Internal Audit Standard No. 5 - Internal Control Audits
An Internal Control Audit is an independent evaluation of how an organization’s activities, processes and functions are conducted, managed and monitored to protect its assets, and ensure compliance with relevant laws, regulations and policies. The audit objective is to provide assurance that the controls are designed properly, are sophisticated enough to manage risks, and are being employed thoroughly and consistently enough to ensure they are working.
1. Definition
Internal control is the process that provides reasonable assurance of reliable financial reports and effective and efficient operations. Effective internal control should be designed to provide management and the board of directors with reasonable assurance that the following objectives are achieved:
Adherence to applicable objectives and regulations
Protection of assets against theft, loss and improper use
Adequate compliance with management plans and strategies
Reliable financial reporting
2. Scope
An internal control audits scopes are varied and may be customized depending on the organizations specific needs. Generally, all of the audit activities, processes and functions need to be included to determine the quality of the internal control system of the organization. The scope typically includes:
Finance
Legal
Operations
Information Technology
Human Resources
Compliance
Assessment of the internal control framework and its design
Analysis of the control environment
3. Objectives
The objectives of an internal control audit should be designed to fulfill the following:
Assess fraud and abuse
Evaluate compliance with company policies and procedures
Identify control gaps
Evaluate the effectiveness of management activities
Assess the implementation of new management systems
4.Audit Methods
The determination of the audit methods should be made by the audit team. Analytical procedures and review tests will be used when appropriate. The types of audit tests used may include;
Inspection - Inspection of audit evidence such as agreements, documents, reports, records and processes.
Inquiry - Interviews/surveys of personnel, directors, and third-party vendors.
Observation - Watching activities being performed
Testing - Sampling and testing of data, processes, or other controls.
Analytical Procedures - Evaluating relationships among data and making projections to determine or understand some aspect of the business.
5. Criteria
The audit criteria should define the acceptable standards for the internal control evaluation, such as accepted practice and industry standards. The criteria should also meet the control objectives as stated in the internal control framework.
6.Follow up
After the audit is complete, the Internal Control Audit team should report their findings and suggestions to the organization’s job responsible person. The report should contain an analysis of the internal control system, based on the audit objectives that have been achieved, identified errors and abuses, a list of recommended corrective measures, and an overall assessment of the system’s effectiveness.
The follow up phase should ensure that appropriate corrective actions are taken in a timely manner. The results of the review should be reported to management and the board of directors, and a record should be maintained of the procedures taken to investigate and resolve any issues.
