Internal audits are great at identifying problematic or even fraudulent transactions, whether in audits of payables to third parties, travel and expense audits, or other assessments. But when an internal audit uncovers improper transactions, it’s often too late. The funds have already been spent and reversing that process is never easy.
If only there was a way to review transactions, particularly large ones, before the funds are released. Well there is. Pre-audits are reviews of invoices, contracts, purchase orders, and other requests for funds to substantiate a transaction or series of transactions before they are executed and recorded. The pre-audit has been widely used to ensure that transactions are accurate in all respects and deficiencies are identified and rectified even before cash ever leaves a company’s account.
While there is widespread agreement that pre-audits are useful, there is less agreement about who should be responsible for them. There has been varying opinions as to where exactly the pre-audit function falls within a firm’s organizational chart. Is it an activity to be performed by management or to be left to the internal auditors?
Faced with this dilemma, companies often entrust the pre-audit role to internal audit. Is this the right way to go, given the tenets of a sound corporate governance structure?
While there is widespread agreement that pre-audits are useful, there is less agreement about who should be responsible for them.
To answer that question, we will need to take a deep dive to provide a clearer distinction of pre-audits, internal controls, and internal audit to help ensure that the internal audit unit is in the best position to deliver on its core responsibilities as an independent, objective assurance and consulting activity.
What are Internal Controls?
Internal control, as defined by the Turnbull Report, which provides guidance to U.K. companies on internal controls, refers to “the policies, procedures, tasks, behaviors, and other aspects of an organization that taken together:
- Facilitate effective operation by enabling it to respond in an appropriate manner to significant business, operational, financial, compliance, and other risks to achieve its objectives. This includes safeguarding of assets and ensuring that liabilities are identified and managed;
- Ensure the quality of internal and external reporting, which in turn requires the maintenance of proper records and processes that generate a flow of timely, relevant, and reliable information from both internal and external sources; and
- Ensure compliance with applicable laws and regulations and also with internal policies.”
Simply put, internal control processes, if implemented well, add value to the organization by considering outcomes against plans and then proposing ways in which deficiencies might be addressed.
As defined in the book, Internal Controls Policies and Procedures, by Rose Hightower (Wiley 2008), “It is a program of activities established to catch and monitor potential exposure that could result in a significant error, omission, misstatement, or a fraud.”
According to the foundational Internal Control—Integrated Framework, by the Commission of Sponsoring Organizations (COSO), “a sound internal control reduces, but cannot eliminate, the possibility of poor judgement in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls, and the occurrence of unforeseeable circumstances.”
In the accounting space, internal control procedures can be broken into seven categories, with each designed to prevent fraud and identify errors even before they become problems. Below are the seven categories:
- Separation of Duties: This involves splitting responsibility for bookkeeping, deposits, and reporting. The further duties are separated, the lesser the chance of any single employee committing fraudulent acts.
- Access Controls: This involves controlling different parts of an organization’s accounting system through passwords, lockouts, and electronic access logs. This will not only keep unauthorized users out of the system, but also provide a way to audit the system to identify sources of discrepancies.
- Physical Audits: This includes hand-counting cash and any physical assets tracked in the accounting system, such as inventory, materials, and tools.
- Standardized Documentation: Standardizing documents used for financial transactions—such as invoices, internal materials request, inventory receipts, and travel expense reports—can help maintain consistency in record-keeping over time. Standard document formats also make it easier to review past records for discrepancy or fraud.
- Trial Balances: Using double-entry accounting system adds reliability by ensuring that the books are always balanced.
- Periodic Reconciliations: Performing occasional reconciliations ensure that balances in the accounting system match up with those held by other entities including banks, suppliers, and credit customers.
- Approval Authority: Requiring specific managers to authorize certain types of transactions can add a layer of responsibility to accounting records by proving that transactions have been seen, analyzed, and approved by appropriate authorities.
The Internal Audit Function
Part of the implementation of a sound internal control system is the review of internal controls to assess their effectiveness. For management, this review should be done with the highest level of objectivity and reported to the board or governing council on timely basis. A separate, independent unit within the organization—the internal audit function—is responsible for performing this review, among other duties.
Internal audit is a function performed at specific times to assess if the organization has a good understanding of the risks that it faces and if the controls put in place to mitigate risks are effective and working as designed.
“A sound internal control reduces, but cannot eliminate, the possibility of poor judgement in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls, and the occurrence of unforeseeable circumstances.”
—Internal Control—Integrated Framework, COSO
According to the Institute of Internal Auditors (IIA), “the role of internal audit is to provide independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively.”
There is a professional duty for internal auditors to provide an unbiased and objective view in the performance of their roles. To ensure this, internal auditors must be independent of the operations they evaluate.
Jean-Grégoire Manoukian, an analyst at risk management software provider Enablon, provided a succinct analysis on the difference between internal control and internal audit in his 2016 article, “What’s the Difference Between Internal Audit & Internal Control?” He writes, “While the internal audit function is performed by internal auditors, internal control is the responsibility of operational management functions. Another point of contrast is frequency. An internal audit is a check that is conducted at specific times, whereas internal control is responsible for checks that are on-going to make sure operational efficiency and effectiveness are achieved through the control of risks.”
Pre-audit Activities
There are various descriptions given to pre-audit as an accounting or audit practice.
First, some define pre-audit as an accounting practice used prior to the official examination of the accuracy of an organization’s financial statements. This preliminary phase of an audit is used to establish the audit’s scope and any special areas of concern. It is also used to gather background information and to request needed documents, records, and information. A pre-audit may be conducted in the form of a written questionnaire that the auditor gives to the client.
The second widely used definition explains pre-audit as a system designed for the examination of vouchers, contracts, etc., in order to substantiate a transaction or a series of transactions before they are paid for and recorded. For the purposes of this article we shall restrict the meaning of pre-audit to the latter definition.
As the first line of defense, operational managers own and manage risks. They are responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis.
This practice has gained more popularity because of the need to identify and correct illegal activity or fraud even before they occur. The focus by regulators on bribery and money laundering has only increased the need for pre-audits. But the bone of contention here is who is really charged with performing this role? Is it the job of management, as part of their internal control activities, or the role of the internal auditors, as part of their independent assurance role?
Answering these questions requires a more in-depth look at pre-audits. We shall adopt The Three Lines of Defense model to determine where to appropriately place the pre-audit role.
In this model, management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third.
This 3LoD model basically defines three main shields to guard against things going wrong in the organization. To effectively identify and manage the risks of things going wrong, all these lines of defense have to be highly efficient and effective in executing their core functions.
Who Owns the Risk?
As the first line of defense, operational managers own and manage risks. They are responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis.
The second line of defense seeks to provide additional reinforcement to the first line. It seeks to ensure that all those risks of inappropriate activity or fraud that have bypassed the first line are identified and addressed.
For all these initial controls to work effectively comes the independent unit—internal audit—to continually assess the efficacy and effectiveness of these initial controls and report the results of such assessments to management and the board.
Internal auditors provide both the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. Internal audit provides assurance on the effectiveness of governance and the controls put in place by management in the first line of defense.
From this we can confidently say that the pre-audit role falls under the first and second lines of defense and part of the operations of the organization. Internal auditors are supposed to review these controls and report to the governing body. Can the internal auditor be in the position to give an objective evaluation of the internal control measures if he or she is part of the control operations? Certainly not!
Unfortunately, this has been the practice seen in many of our private and public sector companies with regard to pre-audits. Internal auditors become involved in the daily operations of the organization by way of pre-audits and at the same time are also tasked with reviewing the effectiveness of these controls (which they are part of) to the governing bodies of those organizations. The result is a deficient, less objective evaluation report.
The Importance of Independence
The IIA defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organizations operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance process.”
The definition by the IIA emphasizes the key word “independent.” But how would an internal auditor be independent if he or she is part and parcel of the performance of the same internal control activities that he or she is to evaluate for effectiveness. To provide an independent and objective assurance service requires that internal auditors are detached from the operational activities of the organization in all respect including control activities such as checking payments and contracts before such payments are made.
As Jonathan Cann writes in his article, The Canker of Pre-Auditing Practices in Ghana: “The important role of pre-checking of supporting documents, contracts, and other payments are the prerogative of management. This prerogative is normally delegated to the finance department.” Most internal auditors, however, in countries that do pre-auditing are of the concerns that asking the finance department to do pre-auditing increases the incidence of financial misappropriations because of laxity of finance staff in stopping false transactions.
Cann continues, “Asking internal audit to be part of the internal processes of approving and authorizing payments and contracts is an attempt to make internal auditors part of the operational side of the organization. This has the tendency to incapacitate the internal audit unit to offer an independent and professional assurance service to management on the very activity to which they are a part of its implementation.” Many have argued that the self-review threat and potential compromise of internal audit’s independence and objectivity can be managed with the proper separation of the pre-audit and post-audit functions within the internal audit activity.
“The important role of pre-checking of supporting documents, contracts, and other payments are the prerogative of management.”
—Jonathan Cann, Managing Consultant at JPCann Associates
Proponents of the performance of pre-audit functions by the internal audit unit opine that any threats can be managed by ensuring that internal auditors with pre-audit responsibility do not participate in the post-audit of the activities they pre-audit. Although the separation of pre- and post-audit functions within the internal audit activity can lower the threats to independence and objectivity, it cannot eliminate them. Ultimately the chief audit executive who oversees the internal audit function has responsibility for all internal audit activities and is answerable for the independence and accuracy of audit activities.
Management, in reducing the threat of asking finance departments to conduct pre-audits and at the same time providing platforms for internal audit departments to be independent and objective in their assurance and consulting roles, should delegate the important role of pre-auditing to an examination unit or any other designated unit independent of finance and internal audit departments, which has the training and capacity to offer such services on behalf of management.
As much as internal auditors appreciate the faith that management hold in them when it asks them to vouch for the existence and completeness of transactions before financial commitments are made, I would implore internal auditors to explain to management the compromising nature of implementing internal controls (such as pre-audits) on the integrity of internal audits. That independence and objectivity is the very purpose that enables management and the board to have confidence in internal audit assessments.
Kwame Boakye is an internal auditor at the University of Cape Coast in Cape Coast, Ghana.
Great piece
Agree! However, when the business/operations wants you to route a request directly to the person who handles that topic, is it reasonable to do so or should they be responsible for redirecting requests to the appropriate contact? Seems like there is a lot of added time spent routing by function or task so a single point of contact makes sense. Thoughts on a best practice?
Good work done Kwame. Separatiing the Internal Audit function from pre- audit activity will surely help guard the IA’s independence
Hi
We as practitioners articulate the and independence of the Internal Audit function, management hasn’t evolved in its view of role of IA. We are still seen as transaction assurance function and many a times custodian of process and controls.
Till the time we invest in advocacy of IA role and make organization understand the IA role, our function will suffer from lack of foresight and vision of corporate leadership.
A great piece. This is to avoid un-biasness in the post-audits and also to ensure independence of the internal auditors office.
It beats logic to be part of the pre-audit which is operational function and then at the same time do the audit of the same.
Does this account for why some organization these days now have a department called Internal Control Unit or department?
Re: Should Internal Audit or Management Conduct Pre-Audits?
Your article is insightful, however, I have a contrary opinion and view and I will express it from the perspective of the public sector.
Ministries/Departments/Agencies internal control system in most cases are centralized, Internal auditors are employed to monitor compliance with established control and any changes are effected through circulars from government..
The major role of Internal Auditors is Pre-Auditing: meaning internal audit function integration into every process and procedure of each MDA’s. In this situation the Internal Auditors provides the objective assurance and consulting function.
Internal auditor role in Pre Auditing is a also a risk management process and value addition, The internal auditor is not initiator and owner of the function what he does is to check if things are done correctly. This makes the internal audit to have a proactive function and prevents errors and fraud tohappren iinmthe first place.
Well if pre-auditing function is removed then I do not think the Internal audit service is required or necessary because there activities will amount to duplication of function conducted of the external auditor. And the management may eventually do away with them.
Re: Should Internal Audit or Management Conduct Pre-Audits?
Your article is insightful, however, I have a contrary opinion and view and I will express it from the perspective of the public sector.
Ministries/Departments/Agencies internal control system in most cases are centralized, Internal auditors are employed to monitor compliance with established control and any changes are effected through circulars from government..
The major role of Internal Auditors is Pre-Auditing: meaning internal audit function integration into every process and procedure of each MDA’s. In this situation the Internal Auditors provides the objective assurance and consulting function.
Internal auditor role in Pre Auditing is a also a risk management process and value addition, The internal auditor is not initiator and owner of the function what he does is to check if things are done correctly. This makes the internal audit to have a proactive function and prevents errors and fraud to happen in the first place.
Well if pre-auditing function is removed then I do not think the Internal audit service is required or necessary because there activities will amount to duplication of function conducted by the external auditor. And the management may eventually do away with internal auditors services.
Greatly articulated. And that’s exactly my thinking. Opened this page coz am facing the same challenge where we are doing post audit of invoices. Am of the suggestion that pre audits be done but it seems my colleagues are not of the idea. My thinking is why not stop an error from occurring and only try to reverse it when the company would have already spent?
The only way out of this mess of misappropriation is by doing pre audit coz internal.auditors are part of the organisation and are there to manage risk of misappropriation. This can only be greatly done if they are allowed to do pre audits
I agree with you.. The internal audit should play preventive role. as pre auditor. What if preventive control is weak and we chase behind bad events.
Similarly how management will prevent their own weaknesses.
I think I support your augment.First of all,if internal auditors are to help organisation minimize it’s risk then pre-audit is the best function to utilize.
Gbenga Oluwa…..Please read the article carefully. You do not seem to understand the role of the internal audit or the now ‘three lines model’ which the author referred to. There isnt much more to say about what the article reads so I suggest you read it a couple more times. Value addition can be achieved by conducting post-audits and engaging in consulting activities which do not compromise the independence and objectivity of the internal audit function and for sure is not a duplication of effort.
Management hire competent professionals to handle the various aspects of the business and are responsible for ensuring the controls and the people employed mitigate the risk of fraud and errors.
Nice Article. However some confusion is there, if someone can clarify.
I have questions : a) What to do in a scenario where the internal audit identify deficiencies but until when the payment will be stopped. I mean some of the deficiencies are irreversible and in the meanwhile liability is created by management as the work is done until the bill reach the internal audit section for pre-audit. In no way the bill can be stopped for ever. How the internal auditor will approve such bills when there are irreversible deficiencies but liability is created.
b) I am doing both pre and post audits. I have to report to the Board on quarterly basis. Now if I am doing the pre-audits what type of observations should be part of my report. i.e just internal control deficiencies only? Also any pre-audit objections be part of the quarterly report.
c) If we receive a bill say for 500$ but in that bill we just agree with the value of $200. Can we approve only $200?
d) Do internal audit stop the bill? If they do that might results in litigation’s.
The internal Auditor in the cause of doing it’s job have the freedom of querying any transactions that looks fraudulent or ambiguous during the pre payment Audit. This is the reason why internal Auditors should be assigned this important function.
I think in such scenario the internal auditor should record his observation and process the payment. Because he is watch dog not blood hound.
The challenge with pre-audits and probity audits in the procurement process is that Internal Audit fulfills a management responsibility and is not evaluating and improving the effectiveness of risk management, control, and governance processes.
Very very well said. If you are an internal auditor and do not understand the problem with pre-audits then you need to get certified (CIA certified). Hopefully, then, you will understand why internal auditors should not undertake pre-audits. Also take note that the author did not say pre-audit is not necessary, he only said that it should be management’s role. I can say with all confidence that if all the internal audit staff are added to, for instance, the finance team, to undertake pre audit, management will still insist on another person or team who sit under a unit called internal audit to perform pre-audits. The issue is both an issue of competence and suspicion of fraud.
Should pre-audits be performed, absolutely YES. Should they be performed by internal auditors, absolutely NO.
Very good article,
If the company uses the COSO methodology one of the objectives is “Reliability of financial reporting” so internal audit should be involved in the accounting review. In the point of “Control procedures ….” Periodic Reconciliations, this point closures are monthly, so a compliance control is required every month that could be carried out by internal audit. Monthly accounting reconciliations are the main control of accounting departments, and if the internal audit does its review based on risks, this should be included…
Now I am not sure whether to do a whole pre-audit process, but the reconciliations should be reviewed monthly by internal audit, if there is no internal control department.