Document Sample
internal Powered By Docstoc
					Internal Audit
 Recent events including global financial crises have emphasised need for
    internal auditing within corporate governance structures

 Internal audit function is now mandatory by most stock exchanges
 Donors increasingly demand improved accountability & financial
    transparency in development projects

 IFAD procedures do not specifically require internal audit, however, IFAD
    Operational Procedures for Project Audits (for use by IFAD & CIs) require
    that “as part of the assessment of the borrower’s capacity to implement and
    manage the project effectively, the appraisal mission will evaluate any
    internal audit (IA) mechanism for the project/ PMU”

   Furthermore, internal audit is considered good practice & advisable as
    part of underlying control framework & financial management capacity of a
    project, particularly if complex &/ or decentralised


 “Internal   auditing is an   independent,         objective
 assurance and consulting activity designed to add
 value and improve an organization's operations.              It
 helps an organisation accomplish its objectives by
 bringing a systematic,   disciplined approach               to
 evaluate and improve the effectiveness of risk
 management, control, and governance processes. ”
                              The Institute of Internal Auditors

    IA – Code of Ethics
   Internal auditors are expected to apply & uphold the following principles:

                   The integrity of internal auditors establishes trust & so provides the
Integrity          basis for reliance on their judgment

                   Internal auditors exhibit the highest professional objectivity in
                   gathering, evaluating & communicating information. Internal auditors
                   make a balanced assessment of all relevant circumstances & are not
                   unduly influenced by their own interests or others in forming judgments

                   Internal auditors respect the value and ownership of information they
Confidentiality    receive & do not disclose information without appropriate authority
                   unless there is a legal or professional obligation to do so

Competency         Internal auditors apply knowledge, skills, & experience needed

    What is Internal Audit?
Internal Audit is a professional activity which helps organisations to achieve their
stated objectives by:
 Analyzing key processes, procedures & operations
 Identifying key controls in each such operation, procedure & process
 Evaluating the adequacy of these controls
 Testing compliance of sample transactions against these controls
 Reporting results of the evaluation of controls and compliance testing of
 Recommending stronger controls wherever necessary
 Suggesting methods to improve compliance with key controls
    Follow up of action taken on recommendations made in previous reports

  What are Internal Controls?

Internal Controls are important checks instituted by management to have
reasonable assurance that:

       Operations are carried out in an efficient & effective manner

             Transactions are recorded accurately & completely

                 Assets are properly recorded & safeguarded

                        Laws are complied with

                              Reliable reports are generated

Some examples of Internal Control

   ► Budgetary Control

   ►   Fixed Assets Register

   ► Bank & Special Account Reconciliations

   ► Reconciliation of Financial & Physical M & E Reports

    How are Internal Audit & External Audit different?

Internal audit is focused at internal management support and improving
     systems, procedures and processes

⇉    External audit (EA): normally statutory requirement, unlike internal audit (IA)

⇉    EA reports are addressed to stakeholders: IA reports are addressed to

⇉    EA reports express an opinion on the financial statements prepared by the
     entity for a specified period: IA reports evaluate and check compliance
     against key internal controls

⇉    EA reports are usually public documents which are available to all
     stakeholders. IA reports are for use only by Management
⇉    EA reports do not make recommendations, although may have a
     Management Letter: IA reports are incomplete without

⇉    EA is basically a review of financial statements for compliance: IA seeks to
     ensure value for money to Management
  Why should IFAD funded projects be subject to IA?

IFAD funded projects may be subject to Internal Audit because:

   External audit does not evaluate adequacy of internal controls.

   External audit checks overall compliance to internal controls related
      to financial transactions.

   Supervision Missions conduct only spot checks.

   Internal audit is inherent in government structures in most developing

   Sample IA Terms of Reference enclosed

   IA has a key role in Risk management of IFAD Projects
What are key concerns from a FM viewpoint?

►   Is the accounting system capable of recording financial transactions in a timely &
    accurate manner?
►   Is the accounting system capable of tracking project expenditure by category &
►   Is the accounting system capable of comparing actual expenditure to budget as
    per approved AWPB on a real time basis?
►   Are withdrawal applications prepared properly & do they contain ineligible
►   Are procurement transactions undertaken as per Schedule 4 &/or LTB of the
    financing agreement?
►   Are project assets properly recorded & safeguarded from misuse and abuse?
►   Are Special Account & Project Account operated & reconciled properly & timely?
►   Are proper audit arrangements in place?
►   Are audit reports properly followed up?
►   Does the project generate reliable & accurate financial statements & reports?
►   Are project funds flowing smoothly, timely & transparently to intended

Internal Audit (IA) Mandate
 Compliance & Advisory roles

What does it do?
   Primary role in improving internal control, accuracy, reliability &
    integrity of information including financial & operational reporting
   Monitoring & evaluation of effectiveness of risk management
   Role in corporate oversight, safeguarding of assets, economical
    & efficient use of resources, compliance with laws & regulations,
    deterring fraud

What does it not do?

  Perform management activities/ responsibilities (these include
    establishing internal controls)

Internal Control Myths and Facts
                MYTHS:                                       FACTS:

Internal control starts with a strong set    Internal control starts with a strong set
of policies and procedures                   of policies and procedures

                                             While internal auditors play a key role
Internal control: That’s why we have
                                             in the system of control, management
internal auditors!
                                             has responsibility for internal control

                                             Internal control is integral to every
Internal control is a finance thing
                                             aspect of business/operations

Internal controls are essentially            Internal control makes the right things
negative, like a list of “thou-shalt-nots”   happen the first time

Internal controls take time away from
                                             Internal controls should be built “into,”
our core activities of implementing
                                             not “onto” business processes
development objectives

Internal Control Practices
 Internal control is a process. It's a means to an end, not an end
  in itself

 Internal control is effected by people as a team, not by
  internal auditor. It's not merely policy manuals & forms, but
  people at every level of an organization

 Internal control can be expected to provide only reasonable
  assurance, not absolute assurance, to an entity's management
  and governing bodies/ committees

 Uses systematic methodology            for   analysing   business
  processes, procedures & activities

 The cost of IA should not exceed expected benefits to be

    Internal Control Structure
An internal control structure is simply a different way of viewing operations – a
perspective that focuses on doing the right things in the right way
                                                                • Reporting
• Monthly reviews of
                                                                • Corporate
  performance reports                 MONITORING                  communications
• Supervisory activities
                                                                  (e-mail, meetings)
                                    INFORMATION &
                                      INFORMATION AND
•   Purchasing limits                 COMMUNICATION
                                                            • Based on identification
•   Approvals/ segregations                                   & analysis of risks to
•   Security                       CONTROL ACTIVITIES
                                  CONTROLACTIVITIES           achievement of
•   Reconciliations                                           objectives
•   Proper operating &
                                  RISK ASSESSMENT
    accounting procedures
                                                            •    Corporate Policies
                                        CONTROL             •    Tone at the top, ethics
                                      ENVIRONMENT           •    Organisational authority
                                                            •    Skilled personnel
       In many cases, you perform controls and
     interact with the control structure every day,
           perhaps without even realising it
 Role in Risk Management

 Focus on risk of occurrences that could prevent the project from
   achieving its goals

 There are many types of risk – strategic, operational, financial
   reporting, legal/regulatory, fraud, ineffective/inefficient use of
   resources, technological, human capital, credibility, etc.

 Focus on areas with high risk & high probability that controls are
   not in place or are weak

 Don’t forget positive risks – opportunities!

   Add value by eliminating unnecessary controls, if
   underlying risks are minimal/within project’s risk
Role in Internal Control

1. Compliance audit: review of financial & operating controls &
   transactions for conformity with laws, regulations & procedures,
•   Access to IT system appropriate to user’s role
•   Segregation of duties in high risk areas
•   Balancing & reconciliation between systems
•   Systems back up & recovery
•   Physical safeguard & access restriction controls
•   Reconciliations, comparison budget of actual

2. Operational audit: review of various functions within project to
   evaluate efficiency, effectiveness, & economy

 IA Role in Corporate Oversight

 Four pillars – internal audit, executive management, external audit, &
      Board of directors/ steering committee

 Combination of processes & organisational structures implemented
      by management to inform, direct, manage and monitor the project’s
      resources, strategies & policies towards the achievement of its objectives

     Public sector governance Principles
    - transparency, integrity, accountability

 May include review of sufficiency of human resources,
      training needs, policies, etc.

Nature of Internal Audit Activity

   Establish scope & activities for audit to Management
   Describe key risks facing the business activities within scope of audit
   Identify control procedures used to ensure each key risk is properly
    controlled & monitored
   Develop & execute risk based sampling & testing approach to
    determine whether most important controls are operating as intended (NB:
    input from Management required – e.g. 100% sampling of WA review)
   Report issues/make recommendations/negotiate action plans with
    Management to address issues
   Follow up on reported findings periodically

 Contents of Audit Plan

 Updated annually

 Risk based audit plan developed with input from project
    staff including Management

   Summary of key goals, risks & corresponding major audits, to illustrate

 Based on risk assessment & available resources

   Appendix materials, such as planning approach, assumptions & brief
    descriptions of all planned audits & related prioritization

 Approved by management/ appropriate oversight Committee

Contents of Audit Report

 Observations

 Narration/ description

 Remedial action

 Consequences/ fall out

 Recommendation for improvement (prioritized between
    “high” and “normal”)

 Response (action plan) – who, when and how

IA’s Proactive Role

 Identify Risks
 Find Better Ways and Best Practices
 Partner With Management to Find Solutions
 Prevent Problems
 Provide training
 Respond to policy & technical accounting questions
 Offer suggestions for improvement
 Advisory role

Additional Resources

Why all this trouble?
 Additional comfort and “tightness” that the project is doing the right thing, the
  first time, communicating right information internally, to external auditors,
  donors, ministries, etc.
 More formal control structures reduce possibility that risks become real
 External Auditor may receive additional assurance to provide unqualified
  report on accounts
 Donor & government confidence increased, affecting financing flows

What are the next steps?
 Identify areas of high risk & opportunities
 Validation of process documentation & controls
 Communication, with PCs & project staff

Thank You

Shared By: