Mobile Edition
Print
Get the Mag
Weekly UpdatesThis checklist is designed to help managers tackle the process of an internal audit within their organisation or department. Internal audit is an essential part of business life, but not all organisations are large enough to have a designated internal audit function. This checklist is aimed primarily at those who are either undertaking an internal audit themselves or are responsible for selecting and managing a member of staff who has this responsibility. It applies equally to organisations in the public and private sectors.
In the wake of a number of recent spectacular cases of fraud, the 1998 Combined Code (on corporate governance) and the 1999 Turnbull report (on internal controls) both give internal auditing a much higher profile. Turnbull in particular, lays down the key internal controls that companies listed on the Stock Exchange, or those that are planning to become listed, must adopt. The recommendations serve as a model for other companies.
Management Standards
This checklist has relevance to the MSC National Occupational Standards for Management: Key Roles A, B and F--Manage Activities, Manage Resources and Manage Quality.
Definition
There is a clear distinction between internal and external audit. Internal auditing is defined by the Institute of Internal Auditors as an independent appraisal function established within an organisation to examine and evaluate its activities, the objective being to assist staff in the effective discharge of their responsibilities. To this end internal auditing furnishes staff with analyses, appraisals and recommendations concerning those activities. Internal auditing is usually carried out by staff from within the organization.
Advantages of internal audit
Internal audit should be a continuous process, from which many advantages can be discerned. These may include:
* management's attention will be directed to the key business issues--it gives an analysis of weaknesses in the system of control, from which practical recommendations for improvement can be made
* it leads to positive assurance when controls are operating satisfactorily
* it identifies opportunities for improved efficiency and effectiveness
* it gives early notice of potential problems. Management can then take action as necessary.
Disadvantages of internal audit
* It can be time-consuming and takes managers away from their day-to-day work.
* If handled insensitively, it can be threatening to staff who may feel that they are being scrutinised with the intention of finding fault.
Action checklist
1. Select internal audit objectives relevant to the assignment
Internal audits primarily look at key controls:
* financial--how is money handled within the organisation? Who authorises payment, and what are the checks and balances to stop unauthorised spending and fraud?
* administrative controls--are these conducive to meeting strategic objectives?
* systems--which ones are there in a department and across the organisation--and how do they fit together?
as well as:
* value for money--is this being achieved through the systems in place, or do the systems fail to measure this?
The first step is to make sure your broad audit objectives reflect whichever of these are your priorities.
2. Prepare a detailed brief
An internal audit looks at a variety of aspects of the way an organisation works. It does not only focus on financial issues. Write an audit brief or strategy to set detailed priorities in accordance with the main issues, and give some indication of the proportion of time you expect to be accorded to highlighted aspects.
3. Choose your auditor
It is usual to appoint another individual from within the organisation as internal auditor. Dependent on the issues to be examined, a formal qualification, for example, in accountancy, may be appropriate.
The growing use of external certification systems for issues such as quality control (ISO9000), environmental control (ISO14000) and staff development (IIP) may require other members of staff to have responsibility for the continuous review of those systems.
4. Brief your auditor
You need to make sure that you have all the background information you need before you brief your auditor. This would include your organisation's:
* strategic or business plans
* standing orders
* articles and memoranda of association
* internal procedure manuals
* lists of key personnel
* structure chart.
Arrange a meeting to ensure you have provided the auditor with sufficient information; in particular, even if he or she is an employee of the organisation do not make assumptions about his or her level of knowledge.
At the meeting the aim is to agree the objectives of the audit. Find out how the auditor will meet these objectives, agree a timetable and a plan of action and find out if further information is needed.
5. Identify the key controls to meet audit objectives
The next stage is to start to look at detail. The auditor needs to look at the organisation's existing procedures for controlling the key areas to be examined.
6. Evaluate the controls
Next, evaluate how effective the controls are. Could they be improved? Are there any omissions? Questions worth thinking about are:
* if someone wanted to commit a fraud, where and how would they do it?
* if I had bought this item personally, would I be happy with the price paid and the level of service offered?
7. Test the system
Now, test the controls in action. Choose a number of activities or transactions at random and trace back all the steps that took place. Ask:
* are there any procedures or rules in place?
* did people follow the procedures?
This will show how far the existing rules and procedures are complied with.
8. Select areas needing in-depth investigation
From random tests the auditor may find areas of concern which need further investigation. The audit should now investigate these areas in depth--for example every transaction will be examined over a number of months to see if the random sample was an exception or a real problem.
9. Consider whether value for money is being achieved
Whatever the overall audit objectives, it is always an internal auditor's job to test whether value for money is being achieved. The kind of things to look for are:
* has the market been tested by getting quotes and tenders for goods and services?
* are the systems working in the most efficient way?
10. Prepare a draft report
Make a report of all findings with a set of recommendations. This should be in draft format and should be discussed with everyone who took part in the audit--to ensure that the auditor hasn't misinterpreted any information.
11. Produce the final report
The final report should include an action plan to tackle the areas requiring strengthening. It should have a timetable and an agreed time to meet again to monitor what has happened. Use the knowledge of the auditor as a guide towards best practice. Make sure the recommendations in the report are of a practical nature.
12. Take action
Act on the findings to put things right and monitor how effective the actions taken are. This may well involve changing written instructions, manuals or procedures, alerting staff to the changes and ensuring adequate training is given to staff in those areas.
13. Communicate
Keep everyone throughout the organisation fully informed of the programme, and what changes have been, or are being, made to tighten up procedures. Make sure that the wording of any announcements do not point the finger of blame at any individuals, but emphasise that the procedures themselves are being strengthened.
Dos and don'ts for internal audits
Do
* Brief staff on the benefits of internal audit.
* Keep staff informed of the findings of the audit and any positive action that has been taken as a result of it.
* Concentrate on the high risk elements identified.
* Set an action plan that is realistic.
* Monitor progress towards meeting the action plan.
Don't
* Rely on internal audit as a day-to-day management control mechanism.
* Expect internal audit to pick up all the potential weak links in your systems.
Useful reading
Books
Useful addresses
Related checklists
* Managing risk
* Spotting fraud
Thought starters
* Have you defined the nature and scope of the internal audit?
* Have you established what the system is trying to achieve?
* Have you identified the key controls?
* Are your staff fully informed of what is happening and the actions you are going to take?
Further Information
Checklists are available in the following formats:
* Individual checklists.
* A complete set of 195 on CD-ROM or in hard copy.
* Checklists with permission to photocopy.
Full details of the range of checklists available can be obtained from:
Lavis Marketing, 73 Lime Walk, Headington, Oxford, OX3 7AD Tel: 0845 702 3736 (local rate call) Fax: + 44 1865 750079 or from Checkpoint on the Chartered Management Institute's website at www.managers.org.
FEED