The History Of Internal Audit Accounting Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In the course of defining the term internal audit by researchers, many different views were found and in the study of Unegbu and Obi, they pointed out that Internal audit "measures, analyses and evaluates the efficiency and effectiveness of other controls established by management in order to ensure smooth administration, control cost minimisation, ensure capacity utilisation and maximum benefit derivation." Likewise, Nagy and Cenker (2002), in their research, stated that the internal auditing function is "an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations." Therefore, as mentioned in the Commercial Bank Examination Manuel (2006), "professional internal auditors can contribute a wealth of information to their organisations over and above the assurance they provide by evaluating the quality of control systems and ongoing operations."

The technological developments around the world have greatly increased the growth in auditing tools and software. In this context, it was discussed by John Siltow (2003) that, "…, the average internal auditor receives considerably more exposure to IT systems than in the past, Technology plays a fundamental role in the way modern organisations function, and it has become integrated to the degree that virtually every type of audit requires at least some consideration of IT issues." Additionally, Chrismastuti and Sitawati (2010) argued that internal auditor should be involved in the development of the company information system in order to minimise the risks associated with system development project. Thus, "as technological changes occur more quickly, auditors must keep pace with emerging technological changes and their impacts on their client's data processing system as well as their own audit procedure" and this point was brought forward in a study conducted by Rezaee and Reinstein (1998).

Furthermore, IT auditing can be referred to as a specialist type of internal auditing including reviewing and reporting on all aspects of the systems, that is, hardware, applications, IT environment and system development. In short, according to Moorthy et al. (2011), there are four factors that need to be considered when applying IT to internal auditing and these factors are: identify guidelines available to best practices, software and hardware to assist auditing process, accounting standards and the roles of internal auditor. Moreover, an internal auditor usually makes sure that the internal control system is running smoothly and that all risks are minimised in an organisation thus, in a study, Ratcliffe and Landes (2009) believe that "internal control promotes efficiency, reduces risks of asset loss, and helps ensure the reliability of financial statements and compliance with laws and regulations." In addition, they also identified five components of internal control which are: the control environment, risk assessment, control activities, information and communication and monitoring.

Accordingly, auditors make use of Computer-Assisted Audit Techniques (CAATs) to carry out their work which can be divided into 3 main categories namely: audit software, test data and other techniques. In this manner, Romas Staciokas and Rolandas Rupsys (2005) aimed to understand the internal audit functions, explore implication of information technology (IT) and analyze the advantages of internal audit in the organisational governance. Moreover, Yang et al. (2011) concluded in their study that "the adaptation capability of computerised internal controls had a significant influence on internal control efficacy and operating performance" but with the implementation of new technological tools, auditors responsibilities keep increasing. This can be supported with the research made by Jayalakshmy et al. (2005) who discussed the pressures that auditors would face in the era of globalization and challenges in order to maintain trust and integrity. Additionally, John Siltow (2003) has explored the interconnection of internal audit practice and exposure to IT risks in a general way and almost every path of the auditors in performing their job, pointed out that "internal auditors need to pay more attention towards authorisation processes. In this essence, access control represents as the "front door" to the organisation." However, Tongren (1997) argued that "Advances in IT continuously render control procedures obsolete; and the "value" of traditional internal audit becomes seriously questioned."

Undoubtedly, internal auditors should be well versed with a computerised system and this will definitely be an advantage to both the companies and the internal auditors. Indeed, Kopp and Bierstaker (2006) stated in their article that the "identification of internal control strengths is important to avoid unnecessary substantive testing" and Moorthy et al. (2011) also argued that the "effective use of audit technology tools is critical to the success of audit activity…" Given, the benefits that internal auditors are getting from computerised system, they should also be prepared technologically in order to be able to cope with these changes competently. Correspondingly, in a study carried out by Dr Ahmad A. Abu-Musa (2005), it was concluded that internal auditors need to improve their skills and knowledge of computerised information systems in order to be in a better position to plan, direct and review the work performed. Accordingly, it has also been specified in the International Standards for the Professional Practice of Internal Auditing (2008), that "internal auditors must enhance their knowledge, skills and other competencies through continuing professional development."

Interestingly, the banking and insurance sectors are growing rapidly and are coping with all related technological advancements. In fact, Hermanson et al. (2012) conducted a sector by sector analysis where they came to the point that, "… banks and other financial services firms appear to have a more robust monitoring controls than do healthcare and other services." For instance, in a consultative paper brought forward by the Basel Committee (2000), it can be noted that "the internal audit function is part of the ongoing monitoring of the system of internal controls and of banks' internal capital assessment procedure, because it provides an independent assessment of the adequacy of, and compliance with the banks' established policies and procedures." In this connection, Xu Zhi-Di (1997) found that the banking internal audit can be sub divided into four parts: comprehensive audit, various types of particular audit (including: emergency audit, lending audit and investment profile audit), continuous audit and appraisal of auditee. Hence, according to Adela Socol (2011), banks need to be resilient in case of severe shocks that can affect economies like the recent financial crisis. Undeniably, a strong internal control system is essential in the financial sector.

Subsequently, professional competence (most importantly nowadays, the use of information technology tools, software and continuous professional development in the field of auditing) of the internal auditors is very important for the proper functioning of the banks and insurance companies internal control system and this point was proved in a research brought forward by Adela Socol (2011), where it was concluded that "a key element of a strong internal control system is realisation by each employees of necessity of fulfilling his/here responsibilities in an efficient manner…" Hence, Moorthy et al. (2011) reported on a key role of the auditor that is, auditors should not only be involved in coping with changes in technology but they should also explain the effects of those changes to others. Similarly, according to Fadzil et al (2005), "…performance of audit work, professional proficiency and objectivity significantly influence the control environment aspect of the internal control system." On the other hand, in a research conducted by Shing-Han Li et al. (2007), the problem identified concerning the implementation of an effective continuous auditing was that "auditors usually cannot thoroughly carry out continuous E-auditing because of their lack of IT proficiency and inefficient communication and interaction with IT personnel and information system."

Consequently, according to Rezaee and Reinstein (1998), "most accounting transactions should soon be in electronic form without any paper documentation" but, technology continues to increase the strategic importance and risk to organisations thus, rapid deployment of emerging technologies creates risk (top 10 emerging IT audit issues by Deloitte 2011). Besides, after an analysis made by the International Monetary Fund (2008), it was deduced that the insurance industry in Mauritius "continues to be focused on rule compliance rather than assessing the effectiveness of internal controls and risk management." Although, it was stated by Rezaee and Reinstein (1998) that, "the use of electronic commerce changes the way business transactions are processed and accordingly the nature of audits", there is high risk of the failure of the computerised internal control system. Evidently, in order to avoid the stated risk, Thomas P. Dinapoli (2007) stated that the "internal audit units should maintain documentation for each audit and subsequent follow-up" and also "the formation of paperless transactions means computerised controls should make adjustments accordingly, in order to ensure consistency between internal control techniques and the IT environment" (Yang et al. 2011)

Likewise, Kopp and Bierstaker (2006) found that "the user involvement in internal control documentation performed by auditors in the complete condition could increase the level of consistency…" Continuously, another important aspect of risk relating to a computerised internal control system is the electronic penetration and lack of information security. Certainly, as specified by Jamal Adel Sharain (2011), "the internal auditor has a significant role in the protection of computerised accounting information systems from electronic penetration, represented in testing the security controls against the contained information with an unknown source…" In this particular concept, it was discovered that there is a lack of qualified and competent staff and that "little progress has been made in developing and implementing an early warning system…" concerning insurance regulation and supervision in Mauritius (Mauritius Financial System Stability Assessment report 2008).The same author that is, Jamal Adel Sharain found that "…the more the auditor has knowledge and skill, his role will be more effective in the protection of the computerised accounting information systems." Nevertheless, Shing-Han Li et al. (2007) discussed another problem with continuous auditing, that is, "a database system usually only stores the most updated record of a transaction without keeping its updating trail."

Conversely, in order to minimise the risks outlined in the previous paragraph, efficient software can be used by the financial sector that are efficient and effective and in fact, in an article written by Bruce I. Winters (2004), it was argued that "document management and workflow tools are more capable of interacting with other software and can address relatively straight forward functions such as report tracking." In addition, this software "allow users to perform detailed indexing and searching of multiple document types, including e-mail, flowcharts and narratives, to organize and retrieve text, images and numeric data" and examples of such software are: Documentum, IBM/Lotus, FileNet. The same article outlined other software like business-performance management (examples: Fuego, SAS) and real-time compliance tools (examples: Certus, Microsoft's SharePoint Portal Server) and according to the author all these tools are used to analyse risk and controls. Further, Richard B. Lanza (2005) pointed out that "controls testing software analyses the database that support a company's accounting software" and it was also deduced that "risk management database maintain documentation around internal controls, and controls testing software helps automate the testing of particular controls such as computer controls." However, the accounting software is very expensive but Max Weber concluded that "…large corporations apply complex accounting systems which cost millions dollars but the effect for their application exceeds all the expectations."

Another important aspect of the well functioning of the computerised internal control system is the independence of the internal auditors and it was recommended in a report by Thomas P. Dinapoli (2007) that "professional audit standards require each internal audit organisation to periodically undergo an independent review of the quality of their audit activities" in order to ensure consistency and compliance with the audit standards. Moreover, in a study, Jamal Adel Sharain (2011) concluded that "the enhancement of internal auditor's understanding and realizing to the nature of bank's work in order to implement his role in the protection of the computerised accounting information." Alternatively, the independence of the internal auditor is very important in order to be able to protect the confidentiality of information especially when considering banking and insurance activities. In short, for the computerised internal control system to function properly, "the bank's internal audit function must be independent of the audited activities, which require the internal audit function to have sufficient standing and authority within the bank, thereby enabling internal auditors to carry out their assignment with objectivity (Basel Committee on Banking Supervision 2011).

Therefore, as stated by Moorty et al. (2011), "emerging technologies will continuously change the shape of and approach to business controls, and audit approaches and techniques must change accordingly." In addition, "the adaptation capability of computerised internal controls had a significant influence on internal control efficacy and operating performance" (Yang et al. 2011) and it was suggested in the same study that "computerised controls will gradually replace manual controls, in order to establish an automated and timely control mechanism." Thus, according to Rishel and Ivancevich (2003), "internal auditors can and should provide input with regard to system configuration in order to ensure that the proper integral controls are in place." Likewise, the same author explained that in order to minimise the risks, proper documentation should be made by internal auditors so that changes in the Computer Information System could be traced easily and also for better control. Nevertheless, the objectives of the auditor regarding the work to be carried out for the proper running of the internal control system of the banks and insurance companies do not change in a computerised environment.

Finally, a general point would be that the banks' and the insurance companies' computerised internal control system need to be constructed on key elements in order to: ensure compliance with laws and regulations, achieve long-term profitability, maintain reliable and consistent financial reporting and reduce the various risks. Hence, the internal auditors who are responsible for the proper functioning of the computerised internal control system of the banks and insurance companies indirectly preserve these companies' reputation. Each of these theoretical definitions and researchers' views did make an important contribution to the understanding of the: internal audit function and the computerised internal control system and despite the criticisms made about the computerised internal audit control system, it's popularity in the banking and insurance sectors in particular remain largely undiminished in Mauritius.