Recommended practices: internal audit
• The governing body should assume responsibility for internal audit by setting the direction for internal audit arrangements needed to provide objective and relevant assurance that contributes to the effectiveness of governance, risk management and control processes. The governing body should delegate oversight of internal audit to the audit committee, if in place
• The governing body should approve an internal audit charter that defines the role and associated responsibilities and authority of internal audit, including addressing its role within combined assurance and the internal audit standards to be adopted
• The governing body should ensure that the arrangements for internal audit provide for the necessary skills and resources to address the complexity and volume of risk faced by the organisation, and that internal audit is supplemented as required by specialist services such as those provided by forensic fraud examiners and auditors, safety and process assessors, and statutory actuaries
• The governing body should monitor on an on-going basis that internal audit
e. follows an approved risk-based internal audit plan
f. reviews the organisational risk profile regularly, and proposes adaptations to the internal audit plan accordingly
• The governing body should ensure that internal audit provides an overall statement annually as to the effectiveness of the organisation’s governance, risk management and control processes
• The governing body should ensure that an external, independent quality review of the internal audit function is conducted at least once every five years
• The governing body should obtain confirmation annually from the CAE that internal audit conforms to a recognised industry code of ethics
Risk-based approach
- King IV requires internal audit to be risk-based, i.e. to focus its attention on the areas of highest risk so as to provide assurance that those risks are being contained or eliminated
- Thus the internal audit plan should be prepared only after the company has analysed and ranked the risks that may prevent the realisation of the company’s strategic goals
- A written assessment to the audit committee and the board on the effectiveness of the company’s governance, risk management and control processes is an important outcome of the internal audit process
- This assessment should cover internal controls over operational, compliance and sustainability issues, as well as those of a financial nature. Moreover, the assessment by internal audit will help the board in making the statement recommended in King IV Code as to the integrity of the external reports, with reference to the assurance used
- The audit committee should provide oversight of the internal audit function, and for this to be effective, the audit committee should receive regular reports on audit findings and the progress in implementation the plan
- The scope of the internal audit should include a review of the effectiveness of the risk management function of the company, and for this reason, it is desirable that the functions of risk management and internal audit be separate
Cyber security and ‘big data’
- The evolution of IT systems and the internet has introduced new risks to which internal audit has to adapt
- Customer access to websites has become an essential way of attracting business for many companies but, unless stringent computer security is in place, can provide hackers with easy access to vital data and computer systems
- Internal auditors must either acquire or outsource the skills needed to assure the adequacy of companies’ cyber security
- The escalation of data in company databases has given internal audit new scope to monitor unusual or out-of-norm activities.
- The analysis of so-called ‘big-data’ has become a vital tool for internal auditors. It can be used to improve company efficiency by cutting down on waste as well as pointing to suspicious of fraudulent transactions that need to be investigated
- Big data refers to extremely large, complex data sets that exceed the processing capabilities of traditional IT infrastructure due to their size, format diversity and speed of generation
The outsourced option: arguments in favor
- Top quality outsourcing suppliers can ensure that up to date methodologies are used, and that the staff all have appropriate skills
- The problem of ensuring that staff is available when needed is transferred to the supplier
- If a reputable service provider is used, the work done should be reliable and in the event of negligence, the supplier becomes liable
- Given the shortage of skills in South Africa, and the difficulties of recruiting good people, this is a safe option, especially for small to medium sized companies
- Employees of the service provider are less likely to build the type of relationships within the organisation that would impede objectivity and independence than when internal audit is handled in-house
The outsourced option: arguments against
- Internal audit cannot be used as a training ground for future managers
- Outsourced staff are less attuned to developments in the company than in-house people
- Outsourced internal auditors may focus on overall risk issues rather than the less glamorous detailed work with really gets under the skin of the organisation to discover real problems
- Outsourced internal audit may be more costly
The in-house option: arguments in favor
- The skills are now resident in the company and may be used for consulting purposes from time to time
- A cadre (team) of knowledgeable managers can be built up over time to take over other roles in the company
- Internal auditors are available for the company’s purposes all year long
- Shortages of key skills can be supplemented by outsourcing selected aspects of the work
- It is usually cheaper
The in-house option: arguments against
- Difficulties of recruiting people of the right calibre
- Difficulties of obtaining scarce skills (e.g. computer auditors)
- The loss of one or two staff members can cripple an internal audit department
Recommended practices: Chief Audit Executive
- If the CAE position is provided for in the arrangements for internal audit, the governing body should ensure that the position is set up to function independently from management who designs and implements the controls that are in place, and that the position carries the necessary authority
- The governing body should approve the appointment of the CAE, including the employment contract and remuneration of the CAE, and ensure that the person who fills the position has the necessary competence, gravitas and objectivity
- For reasons of independence, the CAE should have access to the chair of the audit committee
- For reasons of independence, the CAE should not be a member of executive management, but should be invited to attend executive meetings, as necessary, to be informed about strategy and policy decisions and their implementation
- Where internal audit services are co-sourced or outsourced, the governing should ensure that there is clarity on who fulfils the role of CAE
- The CAE should report to the chair of the audit committee on the performance of duties and functions that relate to internal audit. On other duties and administrative matters, the CAE should report to the member of executive management designated for this purpose as appropriate for the organisation
- The governing body should have the primary responsibility for the removal of the CAE
Reporting by internal audit
- The primary accountability and reporting by internal audit must be to the audit committee
- For other responsibilities besides internal audit, and in respect of administrative matters, reporting will be to an appropriate member of executive management
- Finally, there will be reporting on internal audit in the integrated report, usually incorporated into the section dealing with corporate governance
Section 93 of the 2008 Companies Act
The auditor of a company—
a. has the right of access at all times to the accounting records and all books and documents of the company, and is entitled to require from the directors or prescribed officers of the company any information and explanations necessary for the performance of the auditor’s duties;
b. in the case of the auditor of a holding company, has the right of access to all current and former financial statements of any subsidiary of that holding company and is entitled to require from the directors or officers of the holding company or subsidiary any information and explanations in connection with any such statements and in connection with the accounting records, books and documents of the subsidiary as necessary for the performance of the auditor’s duties; and
c. is entitled to—
i. attend any general shareholders meeting;
ii. receive all notices of and other communications relating to any general shareholders meeting; and
iii. be heard at any general shareholders meeting contemplated in this paragraph on any part of the business of the meeting that concerns the auditor’s duties or functions.
- An auditor may apply to a court for an appropriate order to enforce the rights set out in subsection (1)(a) or (b) , and a court may—
a. make any order that is just and reasonable to prevent frustration of the auditor’s duties by the company or any of its directors, prescribed officers or employees; and
b. make an order of costs personally against any director or prescribed officer whom the court has found to have willfully and knowingly frustrated, or attempted to frustrate, the performance of the auditor’s functions.
- An auditor appointed by a company may not perform any services for that company—
a. that would place the auditor in a conflict of interest as prescribed or determined by the Independent Regulatory Board for Auditors in terms of section 44(6) of the Auditing Profession Act; or
b. as may be determined by the company’s audit committee in terms of section 94(7)(d) .
Relationship of external audit with internal audit
- While the external auditors are ultimately responsible for checking that financial statements fairly present the affairs of the company, in order to do so, they must rely on risk management and internal controls in the company, and it is here that the internal auditors’ role is vital
- Although the tasks of external and internal auditors are separate and distinct, some overlap and wasted cost is possible and is to be avoided
- To achieve this and also to ensure that no gaps are left in the overall audit coverage, it is desirable that the two teams should co-ordinate their work by sharing information and planning together to achieve the best overall result
- Before seeking to rely on the work of internal auditors for additional assurance, the external auditors will evaluate the quality of the work done by internal audit to ensure that it is of an adequate standard
- After the financial year has ended, both sets of auditors will report to the audit committee on the results of their work and on the conclusions they have reached
Mandatory audit firm rotation
• This is a case where the firm in its entirety is rotated, and not just the partner on the audit
• This rule, imposed by IRBA, applies to auditors of all public-interest entities, including
a. listed companies
b. any entity defined by regulation or legislation as a public interest company, or for which an audit is required by regulation or legislation
• The rule prohibits an audit firm from acting as auditor of the company for more than 10 consecutive financial years
• Furthermore, a firm that has rotated out will not be eligible for re-appointment for at least a further five financial years
• When the auditor determines that an audit client becomes a public interest entity, the length of time the audit firm has served the audit client as the auditor before the client becomes a public interest entity shall be included in determining the timing of audit firm rotation.
• If, at the effective date (1 April 2023), the public interest entity has appointed joint auditors and both have had audit tenure of 10 years or more, then only one audit firm is required to rotate at the effective date and the remaining audit firm will be granted an additional two years before rotation is required
(External) auditors’ relationship with management
- All company directors should make it their business to understand clearly what they can and cannot expect of their auditors
- The relationship between non-executive directors and the auditors will usually be confined to those directors who sit on the audit committee
- Non-executive directors act as representatives of the board and should ensure that they become fully aware of any concerns that the auditors may have about the company, the quality and integrity of management, the adequacy of internal controls and the accuracy and integrity of financial reporting
- Contact between auditors and the executive directors and other members of management is more frequent and intense than with the audit committee
- A successful relationship between the auditor and management needs trust and candour between the parties, as well as professionalism and skill on both sides
- The ultimate test of the relationship is whether it results in an effective audit process and a fair appraisal of the company’s internal controls and financial reporting
Companies Act on external auditor independence (s 94(8))
• In considering whether, for the purposes of this Part, a registered auditor is independent of a company, the audit committee of that company must—
a. ascertain that the auditor does not receive any direct or indirect remuneration or other benefit from the company, except—
i. as auditor; or
ii. for rendering other services to the company, to the extent permitted in terms of subsection (7)(d);
b. consider whether the auditor’s independence may have been prejudiced—
i. as a result of any previous appointment as auditor; or
ii. having regard to the extent of any consultancy, advisory or other work undertaken by the auditor for the company; and
c. consider compliance with other criteria relating to independence or conflict of interest as prescribed by the Independent Regulatory Board for Auditors established by the Auditing Profession Act, in relation to the company, and if the company is a member of a group of companies, any other company within that group
Auditing Profession Act and reportable irregularities
- The IRBA, the Standard-setting Board for Ethics (SBE) and the Standard-setting Board for Auditing regulate the auditing professions and the standards by which it operates
- In addition to being subjected to disciplinary action by the IRBA, auditors who issue false audit opinions or other reports knowingly or recklessly may be subject to a fine or imprisonment of up to 10 years
- The Act has introduced a requirement for any auditor who has reason to believe that a reportable irregularity has taken place or is taking place in respect of that client to send a written report to the IRBA without delay
- Failure to take appropriate steps on detection of a reportable irregularity renders the auditor liable for possible civil and criminal penalties
- It is important, however, for the auditor to ensure that he has a sound understanding of the facts before concluding that the incident is a reportable irregularity, to avoid cases of a mistaken opinion
Going concern – the roles of directors and auditors
- Accounting standards require that financial statements should indicate whether or not they are prepared on the going concern basis, i.e. on the assumption that the company will remain in business for the foreseeable future
- It is the duty of the board to make this determination, but the auditor, in reporting on the financial statements also has to consider whether the company is in fact a going concern
- If the auditor believes otherwise, he has a responsibility to disclose that view in his report
- Management should satisfy the auditor that the company will be viable for at least the next 12 months
- In the case of a company that is not a going concern, that fact should be stated and the auditor’s duty would be to see that financial statements are drawn up on a ‘break-up’ basis with assets shown at their value on a forced sale with provision made for any additional losses that will arise when the company goes out of business
- The auditor should express an adverse opinion if management has used the going concern basis inappropriately
- If there is material uncertainty as to the entity’s ability to continue as a going concern and this is not adequately disclosed, the auditor should express a modified or adverse opinion.
- If adequately disclosed, the auditor may provide a clean audit but alert users to the material uncertainty
Audit conclusions and reporting
• An audit report is said to express reasonable assurance that the financial statements on which it is given, fairly present the financial position, results of operations and cash flows of an enterprise.
• In comparison, a review is said to provide limited assurance regarding its subject matter
• The auditor’s opinion on financial statements may be unmodified where the auditor concludes that the financial statements are prepared in all material respects in accordance with the financial reporting framework. Where this is not the case, a modified report may be issued
• There is a relatively new requirement to communicate Key Audit Matters in the auditor’s report. These KAMs summarise the main issues considered by the auditor in arriving at his conclusion on the financial statements
• The structure of the audit report changed in that:
a. the opinion section is presented first
b. there is enhanced reporting on the issue of going concern
c. there should be a clear statement as to the auditor’s independence
d. fuller details are given as to the auditor’s responsibility
• The auditor’s report now also refers to ‘other information’ that appears in an annual report, and should state what the ‘other information’ is, that it is the responsibility of the directors, and that an opinion is not expressed on it
• The auditor’s responsibility should be spelt out and, all being well, followed by a statement that the auditor has nothing to report
Independent review
- Certain forms of report do not justify the time and cost of a full scope audit, and in such cases a review may be appropriate
- An example of such a report is the company’s interim report to its shareholders, which has to be presented in respect of the first half of the financial year
- Such a review provides limited assurance to the users of the report that it has been prepared on a basis comparable with the previous year’s annual financial statements
- The difference between an audit opinion and a review opinion is that the audit opinion is expressed in positive terms (e.g. that the auditor is of the opinion that the financial statements fairly present the financial position…) whereas a review opinion is expressed in negative terms (e.g. that nothing has come to the auditor’s attention that would cause him to believe that the financial report does not fairly present…)
Companies requiring audits
• Unlike the previous Companies Act, the 2008 Act requires certain classes of companies to prepare audited financial statements, and these are:
a. Public companies
b. State-owned companies
c. Other companies (such as private, personal liability and non-profit) that are required to do so by their Memorandum of Incorporation or by Regulation 28
• Regulation 28 makes the appointment of an auditor compulsory for companies that:
a. hold assets in excess of R5 million in a fiduciary capacity on behalf of unrelated persons
b. are non-profit companies incorporated directly or indirectly by an organ of state
c. have a public-interest score of more than 350, or
d. have a public-interest score of more than 100 and have their financial statements internally compiled
Independence issue:
Long association with the company by key partners and staff of the audit firm
• Close relationships between the auditor and the client may impair independence and cloud audit judgement
• The 2008 Companies Act now limits the period for which an individual auditor may be the designated auditor of a company to 5 consecutive years (s 92 (1)), but there is no requirement in the Companies Act for audit firms to rotate
• Another example of a close relationship that is likely to impair independence is the appointment as auditor of a recently resigned executive of the company or, conversely, the appointment of a former audit partner to an executive position in the company
• Section 92 of the Companies Act has the following to say on rotation of auditors:
a. The same individual may not serve as the auditor or designated auditor of a company for more than five consecutive financial years.
b. If an individual has served as the auditor or designated auditor of a company for two or more consecutive financial years and then ceases to be the auditor or designated auditor, the individual may not be appointed again as the auditor or designated auditor of that company until after the expiry of at least two further financial years.
c. If a company has appointed two or more persons as joint auditors, the company must manage the rotation required by this section in such a manner that all of the joint auditors do not relinquish office in the same year
Independence issue:
The use of non-audit services of auditors
• It is generally felt that inherent conflicts arise when the auditor of a company carries out significant consulting work for a client, especially on the design and implementation of information systems that are then audited by the firm that responsible for their installation
• Put differently, the external auditors should not be responsible for auditing their own homework
• The 2008 Companies Act adopted measures designed to avoid such situations by requiring that the audit committee should be responsible for determining the nature and extent of any non-audit services that the auditor may or may not provide, as well as pre-approve any proposed agreement with the auditor for the provisions of non-audit services (s 94 (7) (d) and (e))
• In this way the audit committee can ensure that no engagements are taken on that may affect the auditors’ independence, in perception or in reality
• Assignments that would generally be inappropriate include:
a. the appointment of the external auditors as internal auditors as well
b. the valuation or other assignments to prepare information on which the company’s financial statements are based
c. engagements in which the auditor acts on behalf of the company or in some way becomes identified with management
d. consulting engagements for the design or implementation of information systems which will form part of the financial records subject to audit
e. acting on behalf of the company in a dispute or as its legal representative
• The Code of Ethics gives the following examples of non-audit services that need to be carefully considered in case they lead to a loss of independence by the auditors of a company:
i. Assumption of management responsibilities
ii. Preparing accounting records and financial statements
iii. Valuation services
iv. Taxation services
v. Internal audit services
vi. IT systems services
vii. Litigation support services
viii. Legal services
ix. Recruiting services
x. Corporate finance services
