What is the difference between Internal Audit Function and Internal Control

System?

What is the difference between internal audit and internal control? I am mixed
between these two and not understanding what is what? What it has to do with
auditor and what is the role of external auditor in all this? Can you arrange this
in simple words so that it is easily understandable

Lets refresh some important areas before we get to the answer to this question so
that no room is left for confusions. I will be having a quick go through each topic
that is relevant.

Users require financial statements to fulfill their information needs and in order to
reach good decisions they must have accurate information in their hands.
Information can be inaccurate to extent that it is useless if it has material
misstatements and it is the responsibility of the management to provide accurate
financial statements. Material misstatements might creep into financial statements
because of inherent risks.

To mitigate such inherent risks management implements internal control system.

Through this internal control system it is ensured that organization is meeting its
objectives of providing reliable financial statements. Though this is not the only
objective of having an internal control system. Internal control system also helps
management in following:

implementation and enforcement of policies designed by management

safeguarding of assets and resources of the business

 supporting management in efficient and effective operations of the business

Many students confuse internal control system with accounting system but this is
not correct. Accounting system is mostly a part of information system which in
itself is a part of internal control system.

But for auditing purposes, external auditor is not interested in each and every
aspect of the internal control system. Therefore, we will be restricting our
discussion only to the aspect that internal control systems major job is to provide
timely, relevant and reliable set of financial statements.

Internal audit is a function (an activity if function is too formal to understand)

through which adequacy of internal control system is judged. This function or
activity is performed by internal auditors who work FOR organization as an
employee.

So, putting it together, organization uses internal control system to reduce risks of
material misstatements in financial statements and to keep the internal control
system at its best, it is monitored through internal audit function by internal
auditors.

In all this external auditor has nothing to do with any of these and he DOES NOT
work for organization rather he is there just to express an opinion whether financial
statements are true and fair or else. However, to reach his opinion he assess the
existence of risks by checking internal control system in order to determine
whether audit risk is high or not. Because if internal control system in the opinion
of auditor is not as good as it should have been under the given situation than his
perception will be that there will be material misstatements in the financial
statements and thus increased audit risk.
So, again putting it together to make a complete sense of all these three separate
factors i.e. internal control system, internal audit and external auditor; we
understood that management uses internal control system to reduce risks of
material misstatements. And as management is depending on internal control
system to catch misstatements internal control system should be working at its best
and to ensure the same they have internal audit function which is performed by
internal auditor who monitors internal control systems workings. External auditor
checks the internal control system only to make up his mind regarding audit risk
and nothing else.

INTERNAL AUDITS

WHAT ARE INTERNAL CONTROLS?

A system of internal control consists of policies and procedures designed to

provide management with reasonable assurance that the organization achieves its
objectives and goals. These policies and procedures are often called controls, and
collectively they comprise an organizations internal control. Traditionally referred
to as hard controls, these include segregation of duties, limiting access to cash,
management review and approval, and reconciliations. Other types of internal
controls include soft controls such as management tone at the top,
performance evaluations, training programs, and maintaining established policies,
procedures, and standards of conduct.
The auditing profession has widely accepted the Committee of Sponsoring
Organizations of the Treadway Commissions report titled The Internal Control
Integrated Framework (COSO Report) as a general definition of internal control.
The COSO Report defines internal control as a process, affected by an entitys
board of directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the following
three categories:

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable laws and regulations

Internal control consists of five interrelated components:

1. Control Environment. The organizations tone; the foundation for all other
components of internal control.

2. Risk Assessment. Management establishes activity-level objectives and

mechanisms for identifying and analyzing risk related to their achievement.

3. Control Activities. Policies and procedures that ensure managements

directives are carried out and help ensure that necessary actions are taken to
minimize risks to achievement of the entitys objectives.

4. Information and Communication. Information must be identified,

captured, and communicated in a form and time frame that enable people to
carry out their responsibilities.
 5. Monitoring. Assessing the quality of the systems performance over time.
This is accomplished through ongoing monitoring activities, separate
evaluations or a combination of the two.

Effective internal control helps an organization achieve its operations,

financial reporting, and compliance objectives.
Effective internal control is a built-in part of the management process (i.e., plan,
organize, direct, and control). Internal control keeps an organization on course
toward its objectives and the achievement of its mission, and minimizes surprises
along the way. Internal control promotes effectiveness and efficiency of
operations, reduces the risk of asset loss, and helps to ensure the reliability of
financial reporting and compliance with laws and regulations.

Roles and Responsibilities of Internal Control

State entity heads are accountable for activities carried our in their agencies. This
means that management is responsible for identifying the risks that could prevent
them from achieving their objectives, and making sure that appropriate internal
controls (policies and procedures) are in place to mitigate those risks.
Management is also responsible for ongoing monitoring of internal controls to
make sure that controls are still working and whether risks have changed requiring
new controls.

Remember:

1. Internal control is a process.

Its a means to an end, not an end in itself.
2. Internal control is affected by people at every level of the Department.
While state agency heads are accountable for activities carried out in their
organizations, internal control is, to some degree, everyone's responsibility.

3. Internal control can provide only reasonable assurance -- not absolute

assurance -- regarding the achievement of the Departments objectives.
Effective internal control helps an organization achieve its objectives; it does
not ensure success. There are several reasons why internal control cannot
provide absolute assurance that objectives will be achieved: cost/benefit
realities, collusion among employees, and external events beyond a
departments control.