Using the results of the work of internal auditors
Many business entities that have a legal obligation to audit financial statements have an internal audit function in their organizational structure, while some establish an internal audit function as part of internal control and management. Internal audit helps in the effective operation of the company every day, and its important responsibility is to supervise the functioning of internal controls.
Most internal audit engagements (as opposed to external) are focused on non-financial processes. The information on risks collected by the external auditor is typically limited to the area of financial reporting (which is also an area where the objectives of the external and internal audit overlap), while the internal audit provides senior management and the governing body with insight into the manner in which strategic and business risks are managed and monitored, as well as the risks of compliance of the entity's operations with legal regulations.
We, as external auditors, when auditing financial statements, for greater efficiency of our work and reduction of audit risk, must be able to use the results of the work of the internal auditor, which includes the annual report of the internal audit function (regulated by the International Auditing Standard ISA 610). In those cases, we consider and use the internal audit findings as input for our work, where we apply professional judgment in deciding whether internal audit work can be used, as well as in what way and to what extent it is possible in the given circumstances.
I must mention that an essential precursor to the successful engagement of an external auditor is familiarity with the functioning of the entity's internal controls. The procedures we perform when we review an entity's internal control include reviewing the results of the procedures performed by the internal auditors when reviewing, evaluating, and monitoring controls to provide information about whether the controls are working. After an initial introduction to the functioning of the same, we consider the functions and activities of the internal audit that are relevant to "our" audit of the financial statements, namely those that provide evidence of the effectiveness of controls, or those that provide direct evidence of possible material misstatements.
We also expect the client, that is, the internal audit function, to provide us with direct assistance during our engagement, if necessary. By providing direct assistance, we monitor and review the results of the work performed by internal auditors, to a level that is appropriate for the given circumstances (regulated by the International Auditing Standard ISA 220).
By applying these procedures, as external auditors, we make sure that the internal auditors have provided enough appropriate audit evidence to draw conclusions based on their work. In addition, we inform the internal auditors of their responsibilities and procedures to be followed, as well as any significant accounting and auditing issues identified during the audit that were significant to us.
The important fact is that we assess the status of the internal audit function in the entity, the quality and efficiency of the internal auditors' work, whether it applies a systematic and disciplined approach, as well as whether the relevant business policy and procedures support the objectivity of the internal auditors and the level of competence of the internal audit. In other words, we assess whether internal auditors performed their tasks without bias, conflict of interest or undue influence on professional judgment, and also whether they possess adequate knowledge and skills, at the level necessary to carry out their duties diligently and in accordance with applicable professional standards.
In practice
In accordance with by the Law on Business Companies, Article 451, public joint-stock companies, i.e. at least one person in charge of internal business supervision is obliged to fulfill the conditions prescribed for the internal auditor.
We, as external auditors, have encountered a different case countless times in practice. With the case that we had no or minimal cooperation or benefit from the internal audit function in the entity. Also, it is often the case that there is a case of lack of communication with the management. These were entities with poor or non-existent internal controls and internal controls that were not established at an adequate level. All of the above at the entity results in weak supervision over control activities and therefore weak and inadequate risk management.
Often in those cases, the segregation of duties within the internal controls function is not established at an adequate level, at a level that can enable the existence of each necessary function that will independently and promptly carry out its duties.
It happened that, at the entity, i.e. its management, there was a lack of reaction to knowledge about the weaknesses of internal controls, even if in the previous engagement we drew attention to possible omissions and gave our recommendations for the sake of more adequate and better functioning of the internal controls that are implemented in the specific company.
Weakness of internal controls is always a big problem for an entity. For us, external auditors, weak internal controls are always a call for the highest possible attention, while on the other hand, it also reflects on us with the need to expand the scope of engagement, which further leads us to a greater volume of time spent when auditing financial statements.
Recommendation
The internal audit function is a key element of the entity's management system and control activities, that is, essentially, an important factor in its effective operation. That function is of great importance also because certain procedures it performs can provide direct evidence of materially significant misstatements.
But, certainly due to frequent omissions and deficiencies in its functioning, entities should ensure an adequate level of interaction or cooperation between internal and external audit during audit engagement.
Cooperation in the mentioned relationship as an opportunity for external auditors, offers attention to possible omissions, which would lead to the elimination of duplication of audit work, and would also result in what is certainly the most significant, ensuring the highest level of minimization of the risks faced by the entity.
Our cooperation is also important to the management bodies of the company, because as a result of it, the management gets a more comprehensive view of the operations, controls and risks that the entity faces.
Fact
Finally, I present an important fact regarding the importance of the internal audit function, where we take the results of the Report for 2016, prepared by the Association of Authorized Embezzlement Investigators (Association of Certified Fraud Examiners - ACFE), and which indicate that internal audit departments in organizations played an important role in detecting embezzlement, misuse of property and corruption.
Fraud cases detected by internal auditors represent 16.5% against 3.8% detected by external auditors for the total number of cases detected in 2016.
Zorana Ciraković
Audit Manager
