Role of Internal Audit Function in promoting Corporate Governance


An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Chartered Institute of Public Finance and Accountancy, CIPFA (2008), shares a similar definition of internal auditing with the IIA. The above definition illustrates that internal audit is considered one of the preliminary bases for effectively monitoring and supervising the financial reporting line as well as organizational governance. The internal audit function is performed by employees who are highly specialized and directly accountable to management. The involvement or intervention of internal auditors can help organizations achieve their objectives. The internal audit function can contribute effectively to organizational success by providing management with suggestions and ensuring that the firm adopts good practices.

On the other hand, the Malaysian Institute of Accountants, MIA (2008), defines internal auditing as:

An independent appraisal function established by the management of an organisation for the review of the internal control system as a service to the organisation. It objectively examines, evaluates and reports on the adequacy of internal control as a contribution to the proper, economic and effective use of resources.

For MIA, the indispensable elements for internal auditing have been explicitly described and they are: independence; staffing and training; relationships; due care; planning, controlling and recording; evaluation of the internal control system; and reporting and follow-ups.

2.1 The need for Internal Audit

The traditional method of internal audit enables management to control the entire organization. With the rapid expansion of the business world, accompanied by a rise in corporate frauds and failures, there is a serious need for an internal audit function that can take up the challenges of maintaining control over the organization. Such an internal audit function can act as a control specialist for surveillance of the management controls framework.

Deloitte and Touche (2005) describes the importance of internal audit to an organization in this way: "the fortunes of the company can be tied to internal audit". However, the Institute of Chartered Accountants in England and Wales, ICAEW (2004), provides that "Having an internal audit function is not mandatory for listed companies". ICAEW argues that firms having an internal audit function should set the status of the internal audit at the top of the organization, that is, by the board and audit committee.

The IIA (2006) believes that a firm possessing an internal audit function is in a better position when equipped with fully resourced and professionally qualified staff who add value to services. This is important for effectively and efficiently managing the organization.

2.2 Scope and Objectives of Internal Audit

A notion of the scope and objectives of internal audit can be obtained from a document issued by The Accountancy Foundation Limited (1995). It points out that the scope and objectives of internal audit differ according to the size and structure of an organization. It also considers management's and directors' requirements. The Internal Audit Charter (2010) declares that "There are no restrictions placed upon the scope of the Internal Audit Department's work".

In general, the scope and objectives of internal audit activities include, but are not limited to, the following:

Review and appraise the adequacy and effectiveness of the accounting systems, internal controls systems and risk management.

Evaluate the relevance and reliability of management, financial and operating data, and the means to identify, measure, organize and account for such information.

Analyze the systems established by management to ensure conformity with policies, audit plans, procedures, laws and regulations.

Review ways in which assets are preserved within the organization and verify their existence appropriately.

Appraise the economy in terms of effectiveness and efficiency in connection with the resources employed.

Review the consistency of results derived from operations or tasks and whether they are performed as scheduled.

Maintain regular contact with all staff of the organization, cooperate with different divisions and audit teams, and be aware of the plans and strategies that may affect the audit activity.

2.3 Types of Internal Audit

Most organizations follow the Standards set by the IIA. A variety of audits are performed by organizations and these audits include: financial audit, operational audit, management audit, compliance audit, Information System (IS) or Information Technology (IT) audit, and investigation audit. However, CatLady (2004) identifies only four types of internal audit in connection with the types of internal auditors and the work that they do. As such, the four types are financial, operational, compliance and IT auditors. Generally, more concern is given to financial, management and compliance audit as compared to others.

Financial audit aims to form an independent and expert opinion on whether the financial statements have been prepared in a true or fair manner. Such an opinion is formulated based on a company's status and after having tested and analysed all its financial transactions. Raffa (2003) states that the scope of the financial audit is mainly financial reliability and integrity and, occasionally, operating information. However, Hermanson and Rittenberg (2003) argue that financial audit is used as a tool to fulfill the role of auditors as well as for investigation and advisory services.

Management audit deals with issues relating to business and management analysis. It also considers the effectiveness of controls through tests performed against procedures, with a view to increasing profit. The scope of the management audit is on internal applications. Arthur (2000) suggests that if management audit is conducted properly, then it can act as a useful mechanism to bring change. This is because it provides opinions and recommendations on important business issues. Such an opinion is supported in research conducted by Parial (2000).

Compliance audit is used in high-risk areas to ensure that activities are performed in strict compliance with rules and regulations. Both Arthur (2000) and Parial (2000) mention that compliance audit deals with the examination of written manuals, procedures and work instructions that have been implemented. The application of compliance audit provides assurance and stability that the business is abiding by all policies. Its scope is on particular areas of operations.

2.4 Role of Internal Audit Function to promote Corporate Governance

An article by LeRoy (2002) emphasizes the "exceptional opportunity today's professionals have to extend beyond their comfort zones and strengthen the auditor's role in governance processes". The main focus of internal auditors, according to LeRoy (2002), is on risk and control for the soundness of the governance process. Similarly, the Turnbull Report (1999) is also of the opinion that the internal audit function aims at evaluating risk and controlling the internal control system.

According to Sobel (2005) the term "Corporate Governance" is defined as follows:

"Corporate governance is the process carried out by the board of directors, and its related committee, on behalf of and for the benefit of the company's stakeholders, to provide direction, authority, and oversights to management".

Marks and Minow (2001) elaborate on the definition of corporate governance and state that it is a "relationship among various participants in determining the direction and performance of corporations". Corporate governance, as said by MIA (2008), is well developed in many countries, and those who are bestowed this responsibility have an active oversight role for assessing and monitoring risk, internal control and consistency with the law. Auditors must recognize that their oversight role and responsibility differ by entity and country. Furthermore, the IIA (2006) states that the responsibility for corporate governance is widespread among various business entities. The cornerstones of effective governance are the Board of Directors, Executive Management, the Internal Auditors, and the External Auditors, as illustrated in Figure 2 below.

Likewise, Chong (2009) advocates that "The pillars that play their part in maintaining an effective corporate governance framework are the internal audit function, the board of directors, executive management and external auditors".

The corporate scandals both in the Mauritian context, including Air Mauritius and MCB Ltd, and in the international context, like Enron, WorldCom, Tyco and Xerox, are perceived as a great disaster for the accounting and auditing profession. This has called for help from internal auditors concerning corporate issues on behalf of committees and boards. More than ever before, companies had to step out of their traditional comfort zone and reinforce the role of internal auditing in this sphere. After such failures, auditors at all organizations should analyze each event and its cause in depth so that they can apply this notion to their own organizations. Consequently, it has become imperative for internal auditors to focus on risks and controls for the safety and soundness of financial reporting, governance, and internal audit systems.

According to Barry (2008), "Good governance cannot be imposed; it must emerge from a changed social culture, taken down to the level of the corporation by capable and committed directors and executives". Therefore, for good governance to win through there should be an effective and collaborative working relationship between board of directors and supervisors. It takes strength, experience, and judgments to resolve governance issues satisfactorily.

The profession of auditors is at present challenged, but auditors are equally capable of handling corporate governance issues by defeating such a challenge whenever a chance is presented to make their profession become a hinge for effective corporate governance.

2.5 Effectiveness and Efficiency of Internal Audit Function

According to Deloitte (2004), "the internal audit function best serves an organization when it operates in accordance with the professional standards and rules of conduct issued by the IIA". If internal auditing is effectively put into operation, it can prove to be the most vital element of a quality management system (Strouse, 2010). Similarly, the International Register of Certified Auditors, IRCA (2006), is of the opinion that organizations should favour the practice of internal audits to have appropriate and effective quality management systems that ensure proper functioning. However, KPMG (2008) is of a different opinion: that the internal audit function is of prime concern in that it assists the board of directors with its governance responsibilities.

The ICAEW (2004) provides that "internal audit activities play an important part in the effective governance and risk and control framework of an organization". The role of internal audit is to provide an independent assurance service to the board, audit committee and management. Such a service should emphasize reviewing the effectiveness of processes such as governance, risk management and control established by management. Hence, certain important aspects that have an impact on the effectiveness and efficiency of the internal audit function must be considered. They are: objectivity and independence, the audit committee, external audit, and risk management and control.

2.5.1 Objectivity and Independence of Internal Audit

ICAEW (2004) states that "Internal audit is a source of independent and objective assurance". The internal audit function must be independent of the activities being audited and must also be independent from everyday internal processes (KPMG, 2008). Internal auditors need to maintain an impartial attitude that does not override their objectivity and does not represent vested interests while conducting their internal audit function. The more internal auditors are free from any interest which might be regarded as incompatible with their objectivity and integrity, the better they can exercise due skill, care, diligence and expeditiousness. The internal auditors must have the skill set and expertise to independently and objectively assess the internal controls in place, to ensure that they are adequate to mitigate risks and that governance processes are effective and efficient (Chong, 2009). Chong's prime concern is the independence and objectivity of an internal auditor in respect of his duties. His arguments are based on questions and finding relevant answers to these questions. The ICAEW (2004) finds that "Internal audit's role is separate and independent from management".

2.5.2 Internal Audit and Audit Committee

Internal audit is the effective monitoring and supervising of operations, accounting and regulatory conformity of companies. The internal audit function, together with management and external auditors, has to report such internal control compliance to the audit committee.

An Audit Committee (AC) is established to serve as a channel of communication as well as to maintain an effective relationship between the Board of Directors, management, internal auditors and external auditors. With regard to a good working relationship in association with corporate governance, the financial reporting framework and internal controls, the internal auditor should also maintain a good reporting line with senior management on these matters. William (2001) states that "quality financial accounting and reporting result only from effective interrelationships".

In general, the optimum number of members that forms an AC should be a minimum of five and a maximum of seven members (Gauthier, 1997). Such members should possess all the required skills and knowledge in the field of accounting and auditing to operate effectively and realize the objectives set by the committee.

The AC should have adequate authority to investigate issues found in the agreement and should have full access to relevant information with a view to preserving the integrity and financial disclosure requirements. According to the IIA, this is possible with the help of the internal auditor, who must provide the AC with sufficient audit coverage in terms of findings and recommendations. The committee will then mainly make recommendations to the board for its approval or final decision and not perform any management functions or assume any management responsibilities. For instance, it may make recommendations about the appointment of external auditors as well as assess their performance.

The boards of directors, along with their committees, should become proactive, informed, investigative and accountable, so that these qualities lead to good governance. The audit committee is more focused on, and more on the same wavelength as, governance than any other committee of the board.

The Blue Ribbon Committee, BCR (1999), was created to improve the effectiveness of corporate ACs. It magnifies the importance of the internal audit function as follows: in the internal control system; as an aid to the audit committee in monitoring the competence of the internal control process; and in assessing the degree to which management sticks to the control procedures. The IIA expresses its opinion on the findings of BCR by mentioning that "the recipient of an assessment of internal control is a significant step in improving AC effectiveness". The AC is highly reliant on information provided by the internal auditor, and in order to successfully obtain the required information, support and guidance, it is necessary for the internal auditor to consult the audit committee in private. The BCR also recommended that the audit committee should hold separate meetings with management, internal auditors and external auditors.

The Combined Code on Corporate Governance (2003) states that the audit committee is required to monitor and review the effectiveness of the internal audit function. The AC serves as a guide and feedback for internal audit. The internal audit reports are a means by which the AC can assess the quality of internal audit's work during the course of the year. With the collaboration of both the audit committee and the internal auditors within companies, better monitoring and supervision of the financial reporting process may result. This can add more credibility to companies, as a higher level of vigilance and objectivity is maintained. Similarly, internal controls are strengthened with vigilance, which can eventually add value to shareholders.

2.5.3 External Audit

In the words of ICAEW (2004):

"It is important for both internal and external auditors to cooperate, communicate and share their evaluations and the results of their audit work when relevant and subject to any confidentiality requirements. This dialogue should take place regularly throughout the year".

Mango (2005) defines external audit as being "an independent examination of the financial statements prepared by the organization. It is usually conducted for statutory purposes (because the law requires it). It can also be for investigative purposes (e.g. to look for a fraud)". In other words, an external auditor is someone outside the organization who takes up the responsibility of conducting the external audit. The Companies Act 2001 requires the information in the Financial Statements to be authenticated by an independent person, the external auditor, for it to appear credible and thus be considered fully reliable for decision-making purposes. This is applicable to all limited companies incorporated under this Act in Mauritius. It is worth noting that it is vital that the internal auditor performs his work effectively so that the external auditor can rely upon his work.

2.5.4 Risk Management and Control

In the opinion of the IIA, "Risk is the probability that an event or action, or inaction may adversely affect the organization or activity under review". In a position paper, the IIA discusses the role of internal auditors in Enterprise Risk Management (ERM) and their contribution to adding value. Risk is inherent in the decisions that an organization takes to manage and run its business and in the business processes established to assist in the achievement of its business objectives (ICAEW, 2004).

Internal audit plays an essential role in risk management and control, and this has led organizations to place high expectations and reliance on it. Internal audit activity consists of assisting the organization to maintain controls and evaluate them so that they promote constant improvement (Armoogum, 2009). It can provide effective contributions to independent assurance, risk management and control, and corporate governance processes.

The Committee of Sponsoring Organizations of the Treadway Commission, COSO (1992), defines internal control as a process, effected by an entity's board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Corporate governance and risk management include the formulation of strategy, monitoring of operations to make sure that the strategy is being attained, and identifying, assessing, and mitigating risks to the achievement of strategy (Tanya, 2007). In 2002 the IIA, in agreement with the COSO Enterprise Risk Management - Integrated Framework (1994) and IIA (UK and Ireland), stated that "Internal auditors should provide advice, and challenge or support management's decisions on risk, as opposed to making risk management decisions".

From the Executive Summary (2004) of the COSO, Enterprise Risk Management embraces risks and prospects and is defined as follows:

"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives".

Much consideration is given to enterprise-wide risk management as it improves an organization's governance processes. Management should manage the risk management framework on behalf of the board, while the internal audit should provide assurance through ERM on the effectiveness of the risk management process to management and the board. One of the tasks dealt with by the IAF is the identification and monitoring of risks (Tanya, 2007). Similarly, the MIA (2008) suggests that "The internal audit function should regularly report to the board of directors and management on the performance of the internal control and risk management systems and on the achievement of the internal audit function's objectives".

2.6 Internal Audit Charter

The Internal Audit Charter (2010) of Buffalo City states that "The purpose of this charter is to set out the nature, role, responsibility, status and authority of the Internal Audit Department and to outline the scope of their work". This charter also includes the authority and responsibility bestowed by management. The Internal Audit Charter is depicted as follows:

The Practice Advisory 1000-1: Internal Audit Charter states that "The purpose, authority and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards and approved by the board." An internal audit charter requires that internal auditors consider suggestions. The charter must:

(a) "establish the internal audit activity's position within the organization

(b) authorize access to records, personnel, and physical properties relevant to the performance of engagements; and

(c) define the scope of internal audit activities".

The internal audit charter is required to be in writing to provide management with formal communication for review and approval purposes. A written internal audit charter is an aid in the periodic assessment of the adequacy of the internal audit activity in terms of purpose, authority and responsibility. The Chief Audit Executive should perform a periodic assessment and communicate the results to senior management and the board.

2.7 Reporting Line

The reporting line or communication of results has a significant value in the internal audit. The internal auditor must be able to report his findings and important issues to the right person at the right time. Failure to do so can be detrimental to the internal auditor himself, to his department and eventually to his organization as a whole.

Internal auditors are recommended to report regularly and internally to the board, the audit committee and management. This is what is described in the IIA's Performance Standard (2004) pertaining to communicating results.

As already mentioned in Section 2.5.3, it is equally important that there is cooperation, communication and sharing of ideas between internal and external auditors relating to their audit work.

When internal auditors report to senior management of the organization, they still have to objectively review the effectiveness and conduct of management. This is the belief of KPMG (2008), which holds that "The only satisfactory solution to this problem is for internal audit to report primarily and directly to the board and its audit committees rather than to senior management". KPMG (2008) also:

"believes that the internal audit function should report functionally to the chairman of the audit committee, recognizing that on a day-to-day basis it should report administratively to the CEO of the organization".

The IIA (2002) has summarized a list of key measures, and the important ones are highlighted below:

The reporting line should be to someone who has enough power to provide the internal audit with adequate support for its daily activities.

There should be a private meeting held between the head of internal audit and the board or audit committee. This must exclude management in order to strengthen the independence and direct nature of the reporting relationship.

The reporting line should be structured so as to improve open and direct communication with the CEO, the senior executive group and line management.

2.8 Benefits of Internal Audit Department

The Dublin Institute of Technology, DIT (1988) and The Maryland-National Capital Park and Planning Commission (2009) have identified six potential benefits of internal audit. These have been summarized, simplified and presented as follows:

It provides a reasonable level of assurance with regard to the adequacy and effectiveness of internal controls in different departments.

It helps identify ways to improve organizations and ensures effective and efficient control of operations. It also facilitates discussions among heads of departments.

It ensures that all aspects of a business are running smoothly in compliance with the organization's policies and procedures.

It assists management to identify and prevent risks such as fraud, waste and abuse associated with their activity. In doing so, the strengths and weaknesses within departments can easily be determined for recommendations on corrective action.

It acts as a guide for implementing the appropriate controls for a new system or project. Consequently, useful analysis, advice and information are provided to management.

This department consists of professional and knowledge-based staff; hence, these staff make maximum use of their expertise in the audit activities and achieve organizational goals. These staff are in a better position and have a better understanding of the organization compared to other employees.