
Internal Auditing vs. External Auditing vs. Assurance

Internal Audit:

1. Internal audit is an independent and objective evaluation function within an organization.

2. It is performed by employees or individuals within the organization who are not directly involved in
the area being audited.

3. The main purpose of internal audit is to assess the effectiveness of internal controls, risk
management, and governance processes.

4. Internal auditors provide recommendations for improvement to management based on their findings.

5. Internal audit is a proactive process that helps organizations identify and address risks before they
become significant issues.

External Audit:

1. External audit is conducted by independent professionals or firms outside the organization.

2. It is typically performed by certified public accountants (CPAs) who are external to the organization.

3. The primary objective of external audit is to provide an opinion on the fairness and accuracy of an
organization's financial statements.

4. External auditors assess the reliability of financial information, compliance with laws and regulations,
and adherence to accounting standards.

5. The external audit opinion is used by stakeholders, such as investors and lenders, to make informed
decisions.

Assurance:

1. Assurance refers to the assessment and verification of certain information or processes.

2. It can be provided by both internal and external auditors, as well as other professionals.

3. Assurance engagements can cover a wide range of areas, including financial reporting, internal
controls, risk management, sustainability reporting, and more.

4. The objective of assurance is to enhance the credibility and reliability of the information being
assessed.

5. Assurance engagements provide stakeholders with confidence that the information they rely on is
accurate, complete, and relevant.

In summary, internal audit focuses on evaluating internal controls and processes within an organization,
external audit focuses on verifying the accuracy of financial statements, and assurance covers a broader
range of assessments to provide stakeholders with confidence in the information being presented.

1. Internal Audit:

- Conducting regular reviews of financial records and transactions to ensure compliance with company
policies and procedures.

- Performing risk assessments to identify potential areas of vulnerability or non-compliance.

- Investigating suspected cases of fraud or misconduct within the company.

- Assessing the effectiveness of internal controls and making recommendations for improvement.

- Evaluating the accuracy and completeness of financial statements.

- Reviewing the company's IT systems and data security protocols.

- Conducting internal audits of specific departments or business units to assess their performance and
adherence to policies.

- Monitoring inventory levels and conducting periodic physical inventory counts.

- Assessing the company's compliance with applicable laws and regulations.

- Evaluating the efficiency and effectiveness of operational processes and recommending improvements.

2. External Audit:

- Reviewing and validating the accuracy and completeness of financial statements prepared by the
company.

- Assessing the company's compliance with accounting principles and standards.

- Evaluating the effectiveness of internal controls and providing an independent opinion on their
reliability.

- Verifying the existence and valuation of company assets and liabilities.

- Assessing the reasonableness of management's estimates and judgments in financial reporting.

- Conducting interviews and inquiries with company personnel to gather audit evidence.

- Examining supporting documents and records to ensure proper documentation of transactions.

- Testing the company's adherence to applicable laws and regulations.

- Providing recommendations for improving financial reporting processes and controls.

- Communicating audit findings to management and the audit committee.

3. Assurance:

- Performing a review of a company's sustainability reporting to assess its accuracy and adherence to
recognized reporting frameworks.

- Conducting an audit of a company's information security controls to provide assurance on the
confidentiality, integrity, and availability of its data.

- Assessing the reliability of a company's internal control systems to provide assurance on the
effectiveness of risk management.

- Reviewing a company's compliance with industry-specific regulations to provide assurance to
stakeholders.

- Conducting a review of a company's quality management systems to provide assurance on the
consistency and effectiveness of product or service delivery.

- Assessing the adequacy of a company's disaster recovery plans to provide assurance on its ability to
recover from major disruptions.

- Reviewing a company's ethical policies and procedures to provide assurance on its commitment to
ethical business practices.

- Conducting an assurance engagement on a company's corporate governance practices to provide
assurance on its transparency and accountability.

- Assessing a company's compliance with international standards or frameworks to provide assurance on
its sustainability and social responsibility efforts.

- Reviewing a company's financial forecasts and projections to provide assurance on their
reasonableness and accuracy.

Code of Ethics

1. Integrity:

- The auditor refuses to manipulate or misrepresent financial information to benefit the company or any
individual.

- The auditor refuses to accept any bribes or illegal payments in exchange for favorable audit outcomes.

- The auditor discloses any conflicts of interest that could compromise their objectivity and
independence.

- The auditor reports any suspected fraud or unethical behavior discovered during the audit process.

- The auditor maintains honesty and truthfulness in all communications and interactions with company
personnel.

2. Objectivity:

- The auditor maintains independence from the company being audited, ensuring they are free from any
personal or financial biases.

- The auditor avoids any conflicts of interest that may compromise their ability to provide unbiased
opinions.

- The auditor critically evaluates and assesses all available evidence and does not allow personal
opinions or external influences to cloud their judgment.

- The auditor ensures that audit findings and opinions are based solely on the facts and evidence
gathered during the audit process.

- The auditor refrains from engaging in any activities that could undermine their objectivity, such as
accepting gifts or favors from the company being audited.

3. Confidentiality:

- The auditor maintains strict confidentiality of all information obtained during the audit process,
including financial records, employee data, and trade secrets.

- The auditor ensures that all audit working papers and documentation are protected and accessible
only to authorized individuals involved in the audit.

- The auditor does not disclose any confidential information to unauthorized parties, unless required by
law or with the consent of the company being audited.

- The auditor ensures that any subcontractors or assistants involved in the audit process also adhere to
strict confidentiality requirements.

- The auditor takes necessary precautions to prevent unauthorized access or disclosure of confidential
information, such as using secure electronic systems and physical safeguards.

4. Competency:

- The auditor possesses the necessary knowledge, skills, and expertise to perform the audit in
accordance with professional standards.

- The auditor keeps up-to-date with changes in accounting principles, auditing standards, and relevant
laws and regulations.

- The auditor conducts the audit using appropriate audit techniques and procedures to obtain sufficient
and appropriate audit evidence.

- The auditor seeks assistance or guidance from experts or specialists when faced with complex or
specialized areas during the audit.

- The auditor ensures that the audit team members assigned to the engagement have the required
competence and experience to perform their duties effectively.

Five Pillars of COSO Framework

1. Control Environment:

- The company's management establishes a culture of integrity and ethical behavior, promoting the
importance of internal control throughout the organization.

- The company's board of directors demonstrates a commitment to effective internal control by
providing oversight and guidance.

- The company has a code of conduct that outlines expected behavior and ethical standards for all
employees.

- The company encourages open communication and feedback channels, allowing employees to report
any unethical behavior or control deficiencies.

- The company's management establishes and enforces appropriate segregation of duties to prevent
conflicts of interest.

2. Risk Assessment:

- The company regularly identifies and assesses the risks it faces, both internal and external, that could
impact its objectives.

- The company conducts risk assessments to evaluate the likelihood and impact of identified risks and
determines how to mitigate or manage them.

- The company considers emerging risks and changes in the business environment when conducting risk
assessments.

- The company involves relevant stakeholders in the risk assessment process to ensure a comprehensive
evaluation of risks.

- The company regularly reviews and updates its risk assessment process to adapt to new risks or
changing circumstances.

3. Control Activities:

- The company implements policies and procedures that provide specific guidance on how to achieve its
objectives and mitigate risks.

- The company establishes and enforces segregation of duties, ensuring that no single individual has
control over a critical process or transaction.

- The company implements physical controls, such as locks and alarms, to protect assets from theft or
unauthorized access.

- The company performs regular reconciliations and reviews of financial records to detect and prevent
errors or irregularities.

- The company implements IT controls, such as user access controls and system monitoring, to safeguard
data and prevent unauthorized access.

4. Information and Communication:

- The company establishes a system for capturing, processing, and communicating relevant information
to support effective decision-making.

- The company ensures that financial and non-financial information is accurate, complete, and
communicated in a timely manner.

- The company establishes clear lines of communication and reporting, allowing employees to escalate
concerns or report control deficiencies.

- The company provides training and education to employees on the importance of internal control and
their roles and responsibilities in maintaining it.

- The company communicates its objectives, strategies, and performance measures to relevant
stakeholders to ensure alignment and transparency.

5. Monitoring Activities:

- The company regularly evaluates the design and operating effectiveness of its internal controls to
ensure they are functioning as intended.

- The company performs periodic internal audits to assess compliance with policies, procedures, and
regulatory requirements.

- The company conducts regular management reviews to assess the effectiveness of internal control and
identify areas for improvement.

- The company establishes a whistleblower hotline or other reporting mechanism for employees to
report control deficiencies or unethical behavior.

- The company responds promptly to identified control deficiencies, implementing corrective actions
and monitoring their effectiveness.

Observation

1. Critical observation:

During an audit of a manufacturing company's inventory management process, it is observed that there
is a lack of segregation of duties. The same employee is responsible for both receiving and recording
inventory, leading to a high risk of fraud and errors. This critical observation indicates a significant
deficiency in internal control and poses a substantial risk to the accuracy and integrity of inventory
records.

2. Major observation:

During a financial audit of a retail company, it is observed that the reconciliation process for credit card
transactions is not being performed timely and accurately. As a result, there are significant discrepancies
between the recorded sales and the actual credit card deposits. This major observation indicates a
weakness in the control activity and poses a risk of material misstatement in the financial statements.

3. Moderate observation:

During an internal audit of an IT department, it is observed that there is a lack of regular backup and
offsite storage of critical data. While some backups are being performed, they are not consistently
tested for completeness and reliability. This moderate observation indicates a deficiency in the control
activity for data backup and recovery, posing a potential risk of data loss or disruption in case of an
incident.

4. Minor observation:

During an audit of a company's expense reimbursement process, it is observed that some employees are
not submitting receipts for expenses below a certain threshold as required by company policy. Although
the overall compliance rate is high, this minor observation indicates a need for better enforcement of
the policy to ensure consistent adherence and accurate reimbursement of expenses.

Tests of Controls

1. Inquiry:

During the test of controls, the auditor chooses to perform inquiries to understand the process of
approving sales orders. The auditor selects a sample of employees involved in the sales order approval
process and asks them about their roles, responsibilities, and the steps they follow to review and
approve sales orders. The purpose of this inquiry is to gather information about the control activities in
place and to assess if they are being effectively performed.

2. Observation:

In the test of controls, the auditor decides to observe the physical inventory count process. The auditor
selects a sample of inventory locations and observes how the employees perform the physical count,
how they record the count results, and how they reconcile any discrepancies. The purpose of this
observation is to verify that the inventory count process is being conducted accurately and in
accordance with the company's inventory control policies and procedures.

3. Inspection:

As part of the test of controls, the auditor conducts an inspection of the company's payroll records. The
auditor selects a sample of employee files and reviews the documentation related to payroll processing,
such as timesheets, pay rate calculations, and payroll tax withholdings. The purpose of this inspection is
to verify the accuracy and completeness of the payroll records and to assess if the control activities
related to payroll processing are being effectively implemented.

4. Reperformance:

During the test of controls, the auditor decides to reperform a sample of vendor invoice approvals. The
auditor selects a sample of vendor invoices and independently performs the approval process, following
the company's policies and procedures. The purpose of this reperformance is to compare the auditor's
results with the company's recorded approvals to assess the effectiveness of the control activity in
ensuring proper authorization and review of vendor invoices.

Inherent Risk vs. Control Risk vs. Detection Risk

1. Inherent Risk:

- A software company is developing a new product that relies on untested technology, increasing the
risk of errors or product failure.

- A company operates in a highly regulated industry, facing inherent risks related to compliance with
laws and regulations.

- A company has significant exposure to foreign exchange risk due to its operations in multiple countries,
increasing the risk of financial losses.

- A company's inventory valuation involves significant estimates and judgments, increasing the risk of
material misstatement in financial statements.

- A company has a high dependence on a single supplier for its raw materials, increasing the risk of
supply chain disruption and production delays.

2. Control Risk:

- A company's internal control system is weak or ineffective, increasing the risk of errors or fraud.

- A company's management overrides controls, allowing them to make unauthorized or inappropriate
transactions.

- A company lacks segregation of duties, increasing the risk of errors or fraud.

- A company's IT systems are vulnerable to cyber attacks, increasing the risk of data breaches or theft.

- A company's employees lack training or knowledge about internal control procedures, increasing the
risk of control failures.

3. Detection Risk:

- The auditor's sample size is too small, increasing the risk of failing to detect material misstatements in
financial statements.

- The auditor's chosen audit procedures are not effective in detecting certain types of misstatements,
increasing the risk of undetected errors or fraud.

- The auditor relies on management representations, increasing the risk of misstatements or fraud going
undetected.

- The auditor is not independent or objective, increasing the risk of overlooking errors or fraud.

- The auditor encounters significant obstacles or impediments to obtaining sufficient and appropriate
audit evidence, increasing the risk of undetected misstatements.
