AA – L2 – Q12 – Internal Audits

CleanSweep
Internal auditors often assist management in performing internal review assignments covering, for example, human resources, procurement (purchasing), marketing and treasury activities. Such reviews involve:
  • the identification of risks;
  • the identification of systems of internal control and procedures implemented to manage those risks;
  • tests of controls to ensure that internal controls are operating effectively;
  • an evaluation of the overall effectiveness of the design and operations of controls in managing the risks identified.
You are the internal auditor for a private company, CleanSweep. CleanSweep provides cleaning services to shops and offices and has a reputation for high quality work. You have been asked to review the human resources, procurement and marketing functions within the company.
CleanSweep employs about 500 cleaning staff, all of whom are on the payroll, and most of whom work part time. CleanSweep does not employ sub-contractors. CleanSweep has a high turnover of staff.
The company buys its computers, office stationery and furniture, cleaning materials, equipment and work clothes for staff, from a variety of different suppliers. It processes its payroll in-house.
The company has recently decided to out-source its marketing to a large, aggressive, third party company that will advertise CleanSweep’s services by means of direct mail, sometimes by offering discounts. This company has been criticised in the past for breaching advertising regulations. There is growing price competition in CleanSweep’s market. CleanSweep is struggling to maintain its profitability and would like to expand its client base.
CleanSweep has three main functions:
  • human resources;
  • procurement; and
  • marketing.

Required
(a) For each of the three main functions at CleanSweep describe the:
(i) risks that you expect the company to face;
(ii) controls you expect to be in place to manage the risks you have identified in (i), above;
(iii) tests of control you should perform to check that the controls you have identified in (ii) above are operating effectively.
Marks will be awarded as follows:
(1) Human resources;
(2) Procurement;
(3) Marketing.
You may present your answer in tabular format, if you wish.
(b) Internal audit also perform other work on behalf of management, such as value for money (VFM) audits, best value audits, financial audits and information technology (IT) audits.
Explain what is meant by each of the above four types of audits.

CleanSweep
(a) (i)

Human resources

Risk: There is a risk that staff without proper experience or training are employed (and might cause damage to client property).
Controls: All staff should be required to fill in proper application forms and submit references with them. References should be checked for all new staff employed. To the extent permitted by law, staff should be asked to provide details of criminal convictions. All staff, particularly those without experience, should receive proper training.
Tests of control: The auditor should: Take a representative sample of staff from the payroll and inspect the relevant application forms to ensure that they have been properly completed. References should also be inspected.

Risk: Inappropriate staff, such as those with criminal convictions, perhaps, might be employed in high security environments.
Controls: Systems for allocating staff to assignments should ensure that only appropriate staff are allocated to high risk clients – by means of a staff classification system.
Tests of control: For a sample of high risk clients, ensure that only appropriately classified staff have been utilised.

Risk: Staff might misappropriate company or client property.
Controls: There should be documentary controls over the movement of cleaning materials and reviews of the usage of cleaning materials. The company should ask clients regularly about the levels of satisfaction with the service provided (and have investigation and disciplinary procedures in place where allegations of misappropriation are made).
Tests of control: Take a sample of entries in the documentation showing movements of materials and ensure that appropriate entries in systems have been made. Review the overall usage of cleaning materials and investigate any unusual variations. Review the result of client satisfaction surveys and establish if appropriate management responses have been made.

Risk: There is a risk that staff are paid for hours not worked, or that incorrect payroll deductions are made.
Controls: All normal payroll controls such as the use of timesheets, reconciliations and regular reviews of payroll costs should be in place. Personnel controls should ensure that new staff can only be entered onto the payroll system with appropriate authorisation from an independent official.
Tests of control: For a representative sample of entries in the payroll, re-perform calculations to ensure that they are made correctly, ensure that appropriate authorisation has been made and review the overall level of payroll cost, investigating variations.

Risk: A high turnover of staff increases all of the risks noted above.
Controls: Staff should receive feedback on their performance and be rewarded for good performance and long service.
Tests of control: Inspect the documentary evidence of staff reviews, review and assess the processes by which good performance and long service are rewarded, and for a sample of staff with good reviews and/or long service records, determine whether rewards have been forthcoming.

Procurement

Risk: There is a risk of fictitious or excessive payment to suppliers (i.e. fraudulent payments).
Controls: Authorisation controls should ensure that an appropriate, independent official authorises the acceptance of new suppliers onto the system and that only authorised suppliers can be used.
Tests of control: The auditor should: Review a representative sample of suppliers on the system and inspect written evidence of authorisation for them.

Risk: There is a risk of inaccurate, delayed or incorrect payments.
Controls: Authorisation checks on invoices should ensure that only goods that have been received are paid for and that agreed prices are being paid.
Tests of control: Analytically review the level of payments for, and utilisation of, goods on a periodic basis and investigate any significant variations.

Marketing

Risk: There is a risk of extensive marketing expenditure not resulting in new business.
Controls: There should be proper budgeting for advertising costs, and a regular review of such costs by comparison with new business obtained. Cost controls should ensure that discounts offered are not so great as to make contracts unprofitable, after marketing costs have been taken into account.
Tests of control: Review budgets and management accounts to ensure that advertising costs have been controlled and are resulting in an appropriate level of increased business at appropriate prices.

Note: There are several other issues that might be dealt with in the answer to this question, for example risks, controls and tests relating to health and safety procedures.

(b) Four types of internal audits
(i) VFM audits
VFM means getting good value from the money that an entity spends. It is obtained from a combination of the ‘3Es’:
  • Economy – ‘doing it cheaply’ – measured by comparing money spent with inputs acquired;
  • Efficiency – ‘doing it well’ – measured by comparing inputs used with output achieved;
  • Effectiveness – ‘doing the right thing’ – measured by comparing output achieved with objectives.
Measuring the 3Es is important for the purpose of a VFM audit. The internal auditor should measure each of the three Es in order to assess whether sufficient value for money is being achieved, or whether improvements can be made.
VFM audits focus on the organisation’s performance in a given area by looking at each of the 3Es with the objective of identifying areas where VFM might be improved. The internal auditor can then make suitable recommendations to management.

(ii) Best value audits
The fundamental concept of best value is ‘continuous improvement’. Organisations can attempt to achieve continuous improvement by focusing on the ‘4Cs’, as set out below:
  • Challenge – Ask how a service is provided and, more importantly, why it is provided. If there is no satisfactory answer to these questions, consider withdrawing the service. In other words, challenge the need to provide any service and challenge the way in which it is provided.
  • Compare – Make comparisons with other (similar) organisations. Use comparisons to look for ways of improving.
  • Consult – Discuss the services provided with the users of those services. Meet with your customers. Make sure that the services provided meet the needs of their users.
  • Compete – Use fair competition as a means of improving performance. For example, when two companies would like to provide a service, use fair competition between the two companies to obtain best value. The two companies may be asked to tender for the work, and the contract should be awarded to the company offering the best value (which may be the lower price).
The internal auditor’s role in best value auditing is to establish:

  • whether the organisation has best value procedures in place; and
  • whether those procedures are achieving their objective of promoting continuous improvement.

(iii) Financial audits
Performing financial audits is the traditional role of the internal auditor. Internal auditors may be asked by management to review accounting records and other records to substantiate figures appearing in financial statements and management accounts.
This work overlaps with the work of the external auditor. Consequently this aspect of internal audit work is now seen as a relatively minor part of the total work of an internal audit function.
However, it is important to remember that by performing financial audits, the internal auditor is able to look at the internal controls that are in place to minimise risks, to identify deficiencies and to recommend improvements in the system of internal control.

(iv) IT audits
IT audits are a specific application of one of the key roles of the internal audit function, which is to assess internal controls. In the case of IT audits, the controls involved are those that operate within the organisation’s computer systems.
IT systems are a key aspect of the modern business environment, and assessing and monitoring computer controls is often a key role for the internal auditor. Organisations may employ one or more computer specialists in their internal audit function to perform this role.