Internal Audit and Risk Assurance Overview
The role of internal audit is to offer independent assurance that a business's governance, risk management, and internal control procedures are functioning effectively. The internal audit process is essentially concerned with assessing an organisation's management of risk. All organisations face risks: for example, risk to the organisation's reputation if it treats clients wrongly, cyber security risk, risk of supplier failure, health and safety risk, risk associated with market failure, financial risks, etc.
The key to a business's success is to tackle such risks efficiently: more effectively than competitors and as effectively as stakeholders demand. In order to assess how effectively risks are being managed, an internal auditor will evaluate the quality of the risk management process, the corporate governance processes, and the systems of internal control.
What is Risk?
- Risk is the possible loss resulting from a given activity or action
- Audit Risk Model: Audit Risk = Control Risk x Detection Risk x Inherent Risk
- Audit Risk: The risk that an auditor provides an incorrect estimation
- Inherent Risk: Risk related to the nature of the business or transaction. For instance, transactions involving the exchange of cash may have greater Inherent Risk than transactions involving payment by checks
- Control Risk: Risk that a misstatement could take place but may not be noticed and amended or prevented by the organisation's internal control mechanism. Control Risk depends on the strength or weakness of the internal control measures
- Detection Risk: Likelihood that the audit procedures may fail to identify the presence of a fraud or material error
  - Detection Risk is due to either human error or sampling error
  - Detection Risk is low – Auditor tests less evidence
  - Detection Risk is high – Auditor will test supplementary suitable evidence
Risk treatment process
- Once risks have been recognised and evaluated, all methods of managing the risk fall into the following four main classes:
  - Risk Avoidance: Not carrying out an activity that could involve risk. For instance, not purchasing assets or a business in order to avoid the legal obligations that come with it
  - Risk Mitigation: Moderating the risk by implementing controls
  - Risk Transfer: Sharing the risk with a third party. For instance, Fidelity Insurance, a kind of insurance intended to safeguard a firm from losses that may occur due to dishonest acts of its employees
  - Risk Retention: Accepting the loss from a risk when it happens
Conclusion: The risk management process belongs to management or the Process Owner within an organisation, not to the auditor. An internal auditor can only recommend measures to avoid risk; final operating authority lies with management.
What does an internal auditor check for process control?
- Controls are aimed at mitigating risks
- The auditor tests the design and operating efficiency of the control
- If the control is not considered, then there is a “Design GAP/Control GAP” in the procedure
- If the control is designed but discrepancies are noted during testing, then the control is not functioning efficiently
Internal Audit process
Each audit is unique. However, the audit process is comparable for most engagements and largely consists of 4 phases:
- Planning
- Field Work/Execution
- Reporting
- Follow-up
- Planning Stage
  - The overall objective of the audit is defined
  - The required team is decided based on the skill set of the workforce
  - Process owners are informed of the audit dates so that they can collaborate throughout the process walkthrough and field work/execution
  - Process documentation and a walkthrough need to be performed with the process owner and documented correctly to recognise risk, design controls, and manage gaps in the process
  - The audit scope is discussed with seniors in case any other risk/control needs to be tested
  - An audit program needs to be drawn up to describe the fieldwork that will be performed to attain the objectives
- Field Work/Execution
  - Setting up the kick-off call/meeting:
    - Introduction of the Audit Team and Process Owner
    - Communication criteria are established with the Process Owner (daily/weekly updates, discussion of issues and findings, communication of unresolved queries, etc.)
    - Reconfirm the scope of the engagement and describe the methodology that will be followed
    - As an auditor, an individual is required to convince the Process Owner that he/she is not a “Fault Finder” but is there to help by making the process better organised and more effective
  - Transaction Testing:
    - In this stage, transactions are tested using numerous techniques, including sampling
    - Ensure that the intended controls are functioning efficiently
    - Professional skepticism should be applied: an attitude that comprises a questioning mind and a critical evaluation of audit evidence
  - Continuous Communication:
    - Communicate with the Audit Superior on a regular basis about any observations noted during the field work
    - Discuss with the process owner any compensating controls that lessen the risk where another designed control is not functioning effectively
  - Document Workpapers (W/P) Effectively:
    - Workpapers are of two types: Test Workpapers and Supporting Workpapers
    - A well-documented workpaper is used as an audit trail
    - The same workpaper can be used by the auditor next year for reference
  - Conducting the Exit Meeting:
    - The Exit Meeting is conducted individually with the Process Owner prior to leaving for field work
    - This meeting gives both parties the opportunity to decide on the most viable recommendation and to avoid any disagreeable surprises during the audit recording phase
- Reporting
  - This phase is where the prime product of the audit is produced
  - The report states the auditor's opinion, presents audit findings, and discusses recommendations for enhancement
  - The Final Audit Report is drafted to include management action plans, with timelines, for the recorded observations
  - A few provisions are good for an auditor to mention when drafting audit reports. Care should be taken over the choice of words when presenting observations
- Follow-up
  - An auditor must follow up with the client on the implementation of the suggestions as the deadlines approach
  - A follow-up report will be issued to management, with a copy sent to the audit committee, stating the issues followed up on, management's control implementation, an assessment of the suitability of the controls, and a listing of unsettled findings, including their deadlines
Audit Program

| Particulars | W/P Reference | Auditor Sign-Off With Date |
|---|---|---|
| I. AUDIT INTENTIONS: | | |
| 1. All-inclusive policies and measures speaking about accomplishments that have been established and recognised | | |
| 2. HR department is in agreement with the recognised policies and controlling requests | | |
| 3. Access to records is restricted to official personnel | | |
| 4. Documents are properly organised, sanctioned and verified | | |
| 5. Recorded balances are repeatedly validated and reviewed | | |
| II. PRELIMINARY WORK: | | |
| 1. Prepare an appointment memo to announce the audit | | |
| 2. Prepare Auditor’s Independence Declaration | | |
| 3. Obtain an understanding of the operations through investigation and meetings | | |
| 4. Carry out a general outline of the internal control situation and define the scope of the audit | | |
| 5. Develop suitable audit tests to offer assurance that management’s aims are being met | | |
| III. AUDIT PROCEDURES & TESTING: | | |
| 1. General audit statement | | |
| Payroll Processing Procedure | | |
| New Hire Employees – based on skill-set | | |
| Sacked Employees | | |
| Access of Employee Master File | | |
| IV. WORK PAPERS: | | |
| 1. Consolidate all applicable work papers in a logical manner | | |
| 2. Make a final index for the work-paper package | | |
| 3. Accumulate and protect current year audit files for reference | | |
| V. AUDIT FINDINGS & REPORTING: | | |
| 1. Document synopses of all audit findings | | |
| 2. Recommend any appropriate adjustments, internal controls | | |
| 3. Determine whether to take into account each audit finding in final audit report, and the relative risk exposure | | |
| 4. Prepare the draft audit synopses for review | | |
| 5. Share tentative and preliminary audit report | | |
| 6. Assemble the final audit report with responses, review it for errors, and share it with the management | | |
| Auditor Signature: | Date: | |
Our Internal Audit & Risk Assurance
Can a business in the United Kingdom establish the correct controls and safety measures in case something goes wrong? Most businesses find such tasks difficult, and our firm, DNS Accountants, can help to address these questions through our internal audit team. Internal audit has become an ever more indispensable part of doing business in both the public and private sectors, and hence many more organisations are investing in internal audits. Whether an organisation is looking to outsource its internal audit operations entirely or needs to enhance its own skills, our professional team can assist in achieving the desired results. Our team begins by evaluating the audit requirements, taking into consideration the size, nature, and complexity of the business. From there, the team at DNS shapes its services and develops a bespoke strategy to meet the specific needs of the business. Our team will be constantly in touch with the business to continually assess, benchmark and monitor performance against other best practice methodologies and propose ongoing developments.
About the author
Sumit Agarwal
Sumit Agarwal (ACMA ACA India), the Managing Partner of DNS Accountants, is a highly respected accountant with expertise in helping owner-managed businesses.