Internal Auditing Standards and Techniques

Natalia Vasilieva

Audit activities are classified under two main headings of external auditing, performed by audit firms or individual independent auditors, and internal auditing, performed by a specialized department of an organization. The overall objectives of both types of auditing overlap in many respects, primarily in the control function. However, there are material differences in the substance and nature of their activities.
It is necessary to say a few words about external auditing in order to obtain a better understanding of internal auditing. External auditing reviews the reporting system, checks and assesses the enterprise«s assets and liabilities as well as tests existing internal controls. The major objective of external auditing is to establish whether financial statements of the enterprise present fairly economic reality and to assess its financial position and performance over a certain period. External audits are conducted on a regular basis (usually annually). The external auditor»s report is intended primarily for supervisory agencies, shareholders, creditors, etc. Internal auditors also use this report in coordinating their activities with those of the external auditors.
With respect to internal auditing, it should be noted that an internal audit department (or an internal control department, as it is sometimes called) is an independent department within the enterprise that performs systematic reviews and assessments of its operations. Its overall objective is often defined as assisting the enterprise in efficient execution of its commitments and assignments. It is a management tool intended to determine whether or not management goals are achieved. To this end, internal auditing provides managers with review findings and performance evaluation in respect of operations of individual departments as well as with relevant advice and information to assist them in running their business.
Internal audit activities depend on the objectives of the internal auditing function and of senior management of the organization, as well as on the nature of its operations. Obviously, audits of public sector enterprises, commercial banks, insurance companies, and pension funds also have their own specific features. In principle, internal audit functions in banks don't differ from those described in general terms above, but they have their own particular nature that is driven by features of bank products and accounting, organization of operations, and a specific set of risk factors.
Even though they differ in many respects, all internal auditors need some overall guidance, which is resolved through developing relevant rules or standards, as well as specific audit techniques. This article uses the term «standard» in a special meaning which differs from the one generally accepted in Russia (where the word usually is applied to a set of prescriptive regulations). In addition to «auditing standards», the title «code of ethics» is used in most countries, which can be interpreted as «standards of conduct for auditors».
Russia has a standard on internal auditing approved by the Russian President's Audit Commission. Since these rules have been published and Russian auditors are familiar with them, this article will move straight away to international standards and will not deal with the Russian rules¹.
Mention should be made of several internal audit organizations, including the International Organization of Supreme Audit Institutions (INTOSAI) which has more than ten member countries, including the USA, UK, and Japan. Special departments of government agencies are working in this area, such as the US General Accounting Office, which is similar in some respects to the Accounts Chamber of the Russian Duma. Each of these, and other similar foreign bodies, has a department that is in charge of maintaining relevant auditing standards.
The Institute of Internal Auditors (IIA) is a global organization of internal auditors, with about 100,000 members in nearly 100 countries. The standards of most other internal audit associations are based upon those of the IIA, which has recently revised and reissued its standards and code of ethics. The IIA is also in process of issuing new guidance in the form of practice directives and other standards-related materials. (Editor's Note: Accounting Report plans to have future articles, covering the new IIA Standards and related guidance to internal auditors in more detail)

Foreign accounting firms that perform audits of Russian banks and other enterprises follow international standards, so it is reasonable to familiarized Russian auditors with those standards. To this end, let's describe standards on internal auditing based on several international and other documents. These standards generally fall into three categories:

1. General Standards, covering the following assumptions and guidelines:

• Reasonable Assurance. This implies reasonable achievement of audit objectives, taking into account cost/benefit and various types of risk.

• Supportive Attitude. Internal auditing is initiated by the organization and its administration and employees should be supportive of internal audits and provide necessary information.

• Competent Personnel. Under this assumption, managers and employees of the internal audit department are presumed to be of high moral standing, have appropriate professional training, and be free of bias.

• Control Areas, Objectives, and Techniques. Internal control areas should be specified for each activity and should be logical, rational, and reasonably complete. The elements of internal control include senior management (providing policy, planning and organization, information gathering and processing, and internal auditing), financial management and information, operational activities (that enable the company to achieve its mission), and support activities. Control objectives, that are primarily driven by the enterprise's plans, should be specified within each area, to provide for security of resources, compliance with laws and directives of management, and reliable information about the enterprise. Internal control techniques must be economical and productive in order to ensure that audits are efficient and reliable.

2. Specific Standards include:

• Documentation. Existing internal controls, all transactions, and other material events should be clearly documented.

• Recording and Execution of Transactions and Events. Transactions and events should be properly recorded and classified throughout the whole life cycle of transactions or events and include their initiation and authorization. These should be executed only by those staff who act within their authority and competence.

• Supervision and Separation of Duties. Key duties and responsibilities for authorizing, performing, recording and monitoring transactions should be separated among employees; qualified and on-going supervision should be exercised over these functions.

• Access to and Accountability for Resources. Access to resources and their accounting should be limited to authorized employees, and the responsibility for the use of resources and their accounting must be specified (and should be separated).

3. Audit Resolution Standard. This standard applies to the post-audit stage, requiring managers to promptly evaluate audit findings and identify and take due measures aimed at correcting flaws and making improvements on the basis of audit recommendations.

These general internal control and audit requirements use terms which are often quite vague. For example, how can one determine, unambiguously, terms such as efficiency, reasonable assurance, accuracy, etc.? Therefore, the standards should be regarded as general guidance on audit organization, selection of audit areas, objectives, and techniques. From this starting point, both government and business internal auditors develop their own audit rules and techniques that are more detailed.

For practical reasons, the more specific guidance on audit approach is very important. We will now elaborate on this guidance by providing a brief description of general internal audit techniques in banks. The selection of audit techniques is driven by specific features of audit areas and objectives. Examples of an «audit area» are a department, a product or service offered by the bank, a computer information system, and particular major accounts. The following phases are typical of an audit approach for an individual area: preliminary planning; assessing the risk; developing an overall audit plan and program; conducting an audit and documenting audit findings; reviewing results and preparing recommendations.

• Preliminary planning includes obtaining a full understanding of an audit area, analyzing legal obligations, determining major audit risks and tasks, determining an audit schedule, and identifying additional assistance required.

• Risk assessments – A systematic evaluation of inherent risks associated with a bank department, product, transaction, or event underlies the planning of audits and allocation of needed resources. Based on a preliminary review, auditors identify key risks and formulate appropriate audit tasks.

An important element of this phase is assessing control risk, which involves evaluating the effectiveness of the internal control system in preventing or detecting errors and misstatements. This is one of the most important and complex issues of internal auditing.

• Developing an overall audit plan and program -based on the foregoing risk assessment and a selection the key controls to be tested, and also on a review the operational and accounting processes, examination and analysis of various types of audit evidence, etc. The procedures in the audit program also include independent reconciliations of account balances, analytical procedures, a detailed review of source data, and checking compliance with specific procedures.

• Performing the Audit. Audit programs generally are performed as planned, but may be modified, based on the results of reviews of previous periods, nature of operations, current objectives, changes in personnel, amendments to legislation, changes in management policy, etc. Upon completion of an audit plan and procedures, an auditor should prepare an audit summary memo for each significant area audited, which serves as overall documentation of completion of the audit plan and describes key results in each audit area.

• Reviewing and Summarizing Audit Findings. Based on results of the audit tests and analytical work, an auditor develops an idea about the materiality of detected errors, misstatements, misrepresentations, etc. The need for adjustments of accounting records and the need for corrective actions relating to controls and procedures are viewed for reporting purposes from two angles, (1) materiality for the bank as a whole and (2) materiality of amounts in respect of certain financial statement items or other exposures to loss (such as damage to reputation, loss of efficiency, etc). This perspective provides managers with substantive summaries of audit results and enables the auditor to promptly identify areas for subsequent audits. Audit findings and their review also enable the auditor and management to obtain a comprehensive understanding of the effectiveness of internal control system.

Considering the great number of detailed procedures implied by the brief summary of internal audit standards and methodology in this article, it is evident that internal auditing in banks is a complex process that requires the involvement of experienced staff. It is clear that much work needs to be done to further develop audit guidance for the banking sector. It is also apparent how much potential internal auditors have to serve management needs and add much value to their organizations.

Ms. Natalia Vasilieva, Ph.D. in Economics, is the Head of Internal Audit Department fo the Association for Restructuring of Credit Organisations (ARCO). She can be contacted by phone (095) 725 3112 or by e-mail: vasilieva@gk-arco.ru.

The English translation of this article is a summary of a complete version which is available in the Russian Edition of this newsletter and at ICAR's website http://www.icar.ru.