
AUI2601 Guide

The document outlines the structure and content of a course on internal auditing offered by the University of South Africa, detailing various topics and learning units related to the purpose, stakeholders, functions, and professional standards of internal auditing. It emphasizes the importance of internal auditing in enhancing governance, risk management, and control processes within organizations. Additionally, it defines internal auditing and its objectives, highlighting the role of internal auditors in adding value and improving organizational operations.

Uploaded by

Kim

© 2024 University of South Africa

All rights reserved

Printed and published by the


University of South Africa,
Muckleneuk, Pretoria

AUI2601/1/2024-2030

10085408

Shutterstock.com images used

Editor and Styler

MNB_Style
CONTENTS
Topic 1: The purpose statement
Learning unit 1: Describing internal auditing
Learning unit 2: Origin and development of internal auditing
Topic 2: Internal audit stakeholders
Learning unit 3: General discussion and description of internal audit stakeholders
Learning unit 4: The relationship between internal auditing and related disciplines
Topic 3: The functional role of internal auditing
Learning unit 5: The functions of management in an organisation
Learning unit 6: The functions and role of the internal auditor in an organisation
Topic 4: Professional matters relating to internal auditing
Learning unit 7: Introduction to the Global Internal Audit Standards
Learning unit 8: Global Internal Audit Standards Domain II Ethics and Professionalism
Learning unit 9: Global Internal Audit Standards – Domain III, IV and V
Topic 5: The internal auditor’s competencies to perform their responsibilities
Learning unit 10: The qualifications and skills of an internal auditor
Learning unit 11: Personal characteristics of an internal auditor
Topic 6: The purpose, responsibilities and liabilities of an internal auditor
Learning unit 12: The purpose, responsibilities and liabilities of an internal auditor
Learning unit 13: The internal auditor’s role and responsibilities with regard to fraud
Topic 7: Concepts relating to internal audit
Learning unit 14: Governance, risk management and control
Topic 8: The internal audit process
Learning unit 15: The internal audit process
Topic 9: Internal audit procedures and tools
Learning unit 16: Internal audit procedures and tools

TOPIC 1
The purpose statement

Contents

Learning unit 1: Describing internal auditing
Learning unit 2: Origin and development of internal auditing

INTRODUCTION TO AND PURPOSE OF THE TOPIC


In this topic, we analyse the nature and objective of internal auditing and analyse
and explain the elements of the definition of internal auditing.

LEARNING OUTCOMES

After you have studied this topic, you should be able to


● explain the theoretical concepts underlying internal auditing in the context of the
technical vocabulary associated with internal auditing with reference to context-
specific examples
● analyse the definition of internal auditing
● describe the purpose and main objectives of internal audit
● describe the main focus areas of an internal audit engagement in terms of the
definition of internal auditing
● describe the misconceptions about internal auditing
● describe the origin and development of internal auditing in terms of the
development of the theoretical basis, professionalism and practice of internal
auditing
● explain the development of internal auditing into a profession by referring to the
Institute of Internal Auditors (IIA)

● describe the history and mission of the IIA as well as certification and membership
of the IIA

Learning unit 1
Describing internal auditing

Contents

1.1 BACKGROUND
1.2 PURPOSE OF INTERNAL AUDITING
1.3 DEFINITION OF INTERNAL AUDITING
1.4 OBJECTIVES OF INTERNAL AUDIT
1.5 MAIN FOCUS AREAS OF INTERNAL AUDIT
1.5.1 ASSURANCE SERVICES
1.5.2 ADVISORY SERVICES
1.6 MISCONCEPTIONS ABOUT INTERNAL AUDITING

Let us begin this introductory module with some background information about
where internal auditing fits into the organisation.

1.1 BACKGROUND
READ

The controlling body (board of directors/control board) and the executive management
(which we will refer to as management) are responsible for establishing the
organisation and then ensuring that it operates successfully and efficiently. The board
of directors is responsible mainly for the governance process (i.e., it establishes and
maintains corporate policies and provides information about its stewardship
accountability), while executive management (management) is responsible for
conducting the risk management and control processes. The audit committee is a
subcommittee of the board overseeing the internal audit activity and external auditors.

Management must set goals; plan what has to be done and what means are to be used;
organise to have the necessary means/people available at the right time; give guidance
(direct), and exercise control to ensure that objectives are met; and keep records of all
activities so that they can give account of their curatorship over the interests of the
stakeholders.

See: Management functions

REFLECTION

Through the adoption of good governance principles, risk management and the system
of internal control, management endeavours to ensure that assets and income are
safeguarded and protected, operational efficiency is promoted, the prescribed
managerial policy is adhered to and carried out and the operational and accounting
justification is accurate, complete, useful and reliable. However, management cannot
perform and monitor all aspects within an organisation independently. After all, many
organisations today are too large and complex.

Management therefore delegates duties and responsibilities to subordinates for
execution. This means that in most organisations, management is not involved in the
day-to-day activities, and instead functions mainly as a policy-making body. As a
result of the gap that has developed between the planning and the performance of tasks,
management needs to be kept informed of the success or failure of the prescribed
practices and to monitor performance relating to delegated tasks and responsibilities
necessary to achieve operational objectives. The board and management need the
internal audit activity to be their “eyes and ears” in evaluating and improving
governance, risk management and control processes; in this respect, the internal audit
activity adds value.

The overall objective of an internal audit is determined by the needs of the board and executive
management, and the internal auditor must ensure that these needs are satisfied by the internal
audit report, which he or she submits to the board and the audit committee.

The internal audit activity generally receives its assignments from management in the form of pre-
planned, approved areas to cover or special requests (ad hoc audits). In the course of their duties,
internal auditors can identify areas that may benefit from exposure to audit, and offer suggestions
to management about possible audit assignments. They therefore not only execute audit
assignments, but may also indirectly initiate them, and then obtain approval from the board and
the audit committee.


REFLECTION

The question is: How do you add value and improve operations?

Here, the job of internal auditors becomes interesting and exciting. Even though there
are managers with knowledge and expertise at all levels in any organisation, the
internal auditors must find something that can be improved upon. You have to make it
better. The advantage internal auditors have is that everything can always be better;
there is always room for improvement, and the internal auditor is in an ideal position
to make this happen, since he or she is employed with the responsibility to look for
ways to improve the whole organisation and to help the organisation accomplish its
objectives.

To enable management to discharge their responsibilities effectively, the internal auditor should
add value by consciously reviewing, analysing and appraising all possible operational variations in
an undertaking, giving constructive criticism and advice and making cost-effective
recommendations by reporting to management on the results of their examinations. Through
improved processes and by adding value to all operations, internal auditors render a service,
directly or indirectly, to all members of the organisation.

In answer to the question “What is internal auditing all about?” we could say the following:
● The internal auditor is concerned with the examination of all forms of operational and financial
activities at all levels of the entity. The internal auditor should always strive for efficiency in
the achievement of results.
● Internal auditors are bound to an organisation, and regularly report to the board and
management of the organisation.
● Internal auditors focus on accomplishing objectives, improving processes and adding value
throughout the organisation.

1.2 PURPOSE OF INTERNAL AUDITING


STUDY

The Content of the Global Internal Audit Standards

Source: www.iiasa.org.za


Domain I of the Global Internal Audit Standards refers to the Purpose of Internal
Auditing. The purpose statement, according to the Global Internal Audit Standards, is
intended to assist internal auditors and internal audit stakeholders in understanding and
articulating the value of internal auditing.

Purpose Statement
Internal auditing strengthens the organisation’s ability to create, protect and sustain
value by providing the board and management with independent, risk-based and
objective assurance, advice, insight and foresight.

According to the Global Internal Audit Standards, Internal Auditing enhances the
organisation’s
● successful achievement of its objectives
● governance, risk management and control processes
● decision-making and oversight
● reputation and credibility with its stakeholders
● ability to serve the public interest
Internal Auditing is most effective when
● it is performed by competent professionals in conformance with the Global
Internal Audit Standards, which are set in the public interest
● the internal audit function is independently positioned, with direct
accountability to the board
● internal auditors are free from undue influence and committed to making
objective assessments

1.3 DEFINITION OF INTERNAL AUDITING


KEY CONCEPTS - STUDY
To understand a field of knowledge, we need to describe (define) it clearly so that we
have an accurate idea of the basic objective(s) and limiting factors relating to it as well
as the methodology followed to attain the objective(s). The definition of internal
auditing is the cornerstone of internal auditing practice. It explains what internal
auditing is and what internal auditors should do.

The Definition of Internal Auditing, as defined by the Global Internal Audit Standards:

Internal auditing is an independent, objective assurance and advisory service designed to
add value and improve an organisation's operations. It helps an organisation accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of governance, risk management, and control processes.

Please memorise this definition and make sure that you understand each one of its
components.

The following aspects of the Definition of internal auditing illustrate the key concepts and services
provided by the internal audit activity:
● Independent and objective
● Assurance services and advisory services
● Add value and improve operations
● Risk management process
● Control process
● Governance process

DISCUSSION - STUDY
Let’s discuss some important aspects of the Definition of Internal Auditing. These
concepts will be discussed in greater detail later on in the module.

Independent and objective


With regard to independence and objectivity, the Global Internal Audit Standards state
that the board establishes and protects the internal audit function’s independence and
qualifications.

The Global Internal Audit Standards defines independence as follows:

Independence is the freedom from conditions that impair the internal audit
function’s ability to carry out its responsibilities in an unbiased manner.
The internal audit function is only able to fulfil the Purpose of Internal
Auditing when the chief audit executive reports directly to the board, is
qualified, and positioned at a level within the organisation that enables the
internal audit function to discharge its services and responsibilities without
interference.

The Global Internal Audit Standards defines objectivity as follows:

Objectivity is an unbiased mental attitude that allows internal auditors to
make professional judgements, fulfil their responsibilities, and achieve the
Purpose of Internal Auditing without compromise. An independently
positioned internal audit function supports internal auditor’s ability to
maintain objectivity.

Assurance services and advisory services


The Global Internal Audit Standards defines assurance services as follows:

Services through which internal auditors perform objective assessments to
provide assurance. Examples of assurance services include compliance,
financial, operational/performance, and technology engagements. Internal
auditors may provide limited or reasonable assurance, depending on the
nature, timing and extent of the procedures performed.

The Global Internal Audit Standards defines advisory services as follows:

Services through which internal auditors provide advice to an
organisation’s stakeholders without providing assurance or taking on management
responsibilities. The nature and scope of advisory services are subject to
agreement with relevant stakeholders. Examples include advising on the
design and implementation of new policies, processes, systems, and
products; providing forensic services; providing training; and facilitating
discussions about risks and controls. “Advisory services” are also known
as “consulting services”.


Add value and improve operations


Adding value and, thereby, enabling continuous improvement, is a necessity for all
organisations. Organisations exist to create value or benefit to their owners, other
stakeholders, customers and clients, and must constantly strive to do things better. This
concept provides purpose for their existence.

The internal audit activity adds value to the organisation (and its stakeholders) when it
provides objective and relevant assurance, and contributes to the effectiveness and
efficiency of governance, risk management, and control processes.

In the process of gathering data to understand and assess risk and control, internal
auditors develop significant insight into operations and opportunities for improvement that
can be extremely beneficial to their organisation. By stating that internal auditing “adds
value and improves”, the definition underscores the profession's commitment to
serving the needs of the organisation and helping the organisation to accomplish its
objectives.

Risk management process


The internal audit activity should assist the organisation in managing risk. It should do
this by identifying and evaluating the organisation's exposure to risk, assessing risk
during engagements and improving the risk management process.

The Global Internal Audit Standards defines risk management as follows:

A process to identify, assess, manage, and control potential events or
situations to provide reasonable assurance regarding the achievement of the
organisation’s objectives.

Thus, a risk is the positive or negative effect of uncertainty on objectives
(organisational objectives).

Control process
The internal audit activity should evaluate the organisation's control process to
determine its effectiveness and efficiency.

The Global Internal Audit Standards defines control processes as follows:

The policies, procedures, and activities designed and operated to manage
risks to be within the level of an organisation’s risk tolerance.

Thus, controls are implemented to minimise or sometimes mitigate potential risks.

Governance process
The internal audit activity should assist the organisation in achieving its goals by
evaluating and improving the process through which (1) goals and values are established
and communicated, (2) the accomplishment of goals is monitored, (3) accountability is
ensured, and (4) values are preserved.

The Global Internal Audit Standards defines governance as follows:

The combination of processes and structures implemented by the board to
inform, direct, manage, and monitor the activities of the organisation
toward the achievement of its objectives.


1.4 OBJECTIVES OF INTERNAL AUDIT


The main objective of internal auditing is determined by the needs of the board of directors and
management of an organisation to assist them in improving the governance, risk management and
control processes as well as the effective discharge of its responsibilities. The internal auditor must
ensure that these needs are addressed in the internal audit report, which should be issued after each
audit engagement.

This can be achieved through the following:
● an interpretation of factual circumstances and events in the organisation that have been
exposed by the internal auditor's examination (reactive evaluation – assurance service)
● constructive and cost-effective suggestions to identify risks and to eliminate problems and/or
to improve the efficiency and effectiveness of the organisation's governance, risk management
and control processes (proactive evaluation – advisory service)

There is a misperception in the business world that the main duty of an internal auditor is to
uncover fraud and error. If internal auditors are to win full professional status and acceptance, they
will have to correct this misperception.

The discovery of fraud and errors is, however, an important factor that an internal auditor needs to
take into consideration in the performance of his or her duties.

1.5 MAIN FOCUS AREAS OF INTERNAL AUDIT


KEY CONCEPTS - STUDY
The focus areas of internal auditing comprise assurance and advisory services. Internal
auditors must consider whether the engagement is intended to provide assurance or
advisory services because stakeholder expectations and the requirements of the Global
Internal Audit Standards differ, depending on the type of engagement.

1.5.1 ASSURANCE SERVICES

Ensure that you refer to and study the definition of assurance services as discussed
under the definition of internal auditing.

The first focus area of the internal audit function is assurance services. Assurance
services are intended to provide confidence about governance, risk management and
control processes to the organisation’s stakeholders, especially the board, senior
management and the management of the activity under review.

Through assurance services, internal auditors provide objective assessments of the
differences between the existing conditions of an activity under review and a set of
evaluation criteria. Internal auditors evaluate the differences to determine whether
there are reportable findings and to provide a conclusion about the engagement results,
including reporting when processes are effective.

In providing assurance services, the role and activities of the internal auditor
may be summarised as follows:
1. reinforcement (supportive function) of all systems and controls (operational,
administrative and financial) by evaluating their adequacy and application
2. reviewing the reliability of records (administrative, operational and financial)
3. assisting directly with the discovery of fraud and error (refer to the internal
auditor's role in fraud)
4. assisting indirectly with the prevention of fraud and error by recommending
and ensuring the proper function of controls
5. determining whether management policies are being complied with in all
respects
6. determining whether all applicable statutory requirements are being complied
with
7. determining whether procedures relating to reporting are being complied with

1.5.2 ADVISORY SERVICES

Ensure that you refer to and study the definition of advisory services as discussed
under the definition of internal auditing.

The second focus area of internal auditing is advisory services. Internal auditors may
initiate advisory services or perform them at the request of the board, senior
management or the management of an activity. The nature and scope of advisory
services may be subject to agreement with the party requesting the services.

The role and activities of the internal auditor in providing consulting services for
internal auditing may be summarised as follows:
1. independence from the normal policy-making function (i.e., the executive
management function) by only identifying and recommending areas of
improvement or change
2. examining and evaluating the goals, policy, decisions, standards, procedures
and controls of management
3. conducting special assignments requested by management where internal audit
can add value through their knowledge and skills, yet remain independent and
act in an advisory capacity based on the results of such assignments
4. communicating authoritatively with management by means of reporting to
improve and add value

1.6 MISCONCEPTIONS ABOUT INTERNAL AUDITING


The main misconception about internal auditing is that it is the same as external auditing (external
auditing is carried out by chartered accountants or CAs).

To clear up this misconception, let’s start by examining the objectives of internal and external
audit:
The external auditor seeks to test the underlying transactions that form the basis of the
financial statements. From these tests, he or she forms an opinion as to whether or not these
statements present a true and fair view.
The internal auditor, on the other hand, seeks to advise management on whether its major
operations have sound systems of risk management and internal controls.


The key differences are summarised in the table below:

TABLE 1.1
The key differences between an internal audit and an external audit

| Factor | Internal audit | External audit |
|---|---|---|
| Organisational structure | Internal audit can be an external contractor or an in-house function. | External audit is an external contractor; never an employee of the company. |
| Objectives | Internal audit forms an opinion on the adequacy and effectiveness of systems of risk management and internal control, many of which fall outside the main accounting systems. | External audit seeks to provide an opinion on whether the accounts/financial statements present a true and fair view of the organisation. |
| Audit coverage | Internal audit covers all the organisation’s operations. | External audit works primarily with those financial systems that have a bearing on the final accounts. |
| Audit time frame | Internal audit performs audits throughout the year. | External audit tends to be a year-end process, even though some testing may be carried out during the year. |
| Staff structure | Staff consists of the Chief Audit Executive (CAE), managers, and senior and junior internal auditors. | Staff consists of partners, managers, seniors and trainees. |
| Staff | Competent persons trained in internal auditing | Qualified CAs and partly qualified accountants |
| Methodology | Risk-based audits – assurance and advisory services | Vouching and verification and some use of risk-based systems approach |
| Certification | Certified Internal Auditor (CIA) | Chartered Accountant (CA) |
| Membership affiliation | Institute of Internal Auditors (IIA) | South African Institute of Chartered Accountants (SAICA) |
| Legislation | Legally required in the public sector, encouraged in the private sector | Legally required for all registered companies and the public sector (small companies may have exemptions) |

Source: Adapted from Spencer Picket (2010:91–94)


A more detailed discussion of the differences between internal and external audit
follows later on in the learning material.

See: Discussion forum: Learning unit 1

Learning unit 2
Origin and development of internal auditing

Contents

2.1 DEVELOPMENT OF INTERNAL AUDIT PRACTICE
2.1.1 DEVELOPMENT IN THE UNITED STATES OF AMERICA (USA)
2.2 DEVELOPMENT OF INTERNAL AUDITING INTO A PROFESSION – THE INSTITUTE OF INTERNAL AUDITORS (IIA)
2.2.1 The History of the IIA
2.2.2 The mission of the IIA
2.2.3 Certifications
2.2.4 Membership
2.2.5 The IIA SA Professional Training Programme (PTP)

2.1 DEVELOPMENT OF INTERNAL AUDIT PRACTICE


READ

If you want to become part of a profession and be a good ambassador for your
profession, you need to know where the roots of such a profession lie. Where did it all
start and why “internal auditing”?

The concept of auditing can be traced back to biblical times. The ancient pharaohs
appointed governors to guard and monitor the building of the pyramids, and the
Greeks and Romans assigned officers to monitor and report on the progress of their
armed forces in the countries they conquered.


In the Middle Ages, the King's representatives kept records of the types and quantities
of items on ships to ensure that the correct amount of tax was paid on each load and
that it had been accurately accounted for. According to research by Flesher, Greek
literature contains information regarding internal investigations performed on Egyptian
farms owned by the Greek ruler Ptolemy Philadelphius II, approximately 500 years
BCE. During these “internal audits” the focus was on improving management's control
over operations – similar to the focus of internal auditing today (Marais 2003:2–3).

Sawyer sums up the development of internal auditing as follows:

Internal auditing evolved from an essentially accounting-oriented craft to a
management-oriented profession.

Although this quotation is brief, it holds the key to understanding the nature of
internal auditing. Throughout your study of this subject, remember that although
internal auditing developed from accounting, it has become a management-oriented
profession, the primary aim of which is to help management achieve their objectives
and add value through improving management processes.

2.1.1 DEVELOPMENT IN THE UNITED STATES OF AMERICA (USA)

TAKE NOTE

The development of internal auditing practice in South Africa (SA) has followed a
similar process to that in the USA.

READ

The following development phases in internal auditing in the United States of America
are distinguished by MJ Barrett in his article in the Internal Auditor of June 1980. The
evolution of internal auditing in the USA is highly representative of international
developments.
● End of the 19th century: The mission of internal auditing, where it existed,
was internal security: detecting theft of cash, valuable rights and goods or
services by employees and others. The company accountant and the external
auditor were responsible for the accuracy of the accounting records and
financial statements.
● The period 1900–1920: The point of view propagated by Frederick W Taylor,
namely, that productivity increases when planning and physical operations are
separated, was accepted. Management's efficiency and accounting controls
were improved by segregating the functions of authorising, executing,
recording and accountability.
● The period 1920–1929: In addition to reporting on financial controls, the
duties of the internal auditor were expanded to include the discovery of fraud
and error. The internal auditor's contribution toward management efficiency
increased during this period.
● The period 1929–1940: The complexity of accounting accountability increased
because of the growth of organisations and the increasing demands of
management, shareholders and authorities for the timely availability of
information. Over and above the discovery of fraud and error, the internal
auditor had to ensure that every transaction was properly authorised and
correctly documented and accounted for, which meant a further expansion of
responsibilities.
● The post-1940 period: Higher standards of business responsibility were set for
company management by the public and shareholders. The involvement of
company directors in management affairs increased inter alia through audit
committees. Businesses grew and expanded further. All these factors
contributed to an increased demand and need for the services of internal
auditors.

The establishment of the first institute of internal auditors in the USA in 1941 brought about an
important change in the internal auditing task. One of the considerations that motivated a small
group of internal auditors to establish the institute was the need to expand the task of internal
auditors to include assisting (supporting) the management of organisations with management
functions while maintaining their independence by not taking over management's responsibility.

The adoption of the Foreign Corrupt Practices Act of 1977, and the role of the Securities and
Exchange Commission (SEC) and the Inspector General Act had the greatest impact on the
demand for and acceptance of internal auditors in the USA.

Due to Enron and other scandals, members of the US Congress felt that the existing process of
establishing auditing standards was not working. The result was the Sarbanes-Oxley Act (SOA),
which was passed in 2002. With SOA, the importance of internal audit as a key component of
corporate governance was enforced.

The original goal of assisting management was only really achieved during the 1980s. Currently,
informed and responsible internal auditors regard this task as their most important function.
Conducting an auditing practice in which management assistance is the goal is very much in line
with the current Definition of Internal Auditing.

During the 1990s, the research foundation of the IIA in the USA carried out extensive research
into the function and responsibilities of internal auditors as well as the knowledge they need to
acquire. This research led to the most comprehensive report on the current nature and function of
internal auditing, which was published in 1999 under the title Competency Framework for Internal
Auditors (CFIA). These research results brought about a drastic change of direction in internal
auditing, since the emphasis shifted from reactive to proactive internal auditing.

During the 1990s, two other important research reports were published, which had an important
influence on the practice of internal auditing.

The first of these two reports, which are referred to above, was published in the USA in 1992 by
the Committee of Sponsoring Organisations of the Treadway Commission (COSO), first in four
volumes and then, in 1994, in two volumes. The second report, which took the COSO report
further, was published in 1995 by the Criteria of Control Boards of the Canadian Institute of
Chartered Accountants (the CoCo report). The content of these reports shifted the emphasis away
from the traditional internal control over the activities of an organisation to the full spectrum of
components of control of an organisation, of which internal control over the activities of the
organisation is only one. See: COSO

In both these reports, and the CFIA, major emphasis is placed on the identification and evaluation
of risk in an organisation.


These developments led researchers to the conclusion that the broad development of internal
auditing practice has now moved into the third paradigm phase, namely the risk phase.

This new paradigm rests on three main pillars:


● organisational objectives
● risks associated with the achievement of these objectives
● controls for managing these risks

The publication of the COSO and CoCo reports and the Competency Framework for Internal
Auditors (CFIA) laid the foundation for the recent important new approach in internal auditing
practice as well as for the Definition of Internal Auditing and the International Professional
Practice Framework (IPPF), now the Global Internal Audit Standards (2024).

All the above developments jointly form the basis for the current proactive approach to internal
auditing practice.

See: ERM and Risk-based auditing

You can access the executive summary of this report directly at: Enterprise Risk Management |
COSO.

A serious financial fraud crisis in the USA led to the promulgation of the Sarbanes-Oxley Act in
July 2002, which dramatically curtailed many of the non-audit functions of external auditors,
further expanding and strengthening the position of internal auditors.

This Act requires the chief executive officer and chief financial officer to certify that their internal
controls operate to safeguard material financial business processes. A requirement that supports
the need for and use of internal audit is included in the Common Body of Knowledge (CBOK).

To understand, shape, and advance the profession, the Institute of Internal Auditors Research
Foundation (IIARF) has carried out the most comprehensive global study ever conducted on the
internal audit profession. This study, CBOK, has produced a rich database of information on how
the profession is being practised worldwide. For more information, see CBOK Resource Exchange
(theiia.org).

2.2 DEVELOPMENT OF INTERNAL AUDITING INTO A PROFESSION – THE INSTITUTE OF INTERNAL AUDITORS (IIA)

The Institute of Internal Auditors supports the profession and prepares internal auditors worldwide
with a real community, relevant resources and professional development to mitigate current and
future risks, provide assurance, add real value and elevate the impact of their organisations.

Professionalism and Internal Auditors


STUDY

Established in 1941, The Institute of Internal Auditors (IIA) is an international
professional association with global headquarters in Lake Mary, Florida, USA. The
IIA is the internal audit profession’s global voice, recognised authority, acknowledged
leader, chief advocate and principal educator. Members work in internal auditing, risk
management, governance, internal control, information technology audit, education
and security.

2.2.1 The History of the IIA


Historians have traced the origins of internal auditing back to ancient times, specifically centuries
before the birth of Christ, when merchants would authenticate receipts for grain that was being
transported to the market. The profession experienced significant growth during the 19th and 20th
centuries because of the expansion of corporate business. Many people link the founding of The
IIA to the origin of contemporary internal auditing.

The year 1941 marked a breakthrough. Victor Z Brink is the author of the inaugural book on
internal auditing. Simultaneously, John B Thurston, an internal auditor employed at the North
American Company in New York, had been considering the creation of an association for internal
auditors. He and Robert B Milne collaborated on an internal auditing subcommittee established by
the Edison Electric Institute and the American Gas Association. They concurred that the most
effective way to advance the recognition of internal auditing was to establish an autonomous
organisation for internal auditors. Upon seeing Brink's book, Thurston, along with the other two
individuals, convened and realised that they shared the same goal of advancing the importance of
internal auditing.

Brink, Milne and Thurston, as the organising committee, reached out to a select group of internal
audit practitioners across the United States who had shown interest in establishing a national, and
maybe international, organisation for internal auditors. The IIA's certificate of incorporation was
submitted on 17 November 1941. Shortly before the inaugural annual meeting on 9 December
1941, held at the Williams Club on 24 East 39th Street in New York City, 24 individuals were
granted membership as charter members. Thurston was chosen as the inaugural president of The
IIA.

Membership experienced rapid growth. The initial membership of 24 grew to 104 by the
conclusion of the first year, and further expanded to 1,018 by the end of five years. Over 70 years
later, The IIA has evolved into a thriving international organisation, with a membership of over
200,000 individuals across the globe.

2.2.2 The mission of the IIA


The IIA’s mission (obtained from www.theiia.org) is to provide dynamic leadership for the global
profession of internal auditing. Activities in support of this mission will include, but will not be
limited to:
● advocating and promoting the value internal audit professionals add to their organisations
● providing comprehensive professional educational and development opportunities, standards
and other professional practice guidance and certification programs
● researching, disseminating and promoting knowledge concerning internal auditing and its
appropriate role in control, risk management and governance to practitioners and stakeholders
● educating practitioners and other relevant audiences on best practices in internal auditing.
● bringing together internal auditors from all countries to share information and experiences

2.2.3 Certifications
Why should you become certified?
Earning a professional credential is essential for strengthening your knowledge base and being
distinguished from your peers. Wherever your journey takes you, there is an IIA credential that
can certify your success.

The road to the IIA certifications

Source: https://www.theiia.org/en/certifications/

Internal audit practitioner


This certification supports students as well as new and rotational auditors on their journey into
internal auditing. The Internal Audit Practitioner designation is a great way to demonstrate internal
audit aptitude.

For more information, visit https://www.theiia.org/en/certifications/iap/.

Certified Internal Auditor (CIA)


According to the IIA, since 1974, there has only been one internal audit designation that has
garnered global recognition, career advancement and professional credibility – the CIA
certification, with 50 years of setting the gold standard. Earning the CIA credential is investing in
gold.

To obtain the CIA designation, members of the IIA need to write and pass a three-part
examination, pass all three parts in less than three years, and comply with experience requirements.

An overview of the three-part examination:


● Part 1 – Essentials of auditing – Foundations of internal auditing, independence and
objectivity, proficiency and due professional care, quality assurance and improvement
programme, governance, risk management and control, and fraud risk
● Part 2 – Practice of Internal Auditing – Managing the internal audit activity, planning the
engagement, performing the engagement, communicating engagement results & monitoring
progress
● Part 3 – Business knowledge for Internal Auditing – Business acumen, information security,
information technology, financial management

The requirements for candidates pursuing the CIA are as follows:
● A bachelor’s degree is required (qualification requirement)
● Successfully passing each of the three exam parts in less than three years
● Obtaining two years of internal auditing or equivalent experience.
● Membership of the IIA and adhering to the IIA’s Code of Ethics

For more information, visit https://www.theiia.org/en/certifications/cia/.

Certification in Risk Management Assurance (CRMA)


This certification is for internal auditors who have already obtained the CIA designation, and have
at least five years’ experience in internal auditing and/or risk management.

Earning the CRMA helps address the impact of risk and demonstrates that you have the ability to
● provide assurance on core business processes in risk management and governance
● educate management and the audit committee on risk and risk management concepts
● offer quality assurance and control self-assessment
● add value for your organisation as a trusted advisor.

For more information, visit https://www.theiia.org/en/certifications/crma/.

2.2.4 Membership
According to the IIA (https://www.theiia.org/en/membership/), you can expect the following
benefits from being a member of the IIA:
● Networking and connecting – Enjoy local networking programs, along with national and
international conferences.
● Saving and discounts – Save on in-person, online and on-demand learning opportunities, along
with the Certified Internal Auditor (CIA) designation.
● Learning and leading – Access exclusive guidance on day-to-day issues affecting internal
auditors worldwide.
● News and views – Stay informed and up to date with the latest trends, opinions and headlines
for Internal Auditor Magazine.
● Standards and guidance – Access exclusive guidance on day-to-day issues affecting internal
auditors worldwide.
● Volunteer and contribute – Develop leadership skills and help transform the profession as an
IIA committee or board volunteer, event presenter or contributing author in one of its many
information outlets.

2.2.5 The IIA SA Professional Training Programme (PTP)


The Professional Training Programme comprises two learnership programs registered under the
jurisdiction of Higher Education and Training.

The programs include organised workplace training, targeted training modules, periodic
evaluations and a concluding assessment based on competencies. The curriculum is a preliminary
step, leading to the completion of the worldwide CIA (Certified Internal Auditor) certification.


A learnership is a work-based learning program and is similar to "articles" or "training contracts"
in other employment fields. Essentially, it comprises two components - an educational component
(formal classroom instruction) and a structured practical training component (workplace
instruction). It relates to a profession and, when completed, results in the awarding of a
qualification or designation.

The two IIA SA training programs are officially registered at the following NQF levels:
IAT - Internal Audit Technician - NQF level 7 # 20358
GIA - General Internal Auditor - NQF level 8 # 20359

For more information about the learnership programs, visit the IIA at the following link:

Professional Training Program (PTP) - Institute of Internal Auditors South Africa (IIA SA)

TOPIC 2
Internal audit stakeholders

Contents

Learning unit 3: General discussion and description of internal audit stakeholders
Learning unit 4: The relationship between internal auditing and related disciplines

INTRODUCTION AND PURPOSE OF THE TOPIC


In this topic, we explain the relationship between internal auditing and the most
important related functions with which the internal auditor comes into contact,
namely the board, the audit committee, and management.

Because of the special relationship between internal and external auditing, we also
pay particular attention to cooperation between internal and external auditors.

LEARNING OUTCOMES

When you have worked through this topic, you should be able to
● explain the relationship between internal auditing and various other related
disciplines
● explain the relationship between internal auditing and management in an
organisation
● explain the relationship between internal auditing and external auditing
● explain the relationship between internal auditing and the board
● explain the relationship between internal auditing and the audit committee

Learning unit 3
General discussion and description of internal audit stakeholders

Contents

3.1 INTERNAL AUDIT STAKEHOLDERS
3.2 THE VALUE OF INTERNAL AUDITING FOR STAKEHOLDERS
3.3 BUILDING RELATIONSHIPS AND COMMUNICATING WITH STAKEHOLDERS

3.1 INTERNAL AUDIT STAKEHOLDERS


REFLECTION

Internal auditors regularly engage with diverse individuals and entities both within and
outside the organisation. To accomplish their goals, they must comprehensively
understand others and the dynamics within their groups. Internal auditors, due to the
nature of their work, might potentially compromise the security of individuals within
the organisation. Internal auditors must possess a keen awareness of the requirements
of others and be skilled at harmonising the needs of specific subgroups with the
overarching needs of the organisation. Internal auditors must possess strong
communication skills, the ability to articulate their ideas coherently, and collaborate
well within a team. They need to comprehend the functioning of both individuals and
groups.


KEY CONCEPTS - STUDY


The Global Internal Audit Standards defines stakeholders as follows:

A party with a direct or indirect interest in an organisation’s activities and
outcomes. Stakeholders may include the board, management, employees,
customers, vendors, shareholders, regulatory agencies, financial institutions,
external auditors, the public and others.

3.2 THE VALUE OF INTERNAL AUDITING FOR STAKEHOLDERS


As an organisational stakeholder, you understand that effective governance, risk management, and
internal controls are crucial for the success and long-term sustainability of a corporation. Internal
auditing supports management and the governing body (such as the board, audit committee,
government entities) in fulfilling their duties by employing a methodical and rigorous approach to
evaluate the efficiency of the design and implementation of the internal control system and risk
management processes.

DISCUSSION - STUDY
Study the following article on “The value of internal auditing for stakeholders” and
ensure that you can answer the following question:

What unique value does internal auditing bring stakeholders?

See “the-value-of-ia-for-stakeholders.pdf” in Additional Resources

REFLECT

Refer to the purpose of internal auditing in topic 1. See: Purpose. It is clear from the
purpose statement that the internal audit function enhances the organisation’s
reputation and credibility with its stakeholders.

3.3 BUILDING RELATIONSHIPS AND COMMUNICATING WITH STAKEHOLDERS

Assurance services are intended to provide confidence about governance, risk management and
control processes to the organisation’s stakeholders, especially the board, senior management,
and the management of the activity under review. Refer to the definitions of assurance services and
advisory services discussed in Topic 1. See: ADVISORY AND ASSURANCE SERVICES.

The Chief Audit Executive (CAE) guides the internal audit function to communicate effectively
with its stakeholders. (GIAS Principle 11: Communicate Effectively)

KEY CONCEPTS - STUDY


In the Global Internal Audit Standards, Principle 11 Communicate Effectively, refers
to the communication with the stakeholders. See: PRINCIPLE 11 DISCUSSION


According to Principle 11 of the Global Internal Audit Standards, the chief audit
executive (CAE) guides the internal audit function to communicate effectively with its
stakeholders. Effective communication requires building relationships, establishing
trust, and enabling stakeholders to benefit from the results of internal audit services.
The chief audit executive (CAE) is responsible for helping the internal audit function
establish ongoing communication with stakeholders to build trust and foster
relationships.

Global Internal Audit Standards - Standard 11.1 Building Relationships and Communicating with Stakeholders (Requirements)

The chief audit executive must develop an approach for the internal audit function to
build relationships and trust with key stakeholders, including the board, senior
management, operational management, regulators, and internal and external
assurance providers and other consultants.

The chief audit executive (CAE) must promote formal and informal communication
between the internal audit function and stakeholders, contributing to the mutual
understanding of:
● Organizational interests and concerns.
● Approaches for identifying and managing risks and providing assurance.
● Roles and responsibilities of relevant parties and opportunities for
collaboration.
● Relevant regulatory requirements.
● Significant organizational processes, including financial reporting.

STUDY

Study the Considerations for Implementation and the Examples of Evidence of
Conformance that relate to Standard 11.1

Global Internal Audit Standards (theiia.org)

READ

For more detail, you can read the following article: “Drivers of stakeholders’ view of
internal audit effectiveness”.

EM-MAJJ170035 90..114 (emerald.com)

Learning unit 4
The relationship between internal auditing and related disciplines

Contents

4.1 THE RELATIONSHIP WITH THE BOARD
4.2 THE RELATIONSHIP WITH THE AUDIT COMMITTEE
4.3 THE RELATIONSHIP WITH MANAGEMENT
4.4 THE RELATIONSHIP WITH EXTERNAL AUDITING

4.1 THE RELATIONSHIP WITH THE BOARD


The board is the authoritative group responsible for establishing the strategic vision and guiding
the operations of an organisation. The board has the responsibility for an organisation’s activities.

According to the Global Internal Audit Standards, the board oversees the internal audit function to
ensure the function’s effectiveness.

KEY CONCEPTS - STUDY


The Global Internal Audit Standards defines the board as follows:

The highest-level body charged with governance, such as:


● A board of directors.
● An audit committee.
● A board of governors or trustees.
● A group of elected officials or political appointees.
● Another body that has authority over the relevant governance functions.


In an organisation that has more than one governing body, “board” refers to the body/bodies
authorised to provide the internal audit function with the appropriate authority,
role, and responsibilities.

If none of the above exist, “board” should be read as referring to the group or person
that acts as the organisation’s highest-level governing body. Examples include the
head of the organisation and senior management.

Principle 6 of the Global Internal Audit Standards - Authorized by the Board states that the
board establishes, approves, and supports the mandate of the internal audit function. The internal
audit function receives its mandate from the board. The mandate empowers the internal audit function to
provide the board and senior management with objective assurance, advice, insight, and foresight.

Standard 6.1 Internal Audit Mandate
● Board: The board must approve the internal audit mandate.
● CAE: The chief audit executive (CAE) must provide the board with the information
necessary to establish the internal audit mandate.
● Joint: The board and the chief audit executive (CAE) must discuss and agree upon the
internal audit function’s mandate.

Standard 6.2 Board Support
● Board: The board must support the internal audit function, ensuring its recognition
throughout the organisation.
● CAE: The chief audit executive must provide the board with the information it needs to
support and ensure recognition of the internal audit mandate throughout the organisation.

STUDY

Study the following in the Global Internal Audit Standards:


● Domain III – Principle 6 Authorized by the Board
– Standard 6.1 Internal Audit Mandate – Requirements, considerations for
implementation, examples of evidence of conformance
– Standard 6.2 Internal Audit Charter – Requirements, considerations for
implementation, examples of evidence of conformance. See:
DISCUSSION ON INTERNAL AUDIT CHARTER
– Standard 6.3 Board and Senior Management Support – Requirements,
considerations for implementation, examples of evidence of conformance

Global Internal Audit Standards (theiia.org)

Principle 8 of the Global Internal Audit Standards – Overseen by the Board states
that the board oversees the internal audit function to ensure the function’s effectiveness.
Board oversight is essential to enable the overall effectiveness of the internal audit
function.


Standard 8.1 Board Interaction
● Board: The board must interact with the internal audit function to understand the
effectiveness of the organisation’s governance, risk management and control processes.
● CAE: The chief audit executive (CAE) must provide the board with the information
needed to conduct its oversight responsibilities.

Standard 8.2 Resources
● Board: The board must ensure the internal audit function has sufficient resources to
fulfil the internal audit mandate and achieve the internal audit plan.
● CAE: The chief audit executive (CAE) must propose a strategy to obtain sufficient
resources and must inform the board when internal audit resources are insufficient to
fulfil the internal audit mandate and achieve the internal audit plan.

Standard 8.3 Quality: The board must ensure that the CAE develops, implements, and
maintains a QA and improvement program (QAIP).

Board Responsibilities
● The board must ensure that the CAE implements and maintains a QAIP.
● The program must include two types of assessments:
– External assessments. (See Standard 8.4 External Quality Assessment.)
– Internal assessments. (See Standard 12.1 Internal Quality Assessment.)
● At least annually, the board must approve the internal audit function’s performance
objectives.
● The board must conduct or participate with senior management in an annual
assessment of the CAE’s performance.

CAE Responsibilities
● The CAE must develop, implement, and maintain a QAIP that covers all aspects of
the internal audit function.
● At least annually, the CAE must communicate the results of the internal quality
assessment to the board. Such communications include:
– The internal audit function’s conformance with the Standards and achievement of
performance objectives.
– Plans to address the internal audit function’s deficiencies and opportunities for
improvement.


Standard 8.4 External Quality Assessment: The board must ensure an external quality
assessment of the internal audit function is conducted at least every five years.
● The external quality assessment requires a comprehensive review of the adequacy of the
internal audit function:
– Mandate, charter, strategy, methodologies, processes, risk assessment, and internal
audit plan.
– Conformance with the Global Internal Audit Standards.
– Performance criteria and measures as well as assessment results.
– Competencies, including the sufficient use of tools and techniques and focus on process
improvement.
– Integration into the organization’s governance process, including the relationships
between and among those involved in that process.
– Contribution to the organization’s governance, risk management, and control processes.
– Contribution to the improvement of the organization's operations and ability to attain its
objectives.
– Effectiveness and efficiency in meeting expectations codified by the board, senior
management, and stakeholders.

STUDY

Study the following in the Global Internal Audit Standards:


● Domain III – Principle 8 Overseen by the Board
– Standard 8.1 Board interaction – Requirements, considerations for
implementation, examples of evidence of conformance (Only part relevant
to the board)
– Standard 8.2 Resources – Requirements, considerations for implementation,
examples of evidence of conformance (Only part relevant to the board)
– Standard 8.3 Quality – Requirements, considerations for implementation,
examples of evidence of conformance (Only part relevant to the board)
– Standard 8.4 External quality assessment – Requirements, considerations
for implementation, examples of evidence of conformance (Only part
relevant to the board)

Global Internal Audit Standards (theiia.org)

4.2 THE RELATIONSHIP WITH THE AUDIT COMMITTEE


Board committees aid the board in carrying out diverse functions. The audit committee has a
special relationship with the internal audit function.

Establishing an audit committee comprising public members, independent of management,
safeguards independence and provides ongoing oversight, advice and feedback.


REFLECTION

Refer to learning unit. See: AUDIT COMMITTEE for background information about
the audit committee.

STUDY

To enhance a good relationship between the audit committee and the internal audit
function, the following practices should be followed.
● The chief audit executive should have the following dual-reporting
responsibilities: See: INDEPENDENCE
– functionally to the audit committee
– administratively to the chief executive officer
● The chief audit executive should have ready access to the audit committee.
● The chief audit executive should have direct and regular communication with
the audit committee.
● The chief audit executive should attend audit committee meetings.
● The chief audit executive should regularly meet privately with the audit
committee (without management's representatives in attendance).
● The audit committee should approve the appointment or removal of the chief
audit executive.
● The audit committee should be advised by the chief audit executive concerning
his or her relationship with the external auditors (and on how the internal and
external audits are progressing).

It is important that you understand the type of communication or relationship
that should be established between the chief audit executive and the audit
committee, assuming that the chief audit executive still reports to the chief
executive officer.

Functions usually performed by audit committees
To understand the relationship of the internal auditor with the audit committee of an
organisation, you need to study the function of an audit committee. Audit committees,
as a subcommittee of the board of directors, should have an audit committee charter.
Investigating the content of the charter gives a good summary of the responsibilities
and characteristics of audit committees. See: INTERNAL AUDIT CHARTER
LEARNING UNIT

Functions performed by the audit committee in relation to the internal audit function
● Approve the internal audit charter.
● Approve decisions regarding the appointment and removal of the chief audit
executive. Ensure there are no unjustified restrictions or limitations, and review
and concur in the appointment, replacement or dismissal of the chief audit
executive.
● Approve the annual audit plan and all major changes to the plan. Review the
internal audit function’s performance relative to its plan.
● Review with the chief audit executive the internal audit budget, resource plan,
activities and organisational structure of the internal audit function.
● At least once per year, review the performance of the chief audit executive and
concur with the annual compensation and salary adjustment.
● Review the effectiveness of the internal audit function, including conformance
with the Global Internal Audit Standards.
● On a regular basis, meet separately with the chief audit executive to discuss any
matters that the committee or internal audit believes should be discussed
privately.

4.3 THE RELATIONSHIP WITH MANAGEMENT


To understand the relationship between internal auditing and management, you need a thorough
understanding of the nature of internal auditing and knowledge of the principles of business
management.

REFLECTION

From your understanding of the nature of internal auditing, the role and function of
internal auditing in an organisation should be clear to you. To perform his/her duties
professionally, the internal auditor should use the principles of efficient management
of an organisation as the point of departure and frame of reference when evaluating the
efficiency of the management of an organisation.

See: LEARNING UNIT 1.1 and 1.2 TOPIC 1

The achievement of suitable standards of economy, efficiency and effectiveness should be the goal
of all managers if they want to discharge their responsibilities toward their organisations to the
best of their ability. Not only is the relationship between general management and internal auditing
a close one; the two disciplines are for all intents and purposes inseparably intertwined: to a large
extent, managers and internal auditors are required to think in the same way.

This means that the internal auditor should analyse every normal management function of an
organisation into its component elements, and then evaluate them against generally accepted
management practices.

While it is the manager's primary responsibility to apply the various management functions (see:
MANAGEMENT FUNCTIONS) continually according to efficient management principles, it is
the internal auditor's task to make sure that the manager has discharged his or her responsibilities
in the best possible manner, and to assist in improvements where needed. The results of the
manager's activities constitute the information that the internal auditor must evaluate. If the
internal auditor discovers any deviations, then he or she must use his or her professional
judgement to decide what to do about them in the interest of the organisation. Because of the
nature of the work internal auditors do, they have a very close relationship with management –
they discuss, recommend and consult with management after each audit to improve and correct
any findings.

The internal audit function’s administrative reporting includes activities such as


● financial resource management (Standard 10.1)
● human resources (HR) administration (Standard 10.2)
● technological resources (Standard 10.3)
● budgeting
● management accounting
● the administration of internal policies and procedures

4.4 THE RELATIONSHIP WITH EXTERNAL AUDITING


REFLECTION

We previously mentioned that auditing, in a broad context, is a critical review/evaluation
process to which information is subjected with the aim of reporting.
Reporting is the main objective of both external and internal auditing.

In the case of internal auditing, the critical review or evaluation is executed to report to interested
parties within the organisation. The review and reporting would cover any matter that could
assist members of the organisation in the effective discharge of their responsibilities.

In the case of external auditing, the critical review/evaluation is executed to report to interested
parties both externally and internally. The review and reporting deal mainly with the expression
of an opinion pertaining to the fairness or otherwise of the financial statements rendered, the
state of affairs of the business and the results of the client's business operations or activities.

Although internal auditing and external auditing have numerous interests and functions in
common and use the same tools and techniques, their underlying objectives, approaches and
responsibilities differ in the following respects:
● External auditors express an opinion on the acceptability of the client's financial statements,
while it is not normally expected of the internal auditor to express an opinion to third parties.
● External auditors may rely on the reviews of internal auditors as an aid in performing their own
audits.
● External auditors are responsible for evaluating the system of internal control as it relates to the
financial statements to determine whether they can rely upon it. Management is responsible for
implementing and maintaining the system of internal control. The internal audit function forms
part of the complete system of internal control and functions as a detective control but does not
itself form a direct link in the process of control. Internal auditors will extend their review of
controls to the areas not completely covered in the normal course of events by the external
auditor as well as to areas that fall outside the external auditor's normal area of responsibility.

REFLECTION

Refer back to Topic 1 and ensure that you know the differences between internal
auditing and external auditing. See: TOPIC 1 INT VS EXT AUDIT

Cooperation and coordination between the internal and external auditors to reflect the
interrelationship between the two disciplines

Although this topic deals with the relationship between internal auditing and related functions, the
relationship and cooperation between internal and external auditors is highly relevant to our
discussion.

Cooperation with external auditors constitutes an important part of the activities of internal
auditors. You, therefore, need to be fully informed about the form this cooperation takes.


External auditors are under increasing pressure to fulfil their duties with greater efficiency,
because of demands by organisations for lower audit fees, prompter completion of audits and
because of competition within the profession. They must, therefore, strive to provide better service
at a lower cost. This can only be achieved by making proper use of the audit aids at their disposal.
One such aid is the internal auditor.

The internal audit function serves primarily as a strengthening factor in the system of internal
control of an undertaking. Management places an obligation on the internal auditor to execute his
or her duties effectively within the limits of his or her budget. The external auditor's main
objective when examining the system of internal control is to test its compliance with presumed
control measures and to determine the extent to which it can be relied upon to produce reliable
financial information. The external and internal auditor can, therefore, be of great assistance to one
another, as their conclusions regarding the effectiveness of the system of internal control are
directly related to both their responsibilities in the area of internal control.

Interaction between the two groups evolved from the possibility of utilising one another's services
and abilities as an aid in achieving their individual audit objectives. The effectiveness of this
arrangement naturally depends on the maintenance of a strong professional relationship.

Mutual confidence
Because both groups share certain objectives and certain areas of work, it is in both their interests
to promote a cooperative relationship to render a more cost-effective and efficient service.

In their attempts to promote better relations, the parties must bear the following in mind:
1. Their interaction must have as its object the optimum utilisation of audit aids.
2. The role and responsibilities of both groups of auditors differ substantially because internal
auditors report to management and external auditors to the owners (shareholders).
3. In terms of the internal auditor's responsibility to management, he or she may not be allowed
to discuss certain matters with the external auditors.
4. The external auditor may decide not to disclose certain suspicious or confidential matters to
the internal auditor.

Right of access to records


External auditors have the right of access to all documents of a company (including the internal
auditor's records). They are also entitled to require from the personnel of a company (including the
internal auditor) such information and explanations as they deem necessary for the performance of
their duties.

The internal auditor, however, does not have the same right of access to the records of the external
auditor, or any right to obtain assistance from the external auditor in the performance of his or her
duties. There should be access to each other’s audit programs and working papers for the
determination of the degree of reliance on the other's work. Access, on both parts, must be carried
out with respect for the confidentiality of the working papers.

Nature and advantages of a good relationship


The relationship between the external auditor and the internal auditor must develop in such a way
as to promote the interaction necessary to ensure economical auditing. At the same time, this
relationship must aim to provide an efficient service to the undertaking.

Such a relationship is possible only if there is agreement between the external and internal auditors
regarding their mutual objectives and those matters where their interests overlap. The following
can be regarded as areas in which interests would overlap:
● the effectiveness of risk management and the system of internal control
● the effectiveness of the undertaking
● the completeness and accuracy of the financial information
A good relationship between the external and internal auditor will have the following three
advantages for the parties and the undertaking concerned:
1. An opportunity is created for interaction that is advantageous to the external auditor, the
internal auditor and the undertaking, because time and money are saved in this way.
2. The external auditor can reduce the extent of his or her audit procedures and audit tests if he or
she intends to rely on the work of the internal auditor.
3. The internal auditor has the assurance that an independent person is evaluating the internal
audit function and that he or she will provide objective recommendations. This review by the
external auditor enables the internal auditor to evaluate the results obtained in the past by the
internal audit function, and the review can also serve as a guideline for future action and
improvements.

Factors which can give rise to a poor relationship


The following factors could give rise to a poor relationship:
1. There may be lack of initiative on the part of both parties.
2. Failure on the part of the external auditor to acknowledge the role and experience of the
internal auditor.
3. The opinion of certain external auditors is that internal auditors are not capable and
well-trained.
4. Uncertainty regarding the extent to which external auditors can rely on the work of internal
auditors.
5. The policy of using internal audit personnel to assist the external auditor can disrupt the
smooth implementation of the internal audit department's own work programme, which is a
continuous, risk-based programme, not aimed at year-end audits. This could cause the
rescheduling of the internal auditor's planning in order to make personnel available to the
external auditor.
6. Internal auditors are perhaps not particularly willing to help external auditors. They may feel
that internal auditors are being used as “second class” auditors performing work that is outside
their actual work environment, which the external auditor does not want to do.

Mutual trust
The degree of trust that the external auditor is prepared to place in an undertaking's system of
internal control depends on how effective he or she finds that system to be.

The internal audit function is a vital part of the system of internal control and is a valuable aid in
ensuring that the system and procedures are efficiently maintained.

Owing to the fact that the internal audit function is part of the overall system of internal control,
the external auditor must evaluate the effectiveness of the internal audit department. The external
auditor must determine whether he or she can rely on the work of the internal audit function and
its personnel to reduce his or her audit tests.


The external auditor may decide to rely on the work of the internal auditor and in that way reduce
his or her own tests, or make use of the internal auditor's services to perform certain audit duties
on his or her behalf. However, where the external auditor relies on the internal auditor, he or she
must be careful not to make use of the internal auditor for activities performed or controlled by the
internal auditor personally. This is necessary to ensure that the internal auditor's objectivity will
not be affected.

The nature of the trust


The reliance which the external auditor may place on the work of the internal auditor can take two
forms:
First, the external auditor may rely on the work performed by the internal auditor in the normal
course of his or her duties. By evaluating and testing the risk management process and
the system of internal control and by reporting to management, the internal auditor increases
the reliability and accuracy of financial accountability. The internal auditor's involvement in
risk management and the system of internal control will normally influence the scope and nature
of the tests and evaluations performed by the external auditor. The greater the confidence
that the external auditor places in the internal auditor's evaluation, the more attention can be
devoted to reviews in those areas that the internal auditors identified as problem areas.
Second, the external auditor may, at the request of the internal auditors, place reliance on
audit work performed by the internal auditors.
The first-mentioned tests are broader in scope than the second group. They are designed and
performed by the internal auditor as part of his or her own objectives and routine work, which are
compatible with the objectives of the external auditor. Tests of the second kind are more limited in
scope because only specific tests are performed (as prescribed by the external auditor for specific
purposes). When the external auditor plans to rely on the work of the internal audit function, it is
important that he or she should take the annual plan or work programme of the internal audit
department into consideration, and this is usually scheduled on a yearly basis. The nature and
scope of his or her requests and of his or her own tests should be adapted accordingly, if necessary.

Problems that may arise as a result of this can be overcome if the external auditor and the internal
auditor coordinate their work programmes early in the year. Where necessary, cooperative work
plans should be drafted to prevent unnecessary interference and/or work disruption in the internal
audit department.

Limitations in connection with the work of the internal auditor


The results of the external auditor's evaluation of the efficiency of the internal audit function, the
factors concerning the materiality of the areas or items that are to be audited, the audit risk
involved and the level of judgment required of him or her will all directly influence the degree to
which he or she will make use of the internal auditors' services in his or her examinations.
However, before relying on the work of the internal auditors, the external auditor should consider
certain restrictions and dangers, such as the following:
1. The employer/employee relationship places restrictions on the objectivity and independence of
the internal auditors because they are responsible to management, which determines the
objectives and scope of the internal audit function in the organisation.
2. External auditors are concerned primarily with the fairness of the financial statements, and
their tests must be performed in accordance with generally accepted auditing standards.
Internal auditors, on the other hand, are concerned primarily with the wider concept of
operational or managerial efficiency.
3. The external auditor cannot delegate responsibility for his or her professional opinion. He or
she must not rely excessively on the internal audit function, regardless of its quality and scope.
If the internal auditor becomes too closely involved, the external auditor's insight and
judgment could be detrimentally affected.
4. The decision to make use of internal audit time to reduce external audit time loses its value if
the external auditor has to perform additional tasks to determine whether his or her reliance on
the internal auditor is justifiable. Audit efficiency is not fully utilised if the external auditor
has to test a substantial part of the work performed by the internal audit function in key areas.
5. The reliance placed on the work of internal auditors by external auditors has not yet attracted
the attention of the courts. As no definite standards have been developed as yet to regulate the
relationship between the external auditor and the internal auditor, it can be assumed that the
onus will rest on the external auditor to prove (a) the extent to which he or she relied on the
work of the internal auditors; and (b) that he or she had exercised due care.

Similar risks are likely to be encountered under South African conditions. Therefore, the internal
auditing profession in South Africa must formulate standards to serve as guidelines for the
external auditor in his or her relationship with the internal auditor and the utilisation of the latter's
work.

Mutual cooperation and coordination


The International Institute of Internal Auditors specifically requires the chief audit executive to
coordinate the work of the internal and external auditors to ensure sufficient audit coverage and
keep duplication to a minimum.

Standard 9.5 – Coordination


The Global Internal Audit Standards state that the chief audit executive must coordinate with
internal and external providers of assurance services and consider relying upon their work.
Coordination of services minimises duplication of efforts, highlights gaps in coverage of key risks,
and enhances the overall value added by providers.

STUDY

Study the following in the Global Internal Audit Standards:


● Domain IV – Principle 9 Plan Strategically
– Standard 9.5 Coordination and Reliance – Requirements, considerations for
implementation, examples of evidence of conformance


Nature and extent of cooperation


Internal and external auditors can complement each
other in many different ways. The internal auditors can
place the external auditor in a position where the latter
can use and rely on the work of the internal audit
department, since much of the work performed by the
internal audit department is useful to the external
auditor in his or her audit of the client’s financial
information. The external auditor can assess the extent
to which the internal audit department is complying
with the standards prescribed by the International
Institute of Internal Auditors and propose additional
procedures if necessary.

The following supportive actions could contribute to productive cooperation and coordination
between the external and internal auditors:
1. A common audit methodology. Both groups adopt a common approach to audit work. For
example, both groups of auditors would use similar auditing procedures and standardised audit
working papers in the performance of the financial audit process.
2. Joint training programmes. These are useful only if they occur selectively and deal with
matters of mutual interest (e.g., general audit techniques, flow charting, statistical sampling,
interviewing skills).
3. Joint planning of audit work. Planning could be undertaken by the two groups with each
other's audit plans at their disposal, and joint audit plans could be developed. The reciprocal
availability of audit plans is not all that important, however, as the external auditor needs to
maintain the element of surprise and objectivity, which are in keeping with external auditing.
It is, however, necessary to develop a joint audit plan in respect of those areas in which the
external auditor intends to use the services of the internal auditor.
4. Direct assistance with each other’s projects. An exchange of resources creates further
cooperation as the available audit skills base is added to as and when required. It is doubtful,
however, whether this proposal will receive sufficient support. Furthermore, it is doubtful
whether internal and external auditors would agree to work under each other's authority.
5. Exchange of audit reports on matters of mutual interest, and the follow-up on suggestions
and recommendations by the other party.
6. Direct support in that working papers are at each other's disposal. It is doubtful, however,
whether this proposal will receive sufficient support. External auditors, specifically, will not be
inclined to release their working papers in order to assist the internal auditors, because of
considerations of confidentiality.
7. Periodic meetings where aspects of mutual interest regarding their audit responsibilities are
discussed.
8. A professional attitude toward each other and mutual respect for each other's professional
responsibilities.
9. The evaluation by internal and external auditors of the effectiveness of each other's work
and reporting on this to management. External auditors have an interest in the efficiency
with which the internal audit function is performed, because it falls within the normal scope of
their responsibility to report to management on the efficiency and effectiveness of the internal
control system as a whole. Although internal auditors do not have a similar responsibility, a
sound and objective evaluation of each other's efficiency may serve as an incentive to improve
the quality of both the internal and the external audit activities.
Source: Adapted from Spencer Pickett (2010:96–97)

Advantages of cooperation
Good cooperation between the external and internal auditors has the following advantages:
1. Reports issued by the internal and external auditors and schedules of tests performed by them
support the quality of the internal control and the extent to which set procedures were
followed.
2. The internal auditor's working documents may include descriptions and assessments of the
internal control system, which could prove to be very useful to the external auditor when he or
she needs to determine which areas are to be examined.
3. If the internal auditor renders assistance with the examination of the day-to-day affairs, the
external auditor will be able to concentrate on areas of greater importance.
4. As a result of the greater inside knowledge and experience of the internal audit group, the
external auditors will be able to gain more knowledge of the business activities and operations
of their client.
5. The assistance given by the internal audit department could have a material effect on reducing
the external audit fee and could mean considerable savings for the undertaking. The degree of
saving will be directly related to the experience and effectiveness of the internal audit group,
and the materiality of the duties they perform.
6. Good cooperation and coordination promote and improve relationships between external and
internal auditors and the client.
7. Good cooperation can enhance the status of the internal audit function.

Disadvantages of cooperation
Despite the advantages listed above, there are also certain disadvantages and problems associated
with close cooperation and interdependence between the internal and external auditors. These are:
1. Cost-saving must take into consideration the actual cost of both groups of auditors. It is not
always possible to calculate the actual cost saving because the allocation of internal and
external audit time is not normally done on the same basis.
2. A decision to alter the audit work plan of the internal audit function must be taken, bearing in
mind the work that would otherwise be performed by the internal audit function. The planning
of the work of the internal audit function is normally associated with the usual business
operations of the undertaking in relation to the current year and not with the year-end work of
the external auditor. An unplanned re-scheduling of the internal auditor's work plan might
result in a delay in the normal flow of operations of the internal audit function (resulting in
additional costs for the undertaking).
3. The use of the internal auditors to perform certain duties for the external auditors may cause
resentment among the internal audit personnel. They may feel that they are being prevented
from performing their actual work, and that they are being used as “second class” auditors to
perform work in which the external auditor does not want to be involved.


TOPIC SUMMARY
Because of its nature and functions, internal auditing does not take place in a vacuum.
To carry out his or her function successfully, the internal auditor requires knowledge of
a variety of important related functions. In this topic, we discussed the relationship
between the most important functions related to internal auditing. The part that each of
these functions plays in internal auditing was also explained.

TOPIC 3
The functional role of internal auditing

Contents

Learning unit 5: The functions of management in an organisation
Learning unit 6: The functions and role of the internal auditor in an organisation

INTRODUCTION AND PURPOSE OF THE TOPIC


In this topic, the functions of management of an organisation and the place and role
of the internal audit function in an organisation are described.

LEARNING OUTCOMES

When you have worked through this topic, you should be able to
● describe the functions of management in an organisation
● demonstrate the functions of the internal auditor in an organisation in terms of the
context of the technical vocabulary associated with internal auditing and the audit
process
● explain the position of the internal audit function in the organisational plan of an
undertaking and the relationship with other parties in the organisation
● illustrate the different roles of the internal audit function in an organisation in terms
of the Standards
● identify the advantages associated with an internal audit function as well as the
need for internal auditing with reference to the internal audit process and the nature
of internal audit work

Learning unit 5
The functions of management in an organisation

Contents

5.1 BACKGROUND
5.2 PLANNING
5.3 ORGANISING
5.4 DIRECTING
5.5 CONTROL

5.1 BACKGROUND
READ

In the internal auditing environment, we often refer to concepts such as “management”,
“management's duties” and “managerial function”, and it is necessary to begin by
briefly examining these concepts.

Our objective in this section is merely to outline, as a background, some basic
concepts within the framework of management that an internal auditor often
encounters and of which he/she should know.

Management implies authority, especially in respect of policy formulation and
decision-making. The characteristics of authority are logical thinking, rational actions,
the use of all operational aids, methods and techniques as well as clear communication
of policies and decisions from the top downwards through the various ranks,
accompanied by reporting and accountability upwards along the same line of seniority.

Management is responsible for the progress, maintenance and functioning of the
organisation, through adequate planning, organising, directing and control. Before
internal auditors can maximise their assistance, however, they must fully understand
each of the four management functions and how the work of the internal auditor can
provide vital support in each area.

KEY CONCEPTS
The four functions of management are the following:
● Planning
● Organising
● Directing
● Controlling

These four functions will now be discussed in more detail:

5.2 PLANNING
READ

Planning relates to the main purpose(s) of the organisation and includes the setting of
both short-term and long-term objectives. It requires knowledge of or research into the
technological aspects of the business that the organisation is in, the physical and
mechanical resources available, the operating methods, techniques or strategies, policy
and the staff situation. All these elements must be considered within the limits
imposed by the capacity and marketing potential of the products that the organisation
manufactures or trades in, or the service that the organisation renders.

Organising, directing and controlling should always be planned properly in advance to
ensure the most harmonious relationship possible between these basic elements of
successful management.

STUDY

Sawyer and Dittenhofer (2003) have the following to say about the planning function
of management:

Planning precedes all other management functions. It is necessarily the
first of the four functions of management, because from plans flow organisation,
direction, and control. Every organisation must fit the plans of the
entity. All direction is pointed at moving people toward planned objectives
and goals. All controls should be designed to make sure that plans will be
carried out effectively, efficiently, and economically.

All planning is strategic or tactical. Strategic planning is long-term, whereas tactical
planning is short-term. A primary purpose of strategic planning is to help managers
cope with future contingencies. It involves developing the organisational mission and
objectives, and the means to achieve them. Strategic plans include tax planning, capital
budgeting, personnel planning and product planning. Tactical plans relate to the
day-to-day operations of the enterprise; production scheduling is an example.

Planning involves managers at all levels of the organisation. Plans are decisions to take
certain steps. However, they should be flexible, adjusting to circumstances. If they are
to be successful, they should be coordinated among functions and be cost-effective.

Planning addresses several management fundamentals, such as setting and determining
the following:
● Mission, that is, the basic function or task of an organisation.
● Objectives and goals of the organisation that guide the enterprise toward its
mission.
● Authoritative direction and control (governance) of the organisation, of which
risk management is an important aspect.
● Strategies that implement the objectives and are the broad, overall concepts of
an operation.
● Principles that are general guides for action.
● Policies that are general guides, namely, individual thinking for action.
● Procedures, which are specific guidelines that prescribe action; a sequence of
steps to accomplish a task.
● Rules, which are the simplest form of plans; they must be followed as stated
and allow for no discretion.
● Standards, which are norms against which activities are measured.
● Premises, which are the assumptions on which plans are based.
● Budgets, which give quantitative expression to an entity's plans.
● Decision-making, which is problem-solving. It is a planning function and is
therefore future-oriented.

5.3 ORGANISING
READ

Organising brings together people and processes in logical groupings to carry out plans
and meet objectives. Good organisation is no guarantee of success, but poor
organisation will almost inevitably bring about failure, because it breeds conflict and
frustration.

Organisation charts show the structure of the organisation. However, they illustrate
only a small part of an executive's activities and interfaces. Since they are static
representations, they need to be revised constantly if the organisation is dynamic. They
may imply what is not stated, namely that departments on the same level of the
hierarchy do not have the same status. Some executives feel that organisation charts do
more harm than good because of the danger of misinterpretation, rigidity, and the
failure to record changing and complex relationships.

Organisation charts do have benefits, however: they can show the chain of command –
the hierarchy, accountability and responsibility of the organisation's executives. They
can be designed to show the basic function of each position, and they provide a
valuable overview of the organisation.

STUDY

The following basic management concepts fall under “organising”:


● Responsibility, the obligation to perform.
● Authority, the right to perform, to command, to enforce compliance, derived
from responsibility.
● Accountability, the obligation of workers and managers to give a reckoning/feedback
and take responsibility for what they have accomplished or failed to
accomplish, derived from responsibility.
● Delegation includes assigning responsibility, granting authority and exacting
accountability.
● Span of control refers to the number of subordinates a supervisor can efficiently
and effectively manage.
● Staff and line – line people make “line decisions”. Staff people advise them.
Functional authority is the assignment of some of the chief executive's
authority to a staff organisation or an individual.
● Departmentalisation divides the organisation into distinct groupings to perform
assigned tasks.
● Decentralisation divides large complex organisations into smaller business
units that are relatively compact and simple.
● Committees – a committee is a group of people who work together on some
aspect of a management function.
● Informal groups are composed of unstructured relationships among members
that disregard the organisation chart.
● Staffing includes personnel planning, recruiting, selecting and developing
people to operate the organisation competently.

5.4 DIRECTING
READ

Early theories of directing were founded on the classical school of thought and grew
out of the military concept of a commander issuing orders. This changed with the
advent of the behavioural school. Effective leadership was seen as stemming from
acceptance by subordinates of the leader and their willingness to obey. Executives
must find the link between the individual's needs and those of the organisation and
achieve harmony between them. Authority is effective only if subordinates accept it.

STUDY

Sawyer and Dittenhofer (2003:1085) define directing as:

The function of moving resources toward objectives and goals. Successful
directing depends on the motivation of those directed. The reason why people
are motivated to perform well is based on many complex factors. These
include their background and training, the group with which they work,
and the work situation itself.

Directing or guidance as a management function represents the following:


● Communication of organisational or managerial policy to subordinates,
especially heads of departments.
● The communication of goals and strategies through procedural manuals (or the
holding of staff meetings or even the establishment of guidance committees).
● The motivation of staff so that they adhere to managerial policy. Because of the
practice of delegation, the most important aspect of directing is the
communication along a descending line of authority of information regarding
general procedures, goals, objectives and strategies.
● Directing is also dependent upon knowledge of what is happening at the
operating levels. All forms of reporting, but especially reporting of operational
and accounting information, are essential elements since directing involves
decision-making, adaptation to changing circumstances, and the resulting
reformulation of policy, goals and strategies. A continuous two-way flow of
information is needed, which ensures feedback from the bottom up as input for
management; this in turn leads to a top-down flow of guidelines or policies to
ensure a continuous adjustment of operations to reach objectives.

5.5 CONTROL
READ

Control over all forms of delegated duties is not only a managerial aid but is actually
the achievement of efficient and successful management.

Control is exercised by managers at all levels, from the chief executive officer to
the floor supervisor. Different terms have been used to describe various forms of
control – these include management control, executive control, administrative control,
financial control and accounting control. However, they all refer to the same function;
the difference lies in the objectives they are designed to meet.

STUDY

Sawyer and Dittenhofer (2003:1093–1099) define controlling as:

The process of making certain that directed action is carried out as
planned to achieve some desired objective or goal. Controlling and planning
are linked. Indeed, controlling cannot operate effectively without the
tools provided by planning. Some devices, such as budgets, are used both
to plan and to control.

Control can be described as a closed system consisting of a series of six main
elements:
1. Setting performance standards to provide a means of measuring and comparing
events and establishing permissible variations.
2. Measuring performance or progress to accumulate information on existing
conditions.
3. Analysing performance or progress and comparing it with standards to
determine variances.

4. Evaluating deviations and bringing them to appropriate attention to determine
causes and effective corrective action.
5. Correcting deviations from standards to see that objectives and goals will be
met.
6. Following up on corrective action to determine its effectiveness.

Control is associated with achieving the following objectives:
● Ensuring adherence to managerial policy
● Ensuring correct utilisation of all physical, mechanical and supervisory
resources
● Achieving compliance with planned procedures
● Ensuring obedience to the rules regarding documentation and authorisation
● Achieving the delimitation of executive powers in the decentralised and
delegated areas of authority
● Setting minimum standards of compliance
● Measuring results against expected standards
● Introducing and maintaining an efficient system of internal accounting controls
● Achieving efficient reporting on all activities

Management's control functions endorse their involvement and responsibilities
regarding the entire undertaking and all its business operations.

DISCUSSION
In conclusion, we can say that planning, organising, directing and control are the
distinguishing subprocesses of active management. The success with which they are
applied is reflected in the results achieved. These results, in turn, are the measures of
the effectiveness with which management has discharged its responsibilities. When
examining and evaluating the organisation’s operations, the internal auditor should take
each of these subprocesses into account.

Learning unit 6
The functions and role of the internal auditor in an organisation

Contents

6.1 INTRODUCTION
6.2 THE PLACE OF THE INTERNAL AUDIT FUNCTION IN THE ORGANISATIONAL STRUCTURE OF AN ENTITY
6.2.1 POSSIBLE REPORTING LINES FOR THE INTERNAL AUDIT FUNCTION
6.3 THE ROLE OF THE INTERNAL AUDIT FUNCTION IN AN ORGANISATION
6.3.1 THE INTERNAL AUDITOR AS ADVISER TO MEMBERS OF THE ORGANISATION
6.3.2 THE INTERNAL AUDITOR AS A CONTROL FUNCTION
6.4 THE ADVANTAGES OF THE INTERNAL AUDIT FUNCTION IN AN ORGANISATION
6.4.1 THE NEED FOR INTERNAL AUDITING
6.4.2 THE ADVANTAGES FOR INTERNAL AUDITING

6.1 INTRODUCTION
READ

In this learning unit, we discuss in detail what is expected of an internal auditor and his
or her relationship with all levels of management. We will be covering
1. the position of the internal audit function in the organisational structure of an
undertaking
2. the role of the internal audit function in an organisation
3. the need for and advantages of an internal audit

6.2 THE PLACE OF THE INTERNAL AUDIT FUNCTION IN THE ORGANISATIONAL STRUCTURE OF AN ENTITY
REFLECTION

Before continuing with this section, reflect on Topic 1 section 1.2: the Purpose of the
Internal Audit Function.

READ

An important element in the success of an internal audit function is the extent of
support and acceptance it enjoys from top management and the board. It is unlikely
that the internal audit function will receive the necessary support and acceptance from
the rest of the staff if top management and the board do not support it. This makes
support from and acceptance at the highest level extremely important to the internal
auditor.

In both the USA and SA there is an encouraging tendency toward greater involvement
and interest in the internal audit function on the part of the board and top management.
This indicates a greater acceptance by the board and top management of the internal
audit function as a valuable tool, which in turn results in wider staff support for
internal audit.

STUDY

The internal audit function should be an integral part of the organisation and should
function under the policies established by executive management and the board.
Internal audit is accountable to both the board and executive management, providing
them with reasonable assurance regarding the effectiveness of the company's corporate
governance, risk management processes and systems of internal control. In addition, as
an advisory activity, internal audit adds value and recommends improvements where
opportunities arise to do so.

Internal auditors should take full advantage of the opportunities offered by increased
contact with the board and top management. In doing this they will improve their
knowledge and skills to render a more efficient service. This, in turn, should lead to
even greater acceptance and support for internal auditors throughout the organisation.

Internal auditors render a service to the management and the board of directors of an
organisation. However, we need to remember that internal auditors work for and are
paid by the organisation, and it is vital that they maintain their independence. This
creates a challenge.

Given this situation, do you think it is possible for internal auditors to be totally
independent?

No, in fact, it isn’t, but internal auditors must nevertheless strive to achieve the greatest
measure of independence possible in the situation in which they find themselves.

KEY CONCEPTS
See Learning unit 1.3

The Global Internal Audit Standards – Domain I states as follows:

Internal auditing is most effective when:


● The Internal Audit Function is independently positioned with direct
accountability to the board.
● Internal auditors are free from undue influence and committed to making
objective assessments.

Independence
The Global Internal Audit Standards states as follows:

The board establishes and protects the internal audit function’s independence and
qualifications.

Principle 7 of the Global Internal Audit Standards states as follows regarding independence:
Independence: The board is responsible for enabling the independence of the internal audit
function. Independence is defined as the freedom from conditions that impair the internal
audit function’s ability to carry out its responsibilities in an unbiased manner. The internal
audit function is only able to fulfil the Purpose of Internal Auditing when the chief audit
executive reports directly to the board, is qualified, and is positioned at a level within the
organisation that enables the internal audit function to discharge its services and
responsibilities without interference.

Objectivity
The Global Internal Audit Standards states as follows:

Internal auditors maintain an impartial and unbiased attitude when performing internal
audit services and making decisions.

Principle 2 of the Global Internal Audit Standards states as follows regarding objectivity:
Objectivity is an unbiased mental attitude that allows internal auditors to make professional
judgments, fulfil their responsibilities, and achieve the Purpose of Internal Auditing without
compromise. An independently positioned internal audit function supports an internal
auditor’s ability to maintain objectivity.

STUDY

So, what does independence mean for internal auditors?

Independence means that internal auditors


● must not be involved in or be responsible for any performance matters within
an activity being audited
● must be able to develop auditing programmes without being influenced
● must have full access to all evidence and members of staff wherever this is
required for the purposes of the audit
● must be objective in collecting and evaluating information and evidence
● must be able to prepare audit reports on any matters they consider necessary

Independence consists of two important elements:


1. Organisational independence of an internal audit function.
2. Individual objectivity.

1. Organisational independence of an internal audit function


An organisation that recognises the importance of placing the internal audit function at a level that
would maximise its effectiveness and enable it to evaluate the efficiency of the risk management,
controls and governance processes that are in place often does so by appointing someone to a senior
management position described in the Global Internal Audit Standards as a Chief Audit Executive
(CAE). The Chief Audit Executive (CAE) is a senior employee within the organisation, who is the
head of the internal audit function and is responsible for internal audit activities.

The organisational independence of the internal audit function is directly influenced by the
following two factors:
● The level of responsibility conferred on the internal audit function within the organisation,
which naturally reflects the value that management attaches to the work performed by the
internal auditors. This is an indicator of the degree of acceptance by top management of the
role played by the internal auditors.
● The level of management to which the CAE, as the head of the internal audit function, reports.
This is an indicator of the internal auditor's degree of access to top management.

The “organisational plan” refers to the plan according to which management groups together
organisational units or departments whose activities are compatible, to create a logical flow of
operations for the transfer, or taking over, of duties and responsibilities at specified strategic points
so that the objectives of the undertaking can be achieved, and the management policy carried out
as smoothly and efficiently as possible.

To establish the correct organisational status of the internal audit function, the organisational plan
must be carefully constructed, and the position of internal audit must allow the internal auditors to
be independent.

Principle 7 – Standard 7.1 describes how organisational independence should be established
within the internal audit function. The Standard does not prescribe any fixed solution, but it does
require that the organisational level of the internal audit function should be such that internal
auditors enjoy the necessary access to and support from executive management to enable them to
carry out their duties free from interference and to obtain the cooperation of the auditees.

KEY CONCEPTS
Principle 7 – Standard 7.1 Organisational Independence

Principle 7: The internal audit function is only able to fulfil the Purpose of
Internal Auditing when the chief audit executive reports directly to the
board, is qualified, and is positioned at a level within the organisation that
enables the internal audit function to discharge its services and
responsibilities without interference.

STUDY

In the Global Internal Audit Standards, you need to study the following:
● The requirements stipulated in Standard 7.1 for Organisational
Independence
● The essential conditions for organisational independence that relate to the
Board and senior management
● Considerations for implementation of Standard 7.1 Organisational
Independence
● Examples of evidence of conformance of Standard 7.1
Global Internal Audit Standards (theiia.org)

According to the Global Internal Audit Standards, the following essential conditions relate to
the organisational independence of the Internal Audit Function:

The role of the Board with regard to organisational independence:


● Establish a direct reporting relationship with the chief audit executive and the internal audit
function to enable the internal audit function to fulfil its mandate.
● Authorise the appointment and removal of the chief audit executive.
● Provide input to senior management to support the performance evaluation and remuneration
of the chief audit executive.
● Provide the chief audit executive with opportunities to discuss significant and sensitive matters
with the board, including meetings without senior management present.
● Require that the chief audit executive be positioned at a level in the organisation that enables
internal audit services and responsibilities to be able to be performed without interference from
management. This positioning provides the organisational authority and status to bring matters
directly to senior management and escalate matters to the board where necessary.
● Acknowledge the actual or potential impairments to the internal audit function’s independence
when approving roles or responsibilities for the chief audit executive that are beyond the scope
of internal auditing.
● Engage with senior management and the chief audit executive to establish appropriate
safeguards if chief audit executive roles and responsibilities impair or appear to impair the
internal audit function’s independence.
● Engage with senior management to ensure that the internal audit function is free from
interference when determining its scope, performing internal audit engagements and
communicating results.

The role of senior management with regard to organisational independence:


● Position the internal audit function at a level within the organisation that enables it to perform
its services and responsibilities without interference, as directed by the board.
● Recognise the chief audit executive’s direct reporting relationship with the board.
● Engage with the board and the chief audit executive to understand any potential impairments to
the internal audit function’s independence caused by non-audit roles or other circumstances
and support the implementation of appropriate safeguards to manage such impairments.
● Provide input to the board on the appointment and removal of the chief audit executive.
● Solicit input from the board on the appointment and removal of the chief audit executive.

Considerations for implementation relating to organisational independence:


Internal auditing is most effective when the internal audit function is directly accountable to the
board, defined as "functional reporting to the board," rather than to management for the operations
it assures and advises on. A direct reporting relationship between the board and the chief audit
executive allows the internal audit function to deliver audit services and convey engagement
outcomes without interference or unnecessary constraints.

The chief audit executive functionally reports to the board, whereas the administrative reporting is
often to a member of management. This facilitates access to senior management and the ability to
challenge management's viewpoints. To attain this authority, it is standard practice for the
chief audit executive to report administratively to the chief executive officer or its equivalent.

A few situations that may introduce impairments to independence include:


● The chief audit executive lacks direct communication or interaction with the board.
● Management attempts to limit the scope of the internal audit services that were previously
approved by the board and documented in the internal audit charter.
● Management attempts to restrict access to the data, records, information, personnel, and
physical properties required to perform the internal audit services.
● The budget for the internal audit function is reduced to a level that leaves the function unable
to fulfil its responsibilities as outlined in the internal audit charter.

Examples of evidence of conformance relating to organisational independence:
● The internal audit charter, which documents the internal audit function’s reporting relationships
● The internal audit charter documenting board approval of long-term non-audit roles and
responsibilities and corresponding safeguards to independence, including the expected duration
of the roles, responsibilities, and safeguards and how the effectiveness of the safeguards will
be evaluated periodically
● Documented methodologies to be followed when an impairment is suspected or identified
● Formal action plans that outline specific safeguards to address independence concerns.
● Documentation of assurance services to be provided by other internal or external providers as a
safeguard to independence
● Minutes or other documentation evidencing the board’s approval of the appointment or
removal of the chief audit executive
Source: Adapted from Global Internal Audit Standards

KEY CONCEPTS
Principle 2 – Maintain objectivity.
Internal auditors maintain an impartial and unbiased attitude when
performing internal audit services and making decisions.

Objectivity is an unbiased mental attitude that allows internal auditors to make professional
judgements, fulfil their responsibilities and achieve the purpose of internal auditing without
compromise. An independently positioned internal audit function supports an internal auditor’s
ability to maintain objectivity.

Principle 2 consists of three standards, which will be discussed:


● Standard 2.1 Individual Objectivity: Internal auditors must maintain professional objectivity
when performing all aspects of internal audit services.
● Standard 2.2 Safeguarding Objectivity: Internal auditors must avoid conflict of interest and
must not be unduly influenced by their own interests.
● Standard 2.3 Disclosing impairments to objectivity: Details of impairment must be disclosed.

Standard 2.1 Individual Objectivity

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 2 – Maintain Objectivity
● Standard 2.1 Individual Objectivity
● The requirements stipulated in Standard 2.1 for individual objectivity
● Considerations for implementation of Standard 2.1 Individual Objectivity
● Examples of evidence of conformance of Standard 2.1
Global Internal Audit Standards (theiia.org)

Global Internal Audit Standard 2.1 - Individual Objectivity


Internal Auditors must maintain professional objectivity when performing all aspects of
internal audit services. Professional objectivity requires internal auditors to apply an impartial
and unbiased mindset and make judgments based on balanced assessments of all relevant
circumstances. Internal auditors must be aware of and manage potential biases.

Considerations for implementation relating to Standard 2.1 Individual Objectivity:


Objectivity implies that internal auditors perform their responsibilities without compromise or
subordination of their judgment to others. Conducting objective assessments requires an unbiased
perspective, free of prejudice and external pressures, which is essential to delivering
objective assurance and advice to the board and senior management. Internal auditors must
develop an understanding of how situations, activities and relationships may influence their ability
to be objective.

Internal auditors must acknowledge that humans tend to misinterpret information or make
assumptions and errors, which impairs the objective evaluation of information and evidence.

Examples of biases include but are not limited to:


● Self-review bias – lack of critical perspective when reviewing one’s own work, which may
lead to overlooking mistakes or shortcomings
● Familiarity bias – making assumptions based on past experiences, which may compromise
professional scepticism
● Prejudice or unconscious bias – misinterpretation of information, based on predisposed ideas
about culture, ethnicity, gender, ideology, race, or other characteristics, which may cause
inaccurate judgments

Examples of evidence of conformance relating to Standard 2.1 Individual Objectivity:
● References in the internal audit charter to the internal auditor’s responsibility for maintaining
objectivity
● Policies and procedures related to objectivity
● Records of planned and completed objectivity training, including a list of participants
● Attestation forms that confirm internal auditors’ awareness of objectivity’s importance and the
obligation to disclose any potential impairments
● Documented disclosures of potential conflicts of interest or other impairments to objectivity
● Notes from supervisory reviews and mentoring of internal auditors
Source: Adapted from Global Internal Audit Standards

Standard 2.2 Safeguarding Objectivity

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 2 – Maintain Objectivity
● Standard 2.2 Safeguarding Objectivity
● The requirements stipulated in Standard 2.2 for safeguarding objectivity
● Considerations for implementation of Standard 2.2 Safeguarding
Objectivity
● Examples of evidence of conformance of Standard 2.2
Global Internal Audit Standards (theiia.org)

Impairment to organisational independence and individual objectivity may include, but is not
limited to, personal conflict of interest, scope limitations, restrictions on access to records,
personnel, properties, and resource limitations, such as funding.

Global Internal Audit Standard 2.2 - Safeguarding Objectivity


Internal auditors must recognise and avoid or mitigate actual, potential, and perceived
impairments to objectivity.

Requirements relating to Standard 2.2 Safeguarding Objectivity:


Internal auditors must not accept any tangible or intangible item, such as a gift, reward, or favour,
that may impair or be presumed to impair objectivity.

When performing internal audit services:


● Internal auditors must refrain from assessing specific activities for which they were previously
responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance
services for an activity for which the internal auditor had the responsibility within the previous
12 months.
● If the internal audit function is to provide assurance services where it had previously
performed advisory services, the chief audit executive must confirm that the nature of the
advisory services does not impair objectivity and must assign resources such that individual
objectivity is managed.
● If internal auditors are to provide advisory services relating to activities for which they had
previous responsibilities, they must disclose potential impairments to the party requesting the
services before accepting the engagement.

Considerations for implementation relating to Standard 2.2 Safeguarding Objectivity:

Objectivity is impaired when circumstances, actions, or relationships can affect internal auditors'
judgments and decisions, consequently influencing internal audit findings and conclusions.

Internal auditors must exercise their judgment concerning additional circumstances that may
impair or be assumed to impair objectivity.

Conflicts of interest arise when an internal auditor possesses a conflicting professional or personal
interest that might impede the unbiased performance of internal audit responsibilities.

Examples of conflicts of interest include situations, actions and affiliations that may, in fact or
appearance,
● oppose or compete with the organisation's interests
● establish the potential for inappropriate financial or personal gain
● be established exclusively to safeguard against prospective or actual loss or damage
● exhibit nepotism or extend favouritism to specific individuals

The organisation's and/or the internal audit function's policies may restrict certain activities or
relationships that could lead to a conflict of interest.

Internal auditors should apply their understanding of objectivity and relevant policies and
procedures to assess whether any circumstances, actions or affiliations could impair, or be
considered to impair, their objectivity. The perceptions of others should be considered.

Examples of evidence of conformance relating to Standard 2.2 Safeguarding Objectivity:
● Policies and procedures for identifying potential impairments and necessary safeguards
● Records of objectivity training
● Documentation through which internal auditors attest that they either have no known
impairments or have disclosed potential impairments
● Notes from supervisory review
● Remuneration plan
● Plans showing alternative provisions to fulfil the internal audit plan activities where
impairments to objectivity were unavoidable
Source: Adapted from Global Internal Audit Standards

Standard 2.3 Disclosing Impairments to Objectivity

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 2 – Maintain Objectivity
● Standard 2.3 Disclosing Impairments to Objectivity
● The requirements stipulated in Standard 2.3 Disclosing Impairments to
Objectivity
● Considerations for implementation of Standard 2.3 Disclosing
Impairments to Objectivity
● Examples of evidence of conformance of Standard 2.3
Global Internal Audit Standards (theiia.org)

Global Internal Audit Standard 2.3 Disclosing Impairments to Objectivity


If objectivity is impaired in fact or appearance, the details of the impairment must be
disclosed promptly to the appropriate parties.

Requirements relating to Standard 2.3 Disclosing Impairments to Objectivity:


If internal auditors become aware of an impairment that could compromise their objectivity,
they are required to inform the chief audit executive or an appointed supervisor. Should the chief
audit executive ascertain that an impairment is compromising an internal auditor's capacity to
execute tasks objectively, the chief audit executive is obligated to discuss it with the management
of the activity under review and determine the appropriate actions to rectify the matter.

If the chief audit executive's objectivity is impaired, either in reality or in appearance, the chief
audit executive must inform the board of the impairment.

Considerations for implementation relating to Standard 2.3 Disclosing Impairments to Objectivity:

The requirements for disclosing impairments to objectivity are generally outlined in the
methodology of the internal audit function and describe the actions that need to be implemented
for each impairment to objectivity. The chief audit executive, in collaboration with the board and
senior management, normally establishes the approach for disclosing and managing impairments
to objectivity.

If an impairment to objectivity cannot be avoided, the chief audit executive may consider options
to manage the impairment, including
● reassigning internal auditors to remove the impaired internal auditor from the engagement
● rescheduling an engagement to ensure it is properly staffed
● adjusting the scope of an engagement
● outsourcing the performance or supervision of the engagement

Examples of evidence of conformance relating to Standard 2.2 Safeguarding Objectivity:
● Internal audit methodologies for disclosing objectivity impairments
● Documentation disclosing the presence or affirming the absence of objectivity impairments
● Records of the disclosure of objectivity impairments and the response from and/or approval of
the mitigation by appropriate parties

6.2.1 POSSIBLE REPORTING LINES FOR THE INTERNAL AUDIT FUNCTION
DISCUSSION

The decision to whom the chief audit executive should report is vital for the
effectiveness of the internal audit function's independence. In practice, we find that
the chief audit executive may report to any or a combination of the management
functions listed below:
1. Governing body – board of directors/control board/committee
2. Top executive management
3. Chief Executive Officer (CEO)
4. Chief Financial Officer (CFO)
5. Audit Committee (as a subcommittee of the board of directors)

The advantages and disadvantages of each of these forms of reporting, as well as
the compromise method of dual reporting, are discussed in greater detail below.

1. Governing body – board of directors/control board/committee and top executive management

Direct reporting to the top executive management (board of directors or managing director) holds
great advantages for the independence and accessibility of the internal audit function.

REFLECTION

The following question, however, arises in this case: What is the primary purpose of
the internal audit function in an organisation? Is it the rendering of assistance as a
service to management or is it to serve as a control over management?

If the primary accent is on rendering assistance and a service to management, it is
logical that the internal audit function should fall under the guidance and control of
management and should, therefore, report to them.

A compromise (dual reporting) could be agreed upon and the chief audit executive of internal
auditing would then report to
● the board of directors regarding functional responsibilities
● executive management regarding (operational) matters
An important aspect to bear in mind when reporting to top executive management is that other
members of management may mistrust the internal auditor because of his or her access to top
executive management, and that he or she may therefore not be acceptable to them as a member of
the management team. This distrust originates because other members of management might
perceive the influence and authority of the internal auditor arising from his or her high status and
level of reporting as a threat to their own positions. For this reason, the internal auditor might face
resistance as a fellow member of the management team.

2. Chief Executive Officer (CEO)


Initially, the advantages of this level of reporting include the following:
● It guarantees access to a high-level official.
● It provides a reasonable measure of independence for the internal auditor. (In big undertakings
the CEO is not normally responsible for a particular department.)
● Management may feel less threatened because the accessibility of the internal auditor is at a
lower level than if he or she were to report to the Board of Directors (see 1). The distrust with which
management may regard the internal auditor might thus be reduced by this level of reporting.
However, there are the following disadvantages:
● If the influence and authority of the internal auditor are such that audit matters receive the
attention of the CEO, to the detriment of other management matters, the efficiency of
management will suffer and distrust might increase.
● Since a CEO is normally very busy, the CAE might find that he or she does not receive the
guidance and support necessary to perform his or her task effectively. Reporting to the CEO
may, therefore, not be the ideal reporting structure for internal auditors.

3. Chief Financial Officer (CFO)


In practice, this line of reporting works well. The most important factor to be considered in this case is
the level of responsibility and authority of the CFO. If it is too low, the internal auditors will find it
difficult to perform their duties free of interference and to obtain the cooperation of auditees.
Low-level access does not afford the internal auditors the necessary status.

When referring to the CFO, we do not mean the financial accountant. The organisational
independence of the internal auditor would be affected if he or she were to report to the chief
accountant because the chief accountant would be able to suspend the audit activities of the
internal auditor as soon as weaknesses in activities under his or her control were pointed out. The
internal audit function would not have the necessary authority and status to deal effectively with
other heads of departments.

Although reporting to the CFO is common, the disadvantage for the internal auditor is a certain
loss of independence, because he or she could be manipulated by the finance department,
particularly if his or her involvement in financial matters is considered. Other departments, such as
production, may feel that they are open to criticism, whereas the finance department can avoid this.

4. The audit committee

REFLECTION

Refer to learning unit 4.3 and reflect on the relationship between the internal audit
function and the audit committee. See: LU 4.2 TOPIC 2

An audit committee is a committee comprising persons outside the organisation (directors from
other companies, consultants, non-affiliated officials) with specialised knowledge, responsible for
serving as a link between the governing body/top executive management and the external and
internal auditors in all matters pertaining to auditing.

This level of reporting gives the internal audit function a high degree of organisational
independence and accessibility because it is reporting to a body with more authority than top
executive management, and most members are not involved in the operational matters of the
company (executive functions). The involvement of the audit committee with the appointment and
discharge of the chief audit executive is also advocated in the professional standards.

In practice, however, the following problems are experienced with this channel of reporting:
1. Because the audit committee does not meet frequently enough, they do not have the time to
support the internal audit function on a day-to-day basis as an independent reporting facility.
Audit committees meet on average four times a year.
2. Because of its function, the audit committee, by its very nature, is apart from the mainstream of
business activities. As a result, the internal auditor does not always receive the necessary
information and directives which might enable him or her to function effectively.
3. The audit committee also has a functional rather than an operational role and it is, therefore,
undesirable that members should be involved with the operational or household details of the
internal audit function. Their proper functions would include the final authorisation of audit
plans and audit findings, the coordination of audit efforts and the formulation of audit policy.
Any restrictions placed on the internal auditor by management should, however, be brought to
their attention by the internal auditor for final resolution. As a result of these problems, sole
reporting to the audit committee is not currently common practice.

5. Dual reporting
Owing to the limitations of each of the reporting lines described above, a compromise
arrangement is normally made in practice, whereby the chief audit executive has a dual level of
reporting. The chief audit executive reports
1. to the audit committee on functional responsibilities
2. to the CEO or CFO on operational/household tasks such as reviewing budgets, requests for
salary increases and staff expansion
Dual reporting takes place when a particular management function reports to more than one
management authority.

The disadvantages of a divided line of reporting are the following:


1. The possibility of manipulation by all the parties.
2. It is essential to clearly demarcate and enforce the responsibilities of the parties to whom the
audit activity reports, especially where the parties are not on the same organisational level and
therefore do not have the same organisational status and authority.
3. There is a possibility that an internal audit manager with dual reporting responsibility may be
pulled in two directions as a result of a difference of opinion between the parties to whom he
or she reports.

6.3 THE ROLE OF THE INTERNAL AUDIT FUNCTION IN AN ORGANISATION

REFLECTION

As discussed in Topic 1 (see Topic 1, Learning unit 1.2), the Global Internal Audit
Standards define internal auditing as follows:

Internal auditing is an independent, objective assurance and advisory service
designed to add value and improve an organisation's operations. It helps an
organisation accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of governance, risk
management and control processes.

Internal audit activities are performed in diverse legal and cultural environments;
within organisations that vary in purpose, size, and structure; and by persons within or
outside the organisation. These differences may affect the practice of internal auditing
in each environment. However, compliance with the Global Internal Audit Standards is
essential if the responsibilities of internal auditors are to be met.

REFLECTION

Refer to Learning unit 1.2 TOPIC 1, the Purpose of Internal Audit.

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Domain I: Purpose of Internal Auditing
Global Internal Audit Standards (theiia.org)

The Purpose statement is intended to assist internal auditors and internal audit stakeholders in
understanding and articulating the value of internal auditing.

The objective of internal auditing is to assist members of the executive and senior management in
the effective discharge of their duties and responsibilities with regard to risk management, control
and governance. To this end, internal auditing furnishes them with analyses, appraisals,
recommendations, counsel, and information concerning the activities reviewed. The management
of the organisation sets the objectives and goals. These plans or objectives are designed to ensure
the success of the organisation. To accomplish these plans the managers must ensure the
successful attainment of the goals, which will ultimately lead to the attainment of the objectives.

Therefore, it is the internal auditors' duty to help managers ensure that their plans achieve what
they want them to achieve. This is how internal auditors add value to the organisation and help it
to run more smoothly.

6.3.1 THE INTERNAL AUDITOR AS ADVISER TO MEMBERS OF THE ORGANISATION

DISCUSSION

Internal auditors examine and review the activities of the undertaking to
understand and evaluate them and form an opinion on the effectiveness of such
activities. These opinions are then used to furnish members of the organisation
with advice, information and recommendations that will enable them to discharge
their duties effectively.
As an adviser, the internal auditor must form an unbiased opinion and it is for this
reason that the internal audit function is defined as an independent, objective
assurance and advisory activity and grouped as such in the organisational structure
of the undertaking.
As an adviser, the internal audit function merely offers advice, gives information,
or makes recommendations. This means that the ultimate decision of whether or
not to accept this advice or information or to implement these recommendations
always rests with executive management.

The internal audit function should never possess the organisational power to force top
executive management to accept the audit results. Furthermore, internal auditors
should never take responsibility for implementing their recommendations as advisers;
they need to stay independent from the activities they review.

The internal auditor is responsible only for following up to ascertain that a decision relating to his
or her recommendations has been taken. Management may decide to
1. accept the internal auditor’s recommendations, in which case the internal auditor must
ascertain that the corrective action taken is achieving the desired results, or
2. reject his or her recommendations, in which case the internal auditor should ascertain that top
executive management has assumed the risk associated with failure to take corrective action on
reported findings.
Managers are often unaware of the benefits that their internal auditors can offer. This may be
because the internal auditors have not educated management about those benefits.

REFLECTION

Refer to Learning unit 4.3 TOPIC 1, the relationship with management.

Internal auditors can therefore assist management in
● monitoring activities top management can't monitor
● identifying and minimising risks
● validating reports to senior management
● protecting senior management in technical areas beyond its knowledge
● providing information for the decision-making process
● reviewing for the future as well as for the past
● helping line managers manage by pointing to violations of procedures and
management principles

Here are some brief examples of this assistance to management:

Monitoring activities. Each year, a chief audit executive prepares a schedule of proposed audits
that specifies the activities to be monitored. These are presented to executive management and the
board and can be adjusted to meet the needs of senior officials.

Identifying and minimising risks. Many internal audit functions identify the more serious risks
to the enterprise that they come across in the daily execution of their work. Internal auditors make
sure that the risks and the controls over them have been thoroughly examined.

Validating reports to senior management. Senior managers make their decisions based on
reports to them – not usually on matters of personal knowledge. Accurate, timely reports are more
likely to produce knowledgeable decisions. Some audit activities compile lists of such executive
reports and reference them to scheduled audits. When such audits are done, the auditors review the
reports for accuracy, timeliness and meaningfulness. Management decisions are then more likely
to be valid as the information on which decision-making is based has been independently verified
by the internal auditor.

Protecting management in technical fields. The growing complexity of business and
government affairs brings with it certain matters that may be beyond the scope of the manager
who must decide on them.

Helping in the decision-making process. Managers, not internal auditors, are responsible for
making operating decisions. However, internal auditors can supply or validate the data based on
which those decisions are made. Also, they can evaluate the effects of decisions made, point out
risks that were not anticipated and make recommendations in the decision-making process based
on their knowledge and experience.

Reviewing for the future as well as the past. The internal audit function assesses policies or
programmes still in the design stage, the implementation of a policy or programme, and the actual
results achieved by a policy or programme. Also, computer-literate internal auditors appraise
controls over proposed information systems before they are implemented.

Helping managers manage. Managers who are not in control of their activities develop problems.
The internal auditors generally find the problems and suggest corrections. Those corrections,
however, can be just quick fixes or they can reach the roots of the problems and improve
management. The latter is always the most desirable, and internal audit recommendations should
always aim to address the root cause of any problem.

6.3.2 THE INTERNAL AUDITOR AS A CONTROL FUNCTION


DISCUSSION

The internal audit function serves as a detective control in the system of internal
control, in other words, it functions as a control over other controls.
The scope of the task of the internal audit function in an undertaking includes the
examination and evaluation, by the internal auditor, of the adequacy and
effectiveness of risk management, control and governance processes and the
quality of performance in carrying out assigned responsibilities.

In this capacity, the internal audit function evaluates the general system of
management control and the system of internal control and keeps top executive
management informed regarding the adequacy of the system.
The aim of evaluating the adequacy of the organisation's existing governance, risk
management and control processes is to determine whether the established system
provides reasonable assurance that the objectives and goals of the organisation will
be achieved efficiently and economically. In the course of this process, the internal
auditor also determines whether policies, standards and procedures are being
carried out as laid down by management.
The aim of evaluating the effectiveness of governance, risk management and
control processes is to determine whether the system is dependable, that is,
whether objectives and goals are being accomplished in an accurate and timely
fashion with minimal use of resources.
Finally, the quality of performance in carrying out assigned responsibilities is
evaluated in order to determine whether the objectives of the undertaking have in
fact been achieved.
Where deviations or problems with the above exist, internal audit detects and
reports on this. In this sense, internal audit is a control function.

6.4 THE ADVANTAGES OF THE INTERNAL AUDIT FUNCTION IN AN ORGANISATION

6.4.1 THE NEED FOR INTERNAL AUDITING


The safeguarding of assets, reliability of financial records and efficiency in operations are basic
responsibilities of the management of an organisation and are primary objectives of accounting
and administrative controls. Management is increasingly aware of the advantage of having an
internal audit function to assist in fulfilling such responsibilities.

REFLECTION

You are probably wondering why a company needs internal auditors to add value and
improve its operations when these functions are clearly the responsibility of
management.

Revise the functions of management as discussed in learning unit 5.

See Learning unit 5 functions of management

STUDY

Shareholders appoint directors to manage the company on their behalf. Due to growth
in our society, managers need the assistance of internal auditors simply because their
organisations have complex activities, the volumes of transactions are high and
dependence on large numbers of people creates operational problems. The managers
need assurance that their plans are executed correctly throughout the organisation and
that all employees in the organisation at all levels comply with the rules of the
organisation and perform their responsibilities properly. This is where internal audit

62
The functions and role of the internal auditor in an organisation Learning unit 6

plays an important role in helping the organisation achieve its objectives (by
communicating to management).

Complex organisations create a need for different levels of management and together
with the internal audit function ensure that the company as a whole works together to
achieve the same goals, which have been formulated by top management.

The need to establish an internal audit function in an organisation can further be
motivated as follows:
● Many organisations are a blend of business and non-business activities, and
these developments increase the need for internal auditing in all types of
organisations where the complexity of the activities, the volume of transactions,
and the dependence of large numbers of people create operational challenges.
● Whenever organisational responsibilities are established, there is a potential
need for internal auditing services to give assurance that those responsibilities
are executed as planned.
● The safeguarding of assets, reliability of financial records and efficiency in
operations are basic responsibilities of management and are primary objectives
of accounting and administrative controls. Management is increasingly aware
of the advantages of having an internal audit function to assist in monitoring
such responsibilities.

6.4.2 THE ADVANTAGES FOR INTERNAL AUDITING


The most important advantage offered by regular exposure of the activities
of an organisation to an internal audit is closely linked to the purpose of an
internal audit, namely the assistance rendered to the management of the
organisation to help them attain their objectives.

Other advantages:
1. The internal audit report provides management with the assurance that management policy,
standards and procedures are satisfactory, that they are being executed and adhered to, and that
the risk management, control and governance processes are adequate and effective.
2. Any deviations, discrepancies or unsatisfactory aspects from which deductions for
reorganisation, adaptation or correction could be made, are timeously brought to management's
attention.
3. The internal auditor's report assures management that management data, whether operational
or financial information, are compiled in a consistent, uniform and standardised manner. This
forms the basis for the proper interpretation of the information and the true evaluation of the
operational results and the financial state of affairs of the organisation for further analyses to
arrive at meaningful management decisions.
4. There is always a possibility of discovering fraud and errors when continuous evaluation of the
internal control is carried out by internal auditors, which is of the utmost importance to
management.
5. The advantages associated with the possibility of exposing fraud and errors include the moral
influence an internal audit may have on the work and behaviour of personnel. The moral
influence lies in three spheres:
● The staff are likely to keep their work up to date and file vouchers systematically, which
leads to more efficient work performance.
● There should be an improvement in the diligence, accuracy and neatness of work
performed by the staff.
● An audit would certainly discourage inclinations toward slackness, negligence and
dishonesty.

6. Unexpected visits by the internal auditor will also provide an element of surprise, not only
strengthening the moral influence, but also reducing the time available for the staff to cover up
or rectify fraud and errors.
7. The quality and contents of the internal audit report offer management a mechanism to apply in
evaluating the internal audit function itself.
8. The internal audit report offers the auditee an instrument for the evaluation of his or her own
work performance, and for the timely correction of problems. Internal auditors also make
recommendations, thereby assisting the auditee to correct or improve the operations audited.
9. The productive use of all available resources is ensured, enabling the organisation to achieve
its stated objectives.
10. It enables the enterprise to evaluate its working procedures and to rectify any problems in a
timely manner.
Note that the advantages of an internal audit are also determined by the type of organisation and
the maturity of its systems and processes. Shareholders, suppliers and customers will, for example,
also benefit from improved operations. In conclusion, we again emphasise that any professed
advantage must always be subordinate to and closely associated with the objective of internal
auditing.

ACTIVITY 6.1

Question 1

Briefly explain the place of the internal audit function in the organisational structure of
an organisation.

FEEDBACK
Question 1
To establish the correct organisational status of the internal audit function, it is
important that the organisational plan of an entity is carefully constructed and that the
position of the internal audit function allows the internal auditors to be independent.

The Global Internal Audit Standards describe how organisational independence
should be established within the internal audit function. They require that the internal
auditors enjoy the necessary access to and support from executive management to
enable them to carry out their duties free from interference and to obtain the cooperation
of the auditees.

Standard 7.1 states that the board should establish a direct reporting relationship with
the chief audit executive and internal audit function to fulfil its mandate. The chief
audit executive (CAE) reporting functionally to the board and administratively to the
organisation’s chief executive officer or chief financial officer facilitates organisational
independence. The CAE should report to an individual with sufficient authority to
promote independence and ensure broad audit coverage, adequate consideration of
engagement communications, and appropriate action on engagement recommendations.
The internal audit function should be independent of the activities audited and internal
auditors should be objective in performing their work. The fact that internal auditors
may be employees of the company does not, of itself, impair their objectivity.

TOPIC 4
Professional matters relating to internal
auditing

Contents

Learning unit 7: Introduction to the Global Internal Audit Standards
Learning unit 8: Global Internal Audit Standards Domain II Ethics and Professionalism
Learning unit 9: Global Internal Audit Standards – Domain III, IV and V

INTRODUCTION AND PURPOSE OF THE TOPIC


In this topic we give you an overview of the Global Internal Audit Standards.

LEARNING OUTCOMES

After you have studied this topic, you should be able to
● give an account of the purpose and content of the Global Internal Audit Standards
for internal auditors
● apply Domain II Ethics and Professionalism in practical context-specific examples
● describe the purpose and requirements of the Global Internal Audit Standards in
terms of the conduct of an internal auditing engagement

Learning unit 7
Introduction to the Global Internal Audit Standards

Contents

7.1 GLOBAL INTERNAL AUDIT STANDARDS
7.1.1 Elements of the global internal audit standards
7.1.2 Fundamentals of the global internal audit standards

7.1 GLOBAL INTERNAL AUDIT STANDARDS

Source: www.theiia.org

The Global Internal Audit Standards set forth principles, requirements,
considerations and examples for the professional practice of internal auditing
globally. The Standards apply to any individual or function that provides
internal audit service, whether an organisation employs internal auditors
directly, contracts them through an external service provider, or both.

READ

Before studying the new Global Internal Audit Standards, first read the following
article regarding the IPPF evolution.

Future of the IPPF Evolution (theiia.org)

7.1.1 Elements of the global internal audit standards

REFLECTION

Refer to Learning unit 1.2 of Topic 1 and revise your knowledge on the purpose of
the internal audit function.

The Purpose of Internal Audit describes internal audit’s primary purpose and
overarching goal.

Achievement of the purpose of the internal audit function is supported by the entire
Global Internal Audit Standards.

STUDY

The Institute of Internal Auditors’ Global Internal Audit Standards guide the
worldwide professional practice of internal auditing and serve as a basis for evaluating
and elevating the quality of the internal audit function.

In the Global Internal Audit Standards, 15 guiding principles enable effective internal
auditing. Each principle is supported by standards that contain requirements,
considerations for implementation and examples of evidence of conformance. Together,
these elements help internal auditors achieve the principles and fulfil the Purpose of
Internal Auditing.

The Global Internal Audit Standards

Source: www.theiia.org

KEY CONCEPTS - STUDY


Domains II to V contain Principles and Standards.

What is a principle?
Principles: broad descriptions of a related group of requirements and
considerations

What is a Standard?

Applicability and elements of the standards


The requirements, considerations for implementation, and examples of evidence
of conformance are designed to help internal auditors conform to the Standards.
While conformance with the requirements is expected, internal auditors occasionally
may be unable to conform with a requirement yet still achieve the intent of the
standard.

The Standards use the word “must” in the Requirements sections and the words “should”
and “may” to specify common and preferred practices in the Considerations for
Implementation sections. Each standard ends with a list of examples of evidence. The
examples are neither requirements nor the only ways to demonstrate conformance;
rather, they are provided to help internal audit functions prepare for quality
assessments, which rely on demonstrative evidence.

7.1.2 Fundamentals of the global internal audit standards

DISCUSSION

The Standards apply to the internal audit function and individual internal auditors,
including the chief audit executive. While the chief audit executive is accountable
for the internal audit function’s implementation of and conformance with all
principles and standards, all internal auditors are responsible for conforming with
the principles and standards relevant to performing their job responsibilities.

Mandatory Guidance
Global Internal Audit Standards guide the worldwide professional
practice of internal auditing and serve as a basis for evaluating and
elevating the quality of the internal audit function. At the heart of the
Standards are 15 guiding principles that enable effective internal auditing.
Each principle is supported by standards that contain requirements,
considerations for implementation, and examples of evidence of
conformance. Together, these elements help internal auditors achieve the
principles and fulfil the Purpose of Internal Auditing.

Topical Requirements are designed to enhance the consistency of
internal audit services related to specific audit subjects and to support
internal auditors performing engagements in those risk areas. Internal
auditors must conform to the relevant requirements when the scope of an
engagement includes one of the identified topics.
Topical Requirements strengthen the ongoing relevance of internal
auditing in addressing the evolving risk landscape across industries and
sectors.

Supplemental Guidance
Supplemental Global Guidance supports the Standards by providing nonmandatory
information, advice and best practices for performing internal audit
services. It is endorsed by the IIA through formal review and approval
processes.
Global Practice Guides provide detailed approaches, step-by-step
processes, and examples on subjects including
● assurance and advisory services
● engagement planning, performance and communication
● financial services
● fraud and other pervasive risks
● strategy and management of the internal audit function
● public sector
● sustainability
Global Technology Audit Guides (GTAG) provide auditors with the
knowledge to perform assurance or advisory services related to an
organisation’s information technology and information security risks and
controls.

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video about the IPPF and
internal audit:

https://youtu.be/_6n0Sgp2x5E?si=4Ebqn7PBH-cjd_yL

STUDY

Global Internal Audit Standards (theiia.org)

Figure 5.1: Global Internal Audit Standards www.theiia.org

Learning unit 8
Global Internal Audit Standards Domain II Ethics and Professionalism

Contents

8.1 ELEMENTS OF ETHICS AND PROFESSIONALISM
8.1.1 Applicability and enforcement of Domain II Ethics and Professionalism
8.2 PRINCIPLES OF ETHICS AND PROFESSIONALISM
8.2.1 PRINCIPLE 1: Demonstrate Integrity
8.2.2 PRINCIPLE 2: Maintain Objectivity
8.2.3 PRINCIPLE 3: Demonstrate Competency
8.2.4 PRINCIPLE 4: Exercise Due Professional Care
8.2.5 PRINCIPLE 5: Maintain Confidentiality

8.1 ELEMENTS OF ETHICS AND PROFESSIONALISM


STUDY

The principles and standards in the Ethics and Professionalism domain of the Global
Internal Audit Standards replace the IIA’s former Code of Ethics and outline the
behavioural expectations for professional internal auditors, including chief audit
executives, other individuals and any entities that provide internal audit services. The
fact that a particular behaviour is not mentioned in these principles does not preclude it
from being considered unacceptable or discreditable.

Source: GLOBAL INTERNAL AUDIT STANDARDS - The Institute of Internal Auditors (iiam.com.my)

DISCUSSION

Ethical conduct is an important requirement for the practice of any profession. The
principles and standards in the Ethics and Professionalism domain of the Global
Internal Audit Standards are necessary and appropriate for the profession of
internal auditing.

8.1.1 Applicability and enforcement of Domain II Ethics and Professionalism


All internal auditors are required to conform to the standards of ethics and professionalism. If
internal auditors are expected to abide by other codes of ethics, behaviour or conduct, such as
those of an organisation, conformance with the principles and standards of ethics and
professionalism contained in the standards does not preclude it from being considered
unacceptable or discreditable.

While internal auditors are responsible for their own conformance, the chief audit executive is
expected to support and promote conformance with the principles and standards in the Ethics and
Professionalism domain by providing opportunities for training and guidance. The chief audit
executive may choose to delegate certain responsibilities for managing conformance but retains
accountability for the ethics and professionalism of the internal audit function.

8.2 PRINCIPLES OF ETHICS AND PROFESSIONALISM


DISCUSSION

Internal auditors are expected to apply and uphold the following principles:
1. Demonstrate Integrity – Internal auditors demonstrate integrity in their work
and behaviour.
2. Maintain Objectivity – Internal auditors maintain an impartial and unbiased
attitude when performing internal audit services and making decisions.
3. Demonstrate Competency – Internal auditors apply their knowledge, skills,
and abilities to fulfil their roles and responsibilities successfully.
4. Exercise Due Professional Care – Internal auditors apply due professional
care in planning and performing internal audit services.
5. Maintain Confidentiality – Internal auditors use and protect information
appropriately.

8.2.1 PRINCIPLE 1: Demonstrate Integrity



KEY CONCEPTS
Principle 1 Demonstrate Integrity

Internal auditors demonstrate integrity in their work and behaviour.

The Global Internal Audit Standards define integrity as behaviour characterised by adherence to
moral and ethical principles, which includes demonstrating honesty and the courage to act based
on relevant information, even under pressure to act otherwise or when such actions may lead to
potential negative personal or organisational consequences.

Principle 1 consists of these Standards:

Standard 1.1 Honesty and Professional Courage

Requirements
Internal auditors must perform their work with honesty and professional courage.

Considerations for implementation
Internal auditors should enhance their awareness and understanding of honesty and professional courage by seeking opportunities to obtain ethics-related continuing professional education.

Examples of evidence of conformance
● A training plan that includes ethics education and training
● Feedback from key stakeholders regarding the honesty and courage of internal auditors

Standard 1.2 Organisation’s Ethical Expectations

Requirements
Internal auditors must understand, respect, meet and contribute to the legitimate and ethical expectations of the organisation and must be able to recognise conduct that is contrary to those expectations.

Considerations for implementation
Internal auditors should consider ethics-related risks and controls during individual engagements.

Examples of evidence of conformance
● Records of internal auditors’ participation in workshops, training events, or meetings where ethical expectations and issues were discussed

Standard 1.3 Legal and Ethical Expectations

Requirements
Internal auditors must not engage in any activity that is illegal or discreditable to the organisation or the profession of internal auditing or that may harm the organisation or its employees.

Considerations for implementation
Internal auditors must not engage in or be a party to any activity that is illegal or discreditable to the organisation or the profession of internal auditing or that may harm the organisation or its employees.

Examples of evidence of conformance
● Documented communication between internal auditors and their supervisors and/or legal counsel that addresses concerns about illegal or unprofessional actions

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 1 – Demonstrate Integrity
● Standard 1.1, 1.2 and 1.3
● The requirements stipulated for Standards 1.1, 1.2 and 1.3
● Considerations for implementation of Standards 1.1, 1.2 and 1.3
● Examples of evidence of conformance of Standards 1.1, 1.2 and 1.3
Global Internal Audit Standards (theiia.org)

8.2.2 PRINCIPLE 2: Maintain Objectivity



KEY CONCEPTS
Principle 2 Maintain Objectivity
Internal auditors maintain an impartial and unbiased attitude when performing
internal audit services and making decisions.

Objectivity is an unbiased mental attitude that allows internal auditors to make professional
judgments, fulfil their responsibilities, and achieve the Purpose of Internal Auditing without
compromise. An independently positioned internal audit function supports internal auditors’
ability to maintain objectivity.


Principle 2 consists of these Standards:

Standard 2.1 Individual Objectivity

Requirements
Internal auditors must maintain professional objectivity when performing all aspects of internal audit services. Professional objectivity requires internal auditors to apply an impartial and unbiased mindset and make judgments based on balanced assessments of all relevant circumstances.

Considerations for implementation
Objectivity means internal auditors perform their work without compromise or subordination of judgment to others. The Global Internal Audit Standards, along with the policies established and training arranged by the chief audit executive, support objectivity by providing requirements, procedures and guidance that set forth a systematic and disciplined approach for gathering and evaluating information to provide a balanced assessment of the activity under review.

Examples of evidence of conformance
● References in the internal audit charter to internal auditors’ responsibility for maintaining objectivity
● Policies and procedures related to objectivity

Standard 2.2 Safeguarding Objectivity

Requirements
Internal auditors must recognise and avoid or mitigate actual, potential and perceived impairments to objectivity. Internal auditors must not accept any tangible or intangible item, such as a gift, reward or favour, that may impair or be presumed to impair objectivity. Internal auditors must avoid conflicts of interest and must not be unduly influenced by their own interests or the interests of others, including senior management or others in a position of authority, or by the political environment or other aspects of their surroundings.

Considerations for implementation
The internal audit function’s methodologies should specify the expectations and requirements for internal auditors related to
● receiving gifts, favours and rewards
● identifying situations that may impair objectivity
● responding appropriately upon becoming aware of an impairment

Examples of evidence of conformance
● Policies and procedures for identifying potential impairments and necessary safeguards
● Minutes of board meetings where impairments to objectivity were discussed

Standard 2.3 Disclosing Impairments to Objectivity

Requirements
If internal auditors become aware of an impairment that may affect their objectivity, they must disclose it to the chief audit executive or a designated supervisor. If the chief audit executive determines that an impairment is affecting an internal auditor’s ability to perform duties objectively, the chief audit executive must discuss the impairment with the management of the activity under review, the board, and/or senior management and determine the appropriate actions to resolve the situation.

Considerations for implementation
If an impairment to objectivity cannot be avoided, the chief audit executive may consider options to manage the impairment, including
● reassigning internal auditors to remove the impaired internal auditor from the engagement
● rescheduling an engagement to ensure it is properly staffed
● adjusting the scope of an engagement
● outsourcing the performance or supervision of the engagement

Examples of evidence of conformance
● Internal audit methodologies for disclosing objectivity impairments
● Documentation disclosing the presence or affirming the absence of objectivity impairments

REFLECTION

Principle 2 Maintain Objectivity was discussed in detail in Topic 3: Learning unit 6.2

Ensure that you understand and have studied the following in learning unit 6.2:
● Principle 2 Maintain Objectivity
● Standard 2.1, 2.2 and 2.3
● The requirements stipulated for Standards 2.1, 2.2 and 2.3
● Considerations for implementation of Standards 2.1, 2.2 and 2.3
● Examples of evidence of conformance of Standards 2.1, 2.2 and 2.3
Global Internal Audit Standards (theiia.org)

8.2.3 PRINCIPLE 3: Demonstrate Competency



KEY CONCEPTS
Principle 3 Demonstrate Competency

Internal auditors apply the knowledge, skills, and abilities to fulfil their roles and
responsibilities successfully.

Demonstrating competency requires the development and utilisation of knowledge, skills and
abilities to provide internal audit services. The competencies required for each internal auditor
differ due to the varied services they provide.


Principle 3 consists of these Standards:

Standard 3.1 Competency

Requirements
Internal auditors must engage only in those services for which they have or can attain the necessary competencies.

Considerations for implementation
Internal auditors should develop competencies related to communication and collaboration, governance, risk management and control processes, and pervasive risks such as fraud.

Examples of evidence of conformance
● Documentation listing the certifications, education, experience, work history, and other qualifications of internal auditors
● The results of internal and external quality assessments

Standard 3.2 Continuing Professional Development

Requirements
Internal auditors must maintain and continually develop their competencies to improve the effectiveness and quality of internal audit services.

Considerations for implementation
To improve the quality of performing internal audit services, internal auditors should seek opportunities to learn about trends and best practices as well as emerging topics, risks, trends, and changes that may affect the organisations for which they work and the internal audit profession.

Examples of evidence of conformance
● Records of internal auditor’s completed continuing professional education and credentials obtained
● Internal auditor’s performance reviews and/or plans for professional development

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 3 – Demonstrate Competency
● Standard 3.1 and 3.2
● The requirements stipulated for Standards 3.1 and 3.2
● Considerations for implementation of Standards 3.1 and 3.2
● Examples of evidence of conformance of Standards 3.1 and 3.2
Global Internal Audit Standards (theiia.org)

8.2.4 PRINCIPLE 4: Exercise Due Professional Care



KEY CONCEPTS
Principle 4 Exercise Due Professional Care

Internal auditors apply due professional care in planning and performing internal
audit services.


Due professional care requires careful planning and performing of internal audit services with the
diligence, judgment and scepticism possessed by prudent and competent internal auditors. In
exercising due professional care, internal auditors act in the best interest of their clients but are not
required to be infallible.

Principle 4 consists of these Standards:

Standard 4.1 Conformance with the Global Internal Audit Standards

Requirements
Internal auditors must plan and perform internal audit services in accordance with the Global Internal Audit Standards.

Considerations for implementation
The chief audit executive should review the Standards when changes occur and align the internal audit function’s methodologies accordingly.

Examples of evidence of conformance
● Documentation of the internal audit function’s methodologies and an indication of when they were last updated

Standard 4.2 Due Professional Care

Requirements
Internal auditors must exercise due professional care by assessing the nature, circumstances and requirements of the services to be provided.

Considerations for implementation
To perform services with due professional care requires that internal auditors consider and understand the Purpose of Internal Auditing and the nature of the internal audit services to be provided.

Examples of evidence of conformance
● Planning notes documenting the strategy and objectives of the organisation and activity under review
● Documented assessments of governance, risk management and control processes

Standard 4.3 Professional Skepticism

Requirements
Internal auditors must exercise professional scepticism when planning and performing internal audit services.

Considerations for implementation
Professional scepticism enables internal auditors to make objective judgments based on facts, information and logic, rather than trust or belief.

Examples of evidence of conformance
● Documentation that false or misleading information was handled as an engagement finding
● Records of relevant training planned and completed, including a list of participants

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 4 – Exercise Due Professional Care
● Standard 4.1, 4.2 and 4.3
● The requirements stipulated for Standards 4.1, 4.2 and 4.3
● Considerations for implementation of Standards 4.1, 4.2 and 4.3
● Examples of evidence of conformance of Standards 4.1, 4.2 and 4.3
Global Internal Audit Standards (theiia.org)


8.2.5 PRINCIPLE 5: Maintain Confidentiality



KEY CONCEPTS
Principle 5 Maintain Confidentiality

Internal auditors use and protect information appropriately.

Because internal auditors have unrestricted access to the data, records and other information
necessary to fulfil the internal audit mandate, they often receive information that is confidential,
proprietary and/or personally identifiable. Internal auditors must respect the value and ownership
of information they receive by using it only for professional purposes and protecting it from
unauthorised access or disclosure, internally and externally.

Principle 5 consists of these Standards:

Standard 5.1 Use of information

Requirements
Internal auditors must follow the relevant policies, procedures, laws and regulations when using information.

Considerations for implementation
Internal auditors must have unrestricted access to information to enable them to provide internal audit services without interference. Using and handling information appropriately is the responsibility of every internal auditor.

Examples of evidence of conformance
● Effectively designed operating controls over access to and use of information
● Attendance records of training on the use of information

Standard 5.2 Protection of information

Requirements
Internal auditors must be aware of their responsibilities for protecting information and demonstrate respect for the confidentiality, privacy and ownership of information acquired when performing internal audit services or as the result of professional relationships.

Considerations for implementation
The information acquired, used and produced by the internal audit function is protected by laws, regulations and the policies and procedures of the organisation and the internal audit function and generally covers physical and digital security and access, retention and disposal of information.

Examples of evidence of conformance
● Documentation of restrictions on the distribution of workpapers and final communication
● Signed agreements to confidentiality or nondisclosure of information

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 5 – Maintain Confidentiality
● Standard 5.1 and 5.2
● The requirements stipulated for Standards 5.1 and 5.2
● Considerations for implementation of Standards 5.1 and 5.2
● Examples of evidence of conformance of Standards 5.1 and 5.2
Global Internal Audit Standards (theiia.org)

ACTIVITY 8.1

State, with reasons, whether or not the following action of the internal auditor is a
breach of the Code of Ethics:

John Khumalo, a junior internal audit staff member, discussed with his
friends the incidence of fraud he had discovered during his audit of the
company’s debtors.

FEEDBACK

This is a violation of Domain II Ethics and Professionalism. Mr Khumalo is guilty
of misconduct.

Principle 1 – Standard 1.1 Honesty and Professional Courage – Internal auditors
shall perform their work with honesty, diligence, and responsibility.

Principle 5 – Standard 5.2 Protection of information – Internal auditors must
demonstrate respect for the confidentiality, privacy, and ownership of information
acquired when performing internal audit services or as the result of professional
relationships.

This was a violation, since John Khumalo had no legal obligation to divulge this
information.

Learning unit 9
Global Internal Audit Standards – Domain III, IV and V

Contents

9.1 INTRODUCTION
9.2 DOMAIN III: GOVERNING THE INTERNAL AUDIT FUNCTION
9.2.1 PRINCIPLE 6: Authorised by the Board
9.2.2 PRINCIPLE 7: Positioned Independently
9.2.3 PRINCIPLE 8: Overseen by the Board
9.3 DOMAIN IV: MANAGING THE INTERNAL AUDIT FUNCTION
9.3.1 PRINCIPLE 9: Plan Strategically
9.3.2 PRINCIPLE 10: Manage Resources
9.3.3 PRINCIPLE 11: Communicate Effectively
9.3.4 PRINCIPLE 12: Enhance Quality
9.4 DOMAIN V: PERFORMING INTERNAL AUDIT SERVICES
9.4.1 PRINCIPLE 13: Plan Engagements Effectively
9.4.2 PRINCIPLE 14: Conduct Engagement Work
9.4.3 PRINCIPLE 15: Communicate Engagement Results and Monitor Action Plans


9.1 INTRODUCTION
REFLECTION

Reflect on learning unit 7: Introduction to the Global Internal Audit Standards. Ensure
that you understand the purpose of the Global Internal Audit Standards as well as the
elements of the Global Internal Audit Standards. It was discussed in detail in Topic 4:
Learning unit 7.1.

9.2 DOMAIN III: GOVERNING THE INTERNAL AUDIT FUNCTION


STUDY

According to the Global Internal Audit Standards, appropriate governance
arrangements are essential to enable the internal audit function to be effective.

Domain III:
● Outlines the requirements for chief audit executives to work closely with the
board to
– establish the internal audit function
– position it independently
– oversee its performance

This domain also outlines senior management’s responsibilities that support the
board’s responsibilities and promote strong governance of the internal audit function.

Meeting with the board and senior management


Engagements with the board and senior management are necessary to clarify the
significance of the current situation and to achieve agreement over their respective
roles. The nature and frequency of these discussions are dependent upon the conditions
and changes inside the organisation.

The chief audit executive must obtain feedback from both the board and senior
management. Although the board holds the final authority to adopt the internal audit
mandate, charter and related standards, senior management generally plays an
important part in advising the board and the chief audit executive.

Disagreements on essential conditions


If either the board or senior management disagrees with one or more of the essential
conditions, the chief audit executive must emphasise – with examples – how
the absence of the condition may affect the internal audit function’s ability to fulfil its
purpose or conform with specific standards.

Definition of board
The glossary of the Global Internal Audit Standards defines the term “board” as the
highest-level body charged with governance, such as
● a board of directors
● an audit committee
● a board of governors or trustees
● a group of elected officials or political appointees
● another body that has authority over the relevant governance functions


Application of Domain III


The Standards apply to individuals and functions that provide internal audit services. Internal audit
services may be provided by persons within or outside of the organisation for organisations that
vary in purpose, size, complexity and structure.

The Standards apply whether an organisation employs internal auditors directly, contracts them
through an external service provider, or both. In all cases, the board retains the responsibility to
support and oversee the internal audit function.

Source: GLOBAL INTERNAL AUDIT STANDARDS - The Institute of Internal Auditors (iiam.com.my)

9.2.1 PRINCIPLE 6: Authorised by the Board



KEY CONCEPTS
Principle 6 Authorised by the Board
The board establishes, approves, and supports the mandate of the internal audit
function.

The internal audit function receives its mandate from the board. The mandate specifies the
authority, role and responsibilities of the internal audit function and is documented in the internal
audit charter.

The mandate empowers the internal audit function to provide the board and senior management
with objective assurance, advice, insight and foresight. The internal audit function carries out the
mandate by bringing a systematic, disciplined approach to evaluating and improving the
effectiveness of governance, risk management and control processes throughout the organisation.


Principle 6 consists of these Standards:

Standard 6.1 Internal Audit Mandate

Requirements
The chief audit executive must document or reference the mandate in the internal audit charter, which is approved by the board.

Essential conditions
Board
Approve the internal audit charter, which includes the internal audit mandate and the scope and types of internal audit services.
Senior Management
Support the internal audit mandate throughout the organisation and promote the authority granted to the internal audit function.

Considerations for implementation
The chief audit executive informs the board and senior management about the characteristics of an effective internal audit function.

Examples of evidence of conformance
● Minutes of board meetings during which any changes to the internal audit charter are discussed and approved by the board

Standard 6.2 Internal Audit Charter

Requirements
The chief audit executive must develop and maintain an internal audit charter that specifies, at a minimum:
● Purpose of Internal Auditing
● Commitment to adhering to Global Internal Audit Standards
● Mandate, including scope and types of services to be provided
● Organisational position and reporting relationship

Essential conditions
Board
Approve the internal audit charter.
Senior Management
Communicate with the board and chief audit executive about management’s expectations that should be considered for inclusion in the internal audit charter.

Considerations for implementation
The chief audit executive typically presents a final draft of the internal audit charter during a board meeting to be discussed and approved.

Examples of evidence of conformance
● Minutes of the board meeting during which the internal audit charter was discussed and approved
● The approved charter and the date approved

Standard 6.3 Board and Senior Management Support

Requirements
The chief audit executive must provide the board and senior management with the information needed to support and promote recognition of the internal audit function throughout the organisation.

Essential conditions
Board
Champion the internal audit function to enable it to fulfil the Purpose of Internal Auditing and pursue its strategy and objectives.
Senior Management
Support recognition of the internal audit function throughout the organisation.

Considerations for implementation
The board and the chief audit executive should meet at least annually without management present.

Examples of evidence of conformance
● Minutes of board meetings indicating board review and approval of the internal audit plan, internal audit budget, and resource plan

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 6 – Internal Audit Mandate
● Standard 6.1, 6.2 and 6.3
● The requirements stipulated for Standards 6.1, 6.2 and 6.3
● Considerations for implementation of Standards 6.1, 6.2 and 6.3
● Examples of evidence of conformance of Standards 6.1, 6.2 and 6.3
Global Internal Audit Standards (theiia.org)

9.2.2 PRINCIPLE 7: Positioned Independently



KEY CONCEPTS
Principle 7 Positioned Independently

The board establishes, approves, and supports the mandate of the internal audit
function.

According to the Global Internal Audit Standards, the board is responsible for enabling the
independence of the internal audit function.

Independence is defined as the freedom from conditions that impair the internal audit function’s
ability to carry out its responsibilities in an unbiased manner.

REFLECTION

Refer to Topic 3, learning unit 6.2, and ensure that you understand all aspects covered
in that learning unit that relate to Principle 7.

It was discussed in detail in Topic 3: Learning unit 6.2.

Principle 7 consists of these Standards:

Standard 7.1 Organisational Independence

Requirements
The chief audit executive must confirm to the board the organisational independence of the internal audit function at least annually.

Essential conditions
Board
Authorise the appointment and removal of the chief audit executive.
Senior Management
Position the internal audit function at a level within the organisation that enables it to perform its services and responsibilities without interference, as directed by the board.

Considerations for implementation
Internal auditing is most effective when the internal audit function is directly accountable to the board. A direct reporting relationship between the board and the chief audit executive enables the internal audit function to perform internal audit services and communicate engagement results without interference.

Examples of evidence of conformance
● The internal audit charter, which documents the internal audit function’s reporting relationships
● Documented methodologies to be followed when an impairment is suspected

Standard 7.2 Chief Audit Executive Qualifications

Requirements
The chief audit executive must maintain and enhance the qualifications and competencies necessary to fulfil the roles and responsibilities expected by the board.

Essential conditions
Board
Approve the chief audit executive’s roles and responsibilities and identify the necessary qualifications, experience and competencies to carry out these roles and responsibilities.
Senior Management
Engage with the board to determine the chief audit executive’s qualifications, experience and competencies.

Considerations for implementation
The board should encourage the chief audit executive to pursue continuing professional education, membership in professional associations, professional certifications, and other opportunities for professional development.

Examples of evidence of conformance
● Documented approval by the board of the chief audit executive’s job description
● Documented participation in professional associations

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 7 – Internal Audit Mandate
● Standard 7.1 and 7.2
● The requirements stipulated for Standards 7.1 and 7.2
● Considerations for implementation of Standards 7.1 and 7.2
● Examples of evidence of conformance with Standards 7.1 and 7.2
Global Internal Audit Standards (theiia.org)

9.2.3 PRINCIPLE 8: Overseen by the Board



KEY CONCEPTS
Principle 8 Overseen by the Board

The board oversees the internal audit function to ensure the function’s effectiveness.

Board supervision is crucial for enhancing the overall effectiveness of the internal audit function.
Achieving this principle requires cooperative and interactive communication between the board
and the chief audit executive, along with the board's endorsement in securing adequate resources
for the internal audit function to accomplish its task.

Principle 8 consists of these Standards:

Standard 8.1 Board Interaction

Requirements
The chief audit executive must provide the board with the information needed to conduct its oversight responsibilities.

Essential conditions
Board
Communicate with the chief audit executive to understand how the internal audit function is fulfilling its mandate.
Senior Management
Work with the board and the chief audit executive on the process for escalating matters of importance to the board.

Considerations for implementation
To provide the board with the information needed to exercise its oversight responsibilities, two-way communication is needed.

Examples of evidence of conformance
● Presentations made by the chief audit executive to the board
● Internal audit communications to board members

Standard 8.2 Resources

Requirements
The chief audit executive must evaluate whether internal audit resources are sufficient to fulfil the internal audit mandate and achieve the internal audit plan.

Essential conditions
Board
Consider the impact of insufficient resources on the internal audit mandate and plan.
Senior Management
Engage with the board and the chief audit executive on any issues of insufficient resources and how to remedy the situation.

Considerations for implementation
To analyse the sufficiency of the resources necessary to fulfil the internal audit mandate and achieve the plan.

Examples of evidence of conformance
● Documentation of a cost-benefit analysis
● Documentation of the chief audit executive’s resourcing strategy

Standard 8.3 Quality

Requirements
The chief audit executive must develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function.

Essential conditions
Board
Approve the internal audit function’s performance objectives at least annually.
Senior Management
Provide input on the internal audit function’s performance objectives.

Considerations for implementation
Action plans that address deficiencies and opportunities for improvement. Actions should be agreed upon with the board.

Examples of evidence of conformance
● Chief audit executive presentations and other communications covering the results of the quality assessments

Standard 8.4 External Quality Assessment

Requirements
The chief audit executive must develop a plan for an external quality assessment and discuss the plan with the board.

Essential conditions
Board
Discuss with the chief audit executive the plans to have an external quality assessment of the internal audit function.
Senior Management
Collaborate with the board and the chief audit executive to determine the scope and frequency of the external quality assessment.

Considerations for implementation
The board and chief audit executive may determine that it is appropriate to conduct an external assessment more frequently than every five years.

Examples of evidence of conformance
● Formal external quality assessment report prepared and validated by a qualified, independent assessor

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 8 – Overseen by the Board
● Standard 8.1, 8.2, 8.3 and 8.4
● The requirements stipulated for Standards 8.1, 8.2, 8.3 and 8.4
● Considerations for implementation of Standards 8.1, 8.2, 8.3 and 8.4
● Examples of evidence of conformance with Standards 8.1, 8.2, 8.3 and 8.4
Global Internal Audit Standards (theiia.org)

9.3 DOMAIN IV: MANAGING THE INTERNAL AUDIT FUNCTION


STUDY

The chief audit executive is responsible for managing the internal audit function in
accordance with the internal audit charter and Global Internal Audit Standards. This
responsibility includes strategic planning, obtaining and deploying resources, building
relationships, communicating with stakeholders and ensuring and enhancing the
performance of the function.

TOPIC 4 PROFESSIONAL MATTERS RELATING TO INTERNAL AUDITING

The individual responsible for managing the internal audit function is expected to
conform with the Standards, including performing the responsibilities described in this
domain, whether the individual is directly employed by the organisation or contracted
through an external service provider.

The chief audit executive may delegate appropriate responsibilities to other qualified
professionals in the internal audit function but retains ultimate accountability.

The direct reporting relationship between the board and the chief audit executive
enables the internal audit function to fulfil its mandate. The chief audit executive
typically has an administrative reporting line to the highest-ranking person in senior
management, such as the chief executive officer, to support day-to-day activities and
establish the status and authority necessary to ensure the results of the internal audit
services are given due consideration.

Source: GLOBAL INTERNAL AUDIT STANDARDS - The Institute of Internal Auditors (iiam.com.my)

9.3.1 PRINCIPLE 9: Plan Strategically



KEY CONCEPTS
Principle 9 Plan Strategically
The chief audit executive plans strategically to position the internal audit function to
fulfil its mandate and achieve long-term success.

According to the Global Internal Audit Standards, planning strategically requires the chief audit
executive to understand the internal audit mandate and the organisation’s governance, risk
management, and control processes. A properly resourced and positioned internal audit function
develops and implements a strategy to support the organisation’s success. In addition, the chief
audit executive creates and implements methodologies to guide the internal audit function and
develop the internal audit plan.


Principle 9 consists of these Standards:


Standard 9.1 Understanding Governance, Risk Management and Control Processes
Standard 9.2 Internal Audit Strategy
Standard 9.3 Methodologies
Standard 9.4 Internal Audit plan
Standard 9.5 Coordination and Reliance

Requirements

Standard 9.1: To develop an effective internal audit strategy and plan, the chief audit executive must understand the organisation’s governance, risk management, and control processes.

Standard 9.2: The chief audit executive must develop and implement a strategy for the internal audit function that supports the strategic objectives of the organisation.

Standard 9.3: The chief audit executive must establish methodologies to guide the internal audit function in a systematic and disciplined manner to implement the internal audit strategy, develop the internal audit plan, and conform with the Standards.

Standard 9.4: The chief audit executive must create an internal audit plan that supports the achievement of the organisation’s objectives.
NB: Focus on:
1. The internal audit plan must:
2. Chief audit executive must review and revise the internal audit plan as necessary and communicate timely to the board and senior management:

Standard 9.5: The chief audit executive must coordinate with internal and external providers of assurance services and consider relying on their work. When the internal audit function relies on the work of other assurance service providers, the chief audit executive must document the basis for that reliance and is still responsible for the conclusions reached by the internal audit function.

Considerations for implementation

Standard 9.1:
Understanding Governance Processes
The chief audit executive should be well-informed about leading governance principles and frameworks.
Understanding Risk Management Processes
The chief audit executive should understand globally accepted risk management principles and frameworks.
Understanding Control Processes
The chief audit executive should become familiar with globally accepted control frameworks.

Standard 9.2: To develop the vision and strategic objectives of the internal audit strategy, the chief audit executive should start by considering the organisation’s strategy and objectives and the expectations of the board and senior management. The chief audit executive may design a timeline for the implementation of the internal audit strategy and related performance measures.

Standard 9.3: Methodologies may exist as individual documents or may be collected into an internal audit manual or integrated into internal audit management software. Internal audit methodologies describe processes and procedures for communicating, handling operational and administrative matters, and overseeing the internal audit function.

Standard 9.4: This standard requires an organisation-wide risk assessment to be completed at least annually as the basis for the plan. To strive to ensure that the audit universe and risk assessment cover the organisation’s key risks, the internal audit function should independently review and validate the key risks that were identified within the organisation’s risk management system.
NB: Focus on:
1. When developing the internal audit plan, the chief audit executive should consider the following:
2. To schedule internal audit engagements, the chief audit executive should consider:
3. The proposed internal audit plan should include:

Standard 9.5: The chief audit executive should develop a methodology for evaluating other providers of assurance and advisory services that includes a basis for relying upon their work. The chief audit executive should understand the objectives, scope, and results of the work performed.
NB: Focus on:
1. Examples of coordination
2. To determine whether the internal audit function may rely on the work of another provider, the methodology should consider:

Examples of evidence of conformance

Standard 9.1:
● Documentation of orientation or training provided to internal audit staff regarding the organisation’s governance, risk management, and control processes.

Standard 9.2:
● Documented internal audit strategy, including vision, strategic objectives and supporting initiatives.

Standard 9.3:
● Documentation of software program incorporating methodologies.
● Documentation of updates to the methodologies.

Standard 9.4:
● Approved internal audit plan.
● Documented risk assessment and prioritisation, including the inputs upon which the plan is based.

Standard 9.5:
● Documentation and implementation of the methodology to determine whether to rely on a provider’s work.

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 9 – Plan Strategically
● Standard 9.1, 9.2, 9.3, 9.4 and 9.5
● The requirements stipulated for Standards 9.1, 9.2, 9.3, 9.4 and 9.5
● Considerations for implementation of Standards 9.1, 9.2, 9.3, 9.4 and 9.5
● Examples of evidence of conformance with Standards 9.1, 9.2, 9.3, 9.4 and
9.5
Global Internal Audit Standards (theiia.org)

9.3.2 PRINCIPLE 10: Manage Resources



KEY CONCEPTS
Principle 10 Manage Resources
The chief audit executive manages resources to implement the internal audit function’s
strategy and achieve its plan and mandate.


Managing resources requires obtaining and deploying financial, human and technological
resources effectively. The chief audit executive needs to obtain the resources required to perform
internal audit responsibilities and deploy the resources according to the methodologies established
for the internal audit function.

Principle 10 consists of these Standards:


Standard 10.1 Financial Resource Management
Standard 10.2 Human Resources Management
Standard 10.3 Technological Resources

Requirements

Standard 10.1: The chief audit executive must manage the internal audit function’s financial resources. The chief audit executive must seek budget approval from the board. The chief audit executive must communicate promptly the impact of insufficient financial resources to the board and senior management.

Standard 10.2: The chief audit executive must establish an approach to recruit, develop and retain internal auditors who are qualified to successfully implement the internal audit strategy and achieve the internal audit plan. The chief audit executive must strive to ensure that human resources are appropriate, sufficient and effectively deployed to achieve the approved internal audit plan.

Standard 10.3: The chief audit executive must strive to ensure that the internal audit function has the technology to support the internal audit process. The chief audit executive must communicate the impact of technology limitations on the effectiveness or efficiency of the internal audit function to the board and senior management.

Considerations for implementation

Standard 10.1: The chief audit executive should follow the budget processes established by the organisation. The budget should be approved by the board. If significant additional resources are needed due to unforeseen circumstances, the chief audit executive should discuss the circumstances with the board and senior management.

Standard 10.2: The structure and approach to resourcing the internal audit function should align with the internal audit charter and support the achievement of the internal audit function’s strategy and implementation of the internal audit plan.
NB: Focus on:
1. In formulating an approach for managing the internal audit function’s human resources, the chief executive should:
2. To develop and retain internal auditors, the chief audit executive should:
3. To evaluate whether the human resources are appointed and sufficient to achieve the internal audit plan, the chief audit executive should consider:

Standard 10.3: The internal audit function should use technology to improve its effectiveness and efficiency.
NB: Focus on:
1. Examples of such technology:
2. To evaluate whether the internal audit function has the technological resources to perform its responsibilities the chief audit executive should:

Examples of evidence of conformance

Standard 10.1:
● Documentation of the internal audit plan against budget, forecast, and actual expenses

Standard 10.2:
● Documented analysis of the gaps between the competencies of internal auditors on staff and those required
● Job descriptions

Standard 10.3:
● Documented discussions or plans related to requests for and implementation of technologies
● The names of internal auditors and their technology-related certifications and qualifications

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 10 – Manage Resources
● Standard 10.1, 10.2 and 10.3
● The requirements stipulated for Standards 10.1, 10.2, and 10.3
● Considerations for implementation of Standards 10.1, 10.2, and 10.3
● Examples of evidence of conformance of Standards 10.1, 10.2 and 10.3
Global Internal Audit Standards (theiia.org)

9.3.3 PRINCIPLE 11: Communicate Effectively



KEY CONCEPTS
Principle 11 Communicate Effectively
The chief audit executive guides the internal audit function to communicate effectively
with its stakeholders.

Effective communication requires building relationships, establishing trust and enabling
stakeholders to benefit from the results of internal audit services. The chief audit executive is
responsible for helping the internal audit function establish ongoing communication with
stakeholders to build trust and foster relationships. The chief audit executive oversees the internal
audit function’s formal communications with the board and senior management to enable quality
and provide insights based on the results of internal audit services.


Principle 11 consists of these Standards:


Standard 11.1 Building Relationships and Communicating with Stakeholders
Standard 11.2 Effective Communication
Standard 11.3 Communicate Results
Standard 11.4 Errors and Omissions
Standard 11.5 Communicating the Acceptance of Risk

Requirements

Standard 11.1: The chief audit executive must develop an approach for the internal audit function to build relationships and trust with key stakeholders.

Standard 11.2: The chief audit executive must establish and implement methodologies to promote accurate, objective, clear, concise, constructive, complete and timely internal audit communications.

Standard 11.3: The chief audit executive must communicate the results of internal audit services to the board and senior management periodically and for each engagement as appropriate. The results of internal audit services can include:
● Engagement conclusions
● Themes such as effective practices or root causes
● Conclusions at the level of the business unit
NB: Focus on:
1. Engagement conclusions
2. Themes
3. Conclusions at the level of the business unit or organisation
4. When communicating such a conclusion to the board or senior management, the chief audit executive must include:

Standard 11.4: If a final engagement communication contains a significant error or omission, the chief audit executive must communicate corrected information promptly to all parties who received the original communication.

Standard 11.5: The chief audit executive must communicate unacceptable levels of risk. When the chief audit executive concludes that management has accepted a level of risk that exceeds the organisation’s risk appetite or risk tolerance, the matter must be discussed with senior management.

Considerations for implementation

Standard 11.1: Regular, ongoing communication among the board, senior management and the internal audit function contributes to a common understanding of the organisation’s risks and assurance priorities and promotes adaptability to change.

Standard 11.2: Methodologies may include policies, criteria, style guides, and procedures to guide the internal audit function’s communications and achieve consistency.
NB: Focus on:
1. Engagement communications are: Accurate, Objective, Clear, Concise, Constructive, Complete, Timely

Standard 11.3: The results of internal audit services may be based on individual engagements, multiple engagements and interactions with the board and senior management over time.
NB: Focus on:
1. Engagement conclusions
2. Themes
3. Conclusions at the level of the business unit or organisation

Standard 11.4: The chief audit executive and the board should agree on a protocol for communicating the correction. The chief audit executive determines the most appropriate method of communication so that the corrected information is received by all parties.

Standard 11.5: The chief audit executive gains an understanding of the organisation’s risks and risk tolerance through discussions with the board and senior management, relationships and ongoing communication with stakeholders, and the results of internal audit services.
NB: Focus on:
1. When risks exceed the risk appetite, impacts may include:

Examples of evidence of conformance

Standard 11.1:
● Documentation of the internal audit function’s plan for managing stakeholder relationship.

Standard 11.2:
● Style guides, templates, and other documented methodologies for effective communication

Standard 11.3:
● Final engagement communications, including engagement findings, recommendations and conclusions

Standard 11.4:
● Internal audit methodologies for handling errors and omissions
● The original and corrected final communication documents

Standard 11.5:
● Documentation of discussions and agreement with the board on methodologies for communicating risk concerns

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 11 – Communicate Effectively
● Standard 11.1, 11.2, 11.3, 11.4 and 11.5
● The requirements stipulated for Standards 11.1, 11.2, 11.3, 11.4 and 11.5
● Considerations for implementation of Standards 11.1, 11.2, 11.3, 11.4 and
11.5
● Examples of evidence of conformance with Standards 11.1, 11.2, 11.3, 11.4
and 11.5
Global Internal Audit Standards (theiia.org)

9.3.4 PRINCIPLE 12: Enhance Quality



KEY CONCEPTS
Principle 12 Enhance Quality
The chief audit executive is responsible for the internal audit function’s conformance
with the Global Internal Audit Standards and continuous performance improvement.

According to the Global Internal Audit Standards, quality is a combined measure of conformance
with the Global Internal Audit Standards and the achievement of the internal audit function’s
performance objectives. The chief audit executive is responsible for ensuring that the internal
audit function is continuously seeking improvement. This requires developing measures to assess
the performance of internal audit engagements, internal auditors and the internal audit function.

Principle 12 consists of these Standards:


Standard 12.1 Internal Quality Assessment
Standard 12.2 Performance measurement
Standard 12.3 Oversee and Improve Engagement Performance

Requirements

Standard 12.1: The chief audit executive must develop and conduct internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards and progress toward performance objectives.

Standard 12.2: The chief audit executive must develop objectives to evaluate the internal audit function’s performance. The chief audit executive must develop a performance measurement methodology to assess progress toward achieving the function’s objectives.

Standard 12.3: The chief audit executive must establish methodologies for engagement supervision, quality assurance and the development of competencies. The chief audit executive is responsible for supervising engagements, whether the engagement work is performed by the internal audit staff or by other service providers.

Considerations for implementation

Standard 12.1:
Ongoing Monitoring
Ongoing monitoring involves the day-to-day supervision, review and measurement of the internal audit function.
Periodic self-assessments enable the internal audit function to validate its conformance with the Standards.
NB: Focus on:
1. Additional mechanisms commonly used for ongoing monitoring.
2. Periodic self-assessments evaluate:

Standard 12.2: The establishment of performance objectives is critical to determining whether an internal audit function is fulfilling its mandate in conformance with the Standards and achieving improvement in accordance with the function’s strategy.
NB: Focus on:
1. Establishment of performance objectives should take into consideration the desired outcomes articulated within:
2. Examples of performance categories to consider when establishing performance objectives and measures may include:

Standard 12.3: When planning engagements, the chief audit executive or a supervisor should review the engagement objectives. Assessing the skills of the internal audit staff is an ongoing process extending beyond reviewing engagement workpapers.

Examples of evidence of conformance

Standard 12.1:
● Completed checklists that support workpaper reviews, survey results and performance measures related to the efficiency and effectiveness of the internal audit function

Standard 12.2:
● Performance measures that address the tracked performance objectives and respective targets for those measures

Standard 12.3:
● Engagement workpapers with documentation of supervision
● Completed checklists that support workpaper reviews

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 12 – Enhance Quality
● Standard 12.1, 12.2 and 12.3
● The requirements stipulated for Standards 12.1, 12.2, and 12.3
● Considerations for implementation of Standards 12.1, 12.2, and 12.3
● Examples of evidence of conformance with Standards 12.1, 12.2 and 12.3
Global Internal Audit Standards (theiia.org)

9.4 DOMAIN V: PERFORMING INTERNAL AUDIT SERVICES


STUDY

According to the Global Internal Audit Standards, performing internal audit services
requires internal auditors to effectively plan engagements, conduct the engagement
work to develop findings and conclusions, collaborate with management to identify
recommendations and/or action plans that address the findings, and communicate with
management and the employees responsible for the activity under review throughout
the engagement and after it closes.

Internal audit services involve providing assurance, advice, or both.

Assurance services are intended to provide confidence about governance, risk
management and control processes to the organisation’s stakeholders, especially the
board, senior management and the management of the activity under review. Through
assurance services, internal auditors provide objective assessments of the differences
between the existing conditions of an activity under review and a set of evaluation
criteria. Internal auditors evaluate the differences to determine whether there are
reportable findings and to provide a conclusion about the engagement results,
including reporting when processes are effective.

Internal auditors may initiate advisory services or perform them at the request of the
board, senior management or the management of an activity. The nature and scope of
advisory services may be subject to agreement with the party requesting the services.
Examples of advisory services include advising on the design and implementation of
new policies, processes, systems and products; providing forensic services; providing
training; and facilitating discussions about risks and controls. When performing
advisory services, internal auditors are expected to maintain objectivity by not taking
on management responsibility. For example, internal auditors may perform advisory
services as individual engagements, but if the chief audit executive takes on
responsibilities beyond internal auditing, then appropriate safeguards must be
implemented to maintain the internal audit function’s independence.

Source: GLOBAL INTERNAL AUDIT STANDARDS - The Institute of Internal Auditors (iiam.com.my)

9.4.1 PRINCIPLE 13: Plan Engagements Effectively



KEY CONCEPTS
Principle 13 Plan Engagements Effectively
Internal auditors plan each engagement using a systematic, disciplined approach.

The Global Internal Audit Standards, along with the methodologies established by the chief audit
executive, form the foundation of internal auditors’ systematic, disciplined approach to planning
engagements. Internal auditors are responsible for effectively communicating at all stages of the
engagement. Engagement planning starts with understanding the initial expectations for the
engagement and the reason the engagement was included in the internal audit plan. When planning
engagements, internal auditors gather the information that enables them to understand the
organisation and the activity under review and to assess the risks relevant to the activity. The
engagement risk assessment allows internal auditors to identify and prioritise the risks to
determine the engagement objectives and scope. Internal auditors also identify the criteria and
resources needed to perform the engagement and develop an engagement work program, which
describes the specific engagement steps to be performed.


Principle 13 consists of these Standards:


Standard 13.1 Engagement Communication
Standard 13.2 Engagement Risk Assessment
Standard 13.3 Engagement Objectives and Scope

Requirements

Standard 13.1: Internal auditors must communicate the objectives, scope and timing of the engagement with management. Subsequent changes must be communicated with management timely.

Standard 13.2: Internal auditors must develop an understanding of the activity under review to assess the relevant risks. Internal auditors must review the gathered information to understand how processes are intended to operate.
NB: Focus on:
1. To develop an adequate understanding, internal auditors must identify and gather reliable, relevant, and sufficient information regarding:
2. Internal auditors must review the gathered information to understand how processes are intended to operate.

Standard 13.3: Internal auditors must establish and document the objectives and scope for each engagement. The engagement objectives must articulate the purpose of the engagement and describe the specific goals to be achieved, including those mandated by laws and/or regulations.

Considerations for implementation

Standard 13.1: Engagement communications may include initial, ongoing, closing and final communications with the management of the activity under review.
NB: Focus on:
1. The extent of ongoing communication depends on the nature and length of the engagement and may include:

Standard 13.2: Internal auditors should consult with the engagement supervisor while planning. To develop an understanding of the activity under review and assess relevant risks, internal auditors should start by understanding the internal audit plan, the discussions that led to its development, and the reason the engagement was included.
NB: Focus on:
1. To gather information, internal auditors may:

Standard 13.3: The objectives and scope for assurance engagements are determined primarily by the internal auditors, whereas the objectives and scope for advisory engagements are typically jointly established by the internal auditors and the management of the activity under review.
NB: Focus on:
1. Properly defining engagement objectives and scope before the engagement starts enables internal auditors to:
2. These include controls designed to manage risks related to:

Examples of evidence of conformance

Standard 13.1:
● Documentation showing that the required communications occurred throughout the engagement

Standard 13.2:
● Working papers documenting: Objectives of the activity being reviewed
NB: Focus on:
Working papers documenting

Standard 13.3:
● Engagement planning memorandum
NB: Focus on:
Engagement workpapers documenting

Standard 13.4 Evaluation Criteria
Standard 13.5 Engagement Resources
Standard 13.6 Work Program

Requirements

Standard 13.4: Internal auditors must identify the most relevant criteria to be used to evaluate the aspects of the activity under review defined in the engagement objectives and scope. For advisory services, the identification of evaluation criteria may not be necessary, depending on the agreement with relevant stakeholders.

Standard 13.5: When planning an engagement, internal auditors must identify the types and quantity of resources necessary to achieve the engagement objectives.
Internal auditors must consider:
● The nature and complexity of the engagement
● The time frame within which the engagement is to be completed
● Whether the available financial, human and technological resources are appropriate and sufficient to achieve the engagement objectives

Standard 13.6: Internal auditors must develop and document an engagement work program to achieve the engagement objectives.
The engagement work program must identify:
● Criteria to be used to evaluate each objective.
● Tasks to achieve the engagement objectives.
● Methodologies, including the analytical procedures to be used, and tools to perform the tasks.
● Internal auditors assigned to perform each task.

Considerations for implementation

Standard 13.4: As part of gathering information and planning the engagement, internal auditors identify the criteria used by the organisation to evaluate the effectiveness and efficiency of the governance, risk management and control processes of the activity under review.
NB: Focus on:
Examples of adequate criteria include:

Standard 13.5: Identifying and assigning resources when planning an engagement is typically handled by an internal auditor designated to lead and supervise the engagement. When planning engagements, internal auditors should consider the most efficient and effective application of available financial, human and technological resources.

Standard 13.6: The engagement work program builds on the information gathered and developed during engagement planning and details the tasks and methodologies that will be used to achieve the engagement objectives and analyse and evaluate information as internal auditors develop engagement findings, recommendations and conclusions.

Examples of evidence of conformance

Standard 13.4:
● Workpapers documenting the sources of criteria considered and the process used to determine the adequacy of the criteria used

Standard 13.5:
● Approved engagement work program showing utilisation of appropriate and sufficient resources

Standard 13.6:
● Workpapers supporting the development of the work program such as risk and control matrix with testing approach
NB: Focus on:
Workpapers supporting the development of the work program, such as:

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 13 – Plan Engagements Effectively
● Standard 13.1, 13.2, 13.3, 13.4, 13.5 and 13.6
● The requirements stipulated for Standards 13.1, 13.2, 13.3, 13.4, 13.5 and
13.6
● Considerations for implementation of Standards 13.1, 13.2, 13.3, 13.4, 13.5
and 13.6
● Examples of evidence of conformance of Standards 13.1, 13.2, 13.3, 13.4,
13.5 and 13.6
Global Internal Audit Standards (theiia.org)

9.4.2 PRINCIPLE 14: Conduct Engagement Work



KEY CONCEPTS
Principle 14 Conduct Engagement Work
Internal auditors implement the engagement work program to achieve the engagement
objective.

According to the Global Internal Audit Standards, to implement the engagement work program,
internal auditors gather information and perform analyses and evaluations to produce evidence.
These steps enable internal auditors to
● provide assurance and identify potential findings
● determine the causes, effects, and significance of the findings
● develop recommendations and/or collaborate with management to develop action plans
● develop conclusions

Principle 14 consists of these Standards:


Standard 14.1 Gathering Information for Analysis and Evaluation

Requirements
To perform analyses and evaluations, internal auditors must gather information that is:
● Relevant – consistent with engagement objectives, within the scope of the engagement, and contributes to the development of engagement results.
● Reliable – factual and current. Internal auditors use professional scepticism to evaluate whether the information is reliable. Reliability is strengthened when the information is:
  – Obtained directly by an internal auditor or from an independent source.
  – Corroborated.
  – Gathered from a system with effective governance, risk management, and control processes.
● Sufficient – when it enables internal auditors to perform analyses and complete evaluations and can enable a prudent, informed, and competent person to repeat the engagement work program and reach the same conclusions as the internal auditor.

Considerations for implementation
Procedures to gather information for analyses may include:
● Interviewing or surveying individuals involved in the activity
● Directly observing a process, also known as performing a walk-through
● Obtaining confirmation or verification of information from an individual who is independent of the activity under review
● Inspecting or examining physical evidence such as documentation, inventory or equipment
● Directly accessing organisational systems to observe or extract data
● Working with system users and administrators to obtain data

Examples of evidence of conformance
● Engagement work program, which includes procedures for gathering data relevant to the engagement objectives

Standard 14.2 Analysis and Potential Engagement Findings

Requirements
Internal auditors must analyse relevant, reliable, and sufficient information to develop potential engagement findings.
Internal auditors must analyse information to determine whether there is a difference between the evaluation criteria and the existing state of the activity under review, known as the “condition.”
A difference between the criteria and the condition indicates a potential engagement finding that must be noted and further evaluated.

Considerations for implementation
The engagement work program may include a list of specific analyses to be conducted, such as the following:
● Tests of the accuracy or effectiveness of a process or activity
● Ratio, trend and regression analyses
● Comparisons between current period information and budgets, forecasts or similar information from prior periods
● Analyses of relationships among sets of information
● Internal benchmarking, comparing information between different areas within the organisation
● External benchmarking, comparing information from similar organisations

The chief audit executive and the internal audit methodologies may provide guidance for determining whether to perform additional analyses. Considerations include the
● results of the engagement risk assessment, including the adequacy of control processes.
● significance of the activity under review and the potential findings
● the extent to which the analyses support potential engagement findings
● availability and reliability of information for further evaluation
● costs compared to the benefits of performing additional analysis.

Examples of evidence of conformance
● Workpapers that document the analyses performed, including data analytics programs or software used, test populations, sampling processes and sampling methods

Standard 14.3 Evaluation of Findings

Requirements
Internal auditors must evaluate each potential engagement finding to determine its significance.
When evaluating potential engagement findings, internal auditors must collaborate with management to identify the root causes when possible, determine the potential effects, and evaluate the significance of the issue.
To determine the significance of the risk, internal auditors must consider the likelihood of the risk occurring and the impact the risk may have on the organisation’s governance, risk management, or control processes.
Internal auditors must prioritize each engagement finding based on its significance, using methodologies established by the chief audit executive.

Considerations for implementation
A rating or ranking can be an effective communication tool for describing the significance of each finding and may assist management with prioritizing its action plans. When determining the significance, internal auditors should consider
● the impact and likelihood of the risk
● the risk tolerance
● any additional factors important to the organisation

The chief audit executive may provide templates for internal auditors to use to document engagement findings, ensuring proper documentation of various elements such as the
● criteria
● condition
● root cause (when possible)
● effect (risk or potential exposure)
● significance and prioritisation

Findings should explain the difference between the conditions and the criteria and should provide documented evidence that supports the internal auditors’ evaluation and judgment about the findings’ significance.

Examples of evidence of conformance
● Workpaper that lists the criteria, condition, root cause (when possible), effect (risk or potential exposure), and a prioritisation of each finding

Standard 14.4 Recommendations and Action Plans

Requirements
Internal auditors must determine whether to develop recommendations, request action plans from management, or collaborate with management to agree on actions to:
● Resolve the differences between the established criteria and the existing condition.
● Mitigate identified risks to an acceptable level.
● Address the root cause of the finding.
● Enhance or improve the activity under review.

When developing recommendations, internal auditors must discuss the recommendations with the management of the activity under review.

Considerations for implementation
Internal auditors should promptly discuss the findings and potential recommendations or action plans with the management authorized to make and oversee changes to the activity under review. The chief audit executive may create a methodology to help internal auditors identify the appropriate management.

Although internal auditors must collaborate with management on how to address the engagement findings, it is management’s responsibility to implement actions to address the findings.

Examples of evidence of conformance
● Workpapers for each finding, with the criteria, condition, root cause (when possible), effect (risk or potential exposure), and recommendation(s) and/or action plans included

Standard 14.5 Engagement Conclusion

Requirements
Internal auditors must develop an engagement conclusion that summarizes the engagement results relative to the engagement objectives and management’s objectives. The engagement conclusion must summarize the internal auditors’ professional judgment about the overall significance of the aggregated engagement findings.

Considerations for implementation
The conclusion may add context regarding the impacts of the findings within the activity under review and the organization. For example, some findings may have a significant impact on achieving goals or managing risks at an activity level, but not at an organisational level.

Examples of evidence of conformance
● A workpaper showing the basis for the overall engagement conclusion
● A conclusion statement in the final communication

Standard 14.6 Engagement Documentation

Requirements
Internal auditors must document information and evidence to support the engagement results. The analyses, evaluations, and supporting information relevant to an engagement must be documented such that an informed, prudent internal auditor, or similarly informed and competent person, could repeat the work and derive the same engagement results.

Considerations for implementation
Documentation of the internal audit engagement through workpapers is important.
Engagement documentation should include the following:
● Date or period of the engagement
● Engagement risk assessment
● Engagement objectives and scope
● Work program.
● Description of analyses, including details of procedures and source(s) of data
● Engagement results
● Names or initials of the individuals who performed and supervised the work.
● Evidence of communication to appropriate parties
NB: Focus on:
1. Common workpapers include:
2. A basic format for workpapers:

Examples of evidence of conformance
● Workpapers documenting the work performed in accordance with the established methodology
● Results of internal quality assessment reviews validating conformance with workpaper and supervision policies

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 14 – Conduct Engagement Work
● Standard 14.1, 14.2, 14.3, 14.4, 14.5 and 14.6
● The requirements stipulated for Standards 14.1, 14.2, 14.3, 14.4, 14.5 and
14.6
● Considerations for implementation of Standards 14.1, 14.2, 14.3, 14.4, 14.5
and 14.6
● Examples of evidence of conformance of Standards 14.1, 14.2, 14.3, 14.4,
14.5 and 14.6
Global Internal Audit Standards (theiia.org)

9.4.3 PRINCIPLE 15: Communicate Engagement Results and Monitor Action Plans

KEY CONCEPTS
Principle 15 Communicate Engagement Results and Monitor Action Plans
Internal auditors communicate the engagement results to the appropriate parties and
monitor management’s progress toward the implementation of recommendations or
action plans.

According to the Global Internal Audit Standards, internal auditors are responsible for issuing a
final communication after completing the engagement and communicating the engagement results
to management. Internal auditors continue to communicate with the management of the activity
under review to confirm that action plans are implemented.

Principle 15 consists of these Standards:


Standard 15.1 Final Engagement Communication

Requirements
For each engagement, internal auditors must develop a final communication that includes the engagement’s objectives, scope, recommendations and/or action plans if applicable, and conclusions. The final communication for assurance engagements also must include:
● The findings and their significance and prioritisation.
● An explanation of scope limitations, if any.
● A conclusion regarding the effectiveness of the governance, risk management, and control processes of the activity reviewed.

Considerations for implementation
A statement that the engagement is conducted in conformance with the Global Internal Audit Standards should be included in the final engagement communication. Indicating that the internal audit engagement conformed with the Standards is appropriate only if supported by the results of engagement supervision and the quality assurance and improvement program.
When issued as a report, the final communication may include the following components, in addition to the requirements:
● Title
● Background (a brief synopsis of the activity under review)
● Recognition (positive aspects of activity under review and/or appreciation of cooperation)
● Distribution list
The review of the final communication should verify whether
● the work performed and documented was consistent with the engagement objectives and scope and the Standards.
● the engagement results are clearly stated and supported by relevant, reliable and sufficient information
● the requirements for communicating with the management of the activity under review were met

Examples of evidence of conformance
● Written final communications
● Slides and/or meeting notes of presentations when final communication is oral
● Documentation indicating that the final communication was reviewed and approved

Standard 15.2 Confirming the Implementation of Recommendations or Action Plans

Requirements
Internal auditors must confirm that management has implemented internal auditors’ recommendations or management’s action plans following an established methodology, which includes:
● Inquiring about progress on the implementation.
● Performing follow-up assessments using a risk-based approach.
● Updating the status of management’s actions in a tracking system.

The extent of these procedures must consider the significance of the finding.

Considerations for implementation
The methodology for confirming the implementation of management’s action plans should include criteria for determining when to perform follow-up assessments to confirm that management’s action plans have effectively addressed findings. Follow-up assessments may be performed for completed action plans selectively, depending on the risk’s significance. Under certain circumstances, regulators may require reporting on management’s action plans.
If management decides on an alternative action plan and internal auditors agree that the alternative plan is satisfactory or better than the original action plan, then progress on the alternative plan should be tracked until completion.

Examples of evidence of conformance
● A routinely updated tracking system (for example, a spreadsheet, database or other tool) that contains the finding, associated corrective action plan, status and internal audit’s confirmation

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 15 – Communicate Engagement Results and Monitor Action Plans
● Standard 15.1 and 15.2
● The requirements stipulated for Standards 15.1 and 15.2
● Considerations for implementation of Standards 15.1 and 15.2
● Examples of evidence of conformance of Standards 15.1 and 15.2
Global Internal Audit Standards (theiia.org)

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video about the IPPF and
internal audit:

GLOBAL INTERNAL AUDIT STANDARDS - The Institute of Internal Auditors (iiam.com.my)

DID YOU KNOW?

Unisa has signed the United Nations Global Compact (UNGC). The UNGC has ten principles
that guide businesses in ethical practices. The principles that specifically focus on
ethics are as follows:
● Principle 10: Anti-Corruption - This principle states that businesses should
work against corruption in all its forms, including extortion and bribery.
● Principles 1 and 2: Human Rights - These principles emphasize that businesses
should support and respect the protection of internationally proclaimed human
rights and ensure they are not complicit in human rights abuses.

By focusing on ethics, the UNGC aims to create a business environment that is not only profitable
but also fair, transparent and sustainable.

The Ten Principles | UN Global Compact


DID YOU KNOW?

CATALYTIC NICHE AREAS - Through the leadership of the Principal and Vice-
Chancellor, Professor Puleng LenkaBula, the university has identified ten (10) catalytic
niches.

The part of the catalytic niche areas that focuses on ethics is Domain II - Ethics and
Professionalism. This domain emphasises the following core principles:
1. Demonstrate integrity
2. Maintain objectivity
3. Demonstrate competency
4. Exercise due professional care
5. Maintain confidentiality
These principles are essential for ensuring that internal auditors uphold the highest standards of
ethical behaviour and professionalism in their work.

Catalytic niche areas (unisa.ac.za)

TOPIC 5
The internal auditor’s competencies to
perform their responsibilities

Contents

Learning unit 10: The qualifications and skills of an internal auditor
Learning unit 11: Personal characteristics of an internal auditor

INTRODUCTION AND PURPOSE OF THE TOPIC


The Global Internal Audit Standards require that internal auditing engagements be
performed with proficiency and due professional care. You learnt in the
previous topics that an internal auditor must add value and improve an
organisation's operations. To be able to meet these high-level expectations, the
internal auditor should possess certain knowledge and skills and should also
exhibit certain characteristics. This topic covers these expectations in more detail.

LEARNING OUTCOMES

When you have worked through this topic, you should be able to
● describe the formal qualifications, knowledge, skills and competencies that an
internal auditor should possess to carry out his or her professional duties
● outline the personal characteristics that may be expected of an internal auditor

Learning unit 10
The qualifications and skills of an internal auditor

Contents

10.1 THE IIA’S GLOBAL INTERNAL AUDIT COMPETENCY FRAMEWORK
10.1.1 Global internal audit competency framework - Who is it for?
10.1.2 Outline of the global internal audit competency framework
10.2 RECOMMENDED QUALIFICATIONS FOR INTERNAL AUDITORS

10.1 THE IIA’S GLOBAL INTERNAL AUDIT COMPETENCY FRAMEWORK

Source: www.theiia.org


The IIA’s Internal Audit Competency Framework© provides a clear and concise professional
development plan for internal auditors at every level of their career. The framework defines four
knowledge areas focused on various standards, situationally specific functions, and key
proficiencies, with three distinct competency levels that progress from general awareness to
applied knowledge, and finally, an expert practitioner.

The comprehensive and concurrent strategy defines and delivers the knowledge and skills
necessary to navigate a successful career in internal auditing focused on best practices and
practical applications.

The framework also serves as an effective onboarding tool or a multi-year training plan that helps
chief audit executives and leaders continuously identify and fill skills gaps within the audit
function.

Source: www.theiia.org

TABLE 10.1
Outline of internal audit competencies
Professionalism
● Mission of internal auditing
● Internal audit charter
● Organisational independence
● Individual objectivity
● Ethical behaviour
● Due professional care
● Professional development

Performance
● Organisational governance
● Fraud
● Risk management
● Internal control
● Engagement planning
● Engagement fieldwork
● Engagement outcomes

Environment
● Organisational strategic planning and management
● Common business processes
● Social responsibility and sustainability
● Information technology
● Accounting and finance

Leadership & Communication
● Internal audit strategic planning
● Audit planning and coordinating assurance efforts
● Quality assurance and improvement Program

10.1.1 Global internal audit competency framework - Who is it for?


The IIA’s Internal Audit Competency Framework© was created for every internal auditor,
everywhere in the world and at any point in their career. It provides clear and concise professional
development plans, tools and techniques that evolve with the current risk environment.


The framework is designed to be used by the following people and institutions:


● Internal auditors to develop competencies that will help them meet their individual career
objectives
● Course developers and certification groups within the profession to ensure courses and
certifications develop and adequately assess the required competencies
● Employers, other professions, and the public to use as a point of reference for comparison or
benchmarking with their own competency frameworks or to gain a clear and detailed view of
the levels of expertise required by internal auditors
● The IIA and its affiliated institutes to develop strategies to support their position in the
international community with respect to standard setting
● Students to understand the competencies they would need to demonstrate to be successful
internal auditors and to assist them in assessing their career development plans
● The academic community to provide a listing of critical professional competencies to
consider in course development to prepare students for entry into the internal audit profession
● Recruiters and HR professionals to develop appropriate job descriptions and recruit suitably
qualified staff

10.1.2 Outline of the global internal audit competency framework


The Framework consists of 10 core competencies, each designed to enhance specific skills and
knowledge areas:
1. Professional ethics: Promoting and applying professional ethics
2. Internal audit management: Developing and managing the internal audit function
3. IPPF: Applying the International Professional Practices Framework (IPPF)
4. Governance, risk management, and control: Applying a thorough understanding of
governance, risk management and control appropriate to the organisation
5. Business acumen: Maintaining the expertise of the business environment, industry practices
and specific organisational factors
6. Communication: Communicating with impact
7. Persuasion and collaboration: Persuading and motivating others through collaboration and
cooperation
8. Critical thinking: Applying process analysis, business intelligence and problem-solving
techniques
9. Internal audit delivery: Delivering internal audit engagements
10. Improvement and innovation: Embracing change and driving improvement and innovation


Figure 10.1: These competency areas are illustrated as follows:

Source: www.theiia.org

READ

You can obtain a copy of The IIA’s Global Internal Audit Competency Framework
(Career map alignment) at the following link:

141738 SEM-Career Map Framework Overview.indd (internal-audit-strategy.com)

Note that you are not required to study the whole document.

KEY CONCEPTS
Principle 3 Demonstrate Competency.

It was discussed in detail in Topic 4: Principle 3

Demonstrating competency requires developing and applying the knowledge, skills,
and abilities to provide internal audit services.

Principle 3, Standard 3.1: Internal auditors must possess or obtain the competencies to perform
their responsibilities successfully. The required competencies include the knowledge, skills, and
abilities suitable for one’s job position and responsibilities commensurate with their level of
experience. Internal auditors must possess or develop knowledge of The IIA’s Global Internal
Audit Standards.


The Global Internal Audit Standards define competency as knowledge, skills, and abilities.

Internal auditors should develop competencies related to


● communication and collaboration
● governance, risk management, and control processes
● business functions, such as financial management and information technology
● pervasive risks, such as fraud
● tools and techniques for gathering, analysing and evaluating data
● the risks and potential impacts of various economic, environmental, legal, political and social
conditions
● laws, regulations and practices relevant to the organisation, sector and industry
● trends and emerging issues relevant to the organisation and internal auditing
● supervision and leadership
While internal auditors are responsible for ensuring their individual professional development and
may assess their own skills and opportunities for development, the chief audit executive should
support the professional development of internal auditors. The chief audit executive may establish
minimum expectations for professional development and should encourage the pursuit of
professional qualifications. The chief audit executive should include funding for training and
professional development in the internal audit budget and provide opportunities internally as well
as externally, through continuing professional education, training and conferences.

10.2 RECOMMENDED QUALIFICATIONS FOR INTERNAL AUDITORS

REFLECTION

Refer to Topic 1 and familiarise yourself with the professional qualifications and
certifications as discussed in learning unit 2.2.3.

Refer to Topic 1: Learning unit 2.2.3 Certifications.

READ

The internal auditing profession offers a certification programme, which has been
specifically developed for internal auditors. This programme, which was developed in
the USA in 1972, is known as the Certified Internal Auditor (CIA) programme and is
controlled by the International Institute of Internal Auditors. A person who has
obtained the CIA qualification enjoys international recognition as a professionally
qualified internal auditor.

NB!! Read through the Certified Internal Auditor (CIA) brochure to obtain a
better understanding of the CIA qualification.

2023-6322-CERT - 2022 CIA Brochure Digital Asset.indd (theiia.org)


MULTIMEDIA

Click on the hyperlink below to view the following YouTube video on why CIA is
recommended:

Title: Information about the Certified Internal Audit Certification (CIA)

Length: 15:15

Link: https://youtu.be/bD3S11PgcPc?si=oAlJ3vr1EuEesOjn

DISCUSSION

For more information on the current CIA examination syllabus, visit the web
pages of the Institute of Internal Auditors at
https://na.theiia.org/certification/Pages/Certification.aspx.
In South Africa, the CIA qualification is also regarded as the only distinctive
qualification for internal auditors.

MULTIMEDIA

Click on the hyperlink below to view the importance of the Certified Internal Auditor
(CIA) certification:

Link: https://youtu.be/j4pzeKDgHgk?si=_vLpUD1_9mJGqwjp

Learning unit 11
Personal characteristics of an internal auditor

Contents

11.1 PERSONAL CHARACTERISTICS OF AN INTERNAL AUDITOR

11.1 PERSONAL CHARACTERISTICS OF AN INTERNAL AUDITOR


Refer to Topic 1 and familiarise yourself with the professional qualifications and certifications as
discussed in learning unit 2.2.3.

It was discussed in detail in Topic 4: Learning unit 8.2.4 Principle 4: Exercise due
professional care

Having to liaise with and advise senior and executive management regarding diverse aspects of an
organisation can be challenging. Internal auditors should also be able to build relationships and
create confidence throughout the organisation, while remaining independent and objective. To
achieve this, the internal auditor should exercise due professional care, which requires him or her
to possess certain personal characteristics.

KEY CONCEPTS
Principle 4 Exercise Due Professional Care.

It was discussed in detail in Topic 4: Principle 4

Internal auditors apply due professional care in planning and performing internal
audit services.

When exercising due professional care, internal auditors perform in the best interest of those
receiving internal audit services but are not expected to be infallible.

Internal auditors must plan and perform internal audit services in accordance with the Global
Internal Audit Standards. The standards that embody exercising due professional care require:
● conformance with the Global Internal Audit Standards
● consideration of the nature, circumstances and requirements of the work to be performed
● application of professional scepticism to critically assess and evaluate information
The Global Internal Audit Standards explain that due professional care requires planning and
performing internal audit services with the diligence, judgment, and scepticism possessed by
prudent and competent internal auditors. When exercising due professional care, internal auditors
perform in the best interests of those receiving internal audit services but are not expected to be
infallible.

Internal auditors must exercise due professional care by assessing the nature, circumstances and
requirements of the services to be provided, including
● the organisation’s strategy and objectives
● the interests of those for whom internal audit services are provided and the interests of other
stakeholders
● adequacy and effectiveness of governance, risk management, and control processes
● cost relative to potential benefits of the internal audit services to be performed
● extent and timeliness of work needed to achieve the engagement objectives
● relative complexity, materiality, or significance of risks to the activity under review
● probability of significant errors, fraud, non-compliance, and other risks that might affect
objectives, operations or resources
● use of appropriate techniques, tools and technology
Examples of evidence of conformance for due professional care:
● Planning notes documenting the strategy and objectives of the organisation and activity under
review
● Documented assessments of governance, risk management and control processes
● Workpapers indicating supervisory review of engagements
● Internal auditors’ performance reviews
● Internal and external assessments performed as part of the internal audit function’s quality
assurance and improvement program

KEY CONCEPTS
To be able to comply with the requirements for due professional care, in practice, an
internal auditor should possess the following personal characteristics:
1. Inquisitive awareness of new developments. Insight into the technological
influences on the applicable disciplines, together with an interest in learning
more about matters in which he or she is not proficient or new developments.
2. Good interpersonal relations. Being part of the organisation, internal auditors
should be able to maintain very good interpersonal relations. An internal
auditor should have a pleasant personality, inspire confidence, speak
convincingly and act with authority. He or she should be able to persuade
others to cooperate, be tactful in his or her behaviour, and win the confidence
of both management and colleagues.
3. Diligence and patience. Internal auditors must be able to exercise patience.
Repetitive and routine work, although monotonous, should not affect their
attention and concentration. Whenever necessary, they should be capable of
probing deeply into a matter and should never hesitate to ask questions about
matters about which they are uncertain.

4. Objectivity and confidence. Internal auditors should have the courage of their
convictions and should not hesitate to criticise justly or disclose the truth.
Moreover, they should not yield to pressure. In other words, they should not
hesitate to follow the path of duty, despite possible conflicting interests.
However, their conviction must always be supported by facts.
5. Practical approach. Internal auditors must be practical and never allow
theoretical knowledge, or possible theoretical schemes, to distort their practical
judgement, experience or reasoning. They must be considerate toward the
auditee and refrain from making demands that will disrupt their employer's
business.
6. Professionalism. Internal auditors should always adhere to their high
professional calling and the ethical code that governs the profession, always
acting sincerely, honestly and impartially.
7. Independence and sound judgement. Internal auditors must be completely
independent, in mind as well as in their external relations with management
and the auditee. This requires internal auditors to be free from control and their
professional judgement should not be subordinate to that of others.
8. Integrity. Integrity has to do with uprightness and honesty. An internal
auditor's integrity should never be in doubt.
As students of internal auditing, make personal growth your goal, and strive to develop
these characteristics.

TOPIC 6
The purpose, responsibilities and liabilities
of an internal auditor

Contents

Learning unit 12: The purpose, responsibilities and liabilities of an internal auditor
Learning unit 13: The internal auditor’s role and responsibilities with regard to fraud

INTRODUCTION AND PURPOSE OF THE TOPIC


The internal audit function should have a charter, approved by executive
management, which clarifies the purpose, authority and responsibility of the
internal auditors.

This topic contains an account of the responsibilities of internal auditors towards
the organisation they serve. We also discuss the internal auditor's responsibility
with regard to fraud in more detail.


LEARNING OUTCOMES

When you have worked through this topic, you should be able to
● give an account of the internal auditing standards relating to the purpose, authority
and responsibility of the internal auditor
● apply your knowledge of the purpose, authority and responsibility of internal
auditors in practical situations with reference to the charter of an internal audit
function
● apply your knowledge of the responsibilities of the internal auditor regarding fraud
in practical situations

Learning unit 12
The purpose, responsibilities and liabilities of an
internal auditor

Contents

12.1 THE ROLE OF THE INTERNAL AUDIT FUNCTION – THE INTERNAL AUDIT MANDATE
12.1.1 Principle 6, Standard 6.1 Internal Audit Mandate
12.2 THE AUTHORITY OF AN INTERNAL AUDITOR – THE INTERNAL AUDIT CHARTER
12.2.1 Principle 6, Standard 6.2 Internal Audit Charter
12.3 THE RESPONSIBILITY OF AN INTERNAL AUDITOR
12.3.1 Responsibility to management
12.3.2 Responsibility regarding the execution of tasks
12.3.3 Responsibility towards the employer
12.4 THE LIABILITIES OF AN INTERNAL AUDITOR
12.4.1 Liability towards the employer
12.4.2 Liability towards third parties


12.1 THE ROLE OF THE INTERNAL AUDIT FUNCTION – THE INTERNAL AUDIT MANDATE

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video on What is Internal
Audit. This will refresh your memory on what you have learnt in Topic 1.

Link: What is Internal Audit (youtube.com)

REFLECTION

Refer to Topic 1 and reflect on what you know about the purpose of Internal Auditing
in LU 1.2.

It was discussed in detail in Topic 1: Learning unit 1.2 Purpose of Internal
Auditing

The purpose of the internal audit function should be derived from the definition of internal
auditing.

KEY CONCEPTS - STUDY


Let’s recap the definition of internal auditing:

The definition of internal auditing, as defined by the Global Internal Audit Standards:

“Internal auditing is an independent, objective assurance and advisory service
designed to add value and improve an organisation's operations. It helps an
organisation accomplish its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of governance, risk management, and control
processes” (2025).

It was discussed in detail in Topic 1: Learning unit 1.3.

Internal auditors should make a meaningful contribution to meet the needs of the organisation,
which is mainly to achieve its objectives.

The Internal Audit Mandate

The mandate empowers the internal audit function to provide the board and senior management
with objective assurance, advice, insight and foresight. The internal audit function carries out the
mandate by bringing a systematic, disciplined approach to evaluating and improving the
effectiveness of governance, risk management and control processes throughout the organisation.

REFLECTION

Before you attempt the rest of this topic, ensure that you are familiar with the content
of Principle 6, Standard 6.1 of the Global Internal Audit Standards.

It was discussed in detail in Topic 4: Learning unit 9.2.1 Principle 6


KEY CONCEPTS
The Global Internal Audit Standards define the internal audit mandate as:

The internal audit function’s authority, role, and responsibilities, which may be
granted by the board and/or laws and regulations.

12.1.1 Principle 6, Standard 6.1 Internal Audit Mandate


According to the Global Internal Audit Standards (2025), the chief audit executive must provide
the board and senior management with the information necessary to establish the internal audit
mandate. The chief audit executive must document or reference the mandate in the internal audit
charter, which is approved by the board. Periodically, the chief audit executive must assess
whether changes in circumstances justify a discussion with the board and senior management
about the internal audit mandate.

Board
● Discuss with the chief audit executive and senior management the appropriate authority, role
and responsibilities of the internal audit function.
● Approve the internal audit charter, which includes the internal audit mandate and the scope and
types of internal audit services.

Senior management
Participate in discussions with the board and chief audit executive and provide input on
expectations for the internal audit function that the board should consider when establishing the
internal audit mandate. Senior management support the internal audit mandate throughout the
organisation and promote the authority granted to the internal audit function.

The chief audit executive should discuss with the board and senior management the internal audit
mandate and other key considerations in the internal audit charter, focusing on helping the board
and senior management to understand the following aspects:
● Authority – The internal audit function’s authority is created by its direct reporting
relationship to the board. Such authority allows for free and unrestricted access to the board as
well as all activities across the organisation (for example, records, personnel, and physical
property).
● Role(s) – The primary role of the internal audit function is to conduct internal audit activities
and deliver internal audit services. There may be situations where roles beyond internal
auditing are part of the chief audit executive’s responsibilities, such as risk management or
compliance.
● Responsibilities – An internal audit function’s responsibilities comprise its accountability and
obligations to carry out its role(s), as well as the specific expectations of key stakeholders.
● Scope – The scope of internal audit services covers the entire breadth of the organisation for
which the internal audit function is responsible for providing services.
● Internal audit services – Internal audit services may simply be defined as assurance and
advisory services or may be more specifically defined, such as performance auditing,
assurance regarding internal controls over financial reporting, and investigations.


STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 6 – Authorised by the Board
● Standard 6.1 – Internal Audit Mandate
● The requirements stipulated for Standard 6.1
● Considerations for implementation of Standard 6.1
● Examples of evidence of conformance of Standard 6.1
Global Internal Audit Standards (theiia.org)

12.2 THE AUTHORITY OF AN INTERNAL AUDITOR – THE INTERNAL AUDIT CHARTER

DISCUSSION

The internal audit function in an organisation operates according to policies laid
down by management and the board of directors. These policies vary from one
organisation to another. The purpose, authority and responsibility of the internal
audit function should be defined in a formal, written document, referred to as a
charter, which should be authorised by top management and accepted by the
members of the board of directors.

REFLECTION

Before you attempt the rest of this topic, ensure that you are familiar with the content
of Principle 6, Standard 6.2 of the Global Internal Audit Standards.

It was discussed in detail in Topic 4: Learning unit 9.2.1 Principle 6

The Internal Audit Charter

According to Principle 6 of the Global Internal Audit Standards, the internal audit function
receives its mandate from the board. The mandate specifies the authority, role and responsibilities
of the internal audit function and is documented in the internal audit charter.

The board establishes, approves and supports the mandate of the internal audit function.

KEY CONCEPTS
The Global Internal Audit Standards define the internal audit charter as:

A formal document that includes the internal audit function’s mandate, organisational
position, reporting relationships, scope of work, types of services, and other
specifications (date; page number).

12.2.1 Principle 6, Standard 6.2 Internal Audit Charter


According to the Global Internal Audit Standards, the chief audit executive must develop and
maintain an internal audit charter that specifies, at a minimum, the internal audit function’s:
● purpose
● commitment to adhering to the Global Internal Audit Standards


● mandate, including scope and types of services to be provided, and the board’s responsibilities
and expectations regarding management’s support of the internal audit function
● organisational position and reporting relationships
The chief audit executive must discuss the proposed charter with the board and senior
management to confirm that it accurately reflects their understanding and expectations of the
internal audit function.

Board
● Approve the internal audit charter.
● Discuss with the chief audit executive and senior management other topics that should be
included in the internal audit charter to enable an effective internal audit function.
● Review the internal audit charter with the chief audit executive to consider changes affecting
the organisation, such as the employment of a new chief audit executive.
Senior management communicate with the board and chief audit executive about management’s
expectations that should be considered for inclusion in the internal audit charter.

The internal audit charter should describe administrative reporting responsibilities, such as the
processes for
● approving the internal audit function’s human resources administration and budgets
● approving the chief audit executive’s expenses
● reviewing the chief audit executive’s performance
The format of an internal audit charter may vary from one organisation to another. While there are
models for an internal audit charter, the chief audit executive should customise the internal audit
charter to address the unique organisational aspects that may affect the internal audit mandate,
scope and internal audit services.

Other topics for consideration in the internal audit charter include the following:
● Safeguards to objectivity and independence, including processes for addressing potential
impairments, and the frequency with which those safeguards are re-evaluated to ensure they
are achieving the desired result
● Unrestricted access, including how the internal audit function accesses the data, records,
information, personnel, and physical properties necessary to fulfil the internal audit mandate
● Communications, including the nature and timing of communicating with the board and
senior management
● Audit process, including any expectations regarding communications with management in the
area under review (before, during, and after an engagement) and how disagreements with
management are handled
● Quality assurance and improvement, including expectations for developing and conducting
internal and external assessments of the internal audit function and communicating the results
of the assessments
● Approvals, including any circumstances specified by the board and senior management

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 6 – Internal Audit Mandate
● Standard 6.2 – Internal audit charter


● The requirements stipulated for Standard 6.2
● Considerations for implementation of Standard 6.2
● Examples of evidence of conformance of Standard 6.2
Global Internal Audit Standards (theiia.org)

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video on the internal
audit charter.

Title: IATS The Audit Charter

Length: 5:54

Link: https://youtu.be/hWqYmPoCT7w?si=FXez0G8CLUOd2l7g

DISCUSSION

The following features need to be included in the internal audit charter to grant
internal auditors the necessary authority:
● Access to the books, records, vouchers and accounts
This authority is included because the internal auditor must have access to all
the information pertaining to the audit assignment at all times.
● Obtaining information and explanations
It is virtually impossible for an internal auditor to possess all the relevant
knowledge required at all times. It is, therefore, necessary that management and
staff should be compelled to furnish the internal auditors with additional
information and explanations should they require them.
● Attending meetings
Internal auditors need to keep abreast of matters concerning planning and
policies within the organisation, so that they can perform their duties. It is,
therefore, necessary for the internal auditor to attend and contribute to
policy-making meetings or to receive copies of the minutes of such meetings.
● Believing trusted officials
Internal auditors are entitled to place reliance on any information supplied to
them by trusted employees in the organisation. Internal auditors must, however,
exercise reasonable care, and treat each case on its merits before they accept as
trustworthy all information given to them by employees.
Based on this foundational work, the chief audit executive drafts an internal audit
charter. The IIA offers a model internal audit function charter that may be used as a
guide. Although they vary by organisation, charters typically include the following
sections:
● Introduction – to explain the overall role and professionalism of the internal
audit function, citing the relevant elements of the Global Internal Audit
Standards.


● Authority – to specify the internal audit function’s full access to the records,
physical property and personnel required to perform its engagements and to
declare its accountability for safeguarding assets and confidentiality.
● Organisation and reporting structure – to document the chief audit
executive’s reporting structure. The CAE reports functionally to the board
and administratively to a level within the organisation that allows the internal
audit function to fulfil its responsibilities. This section may delve into specific
functional responsibilities, such as approving the charter and audit plan, and
hiring, compensating, and terminating the CAE as well as administrative
responsibilities, such as supporting information flow within the organisation or
approving human resource administration and budgets.
● Independence and objectivity – to describe the importance of internal audit
independence and objectivity and how these will be maintained, such as
prohibiting internal audit from having operational responsibility or authority
over areas audited.
● Responsibilities – to lay out major areas of ongoing responsibility, such as
defining the scope of assessments, writing an audit plan and submitting it to the
board for approval, performing assessments, communicating the results,
providing a written audit report, and monitoring corrective actions taken by
management.
● Quality assurance and improvement – to describe the expectations for
maintaining, evaluating and communicating the results of a quality program
that covers all aspects of the internal audit function.
● Signatures – to document the agreement between the CAE, a designated board
representative and the individual to whom the CAE reports, with the date, name
and title of signatories.
Once drafted, the proposed charter should be discussed with senior management
and the board to confirm that it accurately describes the agreed role and
expectations or to identify desired changes. Once the draft has been accepted, the
CAE formally presents it at a board meeting to be discussed and approved. The
CAE determines the frequency with which to review and reaffirm with the board
whether the agreement’s provisions continue to enable the internal audit function
to accomplish its objectives. If a question should arise, the charter may be
referenced and updated as needed to clarify the internal audit function’s role.

ADDITIONAL RESOURCES
Please note that the examples of the audit committee charters below are for
illustrative purposes only, and we won’t ask you to draft a charter in the examination.

Click on the hyperlinks below to view examples of charters.

Microsoft Word - Model Charter 123016.docx (nigc.gov)

Internal Audit Charter (knysna.gov.za)


READ

Read the paper of the IIA on The Internal Audit Charter. Find
pp-the-internal-audit-charter.pdf in Additional Resources.

12.3 THE RESPONSIBILITY OF AN INTERNAL AUDITOR


REFLECTION

Before you attempt the rest of this topic, ensure that you are familiar with the content
of the Purpose Statement of Internal Auditing of the Global Internal Audit Standards.

It was discussed in detail in Topic 1: Learning unit 1.2 The purpose of internal
auditing

The objective of internal auditing is to assist members of the organisation in the effective
discharge of their responsibilities and to add value and improve the organisation's risk
management, control and governance processes.

The internal auditor should use all the powers at his or her disposal and employ them in such a
manner as to best execute his or her main task of assisting the members of the organisation. The
duties of an internal auditor comprise more than mere review and reporting, and involve certain
responsibilities:

12.3.1 Responsibility to management


Because of their basic function, namely, to assist the management of the organisation in carrying
out their responsibilities, internal auditors have special duties towards management.

Since internal auditors cooperate so closely with management in fulfilling the important role of
evaluating management's activities, they need to maintain good relations with management,
without compromising their objectivity in any way. This task could become difficult when the
internal auditor needs to be critical of management's activities. Internal auditors must have a very
clear picture of management's style, strategy, vision and mission, general approach and attitudes,
priorities, and so on.

It is their duty to examine every management function objectively and report on it timeously.

REFLECTION

Before you attempt the rest of this topic, ensure that you are familiar with the functions
of management:
● Planning
● Organising
● Directing
● Control
It was discussed in detail in Topic 3: Learning unit 5: The functions of management
in an organisation


12.3.2 Responsibility regarding the execution of tasks


In addition to the above responsibility to management, internal auditors also have responsibilities
in respect of the execution of their tasks.

In the execution of these responsibilities, internal auditors are required to perform such tests,
procedures or audit investigations that will provide adequate information to enable them to form a
definite audit opinion on the specific audit, which must be included in the internal audit report.

The internal auditor has an obligation to carry out his or her task in accordance with the guidelines
contained in the Global Internal Audit Standards Domain II Ethics and Professionalism.

REFLECTION

Before you attempt the rest of this topic, ensure that you are familiar with the content
of Domain II of the Global Internal Audit Standards.

It was discussed in detail in Topic 4: Learning unit 8.1: Domain II Ethics and
Professionalism

12.3.3 Responsibility towards the employer


In consequence of their contractual obligation as employees, internal auditors have an obligation
towards their employer to act in good faith in the fulfilment of their duties.

The following aspects are usually included in this contractual obligation:

Internal auditors
● may not use confidential information obtained in the performance of their duties for their own
gain or impart such knowledge to third parties
● should further the interests of their employer's business undertaking
● may not perform acts of dishonesty (fraud, theft) against their employer
● may not perform acts which are in competition with their employer
● may not perform acts of misconduct while performing their duties

12.4 THE LIABILITIES OF AN INTERNAL AUDITOR


In South Africa, the liability of internal auditors derives mainly from legal system principles.

12.4.1 Liability towards the employer


Internal auditors are responsible for fulfilling their duties as contracted with their employer. They
should perform these duties in a capable manner and without negligence. The auditor is guilty of
breach of contract if he or she contravenes the stipulations of the contract of service, or should he
or she be found to be incompetent or negligent.

In the case of breach of contract, the employer has the following legal remedies:
1. In terms of the general principles of the law of contract, appeal to the court to issue an order
forcing the internal auditor to abide by the stipulations of the contract.
2. Claim compensation for all losses sustained from the breach of contract by the internal auditor.
3. When the breach of contract is very serious, summarily terminate the internal auditor's contract
of service.


12.4.2 Liability towards third parties


The liability of internal auditors towards third parties for wrongful acts originates from negligent
or deliberate misrepresentation by them in the performance of their duties.

There is no contractual relationship, nor any relationship of confidence between the internal
auditor and third parties. Because the internal auditor does not report on the fairness of the
financial statements of the undertaking, no liability can originate via the financial statements. For
liability to ensue, the internal auditors must have been aware that third parties were going to rely
on their recommendations.

Presumably, third parties will hold the undertaking responsible for an act of negligence committed
by the internal auditors in the performance of their duties. In this case the undertaking should be
able to institute legal action against the internal auditor.

A third party, however, has a definite claim for compensation from the internal auditor personally
if the internal auditor is found to be guilty of deliberate misrepresentation. In this case the third
party could even hold the undertaking and the internal auditor jointly and separately responsible.

In the case of wrongful acts through negligence or deliberate misrepresentation by the internal
auditor, the onus of proof rests with the third party.

The third party will have to prove that


1. there was misrepresentation (an act)
2. the internal auditors were negligent in the performance of their duties, that is, that the
misrepresentation was wilful or negligent (guilt desideratum)
3. the loss sustained by the third party resulted from his or her dependence on the
misrepresentation (causality)
4. the third party sustained a monetary loss as a result of the misrepresentation (damage)
5. the internal auditors were aware of the dependence of the third party when they committed the
misrepresentation (wrongful desideratum)

Learning unit 13
The internal auditor’s role and responsibilities with
regard to fraud

Contents

13.1 INTRODUCTION
13.2 NATURE AND CATEGORIES OF FRAUD
13.3 INTERNAL AUDITOR’S ROLES AND RESPONSIBILITIES WITH REGARD TO FRAUD

13.1 INTRODUCTION
When executing their duties, internal auditors should apply the care and skill expected of a
prudent and competent internal auditor in the same or similar circumstances. Due professional
care is, therefore, appropriate to the complexities of the audit being performed. In exercising due
professional care, internal auditors should be alert to the probability of intentional wrongdoing,
irregularities, errors and omissions, inefficiency, waste, ineffectiveness and conflicts of interest.
They should also be on the lookout for these wherever irregularities are most likely to occur.

Fraud is just one of the risks to which organisations are exposed, and this is of particular concern
today. The management of any organisation must take cognisance of fraud, and any controls
introduced should be consciously aimed at preventing or detecting it. This learning unit deals with
the nature of fraud and the role and responsibilities of internal audit in detecting and preventing it.

READ

Read the following very interesting article. It is a fraud scenario with lessons learned.

Internal Auditor: October 2024 (mydigitalpublication.com)


13.2 NATURE AND CATEGORIES OF FRAUD


KEY CONCEPTS
What is fraud?

In the Global Internal Audit Standards, fraud is defined as follows:

Any intentional act characterized by deceit, concealment, dishonesty, misappropriation
of assets or information, forgery, or violation of trust perpetrated by individuals or
organizations to secure unjust or illegal personal or business advantage.

Fraud can be committed by an employee at any level within an organisation as well as by anyone
outside the organisation.

There are three common characteristics of fraud:


1. Pressure or incentive – the need the fraudster is trying to satisfy by committing the fraud
2. Opportunity – the fraudster’s ability to commit the fraud
3. Rationalisation – the fraudster’s ability to justify the fraud in his or her mind

Figure 13.1: The fraud triangle

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video on the fraud
triangle, and make notes of the important concepts:

https://youtu.be/HDdjHbkYqD0?si=tATNsDAhFyMkAnqy

Examples of fraud
A person commits fraud knowing that it could result in some unauthorised benefit to him or her, to
the organisation, or to another person. Fraud can be perpetrated by persons either outside or inside
the organisation. Some common fraud schemes are shown in the video mentioned below:

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video on types of fraud:

Link: https://youtu.be/-otHohty-Lk?si=Vm1eSDYhMJknG1Te

● Asset misappropriation. This involves stealing cash or assets (supplies, inventory, equipment
and information) from the organisation.


– Skimming. This involves stealing cash from an organisation before it is recorded on the
organisation’s books and records. For example, an employee accepts payment from a
customer, but does not record the sale.
– Disbursement fraud. This occurs when a person causes the organisation to issue a
payment for fictitious goods or services, inflated invoices, or invoices for personal
purchases. For example, an employee can create a shell company and then bill the
employer for non-existent services. Other examples are fraudulent healthcare claims
(billings for services not rendered, unbundled billings instead of bundled billings),
unemployment insurance claims by people who are in fact working, or pension or social
security claims for people who have died.
– Expense reimbursement fraud. This involves an employee being paid for fictitious or
inflated expenses. For example, an employee submits a fraudulent expense report claiming
reimbursement for personal travel, non-existent meals, extra mileage, and so on.
– Payroll fraud. This occurs when the fraudster causes the organisation to issue a payment
by making false claims for compensation. For example, an employee claims overtime for
hours not worked or an employee adds ghost employees to the payroll and receives the
paycheque.
– Financial statement fraud. This involves misrepresenting the financial statements, often
by overstating assets or revenue or understating liabilities and expenses. Financial
statement fraud is typically perpetrated by organisation managers who want to enhance the
economic appearance of the organisation. Members of management may benefit directly
from the fraud by selling stock, receiving performance bonuses or using the false report to
conceal another fraud.
– Information misrepresentation. This involves providing false information, usually to
those outside the organisation. It usually involves fraudulent financial statements, although
falsification of information used as performance measures can also occur.
– Corruption. This is the misuse of entrusted power for private gain. Corruption includes
bribery and other improper uses of power. Corruption is often an off-book fraud; by this we
mean that there is little financial statement evidence available to prove that the crime
occurred. Corrupt employees do not have to fraudulently change financial statements to
cover up their crimes – they simply receive cash payments under the table.
– Bribery. This is the offering, giving, receiving, or soliciting of anything of value to
influence an outcome. Bribes may be offered to key employees or managers such as
purchasing agents who have discretion in awarding business to vendors. Typically, a
purchasing agent accepts kickbacks to favour an outside vendor in buying goods or services.
The flip side of offering or receiving anything of value is demanding it as a condition of
awarding business: this is termed economic extortion. Another example is a corrupt lending
officer who demands a kickback in exchange for approving a loan. Those paying bribes
tend to be commissioned salespeople or intermediaries for outside vendors.
– Conflict of interest. This occurs where an employee, manager or executive of an
organisation has an undisclosed personal economic interest in a transaction that adversely
affects the organisation or the shareholders’ interests.
– Diversion. This involves diverting a potentially profitable transaction to an employee or
outsider that would normally generate profits for the organisation.

Fraud prevention and detection


Fraud prevention entails implementing policies and procedures, employee training and
management communication to educate employees about fraudulent activities. It also entails
activities and programs designed to identify fraud or misconduct that is occurring or has occurred.


READ

Read the following article about the perceived role of internal auditing in fraud
prevention and detection in South African public sector national departments. You will
not be examined on the content of this article.

Motubatse_Percieved_2014.pdf (up.ac.za)

Typical roles/responsibilities relating to fraud prevention and detection


1. Board of directors
The board of directors is responsible for effective and responsible corporate fraud governance.
The role of the board is to oversee and monitor management’s actions to manage fraud risks. It
is also responsible for setting the tone for fraud risk management within an organisation.
2. Audit committees
The audit committee of the board of directors is the independent eyes and ears of the investors
and other stakeholders. The committee’s responsibilities are to
● evaluate management’s identification of fraud risks and the implementation of antifraud
measures, and to provide the tone at the top that fraud will not be accepted in any form
● oversee controls to prevent or detect management fraud
● oversee senior management’s compliance with appropriate financial reporting and prevent
senior management override of controls or other inappropriate influence over the reporting
process

3. Management
Management is responsible for fraud prevention, and their responsibilities include
● implementing and monitoring processes and internal controls
● establishing and maintaining an effective internal control system at a reasonable cost

4. Internal auditors
Internal auditors evaluate risks faced by their organisations based on audit plans with
appropriate testing. Internal auditors need to be alert to the signs and possibilities of fraud
within an organisation. Specifically, internal auditors can assist in deterring fraud by
examining and evaluating the adequacy and effectiveness of internal controls. In addition, they
may assist management in establishing effective fraud prevention measures by knowing the
organisation’s strengths and weaknesses and providing consulting expertise.

MULTIMEDIA

Listen to the IIA’s new fraud podcast brought to you by All Things Internal Audit. The
fraud podcast provides fictionalised accounts of real-world frauds featured in the
Internal Auditor’s Fraud Department.

In the latest episode, an organisation’s chief audit executive investigates a suspicious
tuition reimbursement during the pandemic, uncovering a web of deceit involving an
employee. Listen to “School of Fraud”.

School of Fraud (theiia.org)

The internal auditor’s role and responsibilities with regard to fraud Learning unit 13

13.3 INTERNAL AUDITOR’S ROLES AND RESPONSIBILITIES WITH REGARD TO FRAUD
DISCUSSION

According to the Global Internal Audit Standards, Principle 3, Standard 3.1
Competency, internal auditors must possess the competencies to
perform their responsibilities successfully.
Internal auditors should develop competencies related to
● pervasive risks, such as fraud
There are references to the responsibility of internal audit regarding fraud in
various Global Internal Audit Standards. In this regard, the following principles
and standards are of particular importance:
● Principle 3 – Demonstrating competency requires developing and applying the
knowledge, skills, and abilities to provide internal audit services.
● Principle 4 – Internal auditors apply due professional care in planning and
performing internal audit services. Due professional care requires planning and
performing internal audit services with the diligence, judgment and scepticism
possessed by prudent and competent internal auditors.

REFLECTION

Before you attempt the rest of this topic, ensure that you are familiar with the content
of Principles 3 and 4 of the Global Internal Audit Standards.

They were discussed in detail in Topic 4: Learning unit 8.2: Principles 3 and 4.

In conducting audit engagements, the internal auditor should do the following:


● Consider fraud risks in the assessment of internal control design and determination of audit
steps to perform. Internal auditors are not expected to detect fraud, but internal auditors are
expected to obtain reasonable assurance that business objectives for the process under review
are being achieved and material control deficiencies – whether through simple error or
intentional effort – are detected. The consideration of fraud risks is documented in the working
papers, as well as linkage of fraud risks to specific audit work.
● Have sufficient knowledge of fraud to identify red flags indicating fraud may have been
committed. This knowledge includes the characteristics of fraud, the techniques used to
commit fraud and the various fraud schemes and scenarios associated with the activities
reviewed.
● Be alert to opportunities that could allow fraud, such as control deficiencies. If significant
control deficiencies are detected, additional tests conducted by internal auditors could be used
to identify whether fraud has occurred.
● Evaluate whether management is actively retaining responsibility for oversight of the
fraud risk management program, that timely and sufficient corrective measures have been
taken with respect to any noted control deficiencies or weaknesses, and that the plan for
monitoring the program continues to be adequate for the program’s ongoing success.
● Evaluate the indicators of fraud and decide whether any further action is necessary or
whether an investigation should be recommended.
● Recommend investigation when appropriate.


The internal auditor’s role in fraud investigations


The role of the internal audit function in investigations needs to be defined in the internal audit
charter as well as in the fraud policies and procedures. For example, internal auditing may have
the primary responsibility for fraud investigations, may act as a resource for investigations or may
refrain from involvement in investigations. Internal auditing may refrain from involvement
because it is responsible for assessing the effectiveness of investigations or because it lacks the
appropriate resources to be involved in investigations. Any of these is acceptable, as long as the
impact of these activities on the independence of internal auditing is recognised and handled
appropriately.

In addition to advising management, internal auditors may become involved in investigations by


● monitoring the investigation process to help the organisation follow relevant policies,
procedures and applicable laws and statutes (where internal auditing was not responsible for
conducting the investigation)
● locating and/or securing the misappropriated or related assets
● supporting the organisation’s legal proceedings, insurance claims or other recovery actions
● evaluating and monitoring the organisation’s internal and external post-investigation
reporting and communication plans and practices
● monitoring the implementation of recommended control enhancements

Internal auditors typically assess the facts of investigations and advise management on the
remediation of control weaknesses that led to the fraud. Internal auditors may design steps in
audit programmes or develop “auditing for fraud” programmes to help disclose the existence of
similar instances of fraud in the future.

Reporting fraud investigations


Reporting fraud investigations consists of the various oral, written, interim or final
communications to senior management and/or the board regarding the status and results of fraud
investigations. Reports can be preliminary and ongoing throughout the investigation. If internal
auditing conducts the investigation, Global Internal Audit Standard 15.1 Final Engagement
Communication provides information applicable to necessary engagement communications.

It was discussed in detail in Topic 4: Standard 15.1.

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video on real-time fraud
prevention in a real-time world:

https://youtu.be/sMDg7ld1tZU?si=jOggFNKO5x3G_cT_

TOPIC 7
Concepts relating to internal audit

Contents

Learning unit 14: Governance, risk management and control

INTRODUCTION AND PURPOSE OF THE TOPIC


This topic contains an overview of the important concepts of governance, risk
management and control and how the internal audit function should plan and
conduct its services to achieve the aim of improving governance, risk management
and control in organisations.

LEARNING OUTCOMES

When you have worked through this topic, you should be able to
● explain the concepts of risk management, control and governance

Learning unit 14
Governance, risk management and control

Contents

14.1 INTRODUCTION
14.2 GOVERNANCE PROCESS
14.3 RISK MANAGEMENT PROCESS
14.4 CONTROL PROCESS

14.1 INTRODUCTION
The Definition of Internal Auditing states very clearly that the internal audit function contributes
to the improvement of governance, risk management and control processes within organisations.
This aligns internal auditing with the current trends in corporate governance codes and best
practice guidelines internationally.

It was discussed in detail in Topic 1: Learning unit 1.3.

REFLECT

According to the Global Internal Audit Standards, Domain I, internal auditing
enhances the organisation’s
● successful achievement of its objectives
● governance, risk management and control processes
● decision-making and oversight
● reputation and credibility with its stakeholders
● ability to serve the public interest

It was discussed in detail in Topic 1: Learning unit 1.2: Domain I.


DISCUSSION

According to the Global Internal Audit Standards, Principle 9 Plan
Strategically: The chief audit executive plans strategically to position the internal
audit function to fulfil its mandate and achieve long-term success.

The internal audit function must evaluate and contribute to the improvement of the organisation’s
governance, risk management and control processes using a systematic, disciplined and risk-based
approach. Internal audit credibility and value are enhanced when auditors are proactive, and their
evaluations offer new insights and consider future impact.

In essence, if the organisation manages and applies good corporate governance principles, these
generally also filter through to the risk management and control processes. The internal audit
function must evaluate these processes in the sequence suggested above to conduct efficient and
effective internal audits.

Figure 14.1: Governance, Risk Management and Control


14.2 GOVERNANCE PROCESS


What is governance?

Governance is the process put in place by an organisation's top management to manage the
organisation in the pursuit of its goals. Through governance, the needs of all the stakeholders
involved with that specific organisation should be balanced.

KEY CONCEPTS
According to the Global Internal Audit Standards, governance means the combination
of processes and structures implemented by the board to inform, direct, manage, and
monitor the activities of the organisation toward the achievement of its objectives.

BLOG

Click on the hyperlink below and read the blog. This is one of my favourite articles
with regard to governance.

Internal auditor as Gardener of Governance - IIA

Corporate governance
Corporate governance represents a collection of broad principles and practices for the efficient,
effective and profitable running of an organisation in pursuit of its objectives. It should comply
with principles of best practice and applicable legal and regulatory requirements in this process.

In other words, governance is the process that the top management of an organisation has put in
place to manage the organisation in the pursuit of its goals.

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video on corporate
governance fundamentals: internal controls.

https://youtu.be/C9Tc2uMWDNI?si=Jtkl28L7tkH-pBn9

READ

Read the following article for a better understanding of corporate governance.

Corporate Governance (drishtiias.com)


READ

The disastrous effect of the absence of good corporate governance in organisations was
seen in the early years of this century in the collapse of large companies such as Enron
and WorldCom, which occurred in 2002 in the USA. Enron was a major American energy
company, which reported extremely good financial results and attracted investors.
There was no indication of the serious trouble the company was in until it suddenly
and unexpectedly collapsed. Its reported financial condition was sustained largely by
institutionalised, systematic and creatively planned accounting fraud. From 1999 until
May 2002 another company, WorldCom, used fraudulent accounting methods to mask
its declining earnings by painting a false picture of financial growth and profitability to
prop up the price of its shares.

These are just two of many similar examples of organisations that misled stakeholders. Good
corporate governance aims to prevent cases like these by laying down principles for the effective
management of organisations.

The biggest fraud that hit South Africa was accounting irregularities at Steinhoff (a global retailer)
in 2017. Alleged issues of poor governance and corporate culture contributed to the collapse of
Steinhoff. Large amounts of money from employee pension funds invested by the Public
Investment Corporation (PIC) in Steinhoff International were exposed.

KPMG (a big accounting firm) also suffered reputational damage after being caught up in
the corruption scandals of VBS Mutual Bank. This led to KPMG being investigated by the
Independent Regulatory Board for Auditors (IRBA), with the firm losing key clients and young
auditors being left with moral/ethical questions – after all, the auditing profession is supposed to
be one of the pillars of governance.

The Steinhoff, KPMG and VBS debacles indicate that companies and organisations need to have a
close look at governance and ethical leadership, and should review recent failures to evaluate the
extent to which the King Code of Corporate Governance is being applied.

DISCUSSION – KING IV

The 1994 King Report on Corporate Governance in South Africa successfully
formalised the need for organisations to recognise that they can no longer act
independently from the societies and the environments in which they operate. An
updated report, known as the King II Report, was issued in March 2002, followed
by the King III Report in March 2010. The latest King Report (King IV) came into
effect in November 2016.
King IV moved from “apply or explain” to “apply and explain” and reduced the 75
principles in King III to 17 basic principles in King IV. All companies are
encouraged to follow the Code but are not required by law to do so. King IV
provides governing bodies with a model for the way in which any area that is
subject to their governance should be approached. The underpinning philosophies
of King IV are sustainable development and integrated reporting. King IV
highlights the following key aspects:
● Integrated thinking: Considers the connectivity and interdependencies
between the range of factors that affect an organisation’s ability to create value
over time.
● The organisation as an integral part of society: Organisations operate in a
societal context, which they affect and by which they are affected.
● Stakeholder inclusivity: There is an interdependent relationship between the
organisation and its stakeholders, and the organisation’s ability to create value
for itself depends on its ability to create value for others. An organisation
becomes attuned to the opportunities and challenges posed by the triple context
in which it operates by having regard to the needs, interests and expectations of
material stakeholders.
● Corporate citizenship: As the organisation is an integral part of society, it has
corporate citizenship status. This status confers rights, obligations and
responsibilities on the organisation towards society and the natural environment
on which society depends.

READ

Read the summary of the King IV report.

Download King-IV-Summary-1-November-2016.pdf in Additional Resources.

ROLE OF INTERNAL AUDIT - GOVERNANCE

The internal auditor's responsibility toward governance


The definition of internal auditing requires internal auditors to evaluate the effectiveness
of the governance process. To do this, the internal auditor should know enough
about governance to be able to compare current practices with other best practices and
should be familiar with the organisation, its financial, ethical and social systems, and
the environment in which it operates. This knowledge and understanding will enable
the internal auditor to contribute successfully to governance by improving and adding
value to the existing systems. Internal auditors should be guided by the King Report on
Corporate Governance for South Africa (King IV) during their evaluation process as
well as The Global Internal Audit Standards.

Principle 9, Standard 9.1 Understanding Governance, Risk Management, and Control Processes

According to Standard 9.1 of the Global Internal Audit Standards, to understand governance
processes, the chief audit executive must consider how the organisation
● establishes strategic objectives and makes strategic and operational decisions
● oversees risk management and control
● promotes an ethical culture
● delivers effective performance management and accountability
● structures its management and operating functions
● communicates risk and control information throughout the organisation
● coordinates activities and communications among the board, internal and external providers of
assurance services, and management

In short, the scope of internal auditing should, therefore, provide reasonable assurance that
management's governance processes are effective in achieving the organisational objectives.


STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 9 – Plan Strategically
● Standard 9.1
● The requirements stipulated for Standard 9.1
● Considerations for implementation of Standard 9.1. Understanding
Governance Processes.
● Examples of evidence of conformance with Standard 9.1.
Global Internal Audit Standards (theiia.org)

14.3 RISK MANAGEMENT PROCESS


MULTIMEDIA

Click on the hyperlink below to get an overview of what risk management is.

https://youtu.be/_MvxQN-Wjn8?si=mCvgckX7mIk5hOIC

What is risk?

MULTIMEDIA

Click on the hyperlink below to get a good understanding of risk:

https://youtu.be/RjGBJk30rDc?si=py2Ny_gHQb-ovjGy

Figure 14.2: What is risk?


Source: www.wise-outsourcing.com


KEY CONCEPTS
According to the Global Internal Audit Standards’ Glossary:
● Risk is defined as the positive or negative effect of uncertainty on objectives.
● Risk management is defined as a process to identify, assess, manage, and
control potential events or situations to provide reasonable assurance
regarding the achievement of the organisation’s objectives.

Risk is measured in terms of impact and likelihood.


● Impact refers to the financial and other consequences that may occur if the risk materialises.
● Likelihood refers to the chances of the risk event occurring or not occurring.
This relates to all objectives – strategic, financial, control and compliance objectives. It can be
either positive or negative.

MULTIMEDIA

Click on the hyperlink below to get an understanding of risk and how to use a risk
matrix:

https://youtu.be/-E-jfcoR2W0?si=6R4O_CmNn2bNVyCt

What is business risk?


Business risk

Business risk can be explained as the threat that an event or action will adversely affect an
organisation's ability to achieve its business objectives and execute its strategies successfully.
Business risk comprises strategic, financial, operational and sustainability risk.

READ

Read the following article on business risk: definition, factors and examples.

Business Risk: Definition, Factors, and Examples (investopedia.com)


What is risk management?


Risk management can be explained as a process to identify, assess, manage and control potential
events or situations to provide reasonable assurance regarding the achievement of the
organisation’s objectives.

Therefore, risk management is the management process used in any organisation to manage the
risks that affect the achievement of the organisation's objectives. The risk management process
entails the planning, arranging and controlling of activities and resources to minimise the impacts
of all risks to levels that can be tolerated by shareholders whom the board has identified as
relevant to the business of the company.

READ

Read the following article on what risk management in internal audit is.

What is Risk Management in Internal Audit - ESG | The Report (esgthereport.com)

ROLE OF INTERNAL AUDIT – RISK MANAGEMENT

The internal auditor's responsibility toward risk management

Management is accountable to the board for designing, implementing and monitoring
the process of risk management, and for integrating it into the day-to-day activities of
the company.

The internal audit function should assist the board, directors and management through
consultation and facilitation in identifying, evaluating and assessing significant risks
and by providing independent assurance as to the adequacy and effectiveness of related
internal controls and the risk management process as indicated by the Global Internal
Audit Standards.

The internal audit function must evaluate the effectiveness and contribute to the improvement
of risk management processes.

Determining whether risk management processes are effective is a judgment resulting
from the internal auditor’s assessment that
● organisational objectives support and align with the organisation’s mission
● significant risks are identified and assessed
● appropriate risk responses are selected that align risks with the organisation’s
risk appetite
● relevant risk information is captured and communicated promptly across the
organisation, enabling staff, management and the board to carry out their
responsibilities

The most difficult part of any risk management process is to identify all the risks for
an organisation. Thus, during the evaluation process, the definition of internal auditing
requires the internal auditor to adopt a systematic, disciplined approach. The most critical
of the internal auditor’s tasks is to ensure that all the relevant risks were identified
through the risk management process.

The evaluation of the risk management process by the internal auditor will give management
assurance regarding the success achieved in the risk management process and
the achievement of its goals. In this way, the internal auditor will add value to the organisation
as a whole and facilitate the process of continuous improvement by
highlighting any deviations from or shortcomings in the risk management process,
and recommending improvements to the process where appropriate.

Principle 9, Standard 9.1 Understanding Governance, Risk Management, and Control Processes

According to Standard 9.1 of the Global Internal Audit Standards, to understand risk
management and control processes, the chief audit executive must consider how the organisation
identifies and assesses significant risks and selects appropriate control
processes.

This includes understanding how the organisation identifies and manages the following
key risk areas:
● Reliability and integrity of financial and operational information
● Effectiveness and efficiency of operations and programs
● Safeguarding of assets
● Compliance with laws and/or regulations

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 9 – Plan Strategically
● Standard 9.1
● The requirements stipulated for Standard 9.1

● Considerations for implementation of Standard 9.1. NB! Understanding
Risk Management Processes
● Examples of evidence of conformance with Standard 9.1
Global Internal Audit Standards (theiia.org)

In any organisation the extensive number of risks is overwhelming. Therefore, there was a great
need for a process to effectively understand and manage risks across the organisation. This was
achieved by the introduction of enterprise risk management (ERM).

KEY CONCEPTS
Enterprise risk management (ERM) is the identification and management of risks in
the face of uncertainty as an integral part of value creation and preservation for the
organisation, in a manner that will provide reasonable assurance of the achievement of
the organisation's objectives.

READ

Read the following article on the enterprise risk management framework.

Enterprise risk management framework (diligent.com)


Figure 14.3: Enterprise risk management


Source: COSO's enterprise risk management framework | ACCA Global

An important aspect of the risk management process is a system of internal control that reduces
risks to a level that the board considers acceptable – this is the “risk appetite” of the organisation.

Internal auditors must be alert to the significant risks that might affect objectives, operations or
resources. However, assurance procedures alone, even when performed with due professional care,
do not guarantee that all significant risks will be identified.

MULTIMEDIA

Click on the hyperlink below to get an understanding of what enterprise risk
management is:

https://youtu.be/0EzQEZH0VlQ?si=opmo0alO1rM1Uc36

DISCUSSION

Nature of work
The work performed by the internal audit function should be of such a nature that
it enables the auditors to evaluate and contribute to the improvement of
governance, risk management and control processes. The internal audit function
should follow these steps:
1. First, it finds out exactly what the objectives of the organisation are and
evaluates the governance processes.
2. Then, it reviews the risk management process.
3. After evaluating the risk management process, internal audit can evaluate the
control processes.


The sequence in which this is done is very important, because the control process
is based on the risk management process. Only once the internal auditors are
certain that the governance processes are well managed can they look at risk
management and control. In essence, if the organisation manages and applies good
corporate governance principles, it generally tends to manage the risk management
and control processes well.
Proper control starts with identifying the organisational objectives, as this is the
basis of what everyone in the organisation should work to achieve.

READ

Read the following article on the basics of internal audit and risk management.

Internal Audit and Risk Management: The Basics | Knowledge Leader

DISCUSSION

What are organisational objectives?


Every organisation must establish objectives that will determine the purpose of that
organisation's activities. This starts with establishing the vision and mission
statements for the organisation. Organisational objectives can be described as the
ideals or goals that an organisation is aspiring toward.
The mission statement defines the purpose of the organisation, i.e., why the
organisation exists.
The mission is broken down into organisational objectives for each business unit or
process. The setting of these objectives could range from a formal, structured
process to an informal process.
Organisational objectives can be
● strategic objectives – pertain to the value creation choices management makes
on behalf of the organisation.
● operational objectives – pertain to the effectiveness and efficiency of the
organisation's operations, including performance and profitability goals and
safeguarding resources against losses.
● reporting objectives – pertain to the reliability of internal and external
reporting of financial and operational information.
● compliance objectives – pertain to adherence to applicable laws and
regulations.
The executive management uses these objectives to identify the risks that have an
impact on the organisation and develops controls to address these risks to ensure
that the organisational objectives will be achieved. Management, therefore, puts
assets at risk to achieve objectives. Assets are exposed to risks such as damage,
unauthorised usage or abuse, theft and fire, and other natural disasters.


DISCUSSION

What are business processes?


A business process is a unit of work executed within the business to meet the needs
or objectives of a business or organisation. The mix and structure of the processes
will be unique for each organisation. If the internal auditor is to add value and
improve an organisation's operations, he or she needs to understand the
organisation's business processes. Organisations divide activities into business
processes and projects to achieve their objectives.
Effective managers should identify the risks that could impact on these objectives
by carrying out a risk assessment and develop successful strategies on how they
would manage the risks. The risk management process, therefore, consists of the
controls that management implements to control or mitigate the risks identified. In
this process, the internal auditor assists them by giving them assurance on whether
all the important risks have been identified and whether they are properly
controlled.
Risk assessment is described in COSO Internal Control-Integrated Framework as
a dynamic and imperative process for identifying and assessing risks to the
achievement of objectives. Thus, risk assessment forms the basis for determining
how risks will be managed.
Risk assessment can be done by using questionnaires, interviews (individual) and
workshops (control self-assessment or CSA). Most internal audit activities have
limited resources. It, therefore, makes sense to apply most of these resources to
those areas where the risk of errors and fraud is the greatest.

BLOG

Click on the hyperlink below and read the risk management blog.

The Risk Management Blog | Lowers & Associates (lowersrisk.com)

14.4 CONTROL PROCESS


MULTIMEDIA

Click on the hyperlink below to get an understanding of internal controls:

https://youtu.be/ErB5bwjVsY0?si=s4P8eaOC9sUzQV6x

What is control?

KEY CONCEPTS
According to the Global Internal Audit Standards’ Glossary:
● Control is defined as any action taken by management, the board, and other
parties to manage risk and increase the likelihood that established objectives
and goals will be achieved.

● Control processes are defined as the policies, procedures, and activities
designed and operated to manage risks to be within the level of an
organisation’s risk tolerance.

Controls should be established to encompass all management responses to risk. Controls are
derived from the way management runs the company and should be integrated into all business
processes at every level of the company.

MULTIMEDIA

Click on the hyperlink below to learn more about principles of internal controls.

https://youtu.be/9OBRg5TK9iM?si=mSoVwEIa4WuNg8Qk

The following are examples of controls (and their classification):

TABLE 14.1
Controls
Preventive controls Detective controls Directive controls
Personnel access cards Reconciliations to be done Procedure manuals
Cabinets/locks/keys Control accounts to be balanced Company policy
Security areas/cameras Circular letters Prescribed standards
Internal audit report Exception reports Certain meetings
Use of carbon paper Physical stock count Insurance
Ethical “tone at the top” Alarms Guidelines
Smoke detectors Training programmes


What is internal control?


You need to understand the generic meaning of “control” before you study the concept of “internal
control”, otherwise you may find it difficult to understand the distinction between them.

Figure 14.4: Internal control


Source: http://www.investopedia.com/terms/i/internalcontrol.asp

Internal control is an offshoot of “control” and it represents, broadly speaking, the entire set of
control measures (internal control system) that are put into operation to give effect to “control” in
the broad sense.

Internal control is usually embodied in a system of control measures, and the two should,
therefore, be seen as the same concept. It is a comprehensive concept and cannot be reflected in a
brief definition. Given the large number of elements that make up this concept, comprehensive
descriptions and further explanations are required to analyse and explain it.

READ

Read the following article on internal controls: definition, types, and importance.

Internal Controls: Definition, Types, and Importance (investopedia.com)

DISCUSSION

A good guide on the internal control process is the publication Internal Control –
Integrated Framework, which was published in 1994 and was developed by the
Committee of Sponsoring Organisations of the Treadway Commission (COSO). It is
more commonly referred to as the COSO framework. The latest update to the
framework was released in 2017. The Enterprise-wide Risk Management (ERM)
framework, also published by COSO, supplements the internal control framework.

In COSO Internal Control-Integrated Framework 2013, internal control is broadly
defined as follows:
Internal control is a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations, reporting, and
compliance.

The following is a definition of a system of internal control from a study (the SAC
study) by the Institute of Internal Auditors of the USA. It is important that you pay
attention to every phrase of the definition because every phrase is significant for
the purposes of perspective and understanding.
Pay attention to the relationship between this definition and the definition of
“control”. This definition embraces all the activities of an organisation (Sawyer &
Dittenhofer 2003:69–70):
The study defined an organisation's system of internal control as follows:
The means established to provide reasonable assurance that the overall
objectives and goals of the organisation are achieved in an efficient, effective,
and economical manner ... a set of processes, functions, activities, subsystems,
and people who are grouped together or consciously segregated to ensure the
effective achievement of objectives and goals.

Traditionally, auditors have used a series of internal control functions to determine
if an organisation's controls function adequately. As times changed, questions were
asked as to whether this was still a suitable way to evaluate the company's control
functions. How control and governance integrate into a control environment is an
important part of every internal audit. A new approach was taken to determine how
control should be looked at, which resulted in the establishment of the following
three control models:
● COSO framework (by the Committee of Sponsoring Organisations of the
Treadway Commission)
● CoCo framework (The Criteria of Control Board of the Canadian Institute of
Chartered Accountants)
● Cadbury Report (The Financial Aspects of Corporate Governance)
We only refer to the COSO model in this module.

READ

Read the following article to gain a better understanding of the COSO Framework.

What is the COSO Framework? How is it Used? (techtarget.com)


You can see the five interrelated components of the COSO internal control model in the figure
below.

Figure 14.5: The COSO integrated control framework (COSO 2013)


Source: COSO ERM Framework | COSO


According to the COSO model, internal control consists of the following five interrelated
components:

1. Control environment

The control environment is the set of standards, processes and structures that provide the basis
for carrying out internal control across the organisation. The board of directors and senior
management establish the tone at the top regarding the importance of internal control including
expected standards of conduct. It includes factors such as integrity and ethical values, the
organisational structure and assignment of authority and responsibility; competence; and the
rigour around performance measures, incentives and rewards to drive accountability for
performance.


2. Risk assessment

Risk assessment involves a dynamic and iterative process for identifying and assessing risks to
the achievement of objectives. Risk assessment forms the basis for determining how risks will be
managed.

Risk can be assessed from two perspectives:
● Likelihood
● Impact

It was discussed in detail in Topic 7: Learning unit 14.2.

3. Control activities

Control activities are the actions established through policies and procedures that help ensure that
management’s directives to mitigate risks to the achievement of objectives are carried out. Control
activities are performed at all levels of the entity, at various stages within business processes, and
across the technology environment.

4. Information and communication

Management obtains or generates and uses relevant and quality information from both internal and
external sources (flowing down, across and up through all levels of the organisation) to support
the functioning of other components of internal control. Communication is the continual, iterative
process of providing, sharing and obtaining necessary information.

5. Monitoring activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain
whether each of the five components of internal control, including controls to effect the principles
within each component, is present and functioning.

ROLE OF INTERNAL AUDIT - CONTROL

The role of the internal audit function in terms of control


The internal audit function’s role concerning control is to assist the directors and
management in maintaining effective controls by evaluating those controls to determine
their efficiency and effectiveness, and by developing recommendations for
enhancement or improvements. The following standard explains the role of the internal
audit function in terms of control.

STUDY

In the Global Internal Audit Standards, you need to study the following:
● Principle 9 – Plan Strategically
● Standard 9.1
● The requirements stipulated for Standard 9.1

● Considerations for implementation of Standard 9.1 NB! Understanding
Control Processes
● Examples of evidence of conformance with Standard 9.1
Global Internal Audit Standards (theiia.org)

According to the Global Internal Audit Standards, for each identified organisational objective,
the chief audit executive should develop and maintain a broad understanding of the organisation’s
control processes and their effectiveness.

The chief audit executive may develop an organisation-wide risk and control matrix to
● document identified risks that may affect the ability to achieve organisational objectives
● indicate the relative significance of risks
● understand key controls in organisational processes
● understand which controls have been reviewed for design adequacy and deemed to be
operating as intended

READ

Work through the following presentation on internal controls. This will provide you
with all the information you need to understand control. Download
PVAMU-Internal-Control-Training.pdf under Additional Resources.

DISCUSSION

What is control self-assessment?


Control self-assessment can be seen as a process whereby employee teams and
management at local and executive levels continuously maintain awareness of all
material factors affecting the likelihood of achieving the organisation's objectives,
thereby enabling them to make appropriate adjustments.
It is further stated that to promote independence, objectivity and quality within the
process, as well as effective governance, it is a good idea to involve internal
auditors in the process and that they independently report to senior management
and board committees.
Managers and internal auditors can use the control self-assessment methodology to
assess the adequacy of the organisation's risk management and control
processes. Internal auditors can utilise control self-assessment programmes to
gather relevant information about risks and unusual areas, and to forge greater
collaboration with operating managers and work teams.

MULTIMEDIA

Click on the hyperlink below and watch a short video explaining the concept of control
self-assessment.

https://youtu.be/9OBRg5TK9iM?si=mSoVwEIa4WuNg8Qk


DISCUSSION

How does control self-assessment work?


Control self-assessment is a technique to evaluate the effectiveness of business
processes by bringing together individuals in natural work groups and focusing the
workgroup teams on the assessment of steps necessary to assure the achievement
of business objectives. A prerequisite is that each work group be given clear
written business objectives that have been communicated to the participants. The
workshop normally includes a team of individuals and their supervisor. The
approach is designed to achieve a sharing of ideas among the people closest to the
operations being reviewed to identify the strengths and weaknesses in the existing
processes and to formulate improvement plans. The presence of the supervisor
ensures a measure of testing action plan suggestions for their feasibility and to
allow that supervisor to benefit from the open sharing of perceptions about the
work environment.
Workshop facilitators gain an understanding of unit business objectives through
interviews.
The CSA-facilitated process would usually occur as follows:
1. The key business objectives are selected for the work unit and are discussed.
2. The work group needs to determine what steps are taken to ensure that
objectives are met and what improvements can be made to the process
surrounding the achievement of the objectives.
3. The targets which could be set to implement such improvements need to be
determined. The final step is for the group to determine where they are,
currently, in achieving the effectiveness of the control, relative to where they
should be. The idea is to determine priorities for action plans.
4. The output of the workshop is tracked, a summary of the ideas discussed is
prepared, and action commitments are made by management.
This process provides an opportunity to gain insights into the soft controls (ethics,
management competence, etc) that may not be a natural outcome of the traditional
control evaluation process. Moreover, the flexibility of the process permits it to be
at virtually any level of the organisation.
An added advantage is the better buy-in to corrective action plans that occur, since
such plans are a product of the work group's thinking and experience. Importantly,
if there happens to be a smoking gun in the work environment, not only can it be
identified, but associated problems can be solved through employee involvement.
The fundamental objective of such a programme is to communicate that everyone's
overriding responsibility is to improve the business.
Source: Management Report on Internal Control (1994:76)
Control self-assessment represents a powerful tool for the internal auditor in the
quest to achieve the objective of adding value and improving the organisation's
operations by gaining first-hand access to employees at all levels and facilitating
discussions on risks and controls in their environment. From this, the internal
auditor gains valuable information to use in the execution of his or her
responsibilities.


ACTIVITY 14.1

Answer the questions below.

Question 1
Briefly explain the concepts of governance, risk management and control that are
included in the definition of internal auditing.

Question 2
While conducting an internal audit of the security and maintenance facilities of a
company’s delivery vehicles, you discover that the company is using only security guards
and no other methods to protect their assets, even though, collectively, the vehicles are
valued at R5 million.

List other preventive and detective controls the company could implement to ensure
the effective and efficient physical maintenance and security of its vehicles.

FEEDBACK ON ACTIVITY 13.1

Question 1
● Governance is the process put in place by an organisation’s top management to
manage the organisation in the pursuit of its goals.
● Risk management is the management process used in any organisation to manage
the risks that impact on the achievement of the organisation’s objectives.
● Control is any action taken by management, the board and other parties to manage
risk and increase the likelihood that established objectives and goals will be
achieved.

Question 2
In this question, we asked you to list controls, so you did not have to provide any
explanation or discussion. If you are asked to “describe” or “explain” the controls,
however, you will have to elaborate on each one.

Preventive
● Locks on gates/fences
● Guard dogs
● Lighting
● Maintenance schedules for services
● Regular inspections/services
● Gear locks and alarm systems in vehicles

Detective
● Surveillance cameras on site (could also be preventative)
● Alarms
● Logbooks
● Maintenance records

● Delivery reports
● Surveillance via satellite/radio

TOPIC 8
The internal audit process

Contents

Learning unit 15: The internal audit process

INTRODUCTION AND PURPOSE OF THE TOPIC


The definition of internal auditing states that in rendering their services to the
organisation, internal auditors follow a systematic, disciplined approach. In this
topic, we discuss the internal audit approach, the different types of internal audits
and the nature of internal audit work. We identify all the phases in the internal
audit process and explain the nature and function of each phase and the steps to be
taken within the different phases.

LEARNING OUTCOMES

When you have worked through this topic, you should be able to
● explain the internal audit approach, the types of internal audits and the nature of
internal audit work as determined by the organisation's objectives and requirements
● describe the phases of the internal audit process and the systematic steps that
should be followed during the performance of the internal audit

Learning unit 15
The internal audit process

Contents

15.1 INTRODUCTION
15.2 MANAGING THE INTERNAL AUDIT FUNCTION
15.3 TYPES OF INTERNAL AUDIT ENGAGEMENTS AND ENGAGEMENT APPROACHES
15.3.1 Types of internal audits
15.3.2 Internal audit approach
15.4 PHASES IN THE INTERNAL AUDIT PROCESS

15.1 INTRODUCTION
Global Internal Audit Standards guide the actual performance of internal audit engagements.

15.2 MANAGING THE INTERNAL AUDIT FUNCTION


READ

Before you start with this learning unit, read through the following very interesting
article: Building the internal audit function of the future | McKinsey


REFLECT

Domain IV of the Global Internal Audit Standards covers Managing the Internal
Audit Function

It was discussed in detail in Topic 4: Domain IV.

Ensure that you work through this domain and familiarise yourself with the Standards
that form part of Domain IV: Managing the Internal Audit Function.

It is very important that you understand the roles and responsibilities of the Chief
Audit Executive.

KEY CONCEPTS
The Global Internal Audit Standards define:

Internal audit plan:

A document, developed by the chief audit executive, that identifies the engagements
and other internal audit services anticipated to be provided during a given period. The
plan should be risk-based and dynamic, reflecting timely adjustments in response to
changes affecting the organisation.

The internal audit plan must
● specify internal audit services that support the evaluation and improvement of
the organisation’s governance, risk management, and control processes
● be dynamic and updated timely in response to changes in the organisation’s
business, risks, operations, programs, systems, controls, and organisational
culture
● consider the internal audit mandate and the full range of agreed-to internal audit
services
● identify the necessary human, financial, and technological resources necessary
to complete the plan
An internal audit strategy:
Is a plan of action designed to achieve a long-term or overall objective. The internal
audit strategy must include a vision, strategic objectives, and supporting initiatives for
the internal audit function. An internal audit strategy helps guide the internal audit
function toward the fulfilment of the internal audit mandate.

MULTIMEDIA

Click on the hyperlink below to view the following short video on what is internal
audit management.

What is Internal Audit Management?- MetricStream

Also, read the article that forms part of the video above:

What is Internal Audit Management?- MetricStream


Domain IV of the Global Internal Audit Standards states that the chief audit executive is
responsible for managing the internal audit function in accordance with the internal audit charter
and Global Internal Audit Standards. This responsibility includes strategic planning, obtaining
and deploying resources, building relationships, communicating with stakeholders, and ensuring
and enhancing the performance of the function.

Principle 9 – Plan strategically - of the Global Internal Audit Standards states that:
Planning strategically requires the chief audit executive to understand the internal audit mandate
and the organisation’s governance, risk management, and control processes. A properly
resourced and positioned internal audit function develops and implements a strategy to support
the organisation’s success. In addition, the chief audit executive creates and implements
methodologies to guide the internal audit function and develop the internal audit plan.
The chief audit executive plans strategically to position the internal audit function to fulfil
its mandate and achieve long-term success.
9.1: To develop an effective internal audit strategy and plan, the chief audit executive must
understand the organisation’s governance, risk management, and control processes.
9.2: An internal audit strategy helps guide the internal audit function toward the fulfilment
of the internal audit mandate. The chief audit executive must develop and implement a
strategy for the internal audit function that supports the strategic objectives and success
of the organisation and aligns with the expectations of the board, senior management,
and other key stakeholders.
9.3: The chief audit executive must create an internal audit plan that supports the
achievement of the organisation’s objectives. The chief audit executive must base the
internal audit plan on a documented assessment of the organisation’s strategies,
objectives, and risks. The assessment must be performed at least annually.
It was discussed in detail in Topic 4.

Principle 10 – Manage Resources - of the Global Internal Audit Standards states the
following: Managing resources requires obtaining and deploying financial, human, and
technological resources effectively. The chief audit executive needs to obtain the resources
required to perform internal audit responsibilities and deploy the resources according to the
methodologies established for the internal audit function.
The chief audit executive manages resources to implement the internal audit function’s
strategy and achieve its plan and mandate.
10.1: The chief audit executive must manage the internal audit function’s financial resources.
10.2: The chief audit executive must establish an approach to recruit, develop, and retain
internal auditors who are qualified to successfully implement the internal audit strategy
and achieve the internal audit plan.
10.3: The chief audit executive must regularly evaluate the technology used by the internal
audit function and pursue opportunities to improve effectiveness and efficiency.
It was discussed in detail in Topic 4.


KEY CONCEPTS
Domain I of the Global Internal Audit Standards states that internal auditing is most
effective when it is performed by competent professionals in conformance with the
Global Internal Audit Standards. Internal auditing strengthens the organisation’s
ability to create, protect, and sustain value by providing the board and management
with independent, risk-based, and objective assurance, advice, insight, and foresight.

Standard 12.2 Performance Measurement: The establishment of performance
objectives should take into consideration the desired outcomes articulated within
● the internal audit charter
● the Principles of the Global Internal Audit Standards
● the internal audit function’s strategy

DISCUSSION

The overall planning phase for the internal audit function starts with the chief audit
executive (CAE) establishing risk-based plans to determine all the work of the
internal audit function for that year. The actual planning regarding a specific audit
engagement is part of the next phase of the internal audit and will be dealt with in
the next section of this learning unit.

These plans should be communicated (Principle 9) to senior management and the board for
review and approval. The annual plan should also address the resources (Principle 10) needed to
perform the audits by looking at the number of people needed, the skills and experience they
should have and whether the required audit tools are available.

The CAE should establish policies and procedures (Principle 9) to guide the internal audit staff
and is also responsible for the coordination (Principle 9) of other parties involved. Finally, the
CAE should report (Principles 6, 8 and 11) on the performance of the department relative to its
plan, to senior management and the board.

Managing the internal audit function is the duty of the CAE, and this topic will be dealt with in
detail in the third-year modules.

READ

Read the following article for a better understanding of managing internal audit:

Managing internal audit | Technical guidance | IIA

The internal audit process can differ dramatically from assignment to assignment, depending on
both the nature and scope of work. Note that the above discussion relates to the management of
the internal audit function and its planning for areas of coverage, and not the individual audits or
engagements. Each individual audit engagement has different characteristics. The general phases
of an internal audit engagement are discussed in Learning unit 15.4: AUDIT PROCESS of this
learning unit.

It was discussed in detail in Topic 8: Learning unit 15.4: Audit process.


15.3 TYPES OF INTERNAL AUDIT ENGAGEMENTS AND ENGAGEMENT APPROACHES

Source: www.investopedia.com

15.3.1 Types of internal audits


Different types of audits can be performed. There is no fundamental difference in the underlying
philosophy of the types of audits to be discussed below. They all strive to improve organisational
performance. The differences lie in the aspect of performance on which they focus.

READ

Read the following article for an explanation of different types of audit engagements:

Internal Audit: What It Is, Different Types, and the 5 Cs (investopedia.com)


In this learning unit, we provide a brief overview of the following types of audits:

Source: Internal Audit Function Pdf – SkyetaroClarke

1. Compliance audits

Source: Compliance Audit - MechoMotive Uncategorized


MULTIMEDIA

Click on the hyperlink below to view the following YouTube video to gain a better
understanding of compliance audits.

https://youtu.be/pINbIROLPlY?si=rigWNXC88MNOfTLn

Compliance audits are carried out to determine whether a business entity has complied with
specific policies, plans, procedures, laws, regulations, or contracts, which affect the organisation.
To complete a compliance audit successfully, there must be established criteria against which the
compliance can be measured.

The focus of compliance auditing is on compliance with laws and regulations, statutes, and
internal policies. Therefore, a compliance audit sets out to find out how well a unit or organisation
complies with an established set of “rules”. The level of compliance with formal rules is an aspect
of performance. Although it is an important aspect, it is not the only one with which an auditor is
concerned.

READ

Read the following article on compliance audit and take note of the characteristics of a
compliance audit.

Compliance Audit: Definition, Types, and What to Expect | AuditBoard

2. Financial audits

Source: Financial Audit: Definition, Importance & Types - Akounto

The purpose of a financial engagement is to enable the internal auditor to express an opinion on
the reasonableness of financial information.

During a financial audit, an auditor looks for evidence relating to the reliability and integrity of
financial information. When an internal auditor conducts such audits, the information is normally
intended to be used by management for internal decision-making purposes. The audit may involve
both operating and financial data. Financial audits normally include a review of the accuracy and
completeness of the numbers themselves and an evaluation of the adequacy and effectiveness of
the controls that management have implemented to safeguard assets.

READ

Read the following article on the different types of Internal audits and take note of the
purpose, focus and example of each of the different types of audits.

What is Internal Audit: Types, Process, and Reports

Auditing of financial statements is directed at assessing the accuracy of financial reports relating
to financial conditions and operating performance. This type of auditing is usually associated with
external audits and includes ensuring the fairness of financial reporting.

3. Operational audits
Operational auditing (performance auditing) deals with the extent to which a unit meets its
performance objectives (effectiveness) and how well it utilises resources (efficiency and economy).

Source: What is an operational audit?

Operational auditing involves firstly determining management's objectives, followed by
establishing whether the existing management controls will lead to effectiveness, efficiency and
economy.

An auditor must determine
● which key performance indicators are used
● whether they are appropriate
● whether control objectives have been achieved in an effective, efficient and economical
manner

READ

Read the following article on operational auditing to get a better understanding of what
an operational audit entails and take note of the reasons to perform an operational audit.

What is an operational audit?


4. Environmental audits

Source: Environmental Audit Meaning, Importance, Etc. for UGC NET Notes

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video about what
environmental auditing is.

https://youtu.be/Mp-0oRb5VJo?si=mT90SEnpHkFmlLdD

During a typical environmental audit, a team of qualified inspectors conducts a comprehensive
examination of a plant or other facility to determine whether it is complying with environmental
laws and regulations. There is, however, a distinction between a compliance audit and an
evaluation of whether an organisation is complying with environmental laws and regulations. The
team systematically verifies compliance with applicable requirements using professional
judgement and evaluations of on-site conditions. The team may also evaluate the effectiveness of
systems in place to manage compliance and assess the environmental risks associated with the
facility's operations.

Effective environmental audit programmes have several characteristics in common. They require
the strong support of their organisation's management as well as adequate allocation of resources
to hire and train audit personnel. In addition, to be effective, audit programmes must operate with
freedom from internal or external pressure and employ quality assurance procedures to ensure the
accuracy and thoroughness of audits.


5. Fraud audits or investigations

Source: Fraud Risk Assessment. Definitions Related To Fraud Fraud is knowingly making material misrepresentations of
fact, with the intent of inducing someone. - ppt download

REFLECT

Ensure that you work through this learning unit and that you are familiar with the
internal auditor’s role and responsibilities concerning fraud.

It was discussed in detail in Topic 6: Learning unit 13.

Fraud auditing involves helping management create an environment that encourages the detection
and prevention of fraud in commercial transactions. This may involve helping to set a standard for
the organisation with an appropriate code of conduct and conflict-of-interest policy.

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video about fraud
auditing.

https://youtu.be/bVw5pGTkymo?si=maR-2ImPHbXvkjdN

An internal auditor must know
● the realm of fraud possibilities (How can it happen?)
● the sources of information and evidence (Where do I look?)
● whether the environment is conducive to fraud (Is fraud likely?)
● the areas of fraud opportunity (Where can it happen?)
● the laws of evidence (How can I prove it?)
An internal auditor must be capable of conducting a review of internal controls, assessing the
strengths and weaknesses of those controls, identifying abnormal transactions and distinguishing
between errors and fraudulent entries. This may involve following a computerised audit trail.

An internal auditor is responsible for determining whether an irregularity has occurred and, if so,
whether there is a criminal law in terms of which the matter can be dealt with, and whether there is
an apparent breach of that law since not all fraud can be prosecuted under criminal law.


An internal auditor must be alert to red flags and indicators, such as changes in personal
behaviour patterns and substantial departmental growth or decline beyond the norms.

Fraud detection may be reactive, in which case an internal auditor reacts to allegations and
complaints, suspicions and management's intuition. Proactive auditing involves ensuring adequate
internal controls through periodic audits, intelligence gathering, reviewing of variances, or logging
of exceptions.

6. Quality audits

Source: Quality Auditing PowerPoint and Google Slides Template - PPT Slides

A quality audit may be defined as a systematic and independent examination to determine whether
quality-related activities are implemented effectively and comply with the quality systems
and/or quality standards.

As seen by auditors, quality audits are not the same as quality assurance in the normal sense of the
word, which is usually associated with excellence. “Quality audits” is a technical term for auditing
that is focused on systems and processes rather than outcomes. This follows the corporate
governance concept that the properly constituted organisation should be based on a system of
well-controlled systems and processes.

Quality audits have become associated with older forms of management of quality such as total
quality management (TQM). As such, quality audits are associated with quality enhancement
strategies rather than traditional quality control inspections. Quality enhancement focuses on
creating a corporate culture centred on quality, as opposed to quality control, which was a reactive
process after the event and involved rejecting sub-standard products and services.

If quality is viewed in terms of the appropriateness of systems and processes rather than the more
traditional achievement of the correct outcomes, auditing moves from the need to define best
practices and desirable outcomes to evaluating the quality of the processes themselves. Defining
the key performance indicators has always been a contentious point in negotiating with
management for the audit. Reaching agreement on standard systems of practice is normally
considerably easier since little interpretation is required. From this, it follows that a proper
organisational structure is comprehensively systemised and documented, and therefore fully
auditable.


READ

Read the following article on quality auditing.

The Importance of Quality Auditing | Juran Institute, An Attain Partners Company

7. Programme results audits


Programme results audits aim to measure the accomplishment of established goals and objectives
for operations and programmes. In practical terms, it means audits that determine whether the
desired results are being achieved, as well as whether management has considered other options to
achieve the same results at a lower cost.

Conducting such audits involves

● ascertaining whether a specific objective or goal has been clearly defined for a particular
function
● ascertaining whether the objectives or goals are relevant and consistent with management's
intent
● evaluating any variance between the results and their original stated goals and objectives

In addition, the cost-effectiveness of a given programme is evaluated, as is the cost-benefit of
continuing a programme. Many auditors use statistical analysis extensively over a period, drawing
inferences from the results of the statistics. Complaint records may give a good indication of the
extent to which given operations or programmes satisfy the needs of the target market.
Management themselves may well be able to advise on the appropriateness of the programmes and
the measurement criteria.

8. Information Technology (IT) and Information Systems (IS) audits

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video on IT audit
fundamentals.

IT Audit | Definition, Process & Examples - Lesson | Study.com

IT audits come in a variety of forms. Any of the above types of internal audits could involve the
use of computers or, for that matter, the auditing of computer systems.

READ

After you have watched the video above, read the following article on IT audit,
definition, process and examples (scroll down for the article).

IT Audit | Definition, Process & Examples - Lesson | Study.com


15.3.2 Internal audit approach


The internal audit approach describes the methodology the internal auditor will follow to achieve
the audit objective (engagement objective) most efficiently. The engagement objectives describe
what the internal auditor wants to achieve by performing an audit.

The most accepted and practised approach to an internal audit is the risk-based audit approach.
This approach replaced the compliance-based approach in which compliance with existing
procedures and processes is assessed without an evaluation of whether the procedure or process is
an adequate control. A risk-based approach is more effective as it allows internal audit to
determine whether controls are effective in managing the risks which arise from the strategic
direction that a company, through its board, has decided to adopt (King IV).

The risk-based internal audit (RBIA) approach

READ

Read the following article on risk-based internal auditing approaches.

7 Risk-Based Internal Auditing Approaches to Risk Management

Risk-based internal auditing (RBIA) is the methodology that assures that risks are being managed
within the organisation's risk appetite. This approach is also recommended for internal audit
activities in the King IV report.

To evaluate the success of senior management's risk management, the internal auditor should be
able to identify the risks that may prevent the organisation from achieving its objectives. As risks
are uncertain events that could influence the objectives, the internal auditor and senior
management have to know and agree on exactly what the objectives of the organisation are before
they can begin to identify the risks involved.

The internal auditor must be familiar with the risk management techniques and methods used by
senior management so that he or she can evaluate the level of success with which senior
management has implemented its risk management process.

RBIA is one of many opinions on corporate governance provided to the board and the audit
committee by the internal auditor. These opinions are conventionally known as “assurance”, which
includes the opportunity to indicate why assurance cannot be given, in part or as a whole. In this
course, when using the term “assurance”, we also include the possibility that RBIA has found that
not all risks are managed properly and, therefore, assurance cannot be given.

In implementing RBIA, the assurance required by the board from various functions (e.g., health
and safety, quality control, insurance, the external auditors) will have to be taken into
consideration, and this should be reflected in the internal audit function’s charter (terms of
reference). It is the responsibility of the internal audit function to fulfil the board's requirements; it
is the board's responsibility to fulfil the requirements placed on it by legislation and stakeholders.


Source: Enterprise Risk Management (ERM): What It Is and How It Works

The methodology consists of the following five core internal audit roles that cover the risk
management framework of the whole organisation (known as “enterprise-wide risk management”
– ERM):
a. Give assurance that the processes used by management to identify all significant risks are
effective.
b. Give assurance that risks are correctly assessed (scored) by management, to prioritise them.
c. Evaluate risk management processes to ensure the response to any risk is appropriate and
conforms to the organisation's policies.
d. Evaluate the reporting of key risks by managers to directors.
e. Review the management of key risks by managers to ensure that controls have been put into
operation and are being monitored.

READ

Read the following article on Enterprise Risk Management (ERM): what it is and how
it works.

Enterprise Risk Management (ERM): What It Is and How It Works

15.4 PHASES IN THE INTERNAL AUDIT PROCESS


The internal audit process consists of systematic audit phases (and associated steps within each
phase) that should be followed for a specific audit engagement to achieve the audit objectives.

Although the ultimate purpose of any internal audit is to produce a report to management to help
members of the organisation achieve the organisational objectives, the objective and/or nature and/or
scope of an audit may differ due to the unlimited variety of internal audits that can be
performed to achieve the specified audit objectives. There is no single uniform audit process that
is valid for all audits, although there are fundamental phases in the process that apply to almost all
internal audits.


To conduct an efficient and effective internal audit, the internal audit process should include
the following four phases:

PHASE 1: DETERMINE THE AUDIT ASSIGNMENT AND OBJECTIVES (AUDITING ENGAGEMENT)

The starting point of any internal audit is knowledge of the internal audit charter and adherence to
its provisions. The internal audit charter may be seen as a contract that formalises the relationship
between the internal audit function and the organisation. The charter is developed by the
management and board of the organisation in conjunction with the internal auditor because these
provisions determine the overall purpose, authority, and responsibility (job description) of the
internal audit function. These provisions should be consistent with the requirements of the Global
Internal Audit Standards and approved by the board. The charter is approved to give it the
necessary status in the organisation.


REFLECT

Ensure that you work through this learning unit and that you are familiar with the
internal audit charter.

It was discussed in detail in Topic 6: Learning unit 12.2: Internal Audit Charter.

The nature of the audit assignment


The audit engagement could be a specific internal audit assignment, an assurance audit or a review
or consultancy engagement. An engagement may include multiple tasks or activities designed to
accomplish a specific set of related objectives. It could be an operational audit, a financial audit of
the different business processes, an IT audit, an internal control review, fraud detection, a control
self-assessment review or a combination of them all.

The origin of the audit assignment


The audit assignment originates from a risk assessment performed annually by the internal audit
department.

RISK ASSESSMENT

Ensure that you work through this learning unit and that you are familiar with the
content before attempting the next section.

It was discussed in detail in Topic 7: Learning unit 14.3: Risk assessment.

KEY CONCEPTS
According to Standard 9.4 of the Global Internal Audit Standards, the chief audit
executive must create an internal audit plan that supports the achievement of the
organisation’s objectives. The chief audit executive must base the internal audit plan
on a documented assessment of the organisation’s strategies, objectives, and risks.

The normal planning of the audit assignment should be based on a risk assessment, performed at
least annually, that considers the input of senior management and the board of directors. This plan
will enable the CAE to prioritise internal audits in a manner that is consistent with the broader
organisational objectives. The CAE prepares an annual plan to ensure that all the major
organisational objectives and risks will be adequately and appropriately covered by internal audit.
Internal audit assignments for normally planned audits should also be formulated in writing and
discussed with the internal auditor responsible for their performance. This procedure contributes
toward a better understanding of what the audit assignment entails and serves as the basis for the
next phase.

As manager of the internal audit department, the CAE should consider accepting proposed
consulting engagements based on the engagement's potential to improve the management of risks,
add value and improve the organisation's operations. The CAE should determine procedures for
the handling of, coordination of and control over the receiving and performance of special audit
assignments. In practice, when such procedures are not applied, special assignments either
● do not receive the appropriate attention; or
● receive excessive attention, to the detriment of the previously planned routine internal
audits


The procedure for handling, coordinating and controlling special audit assignments must make
provision for the following five points:
1. Receipt, written formulation, documentation and filing of special audit assignments at a
central place.
2. Determination of the priority which special audit assignments will enjoy with regard to their
execution.
3. Written authorisation by the CAE, bearing in mind the availability of budgeted time, for the
execution or rejection of special audit assignments, together with the appropriate notification
of his or her decision to the initiator of the special assignment.
4. Discussion of the authorised, ranked, written audit assignment with the CAE responsible for
the performance of the particular special audit task.
5. After that, the special assignment should follow the procedures prescribed for normal planned
budgeted internal audits.

Content of the audit assignment


The written formulation and authorisation by the initiator of the audit assignment, regarding the
need for the internal audit assignment, its scope and the restrictions imposed, help to ensure that
all parties concerned, namely
● the responsible internal auditor
● the chief audit executive (CAE)
● management
clearly understand the need from which the audit assignment originated, the limits within which
the audit is to be performed, and what could be achieved by the internal audit.

In internal audits, the limiting factors are not as clearly demarcated as is the case with ordinary
external audits, and this step is essential to prevent vagueness from causing misunderstandings.
Clearly setting the scope of an engagement upfront prevents mismatched expectations.

This audit assignment document remains the internal auditor's guideline throughout the
subsequent execution of the audit assignment. All his or her subsequent acts should be aimed at
satisfying the formulated need (objective) which initiated the audit assignment. The internal
auditor’s final audit opinion should fulfil this need specifically.

PHASE 2: PLANNING THE INTERNAL AUDIT (ENGAGEMENT PLANNING)

REFLECT

Ensure that you work through this learning unit and that you are familiar with the
content before attempting the next section.

It was discussed in detail in Topic 4: Learning unit 9.4.1: Principle 13 Plan
Engagements Effectively.


The prerequisite for conducting an efficient internal audit is proper planning.

Engagement planning comprises the approaches and actions the internal auditor must develop and
record for every audit assignment (engagement), including the scope, objectives, timing and
resource allocation. Proper planning will ensure that each step is fully applied and that the steps
are followed systematically in the correct order. The correct order must be followed because each
planning step is influenced by the previous step(s).

Planning is not confined to the initial stage of the audit but is an ongoing process until the
fieldwork has been completed. Information acquired during the audit and/or changing
circumstances can have an impact on the planning and conducting of the rest of the audit.

KEY CONCEPTS
Principle 13, Standard 13.2 states that internal auditors must establish and document
the objectives and scope for each engagement.

To develop an adequate understanding, internal auditors must identify and gather
reliable, relevant, and sufficient information regarding
● the organisation’s strategies, objectives, and risks relevant to the activity under
review
● the governance, risk management, and control processes of the activity under
review
● the organisation’s risk tolerance, if established
● the risk assessment supporting the internal audit plan
● applicable frameworks, guidance, and other criteria that can be used to evaluate
the effectiveness of those processes

Internal auditors must identify the risks to review by
● identifying the potentially significant risks to the objectives of the activity under
review
● considering specific risks related to fraud
● evaluating the significance of the risks and prioritising them for review

Principle 13, Standard 13.3 states that internal auditors must establish and document
the objectives and scope for each engagement.

The engagement objectives must articulate the purpose of the engagement and describe
the specific goals to be achieved, including those mandated by laws and/or regulations.

The scope must establish the engagement’s focus and boundaries by specifying the
activities, locations, processes, systems, components, period to be covered in the
engagement, and other elements to be reviewed, and be sufficient to achieve the
engagement objectives.

Steps in planning the internal audit


The planning steps that should be followed for each audit are as follows:
1. Obtain background information of the audit area (preliminary survey).
2. Identify the engagement objective(s) to be achieved.
3. Consider the audit risk.

4. Determine the allocation of engagement resources.
5. Compile the detailed engagement (audit) programme.

Let us discuss these steps in more detail.

(Step 1) Background knowledge (preliminary survey)

1. It is important to obtain background information on the audit area in a planned and systematic
manner. Not all information related to the audit area is necessarily important to achieve the
objectives of the audit.
2. Even at the planning stage, the internal auditor's approach should be management- and
risk-based; that is to say, comprehensive information on the activity or department to be
audited should be collected. This comprises far more than collecting information on the nature
of transactions, the flow of transactions and documents and the accompanying controls.
3. The reasons for obtaining background information on the auditee are to
● obtain knowledge of the environment and business practices applicable to that business
● be able to identify the business processes put in place
● evaluate the effectiveness and efficiency of the processes
● identify processes that do not assist with the achievement of the objectives

(Step 2) Identify the engagement objectives to be achieved.

What are engagement objectives?

According to the Global Internal Audit Standards, engagement objectives (sometimes also
referred to as audit objectives) are broad statements developed by the internal auditor that
define the intended engagement accomplishments. These statements will not limit the scope of
the investigation and will ensure that the purpose of the engagement is still accomplished. Based
on the information and evidence obtained during the preliminary survey (step 1), the auditors will
determine the objectives of the audit engagement. The objectives must enable the internal auditors
to add value to and improve the operations of the engagement activity (department/section/unit
audited), as well as those of the organisation as a whole.

While performing the preliminary survey (step 1) the internal auditor should identify the
organisational (business) objectives.

Engagement (or audit) objectives depend on organisational objectives. The engagement (audit)
objective(s) should be established for each audit engagement and should be formulated concerning
the following:
● The provisions of the charter
● The requirements of the audit committee
● The origin of the audit assignment
● The consideration of the risk assessment

Formulation of engagement/audit objectives


It is very important to formulate audit objectives correctly; otherwise, there will be no clarity on
exactly what the internal auditor is expected to achieve by conducting the audit.

NB: Therefore, the engagement/audit objective is what the internal auditor wishes to ensure by his or
her testing (audit procedures).


(Step 3) Consider the audit risk.

The internal auditor should make a preliminary assessment of the audit risks that are uncontrollable
by the internal auditor and may affect the achievement of engagement (audit) objectives.

Three risks need to be considered when considering audit risk. They are inherent risk, control risk
and detection risk.

Audit risk
Audit risk will be discussed in more detail in the internal auditing modules at the third-year level.
For this module, you need to understand the meaning of audit risk and the components of audit
risk and be able to calculate audit risk.

Audit risk is the risk that audit coverage will not address significant business exposures.

The total audit risk is determined using the following formula:

IAR (internal audit risk) = IR (inherent risk) × CR (control risk) × DR (detection risk)

1. Inherent risk

Inherent risk is the likelihood of a significant loss occurring before any risk-reducing factors are
taken into account.

In evaluating inherent risk, an auditor should consider the types and nature of the risks and what
factors indicate that a risk exists.

2. Control risk

Control risk is the likelihood that the control processes established to limit or manage inherent risk
are ineffective.

To ensure that an internal audit evaluates the controls properly, an auditor must understand how to
measure the effectiveness of controls. This will involve identifying those controls that provide the
most assurance that risks are being minimised within the business.

It is quite clear from the descriptions of inherent and control risks that, when the risk approach in
the conduct of an audit is followed, these risks should serve as the basis for establishing the
auditor's exposure to risks.

3. Detection risk

Detection risk is the risk that the auditors might not pick up material problems that would affect
the conclusion pertaining to an audit objective.

This might arise because entries and activities are not fully examined.

The term “material” indicates significance. The internal auditor should consider materiality and its
relationship to the audit risk when conducting an audit.


(Step 4) Determine the allocation of engagement resources.

This step will be discussed in more detail in the internal auditing modules at the third-year level.
For this module, you need to know and understand the following standards concerning
engagement resources.

KEY CONCEPTS
Principle 13, Standard 13.5 states that when planning an engagement, internal
auditors must identify the types and quantity of resources necessary to achieve the
engagement objectives.

Internal auditors must consider
● the nature and complexity of the engagement
● the time frame within which the engagement must be completed
● whether the available financial, human, and technological resources are
appropriate and sufficient to achieve the engagement objectives

If the available resources are inappropriate or insufficient, internal auditors must
discuss the concerns with the chief audit executive to obtain the resources.

(Step 5) Compile the engagement/audit programme.

The audit or engagement programme lists directions for the examination and evaluation of the
information needed to meet audit objectives within the scope of the audit assignment.

The nature and extent of the audit procedures that should be performed during the fieldwork phase
are determined by considering the results of all the previous steps in the planning process and are
then set out in the form of a written audit programme.

The audit programme is the result of the initial planning steps. The thoroughness with which the
audit programme is compiled will directly determine the efficiency of the audit.

KEY CONCEPTS
Principle 13, Standard 13.6 states that internal auditors must develop and document
an engagement work program that will achieve the engagement objectives.

The engagement work program must be based on the information obtained during the
engagement planning, including, when applicable, the results of the engagement risk
assessment.

The engagement work program must identify
● criteria to be used to evaluate each objective
● tasks to achieve the engagement objectives
● methodologies and tools to perform the tasks
● internal auditors assigned to perform the tasks

The chief audit executive must review and approve the engagement work program
before it is implemented and promptly when any subsequent changes are made.

For advisory services, the work program should be developed in collaboration with the
stakeholders who requested the service.


PHASE 3: PERFORMING THE ENGAGEMENT (FIELDWORK)

REFLECT

Ensure that you work through this learning unit and that you are familiar with the
content before attempting the next section.

It was discussed in detail in Topic 4: Learning unit 9.4.2: Principle 14 Conduct
engagement work.

Phase 3 of the audit process is where the audit procedures as set out in the audit programme are
conducted and evidence is gathered to satisfy the audit objectives.

The results of the audit procedures performed are captured on working papers, which we discuss
in more detail in the next learning unit.

KEY CONCEPTS
Principle 14 of the Global Internal Audit Standards states the following:

To implement the engagement work program, internal auditors gather information and
perform analysis and evaluations to produce evidence. These steps enable internal
auditors to
● provide assurance and identify potential red flags
● determine the cause, effects and significance of the findings
● develop recommendations and/or collaborate with management to develop
action plans
● develop conclusions
Standard 14.1 explains that to perform analyses and evaluations, internal auditors
must gather information that is
● relevant – consistent with engagement objectives, within the scope of the
engagement, and contributes to the development of engagement results
● reliable – factual and current. Internal auditors use professional scepticism to
evaluate whether the information is reliable. Reliability is strengthened when
the information is
– obtained directly by an internal auditor or from an independent source
– corroborated
– gathered from a system with effective governance, risk management, and
control processes
● sufficient – when it enables internal auditors to perform analyses and complete
evaluations and can enable a prudent, informed and competent person to repeat
the engagement work program and reach the same conclusions as the internal
auditor


Audit evidence

Source: Auditing Evidence: Definition, Characteristics, Example

READ

Read the following article on audit evidence: the definition, characteristics and
example.

Auditing Evidence: Definition, Characteristics, Example

Audit evidence involves all forms of information that the internal auditors consider necessary to
achieve their audit objective.

Given the wide range and important function of audit evidence in the internal audit process, it is
necessary to discuss the concept in more detail. The basic task of internal auditors is to obtain
sufficient acceptable audit evidence to enable them to carry out their responsibilities as efficiently
as possible.

Our discussions of audit evidence in this module are confined to indicating the kinds of audit
evidence that are available and are normally used and the standards with which audit evidence
should comply.

Kinds of audit evidence


There are numerous kinds of audit evidence, all of which are likely to be used at some stage of the
audit. Various audit objectives require the gathering of various kinds of audit evidence or a
combination of different kinds of audit evidence.

Physical evidence - Physical evidence is obtained through the direct observation of people,
property and events. It can take the form of attendance at a physical stock count and/or attendance
at wage pay-outs.

Oral evidence - Oral evidence is gathered in the course of interviews or enquiries. Generally, this
type of evidence must be supported by documentation or other evidence.

Documentary evidence - Documentary evidence comprises the documents of the auditee which
relate to the auditee's business. This type of evidence may be internal or external. External
documentary audit evidence originates outside the undertaking and includes letters or memoranda
received by the auditee, suppliers' invoices, credit notes received, bank statements and packing
sheets. Internal documentary evidence originates within the undertaking and includes sales
invoices, paid cheques, credit notes issued and copies of outgoing correspondence.


Evidence generated by the internal auditor - This type of evidence is related to analysis and
confirmation. The sources of such evidence are calculations, comparisons with imposed standards,
completed operations, similar operations and the combining of information in context.

The basic categories of engagement/audit procedures


Audit procedures are the tests that the auditor performs during the audit. The basic categories of
engagement procedures to obtain audit evidence are the following:
● Inspection – Inspection involves examinations of records or documents, whether internal
(originating within the company) or external (originating outside the company), in paper form,
electronic form or in the form of other media, or a physical examination of an asset.
● Observation – This consists of looking at a process or procedure being performed by others. It
implies taking a careful and knowledgeable look at people's activities and actions to obtain
information that the internal auditor requires to perform his or her task. Observing is a valuable
procedure, which is used in virtually every assignment, and which requires a high degree of
skill.
● External confirmation – Obtaining external confirmation entails receiving a direct written
response from a third party to a request from the auditor to that third party.
● Recalculation – Recalculation consists of checking the mathematical accuracy of documents
and records manually or electronically.
● Routine checking/transaction audit – Basically, the routine work in an internal audit
(original record examination) comprises those steps (checks) designed to satisfy the internal
auditor that the double-entry functions have been fully and correctly performed. In particular,
auditors need to be satisfied regarding
1. additions
2. cross-casts
3. extensions
4. analysis
5. transfer of totals
6. calculation of balances
7. postings in the books of account

Routine checking is, therefore, essentially concerned with checking on the arithmetical accuracy
of the books of prime entry, the correct postings to the appropriate account and type of account in
the ledgers, and the correct balancing of the books, accounts and statements.

Routine checking lends itself perfectly to the application of sampling or testing techniques and,
because accounting procedures are very important here, this is an area where the internal auditor
may rely largely on an efficient system of internal controls.

A balanced trial balance, control accounts agreeing with the aggregate of individual personal
accounts, or proven reconciliation statements are specific factors that indicate that at least the
relevant section of the system of internal controls is being maintained.
● Reperformance – The auditor independently executes procedures or controls that were
originally performed as part of the entity's internal control (e.g., reperformance of a bank
reconciliation).
● Analytical procedures – Analytical procedures consist of evaluating financial information
through analysis of plausible relationships among financial and non-financial information.


● Verification/audit of balances – Verification consists of checking, examining and/or
obtaining satisfactory evidence (i.e., to prove that something exists or is accurate) that all
assets and liabilities of the undertaking that are (or should be) shown on the balance sheet
1. do exist
2. are in fact the property, or liability, of the undertaking
3. are shown at a fair valuation
4. are all disclosed in conformity with generally accepted accounting principles and/or
specific legal requirements
and that the auditor has satisfied himself of the preceding facts in respect of every item
separately, and of the balance sheet as a whole.
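The routine checks described above (extensions, cross-casts and additions) can be recalculated electronically. The following is an added example, not part of the study guide; the purchases journal page, its column names and its figures are constructed for illustration.

```python
from decimal import Decimal as D

# Analysis columns that must cross-cast to the "gross" column (assumed layout).
ANALYSIS_COLUMNS = ("net", "vat")

# Constructed purchases journal page: quantity x unit price should equal "net",
# and net + vat should equal "gross" on every line.
JOURNAL = [
    {"ref": "INV001", "qty": 10, "unit_price": D("25.00"),
     "net": D("250.00"), "vat": D("37.50"), "gross": D("287.50")},
    {"ref": "INV002", "qty": 4, "unit_price": D("120.50"),
     "net": D("482.00"), "vat": D("72.30"), "gross": D("554.30")},
    {"ref": "INV003", "qty": 7, "unit_price": D("15.00"),
     "net": D("150.00"), "vat": D("22.50"), "gross": D("172.50")},
    {"ref": "INV004", "qty": 2, "unit_price": D("300.00"),
     "net": D("600.00"), "vat": D("90.00"), "gross": D("609.00")},
]

# Column totals as written at the foot of the journal page by the auditee.
RECORDED_TOTALS = {"net": D("1482.00"), "vat": D("222.30"), "gross": D("1704.30")}


def routine_check(rows, recorded_totals):
    """Recalculate extensions, cross-casts and additions.

    Returns a list of exceptions as (check, reference, recalculated, recorded).
    Entries that do not appear in the list would receive an audit tick.
    """
    exceptions = []
    for row in rows:
        # Extension: quantity multiplied by unit price.
        extension = row["qty"] * row["unit_price"]
        if extension != row["net"]:
            exceptions.append(("extension", row["ref"], extension, row["net"]))
        # Cross-cast: the analysis columns must add across to the line total.
        cross_cast = sum((row[c] for c in ANALYSIS_COLUMNS), D("0"))
        if cross_cast != row["gross"]:
            exceptions.append(("cross-cast", row["ref"], cross_cast, row["gross"]))
    # Additions (casts): each column must add down to its recorded total.
    for column, recorded in recorded_totals.items():
        cast = sum((row[column] for row in rows), D("0"))
        if cast != recorded:
            exceptions.append(("addition", column, cast, recorded))
    # Cross-cast of the totals themselves.
    totals_cross_cast = sum((recorded_totals[c] for c in ANALYSIS_COLUMNS), D("0"))
    if totals_cross_cast != recorded_totals["gross"]:
        exceptions.append(
            ("cross-cast", "totals", totals_cross_cast, recorded_totals["gross"]))
    return exceptions


if __name__ == "__main__":
    for check, ref, recalculated, recorded in routine_check(JOURNAL, RECORDED_TOTALS):
        print(f"{check:10} {ref:8} recalculated {recalculated} recorded {recorded}")
```

In this constructed page the gross total cross-casts correctly to net plus VAT, yet the gross column does not add down to it, which is why each check is performed separately.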
Compilation of an audit procedure – An audit procedure has a certain structure. It must start
with a verb. For example:
● inspect (only a document can be inspected)
● observe (only an action can be observed)
● reperform
● compare
● verify
● enquire, etc
An audit procedure must be stated in full, explaining clearly what you want to do and why, and
what information you will use.

ACTIVITY 15.1

Provide examples of how the internal audit procedures “observing”, “inquiry” and
“verification”, can be applied in an inventory count.

FEEDBACK

Observing
● Observe and note areas where high-value items are stored.
● Observe inventories that may be troublesome, such as those types which are difficult
to count.
● Observe whether the count is being done competently, conscientiously and in accordance
with instructions.
● Observe whether the tags or count sheets are being properly written up.
● Observe whether the counter and recorder note any deterioration of inventory overlooked
at prior sorting.
● Observe whether the count-checking procedure is proceeding according to
instructions.
● Observe how the inventory count is completed.

Inquiry
● Ask inventory management to describe the procedures laid down for testing the
inventory records.
● Ask the storeman how he identifies slow-moving or obsolete inventory items during the
inventory count.


Verification/audit of balances
● Note the cut-off point and trace some of the receipts and issues just before and after the cut-off,
per relevant documents, to the entries on the inventory records to verify that the dates agree.
● Conduct test counts of items and verify that the quantities concur with the balances on the
relevant inventory records; investigate and clear any differences.

PHASE 4: AUDIT REPORTING AND FOLLOW-UP (MONITORING PROGRESS)

REFLECT

Ensure that you work through this learning unit and that you are familiar with the
content before attempting the next section.

It was discussed in detail in Topic 4: Learning unit 9.4.3: Principle 15 – Communicate
engagement results and monitor action plans.

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video about audit
reporting:

https://youtu.be/Fd4pxz2_RJ0?si=xEFKajj5y0YhVuFs

The entire audit culminates in a report to the management of the organisation. The fulfilment of
the objectives of the internal audit function is largely dependent on the quality of reporting. It must
contain persuasive arguments for change where change is necessary. Matters should also be
discussed with the client during the course of the audit as the picture is developed through the
analysis and evaluation carried out by the auditor, with help from the client. The impact of the
report must be such that the reader is immediately convinced. Such a report is efficient and
effective.

The follow-up stage checks whether agreed actions and decisions have been fully implemented
and whether the adopted risk management strategy is working well.

At this level of study, we confine ourselves to a study of the provisions of the internal auditing
standards regarding the basic requirements with which an internal auditor's report should comply.

KEY CONCEPTS
Principle 15 of the Global Internal Audit Standards states that internal auditors
communicate the engagement results to the appropriate parties and monitor
management’s progress toward the implementation of recommendations or action
plans.


According to Standard 15.1, for each engagement, internal auditors must develop a final
communication that includes the engagement’s objectives, scope, recommendations and/or action
plans if applicable, and conclusions.

The final communication for assurance engagements also must include
● the findings and their significance and prioritisation
● an explanation of scope limitations, if any
● a conclusion regarding the effectiveness of the governance, risk management, and control
processes of the activity reviewed
The final communication must specify the individuals responsible for addressing the findings and
the planned date by which the actions should be completed.

When internal auditors become aware that management has initiated or completed actions to
address a finding before the final communication, the actions must be acknowledged in the
communication.

The final communication must be accurate, objective, clear, concise, constructive, complete and
timely, as described in Standard 11.2 Effective Communication.

It was discussed in detail in Topic 4: Learning unit 9.3.3.

What should be done before an audit report can be issued?


Audit reporting begins with observations/findings about the audit and the internal auditor's
recommendations for addressing any problems identified during the audit. These observations and
recommendations emerge during the process of comparing what should be with what is. Whatever
the results of this process, they give the internal auditor something on which to base the report. If
the auditee has met all the criteria, it is appropriate to acknowledge satisfactory performance in the
report.

Source: What Goes in Audit Findings? - Yellowbook-CPE.com

Therefore, for any observation identified during the audit, the internal auditor should compile an
audit finding.

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video about formulating
audit findings:

https://youtu.be/pFr7iH7vYBc?si=_MmdmEISHil58Pfl


An audit finding should contain the following elements.


● Criteria: the standards, measures or expectations used for evaluating and/or verifying (what
should exist).
● Condition: the factual evidence that the internal auditor has found in the course of the
examination (what does exist).
● Cause: the reason for the difference between the expected and actual conditions (why the
difference exists).
● Effect: the risk or exposure the organisation and/or others encounter because the condition is
not consistent with the criteria (the impact of the difference). In determining the degree of risk
or exposure, internal auditors should consider the effect of their audit observations and
recommendations on the organisation's strategic objectives.
● Recommendations: the possible remedies to address and correct the finding in future. The
recommendation should address the cause of the finding.
Conclusions (opinions) are the internal auditor's evaluations of the effects of the observations and
recommendations on the activities reviewed. These conclusions usually put the observations and
recommendations in perspective, taking their overall implications into account. Audit conclusions,
if included in the audit report, should be clearly identified as such.

Audit reports should include recommendations for improvement, acknowledgements of
satisfactory performance and corrective action.

Recommendations are based on the internal auditor's observations and conclusions. They call for
action to correct existing conditions or to improve operations. The recommendations may act as a
guide for management to achieve certain results by suggesting approaches for correcting or
enhancing performance; these recommendations may, therefore, be general or specific.

The accomplishments of audit clients, in terms of improvements that have been effected since the
last audit or the establishment of a well-controlled operation, may be included in the final report.
This information may be necessary to present the existing conditions fairly and to give a proper
perspective and appropriate balance to the final report. The auditee's views about the audit
conclusions or recommendations may be included in the report.

As part of the internal auditors' discussions with the auditee, they should try to get consensus on
the results of the audit and on a plan of action to improve operations where necessary. If the
internal auditor and the client disagree on the audit results, the report may state both positions and
the reasons for the disagreement. The auditee's written comments may be included as an appendix
to the report or may be presented in the body of the report or a covering letter.

Certain information may not be appropriate for disclosure to all report recipients, because it is
privileged or proprietary, or related to improper or illegal acts. Such information may, however, be
disclosed in a separate report. If the conditions being reported on involve senior management, the
report will only be distributed to the directors of the organisation or the audit committee.

Interim reports are prepared and issued while the audit is in progress. Interim reports may be oral
or written and may be transmitted formally or informally. They may be used to communicate
information that requires immediate attention, to communicate a change in audit scope for the
activity under review, or to keep management informed of the progress of the audit if it extends
over a long period. The use of interim reports does not reduce or eliminate the need for a final
report.


A signed written report should be issued after the audit has been completed. Summary reports
highlighting audit results may be appropriate for levels of management above the audit client
(auditee). These may be issued separately from or in conjunction with the final report. The word
“signed” means that the authorised internal auditor's name should be manually signed in the report.
Alternatively, the signature may appear on a covering letter. The internal auditor authorised to sign
the report should be designated by the chief audit executive. If audit reports are distributed
electronically, a signed version of the report should be kept on file by the internal audit function.

EXAMPLE OF AN AUDIT REPORT

Visit the following link and view the internal audit report of ABSA Group Limited.

Absa-Group-Limited-Internal-Audit-Report-2023-Subject-Matter.pdf

TOPIC 9
Internal audit procedures and tools

Contents

Learning unit 16: Internal audit procedures and tools

INTRODUCTION AND PURPOSE OF THE TOPIC


This topic covers the essential auditing tools used by internal auditors, detailing their nature and
function. We identify all the basic auditing aids that an internal auditor employs in the execution
of his or her task, and we explain the nature and function of each.

LEARNING OUTCOMES

When you have worked through this topic, you should be able to

describe the nature and function of the fundamental tools used by internal auditors dur-
ing audits and demonstrate their application in real-world scenarios

Learning unit 16
Internal audit procedures and tools

Contents

16.1 BACKGROUND
16.2 AUDIT MARKS
16.3 INTERNAL AUDIT TESTING
16.4 INTERNAL AUDIT WORKING PAPERS
16.5 AUDIT FILES

16.1 BACKGROUND
DISCUSSION

The internal auditing aids that we deal with here are merely auditing tools that the
internal auditor uses while carrying out the engagement (audit) procedures. They
are not in themselves audit procedures. They form an integral part of the total
audit, but do not in themselves contribute to the formation of the audit opinion.
The results are produced from the evaluation of the internal controls and the
consequent planning of the internal audit by means of the audit programme. The
interpretation of the results of the samples and the evidence gathered and included
in the audit working papers represent the basis for the development of the audit
opinion. On the one hand, internal auditing aids provide the transition between the
preliminary review and the actual conducting of the internal audit, and on the other
hand they serve as the permanent link between the practical audit procedures and
the eventual audit opinion as expressed in the internal auditor's report.


In this topic we introduce you to the most important audit aids that an internal
auditor uses when conducting an audit. These are
● audit marks
● audit testing/sampling
● audit working papers
● audit files

16.2 AUDIT MARKS


DISCUSSION

The internal auditor does not make entries in the books of account, but verifies, or
audits, transactions that have already been recorded in the books of account. As in
the recording process, the internal auditor also experiences a need to utilise a
visible sign to signify the completion of a particular audit activity or procedure
regarding a specific recorded fact. A distinctive audit mark, or tick, is therefore
placed against every examined entry (in front of, after, under, or above) to signify
performance of a particular procedure, like routine checking (with its components
of casting, transfer, extension, balances carried forward and brought down, etc),
and vouching and verification. The reason for having different positions for the
placing of the marks is simply that one and the same entry may be subjected to
more than one procedure or examination function.
While the design and use of audit ticks or marks may, in practice, differ from one
organisation to another, it is nevertheless necessary that they should be applied
consistently within one internal audit function.
Audit ticks have by no means yet been standardised, but here are some examples
that might be used to indicate specific audit functions:

TABLE 16.1
Audit ticks

| Audit function | Tick mark | Position |
|---|---|---|
| Casting or additions | ___ | underneath the total |
| Transfer of totals | H | to the left of the total |
| Postings | p | to the left of the total |
| Vouching of transactions | # | to the left of the total |
| Verification of balances | b | to the left of the total |

In practice, you may encounter either more or fewer of these standard marks or even entirely
different symbols.

What you need to remember is that an audit mark signifies completion of an audit task, that is,
acceptance of, or satisfaction with, the entry. Audit ticks should be used judiciously and sparingly.
Make sure you really are satisfied before making the tick. On the other hand, do not forget to
make the tick once you are quite satisfied, since unmarked entries represent exceptions requiring
further attention. This applies to all types of audits, not just financial audits.

For example, when auditing the leave forms as part of the audit of the human resources
department, the internal auditor should make a tick next to the signature indicating authorisation of
the form after comparing it with the authorised list of signatures. These ticks are normally made in
a distinct colour, such as green or purple, so that they can easily be distinguished from the
accounting entries. Furthermore, it is good practice to have a legend on the working paper to
explain the meaning of each tick mark.

16.3 INTERNAL AUDIT TESTING


DISCUSSION

Audit testing does not mean verifying every entry in the books of account and/or
records associated with the audit, but rather the random selection, on a scientific
basis, of specific periods, books, records, or types of audit evidence for an audit.
Once the audit objective has been established, the population suggested by the
audit objective, for example, the documentation of the whole year's purchases, is
determined. Instead of confirming all these transactions, the internal auditor
chooses certain transactions at random, but in a scientific manner. These
transactions represent the sample and are subjected to audit procedures.
Test checking (or sampling) is necessitated by the size and volume of the
transactions of modern business undertakings, which have made it impossible and
unnecessary for an internal auditor to verify every entry. The procedure is,
therefore, to make thorough test checks of entries in the records and books of
prime entry, and if nothing is found to arouse the internal auditor's suspicions he or
she may assume, without further auditing, that the remaining entries, that is, those
not checked, are similarly correct and in order.

MULTIMEDIA ACTIVITY 1

Click on the hyperlink below to view the following YouTube video clip on sampling.

Title: Audit Sampling

Length: 8 min 16 sec

Link: https://youtu.be/sRczLv3zvWM?si=Vd1fwTWYG_vQUppr

The use of statistical sampling does not reduce the need for the internal auditor to use his or her
discretion but provides statistical criteria against which the results of audit tests can be measured.
The planning of audit testing is described in the audit programme after the evaluation of the
system of internal control and has a direct bearing upon the execution of audit procedures. We will
say more about this during the course of your studies (to emphasise the integrated nature of
internal auditing) and so, for the present, we merely discuss some theoretical aspects of sampling.

a. Purpose
Sampling, or testing, (which is merely an audit tool – not a procedure in itself) is applied for the
purposes of
● arriving at an audit opinion rapidly and without delay
● arriving at conclusions on whether the population should be accepted or rejected
● assuring that the conclusions regarding the financial and/or other records are reliable and
accurate


● on the strength of the theory of probability, using the sampling conclusions as the basis for the
reasonableness of the audit opinion

b. Requirements
Every sample must comply with the following three requirements:
1. It must be adequate, that is, it must contain a sufficient number of items to reveal similar
results if other samples of the same size are selected from the same population.
2. It must be representative, that is, reveal characteristics similar to all the data in the particular
population.
3. It must be stable, that is, the results of the sample must remain unchanged even if the sample
size is increased.

c. Factors determining nature and scope


The following factors directly determine the nature and scope of audit sampling or testing:
● The effectiveness of the system of internal control – the more effective, the smaller the sample.
● Materiality of the transactions – the more material, the larger the sample.
● Volume of transactions (population size) does not affect the size of the sample.
● Method of record keeping
● Relative risk associated with the transactions
● Nature of the evidence
● Suggestion of irregularities
● Unusual items in the population
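The random selection described in this section, carried out so that a reviewer can repeat it and arrive at the same sample: an added example, not part of the study guide. The purchase order numbers, the seed and the field names of the selection record are constructed assumptions.

```python
import hashlib
import platform
import random

# Constructed population: 500 purchase order numbers for the year under review.
POPULATION = [f"PO-{n:04d}" for n in range(1, 501)]


def population_fingerprint(item_ids):
    """SHA-256 over the sorted identifiers, so a reviewer can confirm that
    the selection was drawn from exactly the same population."""
    digest = hashlib.sha256()
    for item_id in sorted(item_ids):
        digest.update(item_id.encode("utf-8") + b"\n")
    return digest.hexdigest()


def select_sample(item_ids, sample_size, seed):
    """Simple random selection without replacement.

    The population is sorted first, so the result depends only on the set of
    identifiers, the sample size and the seed, not on the order in which the
    auditee's extract happened to list the items.
    """
    ordered = sorted(item_ids)
    if len(set(ordered)) != len(ordered):
        raise ValueError("population contains duplicate identifiers")
    if not 0 < sample_size <= len(ordered):
        raise ValueError("sample size must be between 1 and the population size")
    rng = random.Random(seed)  # seeded generator: the same seed gives the same draw
    selected = sorted(rng.sample(ordered, sample_size))
    # Selection record to be filed on the working paper.
    return {
        "method": "simple random selection without replacement",
        "tool": "Python " + platform.python_version(),  # draws can differ between versions
        "population_size": len(ordered),
        "population_sha256": population_fingerprint(ordered),
        "sample_size": sample_size,
        "seed": seed,
        "selected": selected,
    }


def reperform(item_ids, record):
    """Reviewer's check: redo the selection from the recorded parameters and
    confirm that it reproduces the filed record exactly."""
    repeated = select_sample(item_ids, record["sample_size"], record["seed"])
    return repeated == record


if __name__ == "__main__":
    record = select_sample(POPULATION, sample_size=25, seed=20240115)
    for key, value in record.items():
        print(f"{key}: {value}")
    print("reperformed by reviewer:", reperform(POPULATION, record))
```

If even one item is added to or removed from the population after the selection, the fingerprint changes and the reperformance fails, which tells the reviewer that the sample on file was not drawn from the population now presented.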

READ

Read the following article for a better understanding of sampling:

Audit Sampling - Overview, Purpose, Importance, and Types

16.4 INTERNAL AUDIT WORKING PAPERS

Figure 16.1: Audit documentation


Source: Audit Documentation - What Is It, Examples, Checklist, Purpose


DISCUSSION

It is a professional requirement that internal auditors should work methodically.


Just as auditees are expected to produce supporting documentation, internal
auditors are expected to keep written records of their procedures and findings.
It is not only dangerous, but also extremely unprofessional for an internal auditor
(or his or her assistants) to rely on memory. Of necessity, therefore, internal
auditors are continually collecting working papers prepared either by themselves or
by their assistants (documents, notes, correspondence, calculations, appendices,
etc) with reference to their audit assignment.
Audit working papers serve in the first place as the link between the internal audit
report and the undertaking's records and data, while in the second place they
provide an audit manager with a basis for reviewing the fieldwork of junior
members of staff. Audit working papers also serve as a guide in the performance of
follow-up or subsequent internal audits.

MULTIMEDIA ACTIVITY 2

Click on the hyperlink below to view the following YouTube video clip on working
papers.

https://youtu.be/ZVl57fUYcbE?si=m5tn3IcmvF2rJtf0

REFLECT

Standard 14.6 Engagement documentation:

Internal auditors must document information and evidence to support the engagement
results. The analyses, evaluations, and supporting information relevant to an
engagement must be documented such that an informed, prudent internal auditor, or
similarly informed and competent person, could repeat the work and derive the same
engagement results.

Internal auditors and the engagement supervisor must review the engagement
documentation for accuracy, relevance and completeness. The chief audit executive
must review and approve the engagement documentation. Internal auditors must retain
engagement documentation according to relevant laws and/or regulations as well as
policies and procedures of the internal audit function and the organisation.

It was discussed in detail in Topic 4: Learning unit 9.4.2: Domain IV.

STUDY

In the Global Internal Audit Standards, you need to study:


● Principle 14 – Conduct Engagement Work
● Standard 14.1, 14.2, 14.3, 14.4, 14.5 and 14.6
● The requirements stipulated for Standards 14.1, 14.2, 14.3, 14.4, 14.5 and
14.6
● Considerations for implementation of Standards 14.1, 14.2, 14.3, 14.4, 14.5
and 14.6

● Examples of evidence of conformance of Standards 14.1, 14.2, 14.3, 14.4,
14.5 and 14.6
Global Internal Audit Standards (theiia.org)

DISCUSSION

Effective workpapers contain information that is sufficient and relevant to the
engagement objectives, observations, conclusions and recommendations, which
makes the information useful in helping the organisation meet its goals.
The information documented in effective workpapers is also reliable because it is
derived using appropriate engagement techniques, which are documented. Perhaps
most importantly, workpapers contain sufficient and relevant information that
would enable a prudent, informed person, such as another internal auditor or an
external auditor, to reach the same conclusions as those reached by the internal
auditors who conducted the engagement. Thus, workpaper documentation is an
important part of a systematic and disciplined engagement process because it
organises audit evidence in a way that enables reperformance of the work and
supports engagement conclusions and results.
Workpapers may include the following elements:
● Index or reference number
● Title or heading that identifies the area or process under review
● Date or period of the engagement
● Scope of work performed
● Statement of purpose for obtaining and analysing the data
● Source(s) of data covered in the workpaper
● Description of population evaluated, including sample size and method of
selection
● Methodology used to analyse data
● Details of tests conducted, and analyses performed
● Conclusions including cross-referencing to the workpaper on audit observations
● Proposed follow-up engagement work to be performed
● Name of the internal auditor(s) who performed the engagement work
● Review notation and name of the internal auditor(s) who reviewed the work
Generally, workpapers are organized according to the structure developed in the
work program and cross-referenced to relevant pieces of information. The
result is a complete collection of documentation (electronic, paper, or both) of
the procedures completed, information obtained, conclusions reached,
recommendations derived and the logical basis for each of the steps. This
documentation constitutes the primary source of support for internal auditors’
communication with stakeholders, including senior management, the board,
and management of the area or process under review.

MULTIMEDIA ACTIVITY 3

Click on the hyperlink below to view the following YouTube video clip on working
papers.

https://youtu.be/ZVl57fUYcbE?si=95fUpFDSjTzTVZXa


TABLE 16.2
Elements of a working paper

THE ESSENTIAL ELEMENTS OF A WORKING PAPER
The following elements should be considered and implemented in order to prepare a working
paper of a high professional standard:

| Essential element | Purpose |
|---|---|
| Decide on a standard format and design a template of this format. | Using a template from the beginning will save time, as it will not be necessary to create a new layout for every new working paper. |
| Neatness | It conveys a professional approach to your work. It avoids confusion and error. |
| Clarity of meaning | To ensure that the reviewer of the working paper understands the contents and would not need to write a review note saying: “please explain”. |
| Use an audit point sheet to note all findings while conducting the audit. | |
| Make full use of the working papers developed in previous and other audits related to the same institution, for example, flow charts, system descriptions and other data may still be valid. | The use from the beginning of information from previous and other audits related to the same institution will prevent time being wasted on obtaining and documenting the same information. |

MULTIMEDIA ACTIVITY 4

Click on the hyperlink below to view the following video clip on working papers and
work through the related article underneath the video:

Audit Working Papers | Definition, Types & Examples - Lesson | Study.com


The following is an example of a basic audit working paper:

Workpaper reference:
Prepared by: (Initials and Date)
Reviewed by: (Initials and Date)
Audit objective
XXXXX
Audit procedures
XXXX
Test workings and results
XXXXX
Conclusion
XXXX
Legends
___: Casting of transactions
#: Vouching of transactions
b: Verification of balances

Referencing of working papers to evidence


Working papers should be referenced to evidence that supports the information documented in the
working papers.

Why is it necessary to cross-reference working papers?


● Working papers, together with evidence, make up a “story”. If the information is not cross-
referenced, it will be impossible to tell the “whole story”.
● In addition, it will provide an auditor with a leg to stand on, should the client dispute his or her
finding.


Figure 16.2: Working paper process


Source: Audit Working Papers - What Are They, Examples, Contents, Types

Have a look at the example below to see how working papers can be cross-referenced to their
supporting documentation (evidence).

Working paper 2100 is the working paper prepared by the internal auditor who performed the
audit procedure. The supporting documentation (e.g., logsheet – reference 2100.1) is obtained
from the auditee, and the auditor keeps a copy of it as evidence.

How to create working papers in Excel

DISCUSSION

Everything an auditor does from start to finish must be documented. Microsoft
Excel (MS Excel), Microsoft Word (MS Word), IDEA, ACL and all the other
software tools are just that – tools! They can help you to do things better and faster,
but only the internal auditor knows what needs to be done. Therefore, to create a
workpaper in MS Excel you need to
1. know the IIA requirements
2. know the prescribed workpaper minimum checklist
3. have the necessary skills to use your documentation tool
4. combine the above
5. keep applying and improving

Step 1 – IIA requirements:

At this point in time, we assume you have mastered Standard 14.6 on engagement documentation.
Other pertinent IIA standards are the following:
● Standard 12.3 – workpapers should be reviewed to ensure they adequately support the internal
audit findings, conclusions and recommendations.
● Standard 12.1 and 12.3 – an internal audit department should have checklists to support
workpaper reviews to enable internal quality assessment.
● Standard 13.2, 13.3 and 13.6 – contains detailed examples of information that needs to be
documented as part of engagement risk assessment; engagement objectives and scope; and the
work program.
● Standard 14.2 and 14.3 – contains detailed examples of information that needs to be
documented as part of analysis and the evaluation of findings.
Step 2 – Prescribed workpaper minimum checklist:

Taking our guidance from IIA Standards 12.1 and 12.3, we prescribe a minimum checklist for
workpapers prepared by internal audit students for Unisa formative and summative assessments.
Examples of how these should be applied are contained in workpapers S-100 and S-101 on the
pages that follow. Note that these two screenprints were in the same MS Excel file, but on two
different sheets.


The following describes the minimum checklist for workpapers, as it was applied to the preceding
two workpapers:
● On the left side of the header (and not in the body of the document):
– Name of person performing the audit work (your student number IF you are the preparer),
preceded by the words “Prepared by:” at the top of the header.
– Date when the audit work was completed (actual date IF you are the preparer), preceded by
the words “Prepared date:” just below the name of the preparer.


– Name of person reviewing the audit work (your student number IF you are the reviewer,
else leave this blank), preceded by the words “Reviewed by:” just below the prepared date.
– Date when the audit work was reviewed (actual date IF you are the reviewer, else
leave this blank), preceded by the words “Reviewed date:” just below the name of the
reviewer.

● In the middle of the header (and not in the body of the document):
– The name of the client/employer (as per the case study) at the top of the header.
– The engagement type and period (as per the case study) just below the client/employer
name.
– A descriptive heading for the workpaper that suitably describes the workpaper (deduce
from the case study) at the bottom.

● On the right side of the header (and not in the body of the document):
– A suitable, unique reference number for the workpaper.

● On the left side of the footer (and not in the body of the document):
– The file name, preceded by the words “File:” at the top of the footer.
– The sheet name, preceded by the words “Sheet:” just below the file name.

● On the right side of the footer (and not in the body of the document):
– The page number, using the following format: “Page x of y”

● In the body of the document and in this particular order:


– The objective of the workpaper (in a text box to differentiate it clearly from the actual audit
work that was done).
– The audit work that was done (see more details below).
– The conclusions drawn (in a text box to differentiate it clearly from the actual audit work
that was done).

As for documenting the audit work itself, the following may need to be documented, depending on
the nature of the workpaper:
● The actual audit procedures performed or, alternatively, hyperlinks to these procedures
contained in another document or worksheet.
● Identification information of the items that were selected for testing.
● The results of the audit procedures for the particular item that was tested.
● Any significant matters (risks identified, control exceptions, misstatements or inconsistencies)
identified.
● Indications of how the significant matters were addressed, followed up or reported (with
hyperlinks where possible, otherwise the relevant document reference number).
Note that the objectives, audit procedures and conclusions you document should all follow the
conventions for writing good objectives, audit procedures and conclusions.

Note also that you need to document enough information to enable an experienced internal auditor,
with no prior knowledge of the audit, to understand what you did and how you did it. This
experienced internal auditor will then be able to determine whether you followed the IIA standards,
as well as your internal audit charter and internal audit manual providing your mandate and
guidelines. In general, you have to document more and in greater detail if significant professional
judgement was required.

Formatting standards for workpapers to be submitted to Unisa include the following:


● All headings to be in bold and centred, with wrap text so as to not overflow or be cut off.
● Textboxes should be aligned to a single row so that the width of the row can be altered to
reflect the contents.
● All text should be visible in the textboxes and in the cells containing either text or numbers.
● No error messages should be displayed anywhere in the sheet, e.g., #DIV/0!, #N/A,
#VALUE!
● Amounts should be formatted to number format, with two digits after the decimal, a thousands
separator and without the currency sign in order to increase legibility.
● Percentages should be formatted to show a percentage sign and at least one digit after the
decimal.
● Workpaper names should contain their reference number followed by a short description that
reflects the contents of the document.
● To enable hyperlinks between different files to work, all files should be stored in the same
folder on your computer.
● The overall look of your workpaper should be neat and professional.
● All workpapers should be spell-checked before they are handed in.
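The header, footer, naming and error-message items of the checklist above can be checked mechanically before a workpaper is handed in. The following is an added example, not part of the Unisa guide: it assumes the header and footer strings and the displayed cell values have already been read out of the workbook, uses Excel's own header/footer codes (`&L`, `&C`, `&R`, `&P`, `&N`, `&F`, `&A`), and the function names, client name and dates are constructed for illustration.

```python
import re

# Excel stores each header/footer as one string: &L, &C and &R open the left,
# centre and right sections; &P = page number, &N = page count, &F = file
# name, &A = sheet name. "&&" is a literal ampersand, hence the lookbehind.
SECTION = re.compile(r"(?<!&)&([LCR])")
# The checklist names three error messages; the rest are Excel's other errors.
ERRORS = {"#DIV/0!", "#N/A", "#VALUE!", "#REF!", "#NAME?", "#NUM!", "#NULL!"}
LABELS = ["Prepared by:", "Prepared date:", "Reviewed by:", "Reviewed date:"]

def split_sections(text):
    """Split a header/footer string into L, C and R lists of non-empty lines."""
    parts = SECTION.split(text)  # ['', 'L', 'left text', 'C', 'centre text', ...]
    out = {"L": [], "C": [], "R": []}
    for code, body in zip(parts[1::2], parts[2::2]):
        out[code] += [ln.strip() for ln in body.splitlines() if ln.strip()]
    return out

def check_workpaper(file_name, header, footer, cells):
    """Return checklist findings for one sheet; an empty list means none."""
    findings = []
    head, foot = split_sections(header), split_sections(footer)
    for pos, label in enumerate(LABELS):  # left header: four lines, in order
        line = head["L"][pos] if pos < len(head["L"]) else ""
        if not line.startswith(label):
            findings.append(f"header left line {pos + 1}: expected '{label}'")
        elif pos < 2 and not line[len(label):].strip():  # reviewer may be blank
            findings.append(f"header left: '{label}' has no value")
    if len(head["C"]) != 3:
        findings.append("header centre: need client, engagement and heading")
    ref = head["R"][0] if head["R"] else ""
    if not ref:
        findings.append("header right: reference number missing")
    elif not file_name.startswith(ref):
        findings.append(f"file name does not start with reference '{ref}'")
    if [ln.split(":")[0] for ln in foot["L"]] != ["File", "Sheet"]:
        findings.append("footer left: expected 'File:' then 'Sheet:'")
    if foot["R"] != ["Page &P of &N"]:
        findings.append("footer right: expected 'Page x of y'")
    for addr, shown in sorted(cells.items()):
        if str(shown).strip() in ERRORS:
            findings.append(f"cell {addr}: displays {shown}")
    return findings

# Constructed sample: header and footer strings for a sheet like S-100.
HEADER = ("&LPrepared by: 12345678\nPrepared date: 2024-05-23\nReviewed by:\n"
          "Reviewed date:&CExample Client Ltd\nInternal audit 2024\n"
          "Sample selection&RS-100")
FOOTER = "&LFile: &F\nSheet: &A&RPage &P of &N"
```

Calling `check_workpaper("S-100 Sample selection.xlsx", HEADER, FOOTER, {"E6": 0})` returns an empty list; each deviation from the checklist adds one finding that names the header or footer section or the cell concerned.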
Step 3 – Know your tools:

Everyone has different operating systems, software and software versions installed. Also, new
versions are released from time to time. This means that any detailed software guidance soon
becomes obsolete, although the principles taught are still applicable for later versions.

You have been exposed to MS Excel in some of the modules you have already passed and are sure
to be exposed to even more advanced functionality in other modules you have yet to master. The
purpose of this learning unit is not to teach you how to use the software. It contains guidelines on
how to stay up to date and apply your knowledge and skills.

Therefore, please get well acquainted with Google, Microsoft Edge, Firefox, or whatever your
preferred search engine or browser is, to such an extent that it becomes a close friend. How to do something is
usually described step by step online already. In addition, YouTube videos are a treasure chest of
continually updated instructions of both recent and older versions of software. When viewing
especially YouTube videos, it is important to keep the following in mind:
● How long ago was the video uploaded and will it still be applicable to the version of the
software you use?
● As a rough indication of the quality of the video: how many subscribers does the channel
have and how many likes did the video get (taking the upload date into account)?
● How long is the particular video? Too long and it might be too general and waste your time,
while too short may not teach you everything you need.
● Listen to an extract of the video to judge the quality of the video, the pace of the presentation
and the language, as well as the pronunciation of the presenter. There are many good videos
available, especially on Microsoft software, so you need not be frustrated or irritated.
● Given your current level of skill with the software and your digital acumen in general, consider
watching several related videos to understand well how to use the aspect of the software you need.
● Also consider that the key words you are using to search might not be the best key words.
Include the name of the software for a start and perhaps do a general search first before looking
for specific YouTube videos to view.
Step 4 – Combine the above:

Apply Steps 1 to 3 and exactly replicate workpapers S-100 and S-101 in MS Excel.
In doing so, please note the following:
● Your student number should replace the ‘12345678’ next to “Prepared by”. The
actual date you prepare this document should also replace the “20xx-05-23”.
Likewise, replace the year in the engagement period with the actual year.
● On workpaper S-100 the numbers P1 to P5 are underlined as they are hyperlinks
to workpaper S-101. These should similarly be replicated as hyperlinks in your
workpapers.
● Cell E6 on workpaper S-100 is not empty. This cell contains the same formula as
the entire range E4:E7, but it uses the IFERROR function to prevent displaying
error messages, such as dividing by 0.
Also document the following:
● The names and URLs to the YouTube videos that you have watched, including
the reasons for selecting each particular video, as well as your own comment on
the relevance, usefulness and quality of each video.

REFLECT

Was it easy or hard for you to create the workpaper to the standards prescribed? Why?
What are the skills and/or attitudes you need to work on?

Step 5 – Keep applying and improving:

You will be required to create electronic workpapers in MS Word and MS Excel for all your
internal audit modules at Unisa. These workpapers also have to adhere to the IIA requirements and
the Unisa guidance as per the prescribed workpaper minimum checklist detailed above.

16.5 AUDIT FILES


There is a difference between permanent working papers (also called the permanent audit file) and
current (carry-forward) working papers (the current audit file). The information (data) contained in
these two files need not necessarily be kept in separate files but could instead be filed in separate
sections of the same file.

1. Permanent audit file


The permanent audit file should contain information that the internal auditor must refer to during
each audit he or she conducts on an auditee, that is, information which remains relevant beyond
the completion of the current audit assignment. The following are some examples of the most
important permanent working papers:
● Documents and particulars resulting from the engagement activities and pre-audit
investigations, such as audit assignments, formulated needs, documents indicating the scope of
the audit (especially restrictions and/or elaborations), documents of a permanent nature or
extracts from them, for example policies, procedures and standards, copies of important
contracts, particulars of staff, and technical details related to the auditee
● A written description of the basic system of internal control, together with that of the system of
accounting and other record keeping, flow charts and a standard internal control questionnaire
related to the auditee

● Records of accounting and other ratio analysis, tendency determinations, aspects of the
previous internal audit report which may have an influence on the following internal audit, for
example completed “comment on findings” forms and statement of risks, together with
strengths and weaknesses identified
● Copies of the completed audit programme of the completed previous internal audit, as well as
copies of the final and signed internal audit report
It is important that the internal auditor's permanent file should be brought up to date periodically,
that is, all changes in the undertaking's or business's basic structure, policy or procedures should
be noted on existing working papers or alternatively, new working papers should be inserted,
depending on the circumstances.

2. Current audit file


The current working papers, or the contents of the current audit file, should only have a bearing
upon the current internal audit assignment. They are far more varied, depending upon the nature
and circumstances of the auditee as well as the nature and scope of the audit procedures and
findings.

Current audit working papers can only be fully understood and appreciated after having studied
the practical audit procedures. These are dealt with in the modules at the third level, and so at this
stage we will just give you a list of possible examples:
1. Audit queries and replies received (audit correspondence)
2. Audit notes, remarks, and/or opinions
3. Completed “Comment on findings” forms where applicable
4. Schedules of adjustments pursuant to the audit
5. Main schedules
6. Supporting schedules
7. Confirmation certificates (e.g., the bank balance certificate and stock certificates)
8. The completed audit programme and planning documents

THE LAYOUT OF AN AUDIT FILE

The layout of the audit file should reflect the audit process, that is:

● determining the audit engagement and overall audit plan
● planning the audit engagement
● fieldwork (performing the engagement)
● audit reporting and follow-up

ACTIVITY 16.1

Answer the following question:

Question 1
Explain what is meant by “internal auditing aids” and give two examples thereof.

FEEDBACK

Question 1
Auditing aids are simply auditing instruments that the internal auditor uses while
carrying out the audit procedures. They are not in themselves audit procedures.
Although they form an integral part of the audit, they merely aid in establishing the
content of the audit opinion or conclusion.

Examples:
● audit marks
● audit working papers
● audit testing or sampling
