1. What are the pre-requisites for internal audit activity?
Internal audit is a management function which is undertaken to assure the management that agreed and documented policies are followed and that there are adequate controls in place to mitigate the risk of non-compliance with established standards or regulations, fraud and ineffective administration and unit performance. Internal auditors are expected to provide recommendations for improvement in those areas where opportunities or deficiencies are identified. While management is responsible for internal controls, the internal audit activity provides assurance to management and the audit committee that internal controls are effective and working as intended.
2. What is an indicative time frame for conducting an internal audit?
The time required to complete an internal audit activity depends upon the activities to be covered, the scope of the review and consideration of relevant systems, records and personnel access that may be involved. Typically, in a medium-sized operation, the internal audit process is completed within a few weeks.
3. Can internal auditor’s advice be sought on an area on which I need guidance to carry out the activity?
The fundamental purpose of internal audit is to ensure that internal controls and procedures adopted are adequate to mitigate risk. The internal auditor’s role is to provide guidance and recommendations to strengthen the ability of units to meet their operational and administrative goals, not just to report on the obvious or known problems. Seeking guidance early on is the most cost-effective way to utilize the resources.
4. What are internal controls and how is internal audit different from internal controls?
Internal control activities are the policies and procedures designed to ensure that management directives are carried out as planned. Controls are put into place by management to ensure that operations are efficient, financial reporting is adequate, assets are safeguarded, and procedures adopted comply with laws, rules, and regulations. Whilst internal controls are processes designed by management to meet the organizational objectives, internal audit is an independent activity carried out by a set of individuals to provide assurance to management that the design of internal controls is appropriate and that they are working effectively and consistently at all times.
5. How is an internal audit undertaken?
Best-in-class internal auditors adopt a risk-based approach to conduct internal audit. This approach ensures that only matters of utmost importance that pose a significant risk to the attainment of organisational objectives are considered for internal audit. An annual risk assessment is carried out and internal audits are prioritized and planned for execution. This helps utilise limited resources optimally.
6. What is the meaning of fraud and how is fraud detected?
Fraud is defined as the use of one’s position for personal enrichment through the deliberate misuse or misapplication of the organisation’s resources or assets. Fraud can be found using many methods. Most frauds are detected based on tips received from individuals. Fraud surveys have also highlighted that fraud is identified by accident and through internal audits. Generally, individuals report suspicious activities or “red flags”, which are pointers that could indicate fraud.
7. What is internal auditing’s role in preventing, detecting, and investigating fraud?
Management must be aware of “red flags” to monitor a situation and take any corrective action if needed. When something suspicious is identified, internal auditors can help determine its impact and evaluate the situation to assess the adequacy of internal controls which could not detect or prevent the fraud. If a review confirms a potential fraud, a formal investigation is often the next step. If the review finds a weakness or an error in the process, the auditor can take steps to correct the process and a procedure or follow-up recommendation can be implemented to prevent future occurrence.
8. How do internal and external auditors differ?
Although they are independent of the activities they audit, internal auditors are integral to the organization and provide ongoing monitoring and assessment of all activities. External auditors on the other hand are independent of the organization and provide an annual opinion on the financial statements. The work of the internal and external auditors should be coordinated for optimal effectiveness and efficiency.
9. I have a business with limited size operations. Do I need to consider internal audit in my business?
You may not need a full-fledged internal audit function. However, you must assess what are the key risks faced by your business and consider if there are adequate safeguards to prevent misuse of assets and resources and mitigate risk of fraud. This introspection will help you to decide whether you need to perform an internal audit to evaluate a particular business process which is key to your business. This assessment will help you to manage your business more efficiently.
10. Can I outsource the task of internal audit to an independent firm?
Outsourcing the internal audit task is certainly one of the options available when you decide to institute an internal audit department for your organisation. An outsourced internal audit function will help you to rein in the cost of setting up the department and provide you with access to a wide range of professionals who have the necessary skill sets and expertise to execute the function effectively. This ensures that you reap the benefits of skilled professionals from day one, with very limited supervision.
11. How often should I conduct internal audit?
Unless you have a regulatory requirement, there is no mandatory timeline of how often to conduct internal audit. It will to a large extent be dictated by the size of your organization, complexities and risks of the processes and results of previous audits conducted. At the least, internal audits should be carried out annually to provide comfort to management that internal control systems and processes are functioning smoothly. Also, if you have made significant changes to your systems, you should increase the audit frequency to assess the effectiveness of those changes.
12. Is it mandatory for me to have an internal audit activity?
The requirement for an internal audit function depends on the regulatory requirements that govern your organization. For example, if an entity is regulated by the Dubai Financial Services Authority, an internal audit function is mandatory. Although private companies in the UAE are not required to have internal auditing, many of them have established an internal audit activity as a core governance requirement. A well-functioning, adequately resourced internal audit activity that works with management is a key resource in identifying risks and recommending improvements to governance, risk management, internal controls, and operations of a business.
13. What is the difference between a policy and a procedures manual and how long does it take to prepare it?
A policy is a set of rules or guidelines for your organization and employees to follow in order to achieve a specific goal (i.e., compliance). An effective policy should outline what employees must do or not do, directions, limits, principles, and guidance for decision making. Procedures, on the other hand, explain the “how.” They provide step-by-step instructions for specific routine tasks. They may even include a checklist or process steps to follow. A typical policy and procedures manual covering major aspects of a medium-sized business can take around 8-12 weeks to prepare.
14. What are the components of risk assessment and how do I build a risk register?
The risk management process covers the identification of possible risk sources and categories of risk, assessment of the likelihood and impact of risk, evaluation of risk, setting of thresholds and metrics, an action plan to manage the risk, and continuous feedback to ensure that the measures taken are effective and risks are managed within the parameters set. All these segments would be documented as a risk manual. Typically, risk would be segmented across strategic, financial, operational and compliance areas, thereby ensuring that the risk identification process is comprehensive.
15. My internal audit is focused only on compliance checks to ensure documents are in order. A large portion of time goes in correcting errors. What is the best way to improve value of internal audit?
Risk-based internal audit will set apart things that need to be assessed closely. Internal audit should be proactive to stay ahead of the curve. To upgrade the scope of the function, you could consider doing a process review of key processes. A process review will improve and strengthen how tasks are being currently done, identify the gaps or weaknesses and provide measures to improve the internal control systems of the processes. In this way, you will gain significant value through the internal audit process.