Difference between External and internal Audit

difference between external and internal audit report and evaluating the internal and external audit function
Dr.KiaraSimpson Profile Pic
Dr.KiaraSimpson,United States,Researcher
Published Date:05-07-2017
Your Website URL(Optional)
Comment
M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 7 Chapter 2 External and internal audit Contents Introduction 8 External audit 8 External auditor’s reports to users and to management 8 Management representation letters 9 The management letter 10 External audits in the public sector 10 Auditor liability 11 What are the auditor’s duties? 12 Relationship between external and internal audit 14 Internal audit 14 Independence 15 Staffing and training 16 Relationships 16 Due care 17 Planning, controlling and recording 17 Evaluation of the internal control systems 17 Evidence 18 Reporting and follow-up 18 The image and marketing of internal audit 20 Performance indicators for internal audit 22 External audit reviews of internal audit 22 Summary 24 Practice question 24 Objectives After reading this chapter you should: n understand the role and function of external audit; n be aware of key case law; n understand the role and function of internal audit; n be able to discuss how to measure the effectiveness of internal audit. 7M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 8 Chapter 2 · External and internal audit Introduction This chapter builds on Chapter 1 but takes the issues of external and internal audit a step further and considers the importance of a good working relationship. External audit Accountancy bodies have a responsibility for inspecting and monitoring their registered auditors on a regular basis. This is undertaken by the Professional Over- sight Board’s Audit Inspection Unit. The following features should be transparent in each accounting/audit practice: n recruitment of suitable staff; n proper training, both academically and on the job; n continuing professional development; n quality control and supervision of work; n proper planning and approach; n appropriate fee-charging policy, which is based either on an hourly rate or a percentage of turnover; n a commitment to ethical guidelines; n internal peer review at appropriate intervals. The visit during the monitoring process is substantive or compliance-based. The inspectors will assess a certain number of audit files selected at random, and also files from categories known to be high-risk. The substantive approach will seek to verify that: n planning, recording, supervision and review work have been carried out to a satisfactory professional standard; n the work recorded provides a sound basis for the audit opinion. Each inspection ends with an interview, and the findings of the inspection are fully discussed together with any recommendations. If the inspection is not satis- fied then the auditor or the firm will have their practising certificate withdrawn as a last resort. The typical structure of an audit department in an audit firm is shown in Figure 2.1. External auditor’s reports to users and to management Audit reports are the end product of the work and must be completed to the highest standard. They are governed by the 1985 Companies Act as amended by the Companies Act 1989 and 2006 and also by the international auditing stan- dard ISA 700, The Auditor’s Report on Financial Statements. The 1985 Act places a duty on auditors to examine the financial statements and to express an opinion on whether they show a true and fair view at the year end. The auditor should not express an opinion on the statements until they have been approved by the directors and the auditors have considered all available evidence. 8M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 9 External audit Figure 2.1 Structure of an audit firm Partner Audit manager Audit manager Assistant manager Assistant manager Assistant manager Assistant manager Audit seniors Audit seniors Audit seniors Audit seniors Audit juniors Audit juniors Audit juniors Audit juniors There are two types of audit report, an unqualified report and a qualified report. Unqualified reports This is the most common report issued with the financial statements. It is known as a clean report. The auditing standard ISA 700 states that ‘An unqualified opin- ion on financial statements is expressed when in the auditor’s judgement they give a true and fair view and have been prepared in accordance with relevant ac- counting or other requirements.’ This judgment concludes: n The financial statements have been prepared using appropriate accounting policies which have been consistently applied. n The financial statements have been prepared in accordance with relevant leg- islation regulations or applicable accounting standards (and that any depar- tures are adequately explained in the financial statements). n There is adequate disclosure of all information relevant to the proper under- standing of the financial statements. Qualified audit reports There are three types of qualified report, which become appropriate depending on the circumstances. These reports will contain: n an ‘except for’ opinion n an ‘adverse’ opinion n a ‘disclaimer of’ opinion. This type of reporting is covered in Chapter 17. Management representation letters As part of the completion stage of the audit, a letter is prepared by the auditor on behalf of the management of the company to remind the directors that the responsibility for the preparation of the financial statement is theirs. Because the auditor frequently has to rely on information provided by management, it is 9M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 10 Chapter 2 · External and internal audit usually good practice to confirm this in writing. The content of such a letter is as follows: n Directors acknowledge their responsibilities under the Companies Acts. n Issues arising from the audit where management judgment and opinion are noted. n The draft financial statements do not need to be revised because of post bal- ance sheet events known to the directors but not reported to the auditors. n There are no significant fixed assets held off the balance sheet which would necessitate its revision. n There are no liabilities of a material nature not included in the balance sheet. n There are no contingent liabilities of a material amount for which provision has not been made. This letter of representation is signed by the chairman and company secretary and minuted by the board of directors. The management letter An effective written report to the board of directors preceded by an executive sum- mary is an essential part of communication. Auditors will report on matters that have come to their attention during the course of the audit. These will include: n changes in risk assessment which are an issue; n weaknesses in internal controls; n weaknesses within management information systems; n comments on the work and reliance of internal audit; n issues that relate to the financial statements; n recommendations for change. Management letters are private communications which the board may well dele- gate to the Audit Committee. They are considered by all parties to be important and fundamentally useful. External audits in the public sector External audit reports of central government departments and quangos are un- dertaken by the Comptroller and Auditor General (C&AG) who is not a civil ser- vant but an officer of the House of Commons. The C&AG is responsible for the National Audit Office, with a duty not only to carry out value-for-money reviews but also to audit the government’s appropriation accounts. The C&AG is required to give an opinion that sums expended have been applied for the purposes au- thorised by parliament and that the account properly presents the expenditure and receipts for the year. Audits in local government and the National Health Service are carried out by the Audit Commission in England, a body that controls the audit and inspection process of these public sector bodies. The Audit Commission is an independent body made up of the District Audit Service, comprising civil servants with a financial background and the large firms of chartered accountants that apply for 10M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 11 Auditor liability this type of work. One significant feature in this area is that the audit is rotated and fees are paid by the Audit Commission itself. It is a commonly stated view that this system promotes audit independence and should be used by the private sector. However, this was considered by the Smith Report in January 2003 (see Chapter 5 for a discussion of this report) and rejected as inappropriate, which some might argue was a missed opportunity. (The Smith Report is now incorpo- rated into the Financial Reporting Council’s combined code.) An important difference between local government and the private sector is that financial statements and appropriate supporting documents are put on public view for inspection and query. Members of the public on the electoral roll may take this further by raising objections if they feel expenditure or income is unlawful and the local authority or its employees or elected members have acted with culpable neg- lect. The auditor has the power to issue a ‘certificate of loss’, which is a surcharge requesting the return of public money from an individual. The most famous case involved the surcharge issued to Dame Shirley Porter who was leader of Westminster City Council. She faced accusations of ‘gerrymandering’, resulting from several major housing construction projects aimed at importing affluent voters to London’s Westminster constituency. Dame Shirley later faced a surcharge of £27 million after being accused of selling houses for votes by the Audit Commission. She even- tually settled in 2004 with a payment of £12m. Once again the auditor must pro- vide an opinion which if unqualified would state that the statement of accounts presents fairly the financial position of the Council for the year end. Auditor liability A major error or oversight by the auditor can result in an incorrect opinion. If this happens, the auditor then has a liability to parties who suffer a loss. There are cases of early law which are covered here but the most recent influential contem- porary case was the House of Lords’ ruling in the Caparo case in 1990. Some of the early case law is considered briefly as this is a major subject area. Figure 2.2 outlines the auditor’s legal position. Figure 2.2 Auditor liability – legal aspects Auditor liability Statute (clients) Common law (clients, contract law, third parties, tort) Civil liability Criminal liability Negligence Payment of damages Fine, imprisonment Breach of due professional care and due diligence 11M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 12 Chapter 2 · External and internal audit Re London and General Bank (1895) In this case the company had taken credit for interest accrued on loans which were never likely to be repaid. Many of these loans were statute barred (i.e. uncol- lectable). The auditor was aware of the problem and reported only to the directors and not to the shareholders. Subsequently the financial statements did not show a true and fair view. In summing up, the judge stated that the auditor had a duty to shareholders to report any dishonest acts that had occurred. He said the auditor could not expect to find every error but had a duty to use due care and skill. Re Kingston Cotton Mill Co. Ltd (1896) In this case the accounts had been falsified to a very considerable extent by the managing director, by extensive overvaluations of stock. In this instance the auditors were deceived, and although they acted with due care, they had under- standably missed the deception. Lord Justice Lindley stated that the auditor is not bound to be a detective; he is a watchdog and not a bloodhound. In this instance the directors are liable to the shareholders for fraud. Both this case and Re London and General Bank represent a cornerstone for auditor liability. What are the auditor’s duties? The Companies Acts do not expressly state how an auditor should discharge their duty of care. L. J. Lopes, in Re Kingston Cotton Mill, stated. It is the duty of the auditor to bring to bear on the work he has to perform that skill, care and caution which a reasonably competent, careful and cautious auditor would use. What is reasonable skill, care and caution must depend on the particu- lar circumstances of each case. Donoghue v. Stevenson (1932) This case established that a duty of care is owed to parties outside a contractual relationship. This case refers to the sale of goods and relates to a situation where a customer was sold a bottle of drink with a slug at the bottom. It established the principles of duty of care. Candler v. Crane Christmas (1951) Although the court confirmed that no duty of care is owed to third parties out- side a contractual agreement, the dissenting judgment of Lord Denning signalled the way the law would develop in the future by stating that the accountant owes a duty to any third party who sees the accounts and invests money but that this duty cannot be extended to include strangers. Hedley Byrne & Co. Ltd. v. Heller & Partners (1963) The court accepted the Denning reasoning that a duty of care is owed to third parties where it can be shown that a special relationship exists. The counsel’s opinion was that there is a duty of care only if: n It is clear that the financial loss is attributable to reliance upon the negligently prepared document and no other cause. 12M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 13 Auditor liability n The party issuing the document knew the purpose for which it was being pre- pared and knew (or ought to have known) that it was to be relied upon in that particular context. Therefore, there was no duty of care to individual shareholders who place re- liance on the audit report for investment decisions. The financial statements and the audit report are prepared for the purpose of stewardship and not for future investors. Hedley Byrne v. Heller and Partners (1963) In this case it was determined that the judgment in Candler v. Crane was wrongly decided. Hedley Byrne were advertising agents who wished to extend credit to the company Easipower Ltd. They asked Heller, as the company’s bankers, for a reference in relation to the company’s creditworthiness. The refer- ence was given that the company was respectable but the reference included a disclaimer on the part of the bank if the information was relied on for any in- vestment or business decisions. The advertising agency lost money and sued the bank for negligence. The case was dismissed because of the disclaimer; however, the judge in this instance held that there was a duty of care even though no contractual or fiduci- ary relationship existed. Jeb Fasteners Ltd v. Marks, Bloom & Co. (1981) In this instance, the auditors conducted an audit for a company facing solvency difficulties. They were also subject to a takeover. The assets in the balance sheet were seriously overvalued, hence forcing the company to be taken over at an artificial price. Lord Justice Woolf said that the auditors could reasonably foresee that a takeover company would rely on the audited accounts and therefore suffer a loss if they were inaccurate. Caparo Industries plc v. Dickman & Others (1990) In 1984 Caparo Industries acquired a company called Fidelity on the basis that the company profits were in excess of £1 million. After the takeover, Caparo claimed that the accounts were inaccurate and the reported profit should have been a sub- stantial loss. Caparo claimed that the auditors Touche Ross owed a duty of care to investors and sued them. They claimed Touche Ross should have seen the vulner- ability of the company and therefore foreseen the likelihood of a takeover. How- ever, the Law Lords were unanimous that auditors do not have a duty of care to individual shareholders or future investors. They also came to the conclusion that some previous cases, including Jeb Fasteners v. Marks Bloom & Co., had been decided wrongly. However, Caparo went on to successfully pursue their action for damages against the directors of Fidelity, namely the Dickman brothers. In relation to the Caparo judgment, Lord Bridge laid down the following cir- cumstances in relation to proximity: the auditor will only be liable to the third party if the following circumstances are met: 1. The auditor is aware of the nature of the transaction which the third party is contemplating. 13M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 14 Chapter 2 · External and internal audit 2. The auditor knows that the report will be communicated to the third party either directly or indirectly. 3. The auditor knows that the third party is likely to rely on the report in decid- ing whether or not to engage in the transaction in contemplation. The Caparo judgment is a significant one since the courts are clearly reluctant to im- pose an unacceptable burden on auditors. Yet given the costs involved in lengthy court cases, it is not a surprise that so many cases in recent years, such as Barlow Clowes, BCCI, Maxwell Enterprises and Polly Peck, have been settled out of court. In recent years the collapse of Enron and WorldCom in the USA and the con- sequences for the auditors Arthur Andersen, who were implicated in the scandal, resulted in the USA introducing the Sarbanes Oxley Act 2002. In the UK the courts have been concerned about the burden placed on external auditors since the Caparo case. In order to limit this burden, some auditors have formed limited liability companies; in other cases limited liability partnerships were created as an alternative. Relationship between external and internal audit During the course of their planning, the external auditors should perform a pre- liminary assessment of the internal audit function, when it appears that certain internal audit work is relevant to their external audit. A favourable assessment might allow the external auditors to modify the nature, timing and extent of external audit procedures. External auditors may make use of the work of internal audit in forming their opinion. During the course of their work they will want to measure the effective- ness of internal audit. They do this against the Internal Audit Guidelines approved by the Auditing Practices Board (APB) in 1990. However, it must be stated that external auditors have sole responsibility for their statutory responsibility to provide an audit opinion. Internal audit The Institute of Internal Auditors define internal audit as an independent assur- ance and consulting activity designed to add value and improve the organisation’s objectives. It also helps an organisation accomplish its objectives, and it improves the effectiveness of risk management, control and governance processes. Figure 2.3 for the typical structure of an internal audit department. Internal audit is defined by the APB in its 1990 Internal Audit Guidelines as an independent appraisal function established by the management of an organisa- tion for the review of the internal control system as a service to the organisation. It objectively examines, evaluates and reports on the adequacy of internal control as a proper, economic, efficient and effective use of resources. The essential fea- tures of an effective internal audit department are as follows: n independence n appropriate staffing and training 14M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 15 Internal audit Figure 2.3 Typical structure of an internal audit department Chief executive Director of finance Chief internal auditor Group auditor Group auditor Audit team leader Audit team leader Audit team leader Audit team leader Audit assistant Audit assistant Audit assistant Audit assistant n relationships n due care n planning, controlling and recording n evaluation of the internal control system n evidence n reporting and follow-up. It is a management responsibility to determine the extent of internal control and not to depend on internal audit as a substitute for those controls. Internal audit will assist management in its assessment of risk and its corporate governance responsibility of internal control. One of internal audit’s objectives is to assist management in the pursuit of value for money. It is management’s responsibility to maintain the internal control system and to ensure that resources are properly directed. This, of course, will include a re- sponsibility for the prevention and detection of fraud. If an internal auditor dis- covers evidence of, or suspects, fraud or some other malpractice, they should report their suspicions to the appropriate level of management. It is a manage- ment responsibility to determine what further action to take. Independence This is achieved through the organisational status of internal audit. Clearly it should have freedom to function effectively. The support of management is essen- tial and internal audit should determine its own policies, in consultation with management. The head of internal audit should have direct access to, and free- dom to report to, all senior managers, including the chief executive, finance direc- tor, board of directors and, of course, the Audit Committee. The key attribute of independence is the ability to report unedited in the head of audit’s own name to 15M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 16 Chapter 2 · External and internal audit the highest level of management. Each internal auditor should have an objective attitude of mind and be able to exercise independent judgment, express opinions and make recommendations without any degree of pressure. Staffing and training The APB guidelines state that: n The effectiveness of internal audit depends substantially on the quality, train- ing and experience of its staff. The aim should be to appoint staff with the appropriate background, personal qualities and potential. Thereafter, steps should be taken to provide the necessary experience, training and continuing professional education. n The internal audit unit should be managed by a head of internal audit who should be suitably qualified and should possess wide experience of internal audit and of its management. They should plan, direct, control and motivate the resources available to ensure that the responsibilities of the internal audit unit are met. n The full range of duties may require internal audit staff to be drawn from a va- riety of disciplines. The effectiveness of internal audit may be enhanced by the use of specialist staff, particularly in the internal audit of activities of a techni- cal nature. n The internal audit unit should employ staff with varying types and levels of skills, qualifications and experience in order to satisfy the requirements of each internal audit task. Auditors need to be trained and kept up to date with changes of procedure and legislation. All audit staff should undertake continuing professional development in order to keep themselves up to date. This should be checked by the annual staff appraisal process. Source: After APB Guidelines for Internal Audit, Auditing Practices Board, © Financial Reporting Council (FRC). Adapted and reproduced with the kind permission of the Financial Reporting Council. All rights reserved. For further information please visit www.frc.org.uk or call +44 (0)20 7492 2300. Relationships Auditors have dealings with a wide range of employees and managers and it is important for them to have confidence in the audit process. Many senior man- agers feel a real need for internal audit in helping them verify that their systems work in accordance with their expectations. It is acknowledged that at the lower end of the company some first-line managers do question the need for audit as see it as a drain on their time. Audit interpersonal skills are very important in this instance. Discussions with management are an important part of the audit, and the pre- audit interview is an essential ingredient in the planning process. When the audit is completed, the auditor will want to discuss the findings and recommendations with management prior to the report being issued. This is an essential and important feature of a good working relationship between the auditor and management. 16M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 17 Internal audit Due care The auditor can never give a total assurance that control weaknesses don’t exist but they must be able to demonstrate that due care is exercised and their working papers are consistent. The ethical guidelines published by the professional accountancy bodies are particularly relevant to the work of auditors. The head of internal audit should exercise some degree of quality control over the work of the department’s staff. Planning, controlling and recording The head of internal audit will want to agree a strategic audit plan with the Audit Committee, which will address the audit approach over a period of 2–5 years, the minimum level of cover required (i.e. person-days) and the balance between value- for-money reviews, systems-based and other types of approach. The APB’s internal audit guidelines state the main purposes of internal audit planning as follows: n to determine priorities and to establish the most cost-effective means of achieving audit objectives; n to assist in the direction and control of audit work; n to help ensure that attention is devoted to critical aspects of audit work; n to help ensure that work is completed in accordance with pre-determined targets. According to the guidelines, the stages of internal audit planning are as follows: n to identify the objectives of the organisation; n to define internal audit objectives; n to take account of relevant changes in legislation and other external factors; n to obtain a comprehensive understanding of the organisation’s systems, struc- ture and operations; n to identify, evaluate and rank risks to which the organisation is exposed; n to take account of changes in structures or major systems in the organisation; n to take account of known strengths and weaknesses in the internal control system; n to take account of management concerns and expectations; n to identify audit areas by service, functions and major systems; n to determine the type of audit, e.g. systems, verification or value for money; n to take account of the plans of external audit and other review agencies; n to assess staff resources required, and match with resources available. Source: After APB Guidelines for Internal Audit, Auditing Practices Board, © Financial Reporting Council (FRC). Adapted and reproduced with the kind permission of the Financial Reporting Council. All rights reserved. For further information please visit www.frc.org.uk or call +44 (0)20 7492 2300. The audit plan is broken down into a list of weekly or monthly tasks to be undertaken by staff. Against this plan, the head of audit controls, records and approves the release of the audit report. Evaluation of the internal control systems A systems-based approach to internal audit is advised and recommended. This means that the internal auditor is a control expert. The APB guideline for internal 17M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 18 Chapter 2 · External and internal audit auditors clearly states that controls should ensure that processes meet the systems objectives. The main objectives of the internal control system, according to the guide- lines, are as follows: n to ensure adherence to management policies and directives in order to achieve the organisation’s objectives; n to safeguard assets; n to secure the relevance, reliability and integrity of information, so ensuring as far as possible the completeness and accuracy of records; n to ensure compliance with statutory requirements. When evaluating internal control systems the internal auditor should consider the effect that all the controls have on each other and on related systems. As part of the planning process, the internal auditor should identify the whole range of systems within the organisation. For those systems to be exam- ined, the internal auditor should establish appropriate criteria to determine whether the controls are adequate and assist in achieving the objectives of the system. The stages of a system audit would normally be: n to identify the system parameters; n to determine the control objectives; n to identify expected controls to meet control objectives; n to review the system against expected controls; n to appraise the controls designed into the system against control objectives; n to test the actual controls for effectiveness against control objectives; n to test the operation of controls in practice; n to test an opinion based on audit objectives as to whether the system provides an adequate basis for effective control and whether it is properly operated in practice. Source: After APB Guidelines for Internal Audit, Auditing Practices Board, © Financial Reporting Council (FRC). Adapted and reproduced with the kind permission of the Financial Reporting Council. All rights reserved. For further information please visit www.frc.org.uk or call +44 (0)20 7492 2300. Evidence Evidence is information obtained by the auditor which enables conclusions to be drawn. This will come from the output obtained by substantive testing. The head of audit must be satisfied that evidence is sufficient, reliable and relevant, because judgment will be exercised and an opinion given. Reporting and follow-up The APB Internal Audit Guidelines clearly state that the primary purposes of inter- nal audit reports are to provide management with an opinion as to the adequacy of the internal control system, and to inform management of significant audit findings, conclusions and recommendations. The aim of every internal audit report should be: n to prompt management action to implement recommendations for change leading to improvement in performance and control; n to provide a formal record of points arising from the internal audit assignment and, where appropriate, of agreements reached with management. 18M02_DAVI1735_01_SE_CH02.QXD 8/27/10 9:50 AM Page 19 Internal audit Reporting arrangements, including the format and distribution of internal audit reports, should be agreed with management. The head of internal audit should ensure that reports are sent to managers who have a direct responsibility for the unit or function being audited and who have the authority to take action on the internal audit’s recommendations. Internal audit reports are confidential docu- ments and their distribution should be restricted to those managers who need to know, to the audit committee and to the external auditor. Audit reports in the main can be issued quickly because the auditor is satisfied that system controls are working and meet the control objectives. These reports will therefore have no specific or detailed recommendations. Their formats are held on computer file and they can be quickly run off once the head of audit has approved them. Auditors are expected to report on the nature of the audit and, in particular, the remit which may come from the board but is more likely to be approved by the audit committee. The report will include details of findings, the impact and effect of the findings and, specifically, recommendations for improvement. In some cases a draft report is issued, the facts are verified and discussions held with managers. In other cases, an implementation schedule is attached (see Figure 2.4). Figure 2.4 Implementation schedule for an internal audit report SUBJECT: Vehicle Purchasing REF. NO.: TR/06/08 DATE OF PROPOSED REPORT IMPLEMENTATION PARA. RECOMMENDATION ACCEPT REJECT 6 Vehicles should be A 30/9/XX purchased from two competing organisations Suppliers should be B To be discussed asked to tender on price after a schedule of and provide a discount local suppliers is for bulk buying completed SIGNED: P. Catley DATE: 23.5.201X CODE FOR REPLY NOTE: This form should be detached A. Agreed in full from the audit report and, after B. Agreed in principle, more completion, returned to the research necessary head of audit C. Disagree in present form not later than .................. D. Disagree – reject completely Please attach separate memorandum to amplify recommendations replied to codes B, C or D 19M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 20 Chapter 2 · External and internal audit Reports are received differently according to the varying temperaments of the person being audited. However, the audit becomes a positive tool when logical, workable and pragmatic recommendations are produced. Managers are asked to give their response in writing. Reactions to audit reports should be monitored as a performance indicator for measuring the effectiveness of the internal audit division. Once recommendations have been agreed, a follow-up audit is advised in order to see that these have been implemented and whether the system has improved. In some cases it can be left until the next audit. This is important because, all too often, recommendations are quickly accepted and then forgotten once the audit has been completed. The image and marketing of internal audit Perception is a real skill for the auditor to have. It draws on instinct or gut feel- ing. While it is not, in itself, evidence, it can be used to direct time, attention and effort. The image of audit has always been a matter of some concern. In our experi- ence, some directors of finance have used internal audit as a ‘dumping ground’ for staff who could contribute very little, whose career path was horizontal and would remain so until they retired. Key staff in the audit section have tended to leave for pastures new. In some cases their posts were cut, frozen or filled with somebody unacceptable to the chief internal auditor. When it comes to promotion, chief internal auditors are judged on their work record and the positive results they have obtained, so it is interesting to note how few of them become directors of finance. Many audit sections, including some of the smaller ones, engage in a multitude of non-audit functions. They become part of the system, doing mundane work such as checking refunds, calculating pensions or issuing stationery. Cheques are examined prior to despatch and contract final accounts receive 100% of internal audit’s attention. This cannot be right and it makes one wonder what the barriers to change are. If these could be addressed perhaps chief internal auditors would have a free hand to concentrate on audit issues. The threat of competition and the changing environment mean that the in- centive for review and change is great. No matter how good a service looks, it can be improved. And service delivery, presentation and reporting are among the areas that must be addressed. Auditors must look at their own range of management skills and consider how they deal with conflict and assertiveness as well as their interpersonal skills. Con- tact, marketing and selling skills must also be developed as senior audit staff will become familiar visitors to the offices of the chief officers. The promotion of the internal audit brand is a key feature of raising the depart- ment’s image within the company. A business card and a brochure with contact details can help to do this and should be provided so that managers are aware of the range of services on offer (see Figure 2.5a–c for examples). 20M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 21 Internal audit Figure 2.5 (a) Audit card. (b) Front cover of audit brochure. (c) Inside of audit brochure. ABC INTERNAL AUDIT SERVICE Matt Ferdinandos HQ HEAD OF AUDIT Council Avenue Tel: 081-901-2090 Guildford Surrey Fax: 081-901-9898 GU1 2SA  Quality, Efficiency, Reliability (a) ABC AUDIT SERVICE FOR: Mr J. Ashtead YOUR AUDIT MANAGER WILL BE: Mrs V.F. Munny, FCA Tel.: 081 901 2999 Fax: 081 901 9898  Quality, Efficiency, Reliability (b) ABC INTERNAL AUDIT SERVICE Services offered: l Regulatory/probity audits l Systems audits l Computer audits l VFM reviews l Monitoring studies l Pre- and post-audit interviews with client l Easy access to staff throughout the week to discuss any issue, however small  Quality, Efficiency, Reliability (c) 21M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 22 Chapter 2 · External and internal audit Exhibit 2.1 Performance indicators Audit time Productive time – actual vs. planned (%) Reports produced within target time (%) Reports exceeding target time (%) Time spent on non-audit work (%) Audit cost Average cost per day Total internal audit costs – budget vs. estimate Total costs recharged Audit plans Progress against annual plan Progress against long-term plan Number of reports issued Staff and skill levels Staff in post vs. those required Staff turnover rates Numbers of professionally qualified staff vs. part-qualified Ratio of trainees to total staff Findings and recommendations Recommendations accepted vs. recommendations made (%) Recommendations implemented within 6 months (%) Client reaction Customer satisfaction survey Performance indicators for internal audit The head of internal audit is usually expected to prepare an annual report to the Audit Committee. Some of the performance indicators that might be included in such a report, for internal management information, are shown in Exhibit 2.1. External audit reviews of internal audit It is a function of external audit to evaluate the effectiveness of internal audit work. External auditors must feel a degree of assurance as to its quality, and they will want to assess the performance of internal audit. The Auditing Practices Board Internal Audit Guidelines provide an appropriate benchmark to do this. Some external auditors measure internal audit on a scale of A to D. In this in- stance, full compliance with the guidelines would receive an A, while complete non-compliance would receive a D. There is a standard, ISA 610, which requires the external auditor to assess the quality of the work of internal auditor. A checklist is provided in Figure 2.6, which can serve as a guide in measuring the effectiveness of internal audit. 22M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 23 External audit reviews of internal audit Figure 2.6 External audit’s checklist for the assessment of internal audit Internal Audit Assessment Year ending 31 March 201X Date: ................... ............................. ............................. Status Answer Reference 1. Are role and objectives clearly established? ............................. ................. 2. Does IA have unrestricted access to records? ............................. ................. 3. Is IA independent of line management? ............................. ................. 4. Is IA well regarded in the authority? ............................. ................. Staffing 5. Is staffing adequate for size and scope? ............................. ................. 6. Is complement complete in year? ............................. ................. 7. Are specialist skills available, ............................. ................. e.g. computers, contracts? 8. Do any staff have non-audit duties? ............................. ................. Planning 9. Does IA have a strategic plan? ............................. ................. 10. Is a satisfactory annual plan prepared? ............................. ................. 11. Is the plan being met in this year? ............................. ................. Scope and procedures 12. Is there a manual or equivalent? ............................. ................. 13. Are instructions/work programmes adequate? ............................. ................. 14. Are audit procedures satisfactory? ............................. ................. 15. Have matters of concern been discovered? ............................. ................. 16. Is balance of coverage satisfactory – main ............................. ................. systems, sub-systems, other regularity, projects, VFM etc.? Management 17. Is IA work properly supervised? ............................. ................. 18. Does CIA manage effectively? ............................. ................. Reporting 19. Is the method of reporting satisfactory? ............................. ................. 20. Is progress on recommendations monitored? ............................. ................. 21. Is an annual report prepared? ............................. ................. 22. Does IA have access to top management ............................. ................. Overall conclusion ...................................................... ...................................................... ...................................................... 23M02_DAVI1735_01_SE_CH02.QXD 8/9/10 1:54 PM Page 24 Chapter 2 · External and internal audit Summary This chapter builds on Chapter 1 and goes into more depth of the features of external audit and internal audit. The statutory requirement of external audit is investigated and its key function, which is to provide an opinion on the financial statements, is analysed. External audit case law is examined from early times through to the Caparo case, which is currently the legal precedent for the United Kingdom. There has always been a debate about the effectiveness and usefulness of external audit and the issue of liability should things go wrong. However, its role remains a cornerstone to certify the integrity of the financial statements. Within the regulatory framework, external auditors have a duty to shareholders to perform the role of a watchdog. They are required to check and verify internal audit’s work as part of the process, so that they can be reassured as to the reliability of internal control verification. Internal auditors, whilst having a degree of independence, are salaried employees of the company and are considered to be independent by virtue of their objectivity and provide an appraisal function as a service to management. They are an integral part of the function of internal control. PRACTICE QUESTION ? As part of their review, external auditors must comment on the reliance and effective- ness of internal audit. Discuss how they will go about doing this. 24