Differences between internal and external audit - Essay Example

? Internal vs. External Auditing Introduction “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management control, and governance processes” (The Institute of Internal auditors, “The Professional Practices Framework”, June 2002, qtd. in Charlesworth and Veselov n.d.) The internal audit function seeks determine to express an opinion on whether an entity’s financial statements show a true and fair view of the companies operations. Inclusive in showing a fair view is the need to ensure that it has been prepared in accordance with geberally accepted accounting standards. Differences between internal and external audit Internal and external audit differs in terms of objectives, scope, level of independence of the auditor, and methodology. Objectives The internal auditor’s objective is to ensure that sound risk management and control systems are in place to prevent errors and fraud from occurring. The external auditor’s objective on the other hand is to ensure that the accounts show a true and fair view. Therefore the necessary tests should be carried out to ensure that the financial statements can be relied upon to give a true and fair view. Scope of Work The scope of the internal auditors work is dependent on the management and directors of the organization. It is normal that less emphasis is placed on materiality considerations. The scope of the external auditor’s role is laid down in the state. Their primary concern is to ensure that the financial statements are free from material misstatements. Independence The internal auditor’s is employed by the organisation and the internal audit function is determined by management. However, the International Standards for the Professional Practice of Internal Auditing requires that their members exercise their independence in carrying out their role. The external auditor is independent of the organization and Generally Accepted Auditing Standards requires that this independence be seen to exist. Internal Audit Procedures at a University The internal audit at a University would report to the University Council through the Audit Committee on the systems of governance, internal control, value for money and the extent to which strategic initiatives that have been undertaken at the University are achieving their goals. The scope of the internal auditors work is wide as it covers non financial areas within the University. It consists of multiple audits in any one year and involves a range of areas in the University’s operations. Internal audit is would be part of the internal control system of the organization. The internal auditor would be required to prepare a risk based plan annually. The work will be performed on the most risky aspects of the University’s operating environment first. External Audit Procedures at a University The external auditor’s procedures which represents a statutory requirement checks whether the University’s accounts present a true and fair view of the financial position. A plan is prepared based on an assessment of the University’s operating environment. This activity is normally performed at after the end of the financial year. However, the external auditor may seek to carry out an interim audit during the course of the year so as to lessen the amount of work done at the final year end audit. The interim work normally include risk assessments to determine where weaknesses exists that could result in material misstatements of the financial statements. The external auditor would also evaluate the work of the internal auditor to determine if the external audit work could be reduced (CICA 2010). Similarities between Internal and External Auditors Both internal and external auditors are required to plan their work in relation to their objectives in carrying out the audit. The CAS 300 refers to the planning the audit of the financial statements. The International Standards for the Professional Practice of Internal Auditing indicates the internal auditor should establish risk-based plans to determine the priorities of the internal audit activity such that they are consistent with the organisation’s goals (Theiia 2010). Reliance of the external auditor on the work of the internal auditor The extent to which the external auditor should rely on the work of the internal auditor depends on a number of factors which should be carefully evaluated by the external auditor. Reliance on such work does not reduce the external auditor’s responsibility. However, reliance on the internal auditor’s work will reduce the amount of work carried out by the external auditor. According to CICA (2010), Canadian auditing Standards (CAS) 610 requires that in order to determine whether the internal auditor’s work is adequate for the purposes of the audit the external auditor should consider the following in its evaluation: the level of objectivity and independence of the internal auditor; the technical competence of the internal auditor; the level of professional care with which the internal auditor carries out the role; whether there is likely to be effective communication between the internal auditor and the external auditor. Level of Objectivity and Independence Objectivity and Independence are two of the fundamental requirements of an auditor. The internal auditor must be independent and objective in carrying out their role. Theiia (2010) defines independence as: the freedom from any condition that threaten the internal auditor’s ability to carry out the internal audit function. The degree of independence ascertained will depend on the level of access the internal auditor has to the senior management and the board. If this access is limited then independence will not exist. Theiia (2010) also defines objectivity as the ability of the internal auditor to perform work without any bias attached and in a manner which indicates confidence in the work performed in relation to the quality of the work done. It requires that the internal auditor relies on his/her own judgement. Theiia (2010) further points out that a report on the organisational independence of the activities carried out by the internal auditor needs to be confirmed annually. The external auditor should determine the objectivity of the internal audit function with reference to the degree of independence of the external auditor before making a decision of whether to rely on internal audit reports. The internal auditor employed by the organisation and is answerable to its management. However, Theiia (2010) requires that the internal auditors should exercise objectivity and objectivity in carrying out their role. Due professional care Theiia (2010) requires that the internal auditor carry out the internal audit function with due professional care. The standards states that the internal auditor should apply the necessary care and skill required of a reasonably prudent and competent internal auditor (Theiia 2010). The International Standards for The Professional Practice of Internal Auditing also indicates that in exercising due professional care the internal auditor must consider: The extent of work that is required to achieve the objectives of the audit; The complexity, significance and materiality of the items to which to which audit assurance procedures are being applied; the adequacy and effectiveness of the governance, risk management and control procedures; the possibility of significant errors, fraud or noncompliance with procedures; and The cost of assurance in relation to the benefits to be derived from carrying out the procedures. Additionally, International Standards for The Professional Practice of Internal Auditing requires that the use of technology and other data analysis techniques be considered in carrying out the audit (Theiia 2010). The technical competence of the internal auditor This area is of prime importance and gives due regard to training and qualification. Theiia (2010) require the internal auditor to be in possession of the skills knowledge and other competencies that are required for the responsibilities attached to the internal audit function. The internal auditor is required to demonstrate this proficiency by obtaining the necessary professional certifications and qualifications. One such qualification is the Certified Internal Auditor designation. There are other designations that are offered by Theiaa and other accounting bodies. Though the standard requires the auditor to have sufficient knowledge to evaluate the risk of fraud and the way in which it is managed by the organisation, the internal auditor is not expected to have the level of expertise expected of a professional whose primary role is to detect and investigate fraud. The internal auditor is also expected to have knowledge of key risks associated with the use of information technology (IT) but not necessarily to the level of a professional whose main role is to carry out (Theiia 2010). Theiia (2010) also stresses the importance of the internal auditor enhancing knowledge, skills and other competences through involvement in continual professional development programs whether internally or externally. To this end a quality assurance and improvement program needs to be developed and maintained. This should cover all aspects of the internal audit activity. Possibility of effective communication The external auditor is only able to give due regard to the internal auditor’s work if effective communication is possible. If the external auditor is not able ot get answers to questions asked then it suggests doubts and therefore the internal auditors work should not be relied on. The status of internal audit position The external auditor should consider the status given to the internal auditor in the organisation to determine the level of importance and how management responds to the internal audit report. If the internal audit report is considered by the organisation in the implementation of policies and procedures it indicates that the function is substantive and therefore should be considered. The quality of the work The external auditor should review the internal auditor’s work files to determine the quality of the work carried out. If the quality is up to the standard required by the external auditor in his role then the work can be relied on. The quality will depend on the objectivity, independence and technical competence of the internal auditor. The external auditor should determine whether quality assurance procedures exist. Theiia (2010) indicates that the quality assurance should include both internal and external assessments. The internal assessment will include regular ongoing monitoring and assessment and periodic reviews through self assessment by other persons in the organisation with the necessary skills and knowledge of auditing practices to do so. Sufficient knowledge here relates to an understanding of the elements of the International Professional Practices Framework (Theiia 2010). According to Theiia (2010), the standard requires that external assessments be carried out at least once every five years by an independent reviewer from outside the organisation. This reviewer should have the necessary skills and competence in this area. Theiia (2010) also points out that a qualified external assessor should demonstrate competence in the area of internal auditing as well as the external assessment process. There should be no real or apparent conflict of interest between the assessor and the organisation. Additionally, Theiia (2010) points out that the internal auditor may only state that the internal activity conforms with the International Standards for the Professional Practice of Auditing only if the results of the quality assurance and improvement programs support the statement. Additional requirements The Canadian Auditing Standard (CAS) 315 requires that the external auditor should obtain an understanding of the internal audit function’s responsibility once the organisation has this function (CICA 2010). CAS 315 also indicates that the external auditor needs to determine how the internal audit function fits into the structure of the organisation, and the activities performed or to be performed by the external auditor (CICA 2010). The requirements of the internal audit activity are stringent and it is a waste if the management of the organisation does not allow the auditor to exercise the responsibilities of the auditor as outlined in the International Standards for the Professional Practice of Auditing. Duplication of work is costly and the organisation has to pay whenever this takes place. How do their duties overlap? The duties of the internal and external auditors overlap in a number of instances. Both auditors carry out compliance audits to determine whether the system can be relied upon. Both the internal auditor and the external auditor would want to ensure that there is no over or understatement of income and expenditures. The auditor should check to determine if the tests that the internal auditor carries out satisfies the objectives of completeness in the recording of income and expenditure as well as assets and liabilities. If the methodology used in carrying out compliance tests measures up to the external auditor’s standard then as required by the standards then it can be relied on. This does not take away the external auditor’s responsibility of ensuring that the account gives a true and fair view, having no material errors or misstatements and having being prepared in accordance with generally accepted accounting standards that were applicable at the time of preparation. The auditor should assess the internal auditors risk assessment to determine whether they are reasonable. The International Standards for the Professional Practice of Internal Auditing requires that the internal auditor carries out risk assessment annually (Theiia 2010). Barriers to maintaining independence in both internal and external audit The internal auditor faces many obstacles in maintaining independence. The person who performs the function is employed by the organisation and if not ‘sure footed’ may be influenced in such a way that both objectivity and independence is negatively affected. It is important that the necessary structure be put in place to ensure that there is an audit committee in place which is made up of persons who do not receive a salary from the organisation. This will allow for good governance to take effect. The reporting relationship can be a barrier to the auditor’s independence. A survey done in 2003 indicated internal auditors reported to CFO’s, company president’s and many other persons in the organisation (Charlesworth and Veselov n.d.). This has serious implications for the independence and objectivity of the internal audit process. The external auditor, though being an outsider also faces many barriers. The need to sustain the business requires that the auditor obtains appointments. In some cases, in order to maintain these appointments the auditor is forced by the circumstances and possibility of losing the audit due to disagreements. However, the standards speak to how this can be handled and the procedures which auditors should follow in accepting appointments. Once these standards are followed then the external auditor should have no fear of losing an audit due to potential disagreements. The difference between the Internal and external Auditing Standards External auditors are bound by statute. The role that they play has been outlined in legislation. This is not so for internal auditors even though they are members of a body. The external auditor is guided by generally accepted auditing and accounting standards as well as the legislation requiring that an audit be done by an independent and objective auditor who is not employed by the organisation but appointed to carry out that special task of determining whether the financial statements give a true and fair view and whether they have been prepared in accordance with generally accepted accounting standards. Requirements for an internal audit department Whether or not an internal audit department is not required in an organisation depends on the size of the operations. Small organisations that are operated by their owners, such as proprietorships and partnerships have their own controls in place even though to a lesser extent for the partnership. However, the larger organisations because of their size require an internal auditor or department as part of its operations. The company could also assess the costs and benefits of outsourcing the internal audit function to an audit firm. In that way it will be easier to ensure independence and objectivity. If the company has an internal audit department the staff employed would have to be paid their regular salary like any other staff. If the work is outsourced the auditors would visit the organisation in the initial stages to determine whether policies and procedures are in place and are being complied with where they exist. Make the necessary recommendations for policies to be implemented and strengthened where necessary. Recommendation and Conclusion The work of the internal and external auditors could be properly coordinated so that the external audit activity can become a less costly procedure. However, this would mean that the external auditors and the management of the organisation, preferably an audit committee would determine how the internal auditor could reduce the level of the work required to be performed by the external auditor. There is a level of risk involved but the external auditor on all occasions need to perform some checks to determine the reliability of the internal audit function. This means that the external auditor would review internal audit reports and determine if the internal auditor has the skills and knowledge is required. The internal audit work could also be outsourced to the same audit firm who would then ensure that the carry out its role in such away that there is no duplication in the external audit process. Another audit firm could be use but the possible exists that they may be reluctant to coordinate their activities. Using the same audit firm is the best option but it could negatively impact the independence and objectivity of the external auditors. The internal audit function is a very important activity in most organisation especially the very large ones. Charlesworth and Veselov (2009) points out that establishing audit committees, internal audit functions are some of the ways in which companies seek to address corporate governance issues. In order to prevent corporate failures and unnecessary financial collapse internal audit function is a very important function. However, the independence of the internal auditor function is negatively affected if the internal auditor is not given the necessary freedom to act independently and objectively. A good internal audit department would definitely raise the level of efficiency of the external audit function in any organisation. References Charlesworth, R. & Veselov, B. (n.d.) Audit Battle: Internal vs. external Audit. Deloitte Touche Tohmatsu CICA. (2009). The CICA’s Guide to New Canadian Auditing Standards. Retrieved from: http://www.cica.ca/cas/item37023.pdf The Institute of Internal Auditors (2010) International Standards for the Professional Practice of Internal Auditing (Standards). Retrieved from: http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/ Read More