Internal Audit April 2012


Introduction

Recent events including global financial crises have emphasised the need for internal auditing within corporate governance structures

Internal audit function is now mandated by most stock exchanges

Donors increasingly demand improved accountability & financial transparency in development projects

IFAD procedures do not specifically require internal audit, however, IFAD Operational Procedures for Project Audits (for use by IFAD & CIs) require that “as part of the assessment of the borrower’s capacity to implement and manage the project effectively, the appraisal mission will evaluate any internal audit (IA) mechanism for the project/ PMU”

Furthermore, internal audit is considered good practice & advisable as part of underlying control framework & financial management capacity of a project, particularly if complex &/ or decentralised

Definition

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

The Institute of Internal Auditors

IA – Code of Ethics

Principles

Internal auditors are expected to apply & uphold the following principles:

Integrity: The integrity of internal auditors establishes trust & so provides the basis for reliance on their judgment

Objectivity: Internal auditors exhibit the highest professional objectivity in gathering, evaluating & communicating information. Internal auditors make a balanced assessment of all relevant circumstances & are not unduly influenced by their own interests or others in forming judgments

Confidentiality: Internal auditors respect the value and ownership of information they receive & do not disclose information without appropriate authority unless there is a legal or professional obligation to do so

Competency: Internal auditors apply knowledge, skills, & experience needed

What is Internal Audit?

Internal Audit is a professional activity which helps organisations to achieve their stated objectives by:

Analyzing key processes, procedures & operations

Identifying key controls in each such operation, procedure & process

Evaluating the adequacy of these controls

Testing compliance of sample transactions against these controls

Reporting results of the evaluation of controls and compliance testing of transactions

Recommending stronger controls wherever necessary

Suggesting methods to improve compliance with key controls

Follow up of action taken on recommendations made in previous reports

What are Internal Controls?

Internal Controls are important checks instituted by management to have reasonable assurance that:

Operations are carried out in an efficient & effective manner

Transactions are recorded accurately & completely

Assets are properly recorded & safeguarded

Laws are complied with

Reliable reports are generated

Some examples of Internal Control

► Budgetary Control

► Fixed Assets Register

► Bank & Special Account Reconciliations

► Reconciliation of Financial & Physical M & E Reports

How are Internal Audit & External Audit different?

Internal audit is focused on internal management support and improving systems, procedures and processes

⇉ External audit (EA): normally statutory requirement, unlike internal audit (IA)

⇉ EA reports are addressed to stakeholders: IA reports are addressed to Management

⇉ EA reports express an opinion on the financial statements prepared by the entity for a specified period: IA reports evaluate and check compliance against key internal controls

⇉ EA reports are usually public documents which are available to all stakeholders. IA reports are for use only by Management

⇉ EA reports do not make recommendations, although may have a Management Letter: IA reports are incomplete without

⇉ EA is basically a review of financial statements for compliance: IA seeks to ensure value for money to Management

Why should IFAD funded projects be subject to IA?

IFAD funded projects may be subject to Internal Audit because:

External audit checks overall compliance with internal controls related to financial transactions.

Supervision Missions conduct only spot checks.

Internal audit is inherent in government structures in most developing countries.

Sample IA Terms of Reference enclosed

IA has a key role in Risk management of IFAD Projects

What are key concerns from a FM viewpoint?

► Is the accounting system capable of recording financial transactions in a timely & accurate manner?

► Is the accounting system capable of tracking project expenditure by category & component?

► Is the accounting system capable of comparing actual expenditure to budget as per approved AWPB on a real time basis?

► Are withdrawal applications prepared properly & do they contain ineligible expenditures?

► Are procurement transactions undertaken as per Schedule 4 &/or LTB of the financing agreement?

► Are project assets properly recorded & safeguarded from misuse and abuse?

► Are Special Account & Project Account operated & reconciled properly & timely?

► Are proper audit arrangements in place?

► Are audit reports properly followed up?

► Does the project generate reliable & accurate financial statements & reports?

► Are project funds flowing smoothly, timely & transparently to intended beneficiaries?

Internal Audit (IA) Mandate

What does it not do?

Perform management activities/ responsibilities (these include establishing internal controls)

Compliance & Advisory roles

What does it do?

Primary role in improving internal control, accuracy, reliability & integrity of information including financial & operational reporting

Monitoring & evaluation of effectiveness of risk management processes

Role in corporate oversight, safeguarding of assets, economical & efficient use of resources, compliance with laws & regulations, deterring fraud

Internal Control Myths and Facts

Myth: Internal control starts with a strong set of policies and procedures
Fact: Internal control starts with a strong set of policies and procedures

Myth: Internal control: That’s why we have internal auditors!
Fact: While internal auditors play a key role in the system of control, management has responsibility for internal control

Myth: Internal control is a finance thing
Fact: Internal control is integral to every aspect of business/operations

Myth: Internal controls are essentially negative, like a list of “thou-shalt-nots”
Fact: Internal control makes the right things happen the first time

Myth: Internal controls take time away from our core activities of implementing development objectives
Fact: Internal controls should be built “into,” not “onto” business processes

Internal Control Practices

How?

Internal control is a process. It's a means to an end, not an end in itself

Internal control is effected by people as a team, not by internal auditor. It's not merely policy manuals & forms, but people at every level of an organization

Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and governing bodies/ committees

Uses systematic methodology for analysing business processes, procedures & activities

The cost of IA should not exceed expected benefits to be derived

Internal Control Structure

An internal control structure is simply a different way of viewing operations – a perspective that focuses on doing the right things in the right way

In many cases, you perform controls and interact with the control structure every day, perhaps without even realising it

MONITORING

• Monthly reviews of performance reports

• Supervisory activities

INFORMATION AND COMMUNICATION

• Reporting

• Corporate communications (e-mail, meetings)

CONTROL ACTIVITIES

• Purchasing limits

• Approvals/ segregations

• Security

• Reconciliations

• Proper operating & accounting procedures

RISK ASSESSMENT

• Based on identification & analysis of risks to achievement of objectives

CONTROL ENVIRONMENT

• Corporate Policies

• Tone at the top, ethics

• Organisational authority

• Skilled personnel

Role in Risk Management

Focus on risk of occurrences that could prevent the project from achieving its goals

There are many types of risk – strategic, operational, financial reporting, legal/regulatory, fraud, ineffective/inefficient use of resources, technological, human capital, credibility, etc.

Focus on areas with high risk & high probability that controls are not in place or are weak

Don’t forget positive risks – opportunities!

Add value by eliminating unnecessary controls, if underlying risks are minimal/within project’s risk appetite!

Role in Internal Control

1. Compliance audit: review of financial & operating controls & transactions for conformity with laws, regulations & procedures, e.g.,

• Access to IT system appropriate to user’s role

• Segregation of duties in high risk areas

• Balancing & reconciliation between systems

• Systems back up & recovery

• Physical safeguard & access restriction controls

• Reconciliations, comparison of budget to actual

2. Operational audit: review of various functions within project to evaluate efficiency, effectiveness, & economy

IA Role in Corporate Oversight

Four pillars – internal audit, executive management, external audit, & Board of directors/ steering committee

Combination of processes & organisational structures implemented by management to inform, direct, manage and monitor the project’s resources, strategies & policies towards the achievement of its objectives

Public sector governance principles - transparency, integrity, accountability

May include review of sufficiency of human resources, training needs, policies, etc.

Nature of Internal Audit Activity

Establish scope & activities for audit to Management

Describe key risks facing the business activities within scope of audit

Identify control procedures used to ensure each key risk is properly controlled & monitored

Develop & execute risk based sampling & testing approach to determine whether most important controls are operating as intended (NB: input from Management required – e.g. 100% sampling of WA review)

Report issues/make recommendations/negotiate action plans with Management to address issues

Follow up on reported findings periodically

Contents of Audit Plan

Updated annually

Risk based audit plan developed with input from project staff including Management

Summary of key goals, risks & corresponding major audits, to illustrate alignment

Based on risk assessment & available resources

Appendix materials, such as planning approach, assumptions & brief descriptions of all planned audits & related prioritization

Approved by management/ appropriate oversight Committee

Contents of Audit Report

Observations

Narration/ description

Remedial action

Consequences/ fall out

Recommendation for improvement (prioritized between “high” and “normal”)

Response (action plan) – who, when and how

IA’s Proactive Role

Identify Risks

Find Better Ways and Best Practices

Partner With Management to Find Solutions

Prevent Problems

Provide training

Respond to policy & technical accounting questions

Offer suggestions for improvement

Advisory role

Additional Resources

Conclusion

Why all this trouble?

Additional comfort and “tightness” that the project is doing the right thing, the first time, communicating right information internally, to external auditors, donors, ministries, etc.

More formal control structures reduce possibility that risks become real issues

External Auditor may receive additional assurance to provide unqualified report on accounts

Donor & government confidence increased, affecting financing flows

What are the next steps?

Identify areas of high risk & opportunities

Validation of process documentation & controls

Communication, with PCs & project staff
