LESSON 1 – ASSURANCE PRINCIPLES

CORPORATE GOVERNANCE
 Memorandum Circular No. 19
 Date: November 22, 2016
 It is the system of stewardship and control to guide organizations in fulfilling their long-term
economic, moral, legal, and social obligations toward their stakeholders.
1. Board of Directors
2. Management
3. Independent director
4. Executive director
5. Non-executive director
 Code of Corporate Governance for Publicly-Listed Companies
1. Establishing a competent board
2. Establishing clear roles and responsibilities of the board
3. Establishing board committees
 3.2 – The board should establish an Audit Committee to enhance its oversight capability
ove the company’s financial reporting, internal control system, internal and externa
audit process, and compliance with applicable laws and regulations. The committee
should be composed of at least three appropriately qualified non-executive directors,
the majority of whom, including the Chairman, should be independent. All the
members of the committee must have relevant background, knowledge, skills, and/or
experience in the areas of accounting, auditing and finance. The Chairman of the Audit
Committee should not be the chairman of the Board or of any other committees.
 The Audit Committee has the following duties and responsibilities, among others:
a. Recommends the approval the Internal Audit Charter (IA Charter)
b. Through the Internal Audit (IA) Department, monitors and evaluates the
adequacy and effectiveness of the corporation’s internal control system,
integrity of financial reporting, and security of physical and information assets.
c. Oversees the Internal Audit Department and recommends the appointment
and/or grounds for approval of an internal audit head or Chief Executive (CAE).
d. Establishes and identifies the reporting line of the Internal Auditor to enable
him to properly fulfill his duties and responsibilities.
e. Reviews and monitors Management’s responsiveness to the Internal Auditor’s
findings and recommendations;
f. Prior to the commencement of the audit, discusses with the External Auditor
the nature, scope, and expenses of the audit, and ensures the proper
coordination
g. Evaluates and determines the non-audit work, if any, of the External Auditor,
and periodically reviews the non-audit fees paid to the External Auditor in
relation to the total fees paid to him and to the corporation’s overall
consultancy expenses.
h. Reviews and approves the Interim and Annual Financial Statements before
their submission to the Board
i. Reviews the disposition of the recommendations in the External Auditor’s
management letter;
DEFINITION OF TERMS
 Board - The highest level of governing body charged with the responsibility to direct and/or
oversee the activities and management of the organization. Typically, this includes an
independent group of directors (e.g., a board of directors, a supervisory board, or a board of
governors or trustees). If such a group does not exist, the “board” may refer to the head of the
organization. “Board” may refer to an audit committee to which the governing body has
delegated certain functions.”
 Internal Audit Activity - “A department, division, team of consultants, or other practitioner(s)
that provides independent, objective assurance and consulting services designed to add value
and improve an organization’s operations…”
 Chief Audit Executive - describes a person in a senior position responsible for effectively
managing the internal audit activity in accordance with the internal audit charter and the
Definition of Internal Auditing, the Code of Ethics, and the Standards... The specific job title of
the chief audit executive may vary across organizations

ASSURANCE
 means an engagement in which a practitioner expresses a conclusion designed to enhance the
degree of confidence of the intended users other than the responsible party about the outcome
of the evaluation or measurement of a subject matter against criteria.”
 International Framework for Assurance Engagements
 Need for Assurance
 Potential bias in providing information.
 Remoteness between a user and the organization or trading partner.
 Complexity of the transactions, information, or processing systems.

ASSURANCE SERVICE
 Assurance services (or assurance engagements) are three-party contracts in which assurers
reports on the quality of information.
 Scope of Assurance Service:
 A wider spectrum of services.
 A more diverse group of users.
 Greater potential users.
 Value of Assurance
 The assurance function gives investors, creditors and users of information confidence in
the accuracy of data.
 The value of assurance, then, is in the confidence it generates in users of the
information.

ELEMENTS OF ASSURANCE SERVICE

 Three-Party Relationships
 Practitioner - The term “practitioner” is broader than the term “auditor”. Experts may
also be engaged by practitioners to perform Practitioner assurance services
  Responsible Party - The person (or persons) responsible for the subject matter or the
subject matter information. The responsible party may or may not be the party who
engages the practitioner (the engaging party).
 Intended Users - The persons or class of persons for whom the practitioner prepares the
assurance report. Intended users may be identified may be identified by agreement
between the practitioner and the responsible party, or by law.
 Subject Matter
 Subject matters have different characteristic (e.g, qualitative vs. quantitative, objective
vs. subjective, historical vs. prospective, and relates to a point in time or covers a period)
which may affect the precision with which the subject matter can be evaluated or
measured against criteria and the persuasiveness of available evidence.
 Sufficient Appropriate Evidence
 Evidence - The practitioner performs an assurance engagement with an attitude of
professional skepticism to obtain sufficient appropriate evidence about whether the
subject matter information is free of material misstatement.
 Sufficiency - is the measure of quantity of evidence
 Appropriateness - is the measure of the quality of evidence
 Suitable Criteria
 Relevance
 Completeness
 Reliability
 Neutrality
 Understandability
 Assurance Report
 The practitioner provides a written report containing a conclusion that conveys the
assurance obtained about the subject matter information.
 A practitioner normally can express two levels of assurance in an assurance service:
 a reasonable (but not absolute) level, and
 a limited level of assurance

LEVELS OF ASSURANCE
1. Reasonable assurance (such as an audit opinion)
2. Limited assurance (such as in reviewed financial statements)
3. No assurance (such as a compilation of financial statements)

AUDIT
 Objective examination of factual evidence
 Providing an independent and reasonable assurance against an established criteria
 International Framework for Assurance Engagements
 External Audit
 an independent examination of financial statements of an entity that enables an auditor
to express an opinion whether the financial statements are prepared (in all material
respects) in accordance with an identified and acceptable financial reporting framework
(e.g. international or local accounting standards and national legislations)
 Brink’s Modern Internal Auditing
  Internal Audit
 .is an independent, objective assurance and consulting activity designed to add value
and improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.

INTERNAL AUDIT VS. EXTERNAL AUDIT

Internal Audit External Audit

1. Focus Provides financial, operational, Primarily attests to financial
assurance, consultative, statements and, where
governance, computer, and applicable, internal control.
fraud-related services.
2. Management Reports to audit committee and Primarily reports to the audit
management administratively. committee
Builds relationships throughout
the organization, identifies
issues and concerns, and
addresses their prompt
resolution.
3. Audit committee Usually reports directly to the Provides financial statement
audit committee. Provides (and, where applicable, internal
insight into and analysis of the control) attestation to the audit
organization’s business risks, committee or board of
financial statements, system of directors. Often provides
internal control, and level of updates on pending accounting
compliance with laws,pronouncements and their
regulations, and policies. potential impact on the
organization.
4. Standards Follows the IIA’s International Applies auditing standards
Standards for the Professional required in local country or
Practice of Internal Auditing jurisdiction.
5. Approach Generally follows a predefined Generally follows an approach
methodology, but often based on the audit firm’s audit
customizes approach to methodology
appropriately meet individual
assignment objectives
6. Independence Demonstrates organizational Provides financial statement
independence and objectivity in (and, where applicable, internal
work approach, but is not control) attestation to the audit
independent of the committee or board of
organization. (IA should be directors. Often provides
independent of the activity updates on pending accounting
audited, but is integral to the pronouncements and their
organization.) potential impact on the
organization.
7. Results Identifies issues (findings), Meets local statutory
makes recommendations, and requirements; determines if
assists in facilitating resolutions.
financial statements (including
footnotes) are fairly stated (free
of material error).
8. Control Assesses components of an Controls considered in the audit
organization’s internal control of the financial statements as
framework, focusing on control required by local country
improvement and operational standards.
efficiency and effectiveness.
Under PCAOB standards, opines
Under SOX 404, assists in on management’s assessment
assessing the adequacy, of the effectiveness of the
effectiveness, and efficiency of organization’s internal control
the financial and operational over financial reporting and on
systems of internal control, the effectiveness of the
including the design and organization’s internal control
operating effectiveness of the over financial reporting.
system of internal control of
each activity of the organization In the course of assessing the
(including control over financial organization’s internal control,
reporting). Can assist in evaluates the capabilities and
documenting internal controls, effectiveness of internal
testing internal controls, and/or auditing
providing input to management
with respect to concluding on
design and operating
effectiveness.
9. Risk Identifies and qualifies key Identifies key financial reporting
business risks to estimate risks in relation to its audit of
probability of occurrence and the organization’s financial
impact on business. Makes statements.
appropriate recommendations
as a result of the risk
assessment.
10. Fraud Focused on fraud awareness Includes fraud detection steps
within the organization. May in audit plan. Gathers
include fraud-detection steps in information necessary to
audit programs. Investigates the identify risks of material
allegations of fraud. Reviews misstatement due to fraud by
management’s fraud prevention inquiring of management and
controls and detection others within the entity about
processes and makes the risks of fraud. Considers the
recommendations for results of the analytical
improvement procedures performed in
planning the audit and fraud
risk factors
 11. Recommendations Co
12. Follow-up
Communicates
recommendations for corrective
action, generally to auditee,
management, and the audit
committee
Follow up with auditees to
determine whether work is
sufficient to achieve issue
resolution
Communicates
recommendations for corrective
action generally to senior
management or the board of
directors.
Limits follow-up primarily to
financial areas

LESSON 2 – THE EMERGENCE IN GLOBAL PROFESSION OF INTERNAL AUDITING

THE INSTIUTE OF INTERNAL AUDITORS

 The IIA is the internal audit profession's global voice, recognized authority, acknowledged
leader, chief advocate, and principal educator.

1941 IIA, Inc. was established in New York

 over 193,000+ members from 170+ countries & territories, with 109
institutes and 162 chapters from across the globe
 2016 celebrated 75 years of “Progress through Sharing”
1948 IIA – Manila Chapter was organized on 14 Aug 3rd chapter of IIA, Inc.
1990 Earned “Institute” status
2016 Awarded the “Centre for Excellence in Certification” by ACIIA, 27 Apr 2016 in KL
Malaysia
2018 Serves 2,600+ members from over 500 companies of 53 out of 65 industries or
sectors

 The IIA is the internal audit profession's global voice, recognized authority, acknowledged
leader, chief advocate, and principal educator.
 The only globally accepted designation for internal auditors and the standard by which
individuals demonstrate their professionalism in internal auditing.
 Vision: To continuously produce and sustain certified professionals

REASONS TO MAKE A CAREER MOVE TO INTERNAL AUDITING

 Future-proofing the profession
 Is Internal Auditing a great career choice?
 Gain experience in all aspects of an organization.
 Respected, rewarding and diverse work
 Excellent benefits and compensation.
 Advancement opportunities and a fast-track to management.
 Travel and networking opportunities.
 Career Path Opportunities
 Entry-level internal auditor
  Lead / Senior internal auditor
 Internal audit supervisor / manager
 Internal audit executive / chief audit executive (CAE)
 The Value of an IIA Global Certification
 Distinguish you from your peers.
 Demonstrate your proficiency with internal staff and external clients.
 Develop your knowledge of best practices in the industry
 Demonstrate your proficiency and professionalism.
 Lay a foundation for continued improvement and advancement
 Help you earn credibility and respect in your field
 Open more opportunities for advancement.
 Increase your earning potential by as much as 51%.*
 Prove your willingness to invest in your own development.
 Demonstrate your commitment to your profession
 Improve your internal audit skills and knowledge.
 Build confidence in your knowledge of the profession.
 Drive Your Career Forward
 As the only globally recognized certification for internal auditors and The IIA’s premier
designation for more than 40 years, the CIA sets the standard for excellence in the
profession. The CIA distinguishes you from your peers and demonstrates proficiency and
professionalism.
 Adding the CIA credential to your resume, LinkedIn profile, and business card will help
you stand out and demonstrate you are:
 A true expert who understands and can apply The IIA's Standards.
 A stronger, more competent professional.
 Equipped for career-advancing opportunities
 A credible and trusted internal auditor.
 Eligibility Requirements
 CIA candidates must hold a 3- or 4-year post-secondary degree (or higher). A stronger,
more competent professional.
 Two years post-secondary education and five years verified experience in internal audit
or its equivalent, OR
 Seven years verified experience in internal audit or its equivalent.
 Work Experience
 CIA candidates with a 4 year post secondary degree must obtain a minimum of 24
months of internal auditing experience or its equivalent
 A Masters degree can substitute for 12 of the required 24 months
 Character Reference
 Candidates must exhibit high moral and professional character and must submit a
Character Reference Form signed by a CIA, CGAP, CCSA, CFSA, CRMA, or the candidate's
supervisor
 Proof of Identification
 Candidates must provide proof of identification in the form of a copy of the candidate’s
official passport or national identity card.
 Eligibility Period
 If a candidate has not completed the certification process within four years, all fees and
exam parts will be forfeited.
 CPE and CPD Requirements
  The reporting deadline is 31 December each year.
 Exam Syllabus
 Part 1:Essentials of Internal Auditing
 Foundation of Internal Auditing
 Independence and Objectivity
 Proficiency and Due Professional Care
 Quality Assurance and Improvement Program
 Governance, Risk Management, and Control
 Fraud Risks
 Part 2: Practice of Internal Auditing
 Managing the internal audit function
 Planning the Engagement
 Performing the Engagement
 Communicating Engagement Results and Monitoring Progress
 Part 3: Business Knowledge for Internal Auditing
 Business Acumen
 Information Security
 Information Technology
 Financial Management
 Steps to certification
1. Create a profile in CCMS
2. Apply to the program
3. Submit documentation
4. Register for your exam
5. Schedule your exam
6. Prepare for your exam
7. Sit for your exam

LESSON 3 – INTRODUCTION TO INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK (IPPF)

THE INSTITUTE OF INTERNAL AUDITORS (IIA)

 Established in 1941
 Is an international professional association with global headquarters in Lake Mary, Florida, USA.
 Is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief
advocate, and principal educator
 Has more than 190,000 members worldwide
 Over 177,000 IIA certified individuals in over 160 countries worldwide.

INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK (IPPF)

 Is the conceptual framework that organizes authoritative guidance promulgated by the IIA
   Provides internal audit professionals worldwide as mandatory guidance and recommended
guidance
 Mission
 The Mission of Internal Audit articulates what internal audit aspires to accomplish
within an organization. Its place in the New IPPF is deliberate, demonstrating how
practitioners should leverage the entire framework to facilitate their ability to achieve
the Mission.
 Mandatory Guidance
 Conformance with the principles set forth in mandatory guidance is required and
essential for the professional practice of internal auditing. Mandatory guidance is
developed following an established due diligence process, which includes a period of
public exposure for stakeholder input.
 Core Principles
 The Core Principles, taken as a whole, articulate internal audit effectiveness. For an
internal audit function to be considered effective, all Principles should be present and
operating effectively. How an internal auditor, as well as an internal audit activity,
demonstrates achievement of the Core Principles may be quite different from
organization to organization, but failure to achieve any of the Principles would imply
that an internal audit activity was not as effective as it could be in achieving internal
audit’s mission.
 Definition
 The Definition of Internal Auditing states the fundamental purpose, nature, and scope of
internal auditing
 Code of Ethics
 The Code of Ethics states the principles and expectations governing the behavior of
individuals and organizations in the conduct of internal auditing. It describes the
minimum requirements for conduct, and behavioral expectations rather than specific
activities.
 Standards are principle-focused and provide a framework for performing and promoting internal
auditing.
 Recommended Guidance
 Recommended guidance is endorsed by The IIA through a formal approval process. It
describes practices for effective implementation of The IIA's Core Principles, Definition
of Internal Auditing, Code of Ethics, and Standards.
 Implementation Guidance
 Implementation Guides assist internal auditors in applying the Standards. They
collectively address internal auditing's approach, methodologies, and consideration, but
do not detail processes or procedures.
 Supplemental Guidance
 Supplemental Guidance provides detailed guidance for conducting internal audit
activities. These include topical areas, sector-specific issues, as well as processes and
procedures, tools and techniques, programs, step-by-step approaches, and examples of
deliverables

LESSON 4 – MANDATORY GUIDANCE OF IPPF

IPPF
 Mission
 To enhance and protect organizational value by providing risk-based and objective
assurance, advice, and insight.
 Definition
 “Internal Auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control, and governance
processes.”
 Objectivity
 “An unbiased mental attitude that allows internal auditors to perform engagements in
such a manner that they believe in their work product and that no quality compromises
are made. Objectivity requires that internal auditors do not subordinate their judgment
on audit matters to others.”
 Independence
 “The freedom from conditions that threaten the ability of the internal audit activity to
carry out internal audit responsibilities in an unbiased manner. ”
 Assurance Services
 “An objective examination of evidence for the purpose of providing an independent
assessment on governance, risk management, and control processes for the
organization. Examples may include financial, performance, compliance, system
security, and due diligence engagements. ”
 Consulting Services
 “Advisory and related client service activities, the nature and scope of which are agreed
with the client, are intended to add value and improve an organization’s governance,
risk management, and control processes without the internal auditor assuming
management responsibility. Examples include counsel, advice, facilitation, and training ”
 Definition
 “Internal Auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.”
 Risk management
 process to identify, assess, manage, and control potential events or situations to provide
reasonable assurance regarding the achievement of the organization's objective
 Control
 any action taken by management, the board, and other parties to manage risk and
increase the likelihood that established objectives and goals will be achieved
 Governance
 combination of people, policies, procedures, and processes that help ensure that an
entity effectively and efficiently directs its activities toward meeting the objectives of its
stakeholder

CODE OF ETHICS
 Purpose
 States the principles and expectations governing the behavior of individuals and
organizations in the conduct of internal auditing
 Describes the minimum requirements for conduct, and behavioral expectations rather
than specific activities.
 Promotes an ethical culture in the profession of internal auditing
 Two Essential Components
1. Principles - that are relevant to the profession and practice of internal auditing
2. Rules of Conduct - that describe behavior norms expected of internal auditors.
 Integrity
 The integrity of internal auditors establishes trust and thus provides the basis for
reliance on their judgment.
 Integrity – Rules of Conduct
 Internal Auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the
organization.
 Objectivity
 Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being
examined.
 Internal auditors make a balanced assessment of all the relevant circumstances and are
not unduly influenced by their own interests or by others in forming judgments
 Objectivity – Rules of Conduct
 Potential Impairments
 Past or future work assignments
 Conflict of interest
 Gifts and gratuities
 Assignment of non-audit functions
 Scope limitation
 Resource limitation
 Access restriction
 Internal Auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed
to impair their unbiased assessment. This participation includes those activities or
relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their
professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort
the reporting of activities under review.
 Confidentiality
 Internal auditors respect the value and ownership of information they receive and do
not disclose information without appropriate authority unless there is a legal or
professional obligation to do so.
  Confidentiality – Rules of Conduct
 Internal Auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of
their duties
3.2. Shall not use information for any personal gain or in any manner that would be
contrary to the law or detrimental to the legitimate and ethical objectives of the
organization.
 Competency
 Internal auditors apply the knowledge, skills, and experience needed in the performance
of internal audit services.
 Competency – Rules of Conduct
 Internal Auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge,
skills, and experience.
4.2. Shall perform internal audit services in accordance with the International Standards
for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their
services.

CORE PRINCIPLES
 Demonstrates integrity.
 Demonstrates competence and due professional care.
 Is objective and free from undue influence (independent).
 Is appropriately positioned and adequately resourced.
 Demonstrates quality and continuous improvement
 Provides risk-based assurance.
 Aligns with the strategies, objectives, and risks of the organization.
 Is insightful, proactive, and future-focused.
 Promotes organizational improvement.
 Communicates effectively

LESSON 5 – THE STANDARDS PART 1

STANDARDS
 International Standards for the Professional Practice of Internal Auditing (The Standards) –
ISPPIA
 The Standards comprise two main categories:
 Attribute Standards address the attributes of organizations and individuals
performing internal auditing
 Performance Standards describe the nature of internal auditing and provide
quality criteria against which the performance of these services can be
measured
 The Standards are a set of principles-based, mandatory requirements consisting of:
  Statements of core requirements for the professional practice of internal
auditing and for evaluating the effectiveness of performance that are
internationally applicable at organizational and individual levels.
 Interpretations clarifying terms or concepts within the Standards.
 Applies to individual internal auditors and the internal audit activity
 Chief audit executives are additionally accountable for the internal audit
activity’s overall conformance with the Standards.
 If prohibited by law or regulation from conformance with certain parts of the
Standards, conformance with all other parts of the Standards and appropriate
disclosures are needed.
 The purpose of the Standards is to:
1. Guide adherence with the mandatory elements of the International Professional
Practices Framework.
2. Provide a framework for performing and promoting a broad range of value-added
internal auditing services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.
 IA Governance
 1000 – Purpose, Authority, and Responsibility
 1100 – Independence and Objectivity
 1300 – Quality Assurance and Improvement Program
 IA Staff
 1200 – Proficiency and Due Professional Care
 IA Management
 2000 – Managing the Internal Audit Activity
 2100 – Nature of Work
 2600 – Communicating the Acceptance of Risks
 IA Process
 2200 – Engagement Planning
 2300 – Performing the Engagement
 2400 – Communicating Results
 2500 – Monitoring Progress

Attribute Standards
1000 Purpose, Authority, and Responsibility
1010 Recognizing Mandatory Guidance in the Internal Audit Charter
1100 Independence and Objectivity
1110 Organizational Independence
1111 Direct Interaction with the Board
1112 Chief Audit Executive Roles Beyond Internal Auditing
1120 Individual Objectivity
1130 Impairment to Independence or Objectivity
1200 Proficiency and Due Professional Care
1210 Proficiency
1220 Due Professional Care
1230 Continuing Professional Development
1300 Quality Assurance and Improvement Program
1310 Requirements of the Quality Assurance and Improvement Program
1311 Internal Assessments
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
1321 Use of “Conforms with the International Standards for the Professional Practice of
Internal Auditing”
1322 Disclosure of Nonconformance
Performance Standard
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination and Reliance
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Program
2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
2430 Use of “Conducted in Conformance with the International Standards for the
Professional Practice of Internal Auditing”
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
2500 Monitoring Progress
2600 Communicating the Acceptance of Risks