An efficient internal audit report aims to highlight areas requiring management attention. It helps to highlight the areas of weakness/deficiencies in the internal control system and the current business aspects like operational, financial, and other as-in processes.
It’s important to note that the internal audit function may be outsourced/in-house depending on the business needs and management discretion.
However, business management remains primarily responsible for ensuring the implementation of strong internal controls.
Based on the risk and control assessment, the audit function usually presents a periodic report that might be monthly, quarterly, or yearly depending on the management’s discretion and needs.
Further, the internal audit report contains different components, and we’ve discussed five main components in this article.
Objectives of the internal audit function
The internal audit report contains objectives at the start of the report. These objectives provide a clear set of actions to be taken in a certain direction.
Some of the objectives related to the internal audit function include the following.
1) An enhanced system of accounting/financial reporting
The internal audit function closely analyzes the system of accounting and financial reporting. It aims to identify the gaps and weaknesses in the financial reporting processes and improve the overall reliability of the processes.
It includes analysis of small details like checking details on the vouchers, reconciling and inspecting documents, analyzing integration, and increasing the overall efficiency of the financial reporting processes.
2) Protection of business assets
One of the essential objectives of the internal audit function is to protect assets under the ownership of the business.
It’s more focused on the verification and valuation of the assets, including transactions like purchase, sale of the assets, revaluation, authorization, and approval for purchase/sale.
3) Detection of misstatement and fraud
Active monitoring of the business operations helps fill the gaps/deficiencies in the internal controls and resist against conduction of fraud.
In other words, employees/management is less likely to conduct fraud if there is active monitoring of the business operations.
4) Efficient risk management
The business world is dynamic and exposed to several environmental factors. So, exposure of business risks in terms of currency, interest rate, business, and other factors needs to be monitored.
If the business is exposed to significant environmental risks, it can be hazardous if not monitored properly.
Similarly, the business’s internal operations might be risky and require continuous monitoring. For instance, pharmaceutical sectors must ensure compliance with internal quality testing mechanisms.
Scope of the Internal Audit Report
The scope of the audit report is defined to communicate expectations and authorization of the internal audit function.
Usually, the scope of the audit report is set around the following risks/activities.
- Identification, assessment, and reporting for the risk of material misstatement.
- It ensures compliance with the applicable provisions of the regulations.
- It ensures compliance with the internally developed standard operating procedures.
- The conduction of efficient operations leads to cost minimization and profit maximization.
- Increasing reliability of the management information system.
- They are improving the effectiveness and efficiency of the overall business processes.
- It ensures the accuracy, completeness, and reliability of the accounting-related function.
Risk identification/deficiencies in the internal audit activity
The main purpose of the internal audit function is to provide effective risk management policies and procedures.
The function observes processes and obtains complete understanding. Based on their business understanding, they identify risks in different functional areas of the business, including but not limited to the followings risk and related factors.
Areas of audit performance | Revenue, receivables, and receipt | Purchase, payable, and payments | Operating fixed assets | Human resources and payroll | Treasury and fund management |
Specific risk areas | -Sales -Product delivery -Revenue recognition -Delivery controls -Credit policies -Collection follow-ups -Cash security -Discount policies | -Receipt of supplies and services. -Accounts payable management -Purchase policies -Payment processing | -Ownership of the asset -Existence, and completeness of assets. -Acquisition and disposal -Maintenance of asset register -Accuracy of accumulated depreciation -Integration with General Ledger -Calculations of disposal | -Process of employee addition/resignation -Payroll and employee management -Appraisal policies -Training and development -Succession planning – Performance measurement | -Working capital management -Interest rate and exchange rate exposure of balance -Bank reconciliation process |
Assessment basis | -Order book/Sales order -Delivery challan -Invoice issued – Receivables aging -Credit policy | -Purchase order -Bills received -Goods received a note -Payment vouchers | -Fixed asset register | -Personnel files -Employment contracts. -List of employees -Employment form -Leaves policy -Evaluation forms | -Cashbook -Bank statement -Un presented cheques – Un credited cheques -Financing agreements |
Given aspects of the risk assessment is not exhaustive and things can be further explored based on the account balances in the financial statement.
Further, based on the nature and impact of the risk, preventative controls are assigned that help prevent the misstatement.
In addition to this, some risk areas are not limited to account balance but overall organization/entity as given below.
Areas of risk identification | Financial reporting process | Management information system and related internal reporting | Information technology | Regulatory compliance |
Applicable areas of financial statement | Complete set of financial statement | Not directly related | -Process automation – Operational integration | -Complete set of financial statements and business operations |
Basis of risk assessment | -GAAP/IFRS compliance in terms of presentation and accounting treatment. -Internal policy compliance -Board approval -Accounting policies -Applicable ordinance | Standard operating procedures | – Data security – Back up – Disaster recovery – IT-related controls | – Applicable regulation, including oversight body. |
Related functional area of the risk | All financial transactions and account balances | -Finance -Operations | Complete business processes | -Compliance |
Further, the process of risk identification can be more effectively conducted via the performance of the walkthroughs on the in-process accounting and operational controls.
Management comments
Management comments refer to the management’s response to the observation reported in the internal audit report.
It helps to understand their point of view on specific observation and their plans to control the mentioned risk.
The audit report is distributed to senior management with the final comments of management to ensure they have an enhanced understanding of the audit.
Following these guidelines can help to enhance the quality of the management comments/responses.
- Discuss all the observations with the auditor to clearly understand their point of view before forming a final opinion.
- Mention the specific set of actions with a timeline to ensure control of the risk.
- Write a clear, concise, and to-the-point response.
- It’s good to mention specific positions responsible for the implementation of the corrective actions.
Recommendations
These are the actions recommended by the auditor to reduce the impact of current observations. So, it’s an auditor’s responsibility to clearly describe the necessary actions to control the risk and avoid potential losses.
However, the recommendation must be logical, and potential benefits should exceed the cost of implementing corrective actions.
Conclusion
A good internal audit report aims to enhance business profitability via risk management. An efficient internal audit function contains five main components: objectives of the audit function, scope of the internal audit function, identification of risk/deficiencies in the internal controls, and recommendation from the auditor to improve on observation.
Frequently asked questions
What areas do stakeholders like to see in the internal audit report of the business?
The following three are the main areas stakeholders like to see in the internal audit report.
Observations regarding process improvement | Identification of the risks related to fraud/mismanagement | Risk of the compliance |
Revenue, expenses, payments, collection, cash management. Discounts, complaint handling, the process of inspection, and credit limit purchase processes. Bank and cash management process benchmarking. Financial reporting closing processes. | Misstatements in a journal entry.Delays in the updates of the accounting system. Significant deficiencies in the controls signal management fraud.Unusual transactions in the accounting system.Unusual delays in the business processes. | Events of non-compliance.Self-assessment Compliance check with internal policies and standard operating procedures. |
What are the best practices to ensure the internal audit function’s independence?
Following are some of the best practices to ensure the internal audit function’s independence.
- The internal audit function should report to an audit committee without the business management.
- The audit committee should approve the audit plan.
- The internal audit function should access business books and accounting records to inspect documents and observe the processes.
- The appropriate budget should be allocated to the function to ensure the adequacy of the audit resources.
What are the objectives of the internal audit function?
Following are some of the objectives of the internal audit function.
- Improvement in the business operational functions.
- Protection of the business assets from the risk of fraud and mismanagement.
- Installation of internal controls to detect fraud.
- The increased reliance on business-related accounting records and documents.
- Compliance with the financial reporting and the closing of accounts.
Who is responsible for ensuring efficient internal financial and operational business control?
Management of the business/board of Directors is responsible for ensuring an efficient internal control system.