Managing risks from within

What is an internal audit?

In general, an internal audit involves two major activities:

1. Obtaining an understanding of management's process for evaluating the effectiveness of the entity's internal control.

2. Performing procedures to obtain sufficient evidence about the design effectiveness and operating effectiveness of the entity's internal control.

The Committee of Sponsoring Organizations (COSO) defines internal control as 'a process effected by an entity's board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.'

In simple words, an internal audit is an audit of an entity's internal control systems and procedures and how the system and procedures are implemented.

How do internal and external audits differ?

Looking through the financial statements of large-scale corporations, it is noticeable the amount of funds allocated to independent auditors and to carrying out statutory, external audits. Equally noticeable and considerable, are the efforts and resources deployed to deal with internal issues, and this is where the internal audit function comes in. At a fundamental level, an internal auditor assists senior management in maintaining effective internal controls and ultimately in reducing business risks.

The primary responsibility of an independent auditor is to express opinion on the financial statements, based on the audit findings, and to report his opinion to shareholders. His audit involves obtaining evidence about the amounts and disclosures contained in the financial statements. Accordingly, independent auditor's audit risk is a function of the risk of material misstatement, comprising inherent risk and control risk, and detection risk. 
The independent auditor views internal control in terms of an entity's true and fair preparation and presentation of the financial statements, but does not express an opinion on the effectiveness of the entity's overall internal controls.

In contrast to an independent auditor, internal auditors are established within the entity itself and carry out appraisal activities as a service to the entity. An internal auditor is primarily responsible for examining, evaluating and monitoring the adequacy and effectiveness of internal control of the entity. Internal control consists of the following components:

a) The control environment.

b) The entity's risk assessment process.

c) The information system, including the related business processes, relevant to financial reporting and communication.

d) Control activities.

e) Monitoring of controls.

Is an internal audit a must?

In China, the financial statements of all Foreign Invested Enterprises (FIEs) should be prepared in accordance with the Accounting Laws of the People's Republic of China and the Accounting Standards for Enterprises. Statutory audit repost is required to be submitted to the relevant government authorities during annual corporate income tax reconciliation and annual inspection of licenses. Furthermore, statutory audit of financial statements is required in most overseas jurisdictions.

In contrast, an internal audit is non-statutory and thus it is not a compulsory activity. Internal audit is a function or an activity, which assists management in maintaining effective internal controls and in reducing business risks. Although internal auditors are effectively part of the entity, they work independently from the management team and often report directly to the board of directors. The chief tasks of an internal auditor are to identify and to manage the entity's risks.

How does an internal audit help an entity?

The management of an entity should use risk management and its understanding of risks as an integral part of running the entity and its business, and should take action in respect of the associated risks and opportunities.

A comprehensive risk management model should include assurances, that tell the management how well the processes are working and how well risks are managed. Assurances comprise both of internal and external factors. Internal audit can provide management with independent assurance on a diverse range of tasks, including but not limited to fair presentation of financial statements that external auditor will do. An effective audit committee will seek assurances on the entity's key risk areas, so that the management can assess whether the risks associated with the entity are managed appropriately.

In summary, an internal audit can help to identify risks, which may lead an entity to fail in achieving its performance and profitability targets. Internal audits also aid in preventing a loss of assets and resources, in ensuring reliable financial reporting, and in complying with laws and regulations.

This article was created on: 2017.09.05