Investment in The Coconut Industry by Nancy Cheruiyot
Internal audit article
1. Internal Audit-Best Practices
Sonali Singh
The Cambridge dictionary defines best practice as a working method (or set of working
methods), which is officially accepted as being the best to use in a particular business or
industry. These methods or best practices are usually described formally or in detail.
Therefore, best practices are those generally understood operational characteristics of
organizations, or procedures that have proved to be successful in practice.
The concept of best practice belongs to the field of management and is described by
management ‘gurus’ as the most efficient and effective way of accomplishing a task,
based on repeatable procedures that have proven themselves over time for large numbers
of people. About a hundred years ago Fredrick Taylor stated that “among the various
methods and implements used in each element of each trade there is always one method
and one implement which is quicker and better than any of the rest”. However, by its very
definition, best practice is a dynamic concept, an approach based around continuous
learning and improvement, rather than a static, inflexible, unchanging method of doing
things. Best practices also change and/or improve as times change and things evolve.
What is critical is the adoption of good processes and proper planning, even following a
standard way of doing things that other successful organizations are doing, but at the
same time, the adaptation and molding of these best practices to suit the particular needs
and to balance the uniqueness of an organization with practices it has in common with
other organizations. Therefore while best practices do not have one template or form for
everyone to follow, it can certainly be the idea that with the proper processes and
planning, the organization can achieve the desired result with fewer problems and
unforeseen complications. What is needed is the commitment to using all the knowledge
and technology at ones disposal to ensure success of the organization.
1
2. Internal Audit and Good Governance
“An effective internal audit function is a fundamental component of good governance”-
Canada Office of the Auditor General.
The terms governance and good governance are widely used today. Traditionally
governance refers to forms of political systems and the manner in which power is
exercised in utilizing a country’s economic and social resources for development. It has
also been described as a process of decision making and the process by which decisions
are implemented or not implemented. It involves public institutions in the conduct of
public affairs and the management of public resources, which should be utilized most
efficiently and effectively. Good governance has been described as an ideal which can be
understood as a set of eight characteristics i.e. participation, rule of law, transparency,
responsiveness, consensus orientation, equity and inclusiveness, effectiveness and
efficiency, and accountability. It involves transparency which means that the decisions
taken and their enforcement done in a manner that follows rules and regulations. Good
governance means responsiveness. It means effectiveness and efficiency in ensuring that
processes and institutions produce results that meet the needs of society while making the
best use of resources at their disposal. It necessitates accountability which means that
government institutions will be accountable to the public, and to all those who are
affected by their decisions.
The 1992 World Bank report entitled “Governance and Development” identified seven
specific aspects of ‘good governance’, which became a concern in considering projects
for assistance and these included public sector management, accountability, transparency
etc. Good governance therefore became very much a part of the reforms agenda and
entered the lexicon of governments of developing countries. India was no exception. The
process however had started somewhat earlier worldwide, with governments embarking
on an ambitious journey to improve government performance- the New Public
Management, under which reformers have sought to radically change the manner in
which the public business is conducted. All the initiatives whether under the banner of
2
3. ‘New Public Management’ in New Zealand and the United Kingdom or “reinventing
government” in the United States, seek to improve governmental performance by
emphasizing customer service, decentralization, market mechanisms, cross functional
collaboration and accountability for results.
While public sector reforms are pervasive in the developing countries, what is required is
a citizen centric governance framework which combines participatory decentralization,
with results oriented management and evaluation. Traditionally evaluations have tended
to be uni- dimensional, concentrating only on fiscal probity and rule adherence. These
trends are in evidence in India as well since the government has embarked upon reforms.
The Fiscal Responsibility and Budget Management (FRBM) Act seeks to put in place
stringent fiscal controls in government, the Right to Information Act seeks to bring about
transparency and accountability in governments functioning. With the introduction of the
Outcome Budget the Government has addressed the need to track not just the
intermediate physical outputs of schemes/programmes but also the outcomes which are
the end objectives of State interventions. In this scenario internal audit can act as a
powerful tool to improve accountability, it can give the required inputs which can be fed
into the planning process, inputs that can be utilized to monitor implementation.
The audit function has traditionally been seen as being part of the governments financial
management function, and increasingly as a way for improving the performance of the
government sector. It has provided assurance that public funds received and spent are in
compliance with appropriations and other relevant laws, and that the reported use of
funds is a fair and accurate representation of the financial position of the government.
Beyond this, audit in many countries has evolved to take a more comprehensive view of
the economic and social implications of governments operations or value-for-money or
performance audit. In recent years the demand for greater transparency and accountability
in governments, has resulted in a move by managers within government organizations, to
improve internal audit procedures in a way that would ensure some protection from
adverse reports of external audit and also so that internal audit gives them so minimal
level of assurances.
3
4. Against the background of the plethora of reforms in monetary and fiscal management
and the complex challenges being thrown up by the second generation of reforms within
the country, the Government felt the need to have a re look at some of the
institutionalized financial management systems. Acknowledging the need for change and
perhaps the potential of the Internal Audit Wing (IAW) within the ministries/
departments the Ministry of Finance (MoF) recently reviewed the scheme of ‘Integrated
Financial Advisor(IFA)’ and issued a Revised Scheme of IFA on June 1, 2006 which
envisages a larger role for the Chief Controller of Accounts( CCA)/ Controller of
Accounts(CA) In so far as internal audit is concerned the new guidelines mandate that the
Internal Audit Wings working under the control and supervision of the CCAs/CAs shall
assist the Financial Advisers in the appraisal, monitoring and evaluation of individual
schemes. It specifies that internal audit would focus on:
v Assessment of adequacy and effectiveness of internal controls in general, and
soundness of financial systems and reliability of financial and accounting reports
in particular;
v Identification and monitoring of risk factors (including those contained in the
Outcome Budget);
v Critical assessment of economy, efficiency and effectiveness of service delivery
mechanism to ensure value for money; and
v Providing an effective monitoring system to facilitate and course corrections.
What the IA can do
With the enlarged mandate and given the scope, objectives and functions of IAW under
the CGA’s organization internal audit in Government today is of critical value for several
reasons all of which are well known to us:
v It is potentially of major importance as an effective internal audit system leads to
improved accountability, ethical and professional practices.
v It can improve the quality of output, support decision making and performance
tracking.
4
5. v It has the potential to act as an independent and objective appraisal mechanism
within the organization whose findings and recommendations can act as a tool
enabling the ministry or department within which it functions, to take suitable
corrective action with respect to service delivery and also procedures.
v It can be used to examine and evaluate activities, as a service to the organization
promoting effective control at a reasonable cost.
v If internal audit can become an inherent part of management reporting by
suggesting remedies for the problem areas identified, it can truly fit into the
fundamental and critical area of financial reform which focuses on outcomes, of
objectives being achieved at a reasonable cost. It will integrate internal auditing
with the ongoing public financial management reforms.
What sets Government Audit Apart?
It is necessary to bring out the differences that exist between auditing in the government
sector, and auditing in the private sector.
v The environment of the audited government organization is vastly different from
what exists in the private sector, and is a significant reason for the difference
between the two. The government audit is carried out in an environment
determined by legal rules and a great deal of importance is attached to lawful and
rightful conduct within the governments flowing from the need for governments
to act in accordance with laws and regulations laid down by the government itself
v In the public sector moreover, the auditor’s opinion serves the interest of the
public in general and is not confined to only providing a full and fair view to the
stakeholders as is the case with the private sector audit.
v By extension therefore, the primary purpose of an auditor’s opinion is to serve in
the formal discharging procedure in the democratic process. Effectively then, the
stakeholders are many in case of the government audit
v It is also a fact that the decision making process in government is much more
complex when compared to the private sector where decisions are predominantly
5
6. determined by technical and scientific factors concerning the primary processes of
the entity and the economically limiting conditions .
v In the government arena, success cannot be translated in terms of the bottom line
of income and expenditure account but rather needs other criteria as a measure of
performance.
v The auditing of the accounting system of a government organization is important
not only as a track to the financial report but also because the accounts contain
important information which is vital for the process of decision making which in
the government sector, by its very nature, has wider implications.
v Auditing in the government sector therefore has a substantive importance.
Attention for the processes like acquisition of resources (economy), use of
resources (efficiency), satisfaction of needs of society (effectiveness) which
implies that audit of financial management as such, including compliance of laws
and regulations in the rightfulness audit, is often defined as a substantive object of
audit in the audit assignment.
v Financial reporting in the public sector is also different from that in the private
sector because the laws and regulations regarding financial reporting in the public
sector are different on account of the need for transparency on part of the
government regarding the government’s plans and the resource allocations.
Therefore the laws and regulations on financial reporting in the public sector start
with regulating the procedure of the budgeting process and the structure of the
presentation of information in the budget documents.
v Furthermore, as far as the government is concerned, its primary goal is not to earn
a profit over and above the cost of production as is the case with private entities.
Rather the goal of government is to realize the maximal possible usefulness for
society from a limited amount of resources and the performance indicators are
also different since the success of government entities is not expressed only in
financial terms.
For a government organization, a system of internal controls is of key importance as a
precondition for better government performance because the system of internal control is
6
7. often the only instrument available, unlike in the private sector where the market signals
act as warning signals. Furthermore the principle in the new governance model in the
modernization of governments which stresses on integrity and objectivity for services and
the stewardship of funds requires more effective internal controls. With a shift from the
traditional centralized controls to a greater delegation and a more distributive control
where the management is responsible for the checking and monitoring, effective internal
controls are necessary.
Best Practices
With the expanded and extended role of internal audit now stretching beyond its
traditional focus on compliance and financial audit, to encompass an assessment of the
organizations efficiency and effectiveness in achievement of its objectives, internal audit
has become a management tool. In the over all scheme of financial reform aimed at better
financial management, best practices in internal control and internal audit, will generate
key benefits. The overall design of the internal audit system, including best practices,
should be geared towards the specific priorities of the organizations taking into account
each organizations own circumstances and requirements. But an overall Best Practices
Framework is necessary to evaluate the adequacy of internal controls and the
performance of the organization as well as of the internal audit. Best practices could
include those relating to roles, responsibilities and authorities and oversight of internal
audit, resourcing the internal audit function, planning internal audit’s activities, audit
processes, and evaluating internal audit’s performance
Internal Audit practitioners talk about an appropriate “tone at the top” as being a key
component of the internal control structure of the organization. Best practice emphasizes
the responsibility of the Board/CEO to establish an appropriate ‘corporate’ culture,
including codes of ethics and standards of conduct to enhance the organizations
reputation for fair and responsible dealings and to help maintain high standards of
behaviour throughout the organization. (TPP). These attributes include: acting with
honesty and good faith; exercising due care and diligence; using information and position
7
8. properly; employing discretion; avoiding conflict of interest; meeting public obligations;
managing financial obligation prudently and maintaining confidentiality. Since internal
controls and internal audit is a process rather than an end in itself, and more importantly,
it is a process driven or effected by people at every level of the organization, the key
attributes and attitudes of the most senior level within the organization, are critical not
only to the effectiveness of the audit but also to the achievement of the organizations
goals. Documenting and implementing a code of conduct or a code of ethics would serve
to address the importance of maintaining confidentiality, avoiding conflict of interest,
explain the nature and significance of illegal or other improper acts.
Best practices now encourage the organization to establish effective audit committees
which would help preserve the independence of the internal audit function and ensure
appropriate and timely action is taken on audit findings. “The Audit Committee serves in
a special capacity as an important communication link between external and internal
auditors and operating management, and as a means of reducing the risk that management
will override key elements of an agency’s internal control structure”.
Designing effective internal control procedures which provide reasonable assurance
regarding the achievement of the organizations objectives is important to a Best Practice
Framework. The identification of the functions performed by the organization in the
achievement of its strategic objectives, and the breaking down into individual tasks and
related risks and the control procedures built in to mitigate these risks are important. Best
Practice therefore requires the preparation of a Risk Management Plan which will provide
the framework for monitoring the risk management activities. Once the whole array of
risks has been identified, the next step is to rank the risks and draw up an audit plan
accordingly. One way to effectively prioritize the processes for audit purposes is to look
at the matrix of probability of occurrence versus severity of loss for each of the processes
and develop a risk based audit plan according to this classification (Moody). It is also
desirable if the audit plan is devised with a holistic view as to the nature and significance
of the risks facing the organization/activity rather than focusing only on the financial
reporting risks. While in the process of identifying these risks the audit team may use
8
9. intelligence gathered by other functions within the organization, in devising the audit
plan the internal auditors should have an independent view on risks. Best practices also
demand timely and comprehensive coverage by audit across a spectrum of risks While
we grade risks using simple ranking of high, medium and low risk, timeliness of the audit
as per this categorization is important, with high risk areas being covered annually and so
on. This does not imply that there should be slippage in covering the low risk areas
because even these can create problems. In fact internal audit practitioners consider it
advisable to annually re assess the organizations’ risk profile annually. Given that the
risks to the organization/activity would change over time, with new risks emerging,
revisiting the risk based plan is imperative to an effective audit function.
The effectiveness of audit is dependent on its ability to not only spot problem areas or
areas where improvements can be suggested, but also on its ability to ensure speedy
remedial action after audit has been completed. This in turn is dependent on timely
completion and submission of the audit report. Any delay in this would defeat the very
purpose and function of internal audit. It is considered a best practice if audit
professionals rank or grade their reports, using a simple system, to enable the clients
distinguish problematic audit reports from others. There could for instance be one
category of reports that are highly critical where significant remedial actions are
recommended; others that list out deficiencies that need to be corrected but where the
lapses are not too significant; and a third category of those reports that are by and large a
‘clean bill of health’ though some improvement opportunities are identified. Effective
and timely follow up to reports is essential particularly the speedy implementation of
remedial actions recommended in highly critical reports. Best practices calls for such
units that receive highly critical reports or those units that have significantly delayed
implementation of recommendations of audit, to report the reasons for the problems and
proposed corrective actions, to the highest level over seeing the internal audit function
within the organization. An effective tracking system for audit reports would ensure an
effective and timely follow up to audit. A rigorous audit follow up process could for
instance include a Follow up Action Report form to be attached for the audited
department to use for reporting when the audit recommendations are implemented. The
9
10. follow up by internal audit to verify the implementation could be done within six months
and if necessary a second follow up could be done within one year, depending on various
factors. The follow up process however ensures the timely and effective implementation
of audit recommendations in addition to ensuring management’s responsibility and
accountability and is therefore a critical element.
Upgrades to the internal audit function capabilities in terms of increased manpower and
resources available as well as capacity building, will contribute to a more effective
control environment. Best practices support greater independence for the internal audit
function and this can be achieved though a significant audit committee role in setting and
approving the audit functions staffing and budget; periodic benchmarking of audit
functions with peers and industry best practices; clarity in internal audits role in
operational risk and pre-implementation control development matters; reporting by the
audit head to the audit committee(functionally) and to the CEO( administratively);
empowerment of the audit function by communicating the importance of internal audit
throughout the organization; adopting a balanced staffing model and maintaining an
effective working relationship between internal and external audit.
According to the IIA, appropriate reporting relationships are critical if internal audit is to
achieve independence, objectivity and organizational stature necessary to fulfill its
obligations and mandate. On the reporting lines for the chief audit executive, the IIA
states that best practice indicates that the internal audit activity should have a dual
reporting relationship The IIA International Standards for the Professional Practice of
Internal Auditing (Standards) require that the chief audit executive (CAE) report to a
level within the organization that allows the internal audit activity to fulfill its
responsibilities. To achieve necessary independence, best practices suggest the CAE
should report directly to the audit committee or its equivalent. For day to day
administrative purposes, the CAE should report to the most senior executive (i.e., the
chief executive officer [CEO]) of the organization. This reporting line is stated to be the
ultimate source of its independence and authority.
10
11. Internal audit practitioners point to the need for independence of the internal audit
function by citing the lesson learnt from the challenges faced by the internal audit
function at the now defunct WorldCom .Here since the internal audit function was not
fully accepted and supported by top management, the function diverted from its role and
focused on finding ways to assist the company to maximize revenues, reduce costs and
improve efficiencies. The internal auditors did not fulfill their role as the company’s
“internal audit police” but rather sought to gain acceptance as team players by focusing
on operational audits and projects that would be seen to be adding value to the company.
In the end the function failed to detect the accounting improprieties that were reported at
an earlier stage by WorldCom. Other cases cited are of Enron and Global Crossing,
where the accounting misrepresentations and dealings of the top executives cost
stockholders tens of billions of dollars, and could have been avoided had the internal
auditors performed their traditional roles as “watchdogs” instead of succumbing to
pressure to de emphasise audits of sensitive and high risk areas and focus instead on
advising management on ways to increase the bottom line. IIA standards which guide the
professional practice of internal auditing list independence of the internal audit function
as the first standard and on this is dependent the success of any internal audit function its
effectiveness and its organizational status. The higher the level within the organization to
which the auditor reports, the more effective the auditor is in selecting areas to audit and
reporting the findings without fear of retaliation or peer pressure.
Best practices also require that the right internal audit methodology is designed and used
to facilitate effective and efficient delivery of high quality services. This can be done
once the expectations of the organization are understood so that the right audits are
executed at the right time with the right resources. According to the methodology
prescribed by the Committee of Sponsoring Organisations (COSO) there should be three
components namely, risk assessment, control evaluation and reporting. Risk assessment
is done at the organizational level and from this emerges the internal audit plan. Since
effective reporting is a key element in the methodology and since significant delays can
undermine the organizations perception of the internal audits values and efficiency as
well as impact the completion of planned work, it is best practice to agree on reporting
11
12. protocols before hand so that communication and agreements of audit results can take
place in a timely manner.
The IIA standards and the GAO Government Accounting Standards require an external
quality assessment to assess internal audit compliance with standards and appraisal of the
quality of operations of internal audit While a periodic external quality assessment or
peer review of the internal audit function is essential for a comprehensive quality
assurance programme, a self assessment can also contribute to quality assurance. This
provided the self assessment addresses all attribute and performance standards, duly
supported with relevant documentation. Best practices require that the indicators used for
measuring internal audit performance should be linked to the organizations objectives.
Internal audit should therefore develop and implement a system of performance
indicators to measure its own performance. The Statement of Best Practice Internal
Control and Internal Audit developed by the New South Wales treasury Department
includes as performance indicator service delivery benchmarks such as percentage of
internal audits actually completed as per the original plan for the period, the future dollar
costs saved or revenues earned as a result of implementation of audit recommendations or
the number of internal audit findings implemented as a percentage of the numbers raised
in their reports etc. Costs control benchmarks include the actual costs of internal audit as
a percentage of internal audits budgeted costs for the period. A survey of management
expectations or a “customer survey” sent to key managers after each audit or after issue
of report can be used to measure audit performance. It will help focus internal audit effort
and for this purpose the key performance measures suggested in the Statement include
effectiveness of the audit in covering key areas, feedback on the findings of audit,
duration of audit, timeliness of audit, accuracy of findings and value of audit
recommendations, clarity of the audit report, professionalism of the auditors and value
added by the audit. The list could be expanded depending on the requirements. The point
is to develop a concise structured list of performance indicators to review performance,
the results of the review being reported to the audit committee, at regular intervals.
12
13. The IIA has identified key elements of an effective public sector audit activity which can
serve as a starting point to developing best practices for internal audit in the public sector.
The importance of the internal audit activity in the public sector has been highlighted in
the foregoing section. IIAs professional guidance document on the Role of Auditing in
Public Sector Governance, states that “Auditors perform an especially important function
in those aspects of governance that are crucial in the public sector for promoting
credibility, equity, and appropriate behavior of government officials, while reducing the
risk of public corruption.” The key elements listed by IIA as the minimum for
Government audit activity to achieve its mandate and to act with integrity and produce
reliable services, are:
v • Organizational independence.
v • A formal mandate.
v • Unrestricted access.
v • Sufficient funding.
v • Competent leadership.
.
v • Competent staff.
v • Stakeholder support.
v • Professional audit standards
While the need for improving processes over time is necessary as is the need to adopt or
develop those processes which are the most efficient and effective way of accomplishing
a task, it is equally important to take into account individual need or circumstances. Due
care needs to be exercised to ensure that best practices do not result in practice that is in
fact not the best when the results of the best practice are in fact contrary to the real ideal
situation or when best practice is used to prevent challenges to rules and systems that are
in reality not best practice. A Wikipedia article cites the case of Dick Fosbury, who
revolutionized high jumping technique-we have all heard of the Fosbury Flop. He
challenged the existing best practice by going over the bar back first instead of head first
13
14. and in the process, by ignoring best practice, he not only raised the performance bar but
also created the new best practice.
Best practice can be exchanged, adopted, adapted and developed. The key issue is ‘what
is possible?’ and not merely ‘what is somebody else doing?’
14