We are testing a new beta website for gov.scot go to new site

Internal Audit

INTERNAL AUDIT

Contents:

Scope

Key Points

Background

Internal Control System

Internal Audit Process

Internal Audit Assurance

Internal / External Audit Relationship

Scope

1. This section gives guidance on internal audit arrangements and procedures. The guidance is aimed at all organisations to which the Scottish Public Finance Manual (SPFM) is directly applicable, including the core Scottish Government (SG), the Crown Office and Procurator Fiscal Service, SG Executive Agencies, non-ministerial departments and bodies sponsored by the SG.

Key Points

2. Internal audit should provide an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It should provide an appraisal of an organisation's internal control system and take the action needed to provide Accountable Officers with a continuing assurance that the organisation's risk management, control and governance arrangements are adequate and effective.

3. Accountable Officers are responsible for ensuring that appropriate internal control systems exist within their own organisations (or parts thereof), and for deciding whether or not to accept and implement internal audit findings and recommendations.

4. Internal audit evaluates compliance with an organisation's internal control system - including relevant regulations, guidance and procedures - as part of its review process. However, the primary responsibility for monitoring compliance rests with operational areas and their line management, up to and including the relevant Accountable Officer.

5. Entities or individuals involved in the external audit of an organisation should undertake non-external audit related work for the same organisation only in exceptional circumstances.

Background

6. Internal audit should provide an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It should provide an appraisal of an organisation's internal control system and take the action needed to provide Accountable Officers with a continuing assurance that the organisation's risk management, control and governance arrangements are adequate and effective. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. The operation and conduct of internal audit should comply with Public Sector Internal Audit Standards.

7. Accountable Officers are responsible for ensuring that appropriate internal control systems exist within their own organisations (or parts thereof), and for deciding whether or not to accept and implement internal audit findings and recommendations. Accountable Officers have overall responsibility for ensuring that prompt and effective action is taken on recommendations, and that the risks resulting from inaction are recognised and accepted. The organisation's Head of Internal Audit should have the right of direct access to the Accountable Officer and the organisation's Audit Committee.

8. Internal audit evaluates compliance with an organisation's internal control system - including relevant regulations, guidance and procedures - as part of its review process. However, the primary responsibility for monitoring compliance rests with operational areas and their line management, up to and including the relevant Accountable Officer.

Internal Control System

9. The internal control system comprises the whole network of systems established in an organisation to provide reasonable assurance that organisational objectives will be achieved, with particular reference to:

  • risk management;

  • the effectiveness of operations;

  • the economical and efficient use of resources;

  • compliance with applicable policies, procedures, laws and regulations;

  • safeguards against losses, including those arising from fraud, irregularity or corruption; and

  • the integrity and reliability of information and data.

10. Internal audit should not have responsibility for executive functions or for the development or implementation of systems. Internal audit may, however, serve as a valuable source of advice on systems of risk, governance and control without impairing its objectivity and independence.

Internal Audit Process

11. Internal audit should:

  • analyse the internal control system and establish a a risk based assurance programme;

  • identify and evaluate the controls which are established in systems to achieve objectives in the most economic, effective and efficient manner;

  • report findings and conclusions and, where appropriate, make recommendations for improvement;

  • provide an opinion on the reliability of the controls in the system under review; and

  • provide an assurance based on the evaluation of the internal control system within the organisation as a whole. 

Internal Audit Assurance

12. An annual audit assurance is provided to Accountable Officers through the professional opinion of the Head of Internal Audit (or equivalent) on the adequacy and effectiveness of the internal control system and the extent to which it can be relied upon. That opinion is contained in an annual report from the Head of Internal Audit to the organisation's Audit Committee, and forms part of the assurance required by Accountable Officers to enable them to sign a governance statement as part of the accounts for which they are directly responsible. The assurance framework relating to the SG is described in the section of the SPFM on Certificates of Assurance.

Internal / External Audit Relationship

13. Close working relationships should be established and maintained between an organisation's internal and external auditors. The two types of auditor should consult each other and co-operate in order to seek opportunities to avoid duplication of work and achieve an efficient use of audit resources. However, entities or individuals involved in the external audit of an organisation should undertake non-external audit related work for the same organisation only in exceptional circumstances. Arguments which support the separation of external audit and non-external audit related work include the need to avoid conflicts of interest and the possible loss of objectivity and independence.

Back to top

Page Published / Updated: November 2009