The origins of internal audit are as an internal check on the accuracy and validity of all payments made

icon

6

pages

icon

English

icon

Documents

Écrit par

Publié par

Le téléchargement nécessite un accès à la bibliothèque YouScribe Tout savoir sur nos offres

icon

6

pages

icon

English

icon

Documents

Le téléchargement nécessite un accès à la bibliothèque YouScribe Tout savoir sur nos offres

Pre-payment checks, compliance audit or risk-based audit what is the most effective role for internal audit? Andy Wynne is Head of Public Sector Technical Issues with the ACCA. He is editor of the ACCA e-mail bulletin for internal auditors. This bulletin is available from the ACCA web-site (www.accaglobal.com) or from info@accaglobal.com. Internal audit comes in all sorts of shapes and sizes. A wide variety of approaches may be adopted and the particular one which is used will differ from organisation to organisation and country to country. These approaches form a continuum from pre-audit, through regularity or compliance audit, to risk-based audit. This article introduces these three main approaches to internal audit, considers the relative merits of pre-audit and compliance audit and introduces risk-based audit. Future articles will provide a more detailed outline of the risk-based approach to internal audit. The origins of internal audit are as an internal check on the accuracy and validity of all payments made by an organisation. No payments could be made without them first being reviewed and stamped for payment by the staff of the internal audit section. Internal audit practice now forms a spectrum from this, original role of internal audit, to risk-based audit. The latter consists of internal audit reviewing the organisation's risk management and internal control systems and processes with only limited testing of internal controls ...
Voir icon arrow

Publié par

Langue

English

Pre-payment checks, compliance audit or risk-based audit what is the
most effective role for internal audit?
Andy Wynne
is Head of Public Sector Technical Issues with the ACCA. He is editor of
the ACCA e-mail bulletin for internal auditors. This bulletin is available from the ACCA
web-site (www.accaglobal.com) or from info@accaglobal.com.
Internal audit comes in all sorts of shapes and sizes. A wide variety of approaches may
be adopted and the particular one which is used will differ from organisation to
organisation and country to country. These approaches form a continuum from pre-
audit, through regularity or compliance audit, to risk-based audit. This article introduces
these three main approaches to internal audit, considers the relative merits of pre-audit
and compliance audit and introduces risk-based audit. Future articles will provide a
more detailed outline of the risk-based approach to internal audit.
The origins of internal audit are as an internal check on the accuracy and validity of all
payments made by an organisation. No payments could be made without them first
being reviewed and stamped for payment by the staff of the internal audit section.
Internal audit practice now forms a spectrum from this, original role of internal audit, to
risk-based audit. The latter consists of internal audit reviewing the organisation's risk
management and internal control systems and processes with only limited testing of
internal controls to ensure that they are actually applied as required.
The Combined Code of the London Stock Exchange requires the boards of all its listed
companies to "maintain a sound system of internal control to safeguard shareholders'
investment" and that "the directors should… conduct a review of the effectiveness of the
group's system of internal controls". In most companies the directors will rely on the
company's internal audit function to directly undertake this review of internal control.
Many people would agree that the objective of internal audit should be to help to ensure
that the internal control system of an entity is adequate and effective. Adequate can be
construed as meaning fit for purpose, so in the context of internal controls, that the
controls are appropriate for the risks which the organisation faces and that they are
actually implemented on a routine basis. The term effectiveness demands more than
this and infers an interest in the actual outcome of the controls, for example ensuring
that the transactions are actually appropriate, accurate and valid. As a result, if internal
audit is to conclude on whether the risk management and internal control systems are
effective, it should undertake at least some substantive testing to confirm whether or not
the internal controls have operated as expected and thus ensured that the transactions
are accurate and valid.
In addition, external audit will often rely on internal audit and as part of this reliance,
may expect internal audit to undertake a degree of substantive testing of at least a
sample of transactions that have been processed by the main financial systems.
Pre-payment audit checks (or pre-audit for short) are examinations of payment vouchers
and other documents before the associated payments are made. The objective of pre-
audit is to ensure that payments made are:
valid
necessary and accurate; and
expenditure is in line with the approved budget.
The advantages of pre-audit are said to be that it can help to:
ensure that all expenditure is necessary and appropriate
ensure that all payments are properly authorised before being made
ensure that expenditure is in accordance with relevant laws and regulations
prevent management fraud
reduce the incidence of fraud or irregularity
confirm the accuracy of the classification and the coding of expenditure
and
ensure arithmetical accuracy of the transactions which are checked.
The pre-audit approach to internal audit is found in many African governments, but also
in France, Portugal, Spain and many other continental European countries with a legal
tradition based on the Napoleonic Code. In these countries, an emphasis is put on the
controls that are exercised by a third party entity, at the centre of government, often an
agency of the ministry of finance or that ministry itself. This entity undertakes pre-audit
checks on all, or a sample of, payments to be made by the relevant public sector
organisations. It may often be combined with the internal audit function. Until recently
this was the approach adopted by the European Commission. Pre-audit, or what the
European Commission terms financial control (or ex ante checking), was undertaken by
the Commission's internal audit service.
Following criticism by the European Parliament of financial management practices within
the European Commission, which led to the resignation of the entire Commission in
March 1999, a Committee of Independent Experts was established. This Committee
concluded that “the existence of a procedure whereby all transactions must receive the
explicit prior approval of a separate financial control service has been a major factor in
relieving Commission managers of a sense of personal responsibility for the operations
they authorise while doing little or nothing to prevent serious irregularities.”
It went on to say that:
whatever the (im)practicalities of these options, the Committee continues to have
strong reservations about them on two points of principle. First, ex ante checking,
whether it be universal or on the basis of sampling, is unlikely to be a cost-effective
process: the effort put in to checking all transactions is clearly disproportionate, while
sampling is unlikely to have sufficient dissuasive effect. The second, and fundamental,
principle is that any retention of ex ante control runs up against the crucial objection
that, de facto if not de jure, it displaces responsibility for financial regularity from the
person actually managing expenditure onto the person approving it. This displacement
of responsibility, meaning in effect that no-one is ultimately responsible.
The Committee also recommended that a professional and independent Internal Audit
Service should be set up reporting directly to the President of the Commission, that the
existing centralised pre-audit function should be dispensed with, and that financial
control — as an integrated part of line management — should be decentralised to the
Directorates-General in the Commission. The Commission announced in January 2000
that it would accept this recommendation, and a reorganisation of the Commission
services began later that year including the establishment of an Internal Audit Service
which was independent of the pre-audit or financial control function.
In Nigeria there has been a debate over the approach which should be adopted by
internal audit for many years. In September 1974, for example the Public Service
Review Commission issued the Udoji Report. The Commission found that
:
checking in the civil service is excessive, and indeed is almost carried to a point
regardless of cost. A case in point is the situation in "self accounting" ministries - that
is, ministries which are themselves responsible for maintaining detailed record of
revenue and expenditure. Payrolls once prepared are immediately checked by staff,
independent of the preparation function, drawn from within the payroll area. The
internal audit division of the ministry then undertakes a further 100 per cent
prepayment check and some months later external audit carry out a test check on the
payrolls.
The Udoji Commission went on to recommend that:
internal check, provided from within the payroll area be strengthened and that a move
be made towards eliminating the prepayment or 'internal check' function of internal
audit to comply with Financial Instruction. Secondly, if this were done, internal audit
would have more time to pursue its intended functions, which should not be part of the
day-to-day control system but rather an independent review of the day-to-day controls,
so as to be able to advice management on their effectiveness and means of
improvement.
Many managers, and even some internal auditors, who have accepted the disadvantages
of pre-audit, see the main role of internal audit as a check that staff are complying with
financial regulations and other procedures or instructions. Most internal auditors now
believe, however, that internal auditors should actually be undertaking the more
sophisticated task of assessing whether all significant risks to the achievement of the
organisation's objectives are being adequately managed. Where this is not the case,
internal auditors should be advising managers on the appropriate controls that could be
introduced to manage the particular risks involved. Managers themselves should become
more involved in the day to day process of ensuring compliance by checking and
authorising individual transactions.
Figure 1: Compliance or risk-based audit?
compliance audit
Financial Regs & Procedures
Actual Practice
risk-based audit
R
i
s
k
s
A
c
t
u
a
l
C
o
n
t
r
o
l
P
r
o
c
e
d
u
r
e
s
Managers often expect internal auditors to identify breaches in financial regulations and
to inform them when staff are not following established practice. This can be a relatively
minor outcome of an internal audit assignment, however, and this approach overlooks
the wider benefits that can be achieved when internal auditors take on the more
important role of assessing the whole control environment and its adequacy and
reliability in managing risk. Under this latter approach (the risk-based approach),
internal auditors have to determine whether compliance with financial regulations and
other instructions will be sufficient to adequately mitigate the risks which the
organisation faces to the achievement of the organisation's objectives. If not, internal
audit may make recommendations to amend financial regulations or other financial
instructions.
There may also be circumstances, where staff are not complying with financial
regulations or other official instructions, but where the revised practices that they have
adopted are actually more cost effective at reducing risks to an acceptable level. In this
case internal audit may recommend that financial regulations etc are amended to require
these revised practices to be adopted. However, in the short-term, until these
amendments are introduced, staff should follow the standing regulations or instructions
unless they are given official permission otherwise.
Figure 2: Compliance checking and risk-based audit
compliance audit
actual
practice
official
instructions
amendments
cost
effective
risk
management
risk-based audit
Effective internal control systems should not only include suitable checks and other
control procedures, but they should also include review processes to ensure that the
checks and controls are actually implemented and complied with. Managers who see
internal audit's role in compliance terms believe that they can rely on internal audit to
ensure that controls are actually reliably followed in all circumstances.
For example, bank reconciliations are a fundamental control in almost all financial
systems, but an effective internal control system will also include a review of each bank
reconciliation by a supervisor or manager to ensure that it has been properly undertaken
and completed promptly. Payment systems will include authorisation processes; they
should also include checks that these have been completed for each payment by
authorised signatories. These reviews involve line management in the internal control
process independent of any internal audit presence. Managers should be responsible for
implementing effective control systems. They should also be responsible for ensuring
that these control systems are routinely complied with.
Compliance audit may be an appropriate activity in an unchanging world. A
comprehensive set of instructors and regulations are developed and reviewed by internal
audit to ensure all existing risks will be avoided. All that is then required is for a regular
check that these instructions are followed by all staff at all times.
But the problem with this approach is that we live in a fast changing world. Personnel
changes, changes in the regulatory or external environment and the introduction of new
processes, all mean that regulations that were suitable at the time they were developed
may now not be appropriate. Effective internal control systems will not only include
checks that regulations are complied with, but also periodic review of these regulations
to ensure that they remain valid. The Federal Government of Nigeria introduced revised
Financial Regulations which were applicable from 1
st
January 2000. Internal auditors
have a professional responsibility to ensure that these regulations are regularly reviewed
and amended as appropriate.
In contrast, systems audit involves the internal auditors reviewing the adequacy of the
system of control and making comments on this rather than on the accuracy or validity
of the actual outputs from the system. This systems approach does not necessarily
mean that direct substantive testing of transactions is abandoned. However, the 1996
edition of the UK's
Government Internal Audit Manual
stated that substantive testing is
"usually uneconomic" and "has a limited role to play in systems auditing".
In the aftermath of the collapse of the international accounting firm, Arthur Andersen,
resulting from its external audit work at Enron it may be that there will be increased
emphasis on the role of substantive audit work in an external audit. Similarly there has
been some talk of a greater role for internal audit and there may be comparable pressure
for internal audit to move back to more direct testing of transactions rather than
concentrating its efforts on the internal controls, their adequacy and reliability.
The full benefits of internal audit can only be achieved if managers and internal auditors
share the same perception of their mutual responsibilities. The view of internal auditors
as only compliance auditors may indicate a limited understanding of the roles of internal
audit and also a lack of understanding of the full range of responsibilities that managers
themselves should have.
Internal auditors should work with managers to facilitate the introduction of effective
control systems. These systems will include:
first order controls to address all significant risks
second order controls involving regular checks that all the first order controls are
actually implemented as required
and
third order controls involving periodic reviews of official instructions and other
internal control procedures to ensue they are revised and adapted as required in
response to the changing risk environment.
Internal auditors should also help to educate managers to ensure that they accept, and
understand, the full range of their responsibilities for internal control. These managerial
responsibilities should include:
designing adequate controls
ensuring compliance with required controls
and
regular reviews and revision of internal control procedures.
The task of internal audit is then to review these internal control systems to ensure that
managers have adequately fulfilled each of these three sets of responsibilities. Internal
auditors should also advise managers on the appropriate controls, compliance checks
and review procedures that they should adopt. Where the organisation has adopted
formal risk management procedures, internal audit should review this process and use
the results of this work to plan the remainder of its work.
This is risk-based audit. An organisation with effective risk-based audit is more likely to
have an effective control system; is less likely to suffer from the range of risks it is
exposed to; and is more likely to be successful. Future articles will provide a more
detailed outline of the methodology of risk-based internal audit.
Voir icon more
Alternate Text