Having strong internal control systems is also a great way to secure growth and scalability.

What is an internal audit?

An internal audit is an independent review of the internal control functions of an organisation by a regulated audit and assurance firm.

Are you required to have an internal audit?

If you are licensed by the Cyprus Securities and Exchange Commission (CySEC) or by the Central Bank of Cyprus then you are required to have an internal audit on an annual basis. The internal audit function must be outsourced to a regulated audit and assurance firm.

Internal audit is also a very good practice undertaken by larger organisations, usually those with more than 100 employees in Cyprus, as it provides extra assurance or pinpoints specific weaknesses in their internal control functions.

What does it entail?

The internal audit is a process of gathering data and information from the organisation and assessing its compliance with local regulations, such as CySEC, VAT, Tax and Employment Law requirements.

It is also a testing function of the organisation's internal control functions.

Once the audit is completed the Company will submit the findings to its regulator.

Can you assist us?

CYAUSE Audit Services has more than 20 years of experience in the field servicing Cyprus Investment Firms and Funds licensed by the local regulator. Our frequent collaboration with CySEC ensures that we are always proactive to new regulations, local and EU developments which are factors in the design and implementation of our audit work.

Detailed explanation of the Audit Procedure:

A. The process

  1. Assignment to the Audit Firm
  2. Design of the Internal Audit
  3. Execution / Testing
  4. Provision of Internal Audit Report
  5. Submission of the Report to the Regulator
  6. The board assigns the Internal Audit Engagement to an Audit and Assurance Firm.
  7. The Internal Auditor designs the Internal Audit based on the requirements of the Regulator or the Client.
  8. The internal audit usually takes 5 - 8 working days to be completed and includes several visits to the client's premises, the examination of a significant amount of paperwork, discussions with management and visits onsite and offsite.
  9. At the end of the fieldwork, once all clarifications and assertions are collected, the internal auditor issues the internal audit report.
  10. The Internal Audit Report contains an extensive checklist of the areas mentioned above together with the Findings of the Internal Auditor. For each finding, the client (the organisation) is required to respond to the weakness or deficiency identified.

B. Areas Examined by the Internal Auditors

a) Department procedures.

b) Execution of department procedures.

c) Sales, purchase cycle

d) Receipts and Payments Cycle

e) 3rd Party Agreements

f) Infrastructure

  1. Security access through the organisation and computerised software.
  2. Fixed assets register nicely organised and updated; how, by whom, what is the policy.
  3. Logs - shipping logs, dispatch logs, sick leave logs, annual leave, orders, consignment goods and many more. Who keeps track, how, is it sufficient.
  4. Website and IT Systems assessed and scrutinised (assistance by experts usually obtained).
  5. Personnel and Infrastructure (who does what, why, how, objectives, achievements, change needed, does it work).
  6. Back Office Operations and Systems (set up, structure assessed, controls, systems, operations, objectives met, targets met)

g) Compliance matters

  1. With regulations affecting your company; if, for instance, you are an investment firm, we would assess whether you comply with MiFID II requirements and relevant provisions and requirements such as the preparation of Capital Adequacy Reports, ICAAP Reporting, Handling Clients Own Funds, Internal Audit Engagement, to mention a few.
  2. With Tax - Assessment of Tax and VAT return preparation and Company submissions to the authorities
  3. With GDPR Regulation
  4. Payroll and Employee remuneration and company obligations
  5. Insurance required by the Cyprus Republic
  6. Health & Safety
  7. Any other compliance laws, regulation or directive applicable to the specific business.

h) Statutory Compliance

  1. Review of board and directorships
  2. Review of committees and how they operate
  3. Authorised bank signatories; who actually signs, are protocols followed
  4. Submissions to regulators; for instance Investment Firms must submit on a monthly, quarterly and annual basis a plethora of reports and workings to CySEC.

i) Accounting Matters

  1. Review of the Company's Trial Balance and Detailed Ledgers
  2. Review of the processing of accounting records
  3. Review of the reconciliations with bank, creditor and debtor statements
  4. Own funds preparation and reconciliation by investment firms
  5. Review and assertion of compliance of statutory submissions of tax forms, audited financial statements, issuance of payslips

j) Additional Testing

Internal audit engagements are designed around the risk profile of the organisation and aim to cover the weaknesses or risk areas of the entire organisation. As a result, each internal audit engagement is different, depending on the entity type, size and operations. To cover all risk areas, the internal auditors are required to plan carefully and come up with specific tests against each risk.

Originally Published 06 April 2022

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.