Internal audit is one of the types of on-farm control of business entities. Internal audit is an independent activity of the enterprise aimed at checking and evaluating its activities in the interests of management.
The purpose of internal audit is to protect the interests of owners in the conservation and efficient use of enterprise resources, as well as obtaining reliable and complete information for making sound management decisions.
A special demand for internal audit has emerged in the last decade. Today, internal auditors provide their services to both public and private enterprises. The need for internal audit is due to a number of factors. The growth in the volume of enterprises' activities creates a problem of information exchange in a multi-level management apparatus, thus complicating the control of various levels of management by the central management, which increases the risk of errors and promotes abuse by staff. The presence of internal audit is relevant for owners who are not directly involved in the management of the representative office, but have transferred these functions to managers. Therefore, despite the professionalism of management, the issue of control over the activities of the enterprise becomes relevant, one of the main tools of which can be an internal audit.
The introduction of internal audit is especially advisable in large and medium-sized enterprises that have at least one of the following features:
Presence of branches or separate subdivisions;
Availability of various activities;
Possibility of cooperation;
The desire of top management to have objective and unbiased information about the activities of the enterprise
The subjects of internal audit are employees of internal audit departments, internal audit services that report only to the management of the enterprise
The objects of internal audit are determined by its goals and objectives. The main objects of internal audit are:
Maintenance status accounting at the enterprise;
Financial reporting and its reliability;
The state of the assets of the enterprise and the sources of their formation;
Security of the enterprise with its own working capital;
Security with own funds;
Solvency and financial stability;
Enterprise management system;
The work of economic and technical services;
Payment of taxes by the enterprise;
Reliability of design and estimate documentation;
Business processes;
The subject of internal audit is a set of information that is essential when making management decisions
Note that internal audit should in no case be taken as an alternative to external audit. The difference lies not only in the fact that the external audit is carried out by independent auditors or audit firms, and the internal audit is carried out by employees of the internal audit departments of the audited enterprise.
|
signs |
Internal audit |
External audit |
|
Check Scale |
Determined by control system |
Determined by the type of audit and regulatory documents governing its conduct |
|
Audit object |
Determined by management mainly - these are the assets and liabilities of the enterprise |
Determined by the status of the enterprise Dominated by audit financial reporting and balance sheet Business auditing is developing in some countries |
|
Qualification |
Defined in terms of governance structures Has a lower degree of independence and lower professional level of the internal auditor |
Determined by legislation m Has a high degree of independence and a high professional level of the auditor |
|
Methods used |
General methods that distinguish between the scope and accuracy of checks |
|
|
Determined by management |
Follows with legislation, as well as court decision, external needs |
|
|
Reporting |
Reporting to management |
Reporting to the customer |
Figure 31 . Comparative characteristics of external and internal audit
If we compare internal and external audit, it turns out that they differ not only in subjects (Fig. 31). So the external audit is independent, while the internal audit is controlled by the owner of the enterprise. Therefore, the users of information will be different. If the owners of the enterprise and managers are satisfied with the information provided by the internal audit service, external users (investors, creditors, government agencies, etc.) have confidence in the enterprise's reporting certified by an external conclusion, i.e. independent auditor.
In addition, external audit, unlike internal audit, is strictly regulated, based on the norms of international auditing standards and the current legislation of Ukraine. With regard to internal audit, recommendations for its conduct are set out in the standards of professional practice for internal audit developed. Based on the Institute of Internal Auditors. International Auditing Standards. And also the enterprise must be approved. Regulations on the service (department) of internal audit, which determines the tasks, functions of the right and duties and responsibilities of this structural unit.
External audit is carried out periodically, usually once a year, while internal audit is carried out continuously. Given this, internal audit uses methods of preliminary, current and subsequent control, while external audit uses only subsequent control. Also, internal and external audit differ in functions, the degree of openness of information, the volume and objects of verification, and responsibility, too.
It is clear that internal audit cannot replace external audit, but performs separate procedures that can be used for the needs of external audit. That is why these two types of audit should function in parallel, performing their functions and thus complementing each other.
Considering the above, internal audit should meet the following characteristics:
1) impartiality, that is, the auditor must make all conclusions and assessments objectively;
2) independence implies that the internal audit service reports only to the top management of the enterprise;
3) improving the activities of the enterprise, i.e. it must be clearly understood that the purpose of the internal audit service is not to identify errors and violations and subsequently punish the perpetrators, but, first of all, in the identified risks and weaknesses in the activities of the enterprise and provide recommendations to improve the efficiency of the functioning of this enterprise
4) the provision of guarantees is important for the owners of enterprises and can only be ensured as a result of the quality work of the internal audit service;
5) advisory nature provides for the possibility of managerial personnel to receive qualified assistance in solving certain problems related to the activities of the enterprise
So, the requirements for the professional level of internal auditors are growing. And although today in our country the provision of services of an internal auditor does not require him to have a special certificate of his qualification level,. The Institute of Internal Auditors (CIA), which cooperates with auditors in 60 countries, trains and certifies internal auditors. The implementation of certification of internal auditors at the global level is a confirmation of the popularity of the profession of internal auditor and recognition of its necessity and importance in modern conditions.
Internal audit is carried out at the preliminary stage of a commercial, technological or financial transaction, during its passage and after completion. It gives an expert scientifically based assessment of business operations and processes.
Internal audit is a systematic and strictly documented, continuous, universal (continuous) measure. Internal auditors work in the public and private sectors, they report to the company's top management, provide analysis, recommendations, advice and information about the activities of the company being audited.
Internal audit provides for preliminary control at the stage of consideration of primary documents, when approving contracts, orders, estimates, etc., that is, it can act as a preventive measure
Current control is carried out during the registration of business transactions and inventory
Subsequent control is carried out at the stage of generalization and analysis of accounting and reporting information
The main tasks of the internal audit system are:
Facilitate the implementation of the activities of the enterprise in an orderly and efficient manner;
Ensuring compliance with management policies;
Ensuring the safety of property;
Achievement of high-quality documentation of operations
Internal audit can be seen as an integral part of the overall management control system. It is carried out within the organization itself at the request and at the initiative of the management.
Internal audit - regulated internal activities organization created for the purpose of analyzing and evaluating the functioning of the company. Internal audit procedures allow you to determine the effectiveness of the company. In addition, this type of audit helps managers achieve their goals and improve the performance of their organization.
The purpose of internal audit is to help the managerial level solve certain tasks on a daily basis. At the same time, the difference between the external and internal types of audit is that the first controls the objectivity and correctness of the second. During the internal audit process, a consistent, systematic approach is applied regarding the analysis of effectiveness and improvement of the quality of management.
Internal audit is a help:
- in internal control
- in risk management
- in corporate governance
Internal auditors check management links, provide managers with the necessary reasoned proposals to help eliminate deficiencies in management. In addition, they give recommendations on improving the efficiency of company management. evaluates the functioning of the company from different angles, provides reasoned methods of improvement.
Today, a functional, cross-functional, organizational and technological audit of activities is used, as well as an audit for compliance with regulations. In each case, a comprehensive and complete survey, analysis of a specific structure, functions of the company or its type of activity is carried out.
Interest in this type of audit is due to several reasons. First of all, it is the need and desire of the company's managers to streamline business processes, which thereby allows significant savings. In addition, the board of directors or another supervisory body needs an internal audit as an objective and free informant. For a developing market, internal audit is especially relevant. Internal audits allow the owners of the organization to keep abreast of current affairs, while calmly transferring control to professionals.
Internal audit is a necessary tool for owners to control the activities of hired managers
The decision regarding the need for internal audit is made by the owners. Such checks are necessary not only for the owners of the organization, but also for management. The goal of managers is to manage business processes, achieving the required performance indicators with the least losses.
The success of this task depends significantly on the following factors:
- Does the manager have all the necessary information required to make the best management decisions?
- Is an effective system for monitoring the implementation of decisions made available?
Often, due to the rapid growth in the size of enterprises and the increase in the complexity of management processes, owner-managers can 100% believe that the business is under their control. However, they often do not have enough physical strength to control all processes in full.
Using the services of qualified specialists, consumers get the opportunity to more effectively analyze, control and manage the enterprise.
Internal audit services include:
- previous assessment of the internal control environment
- organization of the functioning of the audit service
- recommendations with an independent assessment of the work of the audit service
Drawing conclusions, it can be noted that internal audit is an integral part of the control system of any organization. It evaluates the overall performance of the system. This is a kind of feedback role that makes this system stable, allowing it to change based on certain circumstances. One of the best competitive advantages is internal audit.
The success of the company, the level of its profitability, the quality of its assets largely depend on the presence of a management system in the company. An important and necessary element of the management system is the day-to-day internal control. One form of such control is internal audit.
Documents regulating internal audit
Activities within the organization of special employees, aimed primarily at monitoring various aspects of the company's activities in order to provide further, based on the results of control, complete and reliable information to management bodies ( general meeting participants, the board of directors, the executive body), and is the essence of the internal audit activity.
There are no documents strictly regulating the audit at the enterprise. However, it is necessary to focus on the following prescriptive documents. First of all, the activities of internal auditors, the order of work, goals and objectives are described in international standards internal auditors, as well as in national standards audit activity. In addition, it is necessary to focus on the Federal Law of December 30, 2008 No. 307-FZ “On Auditing Activities”. The peculiarity of this procedure is that the procedure for its organization, verification processes, methodology should be determined by the regulations of the organization itself. It is the internal regulation that will determine the specific objectives of the audit for a particular company. Personal intra-company standards for internal auditing can be detailed and differ greatly from the rules of generally accepted standards, but should not contradict them.
Principles of internal audit
The main principles of internal audit include:
- consistency;
- objectivity;
- independence;
- open and complete documentation;
- courtesy.
Let's take a closer look at these principles. Consistency involves the organization and conduct of internal audit in a comprehensive and systematic manner throughout the company. The principle of objectivity means that the requirements of internal audit are the same and apply to all departments of the organization without exception. The principle of independence of the internal auditor means, first of all, the exclusion of a conflict of interest when he makes a decision regarding the conclusions within the framework of his activities. The Internal Auditor is an independent position. The principle of independence is closely related to the principle of objectivity. Only an independent internal auditor can draw objective conclusions about the state of affairs within the company. The openness of internal audit implies that the information received by the auditor during the audit is not hidden from the management bodies and is fully provided to them for analysis and management decisions. Documentation means that each revealed fact of violation or remark must be supported by documents. Well, the principle of precaution means that the auditor must offer ways and methods to eliminate identified violations.
Advantages and disadvantages of internal audit
The advantages of internal audit can clearly be attributed to:
- the possibility of conducting an audit of all internal control systems of the organization in a continuous mode;
- the possibility of a deeper and more detailed immersion of the auditor into the problems and essence of the audited areas, since he works within the organization and knows all the weaknesses and strengths.
Disadvantages of internal audit include:
- the principle of independence of the internal auditor can always be called into question, since in any case he is an employee of the company;
- a one-time external audit can be cheaper than the ongoing cost of hiring an internal auditor.
The internal audit of the company is capable of identifying shortcomings and assessing the overall performance of the company. The functions and types of internal audit may vary depending on the size of the company, its type of activity, but they are all aimed at one thing - reducing the risks of activities and increasing the efficiency of a particular organization.
One of the most effective tools to identify opportunities to improve business performance, and, therefore, one of the company's competitive advantages can be internal audit.
Until recently, internal audit in the company in many cases played a role<золушки>, which performs difficult and not always clean work and which, by and large, no one likes. But gradually this attitude miraculously changed. Today, internal audit is in vogue - many managers and owners would like to implement it in their companies, often not fully realizing how huge its potential is. Meanwhile, internal audit is faced with increasingly ambitious tasks, the requirements for it are increasing and, accordingly, the burden on internal auditors is growing. In some cases, internal audit is beginning to be treated as a lifesaver that can fix everything.
What is internal audit and how can it be useful for a company? To answer these questions is the purpose of this article.
Why internal audit has attracted attention
Internal audit is not a new concept, but it attracted special attention only at the beginning of the third millennium. The growing interest in internal audit in the world is due, in our opinion, to a number of factors.
Firstly, internal audit is one of the few currently available and at the same time underestimated resources, the proper use of which can improve the efficiency of the company. Secondly, a series of high-profile corporate scandals that swept across the United States and Western Europe gave reason to believe that the institution of external audit can cause serious failures, as a result of which even the largest firms suffer bankruptcy. Thirdly, the presence in the company of good corporate governance, one of the integral parts of which is internal audit, is a positive signal for potential investors and creditors, increasing investment attractiveness companies.
In Russian conditions, a number of others are added to the above factors. First of all, this is the desire of owners and management to streamline the structure and organization of business processes, which can lead to significant savings for the company. In addition, the presence of internal audit becomes very relevant for owner-managers who are moving away from the direct conduct of business in the company, transferring the reins of government into the hands of professional managers. Finally, plans to enter the international capital markets in the short or medium term dictate the need for companies to create internal audit services. In particular, the rules of the largest stock exchanges provide for the presence of an internal audit in the company as required condition making valuable papers companies in the stock exchange quotation lists.
The concept of internal audit
Here is the definition given to internal audit by the International Institute of Internal Auditors:<Внутренний аудит есть деятельность по предоставлению независимых и объективных гарантий и консультаций, направленных на совершенствование деятельности организации. Внутренний аудит помогает организации достичь поставленных целей, используя систематизированный и последовательный подход к оценке и повышению эффективности процессов управления рисками, контроля и корпоративного управления>. Let us briefly dwell on the main characteristics of internal audit:
1. Independence and objectivity. Independence - in this case, the concept of organizational, which is largely determined by the level of subordination of the internal audit service in the company. Objectivity refers to the individual quality of an internal auditor - impartiality in assessments and conclusions.
2. Improving the activities of the organization. The purpose of internal audit, as follows from the definition, is to improve the performance of the organization. We emphasize: not to identify violations and errors for subsequent organizational conclusions and punish the perpetrators, not to write a report of several tens of pages with hundreds of recommendations that are difficult to implement, but to see and assess the risks, weaknesses in the organization's work and give recommendations aimed at improving the efficiency of systems and processes.
3. Provision of guarantees1 and advice. The essence of the activity of internal audit is to provide guarantees (English assurance) and consultations (English consulting) to customers (clients) of internal audit. At the same time, the sphere of providing guarantees and consultations has significantly expanded in recent years and today includes the following areas: risk management, internal control, corporate governance.
The provision of guarantees in this case is an objective analysis of audit evidence in order to implement independent evaluation and expressing an opinion on the reliability and efficiency of systems, processes, operations. The main difference between consulting and providing guarantees is that in the first case, the nature and scope of the auditor's work are determined by the client.
The differences between guaranteeing and consulting are summarized in the table.
For the owners, represented by the board of directors, the activity of internal audit to provide guarantees is more important. From the point of view of line management, the greatest value of internal audit lies in the opportunity to receive advice on improving the efficiency of business processes for which line management is responsible. Senior management is interested in both internal audit assisting line management in the performance of its functions, and in helping to control the activities of line management.
Today there is intense discussion about what should be the balance between the time that internal audit spends on assurance activities and on advisory activities. Some members of the profession argue for<абсолютную чистоту>, assuming that the main value of internal audit is precisely in providing objective guarantees and therefore consultations should take a minimum of time in the schedule of the auditors. After all, the more internal audit is engaged in consulting work, the greater (in general) the potential threat to the objectivity of internal audit: projects and areas where the internal auditor participated as a consultant today are subject to review by the internal auditor tomorrow. Proponents of another point of view argue that internal audit can be most useful for a company precisely at the stage of changing and / or implementing systems / procedures, since for the company the potential benefits from such involvement of internal auditors as consultants still exceed the risk of reducing the objectivity of the results of the work of internal auditors in future. Moreover, there are many ways to offset the negative impact on the objectivity of internal auditors.
Since the main task of internal audit, in our opinion, is to provide objective guarantees (which arise as a result of those same audits, although<проверка>- not the best word in the vocabulary of an internal auditor), one should be extremely careful in increasing the relative share of consulting work in order to avoid a negative impact on the subsequent objectivity of internal audit.
The practice of different companies in this regard is very different. In foreign companies, until recently, there has been a growing trend in the importance of the internal auditor as a consultant. At the moment, we can talk about an approximate ratio of 80/20, when 80% of the time allocated for audit assignments falls on assurance activities and 20% on consulting work2. However, after high-profile corporate scandals of recent times, there is a growing conviction that the value of internal audit for a company lies precisely in providing objective guarantees.
The role of internal audit in a company
To what extent do business owners and managers need internal audit?
The decision on whether an internal audit is necessary in a company is made by the owners and the top executive management of the company. This decision is determined by many factors, which primarily include the separation of the function of owning and managing a business; size and structural branching of the company; the level of risks inherent in the company's activities.
In cases where the owners of the business are the managers of the company and have full control over all aspects of the business themselves, there may not be a need for an internal audit function. However, as the size of the company grows and the complexity of management processes increases, the owner-managers may develop an illusion of control, when it seems that the business is not changing much and all aspects of the company's activities are under control, but in fact the management no longer has the physical ability to control the situation. in its entirety. That's when internal audit will be very useful.
It should be noted that in Europe and the United States, the combination of the functions of owning and managing a business is typical for small and, to some extent, medium-sized businesses. In large and many medium-sized companies, there is a division of these functions (this objective trend is beginning to be traced in Russian organizations), when the owners are engaged in determining the strategy and directions for the development of the company, without delving into the daily details of doing business, and hire professional managers to manage the company. But no matter how professional the management is, the issue of control over the state of affairs in the company becomes relevant for the owners (<доверяй, но проверяй>). In this case, internal audit can become one of the effective control tools.
Internal audit is necessary not only for the owners, but also for the management of the company. The task of managers is to manage the business, achieving the set goals in the most effective way. The success of this task depends largely on two factors: 1) whether the manager has the information necessary to make the right management decisions; 2) whether there is an effective system for monitoring the implementation of decisions made.
Managers, for whom business management is part of their daily work, are not always able to objectively assess the situation. Even if the manager believes that he effectively controls all processes, he usually does not have the time and specific skills to collect and structure relevant information. Internal audit, in essence, has information on all aspects of the company's activities and tools for generalizing and analyzing data, so close interaction with internal audit increases the efficiency of decision-making by management. It is the internal audit that is an objective source of information that helps the manager in a new way,<не замыленным глазом>look at things and evaluate the quality of the implementation of management decisions.
But the question arises: do the owners and management of the company need internal audit, or are the functions traditionally performed in Russian companies by internal control services (ICS) and control and audit departments (CRU) more useful? (Note that in the modern practice of Western companies, internal audit services are most widely used; ICS are much less common, and analogues of KRU are not at all common.)
How many control bodies it is necessary to have in the company and which ones, determines the needs of owners and management. A significant role in decision-making is played by the state of the control environment in the company and, more broadly, the level of development of corporate culture. If the internal control and risk management systems are not built or work inefficiently, the field of activity for internal audit is very much narrowed, since its task is to evaluate the effectiveness of these systems. In this case, the primary tasks of the company's management are the design and implementation of a control system - this is traditionally done by internal control services in Russian companies.
Since building an internal control system is a laborious and lengthy process, at a certain stage (until an effective control system is built) there is an objective need for a separate division in the company - the control and audit department. In this case, the CRU will focus on identifying errors and abuses, acting as a corporate police officer<в чистом виде>. But it should be remembered that the audit activity is inherently aimed at the retrospective, that is, at the events that have already occurred and their consequences. Internal audit is focused on the future, i.e., on the analysis of future events that may adversely affect the activities of individual departments and / or the company as a whole. In other words, the audit evaluates the consequences of already materialized risks, while internal audit evaluates the opportunity and suggests ways to reduce the risks and/or negative effects of their impact. The presence of an audit department in the company does not in any way mean the uselessness of internal audit - everything is determined by the stage of its development the company is at and in which direction it will move in terms of internal corporate culture.
It should also be noted that the decision on the need for internal audit should not be determined by the presence of an external auditor in the company, since external and internal audits perform different functions.
First, an external audit is traditionally concerned with verifying the integrity of a company's financial statements and focuses on transactions and events that could have a material impact on a company's financial statements. Internal audit is aimed primarily at assessing existing systems control and management of company risks and focuses on operations and events that prevent the company from effectively achieving its goals.
Secondly, external audit as part of the provision of audit services does not assess the economic feasibility of management decisions and the efficiency of the company's divisions, which is usually one of the tasks of an internal audit.
Thirdly, external audit serves primarily the interests of external stakeholders - potential investors, creditors, etc., while internal audit primarily serves the interests of the company's boards of directors and managers.
We emphasize that an effective internal audit can reduce the company's costs for external audit, but cannot eliminate the need for external audit for the company. It is also important to consider that it is not recommended to use the services of an external auditor of the company for internal audits, since such a combination may lead to a conflict of interest of the external auditor. In the legislation of some countries, such a combination is prohibited (for example, the Sarbanes-Oxley Act in the USA).
Thus, the presence of an effective internal audit becomes critical for the successful development of a company in a rapidly changing external environment, increasing the complexity of management processes, separating the functions of ownership and business management. How useful internal audit will be for the company in this case depends to a large extent on what tasks will be assigned to it.
What tasks does internal audit solve
Modern internal audit is able and must perform diverse and large-scale tasks. First, it evaluates the internal control system in terms of the reliability of information, compliance with the law, the safety of assets, the efficiency and effectiveness of the activities of individual operating and structural divisions. Secondly, it analyzes and evaluates the effectiveness of the risk management system and suggests methods for reducing risks. Thirdly, it evaluates the compliance of the company's corporate governance system with the principles of corporate governance.
One of the most important activities of internal audit is the audit of information systems (information technology).
Internal audit can do a lot, but is not a universal solution to all company problems. For example, internal audit:
In many cases, executive management is inclined to consider internal audit as a resource that solves managerial tasks in building a control system. This cannot but raise concerns about the objectivity of internal audit, since in this case, internal auditors will actually have to evaluate what they themselves develop and implement. We emphasize once again that building an internal control system is not included in the task of internal audit, being a direct task of management. Internal audit can provide consulting support during the development of systems/procedures and thus bring invaluable benefits to the company, but should not be responsible for the establishment and maintenance of the control system.
Today, internal audit is being transformed into a risk assessment tool, there is a shift in emphasis from assessing individual operations to assessing risks in the activities of the organization as a whole. What tasks does internal audit solve in the field of risk management?
First, internal auditors during various types of audits provide audit recommendations to prevent risk or reduce it to an acceptable level. Secondly, internal auditors evaluate the reliability and effectiveness of the risk management system. Thirdly, internal auditors, subject to certain conditions, can help management in the development and implementation of a company's risk management system. However, here, as in the case of the internal control system, it should be borne in mind that risk analysis and management is the task of the company's management, in the solution of which internal audit assists management.
Conclusion
Summing up, we note that today there are favorable conditions for internal audit to demonstrate its wide capabilities and prove its necessity to both owners and management of companies. And the owners and management of companies may have a powerful tool to improve business efficiency.
Keywords:
1 -1
What are the advantages of companies using internal audit services?
Today's business environment requires the most efficient use of the resources available to the company. One of the most effective tools for identifying opportunities to improve efficiency and, therefore, one of the company's competitive advantages can be internal audit.
Modern internal audit is able and must perform diverse and large-scale tasks. Internal audit evaluates the internal control system in terms of the reliability of information, compliance with legislation, safety of assets, efficiency and effectiveness of individual functions and divisions. Internal audit analyzes and evaluates the effectiveness of the risk management system and suggests risk mitigation methods. Internal audit assesses the compliance of the company's corporate governance system with the principles of corporate governance.
In conditions of rapid changes in the competitive environment, growth in the size of companies, and increasing complexity of management processes, the company's management does not physically have the opportunity to obtain and evaluate the information necessary to make the right management decisions. Internal audit is an objective source of information, thereby helping the company's management in achieving goals and performing tasks in the most efficient way.
The presence of an internal audit is a positive signal for potential investors and creditors and increases the investment attractiveness of the company.
collapse
Why does the management of the company need an internal audit if the management itself controls all processes?
The task of managers is to manage the business, achieving the set goals in the most effective way. The success of this task depends largely on two factors: 1) whether the manager has the information necessary to make the right management decisions; 2) whether there is an effective system for monitoring the implementation of decisions made.
Managers themselves, for whom business management is part of their daily work, are not always able to objectively assess the situation. Even if the manager believes that he effectively controls all processes, he usually does not have the time and specific skills to collect and structure relevant information. Internal audit, in essence, has information on all aspects of the company's activities and tools for generalizing and analyzing data, so close interaction with internal audit increases the efficiency of decision-making by management. It is the internal audit that is the objective source of information that helps the manager to take a fresh look at things and assess the quality of the implementation of managerial decisions.
collapse
Why do owners and management of a company need an internal audit if the company has an external auditor?
It should be noted that the decision on the need for internal audit should not be determined by whether the company has an external auditor, since external and internal audits perform different functions. First, an external audit is traditionally concerned with verifying the integrity of a company's financial statements and focuses on transactions and events that could have a material effect on a company's financial statements. Internal audit is aimed primarily at assessing the company's existing control and risk management systems and focuses on operations and events that prevent the company from effectively achieving its goals. (Note, however, that recent changes in the legislation of some countries, primarily the United States, make assessing the reliability of the system of control over the financial and accounting reporting of companies a task as significant for external audit as the actual confirmation of the reliability of reporting.) Secondly, external audit serves, first of all, the interests of external stakeholders - potential investors, creditors, etc., while internal audit serves, first of all, the interests of boards of directors (audit committees) and company managers. Thirdly, an external audit, as part of the provision of audit services, does not assess the economic feasibility of management decisions and the efficiency of the company's divisions, which is usually one of the tasks of an internal audit.
Comparative characteristics of internal and external audits are presented in the table.
External audit Internal audit
| Target | Expressing an Opinion on the Reliability of the Company's Financial Statements | Improving the efficiency of the company |
|
Users (customers) |
External: potential investors, creditors, etc. Internal: owners |
Internal: board of directors (audit committee), management at all levels |
| Audit object | Financial and accounting statements of the company | Systems of internal control, risk management, corporate governance |
| Specificity | Focuses on transactions and events that could have a material effect on the company's financial statements Does not consider issues of economic feasibility of management decisions |
Focuses on events that prevent the company from effectively achieving its goals Gives an assessment of the economic feasibility of management decisions |
We emphasize that an effective internal audit can reduce the company's costs for external audit (if the external auditor will be able to rely on the results of the work of internal audit, which will reduce the volume audit procedures performed by an external auditor), but cannot eliminate the need for an external audit for a company. Also, it is important to consider that it is not recommended to use the services of an external auditor of the company for internal audits, since such a combination may lead to a conflict of interest of the external auditor. In the legislation of some countries, such a combination is prohibited (for example, the Sarbanes-Oxley Act in the USA).
collapse
What can and should not be expected from internal audit?
Internal audit can do a lot, but is not a universal solution to all company problems. For example: 1) internal audit cannot eliminate or identify all cases of human error or abuse, but can minimize their likelihood and increase the likelihood of their early detection through system/procedure audits; 2) internal audit cannot audit every business process every year, but can optimize the selection of audited business processes based on a systematic approach to risk assessment; 3) internal audit should not develop procedures for divisions / departments of the company, as this negatively affects the independence of internal audit, but can analyze the procedures developed by other divisions / departments for their effectiveness within the internal control system of the enterprise.
collapse
Does the need for an internal audit function depend on the size of the company?
The need for an internal audit function is determined by the owners and / or management of the company, as well as regulatory authorities (for financial and credit organizations and for professional participants stock market). Where the owners/management have full control over all aspects of the business, there may not be a need for an internal audit function. In general, the larger the company, the more in demand will be the function of an independent and objective assessment of the state of control, which is internal audit.
collapse
How to determine the optimal size of the internal audit service?
In general, the size of the internal audit service depends on the tasks assigned to internal audit, and, importantly, on the maturity of the enterprise's control environment and on the degree of exposure of the enterprise to various kinds of risks. The number of service is determined based on the number of departments and business processes available in the company, and the time spent on auditing each of them. In turn, time costs are calculated based on several factors, including the complexity and breadth of the audit program and the qualifications of internal auditors. Unfortunately, in many cases, the size of the internal audit service is determined by the size of the allocated budget, while the budgeting of the service does not take into account the fundamental factors listed above.
collapse
What is internal control?
Internal control is a mechanism by which the owners, board of directors, executive management of the company receive a reasonable degree of confidence that the company will achieve its goals in the most effective way. The purpose of internal control is to ensure timely identification and analysis of risks, reliability of financial and management information, safety of assets, compliance with legislation and internal policies and procedures, implementation of financial and business plans, effective use resources. Financial control, including control over the completeness and reliability of accounting records and financial statements, is an important element of internal control.
collapse
What is compliance control?
Compliance control - verification of compliance with the law, the requirements of regulatory and supervisory authorities, as well as internal documents of the organization that determine internal politics, rules, procedures, the purpose of which is to assess the quality and compliance of the established systems for ensuring compliance with the requirements of legislation and other legal acts and internal documents, as well as to develop proposals for improving these systems.
collapse
Who is responsible for the company's internal control system?
Responsibility for the state of internal control in the company lies with the board of directors, which determines general policy with regard to internal control. The Board of Directors annually conducts its own analysis and assessment of the reliability and effectiveness of the internal control system, which may be based on data from reports on the state of internal control regularly received from the company's executive management, internal and external audit reports, own observations of the Board of Directors, information from other sources. This assessment should cover all aspects of internal control, including financial control, operational control, compliance control and risk management system.
The executive management of the company is responsible to the board of directors for the establishment and operation of an effective system of internal control. Based on the internal control policy approved by the Board of Directors, the company's management develops and implements procedures and control systems and ensures the effective functioning of the internal control system. The company's management contributes to the creation of an effective control environment in the company. The company's management promptly informs the board of directors of all significant risks facing the company and significant shortcomings of the internal control system, as well as plans and results of measures to eliminate them.
collapse
What is the difference between the functions performed by the audit department and the internal audit service?
The difference is determined by the tasks that management sets for these units. In general, control and audit departments (KRU) focus on checking the safety of inventory items, the efficiency of resource use, the implementation of orders from higher authorities, as well as the investigation of fraud. Internal audit is designed to perform broader tasks of assessing the processes of internal control, risk management, and corporate governance. However, depending on the level of development of the corporate culture (including the control environment), the internal audit function may prioritize the tasks that are usually assigned to the KRU. For example, if a company does not have an effective internal control system, then internal audit will be less concerned with assessing the internal control system and more with the preservation of company assets and detecting fraud. In this case, as the internal control system is built, the need for internal audit as a function of an independent assessment of the effectiveness of control will increase over time.
collapse
What is the difference between an internal audit service and an internal control service?
The difference is determined by the tasks that management sets for these units. In general, the task of the internal control service may be to build a company's internal control system (more precisely, to actively assist management in building the system), and the task of internal audit is to assess the reliability and effectiveness of this system.
collapse
Is one of the tasks of internal audit the development and implementation of internal control systems/procedures in the company?
Building an internal control system is not an internal audit task. This is a direct and immediate task of management. Internal audit may provide advisory support during the development of systems/procedures. But the decision of what and how to build is taken by the management. I would like to note that in most cases, top executives tend to consider internal audit as a resource that solves management tasks for building a control system. This cannot but raise concerns about the objectivity of internal audit, since in this case, internal auditors will actually have to evaluate what they themselves have developed and implemented.
collapse
Is it necessary to create a separate internal audit service to carry out the function of internal audit in the company?
The internal audit function can be implemented in several ways, and in order to enjoy the benefits that an effective internal audit brings to a company, it is not necessary to create a separate service/department. The function of internal audit can be successfully performed by an external consultant or a specialized company. (Except in cases where the presence of an internal audit service in a company is required by law. For example, according to the relevant provisions of the Central Bank of the Russian Federation, the internal audit service in Russian financial and credit organizations must operate on a permanent basis and consist of employees included in the organization’s staff.) it is important to avoid conflicts of interest. For example, it is not recommended that the internal audit function be performed by an external auditor of the company.
There are three main approaches to building an internal audit function:
- creation of an internal audit service - the company has the necessary capabilities (including temporary s mi) to implement the function of internal audit within the company itself,
- outsourcing - the performance of the internal audit function is completely transferred to a specialized company (external consultant),
- co-sourcing - an internal audit service is created within the company; experts of a specialized company (external consultant) with relevant knowledge and experience are also involved in the performance of audit assignments.
Each of the options has its own advantages. The option of creating an internal audit service in a company has the following advantages:
- employees of the company are familiar with the internal organization of the company and industry specifics of the business,
- when audit assignments are performed by company employees, the acquired skills and experience remain within the company,
- the company's management can use internal audit as a "platform" for professional growth and career development of future management personnel.
Potential benefits of using outsourcing and co-sourcing include:
- the opportunity to use the services of experts in various fields,
- access to highly professional audit staff,
- flexibility in the use / attraction of audit resources (for example, when introducing a new system or the need to conduct an unscheduled audit, it will not be necessary to expand the IAS staff or divert IAS resources from other projects),
- access to advanced technologies and methods for conducting internal audits.
Outsourcing and co-sourcing opportunities are used by both small companies that do not have sufficient financial resources to create their own internal audit service, and large companies that have an internal audit service on their staff. The latter, as a rule, need such services to conduct an audit of a specific area (for example, such as Information Technology or capital construction) or during peak periods of workload on internal internal auditors.
collapse
Can the company use the services of its external auditor to also conduct internal audits?
It is not recommended to use the services of an external auditor for internal audits as well, since such a combination may lead to a conflict of interest of the external auditor. In the legislation of some countries, such a combination is expressly prohibited.
collapse
What is the role of internal audit in risk management?
First, internal auditors, in the course of performing various types of audit engagements, assist the organization in identifying and assessing risks and provide recommendations to effectively control these risks.
Second, internal auditors assist management in developing and implementing the organization's risk management system. (However, here, as in the case of the internal control system, it should be borne in mind that risk management is the task of management.) Within this area, internal audit can:
- initiate the creation of a risk management system,
- train management in the concepts of organizational risk management,
- participate in guided risk identification workshops.
Third, in many companies, internal auditors play a key role in ensuring the continued operation of the risk management process by objectively monitoring its application and effectiveness.
Speaking about risk management, it should be borne in mind that there are a number of tasks for which internal audit should not be responsible. Such tasks include, for example:
- building a risk management system,
- determination of the risk appetite of the organization (which is acceptable for the organization as a whole in terms of risks),
- development of strategies / decision-making in the field of risk management.
collapse
What documents should regulate the activities of the internal audit service in the company?
In general, it is necessary to develop and approve the "Regulations on the Internal Audit Service", job descriptions employees of the internal audit service, "Manual of the internal audit service". The Regulation defines the mission, goals and objectives, responsibility and powers of the IAS. The manual covers the issues of organizing the work of internal audit and issues of interaction with other functions of the company, and also contains standard forms and methods for conducting audits and other audit tasks.
collapse
To whom should the head of internal audit report?
The objectivity of internal audit is largely determined by the subordination of the function. A common best practice is for the head of internal audit to report functionally to the audit committee of the board of directors (the board of directors in the absence of an audit committee) and administratively to the CEO of the company. In case of impossibility of subordination to the board of directors (audit committee), functional subordination to the general director is recommended. If the company does not have a board of directors or similar body, the internal audit function should be subordinated both functionally and administratively to the top executive of the organization.
Note, however, that the issue of subordination of the head of the internal audit service as a way to ensure the independence of internal audit is one of the most controversial in the practice of both Russian and foreign internal auditors. To the question “to whom should internal audit report in order to be as effective as possible?” there is no universal answer.
The answer is determined by a combination of many factors, among which we highlight the professionalism of the board of directors and the competence of management, the nature of the relationship and the degree of interaction between the board of directors and the executive bodies of the company, the level of development of the corporate culture in the company.
It is also important what tasks the internal audit solves in the company. If its main task is to carry out control and audit activities, then it seems logical to be subordinate to the top executive management of the company, since in this case the internal audit service is an instrument of control over management activities by top executive management.
If internal audit is viewed as a component of the corporate governance system that allows the board of directors (audit committee) to effectively perform its duties, it seems justified to subordinate the internal audit service to the board of directors (audit committee). In this situation, the board of directors (audit committee) contributes to ensuring the maximum degree of independence of the internal audit service from the company's management. For its part, the internal audit service (along with the external auditor) allows the board of directors to maintain a sufficient degree of independence from management in obtaining information about the company's activities. It is obvious that these issues are interrelated, since the role of an objective source of information for the board of directors (audit committee) can be performed by internal audit only if it is maximally independent from the executive management (including issues of appointment, remuneration, evaluation of the work of the head and employees of the internal audit service and etc.).
collapse
What is an "audit committee"?
In order to control the reliability and completeness of financial statements, the reliability and efficiency of the internal control system, the independence of internal and external audit, the board of directors forms an audit committee (audit committee) from members of the board of directors. The role, goals and objectives, powers of the audit committee should be reflected in the Regulations on the audit committee, which is approved by the board of directors of the company.
It is recommended that the head of the company's internal audit function report functionally to the audit committee. The Audit Committee: a) approves Regulations on the Internal Audit Service and ensures the independence of the internal audit function from the executive management of the company; b) makes a decision on the appointment (termination of powers) of the head of the IAS, as well as on the amount of his/her remuneration; c) approves the annual activity plan, structure and budget of the IAS; d) analyzes periodic reports of internal audit; e) holds at least once every six months meetings with the head of the internal audit service without the participation of representatives of the company's management. If an audit committee is not formed within the board of directors, the board of directors performs the functions of an audit committee.
collapse
Can internal audit really be independent?
It should be taken into account that the independence of internal audit is not important in itself, but as a primary prerequisite for objectivity, since the level of organizational independence of the internal audit department has a direct impact on the objectivity of internal auditors. International Standards for the Professional Practice of Internal Auditing defines internal auditor independence as “freedom from circumstances that threaten objectivity or are perceived to threaten objectivity”. Independence is achieved through the appropriate organizational status of the internal audit department. The head of internal audit should report to a person at the appropriate level in the company who can ensure the independence of the auditors (including access to any information) and take adequate measures to implement audit recommendations.
The achievement of internal audit independence is most facilitated by the following conditions: the head of the internal audit service is functionally subordinate to the board of directors (audit committee); decisions on appointment (termination of powers), level wages, bonus payments, etc. accepted/approved by the board of directors (audit committee); the board of directors (audit committee) does not allow interference from the executive management in the activities of internal audit. But this is true only for the case when the board of directors (audit committee) includes directors who conscientiously fulfill their duties and are aware of their responsibility in ensuring proper working conditions for the internal audit service.
collapse
Can an internal auditor be objective without being independent?
An internal auditor can be objective without being formally independent, since objectivity is a personal quality of an internal auditor. However, there is a risk that, without being independent, the auditor may not be able to make objective judgments due to the possibility of adverse personal consequences.
collapse
How to act as an internal auditor in difficult situations affecting the ethical principles of internal audit?
There are no universal recommendations. In general, it is recommended to act according to the situation, taking into account the provisions of the Internal Auditor's Code of Ethics. Also, in the event of such a situation, it is necessary to immediately communicate the information to the appropriate person in the organization (up to the CEO and / or chairman of the board of directors).
collapse
What qualities and skills should an internal auditor have?
The most important qualities of an internal auditor are professional skepticism and independent thinking, which means that the internal auditor does not take various statements for granted, but tries to find confirmation for them, independently gets to the bottom of things and finds answers to questions, listens to his inner voice. An internal auditor should also possess the following qualities and skills, most of which develop over time:
- objectivity,
- the ability to be extremely accurate and accurate in assessments and statements,
- the ability to “listen” and “hear” the auditees and perceive their point of view (even if this point of view differs from the opinion of the auditor),
- the ability to approach the relationship with auditees exclusively from working positions (without projecting personal aspects of the relationship),
- good analytical skills (the auditor, as a rule, is not required to make instant decisions, but the audit involves a large amount of routine analytical work),
- the ability to clearly express thoughts and defend their point of view.
collapse
What knowledge should an internal auditor have?
First of all, the internal auditor must know the principles of management, as well as have basic knowledge in such disciplines as accounting, the financial analysis, law, information technology. An internal auditor conducts audits in various functional areas - supply, production, logistics, marketing, sales, etc. It is impossible to be a specialist in all these areas, and it is not mandatory for an internal auditor. It is desirable that the internal auditor be an expert in two or three separate areas, but at the same time have the necessary knowledge to perform at the proper professional level an audit in any of the areas.
collapse
Is accounting knowledge a requirement for an internal auditor?
Accounting knowledge is highly desirable but not required. However, the internal auditor must have at least a basic knowledge of accounting. To a lesser extent, this applies to internal auditors who specialize in certain areas of internal audit, such as, for example, audit of information systems or social audit.
collapse
What criteria should be used when evaluating the effectiveness of a company's internal audit service?
The task of determining the effectiveness of internal audit is not trivial, because: a) the result is not always quantifiable; b) efficiency depends not only on the auditors themselves, but, to a large extent, on the subsequent actions of the customers (clients) of the audit; c) the subjectivity of assessments plays a role.
To analyze the effectiveness, a set of qualitative and quantitative indicators should be used that allow you to determine the quality of internal audits, the productivity and effectiveness of internal auditors. Each company determines for itself the criteria for the effectiveness of IAS activities. The composition and target values of the indicators are established by the head of the IAS in agreement with the management. At the same time, the main customers (the board of directors and top executive management) could evaluate the activities of the IAS according to three to five indicators. The head of the IAS could evaluate the activities of the service being headed by a larger number of indicators. Indicators of internal audit performance may include, for example:
- implementation of the approved audit plan,
- the number of audits carried out in accordance with the budget,
- the number of critical audit recommendations,
- percentage of completed audit recommendations,
- direct economic effect from the implementation of audit recommendations,
- the number/frequency of requests to the internal audit service from customers (clients),
- satisfaction of customers (clients) of the audit.
Along with the procedure for periodic evaluation of the effectiveness of the internal audit service, there should be a program to improve the quality of its work, part of which will be a procedure for monitoring and evaluating the quality of work of each IAS employee.
collapse
What legislation governs internal audit?
How to start building an internal audit service?
The formation of the internal audit service should begin with the selection of a candidate for the head of the service. This figure should be of the appropriate scale, because the head of the internal audit service will have to earn the trust and respect of both the board of directors and the executive management of the company. The second step should be to determine the expectations of customers and develop the goals and objectives of the IAS. The third step is to develop an internal audit model, conduct a risk assessment and develop a strategic work plan. The fourth step is the development of the structure of the IAS and the budget of the IAS. And, finally, the fifth step is the formation of IAS (recruitment and training).
