What should the relationship of internal and external audit look like?


Not every organisation has both an external audit and internal audit. In some jurisdictions you can get companies that have internal audit but no external audit, while in most countries you get quite a prevalent external audit with far less incidence of internal audits. Russia is a prime example of the latter case.

External audits done under ISAs are supposed to plan and carry out work in order to have a reasonable expectation of detecting fraud and other irregularities, and certainly the expectation of users has traditionally been that external auditors are responsible for finding fraud.

I work both as external auditor and I also carry out internal audits for clients who don’t have their own departments or who do but still need to be beefed up locally by brought-in experts. Therefore I have no particular axe to grind, but I will say this – a lot seems to be expected of external auditors with relation to fraud without giving them the tools necessary to find instances of fraud.

Internal audit departments can, within reason (they cannot supercede data protection law or labour law, etc, or contravene people’s basic human rights when monitoring them) have whatever tools they like if they are within budget. I can just imagine what my clients would think if I as an external would start installing cameras, GPS trackers on company vehicles, doing spot checks for alcohol, lifestyle checks on managers, and all the other things that internals can do. And yet if you take the standards literally I have to do a job not far off that of a policeman as an external auditor.

All we are usually given as external auditors is a couple of generic questionnaires which we try to go through with the client’s management adapting it to the specifics of their business, then we have the duty and hopefully also the ability to map out and analyse the systems of the client, including the controls and to perform walk-through tests and seek to identify key controls. The way an external auditor assesses a key control and the way an internal auditor assesses a key control are also different in a number of ways, and how we define a key control for our respective purposes differs, and then the timing and frequency of checks on that control will differ. Many people who have worked only in external audit won’t know how or why they differ and therefore their ability to get the best from internal if it is even there will be in many cases limited.

Actually most of the fraud questionnaires in use are a good start because they are based in fact on the fraud triangle originally talked about by notable criminologist Donald Cressey back in the 1960s and 70s. This is the triangle of means, motivation and rationalisation or self-justification. It is based on the idea that if a person hasn’t got the opportunity to get around the system, doesn’t really need to and thinks it would be wrong to, then the chances of that person committing fraud are extremely remote. If on the other hand a person thinks that they know how to get away with it, need the money and also think they deserve to do it, then the fraudulent activity by that person is virtually certain. Various permutations of this give varying degrees of likelihood of fraud. The questions in fraud questionnaires would be good at helping to build a “fraud triangle” exercise in a given context, but only as long as the person doing it knows what they are doing both in theory and in practice. Often it is given to quite junior people to carry out and also very often in assessing audits I have seen that the answers don’t necessarily carry through to specific tests relevant to those answers, but instead increase general risk meaning that there is a likelihood that the sample sizes for other detailed substantive tests (by the way the weakest set of tests for detecting fraud) will be higher. And sometimes you are lucky to even get that much of a response.

Externals go on to make their control tests if they do recognise a key control (and on a worldwide scale I would hazard a guess that tests of controls are still done on only a small minority of audits, with most defaulting to the substantive route based really on lack of time or confidence with control work by the external audit team) and also the other big weapon they have in the arsenal is substantive analytical review. But SAR is only as good as the in-depth knowledge of the branch or business, so externals – especially those which are not branch specific as some Big Four externals are – don’t really have the sector knowledge that the internal audit team have and so their chance of noticing something that doesn’t stack up as they go through their analyses of ratios, or building of expectations and confronting to reality is not as good as that of the internal in many cases.

And then auditors finish every section by mopping up whatever needed assurance they could not derive from the earlier procedures by other substantive procedures based if done properly on a statistical sample, which is designed to get them from the assurance they got from less time-consuming procedures through to within their tolerable error (a function of risk and materiality from their perspective, which again differs from the internal auditor’s perspective which may not even be couched in money figures but in non-monetary terms). However the chances of getting at fraud looking through sampled accounting documents is miniscule, and here many external auditors do the bulk of their work.

So naturally if there is an internal audit team, an enlightened external auditor should be ver anxious to understand how they decided their work plan, what they did, and how many key controls have been checked thoroughly and how many risks are still open. If they want to give the organisation real value for money they will design tests that supplement, rather than duplicate the work of internal auditors.

Internal auditors will encourage this – they too will want to see that the organisation’s budget for external audit work goes on procedures that help to improve the risk heat map and the overall picture for the organisation. This call only be done when each side understands the other and “speaks their language”. Many internals have worked as external but not many are continually doing both types and therefore able to think through an assurance issue from both perspectives.

The Money Value of Time


The National Audit Office building, built orig...
The National Audit Office building, built originally as the Imperial Airways Empire Terminal. The statue, “Speed Wings over the World” is by Eric Broadbent” (Photo credit: Wikipedia)

According to page 2 of today’s UK Financial Times, a UK National Audit Office report shows over 6.5m people waited more than 10 minutes to get their calls answered by HMRC, adding £33m to customer’s phone bills and wasting £103m of their time last year.

This snippet of information triggered a few things that I wanted to say to you this morning. The first of these is, that, despite the fact that it is obviously pretty dire that people need to wait so long to get their calls answered by the service they are paying taxes to fund in the first place, at least in the UK there is a body which is concerened at the loss of time and places a value, in monetary terms, on that loss of time by the customer.

Anyone who has spent any time either in government offices, or even banks or supermarkets in this part of the world will probably confirm that the idea that the customer’s time is valuable and should be respected is a rather alien concept. Not so long ago it was an utterly alien concept, but even today it is still a concept which they find rather hard to grasp.

Not as bad as China, though, from what I heard and also saw. People being expected to queue all day outside the Chinese consulate for their visa and then at the very moment that the scheduled closing time of the office came the shutters come down like with Kiosk Keith and that was that. The spare time of the employees was utterly sacrosanct, that of the customer not at all. This of course shows an elitist mentality, which can be found in almost all state sector offices to one or another degree anywhere in the world. Expect it and try somehow to deal with it.

Much less acceptable is the wasting of the customer’s time in business. If the customer is paying then they have a right to have their matters expedited and people who keep people waiting ought either to invest in more infrastructure to avoid it or to wonder if they are in the right business. Continue reading “The Money Value of Time”

It pays to avoid the BBBs (Bargain Basement Bookkeepers)


Violent Storm Strikes Western Europe
Is a storm brewing over your books and records?

I am writing to relate a story based on true events which came to light last week when one gentleman came into one of our offices and spoke to me. To keep matters confidential, I won’t say the country – the same can happen in any country – or identify anything about this company the gentleman had – even the sector. It can happen to many sectors.

This gentleman had given his company bookkeeping and tax affairs to an outsourced book-keeper for his business in that particular country. He used outsourcing back home in his own country (I’m not saying where that is either) and he appreciated the benefit of being able to have his bookkeeping professionally handled by experts without needing to employ anyone, worry about holiday cover, etc etc.

Some time ago this gentleman had included our firm in his search, and we gave him a price entirely fair for a company with our niche in the market, that is, internationally trained people, with English, with proper quality assurance, supervision and back-up.  In other words,  a peer-reviewed, branded service tailored absolutely to the needs of West European businesses in the middle tier coming to start up in East Europe, and also very good for businesses not exactly in the middle tier and from places outside West Europe.

That means that the fee offered was not nearly as high as a Big Four service would cost, but certainly higher than a purely local service.

Now I’m not knocking the purely local services – many of them are very good, but for purely local clients as they don’t tend to be claiming proficiency in foreign languages or have the ability to engage cross-culturally with the client (a source of just as many miscommunications as the language barrier on its own). They are not a great fit with the international client, and often their cheaper price becomes a false economy as frustrations rise on both sides of the desk.

The problem in this case wasn’t lack of English – this gentleman’s chosen bookkeeper spoke English, apparently.

But she was in business just on her own. With no back-up employees, probably very little insurance, probably very few resources to turn to, and very few overheads hence enabling a price no quality firm could ever compete with. That was the price that tempted this gentleman to take her bid over mine.

But since then, it became apparent that this bookkeeper was not entirely what she seemed to be.

Neither this gentleman nor myself are qualified psychiatrists, and we could only speculate on what might have gone wrong, or been wrong all along with this person. The fact is, though, that mental illness happens in the human population. We’ve probably all had employees or acquaintances who have had a mental illness, and in a larger company they quickly get noticed by colleagues, and steps taken to look after them and safeguard the clients’ affairs. When they are on their own, no such controls exist.

Suffice it to say this lady no longer was answering emails or picking up the telephone when he was calling, and when he rang from another number she didn’t know, she put the phone down when she heard his voice – the person entrusted with his company’s books and records and processing a VAT reclaim for more money than she would normally earn in many years. As you can see, the situation is now much harder – and therefore more costly – for us to repair than if he had simply given us the work in the first place.

It simply doesn’t pay to use these Bargain Basement Bookkeepers. You know what you get if you pay peanuts, and if a price looks too good to be true, it probably is.

Dlaczego potrzebujemy RMUA u lekarza?


Logo of the Social Insurance Institution of Poland
Poland's Social Insurance logo

In the following article produced for the benefit of their clients but included here for general interest, is an article by one of Luxmed’s experts showing why it is that in Poland even privately insured patients still may be required by their doctor to possess proof of social insurance under certain circumstances.

Witam,

Zgodnie z Ustawą o świadczeniach opieki zdrowotnej finansowanych ze środków publicznych, lekarz ma prawo odmówić wystawienia recepty na leki refundowane, jeżeli Pacjent nie przedstawi dowodu aktualnego ubezpieczenia. Takim dowodem może być każdy dokument potwierdzający prawo do świadczeń opieki zdrowotnej finansowanych ze środków NFZ, w szczególności dokument potwierdzający opłacenie składki ubezpieczenia zdrowotnego. Continue reading “Dlaczego potrzebujemy RMUA u lekarza?”

Domain names scam – what to do if affected


World Map Politic 2005 with ccTLDs - LQ version
CCTLD map from Wikipedia

You may have received e-mail (especially from Chinese and Hong Kong companies relating to .cn domains bearing your name if you didn’t register in China, but now more commonly in East Europe also) which says that if you use these people’s services they can prevent your name’s domain in that country from getting blocked.

Now this email gets sent out all over the world to addresses harvested from the internet page and chats and from usenet fora by robots, and of course the people behind the email cannot really afford to block every single domain that they are fishing for.  The one sure fire way of making sure that they do block your domain is if you respond to them, whether with threats or with asking for the help, even in terms of “what it would cost”. I suggest you only do this if you don’t want the domain really and have no intention of buying it, as if you are lucky it will lead the scammers into real cash outlay which they’ll never see any return on. I highly encourage that! Maybe some of these pests will stop it if they see that enough internet users are wise to them and don’t mind leading them up a garden path…

You can always search here on EuroDNS (in the interests of transparency that affiliate link earns 10% of anything you buy after you go there, but it shouldn’t cost you more and it’s the service I use myself) and see what the status is of all of your possible combinations of your name and the country endings or generic endings, as well as check the Whois status of all these countries, both Europe and Asia, all in one place. You will probably find that nobody has blocked your domain at all, and if you are interested in owning the domain you can block it there and then. They are ethical and I never had a problem with them that the owner didn’t solve within a week. If they are not contactable one day you can usually get them the next day. Continue reading “Domain names scam – what to do if affected”

Should your Company have a pro-forma audit?


Mostrador de um relógio Foto de Jose Goncalves
Tempus fugit - is it time for your proforma audit?

For businesses which have never been audited but which are growing up quickly to meet the audit thresholds in a year or two, you may wish to consider having your first audit done while it is still voluntary to do so, and the results, if less positive than expected, can at least be kept private.

Once your business has exceeded the audit thresholds (very typically in Europe this means for a private company about 50 employees, 5 million Euros turnover and 2.5 million Euros of gross assets, and it means 2 out of those three conditions – we just stated actually the Polish ones verbatim, (with the proviso that they also state a set PLN amount to avoid subjectivity for businesses that are on the cusp), but most countries are not far off that – even the Czech Republic which really needs much smaller thresholds)

Clearly this doesn’t apply at all to public limited companies, ie. the “S.A.”, “a.s.”, UK plc or German AG style companies which must be audited regardless of size – in some jurisdictions even if they are dormant – but for private limited liability companies most jurisdictions have size criteria like the ones just given – for Slovakia about 60% of the sizes given, so please note that this is divergent from the Czech ones, which are far too high for that country and result in proportionally fewer audits, which is a bad thing for corporate governance in that country.

While you are under the limits audit is voluntary. And you can have an unofficial audit whereby the audit comes and does for you all the normal work he would do if officially appointed, but it is only pro-forma. “Pro-forma” is Latin for something like the idea of “as if” so the auditor will work and report as if they had been properly appointed, but it is really a dry run for you. You do not appoint them as statutory auditors in the minuted general meeting, you do not have to file the report as the audit was voluntary, and you get all the benefit of the audit without the risk, and on top of all of that, I can get you these pro-forma audits for only 75% of the cost of a statutory audit, because the Firms we associate with want to promote good voluntary governance practice in the economy.

If you wait for your first audit until it is an obligatory one because you’ve outgrown the size criteria – and as we come out of the recession that will happen to some of you next year hopefully sooner than you dare hope for now – then if the auditor finds something wrong then the report of the auditor could be “modified” – I’ll do a separate article on what sorts of “modifications” exist and what they mean in accountancy speak, but it’s not good if you get one.

It will not help if you need a loan, and it will probably trigger a lot of interest on the part of the tax inspector. But you’ll have to publish it anyway, if there isn’t time to do the remedial work a good auditor should outline to you in time for your statutory deadline.

Now auditors get cajoled, encouraged in a friendly way or even outright threatened by desparate managers and owners to overlook things or change to an opinion that doesn’t match the facts, and there is nothing that can be done in those circumstances. Auditors are not generally anywhere near as afraid of their client as they are of their regulator, but more than that we are educated throughout our professional lives to be independent in our outlook, and so the only way to get out of some modified opinions is to do the remedial work the auditor recommends or make the adjustments that they recommend.

There’s no point in changing to another auditor you think will be more pliable – they must write to the old auditor and ask if there are any reasons why they cannot act. The best thing to do, if you are not sure how well your company will stand up to an audit is to have your first one a year or so before you need to. Then if the audit shows up a lot to be desired, you have a whole year to put it right and nobody will ever know because auditors are bound by confidentiality – it isn’t us who even publish our reports, it’s the responsibility of the client. The report is given to its addressee, which is always the shareholder, and some other corporate governance boards if they are in existence.

So it’s well worth thinking about, especially if your business has been growing fast and maybe has outgrown its systems.

Let us know if we can help.

If you haven’t appointed an auditor yet in Poland and you needed to by law, here’s what can happen…


Rzeczpospolita (newspaper)
A leading business daily in Polish

An excerpt on appointment of auditors from one of the leading Polish newspapers Rzeczpospolita.

There are a few articles here on one large page, one of them dealing with what an audit report is and what it’s supposed to contain. This is anodyne and will be what you would expect from your own country, if it is in line with IFAC standards.

Another article talks about what the audit thresholds are. I’m going to write a separate article on audit thresholds comparing different countries in our region, but Poland has the fairly sensible levels of any SA, and for an Sp. z o.o. it’s 2/3 of the following: 1) Turnover 5 million Euros in the preceding year, 2) gross assets of 2.5 million Euros in the preceding year and 3) 50 employees on average in the year. The article offers a PLN interpretation of these levels for this calendar year end. I do not really want to reproduce that as not every company has calendar year and it is also not hard to work it out whether your Company in Poland has mandatory audit or not, and if you’re not sure, ask me and I’ll tell you for free.

The most interesting article in this audit related supplement, though, is probably the one which states that in line with article 64 paragraph 1 part 4 of the Act on Accounting,  if the management needs to appoint an auditor it should be in time so that he/she can observe any material inventory counts.

So what that means in practice is that you’re probably OK if you have no stock or fixed assets. If on the other hand you do have these and they were due for a count, the auditor is risking big trouble if they come in and give an opinion on the figures not having attended the count. If this is of interest in your case, please look up the much larger on that subject below.

In the worst case there will be Companies who did their stock-counts without the observance of an auditor and they later discover they need to appoint one. Three alternative things can then happen. The first is that you chance on an ethical but unhelpful auditor, who refuses to take on an audit if the stocktake is already done. If you only meet such auditors, then you won’t be able to get the audit done and you’ll be in breach of the Act if you were over the size criterion or are a joint-stock company.

The second option is where the auditor says I can do this, but later pulls a qualification on you because of not having been able to attend the counts. You then have to file an audit report which isn’t 100% clean, and then live with the fact that you may not be able to declare a dividend and that the tax office will come breathing down you necks wondering what is going in. I don’t think it’s ethical for an auditor to lead the client into taking them by not being clear that they intend from the moment they are hired to give a modified audit report, but some people seriously justify it to themselves that it’s the client’s fault for not coming early enough.

Then there is the option where the auditor is both helpful and ethical, in that they take part in other procedures designed to make good the absence of an actual attendance at the time of the stocktake. Some auditors can use their business understanding and imagination to gain the assurance they need professionally without needing to do the whole stocktake over again. You may need to shop around to find these ones. I can certainly help you find people who approach their work in that more constructive period though.

In the very worst case, you may need to do the stock take again, but beware, you cannot do that officially after one month from year end anyway, and it involves extra work on the reconciliation afterwards, which will be on the shoulders of your chief accountant.

If you’re late appointing, don’t delay it any more – that’s the moral of the story!