Question

Explain the linkages between internal controls, internal auditors, external auditors, and controllers.

Answer 1

The logical approach to this topic starts from the Internal Control, which is defined by several specialist professional institutes such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Institute of Internal Auditors (IIA) and the American Institute of Certified Public Accountants (AICPA), etc. We will quote here the COSO definition, which states the following:

“Internal Control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide “reasonable assurance regarding the achievement of objectives in the following categories: operations, reporting and compliance”.

A part of the philosophy in this definition purports that the internal control can never be limited to financial and accounting activities only since it covers all aspects of the organization and encompasses all levels of employees, the executive management and the board of directors.

Apart from engaging in theoretical details, the internal controls include but are not limited to:

1. The integrated Report (IR).

2. Strategic plan (strategic objectives and business plan).

3. Organizational structure manual (designed according to the corporate governance rules and includes risk committee and management function).

4. Job structure manual (including compliance function).

5. Framework of competencies and integrity that incumbents should have.

6. Delegation of authority matrix.

7. Policies and procedures manual for the organizational units (designed according to four eyes principle for a single activity).

8. Clear-cut job descriptions.

9. Regular reporting systems for organizational units.

10. Appraisal system for the executive management and board of directors.

11. Board of directors’ charter.

12. Code of professional conduct and ethics for the executive management (which should include a whistleblowing channel for the employees along with ensuring protection for them).

13. Annual training plan for the board of directors and the executive management.

14. Employee guide.

15. Deployment of IT systems for the operations based on cost-benefit principle.

Responsibility for update and maintenance of internal controls

Each incumbent of jobs in the organizational structure will be responsible for updating and maintaining the internal controls. An employee shall report to the head of organizational unit and the head of organizational unit shall report to CEO who in turn shall report to the board of directors.

Conclusion

The internal control is a preventive tool employed to achieve specific objectives, namely:

1. Operation objectives

These are related to effectiveness and efficiencies of operations including financial and operations performance objectives, and protection of assets against loss.

1. Reporting objectives

These are related to internal and external financial and non-financial reports, which would include reliability, compliance with deadlines, transparency and any other requirements set by the organizational authorities, regulators or recognized standard setters or set forth in the organization’s policies.

1. Compliance objectives

These are related to compliance with laws and regulations governing the organization’s business.

Internal Audit

The Institute of Internal Auditors (IIA) defines the internal audit as:

“An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.

Further, the Association of Chartered Certified Accountants (ACCA) defines the internal audit – the control of controls – as the independent and objective evaluation of an organization’s internal controls to effectively manage risk within its risk appetite.

It is worth mentioning that the internal audit activity is carried out by an organizational unit reporting to the audit committee, which in turn reports to the board of directors. The internal audit function develops an annual action plan, which should be approved by the audit committee, and submits periodic reports on the internal audit activities.

It should be also noted that the internal audit report shall contain a section on the review and evaluation of the internal controls, and assurance of its adequacy or requirement to introduce further controls, which achieve an adequate level of internal control.

Conclusion

The internal audit is a detective tool employed to verify the extent of executive units’ compliance with established controls.

Relationship between Internal Control and Internal Audit

In light of the above highlights of internal control and internal audit, it clear that there is a complementary relationship where the internal control establishes the controls based on which a business entity should be managed while the internal audit represents a detective activity, which verifies the implementation of internal controls. This complementary relationship is further confirmed by the matching objectives of internal control and internal audit as both disciplines are ultimately intended to protect the shareholders – the entity’s owners.

Internal audit Vs External audit

There are multiple differences between the internal audit and external audit functions, which are as follows:

· Internal auditors are company employees, while external auditors work for an outside audit firm.

· Internal auditors are hired by the company, while external auditors are appointed by a shareholder vote.

· Internal auditors do not have to be CPAs, while a CPA must direct the activities of the external auditors.

· Internal auditors are responsible to management, while external auditors are responsible to the shareholders.

· Internal auditors can issue their findings in any type of report format, while external auditors must use specific formats for their audit opinions and management letters.

· Internal audit reports are used by management, while external audit reports are used by stakeholders, such as investors, creditors, and lenders.

· Internal auditors can be used to provide advice and other consulting assistance to employees, while external auditors are constrained from supporting an audit client too closely.

· Internal auditors will examine issues related to company business practices and risks, while external auditors examine the financial records and issue an opinion regarding the financial statements of the company.

· Internal audits are conducted throughout the year, while external auditors conduct a single annual audit. If a client is publicly-held, external auditors will also provide review services three times per year.

In short, the two functions share one word in their names, but are otherwise quite different. Larger organizations typically have both functions, thereby ensuring that their records, processes, and financial statements are closely examined at regular intervals.

Every company keeps the details of their financial transactions for future use. These financial statements prepared by the accountants are verified during the statutory audit and internal audit. Statutory Audit is conducted to ensure that all the financial details of the company are perfect without any scam. Reports regarding this audit will be submitted to the shareholders. Internal Audit is conducted by the management itself to ensure that they are following the specified rules and regulations. Statutory Auditor performs the statutory audit while Internal Auditor is responsible for doing the internal audit. Statutory Auditor and its opportunities Statutory Auditors are usually employed in the National Audit offices. It is their responsibility to perform mandatory audits in governmental bodies and public sector companies. They also perform audit in certain private companies for its shareholders. There are private firms which offer statutory audit service to the required clients. Statutory Auditors can look for lucrative opportunities in these firms. Several companies are hiring experienced statutory auditor for the managing the auditing related works. Director Statutory Auditor belongs to such kind of job profile offered by various organizations for independently handling the statutory audit. Internal Auditor and its opportunities Internal Auditors can find lucrative opportunities in the private accounting firm which performs internal auditing for the companies. They can also work in the accounting department of various private companies. High profile organizations employ only experienced internal auditors having exceptional skills in verifying the financial documents. They can specialize in certain fields according to their experience and interest. Key difference between Statutory Auditor and Internal Auditor Statutory Auditors are appointed by the shareholders of the concerned company while the Internal Auditors are appointed by the company itself. Statutory Auditors must be a chartered accountant while no such qualifications are prescribed for an Internal Auditor Even though both of them do the same job, objectives specified for them are different. Statutory Auditors work for the shareholders and give their audit reports to them. Internal Auditors submit their audit reports to the company as they work for the sake of the company. Statutory Auditors can be removed only with the consent of the government while Internal Auditors can be removed by the company.

In relation to Controller auditor general (CAG) incase of government companies

The general auditing standards describe the qualifications of the auditor and the auditing institution so that they may carry out the tasks related to field and reporting standards in a competent and effective manner.

The general auditing standards include standards, which apply both to the auditors and to the audit institutions, and standards, which apply to audit institutions. The standards common to auditors and audit institutions are:

· (a) The auditor and the audit institutions must be independent.

· (b) The auditor and the audit institutions must possess the required competence.

· (c) The auditor and the audit institutions must exercise due care and concern in complying with these auditing standards. This embraces due care in planning, specifying, gathering and evaluating evidence, and in reporting findings, conclusions and recommendations.

1 The general auditing standards for the audit institutions are that they should adopt policies and procedures to

· (a) Recruit personnel with suitable qualifications.

· (b) Develop and train employees to enable them to perform their tasks effectively, and to define the basis for the advancement of auditors and other staff.

· (c) Prepare manuals and other written guidance notes and instructions concerning the conduct of audits.

· (d) Support the skills and experience available within the audit institutions, and identify the skills which are absent; provide a good distribution of skills to auditing tasks and assign a sufficient number of persons for the audit; and have proper planning and supervision to achieve its goals at the required level of due care and concern.

· (e) Review the efficiency and effectiveness of internal standards and procedures.

2. Independence

2.1 The general standards for the auditor and the audit institutions include independence from the legislature, independence from the executive, and independence from the audited entity.

2.2 Whatever the form of government, the need for independence and objectivity in audit is vital. An adequate degree of independence from both the legislature and the executive branch of government are essential to the conduct of audit and to the credibility of its results.

2.3 The legislature is one of the main users of audit services. It is from the Constitution that SAI derives his mandate, and a frequent feature of the audit function is its reporting to the legislature. The SAI works closely with the legislature, including with committees empowered by the legislature to consider audit reports.

2.4 The SAI may give members of the legislature factual briefings on audit reports, but it is important that the SAI maintains his independence from political influence, in order to preserve an impartial approach to its audit responsibilities. This implies that the SAI not be responsive, nor give the appearance of being responsive, to the wishes of particular political interests.

2.5 While the SAI must observe the laws enacted by the legislature, adequate independence requires that it not otherwise be subject to direction by the legislature in the programming, planning and conduct of audits. The SAI needs freedom to set priorities and program its work in accordance with his mandate and adopt methodologies appropriate to the audits to be undertaken.

2.6 It is essential that the legislature provide the SAI with sufficient resources, for which the SAI is accountable, as well as for the effective exercise of his mandate. While the expenditure of SAI's office is charged to the Consolidated Fund, the expenditure on the other offices of the Indian Audit and Accounts Department is subject to the vote of the central legislature.

2.7 The executive branch of government and the SAI may have some common interests in the promotion of public accountability. But the essential relationship with the executive is that of an external auditor. As such the SAI's reports assist the executive by drawing attention to deficiencies in administration and recommending improvements. Care should be taken to avoid participation in the executive's functions of the kind that would militate against the SAI's independence and objectivity in the discharge of his mandate.

2.8 It is important for the independence of the SAI that there be no power of direction by the executive in relation to the SAI's performance of his mandate. The SAI is not be obliged to carry out, modify or refrain from carrying out, an audit or suppress or modify audit findings, conclusions and recommendations.

2.9 A degree of co-operation between the SAI and the executive is desirable in some areas. The SAI should be ready to advise the executive in such matters as accounting standards and policies and the form of financial statements. The SAI must ensure that in giving such advice it avoids any explicit or implied commitment that would impair the independent exercise of his audit mandate.

2.10 Maintenance of the SAI's independence does not preclude requests to the SAI by the executive proposing matters for audit. But if it is to enjoy adequate independence, the SAI must be able to decline any such request. It is fundamental to the concept of SAI independence that decisions as to the audit tasks comprising the program should rest finally with the SAI.

2.11 A sensitive area in relationships between the SAI and the executive concerns provision of resources to the SAI. In varying degrees, reflecting constitutional and institutional differences, arrangements for the SAI's resource provision may be related to the executive branch of government's financial situation and general expenditure policies. As against that, effective promotion of public accountability requires that the SAI be provided with sufficient resources to enable it to discharge its responsibilities in a reasonable manner.

2.12 Any imposition of resource or other restrictions by the executive, which would constrain the SAI's exercise of its mandate, would be an appropriate matter for report by the SAI to the legislature.

2.13 The legal mandate provided in the Comptroller and Auditor General's (Duties, Powers and Conditions of Service) Act, 1971 provides for full and free access for the CAG and his auditors to all premises and records relevant to audited entities and their operations and provides adequate powers to the CAG to obtain relevant information from persons or entities possessing it.

2.14 By legal provision and accepted convention, the executive permits access by the SAI to sensitive information, which is necessary and relevant to the discharge of the SAI's responsibilities.

2.15 In order that the SAI not only exercise his functions independently of the executive but also be seen to do so, it is important that his mandate and his independent status be well understood in the community. The SAI should, as appropriate opportunities arise, undertake an educational role in that regard.

2.16 The SAI's functional independence need not preclude arrangements with executive entities in regard to the SAI's administration in matters such as industrial relations, personnel management, property management or common purchasing of equipment and stores, though executive entities should not be in a position to take decisions that would jeopardise the SAI's independence in discharging his mandate.

2.17 The SAI must remain independent from audited entities. The audit department under the SAI should, however, seek to create among audited entities an understanding of its role and function, with a view to maintaining amicable relationships with them. Good relationships can help the SAI to obtain information freely and frankly and to conduct discussions in an atmosphere of mutual respect and understanding. In this spirit, the SAI, while retaining his independence, can agree to be associated with reforms which are planned by the Administration in areas such as public accounts or financial legislation or agree to be consulted about the preparation of draft laws or rules affecting his competence or his authority. In these cases it is not, however, a matter of the SAI interfering in administrative management but a matter of co-operating with certain administrative services by giving them technical assistance or by putting SAI's financial management experience at their disposition.

2.18 In contrast to private sector audit, where the auditor's agreed task is specified in an engagement letter, the audited entity is not in a client relationship with the SAI. The SAI has to discharge his mandate freely and impartially, taking management views into consideration in forming audit opinions, conclusions and recommendations, but owing no responsibility to the management of the audited entity for the scope or nature of the audits undertaken.

2.19 The SAI should not participate in the management or operations of an audited entity. Audit personnel should not become members of management committees and, if audit advice is to be given, it should be conveyed as audit advice or recommendation and acknowledged clearly as such.

2.20 Any SAI personnel having close affiliations with the management of an audited entity, such as social, kinship or other relationship conducive to a lessening of objectivity should not be assigned to audit that entity.

2.21 Personnel of the SAI should not become involved in instructing personnel of an audited entity as to their duties. In those instances where the SAI decides to establish a resident office at the audited entity with the purpose of facilitating the ongoing review of its operations, programs and activities, SAI personnel should not engage in any decision making or approval process which is considered the auditee's management responsibility.

2.22 The SAI may co-operate with academic institutions and enter formal relationships with professional bodies, provided the relationships do not inhibit its independence and objectivity, in order to avail of the advice of experienced members of the profession at large.

3. Competence

3.1 The auditor and the SAI must possess the required competence.

3.2 The following paragraphs explain competence as an auditing standard:

3.2.1 The mandate of a SAI generally imposes a duty of forming and reporting audit opinions, conclusions and recommendations.

3.2.2 Discussions within the Audit Department promote the objectivity and authority of opinions and decisions.

3.2.3 Since the duties and responsibilities thus borne by the SAI are crucial to the concept of public accountability, the SAI must apply to his audits, methodologies and practices of the highest quality. It is incumbent upon it to formulate procedures to secure effective exercise of its responsibilities for audit reports, unimpaired by less than full adherence by personnel or external experts to its standards, planning procedures, methodologies and supervision.

3.2.4 The audit department needs to command the range of skills and experience necessary for effective discharge of the audit mandate. Whatever the nature of the audits to be undertaken under that mandate, persons whose education and experience is commensurate with the nature, scope and complexities of the audit task should carry out the audit work. The audit department should equip itself with the full range of up-to-date audit methodologies, including systems-based techniques, analytical review methods, statistical sampling, and audit of automated information systems.

3.2.5 Since the nature of audit mandate is wide and discretionary and leaves the SAI discretion in the frequency of audits to be carried out and the nature of reports to be provided, there is a high standard of management expected within the audit department.

4. Due Care

4.1 The general standards for the auditor and the SAI include due care in specifying, gathering and evaluating evidence, and in reporting findings, conclusions and recommendations.

4.2 The following paragraphs explain due care as an auditing standard:

4.2.1 The SAI must be, and be seen to be, objective in its audit of entities and public enterprises. It should be fair in its evaluations and in its reporting the outcome of audits.

4.2.2 Performance and exercise of technical skill should be of a quality appropriate to the complexities of a particular audit. Auditors need to be alert for situations, control weaknesses, inadequacies in record keeping, errors and unusual transactions or results, which could be indicative of fraud, improper, or unlawful expenditure unauthorised operations, waste, inefficiency or lack of probity.

4.2.3 Where an authorised or recognised entity sets standards or guidelines for accounting and reporting by public enterprises, the SAI may use such guidelines in the course of his examination. The Accounting Standards and Standard Audit Practices issued by the Institute of Chartered Accountants of India (ICAI) should be kept in view by SAI while carrying out the audit of companies registered under the Companies Act 1956.

4.2.4 If the SAI employs external experts as consultants he must exercise due care to assure him of the consultants' competence and aptitude for the particular tasks involved. This standard applies also where outside auditors are engaged on contract with the SAI. In addition care must be taken to ensure that audit contracts include adequate provision for the SAI to determine the planning, the audit scope, the performing, and the reporting on the audit.

4.2.5 Should the SAI, in the performance of his functions, need to seek advice from specialists external to the SAI, the standards for exercise of due care in such arrangements have a bearing also on the maintenance of quality of performance. Obtaining advice from an external expert does not relieve the audit department of responsibility for the opinions formed or conclusions reached on the audit task.

4.2.6 When the audit department uses the work of another auditor(s), it must apply adequate procedures to provide assurance that the other auditor(s) has exercised due care and complied with relevant auditing standards, and may review the work of the other auditor(s) to satisfy itself as to the quality of that work.

4.2.7 Information about an audited entity acquired in the course of the auditor's work must not be used for purposes outside the scope of an audit and the formation of an opinion or in reporting in accordance with the auditor's responsibilities. It is essential that the audit department maintain confidentiality regarding audit matters and information arising from its audit task. However, the SAI should report offences against the law to proper prosecuting authorities.

5. Quality Assurance Review

5.1 SAI should have an appropriate quality assurance system in place.

5.2 The following paragraphs explain quality assurance reviews as an auditing standard:

5.2.1 Because of the importance of ensuring a high standard of work by the audit department, it should pay particular attention to quality assurance programs in order to improve audit performance and results. The benefits to be derived from such programs make it essential for appropriate resources to be available for this purpose. It is important that the use of these resources be matched against the benefits to be obtained.

5.2.2 The SAI should establish systems and procedures to:

· Confirm that internal quality assurance processes have operated satisfactorily;

· Ensure the quality of the audit report; and

· Secure improvements and avoid repetition of weaknesses.

5.2.3 As a further means of ensuring quality of performance, additional to the review of audit activity by personnel having line responsibility for the audits concerned, it is desirable for the audit departments to establish their own quality assurance arrangements. That is, planning, conduct and reporting in relation to a sample of audits may be reviewed in depth by suitably qualified SAI personnel not involved in those audits, in consultation with the relevant audit line management regarding the outcome of the internal quality assurance arrangements and periodic reporting to the SAI's top management.

5.2.4 It is appropriate for audit institutions to institute their own internal audit function with a wide charter to assist the audit department to achieve effective management of its own operations and sustain the quality of its performance.

5.2.5 The quality of the work done by the audit department can be enhanced by strengthening internal review and by the independent appraisal of its work.

6. Other General Standards for Audit Institutions

6.1 The SAI should adopt policies and procedures to recruit personnel with suitable qualifications and train them professionally.

6.1.1 SAI personnel should possess suitable qualifications and be equipped with appropriate training and experience. The SAI should establish, and regularly review, minimum training requirements for the appointment of auditors at each level within the organisation.

6.2 The SAI should adopt policies and procedures to develop and train SAI employees to enable them to perform their task effectively and to define the basis for the advancement of auditors and other staff.

6.2.1 The following paragraphs explain training and development as an auditing standard:

6.2.2 The SAI should take adequate steps to provide for continuing professional development of its personnel, including, as appropriate, provision of in-house training and encouragement of attendance at external courses.

6.2.3 The SAI should identify professional development needs of its personnel.

6.2.4 The SAI should establish and regularly review criteria, including educational requirements, for the advancement of auditors and other staff of the SAI.

6.2.5 The SAI should also establish and maintain policies and procedures for the professional development of audit staff regarding the audit techniques and methodologies applicable to the range of audits it undertakes.

6.2.6 SAI personnel should have a good understanding of the government environment, including such aspects as the role of the legislature, the legal and institutional arrangements governing the operations of the executive and the charters of public enterprises. Likewise, trained audit staff must possess an adequate knowledge of the SAI's auditing standards, policies, procedures and practices.

6.2.7 Audit of financial systems, accounting records and financial statements requires training in accounting and related disciplines as well as a knowledge of applicable legislation and executive orders affecting the accountability of the audited entity. Further, the conduct of performance audits may require, in addition to the above, training in such areas as administration, management, economics and the social sciences.

6.2.8 The SAI should encourage his personnel to become members of a professional body relevant to their work and to participate in that body's activities.

6.3 The SAI should adopt policies and procedures to prepare manuals and other written guidance and instructions concerning the conduct of audits.

6.3.1 The following paragraph explains written guidance as an auditing standard:

6.3.2 Communication to staff of the SAI by means of circulars containing guidance, and the maintenance of an up-to-date audit manual setting out the SAI's policies, standards and practices, is important in maintaining the quality of audits.

6.4 The SAI should adopt policies and procedures to support the skills and experience available within the SAI and identify those skills which are absent; provide a good distribution of skills to auditing tasks and a sufficient number of persons for the audit; and have proper planning and supervision to achieve its goals at the required level of due care and concern.

6.4.1 The following paragraphs explain the use of skills as an auditing standard:

6.4.2 Resources required for undertaking each audit need to be assessed so that suitably skilled staff may be assigned to the work and a control placed on staff resources to be applied to the audit.

6.4.3 The extent to which academic attainments should be related specifically to the audit task varies with the type of auditing undertaken. It is not necessary that each auditor possess competence in all aspects of the audit mandate. However, policies and procedures governing the assignment of personnel to audit tasks should aim at deploying personnel who have the auditing skills required by the nature of the audit task so that the team involved on a particular audit collectively possesses the necessary skills and expertise.

6.4.4 It should be open to the SAI to acquire specialised skills from external sources if the successful carrying out of an audit so requires in order that the audit findings, conclusions and recommendations are perceptive and soundly based and reflect an adequate understanding of the subject area of the audit. It is for the audit institution to judge, in its particular circumstances, to what extent its requirements are best met by in-house expertise as against employment of outside experts.

6.4.5 Policies and procedures governing supervision of audits are important factors in the performance of the SAI's role at an appropriate level of competence. The SAI should ensure that audits are planned and supervised by auditors who are competent, knowledgeable in the SAI's standards and methodologies, and equipped with an understanding of the specialties and peculiarities of the environment.

6.4.6 Where the SAI's mandate includes the audit of financial statements which cover the executive branch of government as a whole, the audit teams deployed should be equipped to undertake a coordinated evaluation of departmental accounting systems, as well as of central agency co-ordination arrangements and control mechanisms. Teams will require knowledge of the relevant governmental accounting and control systems, and an adequate expertise in the auditing techniques applied by the SAI to this type of audit.

6.4.7 Unless the SAI is equipped to undertake, within a reasonable time-scale, all relevant audits, including performance audits covering the whole of every audited entity's operations, criteria are needed for determining the range of audit activities which, within the audit period or cycle, will give the maximum practicable assurance regarding performance of public accountability obligations by each audited entity.

6.4.8 In determining the allocation of its resources among different audit activities, the SAI must give priority to any audit tasks, which must, by law, be completed within a specified time frame. Careful attention must be given to strategic planning so as to identify an appropriate order of priority for discretionary audits to be undertaken.

6.4.9 Assignment of priorities compatible with maintaining the quality of performance across the mandate involves exercise of the SAI's judgement in the light of available information. Maintenance of a portfolio of data pertaining to the structure, functions and operations of audited entities will assist/the SAI in identifying areas of materiality and vulnerability and areas holding potential for improvements in administration.

6.4.10 Before each audit is undertaken designated personnel within the SAI should give proper authorisation for its commencement. This authorisation should include a clear statement of the objectives of the audit, its scope and focus, resources to be applied to the audit in terms of skills and quantum, arrangements for reviews of progress at appropriate points, and the dates by which fieldwork is to be completed and a report on the audit is to be provided.

6.5 Standards with ethical significance:

These standards apply to individual auditors, head of the SAI, executive officers and all individuals working for and on behalf of the SAI. The SAI has the responsibility to ensure that all its auditors acquaint themselves with the values and principles contained in the Conduct Rules for government servants in India and they act accordingly. The following audit standards have ethical significance:

· The auditor and the SAI should be independent and should avoid conflicts of interest with the audited entity on matters that may impair their independence materially.

· The auditor and the SAI must possess the required competence.

· The auditor must exercise due care and concern in complying with the auditing standards.

· The auditor should at all times maintain absolute integrity and devotion to duty.

· Auditors should not disclose information obtained in the auditing process to third parties, either orally or in writing.