrees of audit assurance and the amount of audit work needed to provide such assurance.
Requirements for financial audits vary between organisations and need to be planned in line with applicable laws, rules and regulations (Shapiro & Matson, 2008, p 199). Financial audits have some common activities, i.e. (a) assessment of risk, (b) definition of materiality, (c) assertion of financial statements, (d) financial analysis, (e) cash flow analysis, (f) compliance procedures and (g) analytical procedures. The meeting of these objectives involves the verification of revenues, sales, cash and bank balances, bank reconciliations, accounts payables and accounts receivables, disbursements, petty cash dealings, assets and loans and advances (Shapiro & Matson, 2008, p 199).
Operational and Management Audit
Operational audits involve comprehensive reviews of operating procedures and processes and internal controls. Such audits concern broad performance issues and aim to assess whether organisational resources and funds have been managed with economy, efficiency and effectiveness in order to further organisational strategy and fulfil organisational objectives. Operational audits by and large include some elements of compliance audit, financial audit and information systems audit (Michelman & Waldrup, 2008, p 33).
Management audits, which are akin to operational audits, investigate and report on issues that are related to the adequacy or sufficiency of existing management system controls and processes, including the systems required for controlling and safeguarding of assets with efficiency, economy and effectiveness. Management audits also include the assessment of management of resources with economy and efficiency and the degree to which various organisational operations programmes and activities have been effective (Michelman & Waldrup, 2008, p 33).
The scope and objectives of operational audits, unlike those of financial audits, are not defined with significant clarity. Internal auditors in such circumstances need to discuss and brainstorm with members of the senior management to lay down the scope and objectives of specific operational audits. It is necessary, whilst defining such scope and objectives to decide upon exclusions (Reding, et al, 2009, p 72).
The definition of scope in such audits is followed by the setting of audit objectives. This is important because it is possible to gather suitable audit evidence only after objectives have been defined with clarity. It is important, whilst setting objectives, to identify three essential elements, namely criteria, cause and effect. These are important for meeting of the various operating objectives. The scope of operational audits is set only after identification of audit objectives; it being important to lay down audit programme boundaries and to specify inclusions as well as exclusions (Reding, et al, 2009, p 73).
The gathering of information is an important component of the conduct of operational audits. Such information is gathered from sources like organisation charts, operating standards, the nature of operations, senior management, operating reports, prior audit papers, organisational files and papers, journals and publications and the Internet (Reding, et al, 2009, p 74). Many operational audits require the conduct of preliminary surveys in order to gain working knowledge of the function or department to be audited, as well as to logically examine and assess information. Preliminary surveys involve (a) obtaining of information on broad business operations, (b) development of questionnaires for discussions with employees, (c) interviews of organisational employees, (d) learning of goals, objectives and standards of operations under investigation, (e) ascertainment of initial improvement opportunities, (f) understanding of internal controls and inherent risks, (g) learning about personnel, evaluation methods and descriptions, (h) physically inspecting operations, (i) focusing on potential cost savings, and (j) presenting of survey results (Reding, et al, 2009, p 74).
Operational audits entail detailed reviews of internal controls. Such reviews aim to determine the levels of reliance of existing internal controls and are conducted through specific audit processes that include interviewing employees on internal control issues, preparing narrative descriptions of existing operations or flow charts, limited system and walk through testing, and evaluation of manuals for policies and procedures (Schaefer & Peluchette, 2010, p 46). The results of such internal control reviews provide information on identification of controls that can be relied upon by auditors for detailed testing, analysis of controls, assessment of suitability of controls, and risk assessment. It is important at this point of the audit to assess the existence of factors that can render such controls ineffective, like deliberate or accidental avoidance, over riding by management, inadequate recovery and backup and environmental causes (Schaefer & Peluchette, 2010, p 46).
Operational audits finally require the conduct of adequate audit tests for substantiation and compliance in order to obtain adequate evidence on audit objectives. Such testing aims to assess the effectiveness of (a) important controls that have previously been found to be suitable, in order to assess their effectiveness, and (b) the controls that have previously been evaluated as insufficient in order to verify that the needed results are not achieved with consistency. The final reports of operational audits inform recipients of the results of such investigations, as well as improvement opportunities, and provide constructive recommendations for achievement of such objectives (Schaefer & Peluchette, 2010, p 46).
Information Systems Audit
Internal auditors are often required to determine the extent to which existing information systems help in safeguarding of assets, maintenance of data and systems integrity, and achievement of organisational goals. Such audits aim to assess the adequacy of internal controls in organisational information systems for the meeting of operational, business and control objectives and the timely prevention, detection and correction of unwanted events (Pickett, 2010, p 324).
Information system audits include the assessment and review of new as well as existing systems, before, during, and after implementation, in order to ensure that they satisfy user needs as well as security requirements. Project management reviews aim to ensure the existence of controls for mitigation of project risks or for identification of improvements for future projects. Organisational reviews aim to ensure the achievement of organisational objectives and goals, whereas specific technology reviews aim to ensure the existence of appropriate security and controls (Pickett, 2010, p 324).
Internal auditors are often called upon to review the performance, efficiency, effectiveness and costs of projects. Projects are often large and complex and need careful supervision and control. Internal auditors work with project managers over project lifecycles and help such managers in negotiating favourable contracts, designing and improving expenditure processes and controls, ensuring proper documentation and validity of payments, and reducing overall project costs (Shapiro & Matson, 2008, p 218).
With individual projects being unique, the scope of internal audit is dependent upon various project features and ramifications (Shapiro & Matson, 2008, p 218). Internal auditors conduct project audits with especial regard to (a) analysis of costs and benefits, (b) compliance of regulatory requirements, (c) review of internal controls for approvals, project documentation, project reporting, and construction and administration and bid and award processes, (d) risk management, and (e) management involvement. Project audits also include investigation of appropriateness of performance bonds and review of liability and insurance coverage. Internal auditors should also investigate accounting irregularities and safeguard against bid associated breakdowns of internal controls (Shapiro & Matson, 2008, p 220).
Internal audit for compliances aims to ensure that organisations are in compliance with laws and regulations, organisational policies, and various types of applicable standards and contracts. Such audits include the gathering of information about rules, regulations, standards, laws and other compliance requirements. It entails understanding auditing limitations with regard to detection of abuse and illegal acts, assessment of risks of occurrence of significant illegal acts, and design and implementation of procedures that would reasonably assure the detection of illegal acts (Reding, et al, 2009, p 81).
Compliance audits are by and large difficult investigations because of the complexity of rules, regulations and laws, changes in laws and regulations, and the difficulty of implementing appropriate internal control measures for prevention and detection of acts of non-compliance and illegalities. Whilst auditors are by and large trained in rules, regulations and laws, they are often required to take assistance from legal counsel for determining acts of illegality or non-compliance, designing of compliance tests and evaluating the results of such tests (Reding, et al, 2009, p 84).
5. Differences and Similarities between Internal Audit and External Audit
The evolution of internal audit followed the progression of external audit for many years, with tools designed by statutory auditors being used by internal auditors for their investigative and evaluative work (Flesher, 1991, p 9). Recent decades have however seen the emergence of significant differences between internal and external audit.
Internal auditors are in the first place appointed by organisational managements and are responsible to the board of directors or to the owners of businesses. External auditors on the other hand are appointed by shareholders, in the case of joint stock companies, and can be appointed by external agencies like bankers and assessors for partnership or proprietary firms (Flesher, 1991, p 9). The main areas of similarity between internal and external auditors are provided hereunder.
Internal and external auditors by and large conduct similar testing routines, which in turn involve the examination and analysis of numerous transactions. Whilst internal audit now focuses on the assessment of internal controls in all organisational areas, many of its processes and procedures are associated with finance and accounts and necessitate the use of auditing tools and techniques that are identical to those used by external auditors (Putra, 2008, p 3).
Both internal and external auditors belong to specific professional disciplines. They have to adhere to clearly determined and specific professional standards and abide by the codes of ethics and conduct of their professional bodies. Both sets of professionals are required to be deeply involved and associated in the formation of systems of their organisations, because such systems are fundamental to the process of financial reporting and otherwise constitute a major instrument of managerial control (Schaefer & Peluchette, 2010, p 49).
With both internal and external auditors being tied to organisational internal control systems, their work is likely to be adversely affected if organisational processes and controls are poor or are unknown to organisational members. Both internal and external auditors are concerned with the impact and occurrence of misstatements and errors in financial statements and accounts and need to actively cooperate with each other for the achievement of their objectives.
Both internal and external auditors furthermore produce formal reports regarding their findings to the individuals or bodies that appoint them (Putra, 2008, p 3).
Whilst the activities of internal and external auditors do overlap in a number of areas, the functions are essentially different and have very different objectives (Siers & Blyskal, 1987, p 29).
External auditors are appointed by shareholders and are responsible to them to certify the trueness and fairness of the financial accounts and statements prepared and presented by their companies. Internal audit mechanisms are on the other hand is established by organisational managements in order to improve corporate governance, monitor internal controls and assess and minimise organisational risk.
Internal auditors review internal control systems, whereas external auditors assess the level of internal controls to determine the extent of their audit work (Siers & Blyskal, 1987, p 29). Internal auditors cover all organisational operations, whereas external auditors deal mainly with financial systems that concern the preparation of financial statements. Internal audit work by and large occurs throughout the year, whereas external audit tends to be an annual process, even though some testing for financial accounts is carried out through the year.
The table provided below illustrates the basic similarities and differences between internal and external audit.
Internal Audits Vs. External Audit
Sound Risk Management and controls
Accounts = True and Fair Value
Scope of work
Overall systems VFM, Fraud, MIS and Compliance
Accounts, profit and loss a/c, balance sheet, annual report and financial systems
From operations by professionalism and status
From company via statutory rights
Risk-based systems-based audits, assurances and consulting work
Vouching and verification and some use of risk-based systems approach
Comprehensive structured reports to management and the audit committee and brief executive summaries
Brief standardised published reports to shareholders and users of accounts
Generally not mandatory apart from parts of public sector, but encouraged in most sectors
Companies' legislation and various public sector statues.
Only larger organisations
All registered companies and public sector organisations (Small companies may have exemptions)
(Source: Putra, 2008, p 2)