What is the difference between the auditor and management responsibility for internal control?

In any business, control is of paramount importance as no entity can succeed with poor or no control measures. But when it comes to exercising control or managing risks, people often confuse themselves between two terms: internal control and internal audit. These are the two most commonly-used frameworks for monitoring and controlling the performance of all business functions. In this blog, let’s find out what these mean and how do they differ.

What do they mean?

Internal auditing is an independent and autonomous assurance activity that intends to add value to and enhance an organization’s operations. An internal audit system helps a company achieve its objectives. It brings a systematic, disciplined approach to evaluating and maximizing the efficacy of risk management, control, and governance systems. Generally, a team of experts perform internal audit. Therefore, it is an autonomous activity distinct from a company’s routine operations.

Internal control, on the other hand, is the control mechanism that is developed and adopted by a company’s management. It assists in carrying out business in an orderly and efficient manner. It aims to ensure compliance with management policies, to safeguard the assets, and to ensure the completeness of records.

Simply put, a company’s management designs internal controls as a set of procedures, measures, and policies to help achieve efficiency in operations. Internal controls seek to maintain good standards of performance. Some people also consider it to be a part of a company’s day-to-day management and administration.

Components of internal control

Normally, the following are the components of an internal control system:

• The control environment comprising the governance functions, attitudes, and actions of those charged with governance, and control consciousness of people setting out the tone of the organization
• The entity’s risk assessment process
• The information system, including the related business processes, relevant to financial reporting and communication
• Control activities such as segregation of duties, authorization, physical controls, performance reviews, and information processing.
• Monitoring of controls on an on-going basis

Does internal audit play a role in internal control?

An internal auditor must contribute towards the on-going efficacy of a company’s internal control system through evaluation and recommendations. But, it is not his primary responsibility to plan, execute, maintain, and document internal control. The sole responsibility for internal controls is entrusted with the management. An internal auditor can only add value to the internal control system of an organization by bringing a structured, disciplined approach to risk assessment and making recommendations to improve the effectiveness of risk management processes.

The role of an internal auditor in the internal control mechanism encompasses the following:

• Evaluating the efficiency and effectiveness of internal controls
• Recommending new controls wherever required or discontinuing unnecessary controls
• Using control frameworks
• Developing self-assessment on controls
• Promoting better corporate governance

Approach

The main aim of an internal control system is to prevent the occurrence of fraud. Whereas, internal audit is largely a backward-looking operation.

Necessity

For each and every organization, an internal control system is necessary. But, the internal audit system is to be enforced as per an organization’s suitability and applicability.

Scope of work

The internal control system is a broader concept and it incorporates an internal audit system as well. Comparatively, the internal audit system is a narrower concept.

There is no universal model for a system of internal control. It is up to every organization to create an internal control structure that properly tailors to its situation. Internal control must neither be confined to a set of procedures nor financial controls. Operational controls including quality control, work standards, work policies, budgetary control, periodic reporting, policy appraisal, quantitative controls, etc. are all parts of an internal control system.

When it comes to internal auditing, it can be said that it is concerned with an evaluation of both internal control structure as well as the quality of actual performance. Internal audit system offers an assurance that internal controls in place are adequate to mitigate the risks. It also assures that governance processes are effective and efficient, and that organizational goals and objectives are met. In addition, internal auditors also check the reliability and integrity of financial and operating data and the means used to identify, measure, classify, and report such data.

Performed by whom?

A team of experts, appointed by a company, usually carries out an internal audit. Internal auditors must have a thorough understanding of the culture, systems, and processes of the business. On the other hand, the internal control system is put in place and designed by a company’s management, supervisory personnel, and other board of directors.

Main functions

The functions of internal control include the following:

• Assure that an appropriate authorization of designated personnel is a pre-requisite for recording of all transactions
• Ensure that all transactions are promptly and accurately recorded in the books of account, i.e., with the correct amount, in the correct account, and the correct period
• Make sure that assets are safeguarded from any unauthorized access or use
• Oversee that recorded assets are compared at regular intervals with the existing assets so that appropriate action can be taken for differences, if any

The function of internal audits is to assess whether:

• the organization has a fair understanding of the risks that it faces
• the process enforced for risk identification is working well or not
• the internal controls put in place to minimize risks are effective or not

Relationship of internal control with statutory audit

Review of the internal control system is a very important task for an external auditor. A statutory auditor is responsible for evaluating the effectiveness of a company’s prevailing system of internal controls. He must acquire knowledge of the client’s accounting system, the extent of reliance that could be placed on internal controls, and should plan his audit accordingly.

As per SA 265 (Standard on Auditing) “Communicating Deficiencies in Internal Control to those Charged with Governance and Management”, it is the responsibility of the external auditor to communicate appropriately to those charged with governance and management personnel, the deficiencies in internal control that the auditor has identified while conducting an audit of company’s financial statements. The statutory auditor has to state his opinion on internal controls in his audit report addressed to shareholders.

Relationship of internal audit with statutory audit

Statutory auditors and internal auditors both work as independent entities. A statutory auditor cannot become the internal auditor of the same company. The relationship between the two is summed up as follows:

• The statutory auditor has to comment upon the effectiveness and suitability of the internal audit system laid down by the management. For this, he should evaluate the internal audit system, the strength of the internal audit staff, their qualifications, and experience.

• SA 610 (Standard on Auditing) “Using the work of Internal Auditors” deals with the statutory auditor’s responsibilities regarding the work of internal auditors.  This standard discusses in detail the aspects like determining whether and to what extent to use the work of the internal auditors, using specific work of the internal auditors, and documentation.

• A statutory auditor often refers to the report of the internal auditor and expresses his opinion based on such a report. He should evaluate the work done by the internal auditor and should decide the extent up to which he can rely upon the work of the internal auditor. This will ultimately determine the extent of checking by the external auditor. If the external auditor feels that the internal auditor has properly done his work, he can reduce the depth of his checking.

• But, it should be borne in mind that relying on the internal auditor’s work can merely reduce the burden of the statutory auditor. For the discharge of all his duties, the external auditor would remain responsible himself.

Comparison chart – Difference between internal audit and internal control

Final words

Both internal audit and internal control systems are crucial for an organization.

Internal control is a mechanism of policies and ways planned and developed by a company’s management and other personnel. Such controls provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting. Also, they encourage adherence to prescribed policies and procedures. In fact, in the absence of an effective internal control system, it is quite difficult for an organization to survive in a continuously changing environment.

Internal controls serve the following purpose:

• Protect a company’s resources against waste, fraud, and inefficiency
• Ensure accuracy and reliability in accounting and operating data
• Secure compliance with the organization’s policies
• Evaluate the level of performance in all organizational units

Similarly, the internal audit system has also become an important management tool that makes sure that the internal control system including the accounting control system in an organization is effective. The job of an internal auditor is to ensure that the company carries out its work smoothly, efficiently, and economically and that it complies with all rules, legislations, and regulations regulating the organization’s activities. This is in addition to ensuring that there also exists an effective internal control mechanism to avoid mistakes, frauds, and misappropriations.

Further, it is the duty of the internal auditor to identify and report any risk management issues and internal control deficiencies directly to the audit committee and provide recommendations for improving the organization’s performance.

You may also like to read: