An efficient internal audit report aims to highlight areas requiring management attention. It helps to highlight the areas of weakness/deficiencies in the internal control system and the current business aspects like operational, financial, and other as-in processes.
It’s important to note that the internal audit function may be outsourced/in-house depending on the business needs and management discretion. However, the management of the business remains primarily responsible to ensure the implementation of strong internal controls.
Based on the risk and control assessment, the audit function usually presents a periodic report that might be monthly, quarterly, and yearly depending on the management’s discretion and needs. Further, the internal audit report contains different components, and we’ve discussed five main components in this article.
Objectives of the internal audit function
The internal audit report contains objectives at the start of the report. These objectives provide a clear set of actions to be taken in a certain direction. Some of the objectives related to the internal audit function include the following.
1) An enhanced system of accounting/financial reporting
The internal audit function closely analyzes the system of accounting and financial reporting. It aims to identify the gaps and weaknesses in the financial reporting processes and improve the overall reliability of the processes.
It includes analysis of small details like checking details on the vouchers, reconciling and inspecting documents, analyzing integration, and increasing the overall efficiency of the financial reporting processes.
2) Protection of business assets
One of the essential objectives of the internal audit function is to protect assets under ownership of the business. It’s more focused on the verification and valuation of the assets, including transactions like purchase, sale of the assets, revaluation, authorization, and approval for purchase/sale.
3) Detection of misstatement and fraud
Active monitoring of the business operations helps fill the gaps/deficiencies in the internal controls and resist against conduction of fraud. In other words, employees/management is less likely to conduct fraud if there is active monitoring of the business operations.
4) Efficient risk management
The business world is dynamic and exposed to several environmental factors. So, exposure of the business risks in terms of currency, interest rate, business, and other factors needs to be monitored. If the business is exposed to significant environmental risks, it can be hazardous for the business if not monitored properly.
Similarly, the internal operations of the business might be risky that require continuous monitoring. For instance, pharmaceutical sectors needs to ensure compliance with internal quality testing mechanisms.
Scope of the internal audit report
The scope of the audit report is defined to communicate expectations and authorization of the internal audit function. Usually, the scope of the audit report is set around the following risks/activities.
- Identification, assessment, and reporting for the risk of material misstatement.
- Ensuring compliance with the applicable provisions of the regulations.
- Ensuring compliance with the internally developed standard operating procedures.
- Conduction of efficient operations leading to cost minimization and profit maximization.
- Increasing reliability of the management information system.
- Improving effectiveness and efficiency of the overall business processes.
- Ensuring accuracy, completeness, and reliability of the accounting-related function.
Risk identification/deficiencies in the internal audit activity
The main purpose of the internal audit function is to provide effective risk management policies and procedures. The function observes as in processes and obtains complete understanding. Based on their business understanding, they identify risks in different functional areas of the business, including but not limited to the followings risk and related factors.
|Areas of audit performance||Revenue, receivables, and receipt||Purchase, payable, and payments||Operating fixed assets||Human resources and payroll||Treasury and fund management|
|Specific risk areas||-Sales|
|-Receipt of supplies and services. |
-Accounts payable management
|-Ownership of the asset |
-Existence, and completeness of assets.
-Acquisition and disposal
-Maintenance of asset register
-Accuracy of accumulated depreciation
-Integration with General Ledger
-Calculations of disposal
|-Process of employee addition/resignation |
-Payroll and employee management
-Training and development
– Performance measurement
|-Working capital management |
-Interest rate and exchange rate exposure of balance
-Bank reconciliation process
|Assessment basis||-Order book/Sales order |
|-Purchase order |
-Goods received a note
|-Fixed asset register||-Personnel files |
-List of employees
-Un presented cheques
– Un credited cheques
Given aspects of the risk assessment is not exhaustive and things can be further explored based on the account balances in the financial statement. Further, based on the nature and impact of the risk, preventative controls are assigned that help to prevent the occurrence of the misstatement.
In addition to this, some risk areas are not limited to account balance but overall organization/entity as given below.
|Areas of risk identification||Financial reporting process||Management information system and related internal reporting||Information technology||Regulatory compliance|
|Applicable areas of financial statement||Complete set of financial statement||Not directly related||-Process automation – Operational integration||-Complete set of financial statements and business operations|
|Basis of risk assessment||-GAAP/IFRS compliance in terms of presentation and accounting treatment. -Internal policy compliance -Board approval -Accounting policies -Applicable ordinance||Standard operating procedures||– Data security – Back up – Disaster recovery – IT-related controls||– Applicable regulation, including oversight body.|
|Related functional area of the risk||All financial transactions and account balances||-Finance -Operations||Complete business processes||-Compliance|
Further, the process of risk identification can be more effectively conducted via the performance of the walkthroughs on the in-process accounting and operational controls.
Management comments refer to the response of the management on the observation reported in the internal audit report. It helps to understand their point of view on specific observation and their plans to control the mentioned risk.
The audit report is distributed to senior management with the final comments of management to ensure they have an enhanced understanding of the audit.
Following these guidelines can help to enhance the quality of the management comments/responses.
- Discuss all the observations with the auditor to clearly understand their point of view before forming a final opinion.
- Mention the specific set of actions with a timeline to ensure control of the risk.
- Write a clear, concise, and to the point response.
- It’s good to mention specific positions responsible for the implementation of the corrective actions.
These are the actions recommended by the auditor to reduce the impact of current observations. So, it’s an auditor’s responsibility to clearly describe the actions necessary to control the risk and avoid any potential losses. However, the recommendation must be logical, and potential benefits should exceed the cost of implementing corrective actions.
A good internal audit report aims to enhance business profitability via risk management. An efficient internal audit function contains five main components: objectives of the audit function, scope of the internal audit function, identification of risk/deficiencies in the internal controls, and recommendation from the auditor to improve on observation.
Frequently asked questions
What areas do stakeholders like to see in the internal audit report of the business?
The following three are the main areas stakeholders like to see in the internal audit report.
|Observations regarding process improvement||Identification of the risks related to fraud/mismanagement||Risk of the compliance|
|Revenue, expenses, payments, collection, cash management.|
Discounts, complaint handling, the process of inspection, credit limit purchase processes.
Bank and cash management process benchmarking. Financial reporting closing processes.
|Misstatements in a journal entry.Delays in the updates of the accounting system.|
Significant deficiencies in the controls signaling management fraud.Unusual transactions in the accounting system.Unusual delays in the business processes.
|Events of non-compliance.Self-assessment Compliance check with internal policies and standard operating procedures.|
What are the best practices to ensure the independence of the internal audit function?
Following are some of the best practices to ensure the independence of the internal audit function.
- Internal audit function should report to an audit committee in the absence of the business management.
- The audit committee should approve the audit plan.
- Internal audit function should have access to business books and accounting records to inspect and documents and observe the processes.
- The appropriate budget should be allocated to the function for ensuring the adequacy of the audit resources.
What are the objectives of the internal audit function?
Following are some of the objectives of the internal audit function.
- Improvement in the business operational functions.
- Protection of the business assets from the risk of fraud and mismanagement.
- Installation of internal controls to detect frauds.
- The increased reliance on business-related accounting records and documents.
- Compliance with the financial reporting and the closing of accounts.
Who is responsible for ensuring efficient internal control on financial and operational business aspects?
Management of the business/board of Directors are responsible for ensuring an efficient internal control system.