The systems approach to internal audit
The Evaluation of Existing Controls
Each systems audit assignment should concentrate on an assessment of the adequacy and reliability of the controls necessary to ensure that each of the agreed control objectives is achieved. This evaluation should form the core part of the audit work. However, other significant aspects of the control environment, the efficiency of the system and the extent that best practice is adopted, should be reviewed and, if appropriate, reported upon.
The evaluation of each existing control should follow a two stage process. A control should only be relied upon if:
–Â the audit evaluation shows that, in theory, the control is adequate and it should significantly help to ensure that an agreed control objective is achieved; and
–Â there is sufficient audit evidence to provide reasonable assurance that the control is operating consistently and reliably.
If the internal auditor, after initial evaluation, concludes that a control is not effective (or is not necessary for the achievement of the relevant control objective) there is no point in testing this control.
Compare actual controls with expected controls
Once the actual controls have been identified, these should be documented and compared with the expected controls. One of the following will apply:
–Â the actual control equals the expected control;
–Â the expected control is absent but adequate compensating controls exist;
–Â the expected control is absent.
It is possible that the controls identified do not match the expected controls and this may indicate the presence of an additional control. This may be evaluated if it is considered to be significant to the achievement of the control objective. Alternatively, an expected control may be missing and, if this is the case, the significance of the omission should be assessed.
Actual and expected controls do not have to be the same; there may be several equally valid ways of controlling a particular process. For this reason internal auditors should ensure that:
–Â when evaluating actual against expected key controls, the existence of compensating controls is considered; and
–Â throughout the control evaluation process, they consider whether all the controls in place are actually necessary.
Removal or amendment of a control procedure may not significantly increase the risks associated with the operation of the system and may result in cost savings.
Evaluation of control weaknesses
The internal audit evaluation should take account of the likelihood of undesirable events occurring (risk) and their significance to the organisation (materiality). Internal auditors should use their judgement to determine what level of control is appropriate in the light of their evaluation of the risks and materiality involved.
Risk may be viewed as the chance (or probability) of one or more of the organisation�s objectives not being met. Materiality is an assessment of the significance of a failure to achieve the objective. Materiality may be measured in terms of the financial consequences, the relative importance of the objective concerned or the sensitivity of the areas concerned. In considering materiality, internal auditors should take into account:
–Â the possible direct and indirect financial consequences;
– the importance of particular management objectives in the context of the organisation�s overall objectives;
–Â the potential for embarrassment or adverse publicity.
Internal auditors should also take into account the cost of reacting to a failure, as well as the effects of the potential failure itself. Such costs may include the costs of any investigation, taking corrective action and supplying appropriate explanations to the regulatory authorities, if relevant.
Compensating controls
There will be occasions when controls internal auditors expect to find are missing. If this happens, they should search for controls that compensate for this potential weakness. For example, in auditing a purchasing system one control objective might be that ��procedures for ordering, payment and recording of expenditure are properly documented and complied with��. Internal auditors find that there are no procedure manuals (an expected control to meet the objective). However, staff operating the system are all highly experienced and knowledgeable, and are closely supervised. In these circumstances, internal auditors may consider the experience and knowledge of the staff and the level of supervision adequately compensates for the absence of manuals, and thus they may conclude that the control objective is adequately achieved despite the absence of such manuals.
Internal auditors should evaluate each existing control to consider whether it is adequate. In addition, they should evaluate the whole spectrum of controls that may help to ensure that a particular control objective is achieved.
Testing existing controls
Once the actual key controls have been identified and evaluated, internal auditors should perform tests to confirm that the controls considered to be adequate and necessary are operating as required and are reliable.
Internal auditors should consider the following points when selecting a sample of transactions to test:
–Â The sample should be selected from the total population, for example, when testing that all payments have been authorised the sample should be selected from a bank statement or payments register rather than from a file of paid invoices.
–Â The period covered by the sample should be appropriate. This should normally be the period since the last audit of the system. However, the sample should be weighted towards the current financial year, especially if the last audit was several years ago. If the system has changed significantly, the sample should only include the period since the changes were introduced.
–Â The method of sample selection should be recorded. The sample should include all significant types of transaction.
–Â Testing should be focused on high risk areas.
Compliance testing
The aim of compliance testing (i.e. test of controls) is to confirm that existing controls are operating as intended and are reliable. An example is checking that each invoice has been initialled to indicate that it was authorised by an appropriate manager. The primary aim of compliance tests is not to identify errors, mistakes or potential fraud, but to identify controls that are not always performed as required. The reasons for any errors or omissions and the reliability of controls are more important to internal auditors than any individual mistakes or omissions. Compliance testing should be the standard form of testing used during systems auditing.
Substantive testing
Substantive testing is concerned with the accuracy and completeness of outputs rather than the adequacy of controls. An example is checking that the amounts paid are the same as the value on the invoice. Substantive testing, therefore, should have a limited role to play in systems auditing. Nevertheless, internal auditors sometimes use it as a means of demonstrating the existence or seriousness of weaknesses, when they are unable to convince management by any other means. Internal auditors should bear in mind that substantive testing is usually not economical and may weaken their arguments if it fails to produce evidence of actual errors.
Testing techniques
There are a number of different ways that internal controls can be tested. Internal auditors should seek to use the most cost-effective source of evidence on the reliability of each control to be tested. The nature of the control will influence the way auditors test it, but there are five main methods of testing:
– Observation is particularly important where there is no permanent record of activities �discrete observation can reveal whether there is improper access to a restricted area.
–Â Interviewing is useful when evidence is absent or unclear. Care should be taken because the behaviour of the auditor could affect the attitude of the person being interviewed and an insensitive approach could lead to an unco-operative and defensive reaction.
–Â Verification involves independently confirming the truth, accuracy or validity of transactions.
However, internal auditor�s prime role is to evaluate and test the controls, not to confirm the validity of the data itself. When using verification tests, auditors should ensure that they are related to the operation of controls. Methods used are:
Comparison – with some ascertainable fact or standard, e.g. that instruction manuals are up-to-date or staff have attended appropriate training courses at prescribed intervals.
Confirmation – checking statements of performance, e.g. checks with customers that supply delivery response times are as stated by the supplier.
Vouching – checking a transaction against supporting documentation, e.g. a payment to a supplier against the corresponding order and goods received note.
Reperformance is particularly relevant where calculations or measurements have been supposedly checked as a control and the auditor wishes to check that the control actually operated.
Analytical review consists of reviewing the reasonableness of significant ratios, trends or other data. For example, a comparison of the ratio of payroll costs to the number of employees over several months. Thus it is primarily a substantive test but it may provide evidence of the quality of the general control environment.
Once the existing controls have been tested for reliability, internal auditors are ready for the most difficult and professional part of their audit assignment, the development of recommendations and conclusions.
Developing Recommendations and Conclusions
Internal audit has two roles which in practice are linked. Firstly, to provide reasonable assurance to the board (or comparable body) that the organisation�s significant risks are being appropriately managed, with an emphasis on the role of internal controls. Secondly, internal audit should be ensuring that the organisations risk management and internal control systems are continually being improved and optimised, in response to an ever-changing environment.
Thus internal auditors should have two essentially different outputs from their assignments. Firstly, a clear opinion or conclusion on the quality of the internal control system they have audited. Secondly, a series of recommendations to improve this system of control or to reduce the risks that the organisation faces. These should not be confused. Therefore the conclusions should not be a summary of the recommendations made. The audit opinion should be a clear message to senior management and the board on the extent that existing controls should adequately address the main risks that the organisation faces in achieving its objectives. Can they sleep safely at night or are there major concerns that should worry them?
Recommendations
Throughout each assignment internal auditors should consider recommendations that could be made. What improvements or refinements can they suggest that would ensure that the organisation achieves its objectives more efficiently or with reduced risk? Whenever they have identified a possible control failure or weakness, they should consider the following:
–Â How important is the control?
–Â Are there compensating or complementary controls which reduce its intrinsic importance?
–Â How serious are the deviations discovered and why did they occur?
–Â Is any control failure likely to be isolated or recurring?
–Â Is further testing (to confirm our opinion) necessary or feasible?
–Â Is the weakness so serious that management needs to be informed immediately?
The recommendations internal auditors make may include the following:
–Â introducing further controls;
–Â refining or amending existing controls to make them more effective;
–Â ensuring that existing controls are applied regularly and consistently;
–Â reducing unnecessary controls;
–Â introducing best practices.
It is important that internal auditors do not just recommend the introduction or strengthening of controls for the sake of it. They should only suggest that controls are improved if they consider that there are significant risks that are not currently being adequately managed or being reduced to an acceptable level. There must be a balance between the risk auditors have identified and the controls they suggest should be implemented. The controls should be proportionate to the significance and likelihood of the relevant risk. The costs of introducing controls should balance the likely costs of the risks that they are designed to manage or reduce. The costs of operating all internal controls should balance the benefits that the organisation may gain from their implementation.
All the recommendations that auditors make should be tailored to the specific circumstances of the organisation. Internal auditors need to think carefully about the sorts of controls that will work within the culture of the organisation and the section or department that they are auditing. The recommendations should be sufficiently detailed to ensure that the managers understand the precise procedures internal audit are suggesting should be introduced. Auditors may be unsure of the exact controls that may work, but this can be established through discussions with the managers when finalising the audit report. Auditors must remember that these managers should understand their systems better than auditors do and they should be prepared to amend their recommendations in the light of these discussions.
Internal auditors may consider that the recommendations they make are necessary to avoid or reduce the risks they have identified. However, the internal control system should remain the responsibility of the relevant managers. If managers agree to implement the recommendations, they should agree that the benefits will outweigh the costs of introducing the additional controls, and that other more cost effective controls are not available.
Which are the important recommendations?
Internal auditors should ensure that managers are aware of those recommendations that internal audit consider particularly important and those that are merely desirable. One way of doing this is to prioritise the internal audit recommendations as follows:
Fundamental – action considered essential to ensure that the organisation is not exposed to high risks.
Significant – action considered necessary to avoid exposure to significant risks.
Advisable – action considered to merit attention and should result in enhanced control or better value for money.
Action plans
Each internal audit report should include an action plan. Internal auditors should aim to help to improve systems of internal control rather than just commenting on its quality. The action plan should be completed by the Systems Manager to indicate their agreement (or otherwise) to each internal audit recommendation. The action plan should also include the managers responsible for implementing each recommendation and a target date for this action.
Follow up
As well as providing recommendations, internal auditors should periodically monitor the extent that their recommendations have been implemented. Where managers indicate that the more significant recommendations have been introduced, internal auditors should carry out suitable tests to confirm that these controls are now operating reliably as planned.
Conclusions
When writing the conclusions or opinions to their audit assignments, internal auditors should consider who the audit report is aimed at and what their particular concerns may be. They should indicate clearly their opinion on the quality of the existing internal controls. They should highlight areas of poor control where they consider that the organisation is at risk, but also ensure that they clearly recognise areas of good control. Internal auditors must provide balanced reports that identify good management practise rather than merely reporting the weaknesses they have identified. As a result of their audit work, internal auditors should form an overall opinion on the extent that existing controls provide adequate assurance, and that all significant risks to the achievement of the system�s objectives are being effectively managed. One way of helping to provide this overall opinion is to grade the quality of the level of assurance provided:
–Â Full assurance.
–Â Substantial assurance.
–Â Limited assurance.
–Â Little assurance.
If internal auditors, as a result of each assignment, develop clear conclusions and practical recommendations they will add value. Internal auditors can only claim to be professionals if they provide professional advice that is accepted and valued by managers. The outcome of each internal audit assignment should be that the risk management and internal control procedures are improved, optimised and refined. This should ensure that internal audit is recognised as an important management tool. Internal auditors should be the controlling conscience of their organisation, and should be working in partnership with managers.
If internal auditors adopt the systems audit approach that I have outlined in these articles they should provide a professional and valued service to their organisation. The outcome of internal audit work should be that the internal control, risk management and corporate governance processes are improved and optimised so that the organisation is better prepared to face its ever-changing environment. Systems audits should enable internal auditors to provide a significant role in the future success of their organisation and help to ensure that the effects of any risks are avoided or at least minimised.
Andy Wynne is Head of Public Sector Technical Issues at ACCA. He is editor of the ACCA e-mail Bulletin for internal auditors.