ACCA P1 Examiner's Article: INTERNAL AUDIT

 

Internal audit - the control of controls - can feature as a key part of the corporate governance framework of an organisation, and can be viewed as a high level control in response to risk or by considering the detailed work required of internal audit

Thinking about the internal audit (IA) function as the control of controls is useful for making sense of the way in which the topic appears in Paper P1. IA features in the Paper P1 Study Guide in the section on internal control and review – specifically internal control, audit and compliance in corporate governance – but you will find it mentioned in almost all the chapters of a Paper P1 study text.

Think about how the topic of control arises when Paper P1 covers the board of directors. It is best practice that ‘the board should maintain sound risk management and internal control systems’ and ‘should establish formal and transparent arrangements for considering how they should apply the corporate reporting and risk management and internal control principles’ (UK Corporate Governance Code). The detailed provisions of the code then specify that there should be an audit committee that ‘review[s] the company’s internal control and risk management systems’ and ‘should monitor and review the effectiveness of the internal audit activities’. It goes on to say that ‘where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board, and the reasons for the absence of such a function should be explained in the relevant section of the annual report’. 


TABLE 1: THE TURNBULL CRITERIA TO ASSESS THE NEED FOR INTERNAL AUDIT

Scale, diversity and complexity of the company’s operations

Number of employees

Cost-benefit considerations

Changes in organisational structure

Changes in key risks

Problems with internal control systems

Increased number of unexplained or unacceptable events 

REPORTING TO THE AUDIT COMMITTEE

Let’s return to the idea that the internal audit department is carrying out the delegated work of the audit committee. This is a fruitful area to explore because it explains some of the characteristics of effective (and ineffective) IA. The audit committee is made up of independent non-executive directors (NEDs). This isn’t the place to explore the concept of independence in detail, but independence is central to an effective IA department. The work of IA becomes meaningless if it is compromised by management influence. Achieving independence is difficult, and made more so because internal auditors are usually employees of the company. 

The audit committee is one of the vital parts of the committee structure of sound corporate governance. Its role in overseeing IA is important because it is the audit committee that ensures that the IA function actually supports the strategic objectives of the company (and doesn’t act purely on its own initiative). In addition, though, it is likely that the audit committee – at the strategic level – will not only provide the IA function with the authority it needs to scrutinise the internal controls, but also ensure that its work is actually supporting and providing for the compliance needs of the company. It is part of ensuring the hierarchical congruence or consistency necessary in sound governance and strategic management.

Members of the IA function may encounter ethical threats (such as familiarity, self-review, independence threats, and so on). An accountant working as an internal auditor, for example, may be unwilling to criticise the CFO if he believes the CFO has an influence on his future prospects with the company. Someone coming into IA from an operational position could also be exposed to a self-review threat. Even where external contractors are used to carry out the IA function, they are acting on behalf of management. To avoid this, and other ethical threats, internal audit work is one of the jobs expressly forbidden to external auditors under the terms of the Sarbanes–Oxley Act in the US, indicating just how valuable a characteristic independence is for all auditors (other codes have similar provisions).

There are some inherent limitations in what an IA department can achieve. Although corporate scandals sometimes arise from failings in operational level controls, there are also examples where the problem is a failure of strategic level controls, either arising from management override of controls (as at Enron) or through poor strategic level decisions (as at some of the banks that required state support in the 2008 banking crisis). Even in companies where excellent procedures are put in place to assess operational level controls, it is hard to imagine how IA can fully monitor strategic controls. It would be very hard to design a corporate governance structure in which even the most independent IA department had a mechanism to do much more than check that procedures have been followed at board level. The board ultimately has to be responsible for the proper working of strategic level controls. This is also illustrative of the way IA fits into overall corporate governance. The corporate governance big picture has to be addressed if IA is going to be effective. A domineering CEO cannot be countered by the existence of an IA department. Indeed, interference in the work of internal audit would indicate broader corporate governance problems.

DAY-TO-DAY INTERNAL AUDIT

In Paper F8 you will have studied the types of work carried out by internal auditors: 

Value for money audits

Information technology audits

Best value audits

Financial audits

Operational audits

One of the key differences between internal and external audit is that the scope of internal audit work in an unregulated industry is determined by the company (specifically by the audit committee) while the scope of the external auditors’ work is determined by the fact that they are undertaking a statutory audit, a legal requirement. IA will mean something different in each organisation. In one company, the ‘internal audit’ department might only carry out quality control checks, while in another it is a sophisticated team of specialists with different expertise that reflects the risks faced by that organisation, including the regulatory requirements placed upon it.

Whether the IA department is carrying out a review of the process of designing systems, or a review of the operation of controls within those systems, will depend on the current concerns of the organisation. In an exam it would be wise to tailor the suggestions made for IA to the concerns hinted at in the scenario. For example, in a highly regulated business where compliance failures are a significant risk, monitoring compliance might be a key task assigned to IA. If safeguarding assets is a key concern you could discuss how IA might be involved in a review of the safeguarding of assets. You may have noted that the last two suggestions both relate to the Turnbull statements about a sound system of internal controls. Any of those could be related to the work of internal audit – for example, IA might need to review the implementation of corporate objectives. 

Paper P1 also covers issues of sustainability, environmental and social responsibility. IA is a resource that could be deployed to monitor how effective a company’s corporate social responsibility (CSR) policies are. This could mean monitoring how well the policies have been implemented or it could mean IA monitoring how well CSR policies and wider corporate objectives are aligned with each other. Schemes like the European Union’s Eco-Management and Audit Scheme (EMAS) provide an example of an instance where specific monitoring of targets (by IA) is an externally imposed requirement on a company. ISO 14000, another environmental standard, also explicitly requires internal audits and reports to management.

To sum up, internal audit is the control of controls. It can feature in Paper P1 as a key part of the corporate governance framework of an organisation, and it can be viewed through the lens of risk management as a high level control in response to risk or by considering the detailed work required of IA. Finally, as a key component of the control system, it is important to maintain the integrity of internal audit and, from this perspective, issues of professional ethics and characteristics such as independence come into play.
