Chapter One

Introduction to Internal Auditing

Training Aim
To present a brief introduction to internal auditing that will
give you an initial understanding of:
1.The
2.A

internal audit role.

brief history of internal auditing.

3.The

IIAs professional standards.

YOUR CHOICE
Internal auditors primary role is to review:
1.

The way managers behave.

2.

The way risks are managed.

3.

The performance of work teams.

YOUR CHOICE ANSWERED

Internal auditors primary role is to
review:
1.

The way managers behave.

2.

The way risks are managed.

3.

The performance of work teams.

Auditing
An examination of an organizations activities to
determine if the organization is doing what it says it is
doing.

Auditing
External auditing
Internal auditing

IIA DEFINITION

Institute of Internal Auditors

Web site: www.theiia.org

Internal auditing is an independent,

objective assurance and consulting
activity designed to add value and
improve an organizations operations.
It helps an organization accomplish
its objectives by bringing a
systematic, disciplined approach to
evaluate and improve the
effectiveness of risk management,
control and governance processes.

A short Task

Internal auditing is an independent, objective

assurance and consulting activity designed to add
value and improve an organizations operations. It
helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control and governance processes.

Internal auditing: This is what we are called and this

name appears in many regulations.
independent, objective: independence is about being able
to stand back and carry out reliable audit work.
assurance and consulting activity: audit give assurance
that all is well (or otherwise) and also act as consultants
by seeking to improve things.
add value and improve an organizations operations:
everything that happens in an organization, even if
required by law, must add value to be worthwhile.

It helps an organization accomplish its objectives: all

audit work starts with what the organization is seeking
to achieve. This factor drives everything that the auditor
does.
a systematic, disciplined approach: this is about
professionalism, the cornerstone for delivering the audit
product.
evaluate and improve: evaluation is about comparing
what should be with what is and seeking to close any
gaps.
effectiveness of risk management, control and

Internal Auditing
Value is provided by providing opportunities to achieve organizational objectives,
identifying operational improvement, and/or reducing risk exposure through
assurance and consulting services.

The Evolving Role of Internal Auditor

Changing stakeholder expectation and a new way of risk management
are prompting an important shift in the role of IA.
As regulatory compliance responsibilities have expanded and the stock
exchanges have adopted new evaluation criteria including enterprise
risk management (ERM), the need for enhanced rigor and
transparency and consolidated view of risk management capabilities
has become paramount.

The Evolving Role of Internal Auditor

IA roles shift: Historical focus on value preservation (a control focus)
to encompass activities related to value creation (a performance focus)
Such a shift could enable internal audit bring value to business in new
ways.

The Evolving Role of Internal Auditor

Internal auditing has grown tremendously over the years to reflect its new highprofile position in most larger organizations.
It has shifted from back-office checking teams to become an important corporate
resource.

The Evolving Role of Internal

Auditor
The trends behind the development of IA points to the ultimate position
where the audit function becomes a high-profile autonomous
department reporting at the highest level.
Moving out audit functions currently based in accountancy.
Establish IA as a separate profession so that one would employ internal
auditors as opposed to accountants

Why Extend Financial Audit to Managerial Audit

Performance: how well a person, machine, etc. does a
piece of work or an activity.
Performance evaluation concept is expanded:
Not only financial performance
3Es: Economy, Effectiveness, Efficiency

Auditing for 3Es

The Evolution of the

Audit Function
Extension of external
audit:
testing the reliability of
accounting records

The Evolution of the

Audit Function
Internal
Check:
The testing role progressed to
cover non-financial areas

audit stamp

The Evolution of the

Audit Function
Probity work:
an adaptation of checking accounting
records where the auditors would arrive
unannounced at various locations and
local offices, and perform a detailed series
of tests according to a preconceived audit
program.

The Evolution of the Audit

Function
Non financial systems:
The shift in low-level checking arose
when audit acquired a degree of
separation from the accounting
function with internal audit sections
being purposely established.

The Evolution of the

Audit Function
Chief Auditors:
employing chief internal auditors
(or chief audit executives - CAEs)
with high organizational status.

The Evolution of the

Audit Function
Audit Committees:
Audit committees bring
about the concept of the
audit function reporting to
the highest levels

The Evolution of
the Audit Function

Professionalism

An Exercise

Expectations of internal
auditing

Expectation gap
Management

1)Check

may want internal auditors to:

on junior staff on a regular basis.

2)Investigate fraud and irregularity and present cases to the police
and/or internal disciplinaries.
3)Draft procedures where these are lacking.
4)Draft information papers on items of new legislation or practice.
5)Investigate allegations concerning internal disputes and advise on best
resolutions.
6)Advise on data privacy and security, and check that the rules are
complied with.
7)Identify key risks for senior management.

Expectation gap
It is important not to sacrifice assurance
work by diverting audit resources to
carrying out pure consulting services.

IIA STANDARDS
Attribute Standards: outline what a good
internal audit set-up
should look like.
Performance standards: set a benchmark for
the audit task
Implementation standards: provide guidance
to attribute or
performance
standards

IIA STANDARDS
Attribute Standards:
1000 Purpose, Authority, and
Responsibility
1100 Independence and Objectivity
1200 Proficiency and Due Professional
Care
1300 Quality Assurance and

IIA Standards
(1) Attribute standards
1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit
activity must be formally defined in an internal audit chapter,
consistent with the Definition of Internal Auditing, the Code
of Ethics and the Standards. The CAE must periodically
review the internal audit chapter and present it to senior
management and the board for approval.

IIA Standards
(1)Attribute standards
1100 Independence and Objectivity
The internal audit activity must be independent, and
internal auditors must be objective in performing
their work.

IIA Standards
(1)Attribute standards
1200 Proficiency and Due Professional Care
Engagements must be performed with proficiency and
due professional care.

IIA Standards
(1)Attribute standards
1300 Quality Assurance and Improvement Program
The CAE must develop and maintain a quality
assurance and improvement program that covers all
aspects of the internal audit activity.

IIA STANDARDS
Performance Standards: set a benchmark
for the audit task
2000 Managing the Internal Audit Activity
2100 Nature of Work
2200 Engagement Planning
2300 Performing the Engagement
2400 Communicating Results
2500 Monitoring Progress
2600 Resolution of Senior Managements
Acceptance of Risks

IIA Standards
(2) Performance standards
2000 Managing the Internal Audit Activity
The CAE must effectively manage the internal audit
activity to ensure it adds value to the organization.

IIA Standards
(2) Performance standards
2100 Nature of Work
The internal audit activity must evaluate and
contribute to the improvement of governance, risk
management and control processes using a systematic
and disciplined approach.

IIA Standards
(2) Performance standards
2200 Engagement Planning
Internal auditors must develop and document a plan
for each engagement, including the engagements
objectives, scope and resource allocations.

IIA Standards
(2) Performance standards
2300 Performing the Engagement
Internal auditors must identify, analyze, evaluate and
document sufficient information to achieve the
engagements objectives.

IIA Standards
(2) Performance standards
2400 Communicating Results
Internal auditors must communicate the engagement
results.

IIA Standards
(2) Performance standards
2500 Monitoring Progress
The CAE must establish and maintain a system to
monitor the disposition of the results communicated to
managers.

IIA Standards
(2) Performance standards
2600 Resolution of Senior Managements Acceptance
of Risks
The CAE believes that senior management has accepted
a level of residual risk that may be unaccepted to the
organization, the CAE must discuss the matter with
senior management. If the decision regarding residual
risk is not resolved, the CAE must report the matter to
the board for resolution.

IIA Standards
(3) Practice Guides
GTAG 1: Information Technology Controls
GTAG 2: Change and Patch Management Controls: Critical for Organizational
Success
GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk
Assessment
GTAG 4: Management of IT Auditing
GTAG 5: Managing and Auditing Privacy Risks
GTAG 6: Managing and Auditing IT Vulnerabilities
GTAG 7: Information Technology Outsourcing
GTAG 8: Auditing Application Controls

IIA Standards
(3) Practice Guides
GTAG 9: Identity and Access Management
GTAG 10: Business Continuity Management (BCM)
GTAG-11: Developing the IT Audit Plan
GTAG-12: Auditing IT Projects (Mar. 2009)
GTAG-13: Fraud Prevention and Detection in an Automated World
(December 2009)
GTAG-14: Auditing User-developed Applications (June 2010)
GTAG-15: Information Security Governance (June 2010)
GTAG-16: Data Analysis Technology (August 2011)

IA can assist top management in:

monitoring

activities top management

cannot itself monitor
identifying and minimizing risks
validating reports to senior management
protecting senior management in technical
analysis beyond its ken
providing information for the decisionmaking process
reviewing for the future as well as for the
past

Whatever the new risk-centric

jargon used to describe the audit
role much of the above benefits
described by Sawyer remain
constant. For those embarking on
a career in internal auditing,
these are exciting new times
where the contribution of the
competent auditor will be
immense in helping locate
integrity and transparency right
the forefront of the way large
organizations are governed.

Relationship between External and Internal

Audit
During the course of their planning, the external auditors should perform a
preliminary assessment of the internal audit function, when it appears that certain
internal audit work is relevant to their external audit.
A favorable assessment might allow the external auditors to modify the nature,
timing and extent of external audit procedures.

Relationship between External and Internal

Audit
External auditors may make use of the work of internal audit in forming their
opinion. During the course of their work they will want to measure the effectiveness
of internal audit.
However, it must be stated that external auditors have sole responsibility for their
statutory responsibility to provide an audit opinion.

Is IA Necessary?
The threat of competition and the changing environment mean that the incentive for
review and change is great.
No matter how good a service looks, it can be improved.