MANAGEMENT OF THE INTERNAL AUDIT
FUNCTION
The director of internal auditing is responsible for managing
the internal audit organization so that:
Audit work accomplishes the general purposes and fulfills
the
responsibilities approved and accepted by the head of
the
agency.
Resources of the internal audit function are efficiently
and
effectively employed.
Audit work conforms to the Standards for the Professional
Practice of Internal Auditing.
This includes :1)obtaining
a statement of purpose, authority and responsibility;
2) planning; 3) establishing and implementing policies
and procedures; 4) managing and developing human resources;
5) establishing a quality assurance program.
1. Obtaining a Statement of Purpose, Authority
and Responsibility
The director of
internal auditing is responsible for seeking the approval
of management and where applicable, the acceptance by
the board of this statement.
2. Planning
The director of
internal auditing should develop plans to fulfill the
responsibilities of the internal audit organization.
These plans should be consistent with the internal audit
group's statement of purpose, authority , and responsibility,
and with the goals of the organization. The planning
process involves establishing:
Goals
Operating Plans
Staffing plans and financial budgets
Status Reporting
3. Establishing and Implementing Policies
and Procedures
The director of
internal auditing should provide written policies and
procedures to guide the audit staff. The form
and content of written policies and procedures should
be appropriate to the size and structure of the internal
audit organization. The manual should include: the
internal audit objectives; the policies to be followed;
the general scope of work to be performed and the standards
of performance. Formal administrative and technical
audit manuals may not be needed in all internal audit
groups.
4. Managing and Developing Human Resources
A program should
be established for managing and developing the human resources
of the internal audit department. The program should
provide for:
Developing written job descriptions of each level of the
audit
staff.
Selecting qualified and competent individuals.
Training and providing continuing educational opportunities.
5. Quality Assurance
A quality assurance
program should be established and maintained. The
purpose of this program is to provide reasonable assurance
that the audit work conforms with these standards;
the internal audit department's statement of purpose,
authority ,and responsibility; and the applicable auditing
standards such as those set by the American Institute
of Certified Public Accountants, the Institute of Internal
Auditors, and the United States General Accounting Office.
A quality assurance program should consist of three major
parts: supervision, internal reviews and external reviews.
LOCATION IN THE ORGANIZATION
The internal auditor
should report to an official at a sufficiently high level
i.e., the agency commissioner or an assistant commissioner,
to promote independence and to ensure broad audit coverage,
adequate consideration of audit reports and appropriate
action on audit recommendations. The internal
auditor should not report to any official who is directly
responsible for the operations to be reviewed. If
the person designated to receive the internal auditor's
report is not independent, that person cannot be expected
to implement internal audit recommendations in a manner
sufficiently objective and impartial as to best serve
the needs of top management.
STANDARDS OF INTERNAL AUDITING
The standards
of internal auditing are established by management and
set forth clearly in directives, job instructions, specifications
or laws. The Statement of Responsibilities of
the Internal Auditor, published by the Institute of
Internal Auditors, states that internal auditing "...is
a managerial control which functions by measuring and
evaluating the effectiveness of other controls'. Internal
audit looks at operations in terms of units of measurement
and standards. The units of measurement are the
discrete elements that apply to the operation-the dollars,
days, people, documents, or other quantifiable items
by which success or failure can be objectively gauged.
The standards are those qualities of acceptability with
which the measured items will be compared.
For government
entities, the United States General Accounting Office
(GAO) has developed standards applicable to audit of all
government organizations, programs, activities, and functions,
whether performed by internal auditors, independent public
accountants or others. The 1981 GAO publication,
Standards for Audit of Governmental Organizations,
Programs, Activities and Functions (commonly called
GAO Standards incorporate the generally accepted auditing
standards of he American Institute of Certified Public
Accountants AICPA) for financial audits, but go further
to include standards of compliance and programmatic review
unique to government.
Internal audits
must be approached with the thought of meeting generally
accepted auditing standards for the profession.
These standards are to apply whether audits are preformed
by or for a governmental entity. The GAO standards
conform to the AICPA standards for financial
audits which are summarized as follows:
AICPA STANDARDS
1. AICPA standards include the following
general standards, standards of field work and standards
of reporting:
a. General Standards
The examination is to be preformed by a person or persons
having adequate
technical training and proficiency as an auditor.
In all matters relating to the assignment, an independence
in mental attitude is to
be maintained by the auditor or auditors.
Due professional care is to be exercised in the performance
of the examination
and the preparation of the report.
(1) Training and Proficiency- The attainment of
proficiency in the audit is a continuing process.
Audit is a tool of management and, as modern government
seeks new ways of coping with its problems, the audit
profession must grow if it is to be of maximum benefit
to management. Thus in addition to basic technical
training and experience, the proficient auditor will bring
to the work a continuing interest in the current professional
literature, a working knowledge of relatively new audit
techniques such as statistical sampling, and the literature
of public administration, management, and the field of
the agency where employed. Membership in professional
organizations (e.g., the Institute of Internal Auditors
and the American Society for Public Administration ) and
reading of professional periodicals is, therefore strongly
encouraged.
(2) Independence and Objectivity-Independence,
objectivity, integrity - both in personal attitudes and
in organizations relationships with personnel whose operations
are being audited are essential qualities in the conduct
of any audit. Those standards are in consonance not only
with the demands of the profession, but also with the
demands of public service. It is recognized, of
course, that audit conclusions based upon an appraisal
of program performance frequently relate to matters of
judgment. Even in these cases, the maintenance of
high standards of field work and audit reporting, coupled
with these personal standards, will serve to place such
appraisals within an objective framework.
(3) Due Care and Diligence - With regard to the
subject of "due care and diligence", the following
quotation from Cooley on Torts will serve to place this
standard in perspective:
"Every man who offers his services
to another and is employed assumes the duty to exercise
in the employment such skill as he possesses with reasonable
care and diligence. In all those employments
where peculiar skill is prerequisite, if on offers his
services, he is understood as holding himself out to the
public as possessing the degree of skill commonly
possessed by others in the same employment and, if his
pretensions are unfounded, he commits a species of fraud
upon every man who whether skilled or unskilled, undertakes
that the task he assumes shall be performed successfully,
and without fault or error. He undertakes for good
faith and integrity, but not infallibility, and
he is liable to his employer for negligence, bad faith,
or dishonesty, but not for losses consequent upon mere
errors of judgment".
Due care imposes a strong responsibility upon the auditor
for the performance of all audit steps necessary to assure
sound, objective conclusions in all auditable areas having
a significant impact on the accounting aspects of the
agency.
b. Standards of
Field Work
The work is to be adequately planned and assistants, if
any, are
to be properly supervised.
There is to be a proper study and evaluation of the existing
internal control system as a basis for reliance thereon
and
for the determination of the resultant extent of the tests
to
which auditing procedures are to be applied.
Sufficient
competent evidential matter is to be obtained
through
inspection, observation , inquiries and confirmations
to afford
a reasonable basis for an opinion regarding the
financial
statements under examination.
(1)Planning and Supervision - It is exceedingly
important that individual audits will be well planned
and controlled. Examination of working papers
and audit reports on prior audits, development of knowledge
of operating controls at the developmental level, development
of knowledge of pertinent laws, regulations, and other
authorities, examination of reports prepared by other
reviewing authorities (e.g., legislative committees, special
committees, etc.), couples, of course, with an evaluation
of internal and operating controls are all essential to
the planning of the audit where inventories are a material
factor, consideration should also be given to the examination
of inventory-taking if it should occur at a time other
than during the normal course of an audit.
Effective control
and supervision of the audit also involves a number of
other elements. Estimated time requirements for
the individual audit should be established prior to commencement
of the audit, re-evaluated shortly after the audit begins,
and continuously re-examined during the course of the
audit in the light of actual time spent. Much responsibility
for effective supervision rests with the director of the
internal audit organization whose experience and judgment
must be brought to bear in outlining the audit scope and
in critically reviewing the work done and judgment exercised
by those under him.
(2) Internal and Operating Controls - The auditor
must exercise professional judgment in determining the
scope of examination and in deciding whether the agency's
interests justify the time and expense involved in pursuing
a particular line of inquiry. To a considerable
extent, the areas of audit inquiry and extent of audit
tests will be influenced by the internal and operating
controls of the agency.
The AICPA
notes that " a function of internal control, from
the viewpoint of the independent auditor, is to provide
assurance that errors and irregularities may be discovered
with reasonable promptness, thus assuring the reliability
and integrity of the financial records." The
AICPA also points out the assurance that internal control
is functioning as planned need not be determined by making
a separate task of evaluating the internal control as
a whole, rather, it is suggested that reviews of controls
applicable to the various activities be made while the
related accounts are being audited. This approach
is particularly suitable for internal audits, where development
of a preliminary survey of governing statutes and controls
may be immediately followed with a correlated approach
to the evaluation of the controls and related practices,
reports and accounts.
Operating or management
controls at a particular agency include all the policies,
programs, procedures, methods, organizations, performance
standards, reports and other measures by which management
may ascertain whether prescribed objectives are carried
out efficiently, economically and effectively. Certain
of these controls are established by related organizations
such as OSC; while still others are established at the
level of the agency Many of these controls take
the form of financial reports or other reports having
quantitative significance; some take the form of standards
( such as inventory stock age objectives or equipment
authorizations); and others take the form of procedural
requirements (such as State Finance Law for the letting
of contracts). The nature of these controls must
be understood and evaluated so that the auditor may establish
the degree to which he may rely upon them for assuring
the efficiency, economy, and effectiveness of the operations
performed.
(3) Competence of Evidential Matter - Evidential
matter consists of the underlying accounting data and
all corroborating information available to the auditor.
The AICPA points out the accounting data, by itself, cannot
be considered as sufficient support for financial statements.
Hence, the auditor must make effective use of such corroborating
data as checks, contracts, and minutes of meetings; confirmations
and other written representations by knowledgeable
people; information obtained from inquiry, observation,
inspection and physical examination; and any other information
which enables the auditor to reach conclusions.
Audits performed
by the internal audit organization lead to objective analyses,
appraisals, recommendations, and comments on the accounting,
financial, and operating controls and practices of the
activities reviewed. The auditor is, therefore,
charged with examining sufficient competent-evidential
matter to enable the rendering of informed audit conclusions
and opinions in these areas.
Evidential matter
may be obtained either within the agency or from external
sources. Internal evidence embraces such data as
books of account and related supporting documents, financial
reports and other documents having quantitative significance,
procedural manuals, management reports and other correspondence,
files or documents that have bearing upon the operations
of the agency. External evidence embraces whatever
evidence the auditor obtains to supplement the internal
evidence; it includes confirmations requested from various
sources, inspection and observation of resources
and operations, inquiries directed at officials and data
obtained at the departmental level.
In the examination
of assets, physical contact with an asset would normally
constitute more reliable evidence that would examination
of a document purporting to evidence the existence of
the asset. Documentary evidence is of greatly varying
reliability. If documents prepared by third parties are
sent directly to the auditor, they ordinarily constitute
evidence of a degree of reliability approaching that of
physical evidence. However, due precaution must
be used in securing such evidence.
Wherever appropriate,
evidential matter (whether it be in the form of documents
to be reviewed, confirmations to be solicited or some
other form) should be obtained and evaluated by means
of scientific statistical sampling. The use of statistical
sampling will in no way reduce the requirement for audit
judgment; on the contrary, the size and nature of the
sample and the interpretation of sampling results call
for a very high degree of audit judgment.
The standards for
obtaining sufficient competent evidential matter to support
an audit conclusion in operating areas are similar to
those for supporting an audit conclusion on financial
statement. In fact, it may be said that the work
of the auditor concerned with evaluating whether operation
policies are being followed and procedures are adequate,
is founded upon the audit techniques developed by the
public accounting profession. The auditor concerned
with operating efficiency, however, will tend to place
grater emphasis on evidence which will assist him in analyzing
the results of an operation. this frequently take the
form of comparisons between standards and actual performance.
The standard may be a budget, the department's standard,
policy, unit-cost, or perhaps an average (or standard)
established by the auditor by examining like operations.
The gathering of data to establish the extent of deviation
from the standard, and the caused for deviations will
then be based upon the usual audit methods for accumulating
evidence.
The data accumulated
by the auditor should be set forth in working papers which
will clearly establish the source of the data obtained,
the scope of the audit performed, the purpose of performing
the particular audit step, and the audit conclusions reached.
Working papers should be reviewed by the auditor in charge
of the examination and by the director of the internal
audit organization. Working papers should bear evidence
of this review in the form of supervisory notes, initialing
of work papers, or other means.
(4) Cost of Audit Performance - The AICPA states
that an auditor typically works within economic limits;
his opinion, to be economically useful, must be formulated
within a reasonable length of time and at a reasonable
cost. The auditor must decide, again exercising
professional judgment, whether the evidential matter available
to him within the limits of time and cost is sufficient
to justify formulation and expression of an opinion. As
a guiding rule, there should be a rational relationship
between the cost of obtaining evidence and the usefulness
of the information obtained. In determining the
usefulness of evidence, relative risk may be properly
given consideration. the matter of difficulty and expense
involved in testing a particular item is not in itself
a valid basis for omitting the test.
Obviously, many factors
must be considered in arriving at the nature of the audit
steps to be performed and at the extent to which they
are performed. Certainly, the system of internal control
is a major factor. The AICPA states there is to
be a proper study and evaluation of the existing internal
control as a basis for reliance thereon and for the determination
of the resultant extent of the tests to which auditing
procedures are to be restricted. Hence, the
auditor must have both a knowledge of the internal
procedures used by the organization under audit, and a
reasonable degree of assurance that the planned procedures
are actually in use. As the audit progresses and
the auditor learns whether the intended procedures are
actually being practiced there may be either an extension
of audit tests or the shifting of emphasis or timing of
the audit procedures. In any event, the auditor
must recognize that the system of internal control must
be evaluated in fixing the audit scope.
The cost of audit
performance depends heavily on both the nature and the
audit steps selected and the extent to which particular
audit steps will be performed. The auditor must
carefully weight what he expects to achieve with each
audit step and determine whether there may be a less costly
alternative audit step; whether the audit step will yield
a reliable conclusion in the light of alternative audit
steps; whether a lower confidence level (in fixing the
extent of the sample) might not be justified in the light
of the indicated internal control system; whether a stratified
statistical sample would yield a greater degree of confidence
in the audit conclusion; whether the step is necessary
(or whether so extensive a test is necessary ) in the
light of materiality of the item or the relative risk
involved.
The purpose of
raising these questions is not to unduly restrict the
audit scope, but rather to call attention to the need
for considering the cost of performing an audit step in
fixing the audit scope. In short, there should be
conscious measuring at all levels of auditor and supervisor
of the relationship between audit costs and the value
of the benefit or protection derived from the audit step.
c. Standards of
Reporting
The report shall state whether the financial statements
are presented in
accordance with generally accepted accounting principles
or in conformity with
the comprehensive basis of accounting used.
The report should state whether such principles have been
consistently observed
in the current period in relation to the preceding period.
Informative disclosures in the financial statements are
to be regarded as
reasonably adequate unless otherwise stated on the
report.
The report shall either contain an expression of opinion
regarding the financial statements, taken as a whole ,
or an assertion to the effect that an opinion cannot be
expressed. When an overall opinion cannot be expressed,
the reasons therefore should be stated. In all cases where
an auditor's name is associated with financial statements,
the report should contain a clear-cut indication of the
character of the auditor's examination, if any, and the
degree of responsibility he is taking.
External auditors are generally more concerned with an
expression of opinion regarding the financial statements.
The AICPA Standards of Reporting may therefore have limited
applicability in internal auditing. However, internal
auditors should be aware of agency adherence to generally
accepted accounting principles and the impact these principles
have on the presentation of financial statements and the
treatment of accounting transactions.
A restatement of the AICPA Standards of Reporting to reflect
the basic concerns of internal audit follows:
Audit reports should
be prepared on an "exception" basis; however,
the report
should point out evidence of
effective financial management and program
accomplishment as well as areas
of ineffective performance.
To the extent that
reports contain critical comments, they should
contain a clear statement of
the facts underlying the condition
reported, the causes of the condition,
illustrations and other date
supporting the audit conclusion,
and the meaningful
recommendations. The facts should
be presented in their proper
perspective so that unjustified
inferences will not be drawn.
The facts, conclusions,
and recommendations should be expressed
in a tone of quiet conviction
and objectivity; motivated by a sense of
responsibility and desire to
be constructive.
Where the report
contains an expression of opinion on the financial
statements of the agency, the
opinion should be expressed in
accordance with generally accepted
standards of reporting as
developed by the AICPA.
(1) Disclosure in Depth and Perspective -Audit
reports should contain facts, conclusions and recommendations,
rather that descriptions of audit steps. A meaningful
audit "finding" must be supported by a statement
of all relevant, significant information surrounding the
condition reported (including illustrations and effects)
so that management will clearly understand the problem
and the basis for the audit conclusion. The conclusions
contained in the audit report should be discussed with
appropriate personnel of the facts may be verified, reactions
may be obtained, and corrective actions taken during the
course of the audit may be noted in the report.
Above all, facts must be presented in their proper perspective
so that the reader will not draw unjustified conclusion.
Percentages of line items of inventory, dollar amount
of contracts affected by a particular weakness, or other
statistical or descriptive data will be used to place
the condition reported in perspective.
(2) Narrative Tone - Audit reports are of value
only insofar as they result in honest, objective disclosure
and effective corrective action and conditions reported.
Accordingly, they must be prepared in a manner which will
create a climate of confidence in an acceptance of audit
conclusions and recommendations. Sharp, critical
and inflammatory expressions often create resentment as
well as an atmosphere where challenging and debating the
auditor's conclusion are considered necessary to defend
those responsible for or involved in the conditions reported.
The responsible, independent professional auditor will
best achieve his objectives by reporting in a tactful,
tempered manner.
2. General Comments about the AICPA Standards
- Based on the preceding AICPA standard, the following
general comments can be made,
Auditing standards
differ from auditing procedures. Procedures are
acts performed during the audit, Standards guide
the auditor in selecting and performing procedures to
ensure quality and that objectives are fulfilled.
Individual standards should not
be considered in isolation, since they are interrelated
and interdependent.
"Materiality"
and "relative risk" must be considered in applying
these standards, not only when planning audits but also
when determining audit steps to be done for each audit.
REPORTING AND FOLLOW - UP OF AUDIT
FINDINGS
Internal audit
finding, observations, conclusions and recommendations
are reported to the agency's management. As previously
stated, the internal auditor should report to a management
level high enough to assure adequate consideration of
his findings. The interest of tip management in
the work of the internal auditor can contribute much to
the acceptance of such work by all management levels.
Internal audit
reports should be submitted to management officials who
are responsible for the operations reviewed as well as
the official to whom the audit function is responsible.
Copies of reports should be retained on file for use by
other organizations.
Primary responsibility
for action and follow up on audit recommendations rests
with management, but reporting of a finding, observation,
or recommendation does not end the internal auditor's
concern with the matter. As part of his continuing
review of agency operations, the internal auditor should
ascertain whether recommendations have received management
consideration, whether corrective action has been taken,
and whether the results were satisfactory. Regular
status reports should be prepared for the information
of management officials as to actions taken on audit recommendations.
Where operating
officials disagree with the internal auditor's recommendations
and the differences cannot be reconciled, the final
decision should be made at a higher level.
RELATIONSHIP TO STATE COMPTROLLER'S
AUDIT FUNCTION
The internal audit
function is not in lieu of or supplementary to OSC's audit.
Rather, it is established primarily as an aid to management
in discharging its responsibilities. The effectiveness
of the agency's internal auditing function is recognized
in setting the scope of OSC's audit. Actions taken
by the agency on internal audit recommendations are reviewed
by OSC's auditors.
OSC will evaluate
the agency's internal auditing to determine what reliance
can be placed upon it in discharging OSC's auditing and
report and reporting responsibilities. Free and unrestricted
access to internal audit working papers and reports is
essential if OSC's auditors are to effectively review
and evaluate them.
Agency internal
auditors should concern themselves with audit findings
and recommendations of OSC's auditors. Periodic
status reports on the recommendations should be prepared.
After review by management, a copy of the status reports
should be submitted to OSC.
RELATIONSHIP TO OTHER AUDIT AND REVIEW
ACTIVITIES
Internal auditing
is a staff function independent of line operations. Therefore,
internal audit review and appraisal does not relieve other
persons in the agency of the primary responsibilities
for compliance with prescribed policies and procedures,
for proper protection and use of the agency resources,
and for appropriate action in the correction of deficiencies
or unsatisfactory conditions reported by the auditor.
An internal audit organization should not replace established
lines of operating authority and responsibility, and does
not eliminate the need for continuing functional supervision.
Some agencies have
established other internal review activities, such as
inspection, appraisal and investigation. These activities
are often in the nature of management services,
and assist management in supervising and reviewing designated
functions. Maximum cooperation and common understanding
among them and with the internal audit organization are
essential to prevent duplication of effort. The internal
auditor should communicate to such groups any observations
he may have which are related t their responsibilities.
He should also receive copies of their reports.
The internal auditors
objectivity is not adversely affected when the auditor
recommends standards of control for system or reviews
procedures before they are implemented. The internal auditor's
role is to call attention to problem areas and possible
improvements. However, designing, installing and
operating systems are not audit functions. Also, the drafting
of procedures for systems is not an audit function. Performing
such activities is presumed to impair audit objectivity.
