Techniques of internal audit and control
How do auditors carry out internal audits and controls?
There are a number of techniques that auditors can employ. Some of these aim to prevent incorrect or illegal actions from taking place. For example, auditors may recommend increasing the security of accounting software by setting passwords that are harder to break or limiting the functions that certain categories of user can perform.
Other techniques aim to detect whether incorrect or illegal actions have taken place. For example, auditors may cross-check documents to see whether information has been recorded properly or make inspections of company warehouses to see whether the actual stock levels equal the ones recorded. Further techniques aim to rectify actions that are incorrect or illegal, for example, auditors may ask to modify a payroll entry if they believe that it is wrong.
The techniques auditors use have been codified by national or international professional bodies. One of the main international professional bodies is the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a US based joint initiative of accounting and auditing organisations formed in 1985. One of its main developments is a framework of integrated internal controls that has been widely accepted worldwide. The framework defines internal control as a “process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance”. It also contains detailed recommendations for setting up a control system, which includes attention to the role of the control environment, the risk management process, the information systems, the control activities and the monitoring of the controls.
In the public sector, guidelines for audit and control are issued at the international level by the International Auditing and Assurance Standard Board (IAASB). In its 2014 publication A Framework for Audit Quality, the IAASB describes the five key components of internal audit and control systems, and suggests that audit quality results from:
- Inputs: auditors should hold appropriate values, ethics and attitudes; and they should possess the knowledge, skills, experience and time to perform audit work;
- Process: auditors should follow a rigorous audit process and quality control procedures that apply with laws, regulations, and standards;
- Output: auditors should produce documents, in the form of reports and information, that are useful and timely;
- Contextual factors: auditors should consider the role of conditions such as business practices, information systems, corporate governance, cultural factors and the legal and regulatory environment when carrying out their activities;
- Interactions: auditors should deal with different actors, including managers, regulators, users and those charged with governance, through both formal and informal channels of communication.
Depending on these factors, auditors may find themselves in a better or worse position to carry out their tasks and deliver assurance that entities and organisations have made proper use of financial resources.