Thursday 21st April 2005


Internal audits add value

By Arnold Niranjan

In our last article we highlighted the role of the audit committee as the engine of an effective board. In this article we will examine the internal audit as an important tool of the audit committee.

The responsibilities of the audit committee go far beyond simply reviewing internal control management letters; they comprise oversight responsibility for internal control, exercised by means of reports from management and from both external and internal audit.

This function, by necessity, requires committee members to understand the nature of the risks to which the company is exposed and how it manages these risks.

In the face of the list of their responsibilities, it is difficult to see how the audit committee members could discharge those responsibilities effectively, even if they were to meet monthly. Clearly, they could only do so with considerable assistance from internal audit.

As the European Commission’s green paper on auditing states: “Companies without a strong internal audit function will be unable to provide an audit committee with sufficient information to fulfill its responsibilities.”

Changing internal audit

It is now clearly established, given recent world corporate failures and best practice legislation (SOX 404), that the demands on the internal auditor are changing as companies strive to enhance governance, manage their risk more effectively and create a sustainable compliance process.

The chief internal auditor, in particular, is in the corporate spotlight much more frequently.

For the internal audit team, the current environment presents a unique set of challenges, as well as an exciting opportunity to contribute to the organisational agenda and add real value.

To succeed in this environment, internal audit may have to change old staffing models and more effectively navigate the often-conflicting expectations of its stakeholders.

In advising all levels of management and the board (through the audit committee) on the company’s systems of internal control and management of business risk, it is evident that internal audit is expected to add value specifically in the areas of risk management processes, internal control effectiveness, opportunities for process improvement, implementation of recommendations, corporate governance, systems development, management of change, acquisitions and divestments, and cost reduction opportunities.

The audit work plan

Each financial year, internal audit should be required to prepare an audit work plan which should be submitted to the audit committee for approval.

This plan should be sufficiently comprehensive to ensure a complete and effective review of the company’s operations on a cyclical basis while at the same time being flexible to accommodate special assignments requested by the audit committee.

Essential to the audit plan is an audit schedule, which should be based on a credible business process risk assessment. The schedule should specify which audit projects are to be undertaken each month, together with an estimate of the time and resources required to complete them.

In prioritising the audit schedule, the degree of risk attributable to individual activities will be assessed taking into consideration factors such as: materiality, the significance of the activity in terms of the company’s goals, the effectiveness of manual and automated system controls, importance in terms of sensitivity and public accountability and the findings of previous external and internal audit reviews.

Given the current drivers, internal audit functions are expected to meet higher performance standards and contribute more to the quality of an organisation’s governance process.

In the Caribbean, and in particular Trinidad and Jamaica, we are witnessing a shift by some of the leading companies towards greater effectiveness and accountability in the internal audit process.

Next week we will examine some of the best practices within internal audit.

Arnold Niranjan is the leader of Business Risk Services at Ernst & Young Caribbean. EYC is a regional firm providing assurance, tax and business advisory services to a diverse portfolio of clients. This article forms part of a series on governance issues and emerging best practices.

The charter

What the audit committee expects of internal audit is usually set out in detail in the internal audit charter, a document which should either be drafted or at least approved by the audit committee. The following items should be addressed in the charter:


The internal audit department is created by and exists as an extension of the audit committee of the board of directors for the purpose of assisting the committee, and the board, in satisfying their legal obligations for ensuring proper and reasonable operations of the company. In order to promote independence and enable internal auditors to render unbiased judgements, it reports functionally to the audit committee of the board and administratively to the chief executive.


Internal audit operates with the full, direct authority and guidance of the audit committee. It is entitled to audit all systems, activities, projects, subsidiaries and business units of the company. It has unrestricted access to all records, reports, personnel and premises for audit purposes. In essence, internal audit is an arm of the audit committee.


The following, while not exhaustive, spells out what the audit committee should expect from internal audit:

To perform in accordance with the standards applicable to the professional practice of internal auditing

To examine and evaluate the adequacy and effectiveness of the company’s systems of internal control which should include:

— Reviewing the reliability and integrity of financial and operating information and the means used to compile and report on such information

— Evaluating the company’s systems to ensure compliance with company policies and procedures as well as laws and regulations

— Reviewing the means of safeguarding assets and verifying their existence

— Auditing significant business processes to determine if they are operating efficiently and effectively. Identifying key performance indicators within the process and measuring results against those key performance indicators

— Undertaking special investigations and reviews of the related areas of fraud control, risk management and security as well as any other area focused on by the audit committee

— Participation in information technology systems design to determine whether adequate controls are incorporated into the system

Specifically, what the chief internal auditor is not expected to do is exercise any executive or managerial authority except within the department itself or get involved with the day-to-day operations of the company.

©2004-2005 Trinidad Publishing Company Limited
