The Objectives and Benefits of an Internal Audit
[3rd April, 2009 Issues 2]
What is an internal audit?
An internal audit is fundamentally a review. This can encompass any aspect or part of the business where management believes there might be risk or where they could find improvement in efficiency. An internal audit generally involves the following activities:
-
Performing procedures to obtain sufficient evidence to understand the design of the entity's internal controls, procedures and processes and to evaluate the effectiveness and efficiency.
-
Obtaining an understanding of management's process for evaluating the effectiveness of the entity's internal controls, procedures and processes.
-
Determining risk, detection of fraud from evidence, presentation of weakness and recommendation of improvements.
- Testing of improvements following implementation of changes.
The Committee of Sponsoring Organizations (COSO) defines internal control as 'a process effected by an entity's board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.'
In simple words, an internal audit is an audit of an entity's internal workings; it's systems and procedures and how these are implemented.
How do internal and external audits differ?
All foreign invested companies in China are required to have an independent auditor carry out an annual statutory audit in line with the Chinese accounting regulations. The primary responsibility of an independent auditor is to express an opinion on the financial statements, based on the audit findings, and to report this opinion to shareholders. This audit involves obtaining evidence about the amounts and disclosures contained in the financial statements and accordingly, the independent auditor's audit risk is a function of the risk of material misstatement, comprising inherent risk and control risk, and detection risk. The independent auditor might review internal controls in conjunction with an entity's true and fair preparation and presentation of the financial statements, but they are not required to express an opinion on the effectiveness of the entity's overall internal controls. Therefore, whilst the accounts might look fine and be prepared in accordance with the regulations, they will not provide details of where business risks lie nor of weaknesses in processes or inefficiencies.
This is the role of an 'internal auditor', to assist senior management in maintaining effective internal controls and ultimately in reducing business risks. An internal auditor is not though, by definition necessarily someone who works for the company, but more it is a description of the nature and scope of their work. It is common for companies to outsource their internal audit work, in order to reduce any risk of collusion due to employee relationships within the organisation. Furthermore, the reporting line of the internal auditor is often direct to senior management, the board or an audit committee.
Examples of an internal audit scope are:
-
Review of supply chain contracts for reasonableness to market price, purchasing procedures and segregation of decisions.
-
Review of management expense claim forms and their adherence to company policy and sign-off procedures.
-
Review of petty cash and banking procedures, authorisations and levels of segregation of authority and controls.
-
Review of the IT environment to check whether proper controls are in place.
-
Review of the organisational structure to check whether there is proper segregation of duties.
-
Review of inventory management systems, goods received, goods out etc.
Is an internal audit a must?
Although companies in China are not required by law to perform internal audits, more and more companies are becoming aware of the importance of internal audit as an effective tool to ensure the companies are operating in an effective and efficient way, the financial reports submitted to the government authorities and public are reflecting the true position and performance of the companies, and most importantly the companies are in compliance with the relevant laws and regulations, such as tax laws and regulations, labor law etc. Companies are now facing growing uncertainty due to the current world economic situation, and with this comes greater risks. In order to better protect a company's interests, management should adopt a risk management approach to its internal workings and link this with an internal audit strategy.
How does an internal audit help an entity?
A comprehensive risk management model should include assurances that advise the management on how well the processes are working and how well the risks are managed. Assurances comprise both internal and external. Internal audit can provide management with independent assurance on a diverse range of tasks, including but not limited to fair presentation of financial statements that external audit will do. An effective audit committee will seek assurances on the entity's key risk areas, so that the management can assess whether the risks associated with the entity are managed appropriately.
Internal audit helps the entity to answer questions like:
-
Is the organisational structure of the entity appropriate?
-
Is there pressure for management to meet unrealistic performance targets -- particularly for short-term results-- and to what extent is compensation based on achieving those performance targets?
-
Is there adequate definition of key managers' responsibilities, and how do you ensure that there is an understanding of these responsibilities? Is there adequate knowledge and experience in key managers in light of their responsibilities? Are there control-related standards and procedures, including employee job descriptions?
-
How do you answer the question 'What can go wrong?' in terms of financial reporting?
-
Have procedures been established over the capture of all transactions and events relevant to financial reporting? Are there procedures over the accuracy of estimating processes?
-
Is the accounting system designed to work from the capturing of transactions or events to the recording in the general ledger?
-
Are there procedures in place to make all the necessary information available and communicated to the right people on a timely basis and to make good financial reporting decisions beyond just the recording of transactions?
-
What are the controls that are designed to prevent or detect errors or fraud in financial statement elements?
-
Is there proper segregation of duties in sensitive areas?
-
Is there high decentralisation that leaves top management unaware of actions taken at lower organisational levels, and thereby reduces the chances of getting caught?
-
Who monitors internal controls and how do they do this? Is it sufficiently directed to specific controls and identifying deficiencies in them?
-
Is there an effective channel for employees to communicate with senior management?
Summary
Internal audit can help to identify risks which may lead an entity to fail in achieving its performance and profits targets, preventing loss of assets and resources, ensuring reliable financial reporting, and that it complies with the various laws and regulations. It should be an integral part of an organisation's management tools and it's reach should be to all parts of the organisation, without limitation.
|
