There are many a time stakeholders and researchers think that internal auditors are omnipresent (all knowing) and as a result, that they have unrealistic expectations and views that, the internal auditor wears cloth of many colours. They also think that the internal auditors are watchdogs, control experts, consultants, financial advisers, compliance experts, teachers, analyst and many more. Indeed, internal auditors can audit anything but cannot audit everything.
Recent collapse of the seven indigenous banks raised inevitable question, “where were the internal auditors”? As this has always been the case, the whereabouts of the internal audit is asked, whenever a corporate entity collapses. Even though the internal auditor’s whereabouts is sought for in the event of firm collapse I strongly believe that if internal auditors design their audit procedures in such a way to effectively identify significant error and fraud it would had help to prevent or detect error and fraud and in extreme cases collapse. How the stakeholders view the duties of the internal audit is quite different from how the internal audit does their work. This create a gap know as expectation gap.
Expectation gap related to internal audit can be explained as the difference between expectation of user and internal auditor himself on the responsibilities of the internal audit. Expectation gap also refers to the difference in understanding regarding the nature of internal audit engagement i.e. what management and users believe internal audit is and what internal audit actually is. The expectation gap in auditing is defined as “the difference between what the public and financial statement users believe auditors are responsible for and what auditors themselves believe their responsibilities are” (AICPA 1993: 3). This definition is in line with the external audit; however, internal audit and the external audit intertwine as they work side by side to protect shareholders interest. Areas that expectation gap permeates are;
- Setting of Internal Control, Risk Management and Corporate Governance
The setting of internal control, risk management and corporate governance is done by managements and the board of directors; however, it is the role of internal audit to provide independent assurance as to how effective these measures are. Internal controls on sales, purchase, cashbook, payroll system and preparing risk register to cater for the risk in the various department of the organisation are the duties of the management. Internal auditor assesses, evaluates and examines the potency and efficacy these measures are and recommend better measures if the existing ones are not strong to mitigate present or future threats. As the popular saying goes “you can force a horse to the riverbank but you cannot force the horse to drink” this is the case of the internal audit, internal audit can propose or recommend better measures, however, if management fail to implement these measures internal audit can do little.
- Ensure compliance with Laws, Policies and Regulation
As some refer to the internal auditor as “compliance expert” they do little in this regard as they follow up on their recommendations, however, it is management and audit committee to ensure maximum compliance with internal control, laws, policies and regulations of the entity. Policies and rules are developed and prepared by management to ensure that organisation achieve its objectives. Regulations are developed by regulatory bodies to govern the activities of the industry where the entity operates. What the internal audit does is to evaluate the level of compliance and make recommendations in areas where there is little or no compliance but does not ensure the compliance with the laws, policies and regulation.
- Who is responsible for correction of error and detection of fraud?
The issue of who is responsible for correction of error and detection of fraud has been discussed in myriad of platforms. Management are responsible for the activities, transactions and decisions that they make. Which includes the correction of errors and detection of fraud that some of them commit. Internal auditor expresses assurance on the internal control, governance and risk management level, however, in the course of establishing the level of assurance they identify errors and detect fraud but does not necessarily or as part of their work to identify error and detect fraud.
- Internal Audit gives only reasonable assurance
Internal audit is seen as part of management because they help management in the internal control, governance and risk management. Internal audit gives reasonable assurance i.e. they do not carry out 100 per cent audit and they use sample to generalize the efficiency and effectiveness of the management activities, transactions and controls. However, some stakeholder holds the view that internal audit does 100 per cent audit hence issues absolute assurance on the audit work.
- Jack of all trades
Internal auditors are expected to be jack of all trades that is they should be watchdogs, control experts, consultants, financial advisers, compliance experts, teachers, analyst and many more, however, in reality that is not so. The internal auditors are humans and are not “super humans”. Their work is guided by audit plan and program and they following audit procedures to arrive at certain conclusions when samples are tested. Some users assume that internal auditor knows everything (omnipresent) hence must detect and identify every errors and frauds as and when it happens, ensure compliance with the internal control, risk management and corporate governance.
- Preparation of financial and other related records
Another misconception that is being carried out is that internal audit prepares the financial statements and other related financial records. This is never the case as it is the duty of management to prepare the financial statements and other related records; however, internal auditors assess the assertions underlying the preparation of the financial statement. Another notion users have with regards to financial statements is that once the internal auditor evaluate the assertions underlying the preparations of financial statements implies that the financial statements is 100 per cent accurate. This is not the case as the internal audit does not do 100 per cent but sample the transactions.
- Why should the External auditor raise negative findings after all that the Internal Auditor does?
One of the biggest expectation gaps in the internal audit profession is the view that external auditor need not raise any finding in their audit report if the internal auditor does their work well. This is untrue, however, the internal auditors over the years have failed to tell their success stories; financial savings, errors identified, fraud detected and many internal auditor controls, risk management and corporate governance measures that they had recommended and management implemented and the mess that would be created if otherwise. External auditors are able to find findings because their audit plan and programme differs from that of the internal audit. In some cases, external auditor’s findings are unimplemented recommendations of the internal auditors.
On careful analysis of the expectation gaps lack of understanding (education) is seen to widen the gap. And this is not only on the part of stakeholders but also internal auditors sometimes. If efforts are invested in this area then expectations can be bridged to a great extent. When it comes to fraud, users require auditor to act as investigator, detective and special agent to unearth even the most sophisticated, complex and difficult fraud events.
However, users do not agree on explanation that internal auditor is not responsible to detect fraud and it is management as they feel internal auditor’s role is much more than just a confirmation of management’s assertions. Users also think that internal auditors give absolute assurance instead of reasonable and that financial statements are prepared by internal auditor. They erroneously think that internal auditor ensures compliance with rules, policies and regulations.
Daniel works with the University of Cape Coast as Internal Auditor and has been practicing as internal auditor for the past fifteen years