An Introduction to Internal Auditing

Those who use or pay for public services, either through taxation or charges, have a reasonable expectation that those public bodies make the best use of the resources at their disposal. Therefore, there is a public responsibility on such bodies to put the necessary mechanisms in place to ensure accountability. One such mechanism or tool is internal audit.

A definition of internal audit is: "An independent objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by providing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes"

Although the process of internal audit would differ from public body to public body, basically there are three types of internal audit processes:

Regularity or compliance audit: This type of audit is responsible for the evaluation of the adequacy and effectiveness of controls which are necessary to ensure • Reliability and integrity of financial and operational information, • Effectiveness and efficiency of operations, • Safeguarding of assets, • Compliance with laws, regulations and contracts. In essence it is to test compliance and effectiveness of controls.

Performance audit: Performance audit entails examinations of the economy, efficiency and effectiveness in the use of public resources, including the evaluation of service quality and the measurement of performance. Economy means minimizing the cost of resources acquired or used, bearing in mind the quality. Efficiency covers the relationship between the output of goods or services and the resources used to produce them. Effectiveness covers the relationship between the intended and actual results of projects and programmes. In essence it is to test for economic, effective and efficient procurement and utilization of assets.

Information and communication technology audit: All abuse and fraud of information systems, including those that are computerized is a business and management issue as much as a technical issue. Any abuse and fraud results from some kind of breakdown in control, and computer abuse and fraud should not hide behind technology. It is the realization that computer abuse and fraud result from not just a breakdown of controls in IT systems, but also the controls associated with, and surrounding those information technology systems. Control failure is either unplanned or deliberate. In the case of unplanned breakdown of control, the control framework and the specific controls implemented were not robust enough for the operation. Deliberate breakdown of control is where there has been a concerted effort to override or negate a control framework, which for other circumstances would be adequate. However, it is right to point out, as already noted, that it is not sufficient to have only controls of the technical infrastructure.

There must be business and management controls as well. In carrying out the duties and responsibilities and in order to validate controls, the staff of the Internal Audit department shall be entitled to full and unrestricted access to all the public body's activities, records, property, personnel and information which they consider to be necessary to properly fulfill their function. The existence of Internal Audit does not diminish the financial and operational responsibilities of a public body's management for the proper execution and control of their activities, including responsibilities for the periodic conduct of systems appraisal. Internal Auditors will not assume operating responsibilities, that is, it will not be involved in the performance of day-to-day activities of a public body.