Acadlore takes over the publication of JAFAS from 2023 Vol. 9, No. 4. The preceding volumes were published under a CC BY license by the previous owner, and displayed here as agreed between Acadlore and the owner.
The Role and Key Objectives of the Company’s Internal Audit Process
Abstract:
The role of the internal audit becomes more and more important in the process of assessing and managing the own risks that the company deals with. Consequently, the provision of a risk management system and of an effective internal control system, including the internal audit function, is probably the greatest challenge for the management; the internal auditor also has a vital part in this respect. As such, the internal auditor and the manager should be considered as partners within an entity, having the same targets; some of these targets are the effectiveness of the management process and the achievement of the proposed targets. The internal audit has an important part in creating the management’s responsibility, in the sense that the management has to undertake the proposed recommendations and the fact that they should be implemented, with the purpose of avoiding potential risks. Therefore the main purpose of the internal audit activity was oriented towards the effective management of material, human and financial resources, fraud prevention and minimisation of risks regarding the events and transactions that occur within a company.
1. Introduction
Recent decades have seen significant growth in interpretive studies of contemporary audit practice and regulation. This literature has provided valuable insights into the on-going developments in the audit field, documenting, among other things, the shifting culture within audit firms and the proliferation of the commercialistic values and incentives; motivations for, dynamics and consequences of changes in audit technology; and individual audit practitioners’ and firms’ responses to the challenges presented by the changing regulatory environments, at both national and transnational levels (Coopers and Robson 2006; Robson et al. 2007; Malsch and Gendron 2013; Spence and Carter 2014). While substantially enhancing our understanding of auditing as a social and organizational phenomenon, much of the literature has taken a predominantly explanatory stance on the above developments where scholars observe and make sense of, rather than critically appraise the significance and potential ramifications of, these dynamics and events. There is therefore a risk that, despite the growing scholarly interest in the backstage of audit work and the conduct of governance of audit firms, we are losing sight of the “bigger picture”, such as the implications of the above for the role and societal relevance of the audit function, the standing of auditing in a multi-disciplinary audit firm context, and the future of auditing as a profession.
Audit has been known since the beginning of the 18th century; however, the exact date or the geographical positioning in a certain state is not known. Economic history differentiates several stages of the audit, according to the social category requesting the audit (called audit requestors), the auditors and the audit objectives.
The financial audit – as practice – has a certain evolution. The audit passed through several significant stages. The evolution of audit in the literature in this field is synthesised as follows:
Until 1700, the audit requestors were kings, emperors, churches and states. Clerk men or writers exercised the auditor’s function. Audit during this period was, in general, subordinated to the following objectives: punishing robbers for misuse of funds; patrimony protection.
Between 1700 and 1850, the audit requestors were represented by the states themselves, commercial courts and shareholders. Starting from the mentioned period, the auditors were those having the accounting position. The objectives of exercising the audit were synthesised as follows: repressing the frauds and punishing the persons committing fraud; patrimony protection.
Between 1850-1900, the audit requestors were represented by the different states and by the enterprises’ shareholders. The auditors were professional accountants and lawyers. The objectives of the audit performed during the above mentioned period envisaged the following aspects: avoidance of frauds and errors, certifying the reliability of historic financial statements.
During 1900-1940, the audit was performed by audit and accounting professionals upon the request of shareholders and different states. The purpose of carrying on the audit was the avoidance of frauds and the certification of the reliability of the balance sheet.
Between 1940-1970, when international trade developed and the commodities and services exchange process between states was amplified, the audit was exercised by audit and accounting professionals upon the request of different banks, states and shareholders. The object envisaged was represented by the wish to certify the truthfulness and regularity of the historic financial statements. During this period, due to the development of the accounting profession and to the influences upon the conceptual accounting framework, the Anglo-Saxons developed their audit activity on the European continent.
During the period comprised between 1970-1990, the audit requestors were represented by different third party states, and enterprises shareholders. The auditors (audit professionals, accounting professionals and councillors) had as main objectives the following: certification of the internal control’s quality, observance of the accounting norms and observance of the audit norms.
After 1990, the audit is performed upon the states, third parties, enterprises, and shareholders’ request, by audit professionals and audit councillors. The current objectives of exercising the audit are much more complex and envisage the following: the certification of the accurate account image, certification of the quality of internal control, subject to the observance of the existent accounting and audit norms, protection against international frauds, permits and the global economy’s globalisation trend.
Initially, the audit was exercised upon the request of the enterprises’ owners who wanted to make sure that the accounting matters are accurately recorded and that all assets are correctly accounted for. The large enterprises created following the industrial revolution needed external financing that would complete the owners’ stocks and would allow the acquisition of expensive machinery that occurred on the market. This is the moment in which the importance of the audit increased and in which third parties replaced the owners of the enterprises as main holders of audit’s services.
An activity whose origin is at the beginning of economic history and corresponds to the occurrence of the first state structures, the audit was limited for a long time only to the accuracy and compliance control of the accounting information. The past decades are however marked, on international level, by the maturity of this activity, organised around the profession, having a solid methodology for risk assessment. Starting from the basic activity, the audit practices lead external growth strategies, for internalization and afterwards, diversification. Exceeding the strict accounting and financial acceptance, they have gradually researched the field of assessing the effectiveness of the operational functions of enterprises in order to approach the market of counselling activity. This mutation is profound and it should be analysed from the angle of concepts’ evolution, of technology regulation, market structuring but also from the education and research view point.
The economy internalization represented a driving element for the audit activity. At international level, the profound transformations that affected the audit market during the past decades are directly linked to the liberalization of international trade, opening and de-compartmenting of the stock markets. The audit market has been dominated for a long time by a number of international networks comprising of the large practices out of which the most important ones, initially called the Big Eight, enforced complex strategies of external growth, differentiation, and finally, diversification of activity. Starting from the obvious economic reasoning targets (scale economies, specialisation on a field of activity, standardisation of working methods, accompanying multinational companies), the most original consequence of this strategy is, of course, the emergence of a network effect. The creation and afterwards the animation of a real international network implied significant human and financial investments of the large practices.
The large American enterprises were already using the services provided by the External Audit Practices, independent organisms that had the mission to verify the accounts and the accounting balances, and to verify the final financial statements. In order to fulfil their attributions, the audit practices performed a series of preparatory works in this area, such as: inventory of the patrimony, inspection of accounts, verification of balances, different surveys, etc. that significantly increased the costs of auditing.
The enterprises started to organise their own Internal Audit Practices, especially for the reduction of expenses, by taking over the carrying on of the preparatory works within the entity, and for the carrying on of this certification activity they continued to revert to the External Audit Practices, that had the right to supervise the activities of enterprises. In order to make a differentiation between the auditors of the external audit practices and the auditors of the company subject to the auditing process, the first ones were called external auditors and the second ones were called internal auditors, due to the fact that they were part of the enterprise (Dobroteanu and Dobroteanu 2002, p20).
These changes were beneficial due to the fact that the external auditors do not start their activity from scratch but from the assessment of the reports issued by the internal auditors, to which new findings generated from the enforcement of specific procedures would be added, and afterwards they perform the certification of the audited company’s accounts.
In time, the external auditors gave up performing inventory operations and activities related to the inspection of clients’ accounts and started performing reviews, comparisons and justifying the causes of failures, providing advice and solutions, for the ones that were responsible for the company’s activity. In this manner, objectives, instruments and distinctive reporting systems for internal auditors were settled, as compared to the external auditors.
After the economic crisis was overcome, the auditors continued to be used, due to the fact that they had achieved the necessary knowledge and used techniques and tools that are specific to the accounting field. In time, they have continued extending the audit’s scope and modified its objectives, and so the need to have a function for the internal audit activity within companies came as an idea.
Internal audit is a profession that has constantly been redefined in time, as a request to address the continuous changing needs of companies. Focused in the beginning on accounting aspects with respect to the accountants certification activity, the objectives of the internal audit shifted to the identification of company’s main risks, to the assessment of the internal control of these accounts and increase of their efficiency (Morariu and Amuza-Conabie 2006, p30).
The definitions of the internal auditor vary from the ones that focus on the role of the internal audit in the assessment of internal controls, towards those definitions that comprise most of the functions and the role of the internal audit (Sawyer 2003); gradually, towards the end of the 20th century, internal auditors provide consultancy and recommendations for the general management, getting to take part in the risk management processes, providing recommendations for the improvement of this process. (Staciokas and Rupsys 2005, p174). Some auditors define the internal audit as follows:
- An organised and significant function in the company’s structure;
- A function with diverse attributions and responsibilities;
- A function that through its constant evolution allows the drafting of perspectives. (Renard 2013, p140).
Currently, the field of internal audit has recorded a significant development, and the interests related to the efficiency of this activity envisage mainly qualitative aspects of the economic-financial activity that is specific for companies. The bankruptcies of large corporations (2001-Enron, 2003-Parmalat) and the multiple financial scandals (such as, for example, WorldCom, Adelphia, Qwest Communications, Global Crossing) strongly affected the corporatist life. As an immediate repercussion to these negative aspects of the national economies in different countries, investors started to manifest their distrust in the success of companies and of their own investments. In order to protect investors and settle a rigorous internal control system, a special role and a significant need are granted to the audit process in general and to the internal one in particular.
The dynamics of the changes that put their mark on entities also determined a modification of the internal audit role from an appreciation, monitoring and assessment function to a function that provides assurance, consultancy and assistance for the company’s management. The practitioners of internal audit are requested by the managers of entities to provide their advice, in order to set up the most pertinent decisions. (Sawyer 2003, p62). Internal auditors should prove good skills in detecting fraud through procedures established prior to auditing. This was indicated by several KPMG surveys which showed that internal auditors have detected more frauds than external auditors (KPMG 2003). Thus, in 2003, 65% of frauds were revealed by internal auditors and only 12% by external auditors (KPMG 2003). These figures may be explained by the fact that typically the internal audit work foregoes the external auditing (Church, McMillan and Schneider 1998). Because internal auditors have greater knowledge about a company’s operations than external auditors, they are particularly adept at fraud risk assessment and resolving exceptions identified in an audit. (Schneider 2010, p98).
The Institute of Internal Auditors (IIA) completed the definition of the internal audit in correlation with the evolution of the corporative governance concept, as follows: “the internal audit is an independent assuring and counselling activity that is intended to add value and improve the operations of a company. It helps a company to fulfil its objectives by means of a systematic and methodical approach that assesses and improves the efficiency of the risk management processes, control and governance”. (IIA, 2015).
The standards developed by IIA are the only ones acknowledged and accepted at international level for the internal audit, providing the necessary framework that guarantees the enforcement of the best practices in this field. According to the international audit standards, the scope of the internal audit functions could include the following:
- Monitoring of internal control. The internal audit function could receive tasks related to the review of controls, to monitor the operations and to recommend improvements.
- Examination of financial and operational information. The internal audit function could be assigned to review the methods used for the identification, assessment, classification and reporting of financial and operational information, and could perform specific investigations upon certain individual elements, including all detailed tests related to transactions, balances and procedures.
- Review of operational activities. The internal audit function could be assigned to examine the economy and the effectiveness of the operational activities, including the company’s non-financial activities.
- Review of compliance with the laws and regulations. The internal audit function could be assigned to examine the compliance with the provisions of laws, regulations and other external requirements, and with the management’s policies, with directives and other internal requirements.
- Risk management. The internal audit function could assist the company in identifying and assessing the significant risk exposures and in improving the risk management and the control systems.
- Governance. The internal audit function could assess the governance process from the point of view of fulfilling its targets with respect to ethics and values, efficiency and liability, by communicating the risk and the control information to the respective areas of the company and the effectiveness of communication between persons that are responsible for governance, internal and external auditors and management. (IIA, 2015).
2. Methodology
This article will present certain considerations regarding the following matters: main rules for the organisation and operation of internal audit within the entity, the method to plan the internal audit missions and last but not least, the objectives that shall be imposed by the members of the internal audit department, with the purpose of providing an effective activity with respect to the assessment of risks related to each of the audited areas.
The first section of this article will synthesize some considerations with respect to the following stages: presentation of the aspects related to the purpose, authority and responsibility of the internal audit; the nature of internal audit missions; the principles observed by the members of the internal audit department; the programme for ensuring and improving the quality of the internal audit activity; the planning (the annual plan of the internal audit missions) through reporting to the level identified during the risk assessment process; policies and procedures used in the internal audit activity; the stages of performing an internal mission audit (planning and carrying on the missions, monitoring its evolution).
The purpose of the internal audit is to provide an assurance with respect to the degree of control upon operations carried on by a company, to guide that company in the sense of increasing the effectiveness of the activities carried on and to contribute to the addition of value to the economic and financial results achieved by the company. Therefore the authority of the internal audit department cumulates the following rights:
- Each member of the internal audit department has free access or is accompanied by a representative of the audited company in any location, office, warehouse, cashier’s office, archive, production space, dispatching space, reception etc. in which the audit member requests to enter with the purpose of carrying on his audit mission;
- The members of the internal audit department have the right to get any accounting, financial, banking document, or any other document of a different nature issued or received by the company or that refers to the company’s activity, in the period subject to auditing or in previous periods in order to clarify a current matter;
- The members of the internal audit department have the right to visualise the data bases containing accounting information provided by the informatics programme of the audited company.
The responsibilities assigned to the members of the internal audit department include mainly the following activities: (The Guide for implementation of international standards of internal audit, 2015)
- To develop and periodically update the Operating Regulation of the internal audit department, the Manual of procedures and policies of internal audit, the Annual plan for the audit activities and the Programme for ensuring and improving quality;
- To carry on the audit missions in compliance with the internal audit norms issued by CAFR and with the approved and updated Operating regulation;
- To improve their knowledge, skills and other competences that are necessary through continuous professional training;
- To observe the professional principles in exercising the position held by them;
- To have a special vigilance with respect to the significant risks that could affect the objectives, operations or the patrimony of the audited company.
The audit missions can be divided into the following categories, according to their purpose:
a) Auditing mission related to the quarterly financial statements: verification of the development of the incomes and expenses budget and verification of assets and liabilities patrimony elements; in each quarter the verification of the financial statements will be performed cumulating information from the beginning of the year;
b) Mission for the verification of the internal control procedures on certain sections (areas) of the activities carried on by the audited company; for example: auditing of internal procedures regarding stocks, auditing of taxes and contributions, auditing of investments, auditing of inventory procedures etc.;
c) Mission for the auditing of the annual financial statements, of the balance sheet, of the profit and loss account and the related annexes, prior to the submission of these documents to the financial administrations.
The members of the audit department could carry on, upon the request of a representative of the company’s shareholders or upon the request of a member of the administration board, in addition to the audit missions included in the annual audit plan, the following activities:
- Specific checking of an economic or financial aspect and the presentation of the conclusions in a simplified report; for example: detailing of the company’s turnover on types of clients, the assessment of commercial debts and receivables according to their maturity date, presentation of the computation methodology related to interests attached to a bank credit etc.;
- Accounting or fiscal consultancy for a given matter and presentation of the opinion in a simplified report.
According to the legal norms in force, the internal auditors should not breach the following principles (International Federation of Accountants-IFAC, 2009):
· Independence, principle according to which the internal audit activity should be independent, should not be subject to any interference with respect to the applicability field, the carrying on of the activity and communication of results.
· Objectivity, according to which the internal auditors must develop their activity in order to exhibit an impartial and unbiased attitude and should avoid conflicts of interests. The internal auditors will avoid assessing certain operations for which they were responsible in the past.
· Competency and professional scrupulosity, principle according to which the internal auditors will hold knowledge, skills and abilities that are necessary to exercise their individual responsibilities and to exercise the activity with cautiousness and competency. The internal audit department must refuse a consultancy mission or obtain the advice and assistance of a specialist, if the personnel within the department do not have the knowledge, skills or other abilities for carrying on the mission. Continuous professional training – internal auditors must improve their knowledge, abilities and competencies that are necessary by means of continuous professional training.
Also, the internal audit department will develop and update a programme for the assurance and improvement of quality that would cover all aspects related to the internal audit activity and will permanently monitor the effectiveness of this activity. This programme will include internal and external assessments upon the quality of the activity developed and upon the professionalism of the members of the audit department.
Each part of the programme shall be conceived in such a manner so as to help the internal audit activity to bring additional value and to improve the company’s activities, but also to provide assurance that the internal audit is developed in compliance with the Standards and the Ethical Code.
With respect to the activity related to the planning of internal audit missions, it is necessary that the internal audit department draft an audit plan on an annual or biannual basis that is to be approved by the President of the Administration Board. Upon the planning, the following aspects shall be taken into consideration:
- Planning of the meetings for the Administration Board of the audited company;
- Objectives and decisions of the company’s management and Board;
- Significant risks dealt with by the audited company;
- Quarterly auditing of the financial statements and of the inventory concerning the budget, presented in the meetings held by the Administration Board.
The internal audit department may develop and permanently improve a Manual containing the internal audit policies and procedures that will be applied in the audit missions for the achievement of targets. The audit policies and procedures will be structured depending on the nature of the audit missions.
Internal auditors will identify, assess, review and document information that is sufficient, reliable, relevant and useful for achieving the mission’s objectives. The internal auditors must base their conclusions and the results of the mission on adequate reviews and assessments. Depending on the nature of the mission, the auditors could apply adequate policies and procedures, carrying on the following steps: identification of information, analysis and assessment of issues and of the background, documentation of information and problems encountered with evidence and supporting documents. For example, in the auditing of the financial statements specific procedures for each section will be developed: fixed assets, financial investments, stocks, debts and debtors, banks and availabilities, taxes and contributions, capital and reserves, incomes and expenses, that would review the achievement of a reasonable assurance with respect to the quality of the respective patrimony elements: existence, reality, value, appurtenance and presentation.
Following the enforcement of the adequate policies and procedures related to the development of the mission’s objectives, the internal auditors will develop an audit report in standard format for all types of missions, the structure of this report being regulated by the legal applicable norms.
Besides the mandatory elements included in the internal audit report (stating the objectives of the methodological elements used, the acknowledgements and recommendations etc.), the report will also contain the distinctive presentation of the following aspects:
- positive aspects, in order to generalise (if the case the risks that were diminished through the implementation of the positive aspects will be stated).
- negative aspects, each irregularity identified being presented in three steps:
1. Brief description of the irregularity acknowledged;
2. Stating the effects of the irregularity, of its fiscal or accounting consequences, explicit indication of the regulatory provisions that were breached or of the accounting principles that were breached, the quantification of the negative consequences (as value), to the extent possible;
3. Stating the methods for the resolution of these irregularities and of the methods to eliminate the deficiencies identified.
If the case, the introduction of a distinct paragraph with external risks at which the company is exposed is necessary, including the measures that are enforced by the company or that should be enforced by the company for diminishing / eliminating these risks. In case the company’s management accepted to undertake the risk of not enforcing the necessary measures, this fact will be distinctively specified in the following audit report.
In the second section of this article, a typology of the objectives of an internal audit mission specific for certain areas subject to auditing, that could generate a quantification of the level of risks assessment identified during the carrying on of the audit, will be presented as example. The internal auditor can perform both the operational audit as well as the financial and compliance audits. In these cases, the auditor shall assess the extent to which different functions of the entities are executed in compliance with policies or requirements settled by the management or with certain regulations.
It should be mentioned that any audit mission implies risks, and the identification of these risks, starting from the works’ planning stage, is one of the main objectives of the auditor. This activity, however, is somewhat difficult and does not provide full reliance. Due to this reason, no consensus has been reached so far with respect to the manner in which the problem should be approached. The practitioners use mainly the model provided by the international standards, although this model is often criticised in the literature, the main arguments against it being the simplistic manner in which it deals with the problem and the incapacity to address all auditor’s requirements. On the other hand, the probabilistic models (the Bayesian model, the confidence functions model proposed by Shafer and Srivastava) are most of the time more complex and need a great amount of knowledge from other fields of activity, such as mathematics, statistics etc. The assessment of risks can also be determined through quantitative methods (in percentages) or through qualitative methods (through estimations such as low, medium and high risk).
As a result of the risk assessment activity, according to the appreciation criteria settled, the auditor can present within the internal audit report a list of factors that generated the major risks that were identified, such as:
- Weaknesses of the company’s internal control system;
- Lack of observing or lack of compliance of operations with the internal policies and procedures;
- Lack of identification in due time by the internal control system of risks that have significant impact upon the activity;
- Considering the fact that the risks identified by the internal control system will not occur, but they will have major influences during the future period;
- Lack of compliance of the transactions performed with the legal applicable provisions.
The internal auditor could determine also a total grading of risks, applying the weight at the level of appreciation of each risk factor on levels of risk in order to settle the total grading based on the equation (Ghita 2004):
$P_t = \sum_{i} P_i \times N_i$
Where: $P_t$ – total grading;
$P_i$ – weight of risks for each factor;
$N_i$ – level of risk for each of the factors employed.
For the settlement of the risk weight, the importance and the severity of the risk factors in the respective field are taken into consideration. Also, the sum of the weights related to the risk factors will be 100% for each activity.
3. Results and discussion
The internal audit plan (Table 1) shows a description of the activities subject to auditing within a company, as well as some specific objectives which may be monitored by the auditor during the internal audit missions.
Areas subject to the auditing process | Internal audit objectives |
---|---|
1. Auditing of incomes | - Review of the main categories of incomes and the process analysis with respect to the internal control over operations - Analytical procedures, identification and investigation of unusual elements - Settlement of prices, deviations from the standard prices - Assessment of the processes automation degree, system’s interfaces - Segregation of responsibilities and control of access in physical systems and locations - Invoicing the services rendered and collection - Collection of debts (cash, bank etc.) - Collection and management of cash transactions - Tips management - Discounts and adjustments, corrections and non-standard elements - Daily controls and reconciliations (e.g. EoD review) - Analysis of fraud indicators - Management reporting |
2. Auditing of costs | - Review of the main cost elements - Analytical procedures regarding expenses transactions and investigation of unusual elements - Verification of significant cost elements - Analysis of fraud indicators - Management reporting |
3. Acquisitions, investments, suppliers | - Analysis of acquisition procedures, roles and responsibilities, approval limits - Data base of the active suppliers - Analytical procedures upon acquisition transactions and investigation of unusual elements - Testing of the process related to the selection of tenders - Conclusion of contracts with suppliers - Acquisition orders (process, approvals, analysis of tenders) - Documentation of receptions, management of differences and problems related to reception - Contractual discounts, contractual penalties - Returns, cancellations and adjustments - Approval of payments and processing of payments - Analysis of fraud indicators |
4. Stocks | - Analysis of stock levels during that period and investigation of discrepancies - Analytical procedures, identification and investigation of unusual elements - The process related to the order and acquisition of stocks - Quantitative and qualitative reception, inventory inflow - Storage (administration management, physical storage, environmental conditions in the warehouse) - Analysis of using stocks (inventory outflow, on categories: consumption, normal losses, inventory losses) - Transfers of stocks between administrations - Automation of the inventory outflow - Treatment of slow movement and obsolete stocks; calculation of the net achievable value, examination of the manner in which provisions are constituted - Outage (approval of outages, inventory outflow, recovery / downfall) - Assistance during physical inventory (full process: from planning to recording deficiencies) - Manual adjustments and corrections upon stocks - Stock rotation speed, comparative analysis with the indicators obtained during previous periods - Analysis of fraud indicators - Management reporting |
5. HR and salaries | - Analysis of HR and salaries policies and procedures - Recruitment and candidates selection process - Work contracts - Management of daily workers - Controls upon employees data bases - Time tracking, approval of tally sheets, overtime, leaves, etc. - Computation of salaries, including the verification of the variable component (e.g. bonus, commission) - Payment of salaries - Manual adjustments and corrections of salaries (e.g. salary withdrawals, corrections, etc.) - Termination of contracts, manner to terminate the collaboration, termination of debts, receivables - Analysis of fraud indicators - Management reporting |
6. Audit of the IT function | - Procedures for the development of systems (implementation, change management, user acceptance testing) - Support procedures for business (e.g. helpdesk, support) - Assessment of security of informatics systems - IT administration activities (user management, scheduled maintenance, updates) - Business continuity and disaster recovery planning (e.g. backup, recovery procedures, testing) - Review of the list of users in the systems with their related access rights - Review of the contracts concluded with IT services suppliers (scope, obligations, payment model, SLA, etc.) - Inventory of IT licences - Inventory and assessment of hardware architecture - Analysis of fraud indicators - Management reporting - Identification of main IT cost elements (services, contractors, maintenance) - Analysis of main contracts and assessment of their substance - Analysis of the budget for the planned IT investments |
7. General assessment of the control environment | - Roles and responsibilities of the management and employees - Efficiency objectives and assessment of these objectives - History of incidents, investigations, disciplinary actions |
8. Assessment of the fraud risk | - Assessment of the fraud risk within the process under review (discussions with the management, analysis of potential fraud cases that occurred previously, etc.) - Identification of potential fraud schemes - Prioritization of identified fraud risks (financial impact, reputation impact, impact upon efficiency, loss of assets etc.) - Assessment of the existent controls for the minimisation of fraud risks and mapping the controls with the identified fraud schemes - Analysis of potential “fraud indicators” that should be analysed / monitored (for example: constant exceeding of the sales targets, irrespective of the general economic conditions; high frequency of unusual transactions such as cancellations of accounting records; lack of correlation between different financial indicators or efficiency indicators etc.) - Unexpected evolutions of certain classes of incomes / expenses, or variations of some balance sheet elements in time (for example: significant balances of transitory accounts; lack of periodical reconciliation of these accounts; increased number of transactions “with error” or special approvals that did not follow the normal operational flow; internal control procedures that were not observed (for example, the access passwords for accessing the system are known by colleagues)) |
After reviewing the objectives proposed for verification, the auditor can draft a list of the deficiencies identified and of the associated risks.
For example, depending on the operational activities subject to auditing, the auditor could identify a series of deficiencies and associated risks, such as:
- The activity of collecting incomes may generate risks concerning incorrect record-keeping of collection documents, various errors in the registration of incomes, incorrect collection of customer payments; a pricing model not aligned with market positioning and company strategy; accumulation of bad debts; ineffective collection activities; approval of transactions with customers that are not creditworthy etc.
- The activity of monitoring costs may generate risks linked to fictitious purchases (paid and not received), payments for services which were not actually rendered, low value for money (overpriced) purchases (e.g. from a single source, no bidding), acceptance of inappropriate products (expired, poor quality), kickbacks or commissions from suppliers etc.
- The activity regarding general procurement, capex projects and property management may generate risks linked to poor value for money of purchases (e.g. excessive prices), invalid purchase requisitions or orders, fictitious receipt of goods and services, lack of supporting documentation for deliveries or services (e.g. contracts, etc.), procurement fraud (e.g. incentives from suppliers), unauthorised returns, price or quantity adjustments, poor quality of services, inaccurate calculation of billing, unauthorised capex investments, acceptance of inadequate works, investments without a proper business case analysis, a weak physical assets count process, unauthorised disposal of assets (including the selling price) etc.
- The activity concerning stocks management may generate risks of inaccurate recipes set-up in the system, inaccurate recording of consumption of inventory, an ineffective periodic inventory count process, accumulation of slow-moving inventory etc.
- The activity of human resources and payroll may generate risks related to unauthorised base salary levels, unauthorised changes to the employee database, ghost employees on payroll, inaccurate employee payroll cut-offs (new hires, leavers), fictitious attendance or overtime, inaccurate calculation of bonuses, incorrect payment of salaries etc.
- The activity of IT management may generate risks such as an inconsistent system development methodology, acquisition of hardware/software with inadequate specifications, breaches or hacks in the IT infrastructure, incorrect definition of access rights (including segregation of duties, account sharing), fraud due to lack of IT application controls, leakage or disclosure of private or confidential data, inefficient or low-quality IT support to the business, critical data losses, back-up or disaster recovery failure etc.
- The activity of assessing the internal control environment, from the perspective of the role this activity plays in supervising the conformity of operations with financial policies and procedures, may generate risks such as non-compliance with revenue recognition principles, incorrect or poorly documented accounting policies, no accrual basis for transactions, unrecorded liabilities and supplier cut-off, inaccurate management reporting, delays in closing and producing the financial reports, management manipulation of financial statements (e.g. profitability), an ineffective budgeting process, incomplete or insufficient supporting documents to prove deductibility of expenses, non-compliance with tax legislation (reporting, calculation), lack of knowledge of changes and developments in tax legislation etc.
Based on the findings from verifying the audit objectives presented in Table 1, the auditor can identify the areas or locations likely to generate potential risks, and can quantify the effects or the impact of such risks. In this respect it is important that the internal auditor drafts and presents to the management a list of proposed optimisation solutions and centralises the actual savings that result from the analysis of the audited activities. For example, if the internal audit identifies a payment made to a fictitious beneficiary, or even a fraud, and the management enforces measures to recover the respective funds, this represents an actual saving for the company, and consequently the efficiency of the internal audit is demonstrated.
The internal audit activity also quantifies the financial benefits generated when the operational management changes the company’s processes as a result of implementing the recommendations proposed by the internal auditor. The review of certain procedures, or the implementation of new ones aimed at increasing their transparency and level of control (such as the improvement of some internal control activities, proposals related to the optimisation of costs and the increase of incomes, documentation of the process for selecting suppliers etc.), could allow the internal auditor to propose further cost reductions as part of its own value added programme (Popescu and Vasile 2011).
Based on the conclusions of an internal audit activity, the auditor can also assess the financial impact that the identified risks could have in the future if, following the internal audit, the internal control or the processes were improved within a given period of time. The cost after implementing the new control activities can be shown to be lower than before the respective changes through the cost differences. For example, if the internal auditor recommends developing a system for implementing anti-fraud policies in order to reduce the risk of losses from the misappropriation of stocks from the company’s assets, the cost savings can be assessed over a projected period of a few years, reporting to the management that the costs incurred from stock losses will be reduced by a certain percentage (e.g. 25%).
Table 2 provides a qualitative estimation of the risk level based on 6 selected appreciation criteria, obtained by applying a level of appreciation to each risk assessment factor.
Auditable areas/Objectives | C1. System prone to errors, inadequate system | C2. Low expertise of the accountant in this particular area | C3. Complex transactions in their nature | C4. Risk of losses/fraud | C5. Many professional judgments/estimates | C6. Unusual transactions | Total risks | Share in the total (%) | Risk assessments |
---|---|---|---|---|---|---|---|---|---|
A. Intangible fixed assets | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0.00 | Very low |
B. Tangible fixed assets | 1 | 0 | 0 | 1 | 0 | 0 | 2 | 33 | Moderate |
C. Investments | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0.00 | Very low |
D. Inventories | 1 | 1 | 1 | 1 | 1 | 1 | 6 | 100 | Very high |
E. Debtors | 0 | 1 | 0 | 0 | 1 | 1 | 2 | 33 | Moderate |
F. Creditors | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 17 | Low |
G. Bank balances and cash in hand | 1 | 0 | 0 | 1 | 0 | 1 | 3 | 50 | Moderate |
H. Liabilities, contingencies and charges | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0.00 | Very low |
I. Sales and income | 1 | 1 | 1 | 1 | 1 | 0 | 5 | 83 | High |
J. Purchases and Expenditures | 1 | 0 | 1 | 1 | 0 | 1 | 4 | 67 | High |
K. Salaries and wages | 0 | 1 | 0 | 0 | 1 | 0 | 2 | 33 | Moderate |

Risk rating | Entity Level Risk Assessment |
---|---|
0/6 = 0% | Very low |
1/6 = 17% | Low |
2/6 = 33% | Moderate |
3/6 = 50% | Moderate |
4/6 = 67% | High |
5/6 = 83% | High |
6/6 = 100% | Very high |

As such, once the risk level has been set for the 11 areas subject to the auditing process shown in Table 2, these activities can be classified by risk assessment according to the total grades obtained previously, determined by the impact generated upon the area subject to auditing, differentiating the risks on a scale with 5 levels: very low, low, moderate, high and very high.
Therefore, when developing the audit plan, the internal auditor will take into consideration the activities that present a high risk and, if possible, the ones with medium risk depending on their importance; the ones with low risk will be kept under supervision and will be included in the audit plan at least once a year.
Based on the total grading obtained, in accordance with the impact produced upon the audited field, the auditor will develop a classification of the audited activities depending on the level of the identified risk. As such, the fields that present significant risks will be included in the risk classification stage.
For example, if for the auditable activity called “Inventories” we set the following risk factor hierarchy: C1-15%, C2-10%, C3-5%, C4-40%, C5-5%, C6-25%, the total grading of the risk held by this auditable area will be: 1*15% + 1*10% + 1*5% + 1*40% + 1*5% + 1*25% = 1.00.
According to the same method, for the auditable activity called “Creditors”, the total grading of the risk held by this auditable area will be 0*15% + 0*10% + 0*5% + 1*40% + 0*5% + 0*25% = 0.40.
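The same total grading, $P_t = \sum P_i \times N_i$, carried through for every area in Table 2, as an added example that is not part of the original article. It assumes the weights given for “Inventories” apply to all areas (the article uses them only for Inventories and Creditors), and it also checks each row's printed “Total risks” against the sum of its six flags.

```python
# Flags and "Total risks" values are transcribed from the article's Table 2;
# the weights are the ones the article assigns in its Inventories example.
# Applying those weights to every area is an assumption of this example.
WEIGHTS = {"C1": 15, "C2": 10, "C3": 5, "C4": 40, "C5": 5, "C6": 25}  # P_i, in %

# area -> (N_i flags for C1..C6, "Total risks" as printed)
TABLE_2 = {
    "A. Intangible fixed assets": ((0, 0, 0, 0, 0, 0), 0),
    "B. Tangible fixed assets": ((1, 0, 0, 1, 0, 0), 2),
    "C. Investments": ((0, 0, 0, 0, 0, 0), 0),
    "D. Inventories": ((1, 1, 1, 1, 1, 1), 6),
    "E. Debtors": ((0, 1, 0, 0, 1, 1), 2),
    "F. Creditors": ((0, 0, 0, 1, 0, 0), 1),
    "G. Bank balances and cash in hand": ((1, 0, 0, 1, 0, 1), 3),
    "H. Liabilities, contingencies and charges": ((0, 0, 0, 0, 0, 0), 0),
    "I. Sales and income": ((1, 1, 1, 1, 1, 0), 5),
    "J. Purchases and Expenditures": ((1, 0, 1, 1, 0, 1), 4),
    "K. Salaries and wages": ((0, 1, 0, 0, 1, 0), 2),
}


def total_grading(levels, weights=WEIGHTS):
    """Return P_t = sum(P_i * N_i) in percent; weights must sum to 100%."""
    if sum(weights.values()) != 100:
        raise ValueError("risk-factor weights must sum to 100%")
    if len(levels) != len(weights):
        raise ValueError("one risk level is required per risk factor")
    return sum(p * n for p, n in zip(weights.values(), levels))


def inconsistent_rows(table=TABLE_2):
    """Areas whose printed 'Total risks' differs from the sum of their flags."""
    return [area for area, (flags, printed) in table.items() if sum(flags) != printed]


def rank_areas(table=TABLE_2, weights=WEIGHTS):
    """Areas ordered by weighted grading, highest first (ties by name)."""
    graded = [(area, total_grading(flags, weights)) for area, (flags, _) in table.items()]
    return sorted(graded, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for area, grading in rank_areas():
        unweighted = round(100 * sum(TABLE_2[area][0]) / len(WEIGHTS))
        print(f"{area:<45} weighted {grading:>3}%  unweighted {unweighted:>3}%")
    print("Rows to recheck:", inconsistent_rows())
```

With these weights, “Purchases and Expenditures” (4 of 6 factors) grades above “Sales and income” (5 of 6) because C4 and C6 carry most of the weight. On the table as printed, the “Debtors” row's flags sum to 3 while its “Total risks” column reads 2, which the check reports.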
4. Conclusions
The implementation of an effective internal audit activity generates added value for companies through the savings it generates, the opportunities it creates and the losses that can be avoided due to its actions, and also because it ensures transparency in the company’s activities and contributes to the effectiveness of its policies.
The internal auditor must play an active role in persuading managers to implement an effective risk management system, maintained through an internal control system that is supervised in turn by the company’s internal audit. Through the opinions and recommendations formulated during the assurance and counselling meetings, the internal audit contributes to risk management and plays an important part in the company’s progress. The value of the internal audit is also represented by its capacity to improve the internal control system of the company.
The independence of the internal auditor, conferred by the applicable legal provisions, should also be considered. It should not represent an impediment for the management; on the contrary, the general management of entities should understand that the internal audit activity is not directed only towards the “convenient” areas, but is a form of help that is sometimes uncomfortable but very necessary.
In reality, however, the internal audit is often subordinated to the company’s management, a practice that limits and infringes upon the attributions of the internal audit. For this reason, the management of a company should appreciate the real role of the internal audit, which is to expose and analyse the risks associated with auditable activities. As such, the general management of the company must implement the recommendations proposed by the internal audit in order to avoid risks and achieve its targets. If the management refuses the proposed recommendations and does not remedy the deficiencies identified by the auditor, then the management assumes certain risks.
A permanent priority of the internal audit function must be the refinement of the risk quantification model. The objectives of the internal auditor must be oriented towards an optimum allocation of audit resources, towards the audits with the highest risk for the recovery of the company’s activities, and towards the saving of resources based on risk analysis.