Question 01
You are newly appointed as an internal auditor of ABC LLC, a
company involved in making business to business (B2B) sales of
industrial products. The CEO of the company during an official
meeting stated, “Companies today increasingly face the need for
transformation due to volatile, uncertain, complex and ambiguous
business environment. Managing the risk created by VUCA business
environment has been seen as an esoteric business function. Advise me on
the role played by or the importance of Internal Auditors in
supporting the organisations to manage the risks”.
You are required to construct an answer by:
Explaining the scope of internal audit and discussing any five
types of audit conducted by the internal auditors to provide
assurance on the adequacy of internal controls and risk management
with suitable examples.
(Word limit – 600 words)
Please help me and answer carefully.
Internal auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing achieves this by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
The scope of internal auditing within an organization is broad and may involve topics such as an organization's governance, risk management and management controls over: efficiency/effectiveness of operations (including safeguarding of assets), the reliability of financial and management reporting, and compliance with laws and regulations. Internal auditing may also involve conducting proactive fraud audits to identify potentially fraudulent acts; participating in fraud investigations under the direction of fraud investigation professionals; and conducting post-investigation fraud audits to identify control breakdowns and establish financial loss.
Internal auditors are not responsible for the execution of company activities; they advise management and the board of directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.
Internal audits are conducted for different reasons and with varying objectives, and with each type of risk exposure an organization would need to conduct a particular type of internal audit. Some audits are required by regulation or policy, while others are requested by management to help improve processes or identify internal control weaknesses.
Here are some types of internal audit:
Operational Audit. An operational audit evaluates performance of a particular function or department to assess its efficiency and effectiveness. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Internal controls and efficiencies may be evaluated during this type of audit. Some areas of operational audits include: organizational structure, processes and procedures, accuracy of data, management and security of assets, staffing, and productivity.
Compliance Audit. A compliance audit evaluates an area’s adherence to established laws, standards, regulations, policies, and/or procedures. Compliance audits are done because of a policy or statutory requirement. While the audit is done for regulatory reasons, the objectives are still to ensure adequate control over an important internal process.
Financial Audit. A financial audit is a historically oriented, independent evaluation performed for the purpose of attesting to the fairness, accuracy, and reliability of financial data. The central objective is to ensure that the financial activity of the department, unit or area is completely and accurately reflected in the appropriate financial reports.
Follow-up Audit. These are audits conducted approximately six months after an internal or external audit report has been issued. They are designed to evaluate corrective action that has been taken on the audit issues reported in the original report. The purpose of a follow-up audit is to revisit a past audit’s recommendations and management’s action plans to determine if corrective actions were taken and are working, or if situations have changed to warrant different actions.
Investigative Audit. This is an audit that takes place as a result of a report of unusual or suspicious activity on the part of an individual or a department. It is usually focused on specific aspects of the work of a department or individual. Investigations are conducted to determine the extent of loss, assess weaknesses in controls, and make recommendations for corrective actions.
The other types are: IT Audit. An Information Technology (IT) audit evaluates controls related to the institution’s automated information processing systems. Management Audit. Management audits, also called performance audits, are internal consulting projects. Because an internal audit is an activity independent of management. Other types of internal audits would include the integrated audit, which is a combination of the IT Audit and the Operational Audit.
Internal Controls
Internal control is all of the policies and procedures management uses to achieve the following goals.
The framework of a good internal control system includes:
Internal Control Examples
Internal control procedures document transactions by creating an audit trail. They limit the actions of employees by requiring authorization, approval and verification of selected transactions. They segregate duties because certain job responsibilities are mutually incompatible and, if left unchecked, allow one person too much unsupervised access to company assets. No individual should be able to initiate a transaction and then approve it, record the information in accounting records and control the proceeds that result. Internal controls are either preventive or detective. Preventive controls are designed to prevent errors, inaccuracy or fraud before they occur. Detective controls are intended to uncover the existence of errors, inaccuracies or fraud that have already occurred.
Controls in General
Good insurance is the best "last-resort" internal control a business owner can have. Coverage of loss due to employee theft may mean the difference between recovering from fraud or closing a business. Insurers often require certain specified internal controls as a prerequisite for coverage. An example is requiring pre-employment screening of applicants for key positions. A system of business forms to track all company transactions is an example of internal controls. Business forms create an audit trail to track sales, credits, refunds or returns of merchandise; the movement of inventory; purchasing and ordering from vendors; and receipt of cash and payments.
Preventive Controls
Many preventive controls are based on the concept of separating duties. Examples include prohibiting the same person from conducting related transactions such as initiating and recording transactions; making purchases and approving payments; ordering and accepting inventory; approving vendors and making payments; receiving bills and approving payments; and authorizing returns and issuing refunds. Payroll preparation and distribution duties and approving, writing and signing checks should also be done by different people. Examples of internal controls built around the concept of authorization, approval and verification include requiring supervisory review and approval of payroll information before disbursement, requiring interdepartmental dual authorization of payroll data by accounting and human resources departments and requiring prior approval of credit customers, vendors and purchases.
Detective Controls Explained
Detective controls are internal controls designed to identify problems that already exist. Audits are an example of a detective control. Monthly reconciliation of bank accounts, review and verification of refunds, reconciliation of petty cash accounts, audits of payroll disbursements or conducting physical inventory are all examples of detective controls. Preventive and detective controls are often required in combination to provide sufficient protection. Computer systems require preventive controls through acceptable use and access control. Computer usage logs must be kept. Logs are a form of detective control to be reviewed and audited at regular intervals.