PowerPoint Presentation

INTERNAL AUDIT 0IntroductionRecent events including global financial crises have emphasised need for internal auditing within corporate governance structuresInternal audit function is now mandatory by most stock exchangesDonors increasingly demand improved accountability & financial transparency in development projectsFurthermore, internal audit is considered good practice & advisable as part of underlying control framework & financial management capacity of a project, particularly if complex &/ or decentralised1DefinitionInternal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The Institute of Internal Auditors2

IA Code of EthicsPrinciplesInternal auditors are expected to apply & uphold the following principles:IntegrityThe integrity of internal auditors establishes trust & so provides the basis for reliance on their judgmentObjectivityInternal auditors exhibit the highest professional objectivity in gathering, evaluating & communicating information. Internal auditors make a balanced assessment of all relevant circumstances & are not unduly influenced by their own interests or others in forming judgments 3ConfidentialityInternal auditors respect the value and ownership of information they receive & do not disclose information without appropriate authority unless there is a legal or professional obligation to do soCompetencyInternal auditors apply knowledge, skills, & experience neededWhat is Internal Audit?Internal Audit is a professional activity which helps organisations to achieve their stated objectives by:Analyzing key processes, procedures & operationsIdentifying key controls in each such operation, procedure & processEvaluating the adequacy of these controlsTesting compliance of sample transactions against these controlsReporting results of the evaluation of controls and compliance testing of transactionsRecommending stronger controls wherever necessarySuggesting methods to improve compliance with key controlsFollow up of action taken on recommendations made in previous reports5What are Internal Controls?Internal Controls are important checks instituted by management to have reasonable assurance that:Operations are carried out in an efficient & effective mannerTransactions are recorded accurately & completelyAssets are properly recorded & safeguardedLaws are complied withReliable reports are generated6Some examples of Internal ControlBudgetary ControlFixed Assets RegisterBank & Special Account Reconciliations Reconciliation of Financial & Physical M & E Reports7How are Internal Audit & External Audit different?Internal audit is focused at internal management support and improving systems, procedures and processesExternal audit (EA): normally statutory requirement, unlike internal audit (IA) EA reports are addressed to stakeholders: IA reports are addressed to ManagementEA reports express an opinion on the financial statements prepared by the entity for a specified period: IA reports evaluate and check compliance against key internal controlsEA reports are usually public documents which are available to all stakeholders. IA reports are for use only by ManagementEA reports do not make recommendations, although may have a Management Letter: IA reports are incomplete withoutEA is basically a review of financial statements for compliance: IA seeks to ensure value for money to Management8Benefits of IAExternal audit checks overall compliance to internal controls related to financial transactions.Supervision Missions conduct only spot checks.9Internal audit is inherent in government structures in most developing countries.Sample IA Terms of Reference enclosed

IA has a key role in Risk management of IFAD ProjectsInternal Audit (IA) MandateWhat does it not do?

Perform management activities/ responsibilities (these include establishing internal controls)Compliance & Advisory rolesWhat does it do?Primary role in improving internal control, accuracy, reliability & integrity of information including financial & operational reportingMonitoring & evaluation of effectiveness of risk management processesRole in corporate oversight, safeguarding of assets, economical & efficient use of resources, compliance with laws & regulations, deterring fraud10

Internal Control PracticesHow?Internal control is a process. It's a means to an end, not an end in itselfInternal control is effected by people as a team, not by internal auditor. It's not merely policy manuals & forms, but people at every level of an organizationInternal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and governing bodies/ committeesUses systematic methodology for analysing business processes, procedures & activitiesThe cost of IA should not exceed expected benefits to be derived11

Role in Internal ControlCompliance audit: review of financial & operating controls & transactions for conformity with laws, regulations & procedures, e.g.,Access to IT system appropriate to users roleSegregation of duties in high risk areasBalancing & reconciliation between systemsSystems back up & recoveryPhysical safeguard & access restriction controlsReconciliations, comparison budget of actualOperational audit: review of various functions within project to evaluate efficiency, effectiveness, & economy12

IA Role in Corporate OversightFour pillars internal audit, executive management, external audit, & Board of directors/ steering committeeCombination of processes & organisational structures implemented by management to inform, direct, manage and monitor the projects resources, strategies & policies towards the achievement of its objectivesPublic sector governance Principles - transparency, integrity, accountabilityMay include review of sufficiency of human resources, training needs, policies, etc.13

Nature of Internal Audit ActivityEstablish scope & activities for audit to ManagementDescribe key risks facing the business activities within scope of auditIdentify control procedures used to ensure each key risk is properly controlled & monitoredDevelop & execute risk based sampling & testing approach to determine whether most important controls are operating as intended (NB: input from Management required e.g. 100% sampling of WA review)Report issues/make recommendations/negotiate action plans with Management to address issuesFollow up on reported findings periodically 14

Contents of Audit PlanUpdated annuallyRisk based audit plan developed with input from project staff including ManagementSummary of key goals, risks & corresponding major audits, to illustrate alignmentBased on risk assessment & available resourcesAppendix materials, such as planning approach, assumptions & brief descriptions of all planned audits & related prioritizationApproved by management/ appropriate oversight Committee15

Contents of Audit Report ObservationsNarration/ descriptionRemedial actionConsequences/ fall outRecommendation for improvement (prioritized between high and normal)Response (action plan) who, when and how16

IAs Proactive RoleIdentify RisksFind Better Ways and Best PracticesPartner With Management to Find SolutionsPrevent ProblemsProvide trainingRespond to policy & technical accounting questionsOffer suggestions for improvementAdvisory role

17

The Audit SchedulePrepare an audit schedule. Each area must be audited at least one a year, but for an effective program plan on auditing each area at least twice.

Audit StepsInternal audit steps:Create audit scheduleComplete audit planHold opening meetingConduct auditDocument FindingsPrepare audit reportHold closing meetingPrepare audit fileFollow up Performing the AuditAfter the opening meeting you will start your audit. Using your checklists and procedures as references, go out to observe the process and talk to people in the departmentYou are looking for evidence that the Company Safety Management System is working effectivelyAn effective audit will depend on your ability to put people at ease and encourage open honest communicationKey Auditor AttributesCommunication skillsTactfulAbility to listenReword questions when neededUse local terminologyObjectiveFlexiblePersistentCuriousTechniquesThe auditee may be stressedSmile, relaxPoint out good things that you seeSummarize with Everything looks good here when you canAs the auditor, you are creating the audit culture for your organizationTechniquesUse open ended questions, they provide more information. AskWhatWhereWhyWhoWhenAsk for clarification or more information if you do not understand.

TechniquesKeep people informed of what you are findingPoint out nonconformances as you goMake sure the auditee understands what you see as the nonconformanceThere should not be surprises at the closing meeting when you present your findingsPerforming the AuditAs an auditor you will:Check documents and recordsAsk questionsObserve processes and compare them with documented procedures and work instructionsInvestigate any differencesFollow audit trails, be curiousTake good notesPerforming the AuditThroughout the audit, you will take detailed notes on what you find. Be specific on what is reviewed and what is found

The information you write down will be used to identify nonconformance and to assist the department in finding and understanding what you observedDocumenting the AuditOnce you complete your audit, you will prepare an audit report. The report will also include:General informationDocuments reviewedPersons interviewedGeneral summary and assessment of how the system is performingDocumenting the AuditWhen your documentation is complete you will be ready to hold your closing meeting. The lead auditor will lead the meeting.

Thank the group for their cooperationRemind them that this is an evaluation of the processes not the peopleThe Closing MeetingSummarize the findingsHighlight areas that are working wellReview each of the nonconformances, allow questions and discuss the finding to make sure that the group understands the non conformancesDiscuss any corrective actions that you followed up on that were not found to be effectiveHave the group sign the audit report as a record of attendanceGive a copy of the table of nonconformances to the area managementThe Audit FileFinal audit file includes:Audit planAudit checklistsAudit report