BEA 2004
AUDITING
2007
Background Notes Unit 4
Internal Control and Internal Audit
Internal control
Internal control within a commercial enterprise has been defined as:
The whole system of controls financial and otherwise, established by the management in order
to carry on the business of the enterprise in an orderly and efficient manner, ensure adherence
to management policies, safeguard the assets and secure as far as possible the completeness
and accuracy of the records.
This is expanded a little in the Turnbull Guidance [1] (first issued in 1999; a revised version was issued by the FRC in October 2005) which states:
An internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together:
- facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company's objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed;
- help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation;
- help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.
[1] Available at http://www.frc.org.uk/documents/pagemanager/frc/Web%20Optimised%20Combined%20Code%203rd%20proof.pdf
The traditional approach to internal control focused on specific types of control designed to aid the enterprise in achieving these objectives. Such controls might include:
- Authorisation controls to ensure that transactions take place only after suitable authorisation, for example purchases, credit sales etc.
- Segregation of duties, for example segregating responsibilities for trading and record keeping in a foreign exchange operation.
- Organizational and supervisory controls to ensure knowledge of duties, proper conduct of those duties, lines of reporting etc.
- Security controls to ensure that there is no improper access to the record keeping system, that assets are protected from unauthorised removal etc.
- Arithmetic and data controls to assist in ensuring the accuracy of record keeping and transactions processing.
(For an example of weaknesses in traditional controls which were instrumental in the failure of one of the UK’s best known merchant banks, see the relevant section of the 1996 Bank of England Report on the collapse of Barings Bank [2].)
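The controls just listed map directly onto checks that can be built into a transaction system. The following is an added example in Python, not code from the notes or from any standard referred to here: a toy ledger for a foreign-exchange desk in which the security control (a role is needed for each step), the authorisation control (nothing is recorded without a supervisor's approval), segregation of duties (initiator, approver and recorder must be three different people) and the arithmetic and data controls (a batch is recorded only if it reconciles to a control total, and no reference is recorded twice) are enforced by the code rather than left to procedure. The users, roles, transaction references and amounts are constructed for illustration, and the single-approver workflow and the control-total batch are assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable, Dict, List, Optional, Set

# Added example, not code from the notes; users, roles and amounts are constructed.
# Each traditional control listed above becomes a check the system itself enforces:
# security (role needed for each step), authorisation (no approval, no record),
# segregation of duties (initiator, approver and recorder are three different people),
# arithmetic/data (a batch posts only if it reconciles; no reference posts twice).
ROLES: Dict[str, Set[str]] = {
    "alice": {"trader"}, "bob": {"supervisor"}, "carol": {"bookkeeper"},
    "dave": {"trader", "supervisor", "bookkeeper"},  # holds every role: role checks alone would let dave do everything
}

class ControlViolation(Exception):
    """A step that would breach a control is refused, not logged and allowed."""

@dataclass(frozen=True)
class Transaction:
    ref: str
    amount: Decimal
    initiated_by: str
    approved_by: Optional[str] = None

def require_role(user: str, role: str) -> None:
    """Security control: the user must hold the role the step needs."""
    if role not in ROLES.get(user, set()):
        raise ControlViolation(f"{user!r} does not hold role {role!r}")

def initiate(ref: str, amount: Decimal, user: str) -> Transaction:
    require_role(user, "trader")
    if amount <= 0:
        raise ControlViolation(f"{ref}: amount must be positive")
    return Transaction(ref, amount, user)

def approve(txn: Transaction, approver: str) -> Transaction:
    """Authorisation control; the identity check is what gives segregation of duties,
    since dave holds both roles and would pass the role check alone."""
    require_role(approver, "supervisor")
    if approver == txn.initiated_by:
        raise ControlViolation(f"{txn.ref}: initiator may not approve their own deal")
    return Transaction(txn.ref, txn.amount, txn.initiated_by, approver)

@dataclass
class Ledger:
    entries: List[Transaction] = field(default_factory=list)

    def record(self, txn: Transaction, recorder: str) -> None:
        if txn.approved_by is None:
            raise ControlViolation(f"{txn.ref}: not authorised")
        require_role(recorder, "bookkeeper")
        if recorder in (txn.initiated_by, txn.approved_by):
            raise ControlViolation(f"{txn.ref}: recorder must differ from initiator and approver")
        if any(e.ref == txn.ref for e in self.entries):
            raise ControlViolation(f"{txn.ref}: already recorded")
        self.entries.append(txn)

    def post_batch(self, txns: List[Transaction], recorder: str, control_total: Decimal) -> int:
        """Arithmetic control: reconcile before writing anything, and roll back if any
        item fails a control, so the ledger never holds a partial batch."""
        computed = sum((t.amount for t in txns), Decimal("0"))
        if computed != control_total:
            raise ControlViolation(f"batch total {computed} differs from control total {control_total}")
        saved = list(self.entries)
        try:
            for t in txns:
                self.record(t, recorder)
        except ControlViolation:
            self.entries = saved
            raise
        return len(txns)

def is_refused(step: Callable[[], object]) -> bool:
    try:
        step()
    except ControlViolation:
        return True
    return False

def demo() -> dict:
    """Post one good batch, then try each way of breaking a control."""
    ledger = Ledger()
    t1 = approve(initiate("FX-001", Decimal("250000.00"), "alice"), "bob")
    t2 = approve(initiate("FX-002", Decimal("75000.00"), "alice"), "bob")
    posted = ledger.post_batch([t1, t2], "carol", Decimal("325000.00"))
    t3 = approve(initiate("FX-003", Decimal("10.00"), "alice"), "dave")  # allowed: dave is not alice
    t4 = approve(initiate("FX-004", Decimal("5.00"), "alice"), "bob")
    refused = {
        "self-approval": is_refused(lambda: approve(initiate("FX-005", Decimal("1"), "dave"), "dave")),
        "record without approval": is_refused(lambda: ledger.record(initiate("FX-006", Decimal("1"), "alice"), "carol")),
        "trader keeps the books": is_refused(lambda: ledger.record(t3, "alice")),
        "approver records own approval": is_refused(lambda: ledger.record(t3, "dave")),
        "double posting": is_refused(lambda: ledger.record(t1, "carol")),
        "bad control total": is_refused(lambda: ledger.post_batch([t3], "carol", Decimal("999"))),
        "partial batch rolled back": is_refused(lambda: ledger.post_batch([t4, t3], "dave", Decimal("15.00"))),
    }
    return {"posted": posted, "refused": refused, "entries": len(ledger.entries)}

if __name__ == "__main__":
    print(demo())
```

Two points the example is meant to show. First, a role check on its own is not segregation of duties: dave holds every role and passes every require_role call, and it is the identity comparison in approve and in record that stops him approving or recording his own deals. Second, post_batch reconciles the control total before it writes anything and rolls back if any item in the batch is refused, so the ledger never holds a half-posted batch; running demo() leaves two entries recorded with every one of the seven attempted breaches refused.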
More recently (as evidenced by the COSO 1992 report [3] in the US and the Turnbull report in the UK) internal control has come to be seen as integrated within the risk management framework of commercial (and other) entities and as such embraces:
- Compliance risk management and control
- Operational risk management and control
- Financial statement risk management
with increasing emphasis being placed on the overall ‘control environment’ (which was defined in SAS 300 Accounting and Internal Control Systems and Risk Assessments [4] as ‘the overall attitude, awareness and actions of directors and management regarding internal controls and their importance in the entity…Factors reflected in the control environment include:
- the philosophy and operating style of the directors and management;
- the entity’s organisational structure and methods of assigning authority and responsibility…; and
- the directors’ methods of imposing control, including the internal audit function, the functions of the board of directors and personnel policies and procedures.’)
and less on a check list of particular specific controls.

[2] A relevant section of this report is available at http://www.numa.com/ref/barings/bar03.htm#13.10
[3] This report proposed the following definition of internal control: ‘A process, effected by an organization’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of specific objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.’
Today internal control and the control environment are seen as an important part of the overall corporate governance structure. In the UK the work of the Cadbury Committee (see Collier, 1997), as subsequently revised and taken forward by the Greenbury and Hampel Committees, led to the development of the Combined Code [5] covering various aspects of corporate governance. The Code is not statutory and adherence to the Code is not mandatory, but for listed companies the Financial Services Authority requires disclosure of non-adherence. The Code sets out the responsibilities of management with regard to internal controls as follows:
C2: ‘The board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets’.
C2.1: ‘The directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls and risk management systems’.

[4] SAS 300 is now largely subsumed within ISA (UK and I) 315 (available at http://www.frc.org.uk/images/uploaded/documents/ACF15D.pdf) which contains similar provisions to those previously in SAS 300.
[5] Available at http://www.frc.org.uk/documents/pagemanager/frc/Web%20Optimised%20Combined%20Code%203rd%20proof.pdf (this links to the 2003 version; there were minor revisions, not relevant to these notes, in the June 2006 version, available on the FRC website).
Guidance on what this review should entail is provided in the Turnbull report, the original (1999) version of which required that companies should:
- Understand the general control environment in which they operate
- Perform risk assessment
- Formulate control objectives
- Design controls to alleviate high likelihood/high impact risks
- Implement a controls programme
- Evaluate the results of the controls programme
- Assess the adequacy of the risk driven control framework
(although these requirements are not specifically repeated in the revised (2005) version).
For most companies the statutory external auditor has a limited formal role in terms of
the assessment of the adequacy of the internal control system (statutory requirements
for certain types of financial service providers require reporting on internal controls as
do the requirements in much of public sector audit). However the courts (and auditing
standards) require that the auditor should bring to the attention of management
perceived deficiencies in the system of internal control on a timely basis – and if
management fail to act on their advice the auditor should consider whether there are
wider reporting responsibilities. The statutory requirement for companies to maintain
proper accounting records (and the requirement for the auditor to form an opinion as
to whether they have done so) may also be seen as implying at least some minimum
degree of evaluation of internal control.
Although statutory requirements in respect of mainstream company audit in the UK are limited in nature (as are those contained within auditing standards: ISA (UK & I) 315 merely requires the auditor to obtain ‘an understanding of internal control relevant to the audit’), the importance of internal control in terms of the manner in which auditors formulate their audit opinions means that in practice evaluating the control environment and the quality of internal controls is a key element in the great majority of audits of companies of any size.
(In the USA the Sarbanes-Oxley Act [6] (enacted in July 2002) following the Enron and WorldCom debacles requires a statement by management of public companies of their responsibility for establishing and maintaining an adequate internal control structure, together with an assessment of the effectiveness of the internal control structure and the procedures for financial reporting. The auditor is required to ‘attest to, and report on, the assessment made by management.’)
[6] A synopsis of the Act is available at http://www.aicpa.org/info/sarbanes_oxley_summary.htm
Internal audit
Internal audit is a separate non-statutory function which has developed greatly in
standing and importance in the last twenty years. It is now seen as a significant part of
the overall corporate governance and risk management framework and the existence
of an internal audit function is now strongly encouraged for quoted companies, the
Combined Code stating:
C 3.5 The audit committee should monitor and review the effectiveness of the
internal audit activities. Where there is no internal audit function, the audit
committee should consider annually whether there is a need for an
internal audit function and make a recommendation to the board, and the
reasons for the absence of such a function should be explained in the
relevant section of the annual report.
Internal audit is wide ranging in its scope and may have a role inter alia in terms of:
- Compliance and system controls
- Performance management
- Investigation and ‘trouble shooting’
In 1999 the Institute of Internal Auditors (IIA, 1999) set out a revised definition of internal audit: ‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes…’
A relatively recent high profile, if not necessarily typical, example of the work of the internal auditor has been the publication by the Treasury of the report of the internal auditor of the Financial Services Authority (FSA) into the role played by the FSA as regulator of Equitable Life (the ‘Baird Report’) [7]. Another has been the focus on the work of internal audit in the WorldCom scandal in the US and in relation to the reported recoverable oil and gas reserves of Shell [8].
Although internal audit is now much more prominent than in previous years, issues do arise as to how effectively this function can play its ascribed role within the overall corporate governance structure. One problem lies in the great variety in the scope and nature of the work of the internal audit function in different companies. More specific concerns relate to the qualifications and reporting independence of internal auditors. Although there is a worldwide body of internal auditors, the Institute of Internal Auditors (IIA, with a separate UK offshoot), with its own standards and professional qualification, membership of this body is not mandatory in any sense, and where membership is present the problems of monitoring and enforcing standards are significantly greater than for external auditors in the absence of any supporting statutory framework. The fact that the internal auditor is an employee of the company provides a clear threat to independence (although it may be noted that the external auditor too is reliant upon clients for fee income). There are few safeguards to protect the independence of the internal auditor, although over time lines of reporting responsibility have shifted from reporting within the finance function (typically to the Director of Finance) toward reporting either to the main board collectively or to an audit committee comprising non-executive directors.
In coming to their audit opinion external auditors should take cognizance of the work of internal audit and may, if they choose to do so, place reliance upon the work of the internal audit function provided that they are satisfied as to its competence and independence. Such reliance may relate to the role of internal audit within the overall system of internal control or it may be direct in terms of reliance upon specific compliance or substantive tests performed by the internal auditor. ISA (UK & I) 610 requires the auditor to be aware of the activities of internal audit in the context of identifying the risk of material financial misstatement and, if the activities of internal audit are relevant to that risk assessment, the auditor should appraise and assess the activities of the internal auditor with reference to:
- Organizational status (independence, freedom of reporting)
- Scope of function (nature of assignments and management response thereto)
- Technical competence (adequate technical training, hiring procedures, professional qualifications)
- Due professional care (appropriate planning, supervision, review and documentation)
If, in the light of this assessment, the external auditor intends to place reliance upon specific aspects of the work of the internal auditor (and following further evaluation of the nature and conduct of those specific procedures), then it is necessary for the external auditor to carry out specific audit procedures in relation to that work. The nature and extent of these procedures will depend upon the auditor’s assessment of the risk of material misstatement in the relevant area, the assessment of internal audit and the evaluation of their specific work.

[7] The Baird Report is available by search of the Treasury’s web site www.hm-treasury.gov.uk
[8] See Gwilliam and Marnet (2006)
A development in recent years has been the trend for companies to outsource the
internal audit function, with typically the work being undertaken by special units
within the large accounting firms. Advantages claimed for such outsourcing include
the possibilities of economies of scale in the provision of internal audit services; a
greater and more cost effective scope of international coverage; access to leading edge
practice and specialist skills; greater flexibility for the company and a clearer market
focus from the provider. Perceived disadvantages may include a lack of institutional
knowledge and a potential loss of independence in that antagonising key management
personnel may lead to the loss of the outsourced contract. These concerns are
heightened when the internal audit services are provided by the company’s external
auditor. Issues as to both enhanced fee dependence and the possibility of impact upon
the investigative and reporting activities of the external auditor were brought into
sharp focus by the collapse of Enron for whom Arthur Andersen acted as both the
internal and external auditor [9]. This led to a number of large firms ceasing to offer internal audit services to audit clients and in the US the Sarbanes-Oxley Act now prohibits the provision of internal audit services to audit clients by auditors.

[9] Although in the Appendix to the final report of the bankruptcy examiner which discusses the role of Arthur Andersen the bankruptcy examiner was not in fact critical of the provision of internal audit services by Arthur Andersen, and indeed suggested that there might be benefits from the provision of what it termed an ‘integrated audit’. See Batson (2003), available at http://www.enron.com/corp/por/pdfs/examinerfinal/NBFinalAppendixB1.pdf

References
Collier, P., 1997, ‘Corporate Governance and Audit Committees’, pp. 70-84 in Sherer, M. and Turley, S. (eds), Current Issues in Auditing, 3rd edn.
COSO, 1992, Committee of Sponsoring Organizations of the Treadway Commission, Internal Control – Integrated Framework.
Gwilliam, D. and Marnet, O., 2006, ‘Audit in the Corporate Governance Framework: A Cornerstone Built on Shifting Sand’, Working paper, UWA.
IIA, 1999, Institute of Internal Auditors, IIA Professional Practices Framework for Internal Auditing.
Turnbull Committee, 1999, Guidance for Directors of Listed Companies in the United Kingdom, ICAEW. Available by search on www.icaew.co.uk/internalcontrol