2. LAYOUT
• Introduction to Audit function in Micro Finance Institutions (MFIs)
• Definition & description of Internal audit
• Purpose and scope of internal audit
• Need for internal audit
• Differences between internal and external audit
• Functions of Internal audit
3. Introduction
• IA is a key tool for ensuring effective internal control in an MFI
• An independent check on the performance of the MFI.
• MFI’s management and board of directors and the system that they put in
place must ensure effective risk management and internal audits.
• Control environment is fundamental for implementing an effective internal
audit department.
4. Introduction
• IA may belong to an internal audit department or the service is outsourced
• IA must be independent by;
having completely separate staff team and
Dual reporting directly either to the Board of Directors (functionally) or to
the organization’s head (Administratively).
Independence and objectivity key to Internal Audit (IA).
5. Introduction
• IA’s focus is not only to catch frauds or malpractices but also;
Adds value and efficiency within the organization by mitigating the
possibilities of malpractices.
Should be very well versed with the organization policies and procedures.
Supports management's efforts to establish a culture which embraces ethics,
honesty, and integrity
6. Introduction
• Participate in fraud investigations.
• IA assesses the effectiveness of the measures that management has
implemented to ensure effective design of internal controls to prevent,
detect, and mitigate fraud or error…
• IA performs a variety of consulting, assurance, collaborative, advisory,
oversight, and investigative roles in an organization
7. Definition & Purpose of Internal Audit
• IA is an independent, objective assurance and consulting activity designed
to add value and improve an organization’s operations.
• Helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve;
the effectiveness of risk management,
control, and
governance processes.
8. Objectives of the Internal Audit function
Detect any fraud or misappropriation
Detect any malpractice, collusion or action on part of employees
Check if operational policies/processes are being adhered to at all levels and
to detect deviations
Check unethical staff behavior and to get a sense of organizational image as
perceived by clients
9. Objectives of the Internal Audit function
Check the accuracy of reports, MIS and Accounting
Provide feedback on operational risks such as
staff dissatisfaction,
competition, inappropriate policies or
areas of potential conflict
11. Role of internal audit
• IA is established by the Board of Directors, Audit Committee, or highest
level of governing body.
• The IA responsibilities are defined by the Board as part of their oversight
role.
12. Scope of internal Audits
Financial reports and records: receipts, vouchers, cashbooks, ledgers…
Loan documents: Loan applications, promissory notes…
Client visits: check meeting discipline – timing, conduct, discipline; check
passbooks; interact with clients; can also check loan utilization.
Other observation: staff discipline, file arrangements and cataloguing
13. Scope of internal Audits
Overall, IA checks for any kind of policy deviation and identifies any situation
which can be a risk for the organisation
14. Internal Auditors Professionalism
• Internal audit must adhere to the Institute of Internal Auditors (IIA)
mandatory guidance including;
the Definition of Internal Auditing,
the Code of Ethics, and
the International Standards for the Professional Practice of Internal
Auditing (Standards).
15. Internal Auditors Professionalism…
• The mandatory guidance constitutes principles of the fundamental
requirements for the professional practice of internal auditing and for
evaluating the effectiveness of the internal audit activity’s performance.
• The IIA Practice Advisories, Practice Guides, and Position Papers will also
be adhered to as applicable to guide operations.
• Adhere to the organization's relevant policies and procedures, and the IA manual.
16. Internal audit authority
To ensure confidentiality and safeguard the MFIs records and information,
IA is authorized full, free, and unrestricted access to;
any and all of organization records,
physical properties, and
personnel pertinent to carrying out any engagement.
Employees must ASSIST IA in fulfilling its roles and responsibilities.
Also free and unrestricted access to the Board.
17. Organization of internal audit
• The Chief Internal Auditor (CIA) reports functionally to the Board and
administratively (i.e. day to day operations) to the Chief Executive Officer.
• The Board will;
Approve the internal audit charter.
Approve the risk based internal audit plan.
Approve the internal audit budget and resource plan.
Receive communications from the CIA on the internal audit activity’s
performance relative to its plan and other matters.
18. Organization of internal audit …
Approve decisions regarding the appointment and removal of the CIA
Approve the remuneration of the CIA.
Make appropriate inquiries of management and the CIA to determine
whether there is inappropriate scope or resource limitations.
The CIA communicates and interacts directly with the Board, including in
executive sessions and between Board meetings as appropriate.
19. Internal Audit process
• Guided by an INTERNAL AUDIT POLICY that the organization has.
• It clearly lays down the;
frequency of audit,
objectives of audit,
scope of audit,
audit process,
formats to be used and format and frequency of reports.
20. Internal audit plan
• Internal Audit Manager is supposed to prepare a quarterly, six monthly or
annual audit plan.
• It discloses how IA will go about carrying out the audit exercise.
• It tells which branch will be audited when, resource allocation, number of
days of audit and tentative date of submission of report.
• It’s a confidential document and shared only with the Board of Directors
or the Head of the organization for review and approval.
21. Internal audit plan
• Consists of a work schedule as well as budget and resource requirements
for the next fiscal/calendar year.
• The CIA communicates the impact of resource limitations and significant
interim changes to senior management and the Board.
• Developed based on a prioritization of the audit universe using a risk-based
methodology, including input of senior management and the Board.
22. Internal audit plan
• The CIA reviews and adjusts the plan, as necessary, in response to changes
in the organization’s business, risks, operations, programs, systems, and
controls.
• Any significant deviation from the approved internal audit plan will be
communicated to senior management and the Board through periodic
activity reports.
23. Sampling
• As it MAY not be possible to check all transactions or meet all clients, the
internal audit has to depend on sampling by selecting out;
Transactions,
Records,
Reports to be checked and
clients to be visited.
24. Considerations for sample selection
Sample should be representative of entire portfolio
Should be able to cover all products, different geographic locations and all
field staff
Should put more emphasis on the vulnerable areas like cash handling,
groups having repayment problems
25. Considerations for sample selection…
• Different samples can be obtained for different aspects like
80% of all the passbooks will be checked,
75% entries in the cash book will be checked
20% of the borrowers will be visited, etc.
26. Auditing
• MFIs prepare auditing formats and have standardized auditing process.
• IA generally follow these formats for various kinds of checks and cross-
checks.
• IA have to take care that they do not mechanically fill the forms.
27. Auditing
• IA must be proactive, inquisitive, observant and smart to identify any
anomaly, contradiction or conflicts in reports, data or even statements made
by staff.
• Auditing is basically an exercise to find out policy deviations
• Audit process can only be effective if the MFI has detailed operational
policies and procedures in place.
28. Reporting, follow up and monitoring
• The Chief Internal Auditor (CIA) will periodically report to senior
management and the Board. Report on;
IA’s purpose, authority, and responsibility, performance relative to its plan.
Significant risk exposures and control issues, fraud risks, governance issues,
and other matters requested by senior management and the Board.
• Report prepared following the conclusion of each IA engagement
29. Reporting, follow up and monitoring…
• IA report may include management’s response and corrective action taken
• Management's response should include a timetable for anticipated
completion of action to be taken and an explanation for any corrective
action that will not be implemented.
• The IA is responsible for appropriate follow-up on engagement findings and
recommendations.
• All significant findings will remain in an open issues file until cleared.
30. Reporting, follow up and monitoring…
• Internal Audit Report is the most important outcome of the audit process.
• Ensure that the audit report is completely objective
• Reports all observations and findings.
• Should not be judgmental of findings or take decisions
• Management to take decision on those findings.
31. Features of a good audit report
• The report should contain an executive summary, highlighting key observations
and recommendations
• Sample used in the audit should be mentioned
• Detailed observations should be reported as the main text.
• Statements or clarifications given by the staff concerned should also be put.
• Annexure can have details of cause observed and the deviations found.
32. Reporting, follow up and monitoring…
• The report must be discussed in the board meeting as well as in the Audit
Committee meetings.
• Management should ensure that the findings are followed up properly and
required actions are initiated.
• Audit reports are also shared with the Branch so that they can know of their
shortcomings and improve them.
33. Reporting, follow up and monitoring…
• The auditors in the next audit must verify if the shortcomings reported in
last report have been addressed or not.
• If not, then it should be mentioned in report that no action has been taken
despite mention in audit report last time.
• Internal audit plays very important role in managing risk of an MFI and
acting as a way for providing direct feedback to the top management.
• An effective and well-designed internal audit can considerably control
MFIs risks and is therefore an indispensable function.
34. Internal audit organisational status
• IA is conducted in an environment of close and sometimes dependent
associations with management;
• IA’s independence, objectivity, management support and adequacy of talent
and capable staff highly doubtable
• Why give IA appropriate status;
independence and objectivity.
Providing credible assurance
Scope of engagements to be undertaken,
Conflicts of interest
35. Internal audit Independence and objectivity
• Remain free from interference
• In audit selection, scope, procedures, frequency, timing, or report content
• Not implement internal controls,
• Not develop procedures, install systems, prepare records, or engage in any
other activity that may impair internal auditor’s judgment.
36. Internal audit Independence and objectivity…
• Exhibit the highest level of professional objectivity in gathering, evaluating,
and communicating information about the activity or process being examined.
• Make a balanced assessment of all the relevant circumstances.
• Not be unduly influenced by their own interests or by others in forming
judgments.
• Confirm to the board, at least annually, the organizational independence
of the internal audit activity.
37. How internal audit can be independent
• Functionally report directly to the audit committee
• Administratively report to executive management
• Access to records as necessary
• Employ appropriate probing techniques without impediment.
• Independent budget approved by audit committee
38. How internal audit can be objective
• Only does its assigned duties and responsibilities in this organization
• Maintains an un-biased mind-set in regard to all audit engagements
• IA work is reviewed before it is released for use
• IA staff assignments are rotated periodically whenever it is practicable.
39. How management can effectively support
internal audit
• Management perceives IA as a value adding activity
• Management usually consults internal audit on fraud management
• IA recommendations are implemented by management
• IA receive adequate feedback from management on audit findings
• Management provides IA with adequate resources
40. Internal audit competence
• Competence means having the intelligence, education, and training to be
able to add value to the organisation through performance.
• Long and intensive preparation, including instruction in the underlying
skills and methods as well as scholarly principles, and the commitment to
continued study.
• Knowledge and skill of IA has enormous impact on the effectiveness of the
audit.
• Advanced information communication (IT)-audit techniques in conducting
internal audits, thereby increasing IT audit skills.
41. How IA may attain adequate competences
Adequate continuing professional development
IA carried out in accordance with international standards for professional
performance of internal audit
Full knowledge of the transaction systems of the entity
Findings are always based on documents and reliable data.
Internal auditors are normally appraised basing on set targets
42. How IA may attain adequate competences
Share professional ideas with accounting and auditing bodies
Secure outcomes through interpersonal interactions
Comply with the approved audit plans
Clear and well presented reports
Trainings to acquire the necessary skills to perform duties
Always mentored on performance standards
43. How IA may attain adequate competences
Have the strength to say no to instances that lead to fraud
Have the ability to analyze complex information to discover fraud
Often develop working schedules for our internal auditors
Rewarded by management basing on performance
Have ever discovered fraud
44. Internal audit activities
• IA role has shifted from the traditional oversight function to adding value to
the organization through providing a wider spectrum of assurance and
consulting activities pertaining to monitoring, evaluating, and improving
risk management, control, and governance process.
• IA is established by the Board of Directors, Audit Committee, or highest
level of governing body.
• IA’s duties and responsibilities are defined by the Board as part of their
oversight role to enhance its efficiency and they include;
45. Internal audit responsibility
• Evaluating risk exposure
• Evaluating the reliability and integrity of information
• Evaluating the systems established to ensure compliance
• Evaluating the means of safeguarding assets
• Evaluating the effectiveness and efficiency of resource employment
46. Internal audit responsibility…
• Evaluating operations or programs
• Monitoring and evaluating governance processes.
• Monitoring and evaluating the effectiveness of risk management processes.
• Evaluating the quality of performance of external auditors
47. Internal audit responsibility…
• Performing consulting and advisory services related to governance, risk
management and control as appropriate for the organization.
• Reporting periodically on the internal audit activity’s purpose, authority,
responsibility, and performance relative to its plan.
• Reporting significant risk exposures and control issues, fraud risks,
governance issues, and other matters needed or requested by the Board.
• Evaluating specific operations at the request of the Board or management.
48. Evaluating the effectiveness of
organisational governance
Internal audit;
• Monitors and evaluates governance processes
• Promotes appropriate ethics within the entity
• Is an independent review of the efficient operation of the entity
• Independently evaluates the effectiveness of management
• Evaluates the systems established to ensure compliance with policies
49. Evaluating the adequacy and
effectiveness of risk management.
Internal audit;
• Develops risk management strategy for board approval
• Facilitates the identification of risks
• Analyses the likelihood and consequences of each identified risk
• Participates in the preparation of the risk treatment plans
• Aids the implementation of the risk management plans
• Carries out consolidated reporting of risks to the board
50. Internal control reviews
Internal audit;
• Promotes segregation of duties
• Ensures transactions are supported by adequate documentation
• Checks the authorisation of all expenditures
• Safeguards the organisation's assets from misuse
• Encourages maintenance of accounting records with reasonable detail
• Generates periodic reports regarding the effectiveness of internal controls
51. Quality assurance and improvement program
• IA must maintain a quality assurance and improvement program that covers
all its aspects.
• The program will include evaluation of;
• IA conformance with the Definition of Internal Auditing and the Standards
• Whether internal auditors apply the Code of Ethics.
• Efficiency and effectiveness of IA and its opportunities for improvement.
52. Cont.…
• CIA will communicate to senior management and the Board on IA’s quality
assurance and improvement program, including results of ongoing internal
assessments and external assessments conducted.
53. Assessing the need for internal audit
Pressure from external stakeholders to have internal audit.
Cost
Size and complexity of the entity
Role of IA
Existing managers or employees who could perform IA tasks
Risk of fraud
54. Differences between internal and external audit
| Basis | External audit | Internal audit |
|---|---|---|
| Objective | Express an opinion on the truth and fairness of the financial statements. | Improve the entity’s operations |
| Reporting | Report to shareholders. Reports in financial reports and publicized | Report to management or the Board. Reports are private and confidential, normally to the board & audit committee. |
55. Differences between internal and external audit
| Basis | External audit | Internal audit |
|---|---|---|
| Scope of work | External auditors (EA) verify the truth and fairness of the financial statements, internal control testing | IA has wide scope of work. Determined by the requirements of management or the board. E.g. internal control reviews, & other areas of operations |
| Relationship with the entity | Appointed by shareholders which enhances independence from management. | Appointed by the Board or management. |
56. Differences between internal and external audit
| Basis | External audit | Internal audit |
|---|---|---|
| Regulation | External audit is regulated by law like the Companies Act. External auditors are members of professional accountancy bodies (like the ICPAU in Uganda) and are licensed annually. | Internal audit is not normally required by law except in listed companies, financial institutions and public sector bodies. An internal auditor belongs to professional bodies like the Institute of Internal Auditors. |
57. Functions of internal audit
• Assessment of the entity’s governance regarding
• Risk management
• operational audit
• Financial audit
• Value for money (VFM) audit of operating activities of an entity.
• Compliance audit – review compliance with laws and regulations e.g.
employment and environment laws.
58. Functions of internal audit
• Information technology audit – e.g. review the system development
process, system change management, access controls and data security
controls.
• Fraud investigations – investigate suspected fraud or test controls to
prevent or detect fraud.
• Customer service reviews – e.g. may review the level of customer
satisfaction,
59. Assessing internal audit by the
external auditor
The external auditor in assessing whether to rely on the work of internal
auditors considers the following factors:
• Objectivity – whether internal audit reports to directors directly.
• Technical competence – whether internal auditors are members of
professional bodies and have relevant qualifications and experience.
• Due professional care – whether activities of the internal audit function are
properly planned, supervised, reviewed and documented e.g. have detailed
audit manuals and internal audit documentation.
• Communication – Internal and external auditors are free to communicate
openly throughout the accounting period. The external auditor has access to
relevant internal audit reports.
60. Evaluating Internal audit
• Examination of items already examined by the internal auditors.
• Examination of other similar items.
• Observation of procedures performed by the internal auditors.
61. Examples of work of internal audit that
can be used by the external auditor
• Internal control documentation.
• Walk-through tests
• Risk assessment when planning the audit
• Testing of the operating effectiveness of controls.
• Substantive procedures involving limited judgment.
• Fraud investigations.
• Observation of cash counts
• Testing of compliance with regulatory requirements.
62. Personal characteristics and skills of
internal audit team members
Internal audit staff should have training and/or have completed a progression
within a recognized accounting or auditing program. They should;
Have a history free of fraud, misrepresentation, abuse of office, or other
illegal activity;
demonstration of ethics and integrity
organized and attentive to details;
good judgment—knowing what is important and using discretion wisely;
63. Personal characteristics and skills of
internal audit team members
excellent written and verbal communication skills;
trustworthy and respected
a pleasant personality and temperament, making them easy to work with;
objective and principled thinkers who are also creative and independent
commitment to ongoing training and personal professional development
64. Orientation and training of New audit
staff members on;
the MFI’s functions, structures, environment, etc.;
relevant legislation;
policies on anti-money laundering and countering the financing of terrorism
MFI procedural manuals, including the internal audit manual;
the mission, standards, and methodology of the internal audit department;
the MFI’s risk assessment methodology; and
Filing and IT systems of the MFI, including those of the internal audit department.
65. The annual performance review & report
of internal audit
implementation of the annual department activity plan,
any cases in which an audit scope was limited,
summary of the principal findings and recommendations of the audits undertaken
in that year,
review of the status of implementation of audit recommendations, corrective
actions, and deficiency elimination;
recommendations that remain unimplemented which the audit department
considers important, together with the associated risks of non-implementation;
66. The annual performance review &
report of internal audit
the sufficiency of human and material resources to carry out the audits that
were planned;
training of internal audit department staff during the year and training
planned for the subsequent year, including not only audit training, but
training in the IT systems and operations of the MFI; and
any other important information relevant to the work of the department.
67. AUTHOR
Frank Kabuye,
MSc Acc & Fin, BBA-Accounting (Hons) –MAK
- Lecturer - Makerere University Business School
- Auditor
frankkabuye72@yahoo.com