As a student of the ACCA qualification, particularly the Audit and Assurance (AA) paper, it is crucial to grasp the nuances that distinguish internal from external audits.
This understanding not only aids in academic success but also prepares you for the professional challenges you will face in the field.
In this article, we examine the differences between internal and external audits, concluding that both functions are equally important to an organisation's financial integrity and corporate credibility while maintaining distinct focus areas.
The Role of Auditors: Guardians of Financial Truth
Internal and external auditors, while different in their approach and objectives, are both guardians of an organisation's financial truth.
Internal auditors are more like consultants working for the betterment of the organisation, providing assurance and advice to management.
External auditors serve as independent and objective evaluators, providing assurance to the stakeholders that the financial statements are free of material misstatement.
Internal Audits: Ensuring Organisational Integrity from Within
Imagine a company as a large, complex machine. Like any machine, it needs regular checks to ensure it works correctly. The internal audit function is like the company's in-house inspection service. It's a function within the company that regularly reviews different parts of the company's internal controls. The person who does this job is called an internal auditor.
Here's what makes internal auditing special:
- Internal Focus: Internal auditors look at the inner workings of the company. They check if the company's processes, controls, and systems are working well and are designed to keep the company healthy and efficient.
- Improvement Aim: They're not just looking for problems but also suggesting better ways to do things. They might find a way to make a process faster, safer, or less costly, for example.
- Direct Reporting: Internal auditors report their findings to the company's management and sometimes to a special board of directors committee. They're part of the company, so they're focused on helping the company improve from the inside.
- Broad Scope: Their work can cover a wide range of areas, from financial operations to compliance with laws, from data security to the company's environmental impact.
- Regular and Continuous: Internal audits are ongoing. They can happen at any time and as often as the company thinks necessary.
An Internal audit is an integral part of the internal control system and is designed to evaluate and improve the effectiveness of risk management, control, and governance processes. The scope of internal audits is determined by management and can be broad, covering compliance with policies and procedures, the safeguarding of assets, the efficiency of operations, and the reliability of financial reporting.
Internal auditors work closely with management to systematically review systems and operations. These reviews are aimed at identifying how well risks are managed, including whether the right processes are in place and whether agreed-upon procedures are being followed. They also provide recommendations for improvement, adding value to the organization's operations and governance.
Defining an Internal System of Controls
An internal system of controls consists of policies and procedures established by an entity's management and board to ensure the integrity of financial reporting, efficient operations, compliance with laws and regulations, and safeguarding assets. These controls are designed to prevent and detect errors and fraud, and they form the foundation of a trustworthy financial reporting environment.
The Auditor's Understanding of Internal Controls
For auditors, obtaining a thorough understanding of an organization's internal control system is crucial. This understanding helps the auditor to assess the risk of material misstatement in the financial statements and to design the nature, timing, and extent of further audit procedures.
The components of internal control relevant to the preparation of financial statements include:
- Control Environment: The overall attitude, awareness, and actions of directors and management regarding the internal control system and its importance in the entity.
- Risk Assessment: The entity's process for identifying and responding to business risks and the risks of material misstatement.
- Control Activities: The policies and procedures that ensure management directives are carried out.
- Information and Communication: The systems that support the identification, capture, and exchange of information in a form and timeframe that enable people to carry out their responsibilities.
- Monitoring of Controls: The process that assesses the quality of the internal control's performance over time.
Reporting Significant Deficiencies in Internal Control
When auditors identify significant deficiencies in internal control, they must communicate these in internal audit reports to those charged with governance and management.
Here is how an internal auditor should go about reporting these deficiencies in internal controls:
- Document the Deficiency: The auditor must clearly write down the weakness, why it's a concern, and how it was discovered. This documentation should be detailed enough so that someone reading it can understand the issue without being an expert.
- Assess the Impact: The auditor needs to evaluate how this deficiency could affect the company. This includes looking at what could go wrong and how likely it is to happen.
- Communicate with Management: The auditor should first report the findings to upper management. This is often done through a formal report or a meeting where the auditor can explain the issue and answer any questions.
- Escalate if Necessary: If the issue is very serious, or if management doesn't take appropriate action, the auditor may need to report the deficiency to the company's board of directors or its audit committee.
- Follow-Up: After reporting, the auditor should check back to make sure the deficiency is addressed. If it's not, they may need to report it again or take further steps.
Former Audit Senior at Mazars and experienced tutor, Davinia McGann, is the ideal tutor to break down the Audit and Assurance (AA) subject with simple language and real-world examples. Learn from her experience and expertise HERE.
External Audits: The Independent Examination of Financial Statements
On the other hand, an external financial audit is an independent assessment of external audit functions conducted by an external auditor. These auditors are not employees of the entity being audited and are tasked with expressing an opinion on whether the financial statements are free from material misstatement, whether due to fraud or error.
The primary purpose of an external audit is to assure the company's stakeholders, including shareholders, creditors, and regulators, that the financial statements present a true and fair view of the company's financial performance and position.
The standards of the relevant professional bodies and legal requirements determine the scope of an external audit. External auditors must adhere to strict standards of independence and objectivity to maintain the credibility of their audit opinion.
Objectives and Principles of External Audit Engagements
External audit engagements are governed by a set of objectives and principles that ensure the quality and effectiveness of the audit. The primary objective of an external audit is to enable the auditor to express an opinion on the financial statements. This opinion determines whether the financial statements are prepared, in all material respects, following an applicable financial reporting framework.
The principles guiding external audits include:
- Integrity and Objectivity: Auditors must maintain integrity and objectivity, avoiding conflicts of interest and biases.
- Professional Competence and Due Care: Auditors are expected to continuously update their knowledge and skillset to perform the audit with professional competence.
- Confidentiality: Auditors must respect the confidentiality of information acquired during the audit.
- Professional Behavior: Auditors should comply with relevant laws and regulations and avoid any action that discredits the profession.
The Concept of Assurance and Assurance Engagements
Assurance is a professional service aimed at improving the quality or context of information for decision-makers. In an assurance engagement, an auditor provides an independent opinion on a subject matter for which the responsible party is accountable.
Assurance engagements can be categorized into two types:
- Reasonable Assurance Engagements: These involve a high, but not absolute, level of assurance, resulting in a positive form of expression from the auditor, such as the opinion given on financial statements.
- Limited Assurance Engagements: These provide a moderate level of assurance and result in a negative form of expression, such as a conclusion that nothing has come to the auditor's attention to indicate that the financial statements are not fairly presented.
The Five Elements of an Assurance Engagement
According to ACCA guidelines, an assurance engagement includes five key elements:
- Three-Party Relationship: Involves the practitioner (auditor), the responsible party (usually management), and the intended users (such as shareholders).
- Subject Matter: The financial statements or other information being assured.
- Criteria: The benchmarks used to evaluate or measure the subject matter, such as International Financial Reporting Standards (IFRS).
- Evidence: The information that the auditor gathers during the engagement to provide a basis for the assurance provided.
- External Audit Reports: The written conclusion that communicates the auditor's findings to the intended users.
Internal and External Audit: A Closer Look at the Differences
In this article, we looked at the differences between internal and external auditing, giving you a look into the processes and focus areas of each function.
Here’s a quick summary of what we discussed:
If you liked this short article, you can access our premium online ACCA courses here, at a fraction of the cost of traditional tuition providers - including Audit and Assurance (AA). Explore the Audit and Assurance course here.