
INTERNAL AUDITING MODULE
Editors:
Yusarina Mat Isa
Sharifah Nazatul Faiza Syed Mustapha Nazri

Authors:
Mary Lee Siew Cheng, Yusarina Mat Isa, Azleen Ilias, Sharifah Nazatul
Faiza Syed Mustapha Nazri, Nadzira Yahaya, Amizahanum Adam, Mohd
Amran Mahat, Aida Hazlin Ismail, Azharudin Ali, Tay Boon Hock

Case Study Contributors:
Mary Lee Siew Cheng, Yusarina Mat Isa, Grace Mui, Sanjeev Ghatani,
Mohd Amran Mahat, Amizahanum Adam, Fairuz Fauzee

Copyright © 2022

ABOUT THE AUTHORS
Mary Lee Siew Cheng is a Chartered Accountant by profession and a member of the Malaysian
Institute of Accountants and The Malaysian Institute of Certified Public Accountants. She is a
fellow member of The Chartered Association of Certified Accountants (UK), The Chartered Tax
Institute of Malaysia and the Institute of Internal Auditors (Malaysia). She is also an associate
member of The Chartered Institute of Management Accountants (UK). She holds an MBA and a
PhD in Business Administration from the Southern Cross University, Australia. Presently, she is
attached to the Professional Programme Department of Tunku Abdul Rahman University College,
Kuala Lumpur. She can be contacted at marylee@tarc.edu.my.

Yusarina Mat Isa is a senior lecturer at the Faculty of Accountancy, Universiti Teknologi MARA
(UiTM), Puncak Alam campus. She holds a PhD in Accounting from UiTM specializing in
financial criminology. She graduated from Lancaster University, United Kingdom with Master of
Science in Accountancy and Financial Management and holds a Bachelor of Accounting (Hons)
degree from Universiti Tenaga Nasional, Malaysia. She is an associate member of the Institute of
Internal Auditors Malaysia and is currently pursuing Certified Internal Auditor (CIA). Prior to joining
UiTM, she worked as a banking supervisor with Financial Conglomerates Supervision Department,
Bank Negara Malaysia from 2002–2007. Her teaching portfolio includes subjects from various
fields including external auditing, internal auditing, governance and financial accounting. Her
research interest covers risk management, financial crime, banking operations and regulatory
enforcements. She can be contacted at yusarina@uitm.edu.my.

Azleen Ilias holds a PhD in Accounting from Universiti Teknologi MARA (UiTM). She
graduated with a Bachelor's Degree in Accounting from Universiti Utara Malaysia in 2002 and
an MBA (Accounting) in 2004. She is an Associate Member of the Malaysian Institute of Accountants
(MIA) and the Institute of Internal Auditors Malaysia (IIAM). In 2005, she joined Universiti
Malaysia Sabah (UMS) as a Lecturer in International Offshore Banking, and at the end of 2010
she joined the Department of Accounting, College of Accounting and Business Administration,
Universiti Tenaga Nasional (UNITEN) as a Senior Lecturer, where she remains today. She has taught
Internal Auditing, Public Sector Accounting and a few other accounting subjects. Her goal is to be
motivated, successful and capable in sharing knowledge in the accounting and auditing area,
especially internal auditing. She can be contacted at azleens@uniten.edu.my.

Sharifah Nazatul Faiza Syed Mustapha Nazri is an associate professor at the Faculty of
Accountancy, Universiti Teknologi MARA (UiTM), Shah Alam. She completed her PhD at
Edith Cowan University, Perth, Australia. She currently teaches various subjects at both
bachelor's and master's levels. Her fields of expertise are audit assurance and investigation. Most of
her research and writing is on audit assurance and investigation (forensic accounting). Besides
teaching, she also holds various administrative posts at the faculty. She is currently the Liaison
Officer for International Offices representing the faculty. She has been actively involved in in-
house internal audit training for UiTM staff since 2011. She previously worked as an internal auditor
with EON Group and DCB Bank (now known as RHB Bank). In 2012, she became an associate
member of the Islamic Banking and Finance Institute of Malaysia (IBFIM). She can be contacted at
shari744@uitm.edu.my.

Nadzira Yahaya is a former senior lecturer at the Faculty of Accountancy, Universiti Teknologi
MARA (UiTM), Johor Branch. She completed her degree in Master of Accountancy (MAcc)
from University of Glasgow, Scotland, United Kingdom. She is currently teaching various
subjects at both diploma and bachelor levels. Her fields of expertise are Auditing, Financial
Accounting, Corporate Governance and Public Sector Accounting. Most of her research and
writing is on auditing, accounting for non-profit organisations and the educational field.
Besides teaching, she is also a certified trainer with the Institute of Quality & Knowledge
Advancement (INQKA). She has been actively involved in in-house internal audit training for
UiTM staff since 2010. She previously worked as an auditor with KPMG Peat Marwick in Kuala
Lumpur. In 2002, she became a member of The Malaysian Institute of Accountants (MIA).
She can be contacted at nadzira@uitm.edu.my.

Amizahanum Adam graduated from the University of Waikato, New Zealand, with a Bachelor of
Management Studies (Accounting). She started her career as an internal auditor at RHB
Investment Bank Berhad (formerly known as RHB Unit Trust Management Berhad). She then
pursued her postgraduate studies at UUM Kedah and obtained an MBA (Accounting). She
is also a member of the Malaysian Institute of Accountants (MIA). She is currently teaching in
various fields including auditing and accounting information systems at Universiti Teknologi
MARA, Perak. Her main research interests are auditing and computerised security control. She
can be contacted at amiza592@uitm.edu.my.

Mohd Amran Mahat, CPA (Australia), graduated from Monash University, Australia in Bachelor of
Commerce (Accounting & Finance). He started his first career as an auditor with a major international
accounting firm before pursuing his postgraduate studies. He holds a Master in Accountancy from
Universiti Teknologi MARA (UiTM) Shah Alam. He is, at present, an accounting lecturer in Faculty
of Accountancy, UiTM Melaka. His area of interest includes auditing, strategic management and
taxation. He can be contacted at mohda229@uitm.edu.my.

Aida Hazlin Ismail is a senior lecturer in Universiti Teknologi Mara (UiTM) Puncak Alam
campus. She has fifteen years of experience in teaching auditing courses for undergraduate and
post graduate students, financial accounting, anti-money laundering and public sector
accounting. Graduated with Bachelor (Hons) in Accounting from Universiti Utara Malaysia
(UUM), she obtained her PhD degree from Universiti Kebangsaan Malaysia (UKM). She has
working experience as an auditor at Arthur Andersen before starting her career as a lecturer
with Universiti Teknologi MARA (UiTM) from 2004 till present. Her research interests are in the areas
of auditing, business ethics, corporate governance, accounting education, digital teaching and
learning in accounting and small and medium enterprise research. She also actively
participates in educational innovation competitions and has won gold, silver and bronze medals at
national and international innovation exhibitions. Some of her innovative
products are EticaGame “The Quantum BlackWhite”, “Digital Classroom Handbook for I.R 4.0”
and MFRS Lagoon Theme Park. She can be contacted at aidah348@uitm.edu.my.

Azharudin Ali holds a PhD in Management (Internal Audit) from Aston University, United
Kingdom and a Master of Internal Auditing and Management from CASS Business School, City
University London, United Kingdom. He is currently a Senior Lecturer at Tunku Puteri Intan
Safinaz School of Accountancy (TISSA-UUM), Universiti Utara Malaysia. He can be contacted at
azharudin@uum.edu.my.

Tay Boon Hock is currently the Chief Auditor of Parkson Retail Asia Limited, a leading retailer
with businesses ranging from department stores, F&B and fast fashion retail chains to gourmet
supermarkets. He began his career as an External Auditor with Deloitte Malaysia and later joined
Wah Chan, one of the biggest jewellers in Malaysia, where he held various senior positions
including Accountant, Senior Operations Manager and Head of Internal Audit.
Collectively, he has more than 22 years’ experience in internal and external audit, risk
management, governance, accounting and finance, operations, system and process improvement.
Mr. Tay obtained his Certified Internal Auditor (“CIA”) designation in 2015 from the Institute of Internal
Auditors. He is a chartered member of the Institute of Internal Auditors Malaysia (IIAM), a fellow
member of the ACCA and a member of the MIA. He is currently a member of IIAM’s Board of
Governors and the Chairman of the Certification & Academic Relations Committee (CARC).
Prior to this, he served the CARC and Professional Service Committee of IIAM. He can be
contacted at taybh@parkson.com.my.
TABLE OF CONTENTS
CHAPTER 1. OVERVIEW OF INTERNAL AUDITING

Learning Objectives
Introduction
Definition of Internal Auditing
Development of Internal Auditing Practice
Differences between Internal Auditor and External Auditor
Roles and Responsibilities of Internal Auditors
Organisational Status of Internal Audit Function
Line of Defence
Overview on the Relationship of Internal Auditor with Various Stakeholders
Types of Internal Audit Engagements
International Professional Practices Framework
The Institute of Internal Auditors of Malaysia (IIAM)
Career Prospects for Internal Auditors
Summary
Self-Review Questions
References
Mind Map

CHAPTER 2. CORPORATE GOVERNANCE MECHANISM

Learning Objectives
Introduction
Definition of Corporate Governance
Malaysian Code on Corporate Governance
Corporate Governance Mechanism
Roles of Board of Directors in Corporate Governance
Roles of Audit Committee in Corporate Governance
Roles of Senior Management in Corporate Governance
Roles of Internal Auditors towards Board of Directors, Audit Committee and Senior Management
Summary
Self-Review Questions
References
Mind Map

CHAPTER 3. RISK MANAGEMENT AND CONTROL

Learning Objectives
Introduction
Risk and Risk Management
Enterprise Risk Management
Roles of Board of Directors, Management and Risk Officers in Risk Management
Role of Internal Auditor in Risk Management
Division of Roles on Risk Management between Management and Internal Auditor
Evaluation of Risk Management Process by Internal Auditor
Reporting Risk Management
Alternative Risk Management Frameworks
Controls
The Roles of Internal Auditors in Controls
Division of Roles on Controls between Management and Internal Auditor
Reporting and Communication by Internal Auditor
Alternative Control Frameworks
Categories of Control Objectives
Components of Internal Controls
Limitations of Controls
Summary
Self-Review Questions
References
Mind Map

CHAPTER 4. MANAGING THE INTERNAL AUDIT FUNCTION

Learning Objectives
Introduction
Internal Audit Charter
Staffing in Internal Audit Department
Responsibilities of Those Charged with Governance to the Internal Audit Function
Attributes of an Effective Internal Audit Function
Conflict Management
Outsourcing the Internal Audit Function
Summary
Self-Review Questions
References
Mind Map

CHAPTER 5. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

Learning Objectives
Introduction
Quality Assurance and Improvement Program
Purposes of a QAIP
Quality Assurance Methodologies
Reporting on the Quality Program
Advantages of a QAIP
Best Approach for a QAIP
Common Issues in Quality Assurance Assessment
Summary
Self-Review Questions
References
Mind Map

CHAPTER 6. INTERNAL AUDIT PROCESS

Learning Objectives
Introduction
Framework of Internal Audit Process
Strategic Audit Planning
Risk-Based Internal Auditing
Risk-Based Audit Planning
Engagement Planning
Performing the Engagement
Evaluation and Conclusion
Communication
Follow Up
Appendix 6.1 Audit of Payroll
Summary
Self-Review Questions
References
Mind Map
CHAPTER 7. INTERNAL AUDIT REPORTING AND MONITORING

Learning Objectives
Introduction
Purpose of Internal Audit Report
Process of Report Writing
Structure of the Report
Opinions and Ratings of the Internal Audit Report
Quality of Report Writing
Strategies in Preparing Internal Audit Report
Communicating Results
Dissemination of the Audit Report
Monitoring the Progress and Follow-up Audit
Summary
Self-Review Questions
References
Mind Map

CHAPTER 8. IMPLICATIONS OF INFORMATION TECHNOLOGY ON INTERNAL AUDITING

Learning Objectives
Introduction
Definition of IT Audit
Elements of IT Audit
Guide to Conduct an IT Audit
Scope and Objectives Of An IT Audit
Steps in IT Audit
Evaluation of General and Application Controls
Auditing of System Development Life Cycle
Auditing of E-Commerce
Computer-Assisted Audit Techniques (CAATs)
Internal Auditing and the Fourth Industrial Revolution
Summary
Self-Review Questions
References
Mind Map

CHAPTER 9. INVESTIGATION OF FRAUD

Learning Objectives
Introduction
Definition of Fraud
Fraud Triangle and Fraud Diamond
Types of Fraud
Red Flags of Fraud
Internal Auditors’ Role in Fighting Fraud
Other Responsibilities of Fraud Prevention and Detection
Internal Audit’s Role in Anti-Bribery and Anti-Corruption Programs
Fraud Risk Assessment
Fraud Prevention and Detection
Forensic Audit
Fraud Investigation
Summary
Self-Review Questions
References
Mind Map

CHAPTER 10. WHISTLEBLOWING

Learning Objectives
Introduction
Definition of Whistleblowing
Forms of Whistleblowing
Internal Audit as a Whistleblower
Advantages and Disadvantages of Whistleblowing
Whistleblower Protection Act 2010
Code of Conduct in Relation to Whistleblowing
Summary
Self-Review Questions
References
Mind Map

CHAPTER 11. ENVIRONMENTAL AUDITING

Learning Objectives
Introduction
Definition of Environmental Auditing
Objectives of Environmental Auditing
Advantages of Environmental Auditing
Examples of Environmental Audit in a Manufacturing Company
Environmental Audit Report
Environmental Management System (EMS)
Four Pillars of EMS Adoption
Commitments for a Successful EMS Adoption
Summary
Self-Review Questions
References
Mind Map

CASE STUDY

CASE 1: Argon Bank
CASE 2: National Malaysian Bank
CASE 3: Perusahaan Herba, PT.
CASE 4: Lightning Logistics
CASE 5: Taj Mahal Investment
CASE 6: Water Works
CASE 7: ESB Savers Berhad
CASE 8: ABC Pte. Ltd.
CHAPTER 1. OVERVIEW OF INTERNAL AUDITING

Learning Objectives
After going through this chapter, you should be able to:
• Provide a professional overview of internal auditing
• Differentiate internal auditors and external auditors
• Identify the different types of internal audit engagements
• Describe the evolution and development of internal audit practices
• Understand the roles of the Institute of Internal Auditors of Malaysia (IIAM)
• Describe factors that enhance the image of the internal audit profession
• Understand the Code of Ethics and International Standards for the Professional Practice of
Internal Auditing
• Integrate the Code of Ethics and International Standards for the Professional Practice of Internal
Auditing into the roles of internal auditors

Introduction

Previously, internal auditing was accounting-oriented and focused mainly on the accuracy and
reliability of financial statements and on historical performance reporting. Today, the
internal auditor has an enhanced and more complex role, with a wider scope and greater
expectations from stakeholders. Modern internal auditors provide services that include the
examination and appraisal of controls, performance, risk and governance for public and
private entities. These roles also encompass suggesting improvements to performance and
generating new ideas or proposals for corporate direction that help the organisation achieve its
objectives.

An internal auditor acts as a management control and performs independent checks on the
control systems of an organisation. The recent global financial crisis has increased the demand for
competent internal auditors who can deal with dynamic and complicated changes in industry.
Several sets of guidance are available to help internal auditors fulfil their responsibilities. Primarily,
internal auditors are required to adhere to the Institute of Internal Auditors’ (the IIA)
International Professional Practices Framework (refer to https://global.theiia.org).

Currently, public listed companies are required to have an internal audit function, and the
requirement has also been extended to regulatory bodies and government agencies. The
internal audit function has become the ‘in-thing’ in organisations: by having one,
stakeholders can rest assured that an independent mechanism is in place to control and
monitor how the organisation operates.

Definition of Internal Auditing

Internal auditing is defined as an independent, objective assurance and consulting activity
designed to add value and improve an organisation’s operations. It helps an organisation
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control and governance processes.

Internal auditing is an independent appraisal function established within an organisation to
examine and evaluate its activities as a service to the organisation. The objective of internal
auditing is to assist members of the organisation in the effective discharge of their
responsibilities. Internal auditing furnishes them with analysis, appraisals, recommendations,
counsel and information concerning the activities reviewed. The audit objective includes
promoting effective control at a reasonable cost.

The key terms in the definition of internal auditing are:

• Independence and objectivity
Independence refers to the organisational status of the internal audit function. For the
internal audit activity to be independent, the internal audit function should have direct
access to, report directly to and be accountable to the Audit Committee. The IIA recommends
that the Chief Audit Executive (CAE) report functionally to the Audit Committee
and administratively to the organisation’s Chief Executive Officer (CEO).
Objectivity refers to the mental attitude of the individual internal auditors. Internal
auditors should be free from influence or interference so that they can render impartial and
unbiased opinions in the course of audit engagements. To maintain objectivity, internal
auditors should not involve themselves in the day-to-day operations of the organisation,
make management decisions or put themselves in situations that would give rise to a
conflict of interest.

• Assurance and consulting activity
The primary purpose of an assurance activity is to assess evidence relevant to the subject
matter of interest and provide a conclusion regarding that matter. A consulting activity,
on the other hand, provides advice and other assistance relating to the subject matter, within
the scope of the work that the internal auditors have agreed to perform. Internal
auditors should provide recommendations for improvement in areas of deficiency
in order to add value and improve an organisation’s risk management, control and
governance processes.

• Systematic and disciplined approach
Internal auditing is a systematic and guided process. The internal audit function should
establish its own policies and procedures to guide every internal audit activity and ensure
that the audit service provided is of good quality.

• Add value
The assurance and consulting activity allows improvements in an organisation’s
operational activities to achieve its objectives and to ensure effective risk management,
control and governance processes.

• Risk management
Risk management is the process conducted by the management of an organisation to
understand and deal with risks (uncertainties) that could negatively affect the
organisation’s ability to achieve its objectives. At the same time, risk could also lead
to opportunities when an event occurs and positively affects the achievement of an
organisation’s objectives.

• Control
An organisation needs to have in place effective internal control that reasonably
assures the safeguarding of the organisation’s assets against loss. Internal
auditors are responsible for assessing whether such controls have been properly established
and maintained by the management of the organisation.
• Governance
Governance is the act of directing and overseeing an organisation. It relates to decisions that define
expectations, grant power or verify performance. It may be a separate process
or part of the management or leadership processes. Hence, internal auditors should assess
the corporate governance process and provide recommendations to achieve effective
governance.

Development of Internal Auditing Practice

The internal audit function is not a profession that arose overnight. It has been in existence
since 3500 BC, when tick marks were used as a form of verification during the Mesopotamian
civilisation. At the global level, the establishment and evolution of internal audit as a
profession is closely linked to the history of the IIA, a body founded in the United States in 1941.

Nevertheless, in the early years of the profession, internal auditing was
perceived as a function closely related to the work of external auditors, with both involved
in checking the financial affairs of organisations. Over the years, internal auditing has gained
recognition as a function distinct from external audit.
Table 1.1 illustrates the evolution of the internal audit profession from its initial years
until now.

Table 1.1 Evolution of Internal Audit Profession

THEN: Concentrated on attesting to the accuracy of financial matters.
NOW:  Provides services that include the examination and appraisal of the control and performance of an organisation.

THEN: Functioned as the junior sibling of the independent accounting profession.
NOW:  Set up as a separate, distinct department within the organisation.

THEN: Once acted as the auditee’s adversary.
NOW:  Guides improvements to operations, seeking to maintain a cooperative working relationship with clients and auditees.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has
elevated the importance of internal auditing by recommending the need to establish an
effective and objective internal audit function and to coordinate internal auditing with
external auditing. Furthermore, COSO has also emphasised the importance of internal
control in organisations, which further places internal audit as a significant function within
organisations.

In Malaysia, the evolution of the internal audit function started in the 1970s with the
establishment of an internal audit unit in the Ministry of Defence. In 1979, the Federal
Government issued a circular expanding the establishment of internal audit function to other
government ministries, with a broader role that included operational audit. In 1993, the
Ministry of Finance requested all government-owned organisations to set up an Audit
Committee, with the intention of protecting the government’s interest as a shareholder and
overseeing the internal audit function in these organisations. Since 1993, it has also been
mandatory for all public listed organisations to establish an Audit Committee to monitor the
accountability, governance, independence and objectivity of their internal audit department.
With the establishment of Audit Committees, the internal audit function has further gained
significance.


In the private sector, internal auditing was first set up to focus mainly on evaluating the
efficiency and effectiveness of internal control systems and compliance. In 2008, the
Bursa Malaysia Listing Requirements made it mandatory for public listed organisations
to set up an internal audit function. For private companies there is no mandatory
requirement, so an internal audit function is set up on a voluntary basis.

Differences between Internal Auditor and External Auditor

Internal auditors may at times be perceived as redundant when compared to external auditors.
Their functions are in fact different in several aspects, which are summarised in Table 1.2.

Table 1.2 Different Features of Internal Auditor and External Auditor

Reporting responsibility
  Internal auditor: Reports to the Audit Committee/Board of Directors.
  External auditor: Reports to the shareholders.

Status
  Internal auditor: In general, part of the organisation’s employees.
  External auditor: An independent contractor, a third party.

Stakeholder
  Internal auditor: Serves the needs of the organisation.
  External auditor: Serves third parties needing a reliable financial performance report.

Independent status
  Internal auditor: Independent of the activities audited, but ready to respond to the needs and desires of all elements of management.
  External auditor: Independent of management and the Board of Directors, both in fact and in mental attitude.

Responsibility towards fraud
  Internal auditor: Directly involved with the prevention and detection of fraud in any form or extent in any activity reviewed.
  External auditor: Indirectly concerned with the prevention and detection of fraud in general, but directly concerned when the financial statements may be materially affected.

Scope of work
  Internal auditor: Evaluates governance, control and risk management processes to assure the accomplishment of entity goals and objectives.
  External auditor: Reviews the financial statements to ensure that they are free from material misstatement and expresses an opinion on whether the financial statements present a true and fair view.

Timing and frequency of audit
  Internal auditor: Reviews activities continually, focusing on future events.
  External auditor: Reviews the records supporting the financial statements periodically (usually once a year) and focuses on the accuracy and understandability of historical events as expressed in the financial statements.

Professional qualification
  Internal auditor: Not required, but may obtain the Certified Internal Auditor (CIA) designation.
  External auditor: Must be a Chartered Accountant (CA) registered with the Malaysian Institute of Accountants (MIA) and hold an audit licence granted by the Ministry of Finance (MoF).

Roles and Responsibilities of Internal Auditors
Internal auditors’ roles and responsibilities cover three broad areas in an organisation: risk
management, control and governance. Internal auditors shall not assume management’s
responsibilities, but support management in ensuring the efficiency and
effectiveness of operations, the reliability of financial and management reporting and
compliance with laws and regulations. Internal auditors may also be involved in fraud audits
to identify potentially fraudulent acts. They may participate in fraud investigations under the
direction of fraud investigation professionals, and conduct post-investigation fraud audits to
identify control breakdowns and establish the financial loss. Internal auditors are not responsible
for the execution of company activities; however, they may advise management and the Board
of Directors on how to better execute their responsibilities. Internal auditors can have access
to every part of an organisation’s operations, with unrestricted access to the company’s
personnel, records and physical property.

The internal auditors’ roles and responsibilities with respect to risk management, control and
governance include:

Risk Management
• Test and evaluate the adequacy of risk management processes, models and systems
• Educate and create awareness among the management and staff concerning the risk
issues
• Assist the management in developing risk management framework and its implementation
• Provide feedback on the appropriateness of risk management infrastructure

Control
• Assess the effectiveness of the organisation’s internal control system, including the
adequacy of control model or design
• Monitor management’s compliance with the organisation’s code of conduct and ethical
policies
• Review corporate policies relating to compliance with laws and regulations, conflict of
interests
• Analyse the controls for critical accounting and management functions
• Provide feedback and reporting of controls deficiencies

Governance
• Advise on the adequacy and appropriateness of the composition of the Board of Directors
• Assess the effectiveness of the Board of Directors in discharging their duties
• Ensure that the internal audit charter, role and activities are clearly understood and
responsive to the needs of the Audit Committee and Board of Directors
• Help to keep the Board of Directors informed on any matters related to the company’s interests

Organisational Status of Internal Audit Function

To achieve the objectives of having an internal audit function within an organisation, it
must have adequate authority and freedom to carry out its audit activities. It is important
to establish that internal audit is an essential function in the organisation and that
cooperation from organisational members is necessary. Where this fails,
the effectiveness of the internal audit function will be diminished.

In order to have the necessary status, the internal audit function must report functionally to
the Audit Committee and administratively to top management (i.e. the CEO). As shown
in Figure 1.1, the CAE needs a direct reporting line to the Audit Committee on
matters that concern the internal audit work itself. For administrative purposes, for instance
matters concerning the operating budget and day-to-day operations of the internal audit activity,
the CAE has an indirect reporting line to the CEO, shown by the ‘dotted’ line.

[Figure 1.1 Internal Auditor Line of Reporting: the Audit Committee sits under the Board of
Directors; the Chief Audit Executive reports to the Audit Committee by a solid (functional) line
and to the Chief Executive Officer by a dotted (administrative) line.]

The internal auditors need to be supported by both the Audit Committee and the Board of
Directors in order to make sure that those who are audited cooperate with them. The support
of the board and Audit Committee will demonstrate that the work is viewed as important for
the organisation. If the board and Audit Committee do not support the work of the internal
auditors, others in the organisation will not support the efforts of the internal auditors either.

The correct level of organisational status will provide the internal audit department with
organisational independence. This means that the internal audit function must not have any
operational relationship with the departments it will be auditing. Reporting directly to the Audit
Committee, and having policies that restrict the assignment of internal auditors to engagements
in departments where they previously worked, strengthen internal auditors’
independence. IIA Standard 1130.A1 presumes that objectivity is impaired if an internal auditor
provides assurance on an activity for which he or she had responsibility within the previous year.

Line of Defence
The three lines of defence model defines an approach to providing risk assurance. Using
the three lines of defence to understand the organisation’s system of internal control and risk
management is a good starting point for ensuring effective risk management and control.
The three lines of defence explain the relationships between the functions in the organisation
and act as a guide on how responsibilities should be assigned. The three lines of defence are
as follows:

1. The first line of defence (functions that own and manage risks)
The first line of defence is delivered by business operations, which provide an adequate level of
assurance in identifying risks, implementing controls and reporting on progress within their
functional areas. It is formed by the managers and staff who are responsible for identifying
and managing risks in the organisation. The managers and staff should have the necessary
knowledge, skills, information and authority to operate the relevant risk control policies and
procedures. They are the first point of contact where risk is concerned and should therefore
exercise careful control over the risks the organisation takes on.

2. The second line of defence (functions that oversee risks or specialise in the compliance
or management of risk)
The second line of defence is provided by the functions that oversee risk management and
compliance processes. It consists of activities covered by several components of internal
governance, such as compliance, risk management, quality, IT and other control departments.
This level provides the policies, frameworks, tools, techniques and support to enable risk and
compliance to be managed in the first line of defence. This line of defence monitors and
facilitates the implementation of effective risk management practices by operational
management.

3. The third line of defence (functions that provide independent assurance)
The third line of defence is provided by functions that offer an independent approach to audit
and assurance for monitoring purposes. Commonly, this is provided by the internal audit function.
The main role of the third line of defence is to ensure that the first two lines are operating
effectively and to advise on how they could be improved. The internal audit function is positioned
within an organisation to provide assurance to the Audit Committee and senior management
on the effectiveness of risk management, control and governance processes. As the third line
of defence, the internal auditor plays a crucial role in assuring robust risk management within an
organisation.

Overview of the Relationship between Internal Auditor and Various Stakeholders
Internal auditors co-exist with other stakeholders and they shall maintain a harmonious
working relationship with the various stakeholders, which include the Board of Directors,
Audit Committee, senior management and external auditors. As shown in Figure 1.2, the
internal auditor plays a significant role to the other stakeholders in various capacities.

Figure 1.2 Internal Auditor and its Stakeholders
(Figure: the internal auditors, providing assurance and consulting, at the centre, linked to four
stakeholders: the Audit Committee, which oversees financial reporting and disclosure; the Board of
Directors, a body of elected or appointed members who jointly oversee the activities of a company;
the external auditors, who audit the financial statements and are independent of mind and in
appearance; and senior management, directly responsible for managing a company on a day-to-day
basis.)

Board of Directors
The Board of Directors has a critical role in discharging its governance duty in an
organisation. Among its responsibilities is driving and supporting the internal audit
process. The internal audit function requires strategic direction and an adequate mandate to exercise
its duties, and in this regard, the Board of Directors has to ensure that the internal auditors
are not alienated, both in terms of existence and function. The Board of Directors must allow
internal auditors to carry out their duties independently and ensure that internal auditors can
perform their work free from interference.

Audit Committee
The Audit Committee is a committee of the Board and has a direct role in ensuring
that internal auditors perform their work independently and meet the organisation’s
expectations. The Audit Committee shall safeguard the interests of the internal auditors and
ensure that the internal audit charter, activities and processes are appropriate. The Audit
Committee must also ensure that the internal audit charter, role and activities are clearly
understood and responsive to the needs of management and the Board of Directors.

Senior Management
Senior management shall not interfere in the internal audit activity, and similarly internal
auditors shall have no influence on the operational conduct of an organisation. Internal
auditors and senior management must co-exist and should clearly understand the demarcation
of their functions. If this demarcation is not observed, internal auditors will not be able to
work independently.

External Auditors
Internal auditors and external auditors have distinct functions (refer to Table 1.2); however,
their paths do cross in certain areas. Both parties have to clearly understand their roles and
responsibilities and co-exist to complement each other.

Types of Internal Audit Engagements

There are many types of internal audit engagements that can be conducted by internal
auditors, but they are broadly classified into assurance and consultancy. The different types of
internal audit have different purposes and characteristics that apply only in the appropriate
circumstances and risk assessments. The following provides six examples of internal audit
engagements:

Financial Audit
Independent evaluation to attest the fairness, accuracy and reliability of financial data.
Internal auditors conduct audits by focusing on a financial system’s control to ensure that
the control is adequate and effective in safeguarding the accuracy and reliability of the
financial statements. This audit has a different focus than the financial audit performed
by external auditors.

Operational Audit
Assessment on the methods of operations and evaluation on how to improve performance of
an area, department or functional operation. This process assesses the adequacy, efficiency
and effectiveness of control procedures to meet the objectives of organisations. Operational
audit is a future-oriented, systematic, and independent evaluation of organisational activities.

Management Audit
Assessment on the competencies and capabilities of an organisation’s management in order
to evaluate their effectiveness, especially with regard to the formulation and implementation
of strategic objectives, policies and procedures of the business. The objective of a
management audit is not to appraise the performance of individual executives, but to
evaluate the management team of a unit or the entire organisation.

Compliance Audit
Assessment of an organisation’s adherence to applicable rules and laws that may originate
internally or externally. The audit process may assess the extent of compliance with internal
policies, regulatory rules and requirements and applicable laws.

Information System/Information Technology Audit
Assessment on computer systems and management of information including the integrity of
information. Involves appraisal and testing of computer systems through the various stages
of system development — plan, analyse, design and implement.

Fraud/Forensic Audit
An in-depth investigation into any irregularities such as reported fraud or allegations. Its
scope is in the area specified to determine modus operandi and collection of evidence to
support the case that would eventually lead to legal consequences.

International Professional Practices Framework

The International Professional Practices Framework (IPPF) is issued by the IIA and provides
a structural blueprint that facilitates consistent development, interpretation and application of
concepts, methodologies and techniques useful to the internal audit profession. The core
principles of the IPPF are as follows:

• Demonstrates integrity
• Demonstrates competence and due professional care
• Is objective and free from undue influence (independent)
• Aligns with the strategies, objectives, and risks of the organisation
• Is appropriately positioned and adequately resourced
• Demonstrates quality and continuous improvement
• Communicates effectively
• Provides risk-based assurance
• Is insightful, proactive, and future-focused
• Promotes organisational improvement

The IPPF outlines the Code of Ethics for internal auditors, which states the principles and
expectations governing the behaviour of individuals and organisations in the conduct of
internal auditing. It describes the minimum requirements for conduct and behavioural
expectations, rather than specific activities. The purpose of the Code of Ethics is to promote
an ethical culture in the profession of internal auditing. A code of ethics is necessary and
appropriate for the profession of internal auditing, founded as it is on the trust placed in
its objective assurance about governance, risk management and control. The Code of Ethics
is demonstrated by the practice of four ethical principles which internal auditors are
expected to apply and uphold, as shown in Figure 1.3.

Figure 1.3 IIA Code of Ethics
(Figure: the four principles of the Code of Ethics: Integrity, Objectivity, Competency and
Confidentiality.)

Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance
on their judgment. Integrity relates to honesty, straightforwardness and trustworthiness.

Objectivity
Objectivity is rendering unbiased judgement. Internal auditors exhibit the highest
level of professional objectivity in gathering, evaluating and communicating information
about the activity or process being examined. Internal auditors make a balanced assessment
of all the relevant circumstances and are not unduly influenced by their own interests or by
others in forming judgments.

Confidentiality
Internal auditors shall respect the value and ownership of information they
receive and do not disclose information without appropriate authority unless there is a legal
or professional obligation to do so.

Competency
Internal auditors shall apply the knowledge, skills, and experience needed in
the performance of internal audit services.

For the internal audit profession, the IPPF has also prescribed that conformance with the IIA’s
International Standards for the Professional Practice of Internal Auditing (the Standards) is
essential in meeting the responsibilities of internal auditors and the internal audit activity. If
internal auditors or the internal audit activity is prohibited by law or regulation from
conformance with certain parts of the Standards, conformance with all other parts of the
Standards and appropriate disclosures are needed.

If the Standards are used in conjunction with standards issued by other authoritative bodies,
internal audit communications may also cite the use of other standards, as appropriate. In
such a case, if inconsistencies exist between the Standards and other standards, internal
auditors and the internal audit activity must conform to the Standards, and may conform with
the other standards if they are more restrictive.

The purpose of the Standards is to:

1. Delineate basic principles that represent the practice of internal auditing.
2. Provide a framework for performing and promoting a broad range of value-added
internal auditing.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organisational processes and operations.

The Standards, together with the Code of Ethics, encompass all mandatory elements of the
IPPF; therefore, conformance with the Code of Ethics and the Standards demonstrates
conformance with all mandatory elements of the IPPF.

The Institute of Internal Auditors of Malaysia (IIAM)

The Institute of Internal Auditors Malaysia (IIAM) is a non-profit organisation dedicated to
the advancement and development of the internal audit profession in Malaysia. The IIAM
was established in 1977 as a chapter of the Institute of Internal Auditors Inc. (IIA Global) and
elevated to the status of a national institute in 1988. In July 1994, the IIAM was incorporated
as a company limited by guarantee and became an affiliate of the IIA Global. The IIAM
maintains its motto “Progress through sharing” and shares with its members information on
new trends, latest internal audit techniques, regulatory and statutory requirements and the
emerging issues affecting the internal audit profession.

The IIAM provides various services for both members and non-members:
• Certification — offering certification for Certified Internal Auditors (CIA), Certified
Financial Services Auditor (CFSA), Certified Government Auditing Professional (CGAP)
and Certification in Control Self-Assessment (CCSA), Certification in Risk Management
Assurance (CRMA) and Qualification in Internal Audit Leadership (QIAL).
• Professional development — providing quality and ‘value for money’ internal audit training.
• Guidance and advice — providing research, technical advice and responding to technical
enquiries.
• Surveys — conducting surveys on various topics in collaboration with, among others,
Bursa Malaysia, MICG, KPMG and Ernst & Young.
• Quality assurance services — providing assistance and expertise for Quality Assurance and
Improvement Program (QAIP).

Career Prospects for Internal Auditors

A minimum of a bachelor’s degree is required to start a career as an internal auditor, whilst
having the relevant professional certification is an added advantage. Internal auditors,
once they join an organisation, may choose to stay for a few years to gain adequate
experience. An individual may start as an entry-level internal auditor, then be promoted
to lead/senior internal auditor, internal audit supervisor/manager and finally to the highest position
as head of the internal audit department, commonly by holding the position of chief audit
executive (CAE) / chief internal auditor (CIA).

Promotions can be gained in a number of ways, either internally within the organisation or
by moving to a different organisation, especially a bigger one. Career development
prospects are enhanced for internal auditors who are flexible and are able to relocate.
Opportunities are also available for anyone who is specialised in a certain area of auditing or
who holds professional qualifications, such as being a chartered internal auditor or chartered
accountant.

Internal auditing provides a good platform for internal auditors to understand an
organisation’s internal operations and how it works, and at the same time builds some key
transferable skills. This means it may be possible for an internal auditor to move into other
areas of the business such as IT, finance, sales or marketing once the knowledge of how the
business is run is acquired. This is feasible because, as an internal auditor, one has the
opportunity to acquire such knowledge and understanding during the course of audits
of the various departments in the organisation.

Internal auditors may also have the prospect to become an internal audit consultant and be
self-employed, once a strong network and client base are built up, which often may take
several years of practice.

Summary

Relevant authorities throughout the world, including in Malaysia, recognise the significance
of an internal audit function. Internal auditors have a greater role nowadays than before. Their
function and focus are different from that of external auditors; nevertheless, they complement
each other particularly within the scope of governance, risk management and control.

Self-Review Questions
1. Briefly explain the role of an internal auditor today.
2. List four reasons why an internal auditor should ensure the effectiveness of risk
management, control and governance processes in an organisation.
3. What is the purpose of an operational audit?
4. Discuss five types of internal audit activities.
5. Explain the differences between internal auditors and external auditors.
6. Elaborate the evolution of internal auditing as a profession.
7. Discuss five critical successful factors to be considered in establishing the internal audit
function as a reputable profession.

Mind Map

(Mind map figure)

2 Corporate Governance Mechanism
Learning Objectives
After going through this chapter, you should be able to:
• Define corporate governance
• Understand the Malaysian Code of Corporate Governance
• Understand the roles of Board of Directors, Audit Committee, senior management
and internal audit functions in corporate governance

Introduction

Corporate governance provides a framework of control mechanisms that support the
company in achieving its goals, while at the same time preventing unwanted conflicts. The pillars
of corporate governance such as ethical behaviour, accountability, transparency and
sustainability are important to the governance of companies and the stewardship of investors’
capital. Companies that embrace these principles are more likely to produce long-term value
than those that are lacking in one or all of them.

Proper governance identifies the distribution of rights and responsibilities among different
participants in the company and outlines among others the rules and procedures for decision-
making, internal control and risk management. Corporate governance is not only concerned
with shareholder interests but requires balancing the needs of other stakeholders such as
employees, customers, suppliers, society and the communities in which the companies
conduct their business.

Definition of Corporate Governance

Corporate governance is defined as:

The process and structure used to direct and manage the business and affairs
of the company towards enhancing business prosperity and corporate
accountability with the ultimate objective of realising long-term shareholder
value, whilst taking into account the interests of other stakeholders.

From the definition, corporate governance focuses mainly on the process used to direct and
control business and affairs of the company which specifies the distribution of rights and
responsibilities among the different parties in the organisation which include the Board of
Directors, managers, shareholders and other stakeholders. Thus, corporate governance can be
described as the proper procedure on how the ‘government’ of a company (the managers and
Board of Directors) should be responsible to their ‘voters’ (the shareholders, creditors and
investors).

Corporate governance emphasizes the transparency of the decision-making processes,
fairness and trustworthiness in managing a company. An effective internal audit function
plays a key role in assisting the Board of Directors to discharge its governance
responsibilities.

Malaysian Code on Corporate Governance

The Malaysian Code on Corporate Governance (MCCG), first introduced in the year 2000,
has since been a significant tool for corporate governance reform in Malaysia. The MCCG
reflects accepted principles and internationally recognised practices of corporate governance
which are applicable to all organizations, particularly the public listed companies.

The MCCG was reviewed and updated in 2007, 2012, 2017 and 2021 to ensure that it remains relevant
and is aligned with globally recognised best practices and standards. In 2017, the MCCG, which
supersedes its earlier edition, took on a new approach, as shown in Figure 2.1, to promote
greater internalisation of a corporate governance culture. Known as CARE, or Comprehend,
Apply and Report, this approach encourages companies to clearly identify the thought
processes involved in practising good corporate governance, including providing a fair and
meaningful explanation of how the company has applied the practices.

Figure 2.1 Key Features of the New Approach (CARE)
(Figure: four key features: the shift from comply or explain to apply or explain; greater focus
and clarity on the Intended Outcomes for each Practice; guidance to assist companies in applying
the Practices; and identification of exemplary practices which support companies in moving
towards greater excellence.)

(Source: MCCG 2021)

Comprehend
Understand and internalise the spirit and intention behind the principles and practices
including its intended outcomes.

Apply
Implement the practices in substance to achieve the intended outcomes of building and
supporting a strong corporate governance culture throughout the company.

Report
Provide a fair and meaningful disclosure on the company’s corporate governance
practices.

The latest amendment of the MCCG, in 2021, emphasises the roles of the Board of
Directors, Audit Committee and senior management in strengthening the corporate
governance culture through the adoption of new best practices and supplementary guidance
for good governance. Refer to https://www.sc.com.my/regulation/corporate-governance
for further information on MCCG 2021.

In the MCCG, the roles of internal auditors are emphasized through the function of the
Audit Committee. Audit Committee is required to ensure that the internal audit function
is effective and able to function independently from the management.

MCCG prescribes that the Audit Committee should ensure that:

• internal audit personnel are free from any relationships or conflicts of interest, which could impair
their objectivity and independence;
• the number of resources in the internal audit department shall be adequate and competent in
carrying out the function;
• the internal audit function is carried out in accordance with a recognised framework;
• the person responsible for the internal audit must report directly to the Audit Committee;
• appointment and removal, scope of work, performance evaluation, and budget for the internal
audit function must be determined by the Audit Committee.

Corporate Governance Mechanism

Corporate governance is the policies and procedures a company implements to control
and protect the interests of internal and external business stakeholders. It often represents
the framework of policies and guidelines for each individual in the business. Larger
organisations often use corporate governance mechanisms to manage their businesses
because of their size and complexity. Publicly held corporations are also primary users of
corporate governance mechanisms.

Board of Directors
The Board of Directors is ultimately responsible for the governance of the organisation.
Establishing an effective audit committee is the key tool that the Board of Directors has in
order to oversee that the organisation is well-governed and that the financial reporting and
other information delivered to the Board of Directors and communicated to other
stakeholders are accurate and trustworthy. The Board of Directors is accountable for
reviewing the corporation’s administration. The Board of Directors should also establish formal
and transparent arrangements for considering how it should apply the corporate
reporting, risk management and internal control principles and for maintaining an
appropriate relationship with the company’s auditors.

Audits
Audits are an independent assessment of a company’s business and financial operations.
These corporate governance mechanisms make certain that businesses or groups observe
international accounting standards, regulations or other guidelines. Shareholders, on the
other hand, expect that their money and interests are well protected, and that the
various systems within their companies are sufficient and functioning the way they should.
Therefore, the external auditor is appointed to evaluate such systems and provide
recommendations or assurance to the owners.

Balance of Power
Balancing power in an organisation ensures that no one individual has the ability to
overextend resources. Segregating duties between the members of the Board of Directors,
directors, managers and other individuals ensures that each individual’s responsibility is
well within reason for the organisation. Corporate governance can also separate the number
of functions that one division or department completes within an organisation. Creating
well-defined roles also keeps the organisation flexible, ensuring that operational changes or
new hires can be made without interrupting current operations. The key players of corporate
governance are depicted in Figure 2.2.

Figure 2.2 Key Players of Corporate Governance
(Figure: “Corporate Governance: A System Composed of Key Players”, showing the Board of
Directors, audit, external auditors and supervisors.)

(Source: Alain Laurin, 2002)

Role of Board of Directors in Corporate Governance

The Board of Directors should set the company’s strategic aims, ensure that the necessary
resources are in place for the company to meet its objectives and review management
performance. The Board of Directors should set the company’s values and standards, and
ensure that its obligations to its shareholders and other stakeholders are understood and met.

A Chairman of the Board of Directors who is responsible for instilling good corporate
governance practices, leadership and effectiveness of the Board of Directors is appointed.
The positions of Chairman and CEO are held by different individuals.

To enable the Board of Directors to discharge its responsibilities in meeting the goals and
objectives of the company, the Board of Directors should, among others:

• collectively with senior management, promote good practices of corporate
governance culture within the organisation to reinforce ethical, prudent and
professional behaviour;
• review, dispute and determine management’s proposals for the company, and monitor
the implementation with the involvement of management;
• ensure that the strategic planning of the organisation will add value to long-term
wealth and include strategies on economic, environmental and social considerations
underpinning sustainability;
• supervise and determine the management performance to ensure that the wealth
of the organisation is properly managed;
• ensure there is a sound framework for internal controls and risk management;
• understand the major risks of the company’s business and recognise that some of the
organisation’s decisions may involve some risk taking;
• set the risk level in which the Board of Directors expects management to operate
and make certain that there is a good structure of risk management framework to
identify, analyse, evaluate, control and monitor both financial and non-financial
risks;
• ensure that senior management has the necessary skills and experience in order to achieve the
succession of the Board of Directors and senior management;
• ensure that the organisation has strategies to enable effective communication with
stakeholders; and

Key responsibilities of the Chairman include:

• imparting leadership to the Board of Directors so that the Board of Directors can perform its
obligations effectively;
• laying down the agenda and ensuring that the members of the Board of Directors receive
complete and correct records in a timely manner;
• chairing the Board of Directors meetings and discussions;
• encouraging participation and allowing dissenting views to be freely expressed;
• managing the interface between the Board of Directors and management;
• ensuring strategic steps are taken to ensure effective communication with stakeholders and
that their views are communicated to the Board of Directors as a whole;
• leading the Board of Directors in establishing and monitoring good corporate governance
practices in the company; and
• ensuring the Board of Directors is effective in its task of setting and implementing the
company’s direction and strategy.

Role of Audit Committee in Corporate Governance

An effective Audit Committee can bring transparency, focus and independent judgment
needed to oversee the financial reporting process. However, the ultimate responsibility for a
company’s financial reporting process rests fully with the Board of Directors.

The Audit Committee plays a key role in a company’s governance structure. An independent
Audit Committee is better positioned to rigorously challenge and ask probing questions on
the company’s financial reporting process, internal controls, risk management and
governance.

The appropriate level of knowledge, skills, experience and commitment of its members is
critical to the Audit Committee’s ability to discharge its responsibilities effectively. A strong
understanding of financial reporting process complemented with a wide range of diverse
perspectives can significantly strengthen the quality of Audit Committee deliberations.

Collectively, the Audit Committee should possess a wide range of necessary skills to
discharge its duties. All members should be financially literate and able to understand matters
under the purview of the Audit Committee including the financial reporting process.

All members of the Audit Committee should undertake continuous professional development
to keep themselves abreast of relevant developments in accounting and auditing standards,
practices and rules.

The Chairman of the Audit Committee is responsible for ensuring the overall effectiveness
and independence of the Committee. Having the positions of Chairman of the Board of
Directors and Chairman of the Audit Committee assumed by the same person may impair
objectivity of the board’s review of the Audit Committee’s findings and recommendations.

The Chairman of the Audit Committee together with other members of the Audit Committee
should ensure among others that:

• the Audit Committee is fully informed about significant matters related to the
company’s audit and its financial statements, and addresses these matters;
• the Audit Committee appropriately communicates its insights, views and concerns
about relevant transactions and events to internal and external auditors;
• the Audit Committee’s concerns on matters that may have an effect on the financial or
audit of the company are communicated to the external auditor; and
• there is co-ordination between internal and external auditors.

In assessing the suitability, objectivity and independence of the external auditor, the
Audit Committee establishes policies and procedures that consider, among others:

• the competence, audit quality and resource capacity of the external auditor in relation
to the audit;
• the nature and extent of the non-audit services rendered and the appropriateness
of the level of fees; and
• obtaining written assurance from the external auditors confirming that they are, and
have been, independent throughout the conduct of the audit engagement in
accordance with the terms of all relevant professional and regulatory requirements.

The responsibility of Audit Committees in the area of corporate governance is to provide
assurance that the corporation is in reasonable compliance with pertinent laws and
regulations, conducting its affairs ethically, and maintaining effective controls against
employee conflict of interest and fraud. The specific steps involved in carrying out this
responsibility include:

• Reviewing corporate policies relating to compliance with laws and regulations,
ethics, conflict of interest, and the investigation of misconduct and fraud.
• Reviewing current/pending litigation or regulatory proceedings bearing on corporate
governance in which the corporation is a party.
• Reviewing significant cases of employee conflict of interest, misconduct or fraud.
• Requiring the internal auditor to report in writing annually the scope of the reviews
of corporate governance and any significant findings.

Roles of Senior Management in Corporate Governance

Senior management must have the expertise necessary to manage the day-to-day operations
of the regulated entity in carrying out the strategic objectives of the Board of Directors.
Members of the senior management team, including the CEO, should possess certain
fundamental qualities and qualifications: integrity, financial and management experience,
technical competence, and good character.

Effective senior management must also possess and demonstrate the leadership qualities
necessary to coordinate and organise resources and guide and motivate personnel to
achieve the organisational objectives.

As part of its responsibilities, senior management advises the Board of Directors about the
regulated entity’s activities and corresponding risks to ensure that directors are fully informed.
Senior management is also responsible for implementing corrective actions specified by the
Board of Directors. This includes management’s willingness and ability to take timely
corrective action in response to audit, review, and examination findings and
recommendations.

Examples of specific senior management responsibilities include, but are not limited to, the
following:

• Develop strategic and operational plans and risk management policies for approval by the
Board of Directors;
• Implement strategic and operational plans and risk management policies following
approval by the Board of Directors;
• Assess and implement an effective internal control framework and risk management
process to address and monitor critical processes and mission activities of the regulated
entity;
• Establish procedures and controls to address compliance with key laws and regulations
applicable to the regulated entity;
• Develop and implement management information systems that adequately address the
regulated entity’s business environment and risk profile;
• Develop written policies, procedures, and standards to address critical processes and
mission activities and controls of the regulated entity;
• Establish procedures to identify, report, assess, and correct deviations from key
standards, risk tolerances, and controls in a timely manner;
• Implement timely corrective action on significant control deficiencies and issues that were
reported by the external or internal auditors and by governmental authorities; and
• Implement timely corrective action on examination findings.

Senior management must ensure that all functions are carried out in accordance with
policies established by the Board of Directors and that the regulated entity has adequate
systems in place to effectively monitor and manage risks.

In addition, senior management must ensure that the regulated entity maintains internal risk
controls appropriate for its size, activities, and business and that information and reporting
systems produce information that is timely, accurate, and complete.

Roles of Internal Auditors towards Board of Directors, Audit Committee and Senior Management

Internal audit provides assurance by assessing and reporting on the effectiveness of
governance, risk management, and control processes designed to help the organisation
achieve strategic, operational, financial, and compliance objectives.

Internal audit is best positioned to provide assurance when its resource level,
competence, and structure are aligned with organisational strategies and when it follows
the IIA’s Standards. It can do this best when it is free from undue influence. By maintaining its
independence, internal audit can perform its assessments objectively, providing
management and the Board of Directors with an informed and unbiased critique of governance
processes, risk management, and internal control.

Based on its findings, internal audit recommends changes to improve processes and
follows up on their implementation. Functioning independently within the organisation,
internal audit is performed by professionals who have a deep appreciation of the
importance of strong governance, an in-depth understanding of business systems and
processes, and a fundamental drive to help their organisations succeed.

Internal audit provides insight by acting as a catalyst for management and the Board of
Directors to have a deeper understanding of governance processes and structures. The
IIA believes internal audit insights on governance, risk and control provoke positive
changes and innovation within the organisation. It inspires organisational confidence and
enables competent and informed decision making. What’s more, successful internal
auditing can mature to provide foresight to the organisation by identifying trends and
bringing attention to emerging challenges before they become crises.

Internal audit can add value by providing advisory and consulting services, intended to
improve governance, risk management, and control processes, so long as internal audit
assumes no management responsibility. This is vital to maintaining internal audit’s
objectivity and avoiding conflicts of interest. Selection of the type of audits or services
to be performed should be based on the audit activity’s authority, maturity, and purpose,
as well as the organisation’s needs and issues.

Recent events have highlighted the critical role of directors in promoting good corporate
governance. In particular, the Board of Directors is charged with the ultimate
responsibility for the effectiveness of the organisation’s internal control systems. These
events have also highlighted the key role that internal audit can play in supporting the Board
of Directors in ensuring adequate oversight of internal controls and the effectiveness of
corporate governance.

Both the definition of internal auditing and the International Standards identify that internal
audit has a role to play in evaluating and helping to improve governance processes.
The key role of internal audit is to assist the Board of Directors / Audit Committee in
discharging its corporate governance responsibilities by delivering:

• An objective evaluation of the existing risk and internal control framework.
• Systematic analysis of business processes and associated controls.
• Reviews of the existence and value of assets.
• A source of information on major frauds and irregularities.
• Ad hoc reviews of other areas of concern, including unacceptable levels of risk.
• Reviews of the compliance framework and specific compliance issues.
• Reviews of operational and financial performance.
• Recommendations for more effective and efficient use of resources.
• Assessments of the accomplishment of corporate goals and objectives.
• Feedback on adherence to the organisation’s values and code of conduct / code of ethics.

Summary

This chapter covers the framework of the Malaysian Code on Corporate Governance, which
was most recently revised in 2021. The chapter further explains the roles of the Board of Directors, the Audit
Committee and senior management, as well as how the internal audit function assists the Board of
Directors in discharging its corporate governance responsibilities.

Self-Review Questions
1. List two duties of the Board of Directors in accordance with the Malaysian Code of
Corporate Governance.
2. Define corporate governance.
3. How does an internal audit assist the Board of Directors / Audit Committee in
discharging its corporate governance responsibilities?

4. Identify whether the following statements are TRUE or FALSE.
a. The positions of chairman and CEO should be held by the same individual.
b. The tenure of independent directors is capped to a cumulative period of nine
years.
c. The Board of Directors should form a remuneration committee to establish
formal and transparent remuneration policies and procedures to attract and retain
directors.

5. Which of the following are the roles of internal auditing in risk management?
a. Participates as part of a formal risk management program
b. Reviews operational and financial performance
c. Provides independent assurance on risk management
d. Assists and advises a new, separate risk management function

References

Ahlawat, S.S., and Lowe, D.J. (2004). An Examination of Internal Auditor Objectivity: In-House
versus Outsourcing. Auditing: A Journal of Practice & Theory, 23 (2), pp. 147–158.
Aldhizer, G.R., Cashell, J.D., and Martin, D.R. (2003). Internal Audit Outsourcing. The CPA Journal,
pp. 38–42.
Badawi, I.M., Elifoglu, I.H., Latshaw, C.A., and Zollo, R.A. (2003). New Interagency
Guidance on the Internal Audit Function. Bank Accounting & Finance, 16, pp. 32–42.
Bai, C., Liu, Q., Lu, J., Song, F., and Zhang, J. (2003). Corporate Governance and Market
Valuation in China. Working Paper, University of Hong Kong.
Chaithanakij, S. (2005). Theory of Corporate Governance: Trimiti Analysis.
Setthasat Thammasat Journal, 23, pp. 1–89 (in Thai).
Chaithanakij, S. (2006). The Determinants for Success and Failure of Corporate Governance
System: The Analysis of Thai Corporate Governance Through the Lens of Three-Pillared
Framework. Doctor of Philosophy Dissertation, Thammasat University, Bangkok, Thailand
(in Thai).
Denis, D.K., and McConnell, J.J. (2003). International Corporate Governance. Journal of
Financial and Quantitative Analysis, 38, pp. 1–36.
ECGI. http://www.ecgi.org/codes/documents/ (accessed September 30, 2006).
Fiss, P.C. (2004). Corporate Governance and the Symbolic Management of Stakeholders:
The Emergence of Shareholder Value Orientation in Germany.
Glass, A.J. (2004). Outsourcing under Imperfect Protection of Intellectual Property. Review of
International Economics, 12, pp. 867–884.
Gordon, E.A., Henry, E., and Palia, D. (2004). Related Party Transactions: Association with
Corporate Governance and Firm Value. http://papers.ssrn.com.
Haniffa, R.M., and Cooke, T.E. (2002). Culture, Corporate Governance and Disclosure in
Malaysian Corporations. Abacus, 38 (3), pp. 317–349.
Malaysian Code on Corporate Governance (2017).
Roe, M. (2004). The Institutions of Corporate Governance. Harvard Law and Economics
Discussion Paper No. 488.

Mind Map

3 Risk Management and Control

Learning Objectives
After going through this chapter, you should be able to:
 Understand the internal auditor’s roles with respect to risk management
 Understand the various risks faced by an organisation
 Know the various risk management frameworks, in particular Enterprise Risk
Management (ERM)
 Know the different risk management frameworks developed across the world
 Understand the internal auditor’s roles with respect to control
 Understand the basic internal control principles
 Learn the basic elements of the COSO control framework
 Understand the relationship between risks and controls

Introduction

An organisation, whether for profit or not, is set up to achieve certain objectives. Just as with
our personal objectives and goals, uncertain events, or risks, may occur along the way that
affect the chances of achieving those objectives and goals.

The organisation’s management must be prepared to effectively manage its risks to provide reasonable
assurance that the objectives and goals set can be achieved. It is important to acknowledge the
relationship between objectives, risks and controls. Risks and controls should be considered in the
context of the organisation’s objectives.

The internal audit activity must evaluate and contribute to the improvement of the organisation’s
governance, risk management, and control processes using a systematic, disciplined, and risk-based
approach. Internal audit credibility and value are enhanced when auditors are proactive and their
evaluations offer new insights and consider future impact.

Therefore, one of the main focuses of an internal audit activity is to evaluate the effectiveness of the risk
management and control aspects of an organisation.

Risk and Risk Management

Definition of Risk

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.

Generally, organisational objectives can be classified into four main categories, namely strategic,
financial, operational and compliance. Wherever there are objectives, there will be risks attached to
those objectives.

(a) Strategic risk is the exposure to damage or loss arising from an inappropriate
high-level strategic or business plan, such as a decision to expand into an
emerging market, diversification into a new market segment, an acquisition or joint-
venture decision, or the development of a new product or brand.
(b) Financial risk refers to the exposure to damage or loss, mainly in
monetary terms, as a result of uncertainties such as changes in the domestic
or world economy, volatility of exchange rates, liquidity risk and credit risk,
inadequate resource allocation or failure to respond to changes in the business
environment.
(c) Operational risk is the possibility of damage or loss arising from internal
inadequacies or breakdowns in the organisation’s systems, controls, procedures, machines or
equipment. Examples are outdated or obsolete information technology
and systems that lead to wrong decisions, engagement of incompetent staff
or third-party contractors, and internal fraud resulting from poor control activities and
management.
(d) Compliance risk is the possibility of damage or loss arising from non-
compliance with laws, rules and regulations, or with the terms of contracts or agreements
entered into by the organisation with its vendors, partners or employees.

Definition of Risk Management

Risk management is a process to identify, assess, manage, and control potential events or situations to
provide reasonable assurance regarding the achievement of the organisation’s objectives. Risk
management is management’s responsibility. Management should establish a sound risk
management process and ensure that the system is functioning effectively. Risk management requires strategic
and tactical decisions to ensure that the organisation can minimise losses. The Board of Directors or
governors of an organisation must oversee the organisation’s risk management function. To facilitate
their oversight role, the Board of Directors can receive assistance from internal auditors.

Enterprise Risk Management

Enterprise risk management (ERM) is a structured, consistent and continuous process across the whole
organisation to identify, assess and decide on responses to and report on opportunities and threats that
affect the achievement of objectives.

ERM presents a more comprehensive approach in managing risk in organisations. ERM requires
constant evaluation of internal and external risks and their potential impact on all of the organisation’s
business activities, separately and collectively.

Roles of the Board of Directors, Management and Risk Officers in Risk Management

An effective ERM requires the participation of various parties within the organisation, in particular,
the Board of Directors, management, risk officers and internal auditors. The responsibilities of these
various parties are explained below.

Board of Directors

The Board of Directors sets directions and oversees the management of the organisation. A Board of
Directors is involved in formulating its company’s strategies and objectives, in determining the
resource allocation and the ethical environment. As part of the internal environment for ERM, a Board
of Directors’ role is vital to the effective functioning of the ERM in an organisation. To be effective, a
Board of Directors will delegate its functions to various committees, e.g. the Audit Committee,
nomination committee and governance committee. Based on the Committee of Sponsoring
Organizations of the Treadway Commission (COSO), a Board of Directors can perform its oversight role
by:
• Knowing the extent to which management has established effective ERM in an
organisation.
• Being aware of the organisation’s risk appetite.
• Reviewing the organisation’s risk portfolio to match its risk appetite.
• Being apprised of the most significant risk and management’s response to the risk.

Management

The management team of an organisation comprises the chief executive officer (CEO) and senior
managers. General management is responsible for managing the overall activities of the organisation.
The CEO sets the tone at the top for the organisation and must ensure that activities conducted are
within the organisation’s risk appetite through proper risk management procedures. Senior managers
must provide necessary information to risk officers to enable them to effectively identify and assess
the significant risks faced by the organisation.

Risk Officers

A risk officer is a member of senior management in charge of coordinating and facilitating risk
management. A risk officer works with other managers to establish risk management plans in the
managers’ respective areas of responsibility.
A risk officer has the following responsibilities as outlined by COSO:
• Establishing risk management policies
• Framing authority and accountability
• Promoting risk management competence

Role of Internal Auditor in Risk Management

The internal auditor is responsible for evaluating the effectiveness of the risk management process
and contributing to the improvement of that process. The internal audit activity may gather the
information to support this assessment during multiple engagements. The results of these engagements,
when viewed together, provide an understanding of the organisation’s risk management processes and
their effectiveness. Risk management processes are monitored through ongoing management
activities, separate evaluations, or both.

The internal audit activity must evaluate risk exposures relating to the organisation’s governance,
operations, and information systems regarding the:
• Achievement of the organisation’s strategic objectives
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations and programs
• Safeguarding of assets
• Compliance with laws, regulations, policies, procedures, and contracts

Roles of internal auditors with regard to risk management include:
• Giving assurance on risk management processes
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks
• Facilitating identification and evaluation of risks

However, the internal auditor must not undertake the following roles:
• Setting the risk appetite
• Imposing risk management processes
• Providing management assurance on risks
• Taking decisions on risk responses
• Implementing risk responses on management’s behalf
• Being accountable for risk management

In essence, internal auditors should not assume the role of management in relation to risk
management. Internal auditors should not make decisions on any aspect of risk management,
including setting the risk appetite, choosing the risk response measures, implementing those measures
or being accountable for the process.

Division of Roles on Risk Management Between Management and Internal Auditor

To ensure that objectives are met, organisations must have a proper plan to anticipate and manage risk.
Risk management requires strategic and tactical decisions to ensure that organisations can minimise the
severity of risk events and ultimately enable the organisation to achieve its objectives. Risk management
is management’s responsibility. The Board of Directors or governors of an organisation must oversee
establishment and execution of the organisation’s risk management function. The management should
establish a sound risk management process and ensure that the system is functioning effectively.

To facilitate the oversight role of the Board of Directors, internal audit assists the Board of Directors
by evaluating the effectiveness of, and contributing to the overall improvement of, the risk management
processes established and executed by management.

There are many different ways in which an organisation can manage risk. The most widely known
approach is Enterprise Risk Management (ERM).

Evaluation of Risk Management Process by Internal Auditor

The evaluation of risk management process involves understanding the overall maturity of risk
management practices, the established organisation’s objectives and the risk assessment processes
including identifying, analysing and evaluating as well as how risks are treated, reported and
monitored in the organisation.

Understanding the Current Risk Management Process

In evaluating the effectiveness of the risk management processes, the internal auditors:
 must first understand the mission, vision and objectives of the organisation,
 must examine and understand the current risk management processes, in which risks are
identified, assessed, monitored, treated and reported in the organisation,
 must know the risk appetite and risk culture of the organisation,
 must consider the risk management frameworks adopted and put into practice by the organisation,
if any.

Risk Assessment Process

The risk assessment process includes the identification, analysis and evaluation of the severity of each risk. The severity
is determined by estimating the likelihood and the impact (or consequence) of the risk. Risk
assessment should be performed from the entity-wide perspective down to functional and specific
transaction levels. Risk events can be either internal or external. Management must identify and evaluate
negative events and devise action plans to eliminate or mitigate these risks.

(a) Risk identification

The internal auditors may discuss with the Board of Directors and senior management,
review the most recently completed risk assessment and related reports, or
perform their own assessment to determine whether all significant risks have been identified by
management. The auditors consider both internal factors (the organisation’s mission, vision,
objectives, structure and culture, infrastructure, policies and procedures, systems and
processes, people and their levels of competence, etc.) and external factors (political, social,
economic, cultural, environmental, legal framework, competition, relevant trends and
technological changes, etc.), or uncertainties affecting the organisation, particularly in the
context of its strategic objectives.

(b) Risk analysis and evaluation

The auditors review management’s evaluation of the extent to which the identified risks
pose threats to the organisation. The evaluation is made on two
dimensions: likelihood (the probability of the risk) and impact (the consequence of the
risk should the event occur). The results allow management to know the severity of
the risks to their operational, financial or compliance objectives and to
consider their action plans. One way to assess risk is to prepare a risk map. An example of
a risk map is given in Figure 3.1.

The risk evaluation, which takes into consideration the cumulative effect of likelihood and impact of
risks, helps management prioritise in resource allocation.

Risk Response

The internal audit activity assesses the management’s responses, actions or plans in addressing the
risks assessed to ensure all risks identified have been adequately mitigated. The auditor should alert
management to new risks which have not been identified or have been neglected.

Generally, there are four types of responses: Avoidance (terminate), reduction (treat), sharing
(transfer) and acceptance (tolerate) which are also known as the 4Ts in risk management literature.

Avoidance — an organisation withdraws from events or activities that give rise to the risk. For example,
an organisation may terminate its operations in a region that has recently become involved in war or
faced the entry of strong new competitors, or stop producing a product found to contain contaminated
ingredients that could expose it to legal action or penalties.

Reduction — an organisation will engage in activities that can reduce the impact or likelihood of risk.
The organisation may introduce new control measures such as tightening the approval procedures or
installing CCTV to reduce the risk of internal theft in its warehouse.

Sharing — an organisation shares the burden of a risk with another party. Common risk sharing methods
include purchasing insurance coverage, hedging future transactions, or investing through a partnership or joint
venture.

Acceptance — an organisation may choose to do nothing about a risk. This is only permissible when
both the impact and the likelihood of the risk are low. In this case, the impact of the risk must be borne by
the organisation should the event actually happen.
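The risk map described under risk analysis and evaluation above, and the 4T responses just listed, can be worked through on a small register. The following Python script is an added example and is not part of the module or of any COSO or ISO publication. Its assumptions are a 1–5 ordinal scale for likelihood and impact, severity as their product, the colour-band thresholds and the band-to-response rules in the comments; the five risks in the register are constructed for illustration.

```python
"""Risk-map scoring and 4T response selection (added example, constructed data).

Assumptions: 1-5 ordinal scales, severity = likelihood x impact, and the band
thresholds and response rules below; none of these come from the module text.
"""
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # 1 = rare / negligible ... 5 = almost certain / severe


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    likelihood: int  # probability of the event, 1-5
    impact: int      # consequence if the event occurs, 1-5


def score(risk: Risk) -> int:
    """Severity as the cumulative effect of likelihood and impact."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.ref}: likelihood and impact must be in 1..5")
    return risk.likelihood * risk.impact


def band(risk: Risk) -> str:
    """Colour band on the 5x5 map (thresholds are an assumption)."""
    s = score(risk)
    if s >= 15:
        return "High"
    if s >= 8:
        return "Medium"
    return "Low"


def default_response(risk: Risk) -> str:
    """Suggest a 4T response from the map position (rules are an assumption).

    Tolerate only when BOTH dimensions are low, as the text requires; Terminate
    when both are high; Transfer (insurance, hedging, JV) when the impact is
    severe but the event is not near-certain; otherwise Treat with controls.
    """
    low, high = 2, 4
    if risk.likelihood <= low and risk.impact <= low:
        return "Tolerate"
    if risk.likelihood >= high and risk.impact >= high:
        return "Terminate"
    if risk.impact >= high:
        return "Transfer"
    return "Treat"


def residual(risk: Risk, likelihood_cut: int = 0, impact_cut: int = 0) -> Risk:
    """Residual risk after a Treat response: controls lower likelihood and/or
    impact, never below 1 (a control cannot remove the risk entirely)."""
    return replace(risk,
                   likelihood=max(1, risk.likelihood - likelihood_cut),
                   impact=max(1, risk.impact - impact_cut))


def prioritise(register):
    """Highest score first; ties broken by impact so severe-consequence risks
    surface before frequent-but-minor ones; then by reference for stability."""
    return sorted(register, key=lambda r: (-score(r), -r.impact, r.ref))


def render_map(register) -> str:
    """Text heat map: rows = impact (5 at top), columns = likelihood (1..5)."""
    cells = {(l, i): [] for l in SCALE for i in SCALE}
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.ref)
    lines = ["Impact \\ Likelihood " + " ".join(f"{l:^8}" for l in SCALE)]
    for i in reversed(SCALE):
        row = " ".join(f"{','.join(cells[(l, i)]) or '-':^8}" for l in SCALE)
        lines.append(f"{i:^19} {row}")
    return "\n".join(lines)


# Constructed sample register (not real audit data).
REGISTER = [
    Risk("R1", "Internal theft from the warehouse", 4, 3),
    Risk("R2", "Continued operations in a region at war", 5, 5),
    Risk("R3", "FX losses on overseas receivables", 3, 4),
    Risk("R4", "Minor data-entry errors in petty cash", 2, 1),
    Risk("R5", "Vendor breaches key contract terms", 2, 5),
]

if __name__ == "__main__":
    print(render_map(REGISTER))
    for r in prioritise(REGISTER):
        print(f"{r.ref} score={score(r):2d} {band(r):6s} -> {default_response(r)}  {r.description}")
    # Treat R1 with CCTV and tighter approvals, cutting likelihood from 4 to 2.
    print("R1 residual score:", score(residual(REGISTER[0], likelihood_cut=2)))
```

Running the script prints the map, then the register ordered by severity with a suggested response for each entry (the war-zone operation comes out as Terminate, the FX exposure and vendor contract as Transfer, the warehouse theft as Treat, the petty-cash errors as Tolerate), and finally the residual score of the theft risk once the CCTV and approval controls are assumed to halve its likelihood. An auditor reviewing management's own map would compare each entry's position and chosen response against rules like these and query any acceptance that sits outside the low/low corner.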

Reporting of Risk Management

The audit activity must assess the effectiveness of management’s processes for recording and reporting
risks and actions, to ensure that relevant risk information, responses and plans are captured and
communicated in a timely manner across the whole entity so that adequate controls are executed to manage the
risks.

The audit activity will communicate the results of the assurance audit on risk management processes
to the management, highlighting the gap or weaknesses of the processes for improvement purposes. In
addition, the Chief Internal Auditor will discuss with the management on any inadequacy of risk
responses by management, which in the opinion of the auditor are not acceptable or not aligned with
the risk appetite of the organisation.

Alternative Risk Management Frameworks

In assessing the effectiveness of the risk management processes, the internal auditors consider the risk
management frameworks that are available and accepted globally and use them to benchmark and
assess the maturity of the risk management practices in the organisation, in order to contribute to the
improvement of risk management processes.
Several risk management frameworks are available from different countries. For the
purposes of this book, the following two frameworks are discussed.
• ISO 31000:2018 Risk Management Guidelines
• COSO Enterprise Risk Management (ERM) Framework 2017

ISO 31000 Risk Management Guidelines (2018)

ISO 31000:2009 on Risk Management was first issued in 2009. A second edition, ISO
31000:2018(E), was issued in February 2018 to replace the first edition. The new version places great
emphasis on value creation and protection for the organisation. It positions risk management as a
fundamental part of governance and leadership and as part of all activities across all levels of the
organisation. ISO 31000:2018 presents risk management as three components: principles,
a framework and a process. The standard makes clear that the principles, being the foundation of risk
management, must be considered when establishing the organisation’s risk management framework
and process. The structure of the standard is reproduced in Figure 3.2.

(a) Principles
The main purpose of risk management is to create and protect the organisation’s value. It
improves performance, encourages innovation and supports the achievement of objectives.

Figure 3.2 ISO 31000:2018(E) Risk Management Guidelines

(i) Integrated - Risk management is an integral part of all organisational activities. In
other words, it should not be treated as an isolated or stand-alone activity. It
should be embedded at all levels of the organisation, including strategy
setting, planning for execution, operations, and unit and functional processes.
(ii) Structured and comprehensive - A structured and comprehensive approach to risk
management contributes to consistent and comparable results. The risk management
processes should be planned and organized considering all perspectives including how
the placement of risk management, its reporting structure, its duties and responsibilities,
as well as the allocation of resources to ensure a systematic, timely and structured
approach that can lead to effective and efficient risk management activities.
(iii) Customised - The risk management framework and process are customised and
proportionate to the organisation’s external and internal context to its objectives.
There is no one size fits all scenario, risk management must be organised and
planned in accordance with its nature of business, size, competency and culture of
its stakeholders, organisation structure, the maturity of the existing risk management
process as well as the environment and conditions of which the organisation is
operating.
(iv) Inclusive - Appropriate and timely involvement of stakeholders enable their
knowledge, views and perceptions to be considered. This results in improved
awareness and informed risk management. It should embrace the notion that all
stakeholders’ perspective counts. It considers the internal and external environment
and changes as well as the views of all its people and stakeholders.

(v) Dynamic - Risks are not static, they can emerge, evolve, change or reduce, disappear
as an organisation’s internal and external context changes. Risk management need to
detect, analyse, monitor, reassess, acknowledge and respond to those changes and
events in a timely and appropriate manner. Depending on the nature of the business,
the speed of change on risks affecting the organisation can vary in its likelihood and
impact.
(vi) Best available information - Risk management relies on various information sources
such as current and historical data and information including experiences, stakeholder
feedback, observation, forecasts and expert judgement. Therefore, it should also take
into account, any limitations of the data or modelling used or the possibility of
divergence among experts.
(vii) Human cultural factors - The risk management process considers the behavior and
culture of its people at all levels including the attitude, characters, knowledge and
their perception towards risks.
(viii) Continual improvement - Risk management is a progressive process which
considers the existing processes, seeking to achieve incremental improvement
over the adequate period depending on the maturity level and resources of the
organisation.

(b) Framework

Leadership and commitment are fundamental in determining the success of any risk
framework. Risk management should be integrated into the governance of the organisation
and must gain support from all stakeholders, particularly the Board of Directors and top
management.
(i) Integration - Risk management must be inclusive, comprehensive, integrated and
customised. It is important to understand the organisation’s mission, vision,
objectives and goals as well as the organisational structure. The risk management
activities must be tailored to fit to ensure they operate effectively at all levels of the
organisation to achieve its objectives and ultimate purposes.
(ii) Design – When designing (or adopting with modification) the risk framework, the
organisation must consider the internal and external factors (as described under
Risk identification above), taking into account the perception and tone from the top (Board of
Directors and top management) and the organisational structure, including the authority,
duties, accountabilities and responsibilities of the respective roles in risk
management. This includes how risks are identified, managed, reported
and monitored.
(iii) Implementation – To ensure successful implementation, the following requirements
are necessary: awareness, participation and engagement from all stakeholders
particularly the tone and involvement of the top management to allow adequate
time and resources to be allocated. The consideration of the four Ws (Why, What,
When and Who) and one H (How) should be constantly applied, embedded into the
decision making processes at all levels to ensure everyone understands their roles
and accountability in identifying and managing risks relevant to the work.
(iv) Evaluation – In order to evaluate the effectiveness of its risk framework to
cater for the dynamic nature of risks, the organisation must ensure that information
are available to measure the performance of the risk framework itself.
(v) Improvement – The organisation must continually adapt and adjust to improve and
enhance the effectiveness of its risk framework.

(c) Process

(i) Communication and consultation - Communication promotes awareness,
understanding and participation in risk management at all levels. Consultation
involves obtaining feedback and information to facilitate decision making that
takes into account all relevant risks.
(ii) Scope, context and criteria – The risk management should be customised to ensure it
is adequately and objectively driven. It must consider the organisation’s structure,
size and nature of business, the current risk management process in place, the
resources available and define specific scope as well as the amount and type of risks
it may or may not take, relative to the objectives.
(iii) Risk assessment – The process includes risk identification, analysis and
evaluation, which must be organised and conducted systematically, iteratively and
collaboratively.
(iv) Risk treatment – The purpose of risk treatment is to select and implement options for
addressing the risks. It is an iterative process of formulating, selecting, planning and
implementing the options of treating the risks, monitoring the results and adjusting
to ensure adequate treatment of risks.
(v) Monitoring and review – Monitoring and review is part of the continual
improvement program to ensure the effectiveness of risk management processes
at all levels. The results of the monitoring and review should be incorporated
into the organisation’s performance management, measurement and reporting
activities.
(vi) Recording and reporting – The risk management process and its outcome
should be documented and reported through appropriate mechanisms to support the
risk management and decision making processes of all levels as well as to enhance
the communication and dialogue with stakeholders.

The COSO Risk Management Framework

COSO is a well-known body which develops, updates and publishes comprehensive frameworks. Its
mission is to improve organisations' performance and governance. Two frameworks relating to risk
management are COSO ERM 2004 – Integrated Framework and the updated document COSO ERM
2017 – Integrating with Strategy and Performance.

The focus of COSO ERM 2004 was to help organisations protect and enhance their value. It is used
by many organisations as guidance to enhance risk management processes. However, significant new
risks have emerged and thus the new update introduced components and supporting principles which
drive better thinking processes and practices of risk management to reflect the importance of aligning
risks to strategy and performance.

Figure 3.3 COSO 2004 ERM Framework

(a) COSO ERM 2004 – Integrated Framework
COSO illustrates ERM using a three-dimensional cube linking business objectives
(at the top of the cube) with the eight components of risk management (at the front of the
cube), and emphasises that risk management should be implemented on an entity-wide basis
across all business units, subsidiaries, divisions, functions, locations and all activities within
the organisation, as shown in Figure 3.3.

(b) COSO ERM 2017 – Integrating with Strategy and Performance

COSO ERM 2017 is referred to as an updated document and its adoption is not mandatory.
Therefore, an organisation's management may continue to utilise the original 2004
framework. However, COSO stated that it reserves the right to supersede or retire
the 2004 version in future.

COSO ERM 2017 introduces a new graphic to illustrate the focus on the alignment of risk
with strategy and performance across all activities of the entire organisation. It also
emphasises the importance of aligning the strategy to the mission, vision and core values of
the organisation. With these comprehensive considerations, organisations will improve their
approach to managing risks, whether existing or emerging, internal or external, to help
create, preserve, sustain and realise the value of the organisation. The COSO 2017 framework is
reproduced in Figure 3.4.

Figure 3.4 COSO 2017 ERM Framework
(The figure shows the five ribbons Governance & Culture; Strategy & Objective Setting; Performance;
Review & Revision; and Information, Communication & Reporting, running from Mission, vision & core
values through Strategy & business objectives and Performance to Value.)
(Source: Reproduced with kind permission of the Association of International Certified Professional Accountants)

The framework consists of five interrelated components of ERM which illustrate their
relationship with the entity's mission, vision and core values and show how these interrelated
components flow through the entire activities and processes and ultimately help to enhance the
organisation's value.

The first and the last components (depicted by the two banded ribbons), Governance and Culture,
and Information, Communication & Reporting, are the important foundation and supporting
aspects for an effective ERM. The three components in between (depicted by the three banded
ribbons), namely Strategy and Objective Setting, Performance, and Review and Revision, represent
the common activities and processes that flow through an entity. The diagram clearly shows that
ERM is not a static but a dynamic process; ERM is not an isolated process but a process which
should be integrated with the day-to-day decision-making process, from strategy
development and business objective formulation through to implementation and performance.

Each of the components is supported with three to five principles which are important to ensure
effective risk management. The diagram is reproduced in Figure 3.5 and the detailed
descriptions can be found in the COSO guidance on their website (www.coso.org).

Figure 3.5 Principles for COSO ERM Framework

Controls
Definition of Controls

Controls are any actions taken by management, the Board of Directors, and other parties to manage
risk and increase the likelihood that established objectives and goals will be achieved. Management
plans, organises, and directs the performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved.

The Role of Internal Auditor in Controls

The internal audit activities must assist the organisation in maintaining effective controls by evaluating
their effectiveness and efficiency and by promoting continuous improvement. Internal audit activity
must incorporate knowledge of controls gained from consulting engagements into evaluation of the
organisation’s control processes. Internal audit activity must evaluate the adequacy and effectiveness
of controls in responding to risks on organisation’s governance, operations, and information system
regarding the:

• Achievement of organisation's strategic objectives
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations and programs
• Safeguarding of assets
• Compliance with laws, regulations, policies and contracts

Division of Roles on Controls between Management and Internal Auditor

It is important to understand the division of responsibilities on control between senior management,
management and the internal auditor. Senior management oversees the establishment and execution of the
control system, while management holds the responsibility for establishing, implementing, maintaining
and monitoring the systems of control within the organisation. The internal auditor evaluates the system
of controls to provide assurance on the effectiveness of the controls set out by management. The evaluations
by the internal auditor do not in any way relieve management of the responsibilities assigned to them.

Evaluating Controls by Internal Auditor

In evaluating the effectiveness and efficiency of controls, the auditor must first identify and
understand the organisation’s existing key control processes used to manage the organisation’s
risks. Controls are considered effective when they help to mitigate the risks and ultimately improve
the chances of achieving organisation’s objectives and goals. Controls are considered efficient
when the benefits derived exceed the costs of implementing the controls.

A common tool used by an internal auditor to evaluate controls is the risk and control matrix. An
example is given in Figure 3.6.

RISK AND CONTROL MATRIX

Columns: Task/Activity; Risks; Risk Assessment (Likelihood, Impact); Risk Rating; Control Measures;
Result of Test; Adequacy of Control (Y/N)

Task/Activity: Procurement for renovation project
Risks: Not obtaining the right price and/or quality, or price rigging
Risk assessment: Likelihood – Possible; Impact – Moderate
Risk rating: Medium
Control measures:
• Three quotations to be obtained for comparison
Result of test:
• Final price substantially higher than market price
• Common shareholders noted among vendors submitted for quotations
Adequacy of control: N. New control procedures required, e.g. tender committee and procedures
to be set up

Task/Activity: Payment to vendors <RM20,000
Risks: Unauthorised/favouritism advance payment
Risk assessment: Likelihood – Likely; Impact – Moderate
Risk rating: High
Control measures:
• Payment according to terms given by suppliers
• Accounts payable reconciliation done
• All payments submitted with supporting documents attached
• Approval with accountant's signature
Result of test:
• Five out of 20 deviations noted; early payment to certain suppliers
• No deviation; all come with supporting documents
• Accounts payable not reconciled but payment made
Adequacy of control: N
• Payment based on terms to be set in system
• Exceptions to be approved by Chief Operating Officer

Task/Activity: Payment to vendors >RM100,000
Risks: Payment to unauthorised party
Risk assessment: Likelihood – Unlikely; Impact – Major
Risk rating: High
Control measures:
• Payment requires three signatories (Procurement Manager, Accountant & Chief Operating Officer)
• All payments submitted with supporting documents attached
• Reconciliation to monthly statement
Result of test: No deviation noted
Adequacy of control: Y

Task/Activity: Petty cash handling
Risks: Loss due to theft / double / fictitious claims
Risk assessment: Likelihood – Possible; Impact – Minor
Risk rating: Low
Control measures:
• Maximum claim amount RM100
• Recording of transactions in petty cash book
• All payments are supported with receipts and invoices
Result of test: No deviation noted
Adequacy of control: Y

Figure 3.6 Risk and Control Matrix

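The "Result of test" and "Adequacy of control" columns of the matrix are produced by testing each control measure against a sample of transactions. The following Python script, added here as an illustration and not part of the module, automates that test for the "Payment to vendors <RM20,000" row of Figure 3.6: each control measure is written as a predicate over a payment voucher, the script lists the vouchers that deviate from each control, and adequacy is decided by comparing the deviation rate with a tolerable rate. The Payment fields, the 20 constructed vouchers and the tolerable-rate parameter are assumptions; the sample is built so that five vouchers are paid before the supplier's terms and two are paid without an accounts payable reconciliation, mirroring the results recorded in the matrix.

```python
"""Automated test of the 'Payment to vendors <RM20,000' controls listed in the
risk and control matrix (Figure 3.6), run over a constructed sample of payment
vouchers. Added example; the Payment fields, the sample data and the
tolerable-deviation threshold are assumptions for illustration, not the
module's own data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable


@dataclass(frozen=True)
class Payment:
    voucher: str
    supplier: str
    amount: float
    invoice_date: date
    credit_terms_days: int   # payment terms given by the supplier
    paid_on: date
    supporting_docs: bool    # invoice / delivery order attached to the voucher
    accountant_signed: bool  # accountant's approval signature present
    ap_reconciled: bool      # accounts payable reconciled before payment


# Each control measure from the matrix, written as a predicate that returns
# True when the control operated as intended for that voucher. A False is a
# deviation to be listed on the exception report.
CONTROLS: dict[str, Callable[[Payment], bool]] = {
    "Payment according to terms given by suppliers":
        lambda p: p.paid_on >= p.invoice_date + timedelta(days=p.credit_terms_days),
    "All payments submitted with supporting documents attached":
        lambda p: p.supporting_docs,
    "Approval with accountant's signature":
        lambda p: p.accountant_signed,
    "Accounts payable reconciliation done":
        lambda p: p.ap_reconciled,
}


def run_control_tests(sample: list[Payment]) -> dict[str, list[str]]:
    """Return, per control, the voucher numbers that deviated from it."""
    return {name: [p.voucher for p in sample if not check(p)]
            for name, check in CONTROLS.items()}


def control_adequacy(deviations: dict[str, list[str]], sample_size: int,
                     tolerable_rate: float = 0.0) -> dict[str, bool]:
    """Adequacy (Y/N) per control: the observed deviation rate must not exceed
    the tolerable rate. Figure 3.6 treats any deviation as inadequate, which is
    tolerable_rate=0.0; a higher tolerance is an assumption the auditor sets."""
    return {name: len(devs) / sample_size <= tolerable_rate
            for name, devs in deviations.items()}


def build_sample() -> list[Payment]:
    """Constructed sample of 20 vouchers below RM20,000 (not real data):
    five paid before the supplier's terms and two paid without AP reconciliation,
    mirroring the test results recorded in Figure 3.6."""
    sample = []
    start = date(2022, 3, 1)
    for i in range(20):
        early = i < 5                 # PV001..PV005 paid early
        unreconciled = i in (7, 12)   # PV008 and PV013 paid before reconciliation
        invoiced = start + timedelta(days=i)
        sample.append(Payment(
            voucher=f"PV{i + 1:03d}",
            supplier="Supplier A" if early else f"Supplier {'BCDEF'[i % 5]}",
            amount=1500.0 + 700 * i,  # stays below RM20,000 for every voucher
            invoice_date=invoiced,
            credit_terms_days=30,
            paid_on=invoiced + timedelta(days=10 if early else 30),
            supporting_docs=True,
            accountant_signed=True,
            ap_reconciled=not unreconciled,
        ))
    return sample


def exception_report(sample: list[Payment], tolerable_rate: float = 0.0) -> str:
    """Render the result-of-test and adequacy columns for the sampled vouchers."""
    deviations = run_control_tests(sample)
    adequate = control_adequacy(deviations, len(sample), tolerable_rate)
    lines = []
    for name, vouchers in deviations.items():
        flag = "Y" if adequate[name] else "N"
        detail = ", ".join(vouchers) if vouchers else "no deviation"
        lines.append(f"{name}: {len(vouchers)} of {len(sample)} deviations "
                     f"({detail}); adequate: {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(exception_report(build_sample()))
```

Run as a script, the report lists five deviations against the payment-terms control and two against the reconciliation control, and marks both controls N while the documentation and signature controls are Y. The same predicates, run continuously over live payment data rather than an audit sample, are the "computer-generated exception report" described under detective controls and the automated ongoing monitoring described later in this chapter.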
Reporting and Communication by Internal Auditor
The internal auditor will communicate and disseminate the results of its evaluation on controls to the
parties at the appropriate level of management. The results of the evaluation would include whether
controls are operating as intended, the significance and pervasiveness of the weaknesses, and their root
causes. In addition, internal auditors discuss and provide recommendations for corrective actions,
improvements to current procedures or new procedures required to be made.

The management will be responsible to ensure that corrective actions taken are made on a timely basis
to improve the identified control weaknesses reported in the internal audit report.

Types of Controls

Controls can be classified either as soft control or hard control. Hard controls are formal, tangible and
can be measured and evaluated easily. Examples of hard controls include budgets, written approval and
segregations of duties. Soft controls, on the other hand are informal, intangible and subjective such as
an organisation’s ethical climate, integrity and corporate culture. Both are important in an effective
internal control system.

Generally, controls can be either reactive or proactive. A proactive control focuses on avoiding or
preventing an unwanted event from occurring; a reactive control is a measure or response which takes
place after an unwanted event has happened.

The four main types of controls are:

(a) Detective controls (reactive) are designed to detect undesirable events such as errors,
irregularities or fraudulent activities when they occur. Examples of detective controls include a
smoke detector which detects a fire incident when it occurs, review of a computer-generated exception
report, review of budget versus actual performance, etc.
(b) Corrective controls (reactive) are designed to correct undesirable events such as errors,
irregularities or fraudulent activities once they have been detected. It is therefore an after-event
control activity and thus neither ideal nor economical. However, it is important to help improve the
situation or to prevent future occurrence of the undesirable event. Examples of corrective controls
are system recovery after a server has crashed, or remote-site disaster recovery of data after a fire
incident which burnt down the main server at the head office, etc.
(c) Preventive controls (proactive) are the most ideal control activities, designed to prevent
undesirable events such as unnecessary errors, irregularities or fraud. Good examples of
preventive controls are the installation of an alarm system, centralised video surveillance
and monitoring, and automatic or system built-in authorisation or dual authorisation to approve a
high-value transaction, etc.
(d) Directive controls (proactive) are controls that encourage a desirable event to occur. These can be
classified as part of preventive controls. Examples of directive controls are training, guidelines
and incentives.

Other types of controls include:

Compensating controls (reactive) are controls that work as an additional control mechanism should
an expected control fail. These may be grouped under detective controls. An example of a
compensating control is a supervisory review.

Mitigating controls (reactive) are designed or set up to reduce any potential negative impact if an
undesirable event occurs. These may be classified under corrective controls. An example of a
mitigating control is insurance.

Alternative Control Frameworks
There are a number of control frameworks that have been established around the world which include
1) the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which is
widely used in the United States and across the world, 2) the Guidance on Control (CoCo) in Canada,
3) the Control Self Assessment (CSA) in the United States, 4) the Cadbury Report of the Committee
on the Financial Aspects of Corporate Governance in the United Kingdom, 5) the Turnbull Model in
the United Kingdom, 6) the King Model in South Africa and 7) the KonTraG Model in Germany.
Globally, only three internal control frameworks are recognised which are the COSO Internal Control
Integrated Framework, CoCo framework — Guidance on Control and the Turnbull Report — Internal
Control: Revised Guide for Directors on the Combined Code. In general, these three frameworks
have similar objectives for internal controls such as effectiveness and efficiency of operations,
reliability of reporting and compliance and similar components of internal controls. Table 3.1
delineates the three frameworks based on specific terms used in each one.

Table 3.1 Recognised Internal Control Frameworks

Framework: COSO
Origins: USA
Definition of internal control: A process effected by an entity's Board of Directors, management
and other personnel, designed to provide reasonable assurance regarding the achievement of
objectives relating to operations, reporting and compliance.
Components:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

Framework: CoCo
Origins: Canada
Definition of internal control: Those elements of an organisation that support people and offer
reasonable assurance in the achievement of the organisation's objectives in the following
categories: effectiveness and efficiency of operations, reliability of internal and external
reporting, compliance with laws and regulations and internal policies.
Components:
• Purpose
• Commitment
• Capability
• Monitoring and learning

Framework: Turnbull
Origins: United Kingdom
Definition of internal control: Encompasses the policies, processes, tasks, behaviours and other
aspects of an organisation that offer reasonable assurance in facilitating its effective and
efficient operation, enabling it to respond appropriately to significant business, operational,
financial, compliance and other risks in achieving the organisation's objectives relative to
safeguarding assets, identifying and managing liabilities, the quality of reporting and compliance
with applicable laws and regulations.
Components:
• Control activities
• Information and communication process
• Monitoring embeddedness in operations of organisation
• Response to risks and changes
• Reporting

(Source: Reding et al. (2013))

COSO Integrated Internal Control Framework

COSO stands for the 'Committee of Sponsoring Organizations of the Treadway Commission', a
private commission chartered to research and report on improving the quality of financial reporting through
business ethics, effective internal controls and corporate governance. The sponsoring organisations of
COSO are the American Institute of Certified Public Accountants, the Institute of Internal Auditors,
Financial Executives International, the Institute of Management Accountants and the American
Accounting Association. The initial COSO framework (often called COSO I) was described in a
document from 1992: Internal Control – An Integrated Framework. Later, in 1994, it was republished
with minor amendments. This report presented a common definition of internal control and provided
a unified approach to the evaluation of internal control systems. Since the SEC (U.S. Securities and
Exchange Commission) later specifically mentioned the COSO Internal Control – Integrated Framework
as an appropriate framework for the management of internal controls, many companies across the world
have chosen to employ this framework.

In 2006, COSO published the Internal Control Over Financial Reporting Guidance for Smaller Public
Companies (COSO’s 2006 Guidance), which further developed the understanding of how all five
internal control components work cohesively to form an effective internal control system. Although
targeted at smaller public companies’ reporting on internal control over financial reporting, COSO’s
2006 Guidance contains information that should be helpful to all organisations, regardless of size.

In 2013, COSO updated its original 1992 Internal Control Integrated Framework. These updates took
into consideration the changes in current business and operating environments. Based on the COSO
(2013) framework, internal control is defined as a process, effected by an entity's Board of Directors,
management and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives relating to operations, reporting and compliance. It is achieved by applying
the 17 principles associated with the five components, namely control environment, risk assessment,
control activities, information and communication, and monitoring activities, across the entire
organisation (i.e. entity, division, operating unit and functional level). The three elements are
depicted in a cube format as shown in Figure 3.7.

Figure 3.7 COSO Integrated Internal Control Framework (2013)

Categories of Control Objectives


Operations: Effectiveness and efficiency of operations. Operational objectives are directly related to
the basic mission and vision of an organisation. The focus of operational objectives is to improve
financial performance, productivity, quality, employee and customer satisfaction as well as
business processes.

Reporting: Reliability of financial reporting. The reporting objectives are related to the generation of
reports for internal and external consumption. External reports are generated to fulfil the needs of
various stakeholders and are generally driven by regulation and standards set by regulators and standard
setting bodies. Internal reports are produced by organisations to facilitate decision making processes
by various parties within the organisation. These reports, which can be financial or non-financial, need
to be reliable for them to be useful to the parties involved.

Compliance: Compliance with applicable laws and regulations: An organisation operates not in
isolation but within a society with specified laws and regulations. As such, an organisation must make
sure that every aspect of its operations is in compliance with these laws and regulations.

Components of Internal Controls

Based on the COSO internal control framework, there are five components of internal control, which are:
• Control environment
• Risk assessment
• Control activities — control policies and procedures
• Information and communication
• Monitoring activities

Control Environment

Control environment is the structure, culture and processes that surround the internal control
implementation in the organisation. Control environment encompasses the Board of Directors and
management’s attitude and action on the importance of control in the organisation. Control
environment ensures that the internal control system is working as intended. The five principles
articulated under control environment are:

Principles underlying control environment

1. A commitment to integrity and ethical values
2. The Board of Directors has an oversight function and is independent of management
3. Management establishes structures, clear assignment of authority and responsibility
4. The organisation is committed to hiring competent individuals
5. Every individual is held accountable for the internal control assigned

Integrity and ethical values set by the Board of Directors and senior management can create control
consciousness among employees. The 'tone at the top' with respect to adherence to control is an
important element to ensure that everyone else in the organisation complies with control policies and
procedures. The control environment helps create a conducive climate for effective controls in the
organisation and serves as a foundation for all the other components of internal control.

Sound integrity and ethical values are critical to internal control effectiveness. These are achieved
through the establishment of a clear code of conduct for the whole organisation. The Board of
Directors and Audit Committee play a vital role in ensuring that all employees abide by the
organisation’s code of conduct. All employees must have the needed competencies to carry out their
respective function with the level of authority and accountability being clearly delineated among them.
The human resource function must demonstrate consistent commitment towards upholding integrity
and ethical behaviour among employees. A clear organisational structure can strengthen internal
control by defining the reporting and accountability lines for employees.

Risk Assessment

Risk assessment is the process of identifying and analysing risks to allow the entity to consider how
the risk events, if they occur, will affect the achievement of its objectives. Risk assessment should be
done across the whole entity, from the entity's perspective down to a function as well as a specific
transaction level. Risks are assessed based on the likelihood of them occurring and the impact they will have on
the achievement of objectives. The results from the assessment will allow management to know
the severity of the risks to their operational, financial or compliance objectives. The four
principles articulated under risk assessment are:

Principles underlying risk assessment

1. The organisation has clear objectives to identify and assess risk
2. The organisation identifies risk across the entity and analyses risk as a basis to determine
how the risk should be managed
3. The organisation considers the potential for fraud when assessing risk
4. The organisation identifies and assesses changes that could significantly impact the
system of internal control

Control Activities

Control is defined as actions taken by management, the Board of Directors, and other parties to
manage risk and increase the likelihood that established objectives and goals will be achieved.
Management plans, organises, and directs the performance of sufficient actions to provide reasonable
assurance that objectives and goals will be achieved. The control activities occur at all levels across
the organisation, from entity-wide, business unit and functional process level to specific transactions. The
three principles articulated under control activities are:

Principles underlying control activities

1. The organisation has selected and developed the control activities addressing the risks
identified
2. The organisation has selected and developed general controls over technology
3. The organisation has deployed the control activities via policies and procedures

Examples of general types of controls are as follows:

• Any policies and procedures that ensure management’s plans are carried out as intended across
all levels, functions and transactions within the organisation
• Control activities include approvals, authorisations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation of duties
• Control activities cover controls over IT infrastructure, system access, software security
• Control covers physical controls such as access to building or premises such as door access
system, alarm, CCTV surveillance system, fire alarm etc.
• Controls also include legal advice, contract and agreement, terms and condition protecting the
interest of the organisation

Control Deficiency

COSO defines internal control deficiency as “a condition within an internal control system worthy of
attention”. A control measure is considered deficient if it does not serve its purpose, which is to
eliminate or mitigate risk. For example, a fire exit is not a good control measure if the exit is blocked
with unused furniture, which will prevent employees from using it during a fire.

(Source: Reproduced with kind permission of the Association of International Certified Professional Accountants)

Figure 3.8 Effects of Control Activities on Risk

Entity-wide controls

Entity-wide controls are controls that are applicable across units, functions and locations within an
organisation. These controls can be grouped into two types: governance and management
oversight. Governance controls include the ‘tone at the top’, the organisational climate and
management philosophy that support an organisation’s strategic objectives. Management
oversight controls are important to ensure that business risks faced by different business units
within an organisation are properly managed.

Business process controls

Organisations rely on different functions to achieve their objectives. These functions have
operational risk which if unattended, could ultimately prevent the organisations from achieving
their objectives. So controls are established to eliminate or mitigate these risks. These controls
comprise policies and procedures which are formal in nature. Policies are broad statements
stating the principles, rules and guidelines while procedures are specific activities to be carried
out. Each function of the organisation must have specific policies and procedures that would enable
the function to serve the organisation effectively. Examples of process level controls are
performance evaluation, reconciliations of accounts and physical inventory counts.

Transaction level controls

Transaction controls relate to each business activity that is carried out within the organisation.
Examples of these activities include making check payment to suppliers or receiving goods from
suppliers. Categories of transaction control activities include the following:
1. Adequate separation of duties
2. Proper authorisation of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
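Separation of duties is the one category above that can be checked mechanically from the organisation's own records. The Python example below is added here as an illustration and is not part of the module: it applies a constructed ruleset of incompatible duties in the purchase-to-pay cycle in two ways, as a preventive check on how duties are assigned to users (role design) and as a detective check on who actually performed each step of a transaction, which also catches conflicts created by shared accounts or management override that the role design alone would not show. The duty names, the INCOMPATIBLE ruleset and the sample users and transactions are assumptions.

```python
"""Segregation-of-duties (SoD) checks for the purchase-to-pay cycle: a
preventive check on how duties are assigned to users, and a detective check on
who actually performed each step of a transaction. Added example; the duty
names, the incompatible-pair ruleset and the sample data are constructed for
illustration and are not the module's own.
"""
from itertools import combinations

# Duties that one person should not hold together (constructed ruleset):
# whoever can order or receive goods, set up a vendor, reconcile the ledger or
# grant system access should not also be able to approve the payment, and the
# person who orders should not be the person who records receipt.
INCOMPATIBLE = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"raise_purchase_order", "approve_payment"}),
    frozenset({"record_goods_receipt", "approve_payment"}),
    frozenset({"raise_purchase_order", "record_goods_receipt"}),
    frozenset({"reconcile_ap", "approve_payment"}),
    frozenset({"maintain_user_access", "approve_payment"}),
}


def conflicting_pairs(duties):
    """Sorted list of incompatible duty pairs found within one set of duties."""
    return [tuple(sorted(pair))
            for pair in (frozenset(c) for c in combinations(sorted(duties), 2))
            if pair in INCOMPATIBLE]


def role_conflicts(assignments):
    """Preventive check on role design.
    assignments: {user: set of duties}. Returns {user: [conflicting pairs]}
    for users whose assigned duties are incompatible."""
    return {user: pairs
            for user, pairs in ((u, conflicting_pairs(d)) for u, d in assignments.items())
            if pairs}


def transaction_conflicts(events):
    """Detective check on actual activity, independent of nominal role design
    (it catches shared accounts, overrides and emergency access).
    events: iterable of (transaction_id, duty, user). Returns
    {transaction_id: [(user, conflicting pair), ...]} for transactions in which
    one user performed two incompatible duties."""
    duties_by_user = {}
    for txn, duty, user in events:
        duties_by_user.setdefault(txn, {}).setdefault(user, set()).add(duty)
    flagged = {}
    for txn, users in duties_by_user.items():
        for user, duties in users.items():
            for pair in conflicting_pairs(duties):
                flagged.setdefault(txn, []).append((user, pair))
    return flagged


# Constructed sample data (not real users or transactions).
ASSIGNMENTS = {
    "alice": {"create_vendor", "raise_purchase_order"},
    "bob":   {"approve_payment", "reconcile_ap"},          # conflict
    "carol": {"record_goods_receipt"},
    "dave":  {"maintain_user_access", "approve_payment"},  # conflict
}

EVENTS = [
    ("PO-101", "raise_purchase_order", "alice"),
    ("PO-101", "record_goods_receipt", "carol"),
    ("PO-101", "approve_payment", "bob"),
    ("PO-102", "raise_purchase_order", "alice"),
    ("PO-102", "record_goods_receipt", "alice"),  # alice receives her own order
    ("PO-102", "approve_payment", "alice"),       # and approves its payment
]

if __name__ == "__main__":
    for user, pairs in role_conflicts(ASSIGNMENTS).items():
        print(f"role design: {user} holds incompatible duties {pairs}")
    for txn, hits in transaction_conflicts(EVENTS).items():
        print(f"transaction {txn}: {hits}")
```

The role check flags bob (approves payments and reconciles the ledger) and dave (administers user access and approves payments); the transaction check passes PO-101, where three people handled the three steps, and flags PO-102, where alice ordered, received and approved. Where headcount does not permit full separation, the transactions flagged by the detective check are the ones a compensating control such as the supervisory review mentioned earlier in this chapter should cover.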

Information and Communication

Information allows businesses to make informed decisions. Due to modern information technology,
information can come from internal or external sources and in many forms. In terms of risk
management controls, the organisation must generate useful, relevant and quality information to
support the functions of internal control, including identifying, assessing and responding to risks.

Communication enables the dissemination of information both internally and externally, so that
everyone in the organisation knows what is expected of them with regard to internal control
activities. The three principles related to information and communication are:

Principles underlying information and communication

1. Information to support the functioning of internal control must be relevant and of high
quality.
2. All relevant information, including objectives and responsibilities of internal control, is
communicated internally to enable the functioning of internal control.
3. The organisation should also communicate with external parties regarding matters related to
internal control.

The quality of system-generated information affects management's decisions. The quality of
information includes aspects of appropriateness, timing, accuracy and accessibility of information.
Communication must also take place in order for individuals within the organisation to know what is
expected of them so that control can be implemented correctly.

In summary, the process of information and communication are as follows:

• All employees must receive a clear message from top management to take control of activities
seriously.
• Information needed by employees to carry out their function effectively must be identified,
captured and communicated to them in a timely manner.
• Access to internal (operational, financial and compliance) reports must be provided to
employees to perform their tasks.
• External communication with customers, suppliers, regulators, investors and shareholders
must be part of the framework.
• Effective communications by employees of their findings to those in management and the
Board of Directors must be established.

Monitoring Activities

Monitoring is a process that assesses the presence and function of controls over time. Monitoring can
be done on an ongoing basis or on a separate evaluation basis or a combination of the two. Ongoing
monitoring occurs during the normal course of operation while a separate evaluation occurs based on
management’s evaluation of the current state of controls.

An organisation should establish a sound system to ascertain the presence and effectiveness of the five
components (control environment, risk assessment, control activities, information and communication
and monitoring activities) of internal controls including controls over the principles of each component.
Any deficiencies should be communicated in a timely manner that warrant immediate action by
management. Senior management and the Board of Directors should be informed of any serious matter
discovered during the process. Monitoring could be done on an ongoing basis, separately or as a
combination of ongoing and separate exercises to capture the essence of internal controls
comprehensively. The two principles relating to monitoring activities are:

Principles underlying monitoring activities

1. The monitoring process is carried out to ascertain whether the components of internal control are
present and functioning.
2. The organisation evaluates and reports on internal control deficiencies in a timely manner to those
responsible to take corrective actions, including senior management and the Board of Directors for
serious matters.

According to the COSO report, the effectiveness of an internal control system changes over time.
Once-effective procedures can become less effective in later years. Monitoring ensures that the
internal control continues to operate effectively. Monitoring can be done in two ways: through
ongoing activities or separate evaluations. An internal control system usually is structured to self
monitor on an ongoing basis. The greater the degree of effectiveness of ongoing monitoring
activities, the lesser the need for separate evaluation.

Ongoing Monitoring

The purpose of an ongoing monitoring is that any weaknesses, flaws or deficiencies in an internal
control system can be identified immediately, and rectifying procedures can be carried out without
delay. Some monitoring is built into operations through automation. The focus of these
monitoring procedures is on identifying deviations or exceptions from the norm. Ongoing
monitoring should also provide continual feedback on controls that can trigger investigations.

Separate Evaluations

Separate evaluations are normally carried out periodically to identify weaknesses in the internal
control system. A separate monitoring exercise normally relies on human intervention that can
provide a fresh look at all the other components of internal control. An example of monitoring
that is classified as a separate evaluation is the internal audit activity. These evaluations rely on
observation, inquiry, review and other examination techniques. Separate evaluations
may also be needed to cater to the specific needs of an organisation, for example during business
expansion or in a high-priority risk area.

In summary, monitoring consists of the following points:

• Internal control systems need to be monitored over time
• A combination of ongoing and separate evaluations of the internal control systems must
be conducted by management
• Management and supervisory activities are required to be evaluated and monitored on
an ongoing basis
• Auditing of the internal control systems needs to be done by management to ensure that
the internal controls are functioning as expected

Limitations of Controls

Controls bring many benefits, but they provide reasonable, not absolute, assurance that
the organisation will achieve its objectives. External factors beyond the organisation's control,
such as geopolitical risks, natural disasters or epidemic disease, can affect the organisation's
results. The factors that limit the benefits of controls are:
• Judgement errors and management override could result in a well-designed control
system not functioning as intended
• Collusion between two or more parties may circumvent the basic controls set out under
segregation of duties
• Excessive reliance on controls may deter people's creativity or flexibility
• Some controls may become obsolete or redundant due to changes in business objectives,
structures, technologies or environment, which could lead to employee demoralisation
• A lack of understanding of risk priorities can cause inefficiency, or the cost of implementing
controls may outweigh the benefits

Summary

This chapter explains the risks and controls, which are the main elements in an internal auditing
function as well as why they are significant to internal auditors. A lengthy discussion on the various
risk management frameworks is also presented in this chapter. The components of the COSO Internal
Controls Integrated Framework are also discussed in detail in this chapter.

Self-Review Questions

1. Explain the components of the COSO Enterprise Risk Management 2017 framework and compare
them to ISO 31000:2018 Risk management — Guidelines.
2. How does an organisation assess risk? Give specific examples based on an organisation which
operates in the retail industry.
3. Describe the importance of internal controls to an organisation.
4. Explain how a control environment can affect an internal auditor's work.

References

The Institute of Internal Auditors. International Professional Practices Framework (IPPF) and the
International Standards for the Professional Practice of Internal Auditing.
International Organization for Standardization. ISO 31000:2018(E) Risk management — Guidelines.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), USA:
(a) COSO (2017). Enterprise Risk Management – Integrating with Strategy and Performance.
(b) COSO (2004). Enterprise Risk Management – Integrated Framework.
(c) COSO (2013). Internal Control – Integrated Framework.
Epstein, M. J., & Rejc, A. (2005). Evaluating performance in information technology.
Management accounting guideline. Hamilton: The Society of Management Accountants
of Canada.
Reding, K. F., Sobel, P. J., Anderson, U. L., Head, M. J., Ramamoorti, S., Salamasick, M., &
Riddle, C. (2013). Internal Auditing: Assurance and Advisory Services. 3rd Edition. The
Institute of Internal Auditors Research Foundation, Florida, USA.

Mind Map

4 Managing the Internal Audit Function

Learning Objectives
After going through this chapter, you should be able to:
• Understand the importance of managing the internal audit function
• Identify areas that affect the internal audit function
• Comprehend the issues in managing internal audit conflicts
• Understand the different ways of outsourcing the internal audit function

Introduction
This chapter discusses the importance of managing the internal audit function as a component of the
organisation, and is divided into three main topics: staffing, managing internal audit
conflicts and outsourcing. These are important and necessary in ensuring that the internal
audit function operates effectively and efficiently and adds value to the organisation. Failure
to manage this function will have significant adverse effects on the organisation's operations.

Internal Audit Charter

The internal audit department should be adequately staffed by competent and skilled individuals. It is
not an easy task to determine the ideal number of staff, as the right size depends on
a wide range of elements, such as staffing strategies, understanding customer needs, adding
value, addressing risks and the use of audit tools. It is important that the chief audit
executive (CAE) reviews staffing needs regularly to ensure that adequate staff are
available to discharge the internal audit function effectively, both in numbers and in expertise.
Inadequate staffing can lead to a failure to provide high-quality internal auditing.

Staffing in Internal Audit Department


The CAE is responsible for ensuring that the department is efficiently and effectively
managed. Internal audit staff must conform to the definition of internal
auditing and the standards. Any problems relating to staff should be dealt with
professionally. The CAE is also responsible for ensuring that the internal audit staff assigned to
a particular audit activity optimise the achievement of the approved plan. When deciding on
the appropriate number of staff for the internal audit department, the CAE needs to justify that
number to the Audit Committee and the Board of Directors.

An internal audit department should comprise professional individuals who possess the
necessary knowledge, skills and other competencies. These attributes enable internal auditors to
perform their professional responsibilities effectively. Hence, the CAE must consider the
necessary attributes of knowledge, ability and character when deciding who is to
be assigned to the internal audit team. Another important attribute to consider
is the value the individual adds to the organisation.

The proficiency of internal auditors can be demonstrated through the professional
certifications and qualifications that they have obtained. It is important for internal auditors
to strive for improvement and enhancement so that they can keep abreast with the demands
of the organisation and the profession. Continuing professional education and development
should be on the internal audit department’s agenda.

Body of Knowledge and Character

Ideally, the CAE can employ experienced staff, as this eliminates much
of the overhead cost incurred in supervision, training and working paper reviews. This is
based on the view that internal audit must operate as a business that adds value and is
responsive, rather than as an expensive cost to its customers or a target for outsourcing.

The knowledge and skills that internal auditors should possess include:
• Proficiency in applying internal auditing standards, procedures and techniques to perform
effective and efficient internal audits. This is where internal auditors should be able to apply
their knowledge to the audit situations and deal with them without having to resort to detailed
research and assistance.
• Adequate knowledge on accounting principles and techniques, management principles as well
as, fundamentals of law, economics, taxation, finance and other related subject matters

Nowadays, internal auditors are facing numerous demands and challenges when performing
their activities. The ever-changing environment they encounter during assignment, calls for
the ability to react quickly to problems, new organisational objectives and management
viewpoints. They should also be diligent and persevering when dealing with difficult
problems.

Another critical trait of internal auditors is the ability to communicate effectively, both orally
and in writing, such as expressing their professional opinions on factual needs.

The IIA Common Body of Knowledge (CBOK) suggests the following guidelines to assist the
CAE in developing a staffing strategy:

• Consider the overall current and anticipated workload and then evaluate audit projects and base
strategies according to risk priority rather than available resources. Internal auditors should
focus on risk areas that pose the greatest threat to the organisation.
• Maintain good relationship with governance parties, especially the Audit Committee and
executive management, by informing them about the internal auditors’ capabilities and the
emerging trends affecting the profession. The internal auditors’ audit plan should address
the governance parties’ concerns so that their perceptions on the internal auditors will change
from providing assurance on financial and compliance controls to other challenging issues,
namely, risk assessment, e-commerce and environmental assessment.
• Evaluate the internal audit processes and continuously improve performance. The CAE
should assess the audit teams' recent workflow trends and update the staffing strategy
accordingly. Delay in responding to staffing needs might have negative repercussions for the
internal audit activity and the organisation.

Internal auditors need to acquire the appropriate skills, have the right aptitude, relevant experience, and
be passionate about the profession to ensure the effectiveness of the function. The benefit element
should always be considered when developing the staffing strategies. Proper training and evaluation
will boost the performance of the internal auditors and thus fulfil the expectations of the Audit
Committee and executive management.

Selecting Internal Auditors

The CAE should design an appropriate process for hiring, normally through testing and interviewing,
to ensure that only candidates with the appropriate qualification and experience are selected. Screening
the prospective candidates’ background and references should be undertaken. Potential candidates are
required to sit for a test and the results of the test will be used to shortlist the candidates to be
interviewed. The interview session should be conducted in a positive tone to ensure that information
about the candidates can be obtained and for the candidates to respond comfortably. Successful
candidates are then required to attend some form of orientation and basic training conducted either by
the internal audit department or human resource department.

Internal Audit Hierarchy

The internal audit department should comprise professionals with relevant qualifications
(e.g. the Certified Internal Auditor (CIA) designation and membership of a professional body),
experience and skills. Years of experience in the internal audit profession would promote an internal
auditor to the appropriate senior level. The normal hierarchy of an internal audit department is depicted
in Figure 4.1. Figure 4.2 shows the responsibilities of the internal audit staff.

Figure 4.1 Internal Audit Hierarchy

Position Responsibilities
Chief audit executive (CAE) The CAE is fully responsible for the internal audit function, including the
examination and evaluation of the adequacy and effectiveness of risk
management, internal controls and corporate governance process of the
organisation.

Audit manager (AM) The AM is responsible for planning and coordinating the audit assignments.
He reports directly to the CAE on matters pertaining to the audit assignments,
for example, information technology, special projects, delivery network and
other assignments for a large multinational organisation.

Audit supervisor (AS) The AS is responsible for ensuring that designated audit teams conduct
audits as per planned schedules and man-hours. Duties involve reviewing
working papers, co-ordination and preparing reports. The AS may come
from diverse backgrounds, such as accounting, systems and information
technology, valuation, engineering and others; they can be assigned to
various financial and operational activities.

Team leader (TL) The TL is responsible for field audits under the direction of the AS. Duties
include close supervision of the audits and implementing changes in the audit
programmes accordingly.

Auditor The auditor is responsible for detailing audit work of each assignment and
is supervised by the TL. This is normally the entry level into the internal audit
department.

Figure 4.2 Responsibility of Internal Audit Staff

Training and Promotions

To ensure the continuous improvement of internal audit performance, internal auditors should
undergo the necessary training. The purpose of the training is to enhance and upgrade the knowledge, skills
and competencies of internal auditors and to keep them abreast of developments in
internal auditing.

The combination of orientation, basic audit skills and techniques training and more
specialised training should be planned by the CAE as part of the staffing strategy. Internal auditors should be
exposed to both hard skills (such as basic internal auditing skills, audit sampling, risk management, risk
analysis and control) and soft skills (such as business communication, analytical thinking, persuasive
skills, problem solving and managing performance).

Staff evaluation is a prerequisite and should be carried out without bias. An evaluation can
be conducted either twice a year or annually, depending on the organisation's staff appraisal policies.
The purposes of the evaluation are manifold, namely promotion, salary increments and bonus
awards, and assignment allocation. The use of key performance indicators (KPIs) is one
evaluation procedure; a balanced scorecard is used and can benefit both management
and internal auditors.

Responsibilities of Those Charged with Governance to the Internal Audit Function

The Board of Directors

The Board of Directors has ultimate responsibility for the company's governance, risk management
and internal controls. In addition, the Board of Directors should set appropriate policies for the
company and seek assurance that the supporting processes and activities are functioning effectively by
establishing an Audit Committee. The Audit Committee is also involved in overseeing the performance of
the internal audit function, in addition to other oversight activities such
as the performance of the external auditors and the integrity of the company's financial statements.

However, the Board of Directors continues to be responsible, among other things, for ensuring
that:
• There is a sound framework for governance, risk management and internal controls.
• An internal audit function is established and appropriately positioned within the company.
• The CAE reports directly and functionally to the Audit Committee.
• The internal audit function is independent of management and of the functions which it audits.
• A corporate disclosure policy and process are put in place to ensure that all information
disclosed to the public, including reports relating to the internal audit function and its
activities during the year, is timely, comprehensive and reliable.

The Board of Directors must take cognisance that the mere appointment of an internal auditor is not
sufficient to be considered as having an internal audit function.

The Audit Committee

The Audit Committee’s responsibilities in respect of the internal audit function include:
• Approving the appointment and removal of the CAE or service provider, if the internal audit
function is outsourced.
• Assessing the performance and approving the remuneration of the CAE.
• Reviewing and approving the internal audit charter. The internal audit charter may also be
presented to the Board of Directors for approval.
• Reviewing and approving the risk-based internal audit plan, internal audit budget and resource
plan.
• Reviewing the progress of the audit plan.
• Ensuring the adequacy of the scope of audit and addressing resource and scope limitations.
• Deliberating on internal audit reports and recommendations raised, and ensuring that
management implements the recommendations.
• Communicating reports of investigations to the Board of Directors, where appropriate.
• Ensuring that a quality assurance and improvement programme is conducted continuously and
an independent Quality Assessment Review is conducted once every five years.

To enable the achievement of the audit plan, the Audit Committee must be satisfied that
the internal audit function:
• Is sufficiently resourced with qualified, competent and experienced internal auditors as well as
adequate infrastructure such as auditing tools, knowledge repositories and databases.
• Has direct and unrestricted access to the information, records, physical properties and personnel
needed to carry out its role and responsibilities effectively.

The Audit Committee must also meet separately with the CAE, without management present,
at least once a year.

Management

The management’s role is to establish and maintain governance, risk management, and internal
control processes. The internal audit function evaluates the adequacy and effectiveness of these
processes and recommends improvements.

The management supports the internal audit function by:

• Inviting the CAE as an observer to management meetings and deliberations on governance, risk
management, and internal control processes.
• Providing unrestricted access to information, records, physical properties, and personnel,
including management, which are relevant to internal audit work.
• Providing input and feedback to the internal audit planning process.
• Implementing internal audit recommendations to improve the effectiveness of governance, risk
management, and internal control processes.

Attributes of an Effective Internal Audit Function

There are ten attributes of an effective internal audit function listed in Table 4.1. These attributes may
assist the company to accomplish its objectives by introducing a systematic and disciplined approach
to evaluate and improve the effectiveness of governance, risk management, and internal control
processes.

Table 4.1 Attributes of an Effective Internal Audit Function

Principle 1: Demonstrates integrity
An internal auditor demonstrates integrity when:
• performing tasks honestly, diligently and responsibly
• making appropriate disclosures when communicating with the Audit Committee, management and,
where applicable, regulatory authorities
• supporting the ethical conduct of the organisation and reporting illegal or discreditable acts
• maintaining the confidentiality of information acquired in the course of their work

Principle 2: Demonstrates competence and due professional care
Internal auditors should exercise due professional care by applying the care and skill expected of a
reasonably prudent and competent internal auditor.

Principle 3: Objective and free from undue influence (independent)
The Audit Committee must ensure that:
• the reporting relationships of the Head of Internal Audit and the internal auditors do not hinder
independent judgement
• mechanisms are established to address and manage situations where there is a threat to the
independence of the internal auditor
• the Internal Audit Charter addresses the independence and objectivity of the Internal Audit Function
• the Head of Internal Audit confirms the organisational independence of the Internal Audit Function
at least once a year

Principle 4: Aligns with the strategies, objectives and risks of the organisation
The Audit Committee must ensure that the risk-based audit plan is aligned with the organisation's
strategies, objectives and risks, and is developed in consultation with management.

Principle 5: Appropriately positioned and adequately resourced
The Head of Internal Audit must be positioned at a level of sufficient seniority in the organisation to
be recognised as an authoritative voice.
The Internal Audit Charter must specify the level of authority, including unrestricted access to
information, records, physical properties and personnel, required for the Internal Audit Function to
perform engagements and to fulfil its agreed-upon objectives and responsibilities.
The Head of Internal Audit must ensure that the internal auditors have the mix of knowledge, skills
and other competencies needed to perform the audit plan. The quantity of resources needed to perform
the planned audits, such as manpower, equipment, technology and time, must be taken into
consideration.

Principle 6: Demonstrates quality and continuous improvement
The Audit Committee must ensure that the Internal Audit Function has a continuous quality assurance
and improvement programme that covers all aspects of the Internal Audit Function and includes both
internal and external assessments.

Principle 7: Communicates effectively
Communicating effectively with the Audit Committee and management is an essential responsibility
of the Head of Internal Audit. Communications must be accurate, objective, clear, concise,
constructive, complete and timely.

Principle 8: Provides risk-based assurance
The Audit Committee must ensure that the Internal Audit Function uses a risk-based approach to
conduct assurance work. The Audit Committee must enquire whether there are any areas where
management has accepted a level of risk that may be unacceptable to the organisation, deliberate on
the risk and consider further action where warranted.

Principle 9: Insightful, proactive and future-focused
Internal auditors should be proactive; their evaluations should identify the root causes of issues and
exceptions, offer new insights and consider future impact.

Principle 10: Promotes organisational improvement
The Audit Committee must ensure that the Internal Audit Function assesses and makes appropriate
recommendations to improve the independent, objective assurance and consulting function of
internal audit.

Conflict Management

In the internal auditor's working environment, conflicts may arise either between internal
auditors or between internal auditors and other staff within the organisation (auditees).
These conflicts are inherent and should be dealt with professionally, as internal auditors
routinely deal with organisational conflicts that affect the internal auditors' reputation and
the efficacy of the profession.

These conflicts can arise from something as simple as the wording of an audit report, from disagreements
during negotiations with management, or over the implementation of internal audit
recommendations. Effective communication throughout the organisation can reduce conflict
and enhance the relationship and co-operation between internal auditors and auditees.

Conflicts within the internal audit department normally exist when:
• Internal auditors do not understand the internal audit process due to ambiguity and uncertainty.
• Internal auditors fail to think strategically and systematically.
• There is a lack of understanding of the importance of internal audit and of the trends and
challenges facing the profession.

Not all conflicts can be resolved, and the financial costs associated with audit conflicts can
be very high. Conflict can also have significant effects on staff morale and increase staff
turnover, thus adversely affecting the entire audit process.

Effective communication has been accepted as one way to minimise or eliminate internal
audit conflicts that are due to ambiguity. People are more receptive to situations when they
are given the relevant information rather than being kept in the dark. The CAE must
communicate the internal audit activity’s plans and resource requirements, including
significant interim changes, to senior management and to the Board of Directors for review
and approval. The CAE should also communicate the impact of resource limitations.

The CAE must establish policies and procedures to guide the internal audit activity. The
existence of well-established and well-designed policies and procedures together with
effective communication channels within an organisation can assist to minimise or avoid the
possibility of conflicts. Lesser or no conflicts can increase the efficiency of the internal audit
function.

The CAE must report periodically to the Board of Directors and senior management on the
internal audit activity’s purpose, authority, responsibility and performance relative to its plan.
Reporting should also include significant risk exposures and control issues, corporate
governance issues, and other matters needed or requested by senior management and the
Board of Directors. Prompt communication with those charged with governance will enhance
the internal auditors’ trust and relationship within the organisation.

Types of Conflicts

The two types of conflict that internal auditors might face when performing their tasks are
inherent conflicts and avoidable conflicts.

Inherent Conflicts

Inherent conflicts are conflicts that are inherent within an organisation, for example, the
lack of communication in the organisation; Audit Committee and management
misconceptions of the audit function; and a lack of co-operation from auditees. This type
of conflict is difficult to overcome but can be minimised through proper action by
management and the organisation. These actions should be developed and reviewed by
management on a continuous basis.

Avoidable Conflicts

Avoidable conflicts are conflicts that exist within the internal audit department and its
processes, for example, the absence of guidance or reference material; unclear instructions for
assignments; incomplete review of working papers; and favouritism in assignment
allocation. These conflicts can be avoided by internal auditors through the establishment
of proper audit guidance and manuals; clear instructions, direction and supervision; and
reduced bias.

How to Deal with Conflicts?

The ability to deal with conflicts would increase internal auditors’ confidence and morale.
It improves the relationship between the internal auditors and auditees. These
recommended practices could help internal auditors reduce the likelihood of conflicts:

• Internal auditors need to develop trust. This can be done by showing a genuine intention to
assist in improving the organisation, thus ensuring co-operation. For example, internal auditors
may work with the production department to review the high wastage of raw materials
used in production, and forward recommendations to the production
manager with a view to reducing the percentage of wastage and subsequently
improving the efficiency and economy of the production department.
• Internal auditors have to be salespersons. This is true when they want to sell their "product",
that is, the recommendations arising from audit findings. They cannot assume that everyone will
immediately react positively to their recommendations. Internal auditors
should be able to explain the problems or issues to auditees, instead of merely identifying a problem
and telling the auditees how to fix it.
• Help the auditees to understand the audit objectives. When the auditees know the objectives
and the information needed, conflict can be avoided.
• Internal auditors should be objective and factual about their findings. Different words or phrases
can affect the auditees' value judgement. Hence, allowing the auditees to review the findings
and suggest changes before submission to the Board of Directors or management can
reduce the possibility of conflict.
• Consider the positive aspects of the conflict, because some conflicts may help an
organisation move towards its objectives. Some negative conflicts could have positive effects
on the audit process; for example, conducting a formal interview with top management might
be resented but is a valuable information-gathering technique for the internal auditor.
• Compromise in situations where the auditees are more responsive to important findings
than to less important ones. Internal auditors should be firm but at the same time fair
in taking a stance on their findings.
• Internal auditors should try to appreciate and anticipate all potential sources of conflict and
consider all possible solutions prior to any negotiation with auditees. Listening
to what the auditees have to say is a crucial part of the whole process of negotiation.
• Seek support from high-level management, especially the Audit Committee. Internal auditors
should be able to separate personal differences of opinion from critical control issues or ethical
questions that the Audit Committee should be informed about. This ensures the effective
operation of the audit function.
• Internal auditors should not feel guilty or be held responsible for situations with negative
consequences resulting from audit findings, such as auditees' termination, relocation or
mental health conditions.

Managing conflicts appropriately can move the organisation forward; managing them badly can make auditees miserable. It is up
to internal auditors to negotiate effectively with auditees in a harmonious manner, which
increases the chances that their recommended changes will be implemented in a timely way by the organisation.
Conflicts can help internal auditors to be more receptive to the auditees and their expectations of the
value internal auditors can add to the organisation. It is thus important for internal auditors to be
proactive rather than reactive when dealing with conflicts, as this will assist them in minimising or
even avoiding conflict.

Outsourcing the Internal Audit Function

Outsourcing has had a great impact on the business arena, and millions
have been spent on and budgeted for outsourced services. Irrespective of the services
being outsourced, adopting this alternative has produced good results. On the negative
side, uncontrolled reliance on outsourcing contributed to the downfall of large
corporations, the well-known Enron and WorldCom cases among them. Hence, before opting
for any outsourced service, the strategic planners (management) should consider carefully
whether the benefits actually outweigh the costs.

Outsourcing involves the use or employment of independent parties to perform a function
within an organisation's business activities. An external provider can be an individual or a
firm independent of the organisation, and must be one who has special knowledge, skill and
experience in a particular discipline. External providers include, among others,
accountants, actuaries, engineers, lawyers, environmental specialists, fraud investigators and
security specialists. The internal audit activities that are outsourced usually relate to:

• areas where specialised skills and knowledge are required
• valuation of assets
• determining work-in-progress
• fraud and security investigations
• mergers and acquisitions
• risk management consultancy

Outsourcing has become a way of obtaining services without the large capital investment
of setting up a department to undertake those activities. Establishing and
maintaining a department can be a challenging and daunting task for a company. Effective
internal audit functions require a diversity of skills that many organisations find difficult
to source and retain. Significant investment is required in recruiting, training and
developing professional internal auditors equipped with the latest methodology,
technology and time and resource management. By opting to outsource, management can
hire fully dedicated internal audit professionals without the day-to-day managerial
requirements that an in-house internal audit department would require. Outsourcing
arrangements take many forms, from limited assistance to internal auditors who lack
expertise to providing the entire internal audit function.

Reasons for Outsourcing

Many organisations, particularly small organisations, are currently considering the outsourcing
alternative as an appropriate measure where internal audit resources are scarce or unavailable.
A temporary or permanent outsourcing solution may be necessary to acquire timely, professional
internal audit services and competent internal audit staff. Temporary staff shortages, the need for special
skills especially on special projects, remote geographical business locations and the need for additional staff to meet
deadlines will compel management to resort to outsourcing alternatives. The external provider will
indirectly perform operational and financial reviews as part of the engagement activities, thus reducing
costs for a company in terms of time and expert skills. With these reasons in mind, organisations can
make better decisions on the outsourcing alternatives that would enhance and add value to the business
and to the internal audit function specifically.

Outsourcing internal audit activities has several problems and risks, the major one being a possible
impairment of independence. This impairment arises from the external provider’s continuous
involvement in the management functions and in due course may become an integral part of an
organisation’s internal controls.

Roles of CAE in Outsourcing

The CAE should assess the relationship with an external provider, whether financial, organisational or
personal, to ensure that independence and objectivity are maintained throughout the engagement (Enron
is a classic case of independence impairment). There are situations where the external auditor is the
external provider, and this can give rise to ethical issues. A thorough understanding of an external
provider’s objectives and scope of service must be obtained to ensure that it is adequate for the purpose
of the internal audit activity. All these matters need to be documented in an engagement letter or contract.
Compliance with the related Standard should also be specified in the letter or contract.

The CAE must review the work performed by the external provider and report accordingly to those
charged with governance. Any external communications of the findings from the engagement to third
parties should only be made with the Board of Directors’ approval. The code on confidentiality
prohibits any internal auditor from disseminating the organisation’s information to external parties
except in certain circumstances such as by court order or public interest (whistle-blowing).

Outsourcing Arrangements

Full Outsourcing
Execution of a full-scope, risk-focused internal audit plan is contracted to an external provider, usually
a professional accounting firm. An in-house contact with reporting responsibility to the Board of
Directors and Audit Committee is appointed as liaison with the selected accounting firm.
The oversight of and responsibility for the internal audit activity cannot be outsourced.
Full outsourcing should require the approval of the Audit Committee and reporting to the Board of Directors or other
governing body.

Partial Outsourcing
Execution of the internal audit plan is partly done by an external provider on an ongoing basis.
The external provider reports to the head of the internal audit department.

Co-Sourcing
Execution of an internal audit plan is shared between an accounting firm and the organisation. In most
cases, the outsourced party handles specialised areas (e.g. computer security auditing, special
investigations, financial or operational auditing) or those that are more cost effective to co-source.
Reporting should be made to the management and the Board of Directors.

Sub-Contracting
Involves the engagement of an external party for a limited period to undertake a specific engagement
or a portion of one.
The in-house internal audit department will normally provide the management and oversight functions.

Advantages of Outsourcing

When choosing the external provider for the outsourced internal audit activity, the CAE
should consider the merits and the limitations or risks inherent in the engagement. A careful
assessment and review of the in-house internal audit capabilities and the work performed can
act as a benchmark in deciding whether outsourcing is required. In order to ensure a high
return from the outsourced activity, management must assess the long-range planning of the
organisation before opting for outsourcing as an alternative action. The final decision is
normally based on cost and performance effects. The following are
some of the merits of outsourcing.

• Focus on core competencies
o Outsourcing allows management to focus on core competencies instead of the time-consuming,
low-payback day-to-day activities. The resulting improvements in staff allocation allow a
business to afford the luxury of access to global expertise and cutting-edge technology. It will
increase business returns and the effective management of existing resources.
• Costs
o Internal audit outsourcing helps a business to reduce its costs by converting the fixed costs
of an internal audit function into variable costs. The costs of overlapping positions
and audit effort can also be reduced, thus creating more flexibility in responding to increasing and
decreasing workload demands.
• Efficiency of the business
o An external provider can also perform quality checks 24/7 while executing internal
audit activities. This continuous review enables a business process or function to be
performed without flaws and in tune with the latest technologies.
• External audit
o The knowledge obtained during an internal audit engagement can increase the
efficiency of the annual independent statutory audit where the external provider is also the
internal auditor; for example, knowledge of the internal control systems should reduce the
work needed to document the internal controls, assess the control risks and design tests of controls.
• Business geographical locations
o Businesses with numerous and remote locations will benefit from outsourcing as more
locations can be reviewed and improved. The coverage undertaken by an external provider
is more extensive, and co-ordination with the in-house internal audit staff will increase
access to best practices and insight into alternative approaches.
• Future expectations
o The existence of an external provider can be used as a training ground for future in-house
internal audit staff to gain specialised skills, especially with partial outsourcing. The
retention of knowledge for future assignments through the working papers and information
available can assist the internal audit staff in planning their assignments.
• Credibility
o An external provider with a good reputation carries greater credibility compared to the
work done by the internal audit staff.

Limitations of Outsourcing

While the merits or benefits of outsourcing are apparent, there are a number of constraints or limitations
that reduce its effectiveness to the organisation, namely:

• The allegiance of in-house staff versus that of an external service provider, where the elements of
motivation and loyalty are questionable.
• The culture of an organisation towards an external provider might limit or hinder the outsource
provider from performing its assignments. It may find it difficult to access information,
whether verbal or written. Hence, to overcome this, the Board of Directors will have to ensure
that the external provider is given the required authority and assistance.
• The Sarbanes-Oxley Act 2002 states that an external audit firm engaged as the outsource
provider should not provide internal audit services to its existing clients as this might impair
the external auditor’s independence.
• Outsourcing internal audit activities will result in the business incurring a significant amount of
resources in the form of fees and time spent assisting the external provider. Eventually, in the long
term, these costs will become a fixed cost to the organisation.
• Lack of knowledge about the organisation will affect the performance of the outsourced
activity, as an external provider might not be well informed about the organisation’s objectives
and operations. On the other hand, the in-house internal audit staff are normally well informed
and the competencies they possess represent a unique perspective of the organisation.
• An internal audit department provides a training ground for future managers as they are involved
in the organisation’s risk, control and governance processes. The absence of such a department may
affect management succession plans.
• The outsourcing alternative lacks the long-range development that an in-house department provides,
and this may limit the appreciation of internal auditing by the Board of Directors and Audit
Committee.

The idea of outsourcing is not new, and many studies and surveys have been done to measure its
effectiveness for an organisation as a whole. Many advocates of outsourcing will agree that outsourcing
tends to resolve problems in a short period of time but is costly to an extent. Outsourcing should only
be considered in situations that require immediate results and not for a long-term engagement. The
downfall of Enron evidenced the risks of fully outsourcing major activities of the organisation.

Summary

Managing an internal audit function requires careful consideration of the organisation’s resources —
human, financial and infrastructure. Failure to plan the internal audit activity will result in conflicts and
loss of valuable resources. Hence, the success of the internal audit function depends on the proper
allocation of available resources and adequate monitoring of the internal auditors’ performance. Getting
the right number of staff is a difficult and challenging task for the CAEs, but with proper staff planning,
the internal audit function can be more effective and efficient.

Self-Review Questions

1. Explain what is meant by conflicts within the internal audit profession.
2. Discuss the different conflicts faced by internal auditors while performing their audit function.
3. Conflicts are usually dealt with by internal auditors either before or after the incident. Explain how
internal auditors resolve these conflicts.
4. What are the recommended practices that can help internal auditors to reduce the likelihood of
avoidable conflicts?
5. Explain the term outsourcing.
6. Explain the different types of outsourcing arrangements.
7. Identify the services that can be outsourced by an organisation.
8. Outsourcing has its merits and drawbacks. Discuss.
9. In deciding to outsource an internal audit activity, what are the factors that need to be considered?
10. The Institute of Internal Auditors has developed standards for internal auditors to comply with
when undertaking internal audit assignments. What is the standard that relates to the use of an
outsource provider?


Mind Map

(Chapter mind map figure not reproduced in text.)

5 Quality Assurance and Improvement Program
Learning Objectives
After going through this chapter, you should be able to:
 Understand the nature of quality assurance and improvement program (QAIP)
 Explain the importance of QAIP in an internal audit department
 Explain the purposes and benefits of QAIP
 Distinguish between the different types of, or approaches to, quality assurance
 Explain the best approach for QAIP and common issues in a quality assurance review

Introduction

An internal audit department, regardless of its size, needs to be visible so that it can add value to
the organisation. The value it adds has become more important, and the department is urged to find relevant
methods to ensure the effectiveness and efficiency of its performance. In order to become more relevant,
all activities performed by the department need to be assessed. The assessment should include all
aspects of operations, processes and methods, as well as staff competency.

The Chief Audit Executive (CAE) needs to develop and maintain a Quality Assurance and Improvement
Program (QAIP) that covers all aspects of the internal audit activity. The program has
to be conducted to provide reasonable assurance that the internal audit activity conforms to the
International Standards for the Professional Practice of Internal Auditing (ISPPIA). Apart from that,
an evaluation should also be conducted to ensure that the internal auditors apply The IIA’s Code of
Ethics and the department’s charter. The program should assess the efficiency and effectiveness of the
internal audit activities and identify opportunities for improvement. The CAE should encourage Board
of Directors oversight of the quality assurance and improvement program.

Quality Assurance and Improvement Program

Quality can be defined as conformance to requirements, and requirements are what the customers say
they need. Quality helps to ensure customers’ satisfaction, investors’ confidence, efficient use of
resources and effective corporate governance. Thus, quality assessment is a measurement for
effectiveness, efficiency or any non-conformance as well as looking into areas for any improvement.
Quality also can come from prevention, and prevention is normally the result of finding and correcting
problems within the system. Opportunities for improvement can be found in any operations, processes
or methods, and as such, it is essential to gain management’s attention to prioritise or correct any non-
conformance, problems or to monitor any progress in the operation or system.

Quality assurance is the part of quality management focused on providing confidence that quality
requirements will be fulfilled. Both customers and managers have a need for quality assurance as they
cannot oversee operations for themselves. Thus, to maintain and improve the quality required, an
organisation needs to establish a quality assurance and improvement program. This program needs to
be documented and to include activities that aim to provide the evidence needed to ensure that quality
procedures are being appropriately followed and quality requirements are being met.

The CAE must develop and maintain a QAIP that covers all aspects of the internal audit activities. This
program must be designed to enable an evaluation of the internal audit activities that would include
operation, processes and methods in conformance with the definition of internal auditing, the Standards
as well as the Code of Ethics. The program should assess the efficiency and effectiveness of an internal
audit activity and identify opportunities for improvement.

Each part of the program should be designed to help add value to the internal auditing activity and
improve an organisation’s operation and to provide assurance that the internal audit activity conforms
to the Standards and the Code of Ethics. In addition, the program may include implementation of new
internal audit policy, updates to the system for evaluation of audit risk, internal audit staff training and
improvement in administrative and monitoring systems for internal audit functions.

Purposes of a QAIP

The primary purpose of a QAIP is to ensure that the scope of work of the internal audit activity
includes all activities documented in the Standards and the application of the Code of Ethics. The
secondary purpose of the QAIP is to provide reasonable assurance to the various stakeholders that the
internal audit activity:
• is performed in accordance with its charter, which should be consistent with the Standards and
the Code of Ethics;
• is carried out in an effective and efficient manner; and
• helps to identify opportunities for improvement to the organisation’s operations.

Quality Assurance Methodologies

The program must include the following two methods:
1. Internal Assessments
2. External Assessments

Internal assessments are composed of rigorous, comprehensive processes, continuous supervision
and testing of internal audit and consulting work, and periodic validations of conformance with the
Standards and of whether internal auditors apply The IIA’s Code of Ethics. On the other hand, external
assessments provide an opportunity for an independent assessor or assessment team to conclude as to
the internal audit activity’s conformance with the Standards and whether internal auditors apply the
Code of Ethics, and to identify areas for improvement.

The difference between these two assessments is that an external assessment requires the involvement
of a qualified independent assessor or assessment team from outside of the organisation. The QAIP
also includes ongoing measurements and analysis of performance metrics such as accomplishment of
the internal audit plan, cycle time, accepted recommendations, and customer satisfaction.

Internal Assessments

Internal assessments consist of:

a. Ongoing monitoring of the performance of the internal audit activity:

This ongoing monitoring can be conducted routinely throughout the audit process. It can be an
integral part of the day-to-day supervision, review and measurement of the internal audit activity. The
monitoring process can be incorporated into the routine policies and practices used and should include
the processes, tools and information considered necessary to evaluate conformance with the Code of
Ethics and the Standards.

The mechanisms used for ongoing monitoring include:
• Adequate engagement supervision;
• Checklist or procedures manual;
• Feedback from audit customers and other stakeholders regarding the efficiency and
effectiveness of the internal audit team;
• Staff and engagement key performance indicators (KPIs) such as the number of certified
internal auditors and their years of experience in internal auditing;
• Other measurements that may be valuable in determining the efficiency and effectiveness of
the internal audit activity such as project budgets, timekeeping systems, and audit plan
completion and budget-to-actual variance.

Findings and reports for assessments should be developed to measure the quality of ongoing
performance; follow-up action should be taken to ensure appropriate improvements are implemented.

b. Periodic self-assessments or assessments by other persons within the organisation with
sufficient knowledge of internal audit practices:

This assessment is not routine but is performed through self-assessments or by other persons within
the organisation with sufficient knowledge of internal audit practices. It can be conducted through special-
purpose reviews and will usually involve compliance testing.

The internal audit activity conducts periodic self-assessment to validate its continued conformance
with the Standards and Code of Ethics and to evaluate:
• The quality and supervision of work performed.
• The adequacy and appropriateness of internal audit policies and procedures.
• The ways in which the internal audit activity adds value.
• The achievement of key performance indicators.
• The degree to which stakeholder expectations are met.

To accomplish this, the individual or team conducting the self-assessment typically assesses each
standard to determine whether the internal audit activity is operating in conformance. This may include
in-depth interviews and surveys of stakeholders. The internal audit activity may perform additional
steps to support the self-assessment, such as conducting post-engagement reviews or analysing KPIs.

The results of internal assessments and necessary action plans should be shared with appropriate persons
outside the activity, such as the Board of Directors, senior management and external auditors.

Establishing the Performance Measurement Process

To establish effective performance measurements, the CAE should establish a measurement process
that:
i. Identifies critical performance categories. According to the balanced scorecard approach, there are
three main performance categories:
 Stakeholder satisfaction — internal (the Board of Directors/Audit Committee, top
management) and external stakeholders (government bodies, regulators and external auditors).
 Innovation and capabilities — effective use of technology, training and industry knowledge.
 Internal audit processes — risk assessment/audit planning, planning and performing the audit
engagement and audit reporting.

ii. Identifies performance strategies and measurements, with strategies based on methods that comply
with the Standards or on stakeholder expectations.
iii. Provides an effective ongoing performance measurement and reporting process.
iv. Establishes links to strategies and includes specific baseline and target measurements to monitor
progress.

Finally, the CAE should ensure that the measures used are specific to the organisation and appropriate
for the size of its activity as well as applicable to its industry, country, national laws and regulations
and operating environment.

External Assessments

External assessments must be conducted once every five years by a qualified, independent assessor or
assessment team from outside of the organisation. The CAE must discuss with the Board of Directors:

 The form and frequency of external assessments; and
 The qualifications and independence of the external assessor or assessment team, including any
potential conflict of interest.

Two approaches to an external quality assessment approved by the IIA for all organisations are as
follows:

a. Full external assessment

A full external assessment would be conducted by a qualified, independent external assessor or
assessment team. The team should comprise competent professionals and be led by an experienced and
professional project team leader.

The scope of a full external assessment includes the following three core components:
 The level of conformance with the Standards and Code of Ethics.
 The efficiency and effectiveness of the internal audit activity.
 The extent to which the internal audit activity meets expectations of the Board of Directors, senior
management, and operations management, and adds value to the organisation.

b. Self-assessment with independent external validation (SAIV)

This type of external assessment is typically conducted by the internal audit activity and then
validated by a qualified, independent external assessor.
According to Standard 1312, the scope of a SAIV consists of:
• A comprehensive and fully documented self-assessment process that emulates the full external
assessment process, at least with respect to evaluating the internal audit activity’s conformance with
the Standards and Code of Ethics.
• Onsite validation by a qualified, independent external assessor.
• Limited attention to other areas such as benchmarking; review, consultation, and employment of
leading practices; and interviews with senior and operations management.

Approval from the senior management and the Board of Directors is needed in the selection of the
approach to be followed by the department. Regardless of which approach is selected for the external
assessment, a qualified independent external assessor or assessment team must be retained to complete
the assessment. The CAE will consult with senior management and the Board of Directors to select the
assessor or assessment team. They must be competent in two main areas: the professional practice of
internal auditing (including current in-depth knowledge of the IPPF), and the external quality
assessment process.

Their qualifications and competencies should include:

 Certification as an internal audit professional (Certified Internal Auditor).
 Knowledge of leading internal auditing practices.
 Sufficient recent experience in the practice of internal auditing at a management level, which
demonstrates a working knowledge and application of the IPPF.

The organisations may seek additional qualifications and competencies for assessment team leaders and
independent validators which include:

 An additional level of competence and experience gained from previous external assessment work.
 Completion of the IIA’s quality assessment training course or similar training.
 CAE (or comparable senior internal audit management) experience.
 Relevant technical expertise and industry experience.

Another important consideration for external assessors that should be discussed by the CAE, senior
management and the Board of Directors is the set of factors related to independence and objectivity. All
team members should be free from actual, potential, or perceived conflicts of interest that could impair
objectivity.

The factors that should be considered in relation to the independence of external assessors are:

 Individuals who perform the assessment must not have a real or apparent interest in present or
previous relationships with the organisation or its internal audit activity.
 Individuals from other departments of the organisation or from a related organisation, even though
organisationally separate from the internal audit activity, are not considered independent for the
purposes of an external assessment. A related organisation may be a parent organisation, an affiliate
in the same group of entities or an entity with regular oversight, supervision or quality assurance
responsibilities with respect to the organisation whose internal audit activity is the subject of the
external assessment.
 Reciprocal peer review arrangements among three or more organisations may be structured to
alleviate independence concerns.
 One or more independent individuals could be part of the external assessment team or scheduled
to participate subsequently to independently validate the work of that external assessment team.

Scope for External Quality Assessment

An external assessment should consist of a broad scope of coverage that includes the following
elements:

 Conformance with the Code of Ethics and the Standards; plus the internal audit activity’s charter,
plans, policies, procedures, practices, and applicable legislative and regulatory requirements;
 Expectations of the internal audit activity expressed by the Board of Directors, senior management
and operational managers;
 Integration of the internal audit activity into the organisation’s governance process, including the
relationships between and among the key groups involved in the process;
 Tools and techniques employed by the internal audit activity;
 Combination of knowledge, experience, and discipline within the staff, including staff focus on
process improvement; and
 Determination as to whether or not the internal audit activity adds value and improves the
organisation’s operations.

Procedures for External Quality Assessment

Before the commencement of fieldwork, the quality review team leader should ensure that all team
members are aware of the following information:

i. Objectives of the external quality assessment:
 Purpose of the external quality assessment;
 Compliance with organisation policies; and
 Suggestions for more efficient internal audit procedures.

ii. Team members’ ethics and behaviour:
 IIA’s Code of Ethics;
 Constructive approach during the assessment process;
 Important communications with internal audit department staff; and
 Confidentiality statement signed by team members.

iii. Initial arrangements:
 Fieldwork and reporting schedule;
 A questionnaire for the CAE;
 List of documents and materials to be requested;
 Identification of personnel to be interviewed; and
 Format and structure of working papers for the assessment.

iv. Distribution of work and time schedules, which need to include:
 The operations of the internal audit department;
 The purpose, the expected amount of detail and how information is used to evaluate the internal
audit department;
 A questionnaire to be answered by the CAE;
 Tentative fieldwork schedule;
 Tentative members of the external quality assessment team;
 Selected internal audit clients and internal audit staff to be interviewed; and
 Workplace and computer facilities for the external quality assessment team members during the field
visit.

An example of the steps for an External Quality Assessment:

(a) Announcement letter to the CAE
(b) Preliminary Survey
(c) Fieldwork:
1. Interviews
2. Substantive Testing
(d) Reporting:
1. Exit Meeting
2. Draft Quality Assessor Report
3. CAE’s Responses
4. Final Quality Assessor Report

Table 5.1 lists some examples of questions for interviews of the internal audit staff, the CAE and the
Audit Committee/Board of Directors:

Table 5.1 Sample Questions for Interview

Internal Audit Staff Survey
(Each evaluation criterion is rated Excellent, Good, Fair, Poor or N/A.)

Knowledge/Skills to perform work
1 Audit Committee’s expectations
2 Senior Management’s expectations
3 Understanding governance, risk management and control processes
4 Understanding the activity’s mission and goals
5 Audit activity’s policies and procedures
6 Overall relationship with audit clients
7 Understanding internal auditing standards
8 Knowledge of the agency’s operations and processes
9 Documentation and review of systems or processes
10 Significant risk exposures and control weaknesses
11 Disclosure of conflicts and lack of independence
12 Audits conducted using a risk-based audit approach
13 Use of CAAT, analytical and trend analysis
14 Availability of audit resources to complete audit assignments
15 Overall information technology governance
16 Availability of information and access to records
17 Audit focus on improving effectiveness and efficiency of control processes
18 Quality of audit reports

Training/Experience Alternatives
19 Availability of sufficient professional training to satisfy continuing professional education requirements
20 Quality of training obtained in relation to directly enhancing professional proficiency to perform audit engagements
21 Ability to obtain professional certifications and/or participate in professional organisations
22 Encouragement for career growth

Internal Audit Organisation Practices
23 Free from operational duties that would impair independence
24 Ability to participate in audit planning and scope
25 Quality of communication and supervision

Chief Executive Officer and Audit Committee Questionnaire
(Each question is answered Yes or No, with space for comments.)

FCIAA/IIA Requirements
1 Does the Chief Internal Auditor report directly to you on all matters? If “No”, to whom do they report and on what matters?
2 Does the Chief Internal Auditor have direct access to you whenever it is necessary? If not, why?
3 Do you receive copies of all Internal Audit reports and respond to them?
4 Does the Chief Internal Auditor or any of his/her staff perform any operational duties besides internal auditing?
5 Are you familiar with the general provisions of the Fiscal Control and Internal Auditing Act (FCIAA)?
6 To your knowledge, does the Internal Audit coverage comply with the FCIAA provisions?
7 Did the Auditor General’s last agency compliance audit find any discrepancies in the Internal Audit program? If “Yes”, describe them and state what corrective actions were taken.
8 Did the Chief Internal Auditor include your requested special areas of concern within the two-year audit plan?
9 Does the Chief Internal Auditor have access to all agency information and freedom to include all functional areas in the biennial audit plan?
10 Does the Chief Internal Auditor have the freedom to consult with outside agencies specified in the FCIAA?
11 Does the Chief Internal Auditor provide periodic review of the internal audit charter and present it to you and the Audit Committee/Board of Directors, if applicable, for approval?
12 Does the Chief Internal Auditor discuss or provide the IIA’s Definition of Internal Auditing, Code of Ethics and Standards periodically to you and the Audit Committee/Board of Directors, if applicable?
13 Does the Chief Internal Auditor confirm annually with you, and the Audit Committee/Board of Directors, if applicable, the Internal Audit Organisation’s independence?
Source: State Internal Audit Advisory Board, State of Illinois (http://siaab.audits.uillinois.edu/)

Reporting on the Quality Program

The CAE must communicate the results of the quality assurance and improvement program to senior
management and the Board of Directors. The disclosure should include:
 The scope and frequency of both the internal and external assessments.
 The qualifications and independence of the assessor(s) or assessment team, including potential
conflicts of interest.
 Conclusions of assessors.
 Corrective action plans.

The form, content and frequency of communicating the results will be determined by discussions with
both senior management and the Board of Directors taking into consideration the responsibilities of the
internal audit activity and the CAE as contained in the audit charter. Normally, the results are
communicated upon completion of each assessment and the results of ongoing monitoring are
communicated at least annually. The results will normally include the assessor’s or assessment team’s
evaluation with respect to the degree of conformance.

The IIA provides three categories of rating on the level of conformity (Table 5.2):
 Generally conforms
 Partially conforms
 Does not conform

Table 5.2 IIA Conformity Rating

Rating: Generally conforms
Explanation: This is the top rating. It means that the internal audit activity has a charter, policies and processes, and that the execution and results of these are judged to be in conformance with the Standards.

Rating: Partially conforms
Explanation: Deficiencies in practice are noted and judged to deviate from the Standards, but these deficiencies do not preclude the internal audit activity from performing its responsibilities in an acceptable manner.

Rating: Does not conform
Explanation: Deficiencies in practice are judged to be so significant that they seriously impair or preclude the internal audit activity from performing adequately in all or in significant areas of its responsibilities.

If there is non-conformance with the Standards or the Code of Ethics, the assessment team must
recommend what the internal audit activity should do to remedy it. If the non-conformance is with
the Implementation Guides, the team is required to recommend improvements in the areas concerned;
this category of non-conformance is considered less serious than non-conformance with the Standards
or the Code of Ethics.

Advantages of a QAIP

A QAIP is one of the most significant methodologies for improving the internal audit department, in
several ways:
 Increase the quality of audit performance in meeting the expectations of various stakeholders,
thus creating better recognition for the internal audit activity.
 Improve the reliability of internal audit as a source of information on risk, internal control and
corporate governance.
 Assist the internal audit department to benchmark its operations, activities and policies against
best practices in other industries.
 Give assurance that the internal audit department has the right reporting structure and competent
staff to cope with any critical issues in the organisation.
 Improve the quality of the audit activities in meeting stakeholders' expectations.
 Explore possibilities to improve the operation of the internal audit department.
 Improve efficiency, resulting in cost savings for internal audit activities.
 Allow internal auditors to use the phrase "in accordance with the ISPPIA" in their reports to
stakeholders.
 Build stakeholders' confidence by documenting management's commitment to quality and leading
practices, and gear up the internal auditors' mindset for professionalism.
 Provide evidence to the Board of Directors, management and staff that the Audit Committee
and the internal audit activity are concerned with the organisation's internal controls, ethics,
governance and risk management processes.

Best Approach for a QAIP

To get better results from a QAIP, strong commitment from management is needed; management must
demonstrate that commitment to ensure the QAIP's success. All activities performed must be consistent
with the IIA's quality standards and the Code of Ethics. In addition, the organisation should develop a
set of policies, procedures and controls specifically for its QAIP. As required by the Standards, a QAIP
must include both internal and external assessments, and the organisation must implement the corrective
actions recommended by both.

Common Issues in Quality Assurance Assessment

Even though a QAIP is beneficial, the internal audit department might face issues such as an outdated
charter that limits its quality assurance assessment planning and program. The CAE might report
inappropriately to the Board of Directors and the Audit Committee, leading them to misinterpret the
results. The Board and Audit Committee may also perceive the knowledge of the audit staff as
inadequate, reducing their confidence in relying on the reports.
However, a QAIP that is implemented successfully can lead to the following areas of strength or
'leading practices':
1. Enhanced risk assessment and audit planning, which can include management's input, the
introduction of a new 'auditing process' and internal audit brainstorming sessions.
2. Improved governance by ensuring management's awareness of governance, risk assessment,
internal audit and the value of a strong control environment, and by incorporating Enterprise Risk
Management (ERM).
3. A QAIP with a variety of performance measurement tools (e.g. a balanced scorecard) that provides
reports on performance to the Audit Committee.
4. Professional development: the internal audit function participates regularly in professional
organisations related to internal audit, holds leadership positions, and has employment policies with
regard to competencies.
5. Improved audit efficiency: the function uses an automated audit management information system,
software tools and a database of audit findings.

Summary

The CAE is responsible for developing and maintaining the quality assurance and improvement program
of the internal audit function. A QAIP is designed to enable an evaluation of the internal audit
activity's conformance with the Standards and the Code of Ethics. To achieve this, its effectiveness is
monitored through both internal assessments (ongoing monitoring and periodic self-assessments) and
external assessments (a full external assessment, or a self-assessment with independent external
validation). The results, including the necessary action plan and the status of its implementation, are
then communicated by the CAE to senior management, the Board of Directors and the Audit Committee
at least annually.

Self-Review Questions

 Discuss the two types of quality assessments found in the internal audit activity that the CAE can
adopt to comply with the requirement of the Standards.
 The external quality review team should include individuals who possess certain attributes. List
and explain the qualities required for the external reviewers.
 Discuss the matters to be considered by all the members of the quality reviewer team before the
commencement of external quality assessment fieldwork.
 Briefly explain the steps in the implementation of external quality assessment.
 Discuss the benefits of a QAIP.

References

AuditNet. http://www.auditnet.org. Accessed on 30 January 2019.
Institute of Internal Auditors. http://www.theiia.org. Accessed on 30 January 2019.
Manchanda, A. and Macdonald, C.B. (2011). External Assessments as Tactical Tools. Internal Auditing,
December 2011, pp. 47–50.
Mary, L. et al. (2009). Principles and Contemporary Issues in Internal Auditing. McGraw-Hill.
Mary, L. et al. (2016). The Assurance and Consultancy of Internal Audit. McGraw-Hill.
State Internal Audit Advisory Board, State of Illinois. http://siaab.audits.uillinois.edu/. Accessed on
27 March 2013.

Mind Map
6 Internal Auditing Process
Learning Objectives
After going through this chapter, you should be able to:
 Describe the overall framework for the internal auditing process
 Explain the importance of, and the relationship between, strategic planning and engagement planning
 Define and explain the risk-based internal audit (RBIA)
 Describe internal audit planning process using risk-based internal audit (RBIA)
 Explain step by step implementation of risk-based internal audit (RBIA) for assurance and
consulting engagement

Introduction
This chapter describes the various steps necessary to conduct an internal audit engagement. The overall
framework of the internal audit process is generically suitable for any type of internal audit engagement
(e.g. an information technology audit, fraud audit, strategic audit, performance audit, compliance audit
or financial audit) and applies across all internal audit services (assurance or consulting) provided by
internal auditors or the internal audit function. The internal audit process consists of all activities
related to: (1) planning; (2) performing (fieldwork); (3) communicating; (4) monitoring; and (5) quality
assurance.

These five interrelated processes are illustrated in the two audit models shown in Figures 6.1(a) and
6.1(b). Both models adopt the risk-based internal audit (RBIA) approach throughout the whole internal
audit process. Generally, the internal audit process commences with the planning stage, followed by the
performing stage, the communicating (reporting) stage, the monitoring (follow-up processes and
procedures) stage, and ends with the quality assurance stage. This chapter does not cover the quality
assurance stage, as it falls outside the chapter's objectives. It is important to have a good overview of
the overall process before looking into the detail of each stage, so that the relationship between one
stage and the next is understood.

Figure 6.1(a) An Audit Model Figure 6.1(b) An Audit Model

Framework of Internal Audit Process

Based on the above IPPF Standards, the overall framework of an internal audit process is depicted in
Figure 6.2.

Figure 6.2 Overall Framework of Internal Audit Process

Each of the stages shown in Figure 6.2 is discussed in detail in the subsequent sections.

Strategic Audit Planning

An internal audit function can improve an organisation's operations, add value and become a trusted
advisor assisting the Board of Directors and executive management in achieving the organisation's
goals and objectives. It also helps evaluate and improve the effectiveness of governance, risk
management and control processes. This is achievable only if the internal audit function plans its work
and activities effectively and carefully, in line with the organisation's objectives and able to fulfil its
key stakeholders' needs and demands.

The chief audit executive must establish a risk-based plan to determine the priorities of the internal
audit activity, consistent with the organisation's goals. Successful auditing begins with effective
planning; poor and ineffective planning leads to audit failure and to the organisation's objectives not
being achieved. The internal auditor should therefore plan the audit work well so that the audit is
performed in an effective, efficient and timely manner. The plan should set out the expected nature,
timing and extent of the audit and the strategies the internal audit function will use to deliver value
through assurance and consulting services that help the organisation meet its vision, mission and
objectives. To ensure that all audits are performed effectively, efficiently and on time, a clear direction
is needed before any audit work begins, at three levels: strategic audit planning, annual audit planning,
and detailed planning for each individual engagement. The strategic plan is drawn up after considering
factors such as the organisation's strategic plan, the internal audit charter, the needs of the Board of
Directors and management, risks and controls, the budget and resources, and the IIA Standards.

The IIA issued a practice guide in July 2012 outlining the steps needed to develop an internal audit
strategic plan. Its purpose is to provide a systematic and structured process that internal audit
functions and Audit Committees can use to ensure that audit plans remain relevant and value-added,
stay aligned with the organisation's objectives, and make meaningful contributions to the organisation's
overall governance, risk management and control processes. The steps for developing the internal audit
strategic plan are as follows:

i. Understand the Relevant Industry and the Organisation’s Objectives

First and foremost, the CAE should have a thorough understanding of the organisation's objectives and
the industry (or industries) in which it operates. For the internal audit activity to deliver any value, it
should contribute to the achievement of the organisation's strategic and operational objectives as well
as its financial and compliance objectives, while providing assurance that the organisation maintains
a sound ethical environment and a sensible culture of accountability. It is therefore imperative that
the internal audit activity and internal audit function have rigorous knowledge and an in-depth
understanding of the pertinent industries (including applicable laws and regulations), changes in the
external and internal business environment, and the organisation's objectives. To achieve this, the
CAE should refer to the organisation's strategy formulation, goal and objective setting, and strategic
planning documents as a starting point for effective internal audit strategic planning.

Most internal audit functions have an established mission and vision that has developed over time and
is revisited periodically. As organisational goals, objectives and risks change, sometimes rapidly, the
internal audit function must respond proactively and continuously with planning that focuses on
protecting and enhancing current value as well as delivering future value to the organisation. The
internal audit function's current and future mandate must always align with its mission and vision so
that it can provide value-added services and proactive contributions on strategic risk, going beyond
simple execution of the audit plan and beyond the expectations of the Board of Directors and
management.

ii. Consider the International Professional Practices Framework (IPPF)


The professionalism of internal auditors and the internal audit function is reflected in how fully they
implement the IPPF. The CAE should be well versed in the IPPF and consider its requirements and
guidance when developing the internal audit strategic plan. The values that the personnel in charge of
all internal audit activities should adopt are contained in the IPPF's Standards and Code of Ethics
(along with their organisation's own values).

iii. Understand Stakeholder Expectations


Understanding stakeholders' expectations and needs is critical in developing the internal audit strategic
plan. It is important to include key internal and external stakeholders (e.g. board members, senior
management, external auditors and regulators). Normally the CAE engages senior management, such
as the chief executive officer (CEO), and the Audit Committee when identifying the organisation's
needs. The internal audit function must understand what its stakeholders expect it to do, and how and
where. The CAE should communicate directly with each key stakeholder to understand his or her
expectations of the internal audit activity, which enables the internal audit function to add value to
the organisation.

iv. Update the Internal Audit Vision and Mission


The strategic plan is the means by which the internal audit activity's vision and mission are pursued.
The CAE should develop and update the vision and mission statements based on stakeholders'
expectations and IIA guidance. In writing these statements, it is important to recognise that internal
audit cannot be all things to all people. The CAE therefore has to make tough choices, recommending
to the Board of Directors what should be pursued and what should not.

v. Define the Critical Success Factors
Identifying the critical success factors (CSFs) allows the internal audit function to select the limited
number of elements required to achieve its vision and mission. These factors provide the internal audit
function with the essential elements that all major initiatives should be vetted against to ensure that
resources are directed to the most important activities. Three questions that may be helpful in identifying
the CSFs are:
 Positioning — Is the internal audit status and activity strategically positioned in an organisation
(e.g. respected, appreciated) and supported?
 Processes — Does the internal audit activity enable an ingenious, innovative, dynamic, efficient
and effective process in meeting the organisation’s objectives?
 People — Does the internal audit activity have the capability and right people to deliver its
mission?

The CSFs need to be carefully monitored to ensure that management gives them continuous
attention.

vi. Perform a Strengths, Weaknesses, Opportunities and Threats (SWOT) Analysis


Performing an assessment on the current and future state of the internal audit activity will help identify
what should be incorporated into a strategic plan. One technique is to perform a strengths, weaknesses,
opportunities and threats (SWOT) analysis against the vision, mission, and critical success factors. The
aim of any SWOT analysis is to identify the key internal and external factors that are important in
achieving the strategy.

vii. Identify Key Initiatives


Based on the results of the SWOT analysis, it is possible to identify and prioritise the key initiatives
that have a significant impact in achieving the internal audit activity’s critical success factors and
therefore, its vision and mission statements. For each initiative, it is valuable to identify a timeline for
implementation, the desired objectives, the performance measurements (qualitative and quantitative),
and the associated SWOT elements.

Apart from the above steps, the further activities shown in Figure 6.3 below should be carried out in
producing the internal audit strategic plan. The plan can be formulated for five years, three years or any
other period, depending on the internal audit function's needs.

Figure 6.3 An Internal Audit Strategic Planning Process

Risk-Based Internal Auditing

The IIA defines RBIA as a methodology that the internal audit function uses to link internal audit to
an organisation's overall risk management framework and processes. It also aims to provide assurance
to the Board of Directors that risks are being managed effectively, in line with the organisation's risk
appetite. This means that the risk management processes the organisation develops and embeds to
manage risks are working effectively and efficiently and have reached a level considered acceptable by
the Board of Directors.

RBIA is a relatively new approach at the leading edge of internal audit practice. It expresses the
transition of internal audit from reviewing past activities to managing future risk. The approach is still
evolving, and the best way to implement it is still being refined. In general, not all organisations are
ready for RBIA: each organisation is different, with a different risk appetite, attitude to risk, risk
structure, risk processes, risk framework, risk model and risk system. Proficient internal auditors need
to adapt to these differences, that is, to the different levels of maturity (see Figure 6.4), practice, culture
and effectiveness of their organisation's risk management process, in order to implement RBIA. If the
risk management process and framework is naive, poor or does not exist, the organisation is not ready
for RBIA. Internal auditors in such an organisation should instead promote good risk management
practice to improve the maturity and effectiveness of the risk management and internal control
processes. In practice, organisations that have reached the risk defined level (the third level) enable
their internal audit function to use the RBIA approach in the internal audit process. If RBIA is
relatively new to an organisation, the CAE needs to promote the concept to the Board of Directors and
management and win their support for building effective risk management practice.

Risk Maturity: Risk Naive
Key Characteristics: No formal approach developed for risk management
Internal Audit Approach: Promote risk management and rely on audit risk assessment

Risk Maturity: Risk Aware
Key Characteristics: Scattered silo-based approach to risk management
Internal Audit Approach: Promote an enterprise-wide approach to risk management and rely on audit risk assessment

Risk Maturity: Risk Defined
Key Characteristics: Strategy and policies in place and communicated. Risk appetite defined
Internal Audit Approach: Facilitate risk management/liaise with risk management and use management's assessment of risk where appropriate

Risk Maturity: Risk Managed
Key Characteristics: Enterprise-wide approach to risk management developed and communicated
Internal Audit Approach: Audit risk management processes and use management's assessment of risk as appropriate

Risk Maturity: Risk Enabled
Key Characteristics: Risk management and internal control fully embedded into the operations
Internal Audit Approach: Audit risk management processes and use management's assessment of risks as appropriate

(Source: Position Statement on Risk-Based Internal Audit, The Institute of Internal Auditors, UK and Ireland)

Figure 6.4 Levels of Risk Management Maturity and the Internal Audit Approach

The implementation of RBIA is based on the assumptions that (a) audit resources are limited, (b)
auditable units are subject to different risks, and (c) auditable units differ in their relative importance.
By implementing RBIA effectively, the internal audit function and the organisation should experience
the following advantages:

 RBIA links the internal audit plan with the enterprise risk assessment, the strategic objectives, the
expectations of the Board of Directors and management, and management's performance measures and
reward systems
 RBIA is a simple concept, yet it provides integration and unity, so that the recommendations made
can be traced
 The organisation buys in to the audit process because it matches what the Board of Directors and
management have in mind; auditors and managers now speak the same language
 The resources needed can be justified
 The work is more challenging and interesting for internal auditors
 RBIA is more efficient, as it directs audits at the high-risk areas
 RBIA can rank recommendations to provide the greatest value added in terms of the risks mitigated
 RBIA highlights risks that are over-controlled, improving efficiency

Through RBIA the internal audit function can also give the Board of Directors assurance that:
 The responses to risks are effective but not excessive in managing inherent risks within the risk
appetite
 Where residual risks are not in line with the risk appetite, action is being taken to remedy that
 Risk management processes, including the effectiveness of responses and the completion of
actions, are being monitored by management to ensure they continue to operate effectively
 Risks, responses and actions are being properly classified and reported

Risk-Based Audit Planning

An effective internal audit function can be achieved through a well-developed audit planning using
RBIA methodology. RBIA refers to a methodology that links the overall audit process such as planning,
performing and reporting to the risk management framework of the organisation. This methodology
enables the internal audit function to address prioritised areas of the organisation, which are aligned to
its strategic objectives. Planning is the process where risk management techniques should be embedded.

The internal audit activity’s plan of engagements must be based on a documented risk assessment,
undertaken at least annually. The input of senior management and the Board of Directors must be
considered in this process. As depicted in Figure 6.3, the CAE and the internal audit function teams
need to identify organisational objectives and assess the risk priorities based on risk registers maintained
by the management. In the absence of a risk management function in the organisation, internal audit
function may need to identify the risks with the input from senior management and the Board of
Directors. The link between the risk assessment and strategic objective processes is described
schematically in Figure 6.5.

Audit planning at the macro level (the annual audit plan for the entire organisation) shows the important
links among the strategic planning process, the risk universe and the audit universe. The risk universe
is derived from the strategic plan using risk management techniques, and the audit universe is in turn
derived from the risk universe; the key insight is that the audit universe therefore contains the essential
elements needed to support the overall business plan. Parallelism is the key: the organisation is run
through annual business plans and the internal audit function through annual audit plans. RBIA allows
risk factors to be derived directly from the business process rather than from the audit process. It thus
links the annual business plan and the annual audit plan, ensuring that current (not past) risks are
addressed and that the greatest current and future value is extracted from the internal audit process.

Figure 6.5 underscores the essential communication between strategic plans and audit universe plans as
well as operational business plans and annual audit plans. The significant outcome is the direction of
interaction and the content of that communication. The strategic planning process drives the audit
universe, and the audit universe contains the strategic elements of the organisation.

RBIA uses risk scenarios in developing the macro risk assessment and the annual audit plan; this is
vital because it allows qualitative and quantitative data to be combined in imaginative ways.
Traditionally, most audit schedules have been cyclical, including many that claim to be risk based,
which is inconsistent with a risk-based approach. RBIA offers creative ways to deal with this problem.
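The following is an added example, written for this chapter rather than taken from the IIA, the authors or any organisation's own tooling, of how the three RBIA assumptions above (limited audit resources, units that carry different risks, units of different importance) turn into a ranked annual audit plan rather than a cyclical schedule. It also picks out the over-controlled units that RBIA is meant to highlight. The auditable units, their 1-to-5 scores, the control-maturity discount, the uplift for areas of concern raised by management, and the 1,200-hour budget are all constructed sample data and assumed formulas, not figures from the text.

```python
"""Risk-based annual audit planning: rank an audit universe by residual risk and
fill a fixed hours budget in that order.

Illustrative code added for this chapter; it is not IIA, textbook or any
organisation's code. The auditable units, their 1-5 scores, the maturity
discount, the management-concern uplift and the 1,200-hour budget are all
constructed sample data and assumptions, not figures from the text."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), from the risk register
    impact: int              # 1 (minor) .. 5 (severe)
    control_maturity: int    # 1 (no controls) .. 5 (fully embedded); discounts inherent risk
    hours: int               # estimated engagement effort
    management_concern: bool = False  # special area of concern raised by the Board/CEO


def inherent_score(u: AuditableUnit) -> int:
    """Inherent risk before controls: likelihood x impact, range 1..25."""
    return u.likelihood * u.impact


def residual_score(u: AuditableUnit) -> float:
    """Residual risk used for ranking (assumed formula, not from the text).

    Control maturity 1..5 is mapped to a factor 1.0..0.2, so weak controls leave
    the inherent score untouched and strong controls retain only 20% of it.
    A flat +5 uplift keeps Board/management requests visible in the ranking."""
    factor = 1.0 - (u.control_maturity - 1) * 0.2
    score = inherent_score(u) * factor
    if u.management_concern:
        score += 5.0
    return round(score, 2)


def rank_universe(units: Sequence[AuditableUnit]) -> List[AuditableUnit]:
    """Highest residual risk first; name breaks ties so the order is stable."""
    return sorted(units, key=lambda u: (-residual_score(u), u.name))


def build_annual_plan(units: Sequence[AuditableUnit], budget_hours: int
                      ) -> Tuple[List[AuditableUnit], List[AuditableUnit]]:
    """Greedy selection: walk the ranked universe and take every unit that still
    fits in the remaining budget. Units that do not fit are returned as
    'deferred' so the CAE can report the uncovered risk rather than hide it."""
    planned: List[AuditableUnit] = []
    deferred: List[AuditableUnit] = []
    remaining = budget_hours
    for u in rank_universe(units):
        if u.hours <= remaining:
            planned.append(u)
            remaining -= u.hours
        else:
            deferred.append(u)
    return planned, deferred


def over_controlled(units: Sequence[AuditableUnit],
                    max_inherent: int = 6, min_maturity: int = 4) -> List[AuditableUnit]:
    """Low inherent risk but heavy controls: candidates for simplification."""
    return [u for u in rank_universe(units)
            if inherent_score(u) <= max_inherent and u.control_maturity >= min_maturity]


# Constructed sample audit universe (not real data).
SAMPLE_UNITS = (
    AuditableUnit("Payroll", 3, 4, 4, 200),
    AuditableUnit("Privileged access management", 4, 5, 2, 300),
    AuditableUnit("Vendor onboarding", 4, 3, 3, 250, management_concern=True),
    AuditableUnit("Treasury", 2, 5, 5, 150),
    AuditableUnit("Backup and recovery", 3, 5, 2, 400),
    AuditableUnit("Fixed assets", 2, 2, 4, 120),
    AuditableUnit("Cloud configuration", 5, 4, 1, 350),
)
SAMPLE_BUDGET_HOURS = 1200


if __name__ == "__main__":
    planned, deferred = build_annual_plan(SAMPLE_UNITS, SAMPLE_BUDGET_HOURS)
    print("Planned engagements:")
    for u in planned:
        print(f"  {u.name:<30} residual={residual_score(u):>5}  hours={u.hours}")
    print("Deferred (report as uncovered risk):")
    for u in deferred:
        print(f"  {u.name:<30} residual={residual_score(u):>5}  hours={u.hours}")
    print("Over-controlled candidates:", [u.name for u in over_controlled(SAMPLE_UNITS)])
```

With the sample data the plan takes Cloud configuration, Privileged access management, Vendor onboarding and Payroll (1,100 of the 1,200 hours). Backup and recovery scores higher than Payroll but its 400-hour estimate no longer fits once the top three are in, so the greedy pass defers it; that is exactly the kind of uncovered high-risk area the CAE must report to the Board and management when presenting the plan, rather than silently carrying it to the next year. Fixed assets is flagged as over-controlled (inherent score 4 with maturity 4), the case the bullet list above describes where RBIA can recommend removing controls to improve efficiency.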

(Source: Position Statement on Risk-Based Internal Audit, The Institute of Internal Auditors, UK and Ireland)

Figure 6.5 Risk Assessment and Strategic Objectives

Engagement Planning

At the individual engagement level, the internal auditor must establish what is going to be audited
(planning), carry out the approved plan (performing), and communicate the results (reporting). Before an
audit engagement starts, planning documents stating the engagement objectives must be prepared. The
engagement file, which begins with these planning documents and is completed by the working papers,
should contain:
 Relevant information relating to the individual audit engagement;
 The timing and quantity of resources required for the engagement;
 Results of the reviews;
 Details of transaction testing performed; and
 Conclusions reached in regard to the stated objectives of the audit engagement.

Figure 6.6 Flow Chart of Internal Auditing Planning Process Using RBIA

Internal auditors must develop and document a plan for each engagement, including the engagement’s
objectives, scope, timing, and resource allocations.

An audit engagement refers to an individual audit assignment for each of the activities included in the
annual audit plan. The activities could comprise an audit, review, fraud investigation or consultancy,
each of which requires an engagement plan to be drawn up. There are four aspects that need to be
considered when preparing the plan for an engagement:

 The objectives of the activity being reviewed and the means by which the activity controls its
performance;
 The significant risks to the activity, its objectives, resources, and operations and the means by
which the potential impact of risk is kept to an acceptable level;
 The adequacy and effectiveness of the activity’s governance, risk management, and control
processes compared to a relevant framework or model; and
 The opportunities for making significant improvements to the activity’s governance, risk
management, and control processes.

The engagement plan must also outline the timing and resource allocation for the entire audit.

Engagement Objectives and Scope


Each engagement requires clear objectives to ensure effectiveness and efficiency. The objectives define
what the engagement needs to achieve and its deliverables. Besides the objectives, the engagement plan
also needs to define the scope, that is, what the engagement will and will not cover.

In setting the objectives, the following factors need to be taken into consideration:

 Understanding of the auditee, so that the engagement objectives capture meaningful areas that add
value to the auditee's operations and ultimately enhance the governance, risk management and control
of the organisation. To do so, the auditor conducts a preliminary survey to gather information about
the auditee, including the organisational chart, policies and procedures, process maps and so on.
 A preliminary assessment of the risks relevant to the activity under review, aligned to the
engagement objectives.
 The probability of significant errors, fraud, non-compliance and other exposures.
 Criteria that can adequately evaluate governance, risk management and controls. Internal auditors
must ascertain the extent to which management and/or the Board of Directors has established
adequate criteria to determine whether objectives and goals have been accomplished. If the criteria
are adequate, internal auditors must use them in their evaluation; if not, internal auditors must work
with management and/or the Board of Directors to develop appropriate evaluation criteria.
 For consulting engagements, the objectives must address governance, risk management and control
processes to the extent agreed upon with the client, and must be consistent with the organisation's
values, strategies and objectives.

In determining the scope, auditors must take into consideration the relevant systems, records, personnel
and physical properties, including those under the control of third parties to ensure that the scope can
adequately address the engagement objectives.

In performing consulting engagements, internal auditors must ensure that the scope of the engagement
is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the
scope during the engagement, these reservations must be discussed with the client to determine whether
to continue with the engagement. In addition, during consulting engagements internal auditors must
address controls consistent with the engagement’s objectives and be alert to significant control issues.

Risks and Control Assessments

Risk assessment has become an important method for guiding audits, developing effective audit
plans and providing strategic direction for limited resources. The internal audit activity should assist
the organisation by identifying and evaluating significant exposures to risk and contributing to the
improvement of risk management and control systems.

The auditor must perform a preliminary risk assessment, and consider the probability of significant
errors, fraud, non-compliance and other exposures, during the audit planning process. The result of the
assessment will influence the objectives set for the engagement as well as the audit plan. The risks that
auditors should be concerned with are those that threaten the achievement of the auditee’s objectives
as a whole.

Auditors may find it very useful if auditees have their own risk management information that auditors
can use as a reference. Such information includes:

 The reliability of the management’s assessment of risk.
 The management’s process for monitoring, reporting and resolving risk and control issues.
 The management’s reporting of events that exceeded the limits of the organisation’s risk appetite
and responses to those reports.
 Risks in related activities relevant to the activity under review.

Risk assessment involves gauging two dimensions of risk: the likelihood of the risk occurring and the
impact on the objectives if the risk does occur. The levels of likelihood and impact can be set based
on five or seven criteria depending on the management’s judgement. Table 6.1 illustrates example
criteria for assessing the level of likelihood and impact.

Assessing risks by identifying likelihood and consequence helps internal audit to draw up the risk
scoring matrix, which combines both factors and identifies whether the risk is low, medium or high (see
Table 6.2). Further, internal audit needs to evaluate how management plans to respond to the risks
identified. Risks need to be mitigated with an adequate control mechanism to prevent them from
occurring. However, there are certain risks that management can take and accept at their assessed levels
(tolerated risks). Risks that exceed management’s risk tolerance threshold must be mitigated to an
acceptably low level, for example by avoiding the risk (disbanding the activities that give rise to it),
sharing the risk (transferring some of it to an insurance company) or reducing the risk (implementing
control activities designed to lower its impact, likelihood or both).

Subsequent to the risk assessment, internal audit needs to assess the existence and adequacy of controls
to determine whether the controls can mitigate (stop) the risks from occurring, as shown in Table 6.3.

Table 6.1 Example of Criteria to Assess Level of Likelihood and Impact

Likelihood Assessment of Risk
  A: Several times a day      A  Almost Certain
  B: Every day                B  Likely
  C: Several times a year     C  Probable
  D: Once a year              D  Unlikely
  E: Once in 10 years         E  Rare

Consequence Assessment
  1  Negligible:   The impact poses no threat and only requires routine procedures to deal with it.
  2  Minor:        The impact would threaten a minor aspect of the area’s operations but it would not
                   affect the overall performance of the area.
  3  Moderate:     The impact would not threaten the area’s key objectives, but subject it to significant
                   review or change the area’s function.
  4  Major:        The impact would threaten the area’s key objectives.
  5  Catastrophic: The impact would stop the area from reaching its key objectives.

Table 6.2 Example of Risk Scoring Matrix

                               CONSEQUENCE
LIKELIHOOD    1            2            3            4            5
A             Significant  Significant  High         High         High
B             Moderate     Significant  Significant  High         High
C             Moderate     Moderate     Significant  High         High
D             Low          Moderate     Moderate     Significant  High
E             Low          Low          Moderate     Significant  High

Table 6.3 Individual Controls Effectiveness Measures

RCE             Guide
Good            Nothing more to be done except review and monitor the existing controls. Controls
                are well designed for the risk to address the root causes and management believes
                that they are effective and reliable at all times.
Satisfactory    Most controls are designed correctly and are in place and effective. Some work needs
                to be done to improve operating effectiveness, or management has doubts about
                operational effectiveness and reliability.
Poor            While the design of controls may be largely correct in that they treat most of the
                root causes of the risk, they are not currently very effective.
                Or
                Some of the controls do not seem to be correctly designed in that they do not treat
                root causes; those that are correctly designed are operating effectively.
Very poor       Significant control gaps. Either controls do not treat root causes or they do not
                operate effectively at all.
Uncontrolled    Virtually no credible control. Management has no confidence that any degree of
                control is being achieved due to poor control design and/or very limited operational
                effectiveness.
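The likelihood and consequence scales of Table 6.1 and the scoring matrix of Table 6.2 can be applied mechanically once they are written down as data. The following Python script is an added example, not code from the module or its authors: it encodes both tables, scores a risk register and separates the risks that exceed a stated tolerance level. The risk names, likelihood codes and consequence scores in the sample register are constructed for illustration.

```python
"""Risk scoring with the likelihood and consequence scales of Tables 6.1 and 6.2.

Added example, not code from the module. The two tables are encoded as data so
that a (constructed) risk register can be scored and ranked consistently.
"""
from dataclasses import dataclass

# Table 6.1 likelihood levels: code -> (description, typical frequency)
LIKELIHOOD = {
    "A": ("Almost Certain", "Several times a day"),
    "B": ("Likely", "Every day"),
    "C": ("Probable", "Several times a year"),
    "D": ("Unlikely", "Once a year"),
    "E": ("Rare", "Once in 10 years"),
}

# Table 6.1 consequence levels: score -> description
CONSEQUENCE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Table 6.2 risk scoring matrix: row = likelihood code, column index = consequence - 1
MATRIX = {
    "A": ["Significant", "Significant", "High", "High", "High"],
    "B": ["Moderate", "Significant", "Significant", "High", "High"],
    "C": ["Moderate", "Moderate", "Significant", "High", "High"],
    "D": ["Low", "Moderate", "Moderate", "Significant", "High"],
    "E": ["Low", "Low", "Moderate", "Significant", "High"],
}

# Ratings from least to most serious; used for ranking and tolerance checks
RATING_ORDER = ["Low", "Moderate", "Significant", "High"]


def score_risk(likelihood: str, consequence: int) -> str:
    """Return the Table 6.2 rating for a likelihood code and consequence score."""
    code = likelihood.upper()
    if code not in MATRIX:
        raise ValueError(f"likelihood must be one of {sorted(MATRIX)}, got {likelihood!r}")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"consequence must be 1..5, got {consequence!r}")
    return MATRIX[code][consequence - 1]


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: int

    @property
    def rating(self) -> str:
        return score_risk(self.likelihood, self.consequence)


def rank_risks(register):
    """Sort a register from highest to lowest rating; equal ratings keep input order."""
    return sorted(register, key=lambda r: RATING_ORDER.index(r.rating), reverse=True)


def risks_above_tolerance(register, tolerance: str = "Moderate"):
    """Risks rated above management's tolerance level need treatment
    (avoid, share or reduce) rather than acceptance."""
    limit = RATING_ORDER.index(tolerance)
    return [r for r in register if RATING_ORDER.index(r.rating) > limit]


# Constructed payroll risk register used for illustration only.
SAMPLE_REGISTER = [
    Risk("Timesheet misfiled", "D", 1),
    Risk("Payroll master file altered without authorisation", "E", 5),
    Risk("Payment to a non-existent employee", "D", 4),
    Risk("Hours keyed incorrectly", "B", 1),
]

if __name__ == "__main__":
    for risk in rank_risks(SAMPLE_REGISTER):
        desc, _freq = LIKELIHOOD[risk.likelihood]
        print(f"{risk.rating:<12} {risk.name} ({desc}; {CONSEQUENCE[risk.consequence]})")
    print("Above tolerance:", [r.name for r in risks_above_tolerance(SAMPLE_REGISTER)])
```

Keeping the matrix as data rather than as nested conditions means a change in management’s judgement (for example a seven-level scale) is a change to one table, and the rejection of out-of-range codes stops a mistyped register entry from silently scoring as a different risk.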

When carrying out risk and control assessments, there are a few types of audit tests that are normally
carried out by auditors (subject to the respective audit environment), such as:

 Walk-through test
As the name suggests, this test aims to explore, step by step, the process carried out by the auditee for
a specific operational task. It gives first-hand, experiential and comprehensive knowledge of how a
particular task is performed as well as who the persons in charge are. This process enables the auditor
to draw up a flowchart of the process if the auditee has not developed their own. In some cases the
auditee may already have a flowchart, which the auditor can use to review the control implementation
during the walk-through test.
 Internal Control Questionnaires (ICQ)
An ICQ comprises questions that test the adequacy of controls within the process or tasks under review.
The questions should, where possible, be phrased so that only a ‘yes’ or ‘no’ answer is required, so as
to promote consistency in the answers received. The advantage of using a questionnaire is that it acts as
a checklist covering all aspects of a normal internal control structure. However, auditors also need to be
careful when relying on an ICQ to form a judgement on controls, because the questionnaire approach
can omit highly unusual areas that are not part of a standard internal control structure.

Creating a Test Plan and a Work Program

Based on the risk and control assessment that is performed, the next step is to create a test plan to
enable specific focus in addressing the scope and objectives. The test plan will be translated into a
work program, which will provide further details on objectives and audit procedures. A test plan
represents the strategy to collect evidence for a particular engagement. It includes nature and timing
of the audit work to be carried out for the related audit/control objectives. It may also indicate the
required time to be spent for the engagement.

The test plan that is prepared will be used as a basis for developing a work program. The internal
auditors must develop and document work programs that achieve the engagement objectives. The work
program includes methodologies to be used, such as technology-based audit and sampling techniques.

Generally, a work program includes the following details:

 Objectives
 Reference documents, if any (for example COSO, SOP)
 Date of work being performed
 Allocation of the task to individual auditors
 The person performing the work
 Detailed audit procedures and evidence collected
 Quantifying how long a task should take to execute
 Additional notes

It is important to note that in an RBIA methodology, an audit work program is developed for a
particular audit engagement based on the risk and controls assessment, unlike a compliance-based or
procedure-based audit where programmes may be standardised.

Resource Allocation

Resource allocation is the process of determining what should be done, how, where and when it should
be done, and who should do it. Managing and allocating resources for the internal audit activity with
regard to timing, staff and priorities of work procedures is therefore very important for achieving an
effective audit. In this respect, the internal audit function must ensure efficient and effective management
of internal audit resources such as time, finance, people, capacity, intellectual property, skills, talents,
tools and techniques. This is crucial to ensure that all planned work is of high priority and that audit
resources are used in the best possible way.

Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives
based on an evaluation of the nature and complexity of each engagement, time constraints and available
resources. At the individual engagement level, resource allocation refers to activities such as allocating
the number of staff to each assignment and the time allocated to each staff member, determining the
knowledge, skills and experience of the staff, identifying training requirements (if needed) and any
other external resources that need to be obtained.

In determining the number of staff and the time allocated, it is important to evaluate the nature and
complexity of the engagement as well as the availability of resources. It is also important to consider
staff competency when allocating resources to the engagement. Competency includes the experience as
well as knowledge and expertise to perform the planned audit tests in order to achieve the audit
objective. For example, if the engagement is related to an information technology (IT) audit, the staff
assigned must possess knowledge in the area of IT. If required competency is not currently available,
training should be considered to supplement the current knowledge and skills of the staff.

Documentation and Communication

The engagement plan needs to be clearly documented and approved at the appropriate levels.
Documentation is in fact required throughout the overall audit process. The well-documented plan
should be made available to the staff involved in the engagement to ensure that everyone understands
the objectives, scope, test plan, resource allocation and the expected output.

In summary, the engagement plan is the document that sets the direction for a specific engagement. It
includes key elements such as the following:

 Planned engagement objectives and scope of work
 Preliminary assessment of risks and controls
 The timing of the engagement work
 Internal auditors assigned to the engagement
 The process of communicating throughout the engagement, including the methods, time frames and
the person in charge
 Business conditions and operations of the activity being reviewed, including recent changes in
management or major systems
 Concerns or any requests by the Audit Committee/management
 Audit strategy and test plan

Performing the Engagement

Performing the engagement involves the internal auditors carrying out the engagement tests outlined in
the planning phase and evaluating and documenting the results. Internal audit customers are kept
informed of the engagement process through regular status meetings. Internal auditors normally discuss
audit observations, potential findings and recommendations with the internal audit customers as they are
identified. The type of information required and the analysis applied may depend on whether the
engagement is designed to provide assurance services or consulting and advisory services.

The performance of an internal audit engagement involves collecting data and information for the
purpose of meeting the engagement objectives; in doing so, internal auditors should consider the
expectations of the Board of Directors and senior management. It also involves substantial field work.
Internal auditors must identify, analyse, evaluate and document sufficient information to achieve the
engagement’s objectives. The process is guided by the audit strategy and the test plan documented
during audit engagement planning and is executed by the assigned audit team.

Identifying and Collecting Information

Identifying information explains that internal auditors must identify sufficient, reliable, relevant and
useful information to achieve the engagement’s objectives. Sufficient information is factual, adequate,
and convincing so that a prudent, informed person would reach the same conclusions as the auditor.
Reliable information is the best attainable information through the use of appropriate engagement
techniques. Relevant information supports engagement observations and recommendations and is
consistent with the objectives of the engagement. Useful information helps the organisation to meet its
goals. Thus, engagement information should be collected and documented in such a way that a prudent,
informed person, such as another internal auditor or an external assessor, could repeat the engagement
and achieve an outcome that confirms the internal auditor’s results and logically leads to the same
conclusions.

Information or evidence collection activity is also known as audit procedures. Details of the procedures
that need to be carried out are documented in the audit work program. The information gathering process
generally involves the activities listed in Table 6.4 where examples are also given.

Applicability and usage of the above methods in collecting information depends on the type of
engagement to be carried out. For example, if the engagement relates to assessing IT controls, most
likely Computer-Assisted Audit Techniques (CAATs) will be used as the primary information
collection procedure.

Analysing and Evaluating Information

Internal auditors’ approach to analysis and evaluation of information often includes a combination of
manual audit procedures and CAATs. During this process, one very important consideration is to
ensure the sufficiency, relevancy and reliability of information collected. Sufficiency refers to
the adequacy of information to enable auditors to make assessment and judgement on achievement
of the scope and objectives of the audit. Relevance refers to the applicability of the information in
context to the particular engagement while reliability refers to the accuracy and objectivity of the
information. In addition, reliability of information depends on the information provider. Information
from external independent third party (such as confirmation) is more reliable than information generated
and provided by the auditee.

Table 6.4 Activities of the Information Gathering Process

Activities                                  Detailed examples
Interviewing or conducting inquiry          Discuss with the payroll manager on payroll calculation.
Verifying or vouching                       Review the payroll payment instruction letter sent to the bank.
Observation                                 Observe employees clocking in attendance.
Re-performance/Recalculation                Recalculate the amount of tax deduction.
Questionnaires                              Issue a survey on employee satisfaction.
Analytical procedures                       Calculate the ratio on total monthly tax deduction for 12 months.
Computer assisted audit techniques (CAATs)  Use audit software to reconcile the payroll file and the
                                            employee master file.
Physical inspection                         Test drive the company car used by the chief executive officer
                                            to ensure that it is in good condition.
Review of published reports or minutes      Review minutes of meetings to identify decisions on bonuses
                                            for the year.
Confirmation                                Send letters to employees who took a company car loan to
                                            confirm the loan balance due.
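Two of the Table 6.4 procedures, the CAAT reconciliation of the payroll file against the employee master file and the analytical procedure on monthly tax deductions, can be carried out with a short script rather than a commercial audit package. The following Python code is an added example and is not the module’s own code or an extract from any audit software: the file layouts, employee IDs, periods, amounts and exception labels are all constructed for illustration, and the reconciliation answers the payroll audit objective that only legitimate employees are paid at the authorised rate.

```python
"""Reconciling a payroll file with the employee master file, plus one analytical
procedure, in the style of the CAATs and analytical procedures of Table 6.4.

Added example, not the module's own code. All file layouts, employee IDs,
periods and amounts below are constructed for illustration.
"""
import csv
import io
from statistics import median

# Constructed employee master file: who may be paid, and at what authorised rate.
MASTER_CSV = """emp_id,name,status,authorised_monthly_pay
E001,Alice Tan,ACTIVE,5200.00
E002,Bob Lim,ACTIVE,4100.00
E003,Chen Wei,TERMINATED,3900.00
E004,Dina Rahman,ACTIVE,6100.00
"""

# Constructed payroll file for one pay run.
PAYROLL_CSV = """emp_id,period,gross_pay,tax_deduction
E001,2023-03,5200.00,520.00
E002,2023-03,4600.00,460.00
E003,2023-03,3900.00,390.00
E009,2023-03,4800.00,480.00
"""

# Constructed monthly totals: (period, total gross pay, total tax deducted).
MONTHLY_TOTALS = [
    ("2022-04", 80000.0, 8000.0), ("2022-05", 80000.0, 8000.0),
    ("2022-06", 82000.0, 8200.0), ("2022-07", 82000.0, 8200.0),
    ("2022-08", 83000.0, 8300.0), ("2022-09", 83000.0, 8300.0),
    ("2022-10", 83000.0, 8300.0), ("2022-11", 84000.0, 5880.0),
    ("2022-12", 84000.0, 8400.0), ("2023-01", 85000.0, 8500.0),
    ("2023-02", 85000.0, 8500.0), ("2023-03", 85000.0, 8500.0),
]


def load_rows(csv_text: str):
    """Parse CSV text into a list of dict rows (one per data line)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile_payroll(master_rows, payroll_rows, tolerance: float = 0.01):
    """Return (emp_id, exception) pairs for payroll lines that fail the master file test.

    Exception labels are constructed for this example:
      NOT_IN_MASTER    paid ID has no master record (a possible ghost employee)
      TERMINATED_PAID  master status is not ACTIVE
      RATE_MISMATCH    gross pay differs from the authorised monthly pay
    """
    master = {row["emp_id"]: row for row in master_rows}
    exceptions = []
    for line in payroll_rows:
        emp = master.get(line["emp_id"])
        if emp is None:
            exceptions.append((line["emp_id"], "NOT_IN_MASTER"))
            continue  # no authorised rate to compare against
        if emp["status"] != "ACTIVE":
            exceptions.append((line["emp_id"], "TERMINATED_PAID"))
        authorised = float(emp["authorised_monthly_pay"])
        if abs(float(line["gross_pay"]) - authorised) > tolerance:
            exceptions.append((line["emp_id"], "RATE_MISMATCH"))
    return exceptions


def tax_ratio_outliers(monthly_totals, threshold: float = 0.02):
    """Analytical procedure: flag months whose tax/gross ratio moves more than
    `threshold` away from the 12-month median ratio."""
    ratios = {period: tax / gross for period, gross, tax in monthly_totals}
    typical = median(ratios.values())
    return [period for period, ratio in ratios.items() if abs(ratio - typical) > threshold]


if __name__ == "__main__":
    for emp_id, issue in reconcile_payroll(load_rows(MASTER_CSV), load_rows(PAYROLL_CSV)):
        print(f"{emp_id}: {issue}")
    print("Months to investigate:", tax_ratio_outliers(MONTHLY_TOTALS))
```

Each exception is a lead to be followed up with the procedures in the same table (inquiry with the payroll manager, vouching to the authorised rate change, confirmation with the employee), not a conclusion on its own; the median-based ratio test is deliberately insensitive to a single unusual month so that the one anomalous month stands out rather than shifting the baseline.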

Documenting the Information Collected

All the information collected needs to be properly documented to ensure compliance with IPPF
standards and for the benefit of future reference and knowledge management. The CAE usually
establishes a common approach to workpaper documentation in the internal audit activity’s policies and
procedures guide. Internal auditors must document relevant information to support the conclusions and
engagement results.

The documentation is commonly termed audit working papers and is kept either manually or in
electronic form. An important aspect of audit evidence is the auditors’ use of the working papers to
record the procedures applied, tests performed, information obtained and conclusions reached during
the course of the audit. Working papers, which are the property of the auditors, assist them in the
planning, design and performance of the audit work. Working papers also facilitate the supervision
of assistants and the review of work carried out. The fact that working papers provide evidence that the
work has been carried out with due care and skill has legal significance. All matters that require
judgement, such as the evaluation of internal control and any conclusions drawn about its “quality”,
should be explained and included in the working papers.

The form and content of the working papers depend on the requirements, nature and conditions of the
audit engagement. More detailed working papers may be required for a large, complex audit where
several audit assistants are employed.

The contents of working papers used by the auditor vary depending on the type of audit engagement,
the nature and complexity of the entity environment, and the form of the auditor’s report. Generally,
the audit work papers would contain the following elements.

Audit Plan
Working papers should contain evidence that the auditor has developed a plan for the whole audit
engagement. This includes information on any special audit procedures, any unusual circumstances and
the nature of any special reports to be rendered. An audit programme should also be included showing
the audit procedures and other supplementary information, such as flowcharts and organisation charts,
that have helped shape the course of the examination.

Narrative Summaries
All information gathered through inquiry, confirmation, inspection and any other methods of enquiry,
along with the conclusions reached, is recorded in narrative summaries. These summaries are normally
prepared by the supervisor in charge of the audit engagement and are reviewed by the Chief Audit
Executive (CAE) or the head of internal audit.

Supporting Documents
Auditors prepare various types of schedules or summaries in support of specific work performed. Risk
and control assessments, and documents and analyses produced using generalised audit software, are a
couple of examples.

Evaluation and Conclusion

In an RBIA, all collected information that constitutes evidence is corroborated and evaluated against
the risks to achieving the audit objectives. Corroborating means bringing together facts from various
types of evidence that support each other to form one solid conclusion. In short, it is like putting
together a jigsaw puzzle.

The internal auditors must base conclusions and engagement results on appropriate analysis and
evaluations. The standard does not elaborate further on methods and considerations during evaluation
and conclusion process. One good guidance is to identify requirements during the communication
process that enables a structured way of evaluating findings.

The engagement observations and recommendations emerge from a process of comparing criteria (the
correct state) with condition (the current state). Whether or not there is any difference, the internal
auditor would have a foundation on which to build the report. The internal audit final report is a principal
outcome in which internal auditors express their opinions, present the audit findings, and discuss
recommendations for improvements. To facilitate communication and ensure that the recommendations
presented in the final report are practical, Internal Audit discusses the rough draft with the client prior
to issuing the final report.

When conditions meet the criteria, it is then appropriate for internal auditors to reach an opinion that
performance of a particular task is satisfactory. Opinions and recommendations are based on the
following attributes:
 Criteria: The standards, measures, or expectations used in making an evaluation and/or verification
(the correct state).
 Condition: The factual evidence that the internal auditor finds in the course of the examination (the
current state).
 Cause: The reason for the difference between expected and actual conditions.
 Effect: The risk or exposure the organisation and/or others encounter because the condition is not
consistent with the criteria (the impact of the difference). In determining the degree of risk or
exposure, internal auditors must consider the effect of their engagement.

Further, when arriving at the conclusion, auditors should consider the following:
 whether the conclusion encompasses the entire scope or specific aspects of an engagement
 program objectives and goals
 to review alignment to organisational goals; whether the organisation’s objectives and goals are
being met
 whether the activity under review is functioning as intended
 an overall assessment of controls or area under review
 whether the scope is limited to specific controls or aspects of the engagement

In order to achieve the purpose of internal audit, which is to improve and add value to the
organisation’s governance, risk management and control processes, internal auditors need to develop
recommendations once conclusion is decided. The following are factors to consider when developing
recommendations:
 Recommendations should be specific to the problem and offer some alternatives or advice to solve it
 Avoid dictatorial connotations by using ‘should’, ‘ought’ or ‘must’
 Findings must be taken seriously by the management/auditee, who are nonetheless not always
obligated to accept the audit recommendations
 Recommendations should be suited to the auditee’s needs and considerations

A few pertinent questions should be answered in order to ensure that the recommendations being
developed enhance the effectiveness of the audit.

 Does the recommendation solve the problem, i.e. resolve the risk?
 Is the auditee capable of implementing the recommendation? Does the auditor have the necessary
expertise and technology?
 Is the recommendation compatible with the operations?
 Is the recommendation cost effective? Benefits versus costs.
 Does the recommendation represent a long term, short term or stopgap solution to the problem?

The illustration on how the above are applied during the evaluation is presented in Appendix 6.1
Performing an Audit on Payroll.

Communication

Internal auditors need to communicate the results of the audit engagement. It is interesting to note that
the standard does not explicitly use the word reporting but instead looks to a larger context, which is
communicating. Therefore, the communication of audit results may take several phases as well as use
several means, including a written report. Communication between the auditors and the auditee may
start as early as when preliminary or interim results are obtained and continue until the final conclusion
is reached and communicated to the auditee. It is also normal practice to issue an interim written report
before the final written report is presented, which in most cases is supplemented by a slide presentation.
Figure 6.7 illustrates the process of preparing an audit communication.

Figure 6.7 (flowchart, reconstructed here as the sequence of steps it shows):
1. Preparation of the initial draft of the report. Review and edit by members of the audit team.
2. Preparation of the revised audit report. Review and edit by the manager of the audit assignment.
3. Preparation of the second revision of the report. Review and edit by the head of the internal audit
department.
4. Preparation of the third revision of the report. Combined review and edit by the audit team leader,
manager and director.
5. Preparation of the ‘discussion draft’ of the report for review by auditee management. Review by
management and response provided on audit findings.
6. Preparation of the final draft of the audit report for distribution.
Figure 6.7 Process of Preparing an Audit Communication

The quality of communication is also very important in order to achieve an efficient outcome from
the audit. Clear presentation of the audit objectives, findings and recommendations will enable positive
understanding and response from the auditee and the management. Figure 6.8 shows the important
factors that influence the quality of communication.

Figure 6.8 Criteria of Quality Communication (diagram not reproduced in text; the labels recoverable
from it are ‘Quality’ and ‘Timely’)

The format of communication may vary from one engagement to another and may also depend on
whether a written report is prepared. In general, the following aspects must be included to ensure that
the above factors, which determine quality are taken into consideration.
 Executive summary or overview of the whole engagement
 The engagement’s objectives and scope
 Condition, criteria, effect, cause, observations
 Applicable conclusions
 Recommendations
 Action plans

Follow Up

A follow-up procedure is part of the monitoring process in which the CAE should establish and maintain
a system to monitor the disposition of results communicated to management. The CAE should establish
a follow-up process to monitor and ensure that management actions have been effectively implemented
or that senior management has accepted the risk of not taking action.

Internal auditors will perform a follow-up review to verify the resolution of the report findings, followed
by reviewing and testing the client response letter and the actions taken to resolve the audit engagement
report findings, to confirm that the desired results were achieved. All unanswered and unresolved
findings will be discussed in the follow-up report. Basically, in the follow-up report the internal
auditors will review, compare and conclude on the list of actions taken by the respective internal
audit customers to resolve the original report findings. The report also comprises a brief description of
the finding, unresolved findings, the original audit recommendation, the internal audit customers’
response, the current condition and the continued risk exposure to the organisation. The outcome of
the follow-up review will take the form of a discussion draft of each report with unresolved findings.
The draft will be communicated to the audit customers before the final report of the follow-up process
is issued. Finally, the follow-up review results will be communicated to the respective internal audit
customers and other parties considered appropriate to resolve the matter, such as executives, senior
management or the Board of Directors.

A follow-up process is very important in order to ensure effectiveness of the internal audit function. It
is very crucial that all parties involved, namely the auditees, the internal auditors and the management
play their roles respectively as shown in Table 6.5.

Table 6.5 Roles of Internal Auditors, Management and Auditees in a Follow-Up Process

a) Role of Internal Auditors
• Timely review
• Respect the internal audit customer’s (auditee’s) stewardship
• Communicate the evaluation
• Avoid interrupting the operation of the auditee

b) Role of Management
• Monitor the follow-up process, check with and encourage the internal customer to assure an
appropriate response to the audit report
• Assess or approve the adequacy and cost-effectiveness of corrective actions and take needed steps
to rectify observed inadequacies

c) Role of Internal Audit Customers (Auditees)
• Provide proper responses
• Assist and cooperate
• Inform discrepancies regarding the recommendations
• Communicate the progress of corrective action
• Choose an appropriate measure for the company
• Ensure the measures taken are cost effective
• Ensure the corrective measure is enough to avoid the problem

Summary
This chapter describes the overall process of an internal audit commencing from the development of
strategic audit plan that drives the overall operation of internal audit department. Thereafter, it explains
the development of an engagement plan of each individual audit that needs to be carried out. Further,
this chapter describes the internal audit engagement process, which encompasses risk and control
assessment, developing test plan and audit programme, performing fieldwork, evaluation and
conclusion as well as communicating audit findings. Finally, this chapter discusses the follow-up
process that enhances the effectiveness of the internal audit functions. Appendix 6.1 illustrates the
practical example of an internal audit engagement process on a payroll function.

Conclusion

The controls are generally in place but inadequately designed to mitigate significant risks and are not
operating effectively in most cases. In those cases where control deficiencies were identified,
management generally had alternative solutions and / or mitigating strategies with which to address
the deficiencies. As a result, the majority of the observations and recommendations focus on process
improvements to further enhance the efficiencies of current processes and controls within the payroll
processes. Other observations have been classified either as low, medium or high risk, depending on
the potential impact these could have on the operations of the company.

Self-Review Questions
1. Discuss the benefits of strategic audit plan to the internal audit function.
2. Describe the internal audit planning process.
3. Explain the importance of risk-based internal auditing (RBIA).
4. Outline the process of risk assessment and explain the part it plays in the strategic planning of the
work of an internal audit function.
5. Describe briefly how changes to the corporate objectives should be accommodated in the internal
audit strategic plan (annual internal audit plan).
6. Describe the steps in planning an internal audit assignment.
7. Describe the steps that you would take to identify the “significant issues” which you will need to
include in this initial work plan (consider the implications of audit resourcing).
8. List four important criteria for effective communication of audit results.
9. Give your opinion whether or not all internal audit reports should be lodged on the company’s
website.
10. Describe the different methods of communicating audit findings and recommendations to
management.
11. Compare and contrast the factors that internal auditors should take into account when
communicating findings and recommendations to different levels of management.
12. Discuss how follow-up contributes to internal audit effectiveness.

Mind Map (diagram not reproduced in text)
Appendix 6.1 Performing an Audit on Payroll
AUDIT PROGRAM

A. Audit Objectives and Scope

The main purpose of this review is to assess design adequacy and operating effectiveness of the internal
controls surrounding the payroll processes and identify process improvements. Objectives of the current
review include the following:

 Evaluate controls to ensure that only legitimate employees are paid at the correct and authorised
rate.
 Evaluate access controls and segregation of duties within the payroll function.
 Evaluate controls to ensure pay and deductions are accurately calculated and disbursed in a timely manner.
 Evaluate controls to ensure payroll data is accurately recorded and presented in the general ledger.
 Ensure that the company is complying with all statutory laws and regulations in all payroll
matters.

Additionally, the audit also aims to provide assurance to the management on the completeness of
implementation of agreed-upon solution from the previous payroll audit, which was conducted in
2009 and to evaluate management efficiency in addressing the highlighted issues.

B. Methodology
The audit program was structured to include a review of previous audits, documentation
reviews, interviews and testing. Data analytics were used as part of testing to examine a large
volume of pay transactions and identify patterns and anomalies. All pertinent information from
the last audit was utilised to obtain our understanding of the payroll process, since there have been
no significant changes in policies and procedures, organisational structure or the payroll system.

A risk and control matrix was then developed to capture the following understanding and
procedures:
 Objectives of each payroll activity;
 Key risks inherent to each process;
 Expected and existing controls for mitigating the risks identified.

C. Audit Procedures
We performed specific testing related to the risks and controls identified to evaluate whether the
controls were designed adequately and operating effectively to mitigate the risks. At the conclusion of
our audit, the observations were summarised and management's response was incorporated into our
report.

Detailed Audit Programme

i) Risk and Control Matrix

Each process-level risk is scored as Impact × Probability. The scores below are shown as (Impact / Probability / Total), using the risk rating legend at the end of the matrix.

1. Recruitment and resignation of employees

Payroll activity and objectives:
• Only valid employees are recorded and paid.
• Employees are correctly classified as exempt and non-exempt.
• All new employees are added to the payroll master files timely.
• Terminated or resigned employees are removed from the payroll master files timely.
• Employees are paid and terminated within statutory and union requirements.

Process-level risks:
a) No proper segregation of duties, authorisation and monitoring may result in: (3 / 3 / 9)
 • Paying fictitious employees
 • Paying terminated and resigned employees
 • Paying current employees who have not worked
b) The company can be at risk of lawsuits, civil penalties or internal complaints if it violates the related federal or state regulations (i.e. Labour Act or minimum wage laws) in salary structure and other payroll matters. (3 / 2 / 6)

Expected controls:
a) Each payroll process is performed by a different person and properly authorised before master files are updated and payment released.
b) The payroll system interfaces with the HR information system so that valid current employees and time worked can be traced. HR and payroll personnel are well trained in payroll administration and routinely monitor federal and state labour policies, laws and regulations to avoid non-compliance (i.e. base-pay process, salary structure and adjustment).

2. Calculation of payroll and deductions

Payroll activity and objectives:
• Payroll is accurately calculated and paid at the correct and authorised rate (exempt and non-exempt).
• Taxes and other statutory deductions are accurately computed and paid timely.

Process-level risks:
a) Errors in the calculation of payroll and deductions due to the huge number of hourly-paid (non-exempt) employees (40% of total staff), frequent transactions (bi-weekly pay) and various deductions. (2 / 3 / 6)
b) Failure to pay on time, under/overpayments or unlawful deductions may result in internal complaints or union claims if it happens to non-exempt employees. (3 / 2 / 6)
c) When tax amounts or other statutory deductions are incorrectly computed, withheld or reported to authorities (wrong declarations, or sent with delay), the company may incur civil penalties or fines. (3 / 2 / 6)

Expected controls:
a) Calculation of payroll and deductions is automated through the payroll system and linked to the HR information system (payroll master files and attendance system) without manual intervention. The payroll system is programmed to correctly calculate payroll including overtime and withheld amounts.
b) Hours worked by non-exempt employees are reviewed and authorised by the HOD before being submitted to the payroll department, and are supported by justification and approved timesheets.
c) Payroll withholding tables are properly set up and reviewed before processing. HR/payroll personnel are well trained in tax computation (right percentage applied and legislative changes properly updated) to ensure proper preparation of tax returns/declarations and submission in due time to avoid penalties.

3. Disbursement of payroll

Payroll activity and objectives:
• Payroll is disbursed on time.
• Payroll disbursements, including overtime, reflect actual time worked and are properly authorised.

Process-level risks:
a) An insufficient available balance in the payroll imprest account will lead to delay in disbursing payment on time. (2 / 3 / 6)
b) If delays in disbursing payroll occur frequently, they may result in employees' dissatisfaction and a high turnover rate. (3 / 2 / 6)
c) Failure to identify multiple payroll inputs may result in duplicate payments to the same person, by mistake or intentionally (fraud). (3 / 2 / 6)

Expected controls:
a) The payroll imprest account is regularly monitored to ensure sufficient funds are available to cover payroll expenses. Deposits are reserved and transferred from the general account on a monthly basis and are equal to the net expected pay to employees and to statutory bodies for deductions made.
b) The payroll system is set up to run automatically bi-weekly so that the pay process is without delay.
c) Payroll (net pay) is directly deposited into the employee's bank account via an electronic payment file generated by the payroll system.
d) The payroll system is set up to flag any duplicate payments for the manager to review prior to disbursement.

4. Recording and reporting payroll data

Payroll activity and objectives:
• Payroll data is accurately accounted for in the accounting system and presented in the general ledger.
• Payroll is recorded in the appropriate period.
• Confidential employee information is appropriately safeguarded, limiting the liability exposure and reputational decline.
• Unauthorised access to the payroll system and sensitive data is adequately prevented.

Process-level risks:
a) Incorrect accounting records caused by wrong keying-in or system error may result in wrong decision making by the management. (3 / 2 / 6)
b) Lack of effective logical security practices may create opportunities for unauthorised persons to access and manipulate data for profit or destructive motives, which can cause data corruption, loss of reputation, loss of competitive advantage or legal consequences. (3 / 3 / 9)

Expected controls:
a) A review of accounting records and reconciliation is done once a month by the Finance Manager to validate the correct accounts used and to ensure payroll data corresponds with HR data and the general ledger.
b) Logical security is properly administered by IT personnel at least once a year, which is to include a review of access rights to the payroll system.

**Risk rating / score:

Score         Low     Medium    High
Impact        1       2         3
Probability   1       2         3
Total         1–3     4–6       7–9

*Management tolerance level is not more than 3 points of total risk score.

i) Design Adequacy

1. Recruitment and resignation of employees

Process flowchart:
(1) When an employee joins or resigns, the employee's particulars must be updated in the employee's master file input form.
(2) After filing or updating, the master file input form must be verified by a superior.
(3) Sent to manager for approval.
(4) Updated in the payroll system.

Existing controls:
• Payroll functions are performed by different departments, namely:
 • The HR department establishes base pay, enters data records for new employees, maintains personnel records including withholding data tables, and processes employee status changes (promotion, demotion, increment etc.).
 • The Payroll department processes bi-weekly pay via paycheques to all employees.
 • The Finance department maintains record keeping of payroll expenses including the reconciliation report.
• Policies and procedures are in place and are in accordance with statutory and regulatory requirements for payroll processes from the entry phase throughout the employment phase up to the exit phase, including user access management.

Expected controls:
• Each payroll process is performed by different persons and properly authorised before master files are updated and payment released.
• The payroll system interfaces with the HR information system so that valid current employees and time worked can be traced.
• HR and payroll personnel are well trained in payroll administration and routinely monitor federal and state labour policies, laws and regulations to avoid non-compliance (i.e. base-pay process, salary structure and adjustment).

Gap of design adequacy:
a) Improper segregation of duties for user access in the KiraGaji system.
b) KiraGaji is a standalone system that does not interface with the HR information system.
c) No gap in policies and procedures or in payroll personnel training.
Conclusion: Existing controls are inadequate to manage the risks to an acceptable level. Refer to observation no. 3.

2. Calculation of payroll and deductions

Process flowchart:
(1) Time recording: recording of hours worked by timesheets, clocking-in and out arrangement, recording of changes in pay rates, recording of advances and other deductions, paid leave and so on.
(2) Checking: time-in and out for work, excessive breaks taken, leave supported with a valid approved leave form, medical claims supported with genuine medical certificates, overtime properly claimed.
(3) Calculation of wages: basis for compilation of payroll, preparation, checking and approval of payroll.
(4) Sent to manager for approval.

Existing controls:
a) The KiraGaji system runs the payroll calculation, including overtime and deductions, once data are entered. However, the system is not integrated with the attendance system to automate the overtime calculation.
b) Payroll for hourly-paid employees is processed based on timesheets approved by the HOD.
c) Deduction/withholding tables are set up by the HR department after receiving election forms from employees and are regularly checked by the HR manager. A copy of the election form is kept by the payroll department to cross-check the figures. Any adjustments are updated in the system.

Expected controls:
d) Calculation of payroll and deductions is automated through the payroll system and linked to the HR information system (payroll master files and attendance system) without manual intervention. The payroll system is programmed to correctly calculate payroll including overtime and withheld amounts.
e) Hours worked by non-exempt employees are supported by justification and approved timesheets, which are reviewed and authorised by the HOD before submission to the payroll department.
f) Payroll withholding tables are properly set up and reviewed before processing.
g) HR/payroll personnel are well trained in tax computation (right percentage applied and legislative changes properly updated) to ensure proper preparation of tax returns/declarations and submission in due time to avoid penalties.

Gap of design adequacy:
a) KiraGaji is a standalone system that does not interface with the HR attendance system to identify the time worked. Manual intervention is involved to validate hours worked based on approved timesheets submitted by employees.
b) No gap observed in the processing of withheld amounts.
Conclusion: Existing controls are inadequate to manage the risks to an acceptable level. Refer to observation no. 1.

3. Disbursement of payroll

Process flowchart:
(1) Preparation and authorisation of cheques and bank transfer file.
(2) Comparison of cheques and bank transfer list with payroll.
(3) Maintenance and reconciliation of wage records.

Existing controls:
a) A payroll imprest account is established separately to process payroll cheques for better control of payroll expenses.
b) Deposits from the general account are transferred to the imprest account on a daily basis to cover any cheques presented.
c) The KiraGaji system is programmed to run the bi-weekly pay process automatically on the 15th and 30th of each month if no adjustment is keyed in.
d) The KiraGaji system is programmed to flag any payments to identical employees (with the same identification: name, IC no. or bank account) for the manager's review prior to disbursement.

Expected controls:
a) The payroll imprest account is regularly monitored to ensure sufficient funds are available to cover payroll expenses. Deposits are reserved and transferred from the general account on a monthly basis and are equal to the net expected pay to employees and to statutory bodies for deductions made.
b) The payroll system is set up to run the bi-weekly pay automatically without delay.
c) Payroll (net pay) is directly deposited into the employee's bank account via an electronic payment file generated by the payroll system.
d) The payroll system is set up to flag any duplicate payments for the manager's review prior to disbursement.

Gap of design adequacy: No proper Standard Operating Policy and Procedure is set up for the disbursement of payroll.
Conclusion: Existing controls are inadequate to manage the risks to an acceptable level. Refer to observation no. 2.

4. Recording and reporting payroll data

Process flowchart:
(1) Compiling of overall payroll records for financial and management reporting purposes.
(2) Reconciliations are carried out to make sure there are no unexplained or untimely variances.
(3) Maintenance of payroll recording and reporting.
(4) Sent to manager for approval.

Existing controls:
a) Payroll control reports have been designed and implemented to ensure a correct payroll process and help identify potential fraud, which include:
 • Report of staff changes on a monthly basis from the HR department (new hires and leavers for the month).
 • Payroll overview total amount report (summary of gross pay, deductions, net pay), including a comparison to the previous month's amounts.
 • Multiple payments to the same account.

Expected controls:
a) A review of accounting records and reconciliation is done once a month by the Finance Manager to validate the correct accounts used and to ensure payroll data match the HR data and general ledger.
b) Logical security is properly administered by IT personnel at least once a year, which is to include a review of access rights to the payroll system.

Gap of design adequacy: Logical security is not properly set up to protect against unauthorised access to payroll data.
Conclusion: Existing controls are inadequate to manage the risks to an acceptable level. Refer to observation no. 4.

Sent to manager for approval.

Test Plans and Results

1. Recruitment and resignation of employees

Testing approach: Procedures are in place for HR processes including payroll processing from the entry phase to the employment phase up to the exit phase, including user access management.
Detailed audit testing: Obtain the SOP and interview the personnel on the processes and the controls.
Audit testing conclusion: User access procedures for employees, from user creation to modification and deletion, are incorporated as part of the HR procedures.

Testing approach: New hiring should be approved as per company policies. The pay scale or basic salaries should be verified to ensure they are approved according to company policy.
Detailed audit testing: Verify the additions to payroll (new employees hired during the month).
Audit testing conclusion: The process is as per HR policies.

Testing approach: A process is in place to determine if a worker will act as an employee or contract employee, and verification of job requirements and duties is performed accordingly. Ensure screening and background checks are performed to shortlist qualified applicants, which also helps to screen out "ghost" and unneeded candidates.
Detailed audit testing: Review the job description. Advertise, screen and interview. Ten samples of employee files were obtained and checks were performed on the following for each employee's record:
• Examination for completeness and authorisation
• Comparison of pay rates and deductions
• Trace from register to employee records
Audit testing conclusion: Ten sample records are sufficient.

Testing approach: Payments for payroll-related services are being made to valid employees for time actually worked. Controls must be in place to ensure that no payments are made to fictitious or 'ghost' employees and that payments to valid employees are stopped once the employee is terminated.
Detailed audit testing: Check that a resigned employee is properly removed from the payroll.
Audit testing conclusion: No resigned employees in the payroll system.

Testing approach: The resignation checklist should be updated to include the removal of user access for the related system.
Detailed audit testing: Review the resignation checklist. Obtain a few samples to check whether there is proper endorsement from the IT Department.
Audit testing conclusion: Thirty samples were selected, mainly 5 samples from Finance, 5 from the IT department, 5 from HR and 10 from operations. The review noted that the IT department disables the user access upon receiving the form, thus immediately blocking leavers from accessing the company's system. The user access is deleted within 7 days.

Testing approach: The exit interview and resignation checklist should always be performed, completed and followed up if required on all resigned/terminated staff.
Detailed audit testing: Review the exit interview and resignation checklist for completeness.
Audit testing conclusion: The exit interview and resignation checklists are performed and completed as per HR policy.

2. Calculation of payroll and deductions

Testing approach: Ensure that all benefits and deductions (employee loan, retirement plan, contribution to charitable organisations and PACs, tax etc.) are computed correctly by validating and performing a check on the following:
• Verification of payroll amounts and benefits calculations.
• Agreement of gross earnings and total tax deducted with taxation returns.
Detailed audit testing:
• Recalculate benefits and deductions for a sample of employees.
• Inspect documentation for evidence of management's review.
Audit testing conclusion: Inaccuracies in the salary payments: numerous errors were noted in the calculation of contract employees' pay, and some of the deductions were not included for salaried employees. Refer to Observation 1.

Testing approach: Check whether payroll transactions are correctly recorded in the accounting system. The following should be validated:
• Changes to the master payroll file are verified against before and after reports.
• The payroll master file is reconciled to the general ledger.
Detailed audit testing:
• Review the reconciliation of before and after reports to the payroll master file.
• Review the reconciliation of the payroll master file to the general ledger. Confirm whether discrepancies are followed up promptly and resolved.
Audit testing conclusion: Refer to Observations 1 and 4.

Testing approach: Extract the overtime reports and perform tests of controls on overtime recorded in the payroll; verify that all overtime is approved by the appropriate manager, and so on.
Detailed audit testing: Observe employee and management use of the time clock and time cards. Trace a sample of time cards to payroll accounting records for those employees.
Audit testing conclusion: Employees who turned in a clock card were paid. However, there was a high level of manual intervention involved in computing the hours, as highlighted in Observation 1. Overtime hours were submitted in bulk to payroll, which raised concerns over the accuracy of overtime reported and the matching of payroll expenses with overtime worked.

Testing approach: Employees being paid must have active personnel files.
Detailed audit testing: Select a sample of employee files from payroll accounting. Cross-reference this information to the related personnel files.
Audit testing conclusion: This procedure addresses the auditor's concern regarding nonexistent or 'ghost' employees.

3. Disbursement of payroll

Testing approach: The payroll imprest account should have sufficient funds to cover all payroll expenses.
Detailed audit testing: Obtain and review the bank statement of the payroll imprest account. Perform analytical procedures using ACL to check disbursement date, transaction and amount involved, and observe any overdraw or delay in disbursement compared to the requirement stated in the company policy.
Audit testing conclusion: Insufficient funds were noted in the imprest account from January 2012 to May 2012. In November 2012 there was an excess of 60% in the imprest account. Refer to Observation 2.

4. Recording and reporting payroll data

Testing approach: Payroll transactions are properly classified in the financial statements:
• Chart of accounts.
• Independent approval and review of payroll and accounts charged to payroll.
• Payroll budgets in place and reviewed by the management.
Detailed audit testing:
• Review the chart of accounts.
• Review procedures for classifying payroll costs.
• Review budgeting procedures.
Audit testing conclusion: Although procedures are in place, the audit could not ascertain whether the information is correctly reflected in the financial reporting, as discrepancies and inaccuracies were noted in the GL system.

Testing approach: The organisational structure for HR, Payroll and Finance is formally defined with clear segregation of duties (job descriptions) and responsibilities to support business objectives and goals.
Detailed audit testing: Access to the payroll system should be segregated and given to authorised personnel only.
Audit testing conclusion: Refer to Observation 3.
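A data-analytics version of two tests from the plan above (the duplicate-payment flag the design-adequacy review expects before disbursement, and the cross-reference of payees to active personnel files), added here as an example that is not part of the module's audit programme; field names, statuses and the pay-run data are constructed.

```python
"""Duplicate-payment and ghost-employee checks over one payroll run.

Added example, not part of the module's audit programme. It implements two
data-analytics tests from the programme: flagging payments in a pay run that
share a name, IC number or bank account (the duplicate check the design-adequacy
review expects the payroll system to perform before disbursement), and
cross-referencing every payee to an ACTIVE record in the HR personnel master
(the 'ghost employee' test). Field names and the sample data are constructed.
"""
from collections import defaultdict

IDENTITY_KEYS = ("name", "ic_no", "bank_account")


def normalise(value) -> str:
    """Case- and whitespace-insensitive form so 'Lim  Mei Ling' matches 'LIM MEI LING'."""
    return " ".join(str(value).upper().split())


def duplicate_payments(pay_run):
    """Return (key, shared_value, [employee_ids]) for every identity value shared by 2+ payments."""
    hits = []
    for key in IDENTITY_KEYS:
        groups = defaultdict(list)
        for payment in pay_run:
            groups[normalise(payment[key])].append(payment["employee_id"])
        for value, ids in groups.items():
            if len(ids) > 1:
                hits.append((key, value, sorted(ids)))
    return hits


def ghost_payees(pay_run, hr_master):
    """Employee IDs paid in the run that have no ACTIVE record in the HR master."""
    active = {emp["employee_id"] for emp in hr_master if emp["status"] == "ACTIVE"}
    paid = {payment["employee_id"] for payment in pay_run}
    return sorted(paid - active)


def review_pay_run(pay_run, hr_master):
    """Both tests in one working-paper style result."""
    return {"duplicates": duplicate_payments(pay_run),
            "ghosts": ghost_payees(pay_run, hr_master)}


# Constructed HR personnel master (status as maintained by HR).
HR_MASTER = [
    {"employee_id": "E001", "status": "ACTIVE"},
    {"employee_id": "E002", "status": "ACTIVE"},
    {"employee_id": "E003", "status": "RESIGNED"},   # left, but still paid below
    {"employee_id": "E004", "status": "ACTIVE"},
    {"employee_id": "E005", "status": "ACTIVE"},
]

# Constructed pay run: E003 has resigned, E006 has no HR record at all,
# E004/E005 share a bank account, E002/E006 share an IC number and a name
# that differs only in case and spacing.
PAY_RUN = [
    {"employee_id": "E001", "name": "Ahmad Bin Ali", "ic_no": "800101-01-0001", "bank_account": "1111"},
    {"employee_id": "E002", "name": "Lim Mei Ling", "ic_no": "850202-02-0002", "bank_account": "2222"},
    {"employee_id": "E003", "name": "Raj Kumar", "ic_no": "790303-03-0003", "bank_account": "3333"},
    {"employee_id": "E004", "name": "Siti Nur", "ic_no": "900404-04-0004", "bank_account": "4444"},
    {"employee_id": "E005", "name": "Tan Ah Kow", "ic_no": "880505-05-0005", "bank_account": "4444"},
    {"employee_id": "E006", "name": "LIM  MEI LING", "ic_no": "850202-02-0002", "bank_account": "6666"},
]

if __name__ == "__main__":
    result = review_pay_run(PAY_RUN, HR_MASTER)
    for key, value, ids in result["duplicates"]:
        print(f"duplicate {key} {value!r} shared by {', '.join(ids)}")
    print("payees without an active HR record:", result["ghosts"])
```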

ii) Observations

Observation 1: Inaccuracy of pay due to frequent (bi-weekly pay) and tedious transactions (overtime calculation and various deductions)

Criteria:
The calculations of all payments and deductions should be correctly calculated and accounted for, as well as in accordance with the relevant taxation and other regulations and requirements.

Conditions:
At the time of review, employees are paid on a bi-weekly basis. The department has about 4,400 employees, consisting of 2,700 salaried employees and 1,700 contract employees who are paid hourly. Contract employees' earnings are determined as follows:

Pay earned          Hours in a pay period
Standard pay        80 hours
Time and a half     Additional 20 hours in a pay period
Double time         Exceeding 100 hours in a pay period

In addition, for salaried employees, various deductions such as employees' loans, contributions to long-term retirement plans and political action committees (PACs), as well as taxation, are included in the bi-weekly pay.
Although the department has implemented the KiraGaji payroll system, most of the computation still involves a high level of manual intervention, which is prone to human error and inefficiency. Specifically:
• For payroll, the bi-weekly input of overtime data involved manual computation of hours and rates for about 500 to 600 applications before keying into the KiraGaji system.
• Although the KiraGaji system has a direct interface with the General Ledger system, the data analytics used revealed discrepancies, especially in the payments to contract staff. Specifically, there were 465 records with discrepancies. Payroll for hourly-paid employees is processed based on timesheets approved by the HOD, and there are three different calculations from different criteria to compute pay earnings. A further check of 20 samples noted inaccuracies between the timesheet/clock card and the amount from the system for nine samples.
• A separate system is used to compute staff loans. Furthermore, the loan system is not interfaced with the General Ledger (GL); the journal entries for posting to the GL are manually keyed into Excel spreadsheets for update by Finance.

Causes:
• Frequent payment of salary (bi-weekly basis) and tedious transactions for deductions.
• Complexity of pay earning calculations for contract staff.
• High level of manual intervention in payroll processing.

Effects:
• As there is no system to enforce dual controls and no audit trail report to highlight any changes in KiraGaji, the input accuracy and completeness of the overtime data may not be ascertained.
• The current process is prone to human error, and there is the risk that any input errors may not be detected on a timely basis.
• Whenever there are adjustments, there is a risk that these adjustments may be inaccurately documented by the respective Managers and/or processed by Payroll.
• The salary amounts paid to individual employees were not in accordance with the correct pay rate.

Recommendations:
• It is recommended that bi-weekly payroll processing be revisited and revised to monthly payment. This would eliminate the need for adjustments and would prevent potential errors from occurring as a result.
• Management should also strengthen the control over the current high level of manual intervention. Specifically:
 o An audit trail report on all changes of data should be produced before each processing cycle. Total amount and sample checks on the individual data should be performed and reviewed by a staff member with no input access to KiraGaji and the Loan System, to detect omissions and errors.
 o Management should explore the possibility of generating the journal entries directly from both the payroll and loan systems and uploading the information into the GL without the requirement for any re-input. If this direct upload is not possible, the Payroll Manager should perform the total amount and sample check on the individual data as an interim measure.
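The recalculation test behind Observation 1, added here as an example rather than the module's own working paper: it re-performs the three-tier pay table for a constructed sample of contract employees and reports each record whose system amount differs, with the record layout and hourly rates assumed.

```python
"""Recalculation test for hourly-paid (contract) employees' gross pay.

Added example, not part of the module's audit programme. It re-performs the
three-tier pay computation in Observation 1 (80 standard hours, the next 20
hours at time and a half, anything beyond 100 hours at double time) for each
pay record and flags every record whose system amount differs from the
recalculated amount. The record layout, hourly rates and sample pay run are
constructed for illustration; KiraGaji's real export format is not known.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

STANDARD_HOURS = Decimal(80)        # first 80 hours: base rate
TIME_AND_HALF_HOURS = Decimal(20)   # hours 81-100: 1.5 x base rate
TIME_AND_HALF = Decimal("1.5")
DOUBLE_TIME = Decimal(2)            # hours above 100: 2 x base rate
CENT = Decimal("0.01")              # rounding unit and comparison tolerance


@dataclass(frozen=True)
class PayRecord:
    employee_id: str
    hours: str          # hours per the HOD-approved timesheet
    rate: str           # authorised hourly rate from the master file
    system_gross: str   # gross pay recorded by the payroll system


def expected_gross(hours, rate) -> Decimal:
    """Gross pay per the pay table. Accepts numbers or numeric strings."""
    h, r = Decimal(str(hours)), Decimal(str(rate))
    if h < 0 or r < 0:
        raise ValueError("hours and rate must be non-negative")
    standard = min(h, STANDARD_HOURS)
    time_half = min(max(h - STANDARD_HOURS, Decimal(0)), TIME_AND_HALF_HOURS)
    double = max(h - STANDARD_HOURS - TIME_AND_HALF_HOURS, Decimal(0))
    gross = r * (standard + time_half * TIME_AND_HALF + double * DOUBLE_TIME)
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def find_discrepancies(records):
    """One (employee_id, expected, recorded, difference) tuple per mismatch.

    A difference of at most one cent is treated as rounding, not as an error.
    """
    findings = []
    for rec in records:
        expected = expected_gross(rec.hours, rec.rate)
        recorded = Decimal(rec.system_gross)
        difference = recorded - expected
        if abs(difference) > CENT:
            findings.append((rec.employee_id, expected, recorded, difference))
    return findings


def summarise(findings):
    """Count and net over/underpayment, the figures a working paper would carry."""
    over = sum((d for *_, d in findings if d > 0), Decimal(0)).quantize(CENT)
    under = sum((-d for *_, d in findings if d < 0), Decimal(0)).quantize(CENT)
    return {"records_with_discrepancy": len(findings),
            "total_overpaid": over, "total_underpaid": under}


# Constructed sample pay run: one record per contract employee for one period.
SAMPLE_PAY_RUN = [
    PayRecord("C001", "80", "20.00", "1600.00"),    # standard hours only: correct
    PayRecord("C002", "95", "20.00", "1900.00"),    # overtime paid at the base rate
    PayRecord("C003", "110", "20.00", "2500.00"),   # double-time hours paid at 1.5x
    PayRecord("C004", "72", "18.50", "1332.00"),    # under 80 hours: correct
    PayRecord("C005", "84", "20.00", "1720.01"),    # one-cent rounding: not flagged
]

if __name__ == "__main__":
    found = find_discrepancies(SAMPLE_PAY_RUN)
    for employee_id, expected, recorded, difference in found:
        print(f"{employee_id}: expected {expected}, recorded {recorded}, diff {difference:+}")
    print(summarise(found))
```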

Observation 2: Delay in disbursement of payroll due to the use of an imprest account with insufficient funds

Criteria:
The payroll imprest account should have sufficient funds to cover all payroll expenses. Funds should be deposited for the exact amount of the total net payroll. Once the funds are paid out to employees, the account balance should be at or near zero until the next payroll date is due.
An imprest payroll account is a separate account held by a corporation that contains funds strictly for employee payroll use. When payroll is due, funds are withdrawn from the imprest account rather than from the company's main account. The advantages of an imprest account are that it limits the organisation's exposure to payroll fraud, allows the delegation of payroll cheque signing duties, separates routine payroll expenditures from other expenditures, and facilitates cash management.

Conditions:
The review noted that there were insufficient funds in the imprest account deposit, and from the records there were a number of instances where an additional deposit was made to avoid an overdraw on the account from January 2012 to May 2012. However, in November 2012 there was an excess of 60% in the imprest account. Depositing too much leaves money sitting in an account that could be redirected elsewhere in the organisation.

Causes:
• Lack of monitoring of the imprest account.
• Inadequate planning and forecasting in computing the precise amount to be placed in the imprest account, which normally relies on the company's knowledge of payroll expenditure.

Effects:
• An insufficient available balance in the payroll imprest account may lead to delay in disbursing payment on time.
• Frequent delays in disbursing payroll may result in employees' dissatisfaction and a high turnover rate.

Recommendation:
• It is recommended that the payroll imprest account be regularly monitored to ensure sufficient funds are available to cover payroll expenses. Deposits should be reserved and transferred from the general account on a monthly basis and should be equal to the net expected pay to employees and related deductions made.

Observation 3: Inadequate segregation of duties and user access in the KiraGaji system

Criteria:
There should be appropriate segregation of duties, with separate authorising, recording and reconciling functions. These duties are typically owned or performed by different departments or personnel.

Conditions:
The review of segregation of duties and user access for the various payroll functions revealed the following weaknesses:
• All Payroll Department employees have full edit and unlimited access to the Payroll Module, including access to modify salary/hourly rate fields.
• All Payroll Department employees have access to post payroll to the Finance Module. Access to the Finance Module should be limited to the Finance Department.
• HR employees who are not involved in payroll processing have edit access to payroll adjustments, pay types and the salary schedule.

Causes:
• Lack of housekeeping of access permissions and user profiles since the system was set up by the KiraGaji vendor.
• No customised user access permissions were established for the company.

Effects:
• Inappropriate access rights that do not correspond to the job scope, and no proper segregation of duties surrounding compensation and the payroll function. Errors, misappropriation of payroll funds or other types of irregularities could occur and may not be traceable or detected in a timely manner.

Recommendations:
Appropriate segregation and user access should be reviewed and monitored regularly, especially when there are job/function changes. Specifically:
• Access to modify salary/rate fields should be limited to the HR Department.
• Access to process payroll should be limited to the Payroll Department. Access within the Payroll Department should be limited according to roles and job duties.
• Access to post payroll to the Finance Module should be limited to the Finance Department, who should not be able to modify the information.
• All other access to the Payroll Module should be limited to specific authorised functions or view capabilities only.
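The segregation-of-duties review in Observation 3 expressed as a check over a user-access listing, added here as an example (not the module's code or KiraGaji's role model); the permission names, departments and the listing itself are constructed.

```python
"""Segregation-of-duties review of payroll user-access rights.

Added example, not the module's own tool. It encodes the access rules from the
Observation 3 recommendations as a policy table and reviews a user-access
listing for two kinds of finding: a permission held by a department that should
not have it, and a toxic combination (authorise, record and reconcile duties
held by one person). Permission names, department names and the sample listing
are constructed; KiraGaji's actual role model is not described on the page.
"""
from collections import namedtuple

User = namedtuple("User", "user_id department permissions")

# Which department(s) may hold each permission, per the recommendations.
ALLOWED_DEPARTMENTS = {
    "MODIFY_SALARY_RATE": {"HR"},                  # salary/rate fields: HR only
    "EDIT_PAY_ADJUSTMENTS": {"Payroll"},           # adjustments, pay types, schedules
    "PROCESS_PAYROLL": {"Payroll"},                # run the pay process
    "POST_TO_FINANCE": {"Finance"},                # post payroll to the Finance Module
    "VIEW_PAYROLL": {"HR", "Payroll", "Finance"},  # view capability only
}

# Duties that must not sit with one person regardless of department.
TOXIC_COMBINATIONS = (
    frozenset({"MODIFY_SALARY_RATE", "PROCESS_PAYROLL"}),   # set the rate and pay it
    frozenset({"PROCESS_PAYROLL", "POST_TO_FINANCE"}),      # pay it and book it
    frozenset({"MODIFY_SALARY_RATE", "POST_TO_FINANCE"}),   # set the rate and book it
)


def review_user(user):
    """Findings for one user; an empty list means the access profile is acceptable."""
    findings = []
    perms = frozenset(user.permissions)
    for perm in sorted(perms):
        allowed = ALLOWED_DEPARTMENTS.get(perm)
        if allowed is None:
            findings.append(f"{user.user_id}: permission {perm} is not in the policy table")
        elif user.department not in allowed:
            findings.append(f"{user.user_id}: {user.department} must not hold {perm}")
    for combo in TOXIC_COMBINATIONS:
        if combo <= perms:
            findings.append(f"{user.user_id}: conflicting duties " + " + ".join(sorted(combo)))
    return findings


def review_listing(users):
    """Findings for the whole listing, in listing order."""
    return [finding for user in users for finding in review_user(user)]


# Constructed user-access listing reflecting the weaknesses in Observation 3.
SAMPLE_LISTING = [
    User("PAY01", "Payroll", {"MODIFY_SALARY_RATE", "PROCESS_PAYROLL", "POST_TO_FINANCE", "VIEW_PAYROLL"}),
    User("HR02", "HR", {"EDIT_PAY_ADJUSTMENTS", "VIEW_PAYROLL"}),
    User("FIN03", "Finance", {"POST_TO_FINANCE", "VIEW_PAYROLL"}),
    User("PAY04", "Payroll", {"PROCESS_PAYROLL", "EDIT_PAY_ADJUSTMENTS", "VIEW_PAYROLL"}),
]

if __name__ == "__main__":
    for line in review_listing(SAMPLE_LISTING):
        print(line)
```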

Observation 4: Inadequate processing controls in payroll disbursement

Criteria:
The integrity of payroll payment data should be maintained, and proper procedures should be in place to govern the use of Internet banking access.

Conditions:
The current payroll process has the following weaknesses:
• For payroll payments, the Payroll Officer uploads the payroll payment data into the EasyBank2u system and prints a detailed report. The Payroll Manager reviews the total amount and sample-checks individual amounts. However, the payroll payment data can be uploaded again with different payee and amount details while the control totals remain identical. Any unauthorised changes by the Payroll Officer may not be detected on a timely basis.
• The Payroll Manager, who is also one of the administrators of the EasyBank2u Internet banking system, also controls the password and security card that used to belong to a former manager. Thus, additional access rights can be granted without restriction to the security cards this Payroll Manager controls, to effect the transfer of funds without additional approvals. In addition, formal procedures to manage the security cards and passwords are not in place.

Causes:
• Lack of awareness of the need to strengthen the access control of the Internet banking account.
• Absence of procedures on payroll processing over EasyBank2u.

Effects:
Unauthorised payments made may be undetected.

Recommendations:
Management should strengthen the payroll processing controls. Specifically:
• The total headcount and payroll amount in the KiraGaji system should be reconciled to the data maintained by the HR team and Finance. The payroll system can be enhanced with encryption technology. Alternatively, the Payroll Manager should sample-check the payroll information loaded into the EasyBank2u system to provide more assurance that the payroll information loaded is valid.
• Segregation over the receipt of password letters and custody of security cards should be enforced. Formal procedures over security administration of EasyBank2u should be implemented. A regular review of the EasyBank2u user listing should also be performed.
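An illustration of why identical control totals do not prove a payment file is unchanged, and of a file-level integrity check that would detect the re-upload described in Observation 4; this is an added example, not the module's code or EasyBank2u functionality, and the file layout, key handling and records are constructed.

```python
"""Control totals versus a file-level integrity check on a payroll payment file.

Added example, not the module's own code. Observation 4 finds that a payment
file can be uploaded again with different payee and amount details while the
control totals the Payroll Manager reviews stay identical. The code below
computes those control totals (record count and total amount) and, as an added
control the programme does not specify, a keyed HMAC over the exact file bytes,
computed when the payroll system generates the file and re-verified before
release so that any later edit to the file is detected. The file layout, key
handling and sample records are constructed; EasyBank2u's real format is not
described on the page.
"""
import hashlib
import hmac
from decimal import Decimal

# Constructed layout: one payment per line, fields separated by '|':
# account_number|payee_name|amount


def parse_payment_file(data: bytes):
    """Split the file into (account, payee, amount) records."""
    records = []
    for line in data.decode("utf-8").splitlines():
        if not line.strip():
            continue
        account, payee, amount = line.split("|")
        records.append((account, payee, Decimal(amount)))
    return records


def control_totals(data: bytes):
    """(record count, total amount): what a total-and-sample check looks at."""
    records = parse_payment_file(data)
    total = sum((amount for _, _, amount in records), Decimal("0.00"))
    return len(records), total


def seal_file(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the exact bytes, computed at generation time."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_seal(data: bytes, key: bytes, seal: str) -> bool:
    """Constant-time comparison of the stored seal with a fresh one."""
    return hmac.compare_digest(seal_file(data, key), seal)


def release_check(data: bytes, key: bytes, seal: str, approved_totals):
    """Return (ok, reasons): the file is released only if both checks pass."""
    reasons = []
    if control_totals(data) != approved_totals:
        reasons.append("control totals differ from approved totals")
    if not verify_seal(data, key, seal):
        reasons.append("file content differs from the file the payroll system generated")
    return (not reasons, reasons)


# Constructed key; in practice it is held by the payroll system, not the uploader.
DEMO_KEY = b"demo-key-held-by-payroll-system"

ORIGINAL_FILE = (
    b"1001|A. RAHMAN|2050.00\n"
    b"1002|B. TAN|1600.00\n"
    b"1003|C. KUMAR|2600.00\n"
)

# Same record count and same total, but one account number and two amounts differ.
TAMPERED_FILE = (
    b"9999|A. RAHMAN|2050.00\n"
    b"1002|B. TAN|1100.00\n"
    b"1003|C. KUMAR|3100.00\n"
)

if __name__ == "__main__":
    approved = control_totals(ORIGINAL_FILE)
    seal = seal_file(ORIGINAL_FILE, DEMO_KEY)
    print("original:", release_check(ORIGINAL_FILE, DEMO_KEY, seal, approved))
    print("tampered:", release_check(TAMPERED_FILE, DEMO_KEY, seal, approved))
```

The control totals of both files agree, so a total-and-sample review alone passes the altered file; only the seal over the full content rejects it.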

7 Internal Audit Reporting and Monitoring

Learning Objectives
After going through this chapter, you should be able to:
• Understand the purpose of providing an internal audit report
• Describe the report writing process
• Describe the format and content of an internal audit report
• Define the criteria for a good-quality internal audit report
• Describe the distribution of an internal audit report
• Describe the report monitoring and follow-up process

Introduction

The final stage in an internal audit engagement is to communicate the results and disclose important
matters during the process to the auditee. In this study, the process of preparing and communicating the
internal audit report refers mainly to the International Standards for the Professional Practice of Internal
Auditing (ISPPIA). An internal audit report is fundamentally the final product of an audit engagement
that is considered important to the management. Internal auditors communicate results based on
evidence, analytical judgements and later determine whether the auditee has taken any appropriate
corrective action.

The internal audit report is the auditor’s opportunity to draw the management’s undivided
attention to the issues faced by the organisation. That is how auditors should regard reporting: an
opportunity to inform the management that some corrective actions are required. Internal audit
reports instil confidence in investors by indicating that the reported financial information is free from
errors and intentional misstatements. The internal audit report is perceived to be as useful as the Audit
Committee report, management’s discussion and analysis, as well as the management’s report on
internal control. The Chief Audit Executive (CAE) is responsible for communicating results that
reflect the CAE’s due consideration, opinions and conclusions (The Institute of Internal Auditors,
2017). Furthermore, the internal audit report provides a disclosure that is perceived as highly credible
because it is communicated by the CAE to the Audit Committee, the Chief Executive Officer (CEO) and the Chief Finance
Officer (CFO).

Purpose of Internal Audit Report


Preparing the internal audit report is compulsory: internal auditors must communicate
the results of audit engagements. The purposes of communicating the results of audit engagements are
as follows:

1. Developing Recommendations
The report should disclose the current internal control situation, highlighting the problems discovered
during the engagement so that the management can take notice and overcome them. These
problems could be either low or high risk and have implications for overall organisational achievements.
Thus, the role of an audit report is to change or improve internal controls.

2. Present the Management with Control and Risk Issues
The internal audit report should highlight the importance of control and risks related to achieving the
business objectives. Management itself needs to address the potential risk that is due to the element of
controls not being properly addressed and managed according to the business objectives. The potential
risk from environmental factors has a great effect on business operations. Thus, the management needs
to initiate high priority control, appropriate solutions and improvement tools in order to focus on future
achievement.

3. Developing an Action Plan


Internal auditors recommend and develop an action plan for the actual conditions arising from the
internal audit process. The action plan is one step ahead of the recommendations, as it requires the
management to make the necessary changes.

4. To Promote Problems to Management


The report is structured for the purpose of promoting problems related to the risk area and the
implication towards business objectives. The audit report highlights the results of compliance and non-
compliance of rules and regulations, level of errors and the irregularity of control. Highlighting and
promoting problems to the management creates greater concern for problems in the risk areas and
instigates the management to plan remedial action plans.

5. To Document the Results


The results prepared from an internal audit process are intended to convey internal documentation to
the management. The results are reported as a formal document that records the audit program together
with findings from the audit process. The internal audit report acts as a formal tool to convey audit
findings to the management in order to highlight the risk areas and provide opinions and
recommendations.

6. To Provide Assurance to Management Operations


This is a crucial role: the internal audit report provides assurance and confirmation based on the
auditor’s review of controls. The audit process ensures that risk management and controls are applied and practised
with no adverse findings. Besides that, the internal audit report assures and confirms that problems
faced by the organisation might have no major consequences that affect the effectiveness of its operations.

Process of Report Writing


Internal auditors play an important role in achieving business objectives to ensure and improve the
effectiveness of risk management, control and governance processes. The reporting itself ensures the
reliability and integrity of financial and operational information, the effectiveness and efficiency of
operations, safeguarding of assets as well as compliance with laws, regulations and contracts.

In order to communicate the results, the following process should be carried out, prepared and executed
as in Figure 7.1:

Figure 7.1 Process of Report Writing

1. Field Audit Exit Meeting


This is when an internal audit team conducts a meeting with an auditee or management to discuss the
results accruing from an audit process. The purpose of an exit meeting is to enable the auditors to discuss
matters regarding the system’s weaknesses and the risk areas discovered during the audit. More
corrective actions on lack of control and protection need to be provided on the risk area system. In the
meeting, auditors need to discuss and ask auditees or management questions on significant and material
issues. Auditors themselves need to gauge auditees’ feedback and reactions in order to draft the final
audit report. In the next stage, the CAE confirms the contents of the draft report.

2. Draft Audit Report


Internal auditors prepare the draft audit report after the management has agreed with the entire content
and facts. The draft audit report includes audit observations, audit recommendations and an action plan. The
action plan highlights specific recommendations and states who is in charge of improving the risk areas.
The draft is prepared by the CAE and submitted to the CEO or senior management. The CEO or senior
management then makes decisions based on the recommendations given in the report.

3. Response from Various Departments


Auditees will receive a copy of the draft audit report from the CEO. The department itself must take
into consideration each recommendation provided by the internal auditors for the purpose of improving
business operations and ensuring the effectiveness of the system.

4. Final Audit Report


The final audit report is prepared by the CAE after receiving feedback from auditees. The final report
includes significant issues, action plans, recommendations, departments’ responses and auditors’
conclusions. The internal audit report is published together with the management’s responses.

5. Post Audit Survey


The internal auditors require auditees and the management to fill in a post audit survey. This is to
evaluate the effectiveness of the audit process, audit planning, audit performance, professionalism and
knowledge of the audit team.

6. Follow-Up Audit
Auditors will perform a follow-up audit on significant issues that were identified in the final
engagement report. They will request follow-up information to review and report on the corrective
actions taken when addressing all previous significant issues.

Structure of the Report


The structure of an internal audit report differs due to the internal audit process and a variation in the
information gathered from the auditee. The report must include the title, details of auditee, location,
date of the report, report number, status, list of distributed reports, appropriate release and
confidentiality notifications as well as list of internal auditors involved. The contents should consist of
an executive summary, background, action plan, recommendations and management’s responses. The
executive summary should also include the objectives and scope of the report, methods used, opinions,
standards, conformance statements and observation summary.

Firstly, the objectives in the report should be able to tailor the engagement of the audit process.
Secondly, the scope that is covered in the report should be accurate and only those necessary need
to be included in the report. Thirdly, the report needs to describe broadly the methods employed in the
audit process with the specialised methods used. Fourthly, the report should include related matters on
the opinion that aligns the ratings with the observations covered in the report. In preparing the opinion,
there is a need to focus on the causes and effects for the observation by using precise words and reducing
the exaggeration on the effects of observations. Fifthly, there is a need to mention the standards applied
in conducting the internal audit process, which is the standards related to ISPPIA.

Sixth, an observation summary should be in the report to allow readers to understand each condition.
Each condition represents a level of risk and determines the cause of the observation, which can be
identified using a few techniques from the management field, such as the Five Why Analysis,
Change Analysis and the Ishikawa Diagram. The Five Why Analysis is concerned with the root
cause of a problem in order to identify the solution. Change Analysis may be used to identify the
potential impact of any change and to identify the solution needed to accomplish that change. The Ishikawa
Diagram, also known as a fishbone diagram, is used to identify the potential factors that are the causes and
effects of a specific event. Thus, these techniques would be used by internal auditors in observing
conditions and identifying the action plan. In line with this, the Practice Guide for Audit Reports
(The Institute of Internal Auditors, 2016) suggests that an observation must include elements such
as condition, criteria, cause, effect and rating, as shown in Table 7.1. After determining the causes,
and after the management has considered all recommendations and taken appropriate action, the internal
auditors should assess the residual risks. Then, they should investigate the effects of each risk in order
to meet the organisation’s objectives.

Table 7.1 Elements of Observation

Elements Description
Condition Factual evidence identified during the course of the engagement
Criteria Standards, measures, or expectations used in making an evaluation and/or
verification of an observation
Cause Underlying reason for the difference between the criteria and condition
Effect Risk or exposure encountered because the condition is not consistent with the criteria
Rating It can be an effective communication tool for delivering the significance of each
observation and could assist management with prioritising their action plans, and
internal auditors with prioritising follow-up.

Next, the internal auditors should focus on recommendations to prevent future occurrences and correct
the existing conditions, which are known as cause-focused recommendations. The internal auditors
should decide if they wish to use condition-focused and/or recovery-focused recommendations. In
preparing the recommendations, there are two writing styles, which use
imperative and modal verbs respectively. Imperative verbs represent action, instruction and commands, while
modal verbs are words that are obligatory in nature, like should or must in sentences. For
example, ‘please monitor the authorisation in the cheque preparation process’ is the imperative
verb version, while ‘monitoring the authorisation of cheque preparation must be assigned’ is the modal
verb version.

The action plan is the next process in reporting, where auditees/clients present their plan in order to
address the cause and impact of either the recovery or correction for each condition. Formulating an
opinion is the conclusion of an engagement. The opinion should be communicated to stakeholders for
them to understand the overall internal audit process. Opinions and conclusions on the overall
assessment of specific controls can be formed based on professional judgments after observations have
been carried out; however, internal auditors must evaluate the effects based on overall observations in
order to suggest recommendations for each of the conditions. Internal auditors examine the operation
to ensure that it conforms with objectives aimed at achieving organisational goals.

The internal auditor’s opinion should be in line with the level of professional expertise and judgment
pertaining to governance, risk management and compliance throughout the overall organisation.
Moreover, internal auditors must understand the judgmental nature of the report according to the
internal auditing perspective. Whereas, opinions must be consistent with the views of primary
stakeholders and the overall implications in achieving organisational goals.

The final communication of engagement results must include applicable or feasible conclusions, as well
as applicable recommendations and/or action plans. Where appropriate, the internal auditor should
provide an opinion which considers the expectations of senior management, the Board of Directors, and
other stakeholders and must be supported by sufficient, reliable, relevant, accurate and useful
information.

In relation to the observation elements, below is the example of the internal control review on payrolls.
The observation is based on the time and attendance records, as shown in Table 7.2.

Table 7.2 Example of Internal Audit Report: The Structure of Report, Time and Attendance Record – Payroll Internal Control Review, AAA Berhad

Structure
Title Page
Payroll Internal Control Review: Time and Attendance Record
March 1, 2012
Issued by Group of Internal Audit — AAA Berhad
Header and Footer
Executive Summary (iii) Objective; iv) Scope; v) Methods; vi) Opinion; vii) Standards conformance statement; viii) Observation Summary)
Objective
• To determine the efficiency and effectiveness of the time and attendance system.
• To ensure that the system has followed proper internal controls.
• To ensure the time and attendance records have been properly completed, reviewed, approved and processed.
• To ensure the adequacy of separation of duties, security controls and monitoring procedures.

Scope
• The purpose of this audit is to identify the effectiveness of
existing systems and controls in detecting errors and fraud.
• The audit analysed five weeks of time and attendance system
and records in manual payroll system.
• The audit team interviewed person-in-charge in order to
understand the manual payroll system.
Methods
The methods used in this audit engagement are:
• The auditors inspected the time and attendance records from the
manual payroll system in order to verify the accuracy and
completeness of data written in timesheets.
• Auditing also vouched data on authorised timesheets record
(source document) that has been verified and compared with
information that was entered in the payroll and accounting
system, which produced the computer report.
• Interviewed person in charge in order to understand the overall
procedure of manual payroll system and accounting and payroll
system.
Opinion
1. The internal audit has suggested that the critical procedures in
time and attendance sheets be prepared on a timely basis to
maintain the level of accuracy and timeliness. Any problems
such as entering erroneous data and documenting incorrect
information while preparing timesheets would affect the payroll
and accounting system.

2. The responsibility of each employee and payroll supervisor is
very important and needs to be emphasised in ensuring that all
hours worked are accurately and correctly reported, calculated
and paid. Mistakes in approving all hours worked would result in
inappropriate payments.
3. The payroll supervisor is responsible and accountable for checking
and reviewing the accuracy of the time and attendance sheets.
The head of payroll unit is responsible to provide signature for time
and attendance sheet.
Overall, errors or mistakes do happen in the payroll and accounting
system; hence, this would cause information error and lack of
productivity.
Standard conformance statement
This audit was conducted in conformance with International
Standards for the Professional Practice of Internal Auditing (IPPF).
Background
Manual payroll system was reorganised to provide better efficiency
in time and attendance processing. The process includes two key
process objectives:
1. Making accurate timesheets
2. Ensuring proper authorisation
Criteria
1. The policies of the organisation require employees to record time
and attendance through punch-in cards and manual timesheets.
2. Every timesheet requires checking and review by the payroll
supervisor.
3. The head of payroll unit is required to sign every timesheet
based on the authorisation of hours worked.
Conditions of the observation
1. The time and attendance sheets are not properly completed and
approved.
2. The time and attendance are not properly reviewed by payroll
supervisors.
3. The timesheets have been approved and signed without proper
checking by the head of payroll.
Cause
The manual payroll system is a highly labour-intensive process as
handwritten timesheets are then keyed in and entered in the payroll
and accounting system.
Effects of the observation
1. There is a possibility of keying in erroneous data into the payroll
and accounting system.
2. The report produced through the payroll and accounting system
would document erroneous information.
3. Inappropriate payments may have been made when the time and
attendance sheets were inadequately reviewed and authorised.


Rating the Observation
Low risk
Recommendations
1. The payroll supervisor should ensure that all time and attendance
recorded are reviewed for completeness and checked for errors
before entering into the payroll and accounting system.
2. Backup reviewers must review the individual inputting timesheet
information from the source document in order to avoid any
process errors.
3. The Human Resource Department should implement training in
payroll writing procedures for supervisors, backup reviewers and
employees in understanding their function in the time and
attendance process.
4. Head of payroll unit and payroll supervisor must perform proper
and timely review for signature approval and error checking.
Action Plan
1. Training for new hires and current employees to emphasise their
responsibility and function to record time and attendance
accurately.
2. Training on proper timekeeping practices for employees who
were found to be not complying with proper procedures and
rules.
3. Training for payroll and management on supervising timesheet
record and reviewing overall manual payroll system.
Management Responses
The director of Human Resource Department has agreed on all
recommendations made in this report. The policy of time and
attendance will be addressed. All recommendations should be
implemented in June 2012.
Report Distribution in Title Page (separate internal and external readers)
Internal readers: Human Resource Director; Director of Finance
External readers: Registrar of Companies; Bursa Malaysia
Report Team: AAA Bhd Group of Internal Audit
Appendices: –
(Source: Adapted and Modified from Henderson, 2012)

Opinions and Ratings of the Internal Audit Report


In structuring the internal audit report, the opinions and ratings of the report are also important to
highlight the results based on the internal auditor’s observation. For example, Table 7.2 presents the
rating and opinion for time and attendance record-payroll internal control review. This rating and
opinion are developed based on the conditions of observation done by the internal auditors.

Opinions of the Internal Audit Report

The overall opinion will be issued based on the strategies, objectives, and risks of the organisation
in order to meet the expectations of senior management, the Board of Directors, and other stakeholders.
The overall opinion must be supported by sufficient, reliable, relevant, accurate and useful information.

In addition, internal auditors must communicate the internal audit report after they have identified each
risk for each observation along with the evaluation and assessment, which is related to the development
of opinion. The opinion developed by CAE should address a few matters such as:

1. The strategies, objectives, and risks faced by the organisation.
2. The opinion can solve a problem, add value and provide management with confidence on the
condition of organisation.
3. The understanding of expectation for the scope of the overall opinion based on the discussions
with management and any stakeholders.
4. The scope of the overall opinion should include the specific time related to the opinion and
consider whether there are any limitations to the scope.
5. The conclusions and other communicated results should be sufficient, reliable, relevant, accurate
and useful information.
6. Summarise the information on the overall opinion and identify the relevant risk or control
framework as a criteria used for the overall opinion.

Ratings of the Internal Audit Report

In developing the ratings on the internal audit report, there is no single prescribed way for expressing
engagement outcomes on effectiveness and efficiency of controls reviewed. The final engagement
communication can be either a positive or negative assurance. A positive assurance is known as
reasonable assurance if internal auditors conform and ensure that the controls are designed adequately
and operating effectively. A negative assurance is known as limited assurance when internal auditors
are led to believe that controls are not designed adequately and operating ineffectively. The opinion is
developed based on observations on the overall internal control for each process.

The rating system is developed to rate observation for operation area and risk. The rating on a report is
a subjective professional judgment based on the business complexity, the potential effects of the
observations, the responsiveness of management action plans, and the repeat nature of the observations.
Commonly, internal audit activities use a three point rating system: unsatisfactory, marginal and
satisfactory. The rating system for observation is also a three point system: high risk, medium risk or
low risk. This rating system has advantages as it makes it easier in summarising results to senior
management and in contributing to the internal audit activities planning. Furthermore, it will also
provide focus attention to stakeholders in alerting to them to areas that need more focus and show more
impact.

Quality of the Report Writing

The quality of a report is important, and it should conform with the standards. This is to ensure each
internal audit process has been implemented according to principles or rules of conduct stipulated in
the Code of Ethics and the Standards. In ensuring the quality of the information presented in the internal
audit report, the conformation must be accurate, objective, clear, concise, constructive, complete and
timely. The descriptions of the criteria are presented in Table 7.3.

Table 7.3 Criteria of Good Quality Report Writing
Quality Description
Accurate Free from errors and distortions and is faithful to the underlying facts.

Objective Fair, impartial and unbiased and is the result of a fair-minded and balanced assessment of all
relevant facts and circumstances.
Clear Easily understood and logical, avoiding unnecessary technical language and providing all
significant and relevant information.
Concise Communication is to the point and avoid unnecessary elaboration, superfluous details,
redundancy and wordiness.
Constructive Helpful to the engagement client and organisation and lead to improvements where needed.

Complete Lack nothing that is essential to the target audience and include all significant and relevant
information and observations to support recommendations and conclusions.

Timely Opportune and expedient, depending on the significance of the issue, allowing management
to take appropriate corrective action.
(Source: The Institute of Internal Auditors, 2017)

The quality of the report can be further enhanced by five practice-based factors:
readability, clarity, objective wording, tone and the conventions of written language.

First is readability. Message placement, coherence, conciseness and the use of graphics help
enhance the readability of a report. Message placement refers to the structure of the report, in which
each observation is delivered in a structured manner in the executive summary and body of the report.
Coherence means the report is written using appropriate words, phrases and terms.
Conciseness is the third element that improves the level of readability in a report. The report should
contain the right information and avoid redundant words. Concise information will assist the
management in understanding the main conditions, causes, effects and recommendation(s) for each
observation. The last element that affects readability is how well graphics are presented to highlight
information from the audit process. Pie charts, bubble charts and bar charts for comparing information; line graphs for
trends; dashboards for status against goals; and iconic images and colour for categorisation are the
best formats for presenting such information.

Second, clarity of information is also important. To ensure clarity, definitions must be used
appropriately. Definitions are crucial for understanding the concepts used in each observation and audit
process. Each observation might carry different concepts and terms. Confusion can be avoided by
providing a glossary and hyperlinks when electronic reports are used. The report should be written in
simple and clearly structured sentences. Thirdly, internal auditors must avoid biased wording. The report
must be prepared objectively when describing the engagement; hence, the wording used must be fair,
impartial and unbiased. The written report must state the weaknesses of the process and of internal
control, if any. Fourth, the tone of the writing should reflect the level of severity and risk of each
observation.

Finally, the language used in the report should be relevant to the culture of the location. The level of
understanding of the report depends on good grammar, punctuation and mechanics. Thus, internal
auditors must improve their writing skills in order to improve their internal audit reputation and the
level of readers’ comprehension. Readers’ comprehension can be improved through good quality reports
and the complete information provided by the internal auditor.

Overall, all criteria should be taken into consideration in writing the internal audit report. An excellent
report portrays the auditor’s competency and capability in writing a high-level quality report and hence,
facilitates the reader’s comprehension. Together with the quality criteria, there is a need to understand
the strategies in preparing an internal audit report. This would ensure the management, particularly
Audit Committee and senior management to easily understand and be concerned about the highlighted
matters.

Strategies in Preparing Internal Audit Report

When preparing an internal audit report, the best practice is to attract readers to understand the contents
of the report, especially the senior line management. The right technique ensures direct, objective and
convincing reports as well as being able to deliver the intended message with clarity. The report can be
delivered based on guidelines that ensure the completeness of an internal audit report. The main
contents of the internal audit report must be stated immediately because auditees, senior executives and
Audit Committee members want a succinct description of the issue, its level of risk and recommended
mitigation or corrective measures. In addition, auditors need to communicate the severity of risks and
explain the risks in meaningful ways so that management can focus more on recommendations. The
report should be written and communicated so that the pertinent ideas that were the focus of the audit
findings are understood by the auditees.

The writing style of the audit report requires auditors to construct sentences around a noun
that readers can easily understand and visualise. Each sentence should generally be short and contain
no more than 24 words to ensure readability. Meanwhile, ideas in the report can be improved by
simplifying them into lists in order to help the auditee digest and process information in a short time.
However, auditors need to avoid using technical terms because not every auditee would understand or
be familiar with accounting and auditing terminology. Thus, auditors need to use the correct words
as well as the acceptable practices and norms required for business documents in order to highlight
potential improvements for each of the controls, which if not implemented could lead to possible
failure. In pointing out issues, auditors must avoid using negative words because such words
have a high tendency to provoke rather than convince auditees. These strategies would ensure
that the purpose of internal audit reports, documenting and communicating the results to both
auditees and senior management and the Audit Committee, is achieved.

Communicating Results
Communicating results is an important task for internal auditors. Internal auditors must work on the
challenges involved in communicating results, not only when delivering positive news, but also
negative news. Archambeault and Rose (2011) had suggested five key steps to effective
communication.

Firstly, internal auditors must make advance preparations when communicating negative news. This
includes a review of the findings, auditors’ understanding of critical issues, gathering information about
readers and considering visualising the point of view they expect from the audience regarding the
negative news. Secondly, internal auditors must focus on coordinating a meeting so that they can
maintain control over the direction of the meeting. They must try to schedule a time and place where
they can have the participants’ undivided attention.

Thirdly, internal auditors must be straightforward and honest in their delivery. They must be aware that
certain words are emotionally charged and thus could produce negative reactions from clients.
Nonverbal cues in communication, such as body language, facial expressions, eye contact and tone
of voice, should also be taken into consideration as they could help auditors in their presentation. Fourth,
internal auditors must anticipate the responses or feedback from clients countering the audit findings.
They need to respond and discuss every finding with clients in a proper and positive manner instead of
mostly reacting defensively. Finally, the last step to ensure effective reporting is by determining
corrective measures. Internal auditors can provide the biggest contribution, encouragement and
constructive suggestions. All corrective actions and recommendations to mitigate problems and risk
areas will assist clients in the long-term to achieve organisational objectives and goals.

Dissemination of the Audit Report

The CAE controls the distribution of the final engagement report. The CAE is responsible for
communicating the results to parties who can ensure that the results are given due consideration. The
purpose of distributing the report is to assist clients or auditees in achieving the desired action. The
following factors should be taken into consideration in disseminating the internal audit report:

1. Through discussions with the Board of Directors and a review of any organisational communication
protocol, the CAE determines who will receive the results of the engagement and the form of
communication that will ensue.
2. When determining the recipients of the report, the CAE takes into consideration whether the
party or parties have a genuine business interest in receiving the results, as well as whether they
have the responsibility to initiate management action plans.
3. To ensure consistency, the internal audit activity could develop a standard distribution list of parties
who are approved to receive all types of communication, as well as the management levels that
should be included in the distribution list for engagement results pertaining to their area of
responsibility.
4. The CAE can expand the distribution list if necessary, which often includes the organisation’s
senior management.
5. To ensure compliance with legal obligations and organisational protocols, it is important for the
CAE to exercise caution and consideration when disseminating results outside the organisation.
The CAE should consider the ramifications of communicating sensitive information, as such
information might affect the organisation’s market value, reputation, earnings or competitiveness.
The CAE might find it helpful to consult legal counsel and the compliance function within the
organisation.

Responsibility for disseminating the internal audit report rests with the CAE, who validates and
approves the distribution. This ensures the report is directed to the appropriate recipients, that is, to
those who are able to give its results due consideration. After dissemination, if further monitoring is
needed, the respective recipients or auditees should take action to follow up.

Monitoring the Progress and Follow-up Audit

Monitoring and follow-up on progress are two stages that occur after the CAE has disseminated and
communicated an internal audit report in accordance with the relevant standards. For monitoring
purposes, the CAE should establish procedures that ensure monitoring of progress is effective. The
monitoring procedures that involve the role of the CAE are as follows:

1. Whether sophisticated or simple, it is important for the CAE to develop a process that captures the
relevant observations, agreed corrective actions and current status.
2. The CAE often develops or purchases a tool, mechanism or system to track, monitor and report
on such information. Based on information provided to internal audit by management, the status
of the corrective actions is updated in the system periodically, often directly by management using
a shared exception tracking system.
3. The frequency and approach to monitoring (the extent to which audit staff verify that corrective
action was taken) is determined based on the CAE’s professional judgment, as well as the
expectations set by the Board of Directors and senior management.
4. The form of reporting is determined based on the CAE’s judgment and the agreed expectations.
Some CAEs report the status of every observation for every engagement in a detailed manner,
while others report only observations that are rated as posing a higher risk, perhaps summarised
by business process or executive owner, noting statistics such as the percentage of corrective
actions on track, overdue and completed on time.
5. In some instances, the CAE might report on the completion of the corrective action as well as
whether the action has rectified the underlying issue. Capturing and measuring positive
improvements resulting from the execution of corrective actions is considered a leading practice.

The final part is the follow-up process, where internal auditors need to examine whether management
has taken action on each recommendation. To support this, the Practice Guide for Audit Reports (The
Institute of Internal Auditors, 2016) suggests a tracking spreadsheet or system that records the audit
observation, action plan, responsible personnel and target completion dates. Internal auditors must
retain documents with relevant information to support their conclusions and engagement results, and
must document the follow-up procedures and their results. Follow-up procedures need to be performed
in order to instil confidence and assurance in the CAE, upper management and the Board of Directors.
Furthermore, these procedures ensure that the issues and associated risks have been identified and
adequately mitigated.

The follow-up audits should be performed at specific time intervals, or on an ongoing basis. When
performed at specific time intervals, the CAE might schedule specific assignments in the annual internal
audit plan to perform a follow-up for incomplete or expired action plans from the previous year(s).
When follow-up activities are performed on an ongoing basis, the follow-up process is usually
performed monthly or quarterly and consists of three elements, namely collecting information,
verifying the completion of the action plan, and reporting results to the engagement client, senior
management, and periodically to the Board of Directors.

Monitoring and follow-up, as described above, benefit the organisation. They establish whether the
recommendations from past engagements have been implemented correctly by the responsible parties
or auditees within the timescale set by management. The monitoring and follow-up report is also
important to both the Audit Committee and senior management, as it highlights specific areas of concern
to them. In addition, the process ensures that each recommendation is fully implemented by the
auditees, that the organisation benefits from it, and that the risks identified have been effectively
mitigated. The actions taken by the auditee are thus expected to reduce the possibility of such risks
recurring in future.

Summary

Preparing the internal audit report goes together with monitoring; monitoring and follow-up are part of
the audit process. Internal auditors and auditees should understand the purpose of preparing the internal
audit report. There are six steps for preparing an internal audit report that ensure the process is in line
with the standards. In addition, internal auditors need to consider best practice for the structure of the
report and the related strategies for producing a high quality report. With respect to engaging with
management in communicating the results, internal auditors need to understand the matters related to
communicating results, dissemination of the audit report, and monitoring the progress and follow-up
audit.

Self-Review Questions
1. Discuss the advantages of writing an internal audit report.
2. Discuss the process of writing an internal audit report.
3. Describe the quality of an internal audit report as required by the standards.
4. Comment on the quality of internal audit reporting in Table 8.2: The Structure of Report, Payroll
Internal Control Review, Time and Attendance Record. You can comment based on the report
quality checklist.
5. Discuss the role of internal auditors in the monitoring and follow-up process for each report.

References
Adams, P., Cutler, S., McCuaig, B., Rai, S., & Roth, J. (2012, June 30). Sawyer’s Guide for Internal
Auditors, 6th Edition. ISBN-13: 978-0894137211. The Institute of Internal Auditors Research
Foundation.
Archambeault, D., & Rose, M. (2011). The ABCs of Communicating Results. Internal Auditor.
Available at: http://www.theiia.org/intAuditor/back-to-basics/2011/communicate-bad-news/the-abcs-of-communicating-results/?search=The%20ABCs%20of%20Communicating%20Results
Henderson, J. (2012). Time and Attendance Reporting Internal Control Review. Internal Audit Report.
Town of Trumbull, CT. Office of The Financial/Accounting Controls Analyst. pp. 3-13.
Available at: http://www.trumbull-ct.gov/filestorage/7112/7181/Internal_Audit_Report_-_Time_and_Attendance_Reporting_Internal_Control_Review,_April_2012.pdf
Reding, K. F., Sobel, P. J., Anderson, U. L., Head, M. J., Ramamoorti, S., Salamasick, M., & Riddle, C.
(2009). Internal Auditing: Assurance & Consulting Services. ISBN-13: 978-0894136436. The
Institute of Internal Auditors Research Foundation.
The Institute of Internal Auditors (2016). Supplemental Guidance: Practice Guide, Audit Reports.
Available at: https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/audit-reports-practice-guide.aspx
The Institute of Internal Auditors (2017). International Professional Practices Framework (IPPF):
International Standards for the Professional Practice of Internal Auditing (Standards). First
Printing. USA.
The Institute of Internal Auditors (2017). Implementation Guides. International Professional Practices
Framework (IPPF). Available at: https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx

Mind Map

8 Implications of Information Technology on Internal Auditing
Learning Objectives
After going through this chapter, you should be able to:
• Describe information technology (IT) audit
• Identify technology risks and challenges to internal auditing
• Discuss the evaluation of general and application controls
• Define and discuss the audit of the System Development Life Cycle (SDLC)
• Define and discuss the audit of e-commerce and its challenges to internal auditors
• Understand the use of computer-assisted audit techniques (CAATs) in performing audit
procedures
• Discuss the impact of the Fourth Industrial Revolution on internal auditing

Introduction

Information technology (IT) has grown steadily in Malaysia, and aggressively so after the launch of the
Multimedia Super Corridor (MSC) in Cyberjaya. Entities ranging from sole proprietorships to large
organisations rely on IT to record and process day-to-day business transactions. Some business
organisations simply purchase application software available in the market to process their business
transactions. Those with a budget for system development might prefer to develop their own application
systems. Heavy reliance on computers for processing business transactions has changed the business
landscape. Businesses are now subject to various IT-related risks such as:

System Application Error

The use of software applications in processing transactions reduces the risk of human error. However,
the risk of system error might increase, since the system requires upgrading from time to time as
business operations expand. Too many changes and flaws in the system’s program procedures
undermine the reliability of the software. At the same time, risks such as operating system crashes,
transmission errors or missing data can occur.

Hardware Failure
Computer hardware such as central processing units (CPUs), monitors, servers, etc. can easily
malfunction if not properly maintained and protected. Proper procedures for handling computer
hardware are important to prevent physical damage. Damage could be due to inappropriate use,
sabotage or environmental disasters such as a fire, blackout, flood or earthquake.

Computer Crime
Business transactions conducted via the Internet can expose the organisation’s electronic data to attacks
from hackers, competitors, terrorist groups, former employees or industrial spies. These parties attack
in order to obtain valuable data or to harm the computer system. There are countless types of computer
attack, such as hacking, spamming, spoofing or spreading viruses and worms.

Therefore, controlling and protecting business information has become one of the main priorities in
most organisations. Effective control over the processing of data in the information system is important
to protect the organisation from liability and to ensure security as well as confidentiality. This is why
management should regularly monitor and evaluate their systems to ensure effective functionality and
adherence to the related standards and practices.

IT audit is part of the overall audit process and ensures that IT controls are maintained at all times. The
scope of IT audit is wide, since a computer system not only records transactions but has become the
key business processing system of an organisation. Generally, IT audit is concerned with the following
issues:

1. Security
To ensure access to the system and its data is restricted to authorised personnel only.

2. Confidentiality
To ensure that sensitive information of an organisation is protected from unauthorised access or
disclosure.

3. Privacy
To ensure personal information of any third party such as customers’ addresses, contact numbers, etc.
are treated in accordance with the organisational business policy and protected from unauthorised
access or disclosure.

4. Processing integrity
To ensure business data are processed accurately, completely and in a timely manner, with proper
authorisation.

5. Availability
To ensure the operating system and its data are available at all times to meet the needs of business
operations.

(Source: Trust Services Framework, developed jointly by the American Institute of Certified Public
Accountants and the Canadian Institute of Chartered Accountants)

This chapter highlights the different areas to be audited with regard to computerised systems, such as
the evaluation of general and application controls, audit of the System Development Life Cycle (SDLC),
audit of e-commerce and the use of Computer-Assisted Audit Techniques and Tools (CAATTs) in
completing audit procedures. The sample audit programs included in this chapter allow a better
understanding of the areas that are audited.

Definition of IT Audit
IT audit is one of the different types of audit performed by an internal auditor. IT audit shares the
definition of auditing in general, namely ‘an independent examination of the internal controls, records,
and related information generated from the system in order to form an opinion on the integrity of the
system of controls, the compliance with policies and procedures, and the recommendation of control
improvements to minimise or limit risks’. However, IT audit focuses more on the evaluation of an
organisation’s computer systems and network to ensure:
• The effectiveness of control procedures in minimising the related technology risks; and
• Compliance with international or Malaysian standard operating practices, policies, procedures
and the related laws or regulations of the regulatory body.

Elements of IT Audit
A major challenge in performing an IT audit is to determine the scope for the assessment of internal
control in the IT environment. Assurance on information systems can only be obtained if all
components are being assessed and evaluated properly. The major areas of an IT audit are categorised
as follows:

Physical and Environmental Review

Review the physical facilities and the condition of the IT environment, such as physical access, power
supply, air conditioning and humidity control.

System Administration Review

Review all system administration procedures to ensure compliance with regulatory rules. This includes
a review of the security control procedures of the existing operating systems and database management
systems.

Application Software Review

Review all business application software, for example, the software used by the finance department to
record accounting and finance transactions, the software used by the payroll department to process
salaries and the web-based customer order system used by the sales department. Generally, the
assessment covers these areas:
• Access control and authorisations
• Procedures for handling validation, errors and exceptions
• Transaction processing flowchart
• Controls and procedures manual

Network Security Review


Review IT network’s infrastructure, which includes internal and external connections to the system,
perimeter security, firewall review, router access control lists, port scanning and intrusion detection.

Business Continuity Review

Review the control procedures for ensuring that systems and information are available when needed,
for example:
• The procedures for maintenance of fault tolerant and redundant hardware.
• Backup procedures and storage.
• A documented and tested disaster recovery/business continuity plan.

Data Integrity Review

Review the control and security measures around IT operating systems and application software to
ensure that the output produced is accurate, complete, timely and valid.

The CAE should consider performing an audit of these six major elements of IT in the annual audit
plan. Addressing all of these elements properly gives the highest level of assurance over the security
control measures in the IT environment.

Guide To Conduct an IT Audit


The Information Systems Audit and Control Association, better known as ISACA, is an independent,
non-profit global association that develops, adopts and promotes the use of globally accepted knowledge
and practices for information systems. ISACA was started by a small group of individuals who shared
an interest in establishing a resource centre for auditing controls in computer systems. Back in 1969,
the group was known as the EDP Auditors Association. The association has since expanded its scope
by establishing an education foundation with the purpose of undertaking more research in the field of
IT governance and control.

ISACA developed the Control Objectives for Information and Related Technology (COBIT)
framework. It serves as an IT governance framework that provides guidelines on control requirements,
technical issues and business risks. Amongst the benefits of employing this framework are that it:
• Allows management to benchmark the security and control practices of IT environments;
• Gives users assurance that adequate IT security and control exist; and
• Allows auditors to substantiate their internal control opinions and advise on IT security and control
matters.
In addition, the Institute of Internal Auditors (IIA) has developed and issued the Guide to the
Assessment of IT Risk (GAIT). This guideline helps auditors to evaluate and assess IT general controls
that have an impact over financial reporting. The GAIT Practice Guides include three areas, which are:

1. The GAIT Methodology

This is a guideline for assessing the scope of IT general controls using a top-down and risk-based
approach. It helps management to identify any deficiencies in key IT general controls that may result in
material errors in the financial statements. Four principles form the basis for this guideline:

Principle One: The identification of risks and related controls in IT general control processes (e.g. in
change management, deployment, access security, and operations) should be a continuation of the
top-down and risk-based approach used to identify significant accounts, risks to those accounts,
and key controls in the business processes.

Principle Two: The IT general control process risks that need to be identified are those that critically
affect IT functionality in financially significant applications and related data.

Principle Three: The IT general control process risks that need to be identified exist in processes at
various IT layers: application program code, databases, operating systems and networks.

Principle Four: Risks in IT general control processes are mitigated by the achievement of IT control
objectives, not individual controls.
GAIT Methodology enables organisations to implement these principles and offers management and
auditors guidance around scoping IT general controls and the tools to defend these decisions.

2. GAIT for IT General Control Deficiency Assessment

This is a guideline for evaluating any IT general control deficiencies identified during the assessment,
such as material weaknesses or significant deficiencies. The guideline was developed by nine certified
public accounting firms to help management as well as internal and external auditors in assessing
deficiencies in the organisation’s internal control system for financial reporting.

3. GAIT for Business and IT Risk

This is a guideline that helps identify the IT controls that are critical to achieving business goals and
objectives. Adherence to this guideline helps the CAE and the audit team provide assurance and
the necessary level of consideration to IT-related business risks.

Scope and Objectives of an IT Audit

The scope of an IT audit depends on various factors such as the nature and background of the business,
existing and potential technology risks, and the resources of the IT department (e.g. number of
staff, software applications). Therefore, it is pertinent for management to have an appropriate plan for
performing the IT audit to ensure a proper assessment of every area of the IT functions.
Ideally the scope should consist of audits of security controls, logical access controls, physical security
controls, installation controls and local area network controls. This scope of audit is detailed in
Table 8.1.

Table 8.1 Highlights on the Objectives of an Audit for the Five Scopes of IT Audit

No. / Scope of Audit / Objective of Audit

1. Security Controls: To ensure the establishment of an appropriately defined IT management
structure with a clear framework of authorities and responsibilities for the successful
implementation of the security objectives of an organisation.
2. Logical Access Controls: To ensure that the access controls are reviewed to determine that
safeguards are in place to prevent unauthorised acquisition of data resources.
3. Physical Security Controls: To prevent unauthorised access to computer-related equipment, and
to ensure adequate protection of computer-related equipment against natural hazards and
malicious damage.
4. Installation Controls: To ensure consistent control of software and hardware management in the
operation of application systems.
5. Local Area Network Controls: To prevent any unauthorised access to the local area network.

The following tables show examples of audit programs for the five scopes of audit mentioned in
Table 8.1.

Table 8.1(a) Audit Program for Security Controls

Audit Procedures

1. Review the information security management structure to identify those responsible for:
i) Security management
ii) Security administration
iii) Data owners
iv) System owners
v) System users
vi) System providers
vii) Procedure owners
2. Review whether the Security Administrator’s responsibilities include the following:
• Promote security awareness and education;
• Administer access to software; and
• Advise and guide the development, maintenance and implementation of IT standards

3. Review the appropriateness of the level of segregation of duties between the following:
• Application development
• Technical support
• Computer operations
• Security administration
• User department

Table 8.1(b) Audit Program for Logical Access Controls

Audit Procedures

1. Review user security administration and check the following:
• There is a procedure in place for issuing, approving and monitoring application access.
• User access control reports are periodically reviewed for accuracy and completeness by user
management.

2. Check whether access to the access control software’s administration facilities is limited to the
security administrator only.

3. Verify whether user IDs are used to identify users accessing the system.

4. Verify that a user security administration procedure is in place to ensure that unique user IDs are
assigned to system users.

5. Review the following:
• Passwords are being used to confirm users’ identity.
• Passwords are encrypted to ensure confidentiality.

6. Check whether a user ID is disabled if it has been inactive for a period of more than 90 days.

7. Check whether user IDs are automatically disabled after three consecutive unsuccessful login
attempts.

8. Check that unattended terminals are automatically logged off after a certain number of minutes of
inactivity.
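As an added illustration (not part of the module’s audit program), the following Python script applies items 2 and 4 to 8 of Table 8.1(b) to a constructed user-account extract and produces one finding per exception, the way a CAATT routine in a follow-up working paper would. The record layout, the 15-minute idle timeout, the fictitious user names and the LA-nn finding codes are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Thresholds from Table 8.1(b) items 6 and 7; the idle timeout is an assumed
# policy value, since the audit program only says "a certain number of minutes".
INACTIVITY_LIMIT_DAYS = 90
LOCKOUT_THRESHOLD = 3
IDLE_TIMEOUT_MINUTES = 15
ACCEPTED_PASSWORD_STORAGE = {"hashed", "encrypted"}   # item 5


@dataclass
class Account:
    """One row of a (constructed) user-account extract from the application."""
    user_id: str
    owner: str
    role: str
    enabled: bool
    last_login: date
    failed_logins: int          # consecutive unsuccessful attempts since last success
    password_storage: str       # how the application stores the credential
    session_timeout_min: int    # 0 means no automatic log-off
    admin_facility_access: bool


def audit_logical_access(accounts: List[Account], as_of: date) -> List[Dict[str, str]]:
    """Test each account against items 2, 4, 5, 6, 7 and 8 of Table 8.1(b).

    Returns one finding per failed test, tagged with an (assumed) item code.
    """
    findings: List[Dict[str, str]] = []
    seen_ids: Dict[str, str] = {}

    def report(item: str, acct: Account, detail: str) -> None:
        findings.append({"item": item, "user_id": acct.user_id, "detail": detail})

    for acct in accounts:
        # Item 2: administration facilities limited to the security administrator.
        if acct.admin_facility_access and acct.role != "security_administrator":
            report("LA-02", acct, f"admin facility access granted to role '{acct.role}'")

        # Item 4: user IDs must be unique, so one ID may not belong to two people.
        if acct.user_id in seen_ids:
            report("LA-04", acct, f"user ID shared with '{seen_ids[acct.user_id]}'")
        else:
            seen_ids[acct.user_id] = acct.owner

        # Item 5: passwords must not be stored in a recoverable or plaintext form.
        if acct.password_storage not in ACCEPTED_PASSWORD_STORAGE:
            report("LA-05", acct, f"password stored as '{acct.password_storage}'")

        # Items 6 and 7 apply only to enabled accounts: a disabled ID already
        # satisfies the control, so it is not reported as an exception.
        if acct.enabled:
            idle_days = (as_of - acct.last_login).days
            if idle_days > INACTIVITY_LIMIT_DAYS:
                report("LA-06", acct, f"enabled after {idle_days} days of inactivity")
            if acct.failed_logins >= LOCKOUT_THRESHOLD:
                report("LA-07", acct, f"enabled after {acct.failed_logins} failed logins")

        # Item 8: unattended terminals must be logged off automatically.
        if acct.session_timeout_min <= 0 or acct.session_timeout_min > IDLE_TIMEOUT_MINUTES:
            report("LA-08", acct, f"session timeout is {acct.session_timeout_min} minutes")

    return findings


def summarise(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per audit program item for the working paper summary."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["item"]] = counts.get(finding["item"], 0) + 1
    return counts


# Constructed sample extract (fictitious users) as at the review date below.
REVIEW_DATE = date(2022, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "J. Doe", "user", True, date(2022, 6, 1), 0, "hashed", 10, False),
    Account("asmith", "A. Smith", "user", True, date(2022, 1, 15), 0, "hashed", 10, False),
    Account("bkhan", "B. Khan", "user", True, date(2022, 6, 20), 5, "hashed", 10, False),
    Account("svc_batch", "Batch job", "service", True, date(2022, 6, 29), 0, "plaintext", 10, False),
    Account("jdoe", "K. Lim", "user", True, date(2022, 6, 2), 0, "hashed", 10, False),
    Account("ops1", "Operator", "operator", True, date(2022, 6, 28), 0, "hashed", 0, True),
    Account("tlee", "T. Lee", "user", False, date(2021, 1, 1), 0, "hashed", 10, False),
]

if __name__ == "__main__":
    results = audit_logical_access(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for finding in results:
        print(f"{finding['item']}: {finding['user_id']} - {finding['detail']}")
    print(summarise(results))
```

Note that the disabled account tlee produces no exception even though it has been idle since 2021: the control in item 6 has already operated, which is what the auditor is testing for.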

Table 8.1(c) Audit Program for Physical Security Controls

Audit Procedures

1. Review the Computer Centre as a secure location and ensure that the physical access control
procedures include:
• entrances that are fitted with locking devices which can identify staff and record the date and time
of entry/exit
• emergency exits that are fitted with alarms
• perimeter walls that are constructed from true floor to true ceiling
• secured access to air conditioning units, power and telecommunication lines and backup power
units

2. Review the adequacy of the various modes of protection from fire and water damage, including:
• an automatic fire detection and alarm system
• regular checks and servicing of the system
• compliance of the fire suppression system with regulations

3. The Computer Centre power supply must be backed up with the following:
• a generator for air conditioning and lighting;
• an uninterruptible power supply (UPS) or battery backup for computers; and
• regular maintenance and testing of the generator(s) and UPS or battery backup.

4. Review the following:
• room temperature and humidity in the Computer Centre are maintained within the range
recommended by the manufacturers
• regular inspection and cleaning of air cooling units

5. Review the controls for confidential print output: identification, documentation, printing on secure
printers, access restriction to printer rooms, and release of output to authorised personnel only.

Table 8.1(d) Audit Program for Installation Controls

Audit Procedures

1. Review the controls for system software, including:
• protection using an access control mechanism
• maintenance of the system that is fully supported by the vendor
• authorisation of changes
• documentation and support of the software maintenance facility

2. Review the following:
• the inventory listing, to ensure that it is regularly maintained and verified
• removal, movement or disposal of computer equipment is authorised and properly recorded
• hardware maintenance agreements include preventive maintenance
• all computer equipment is operated and maintained according to the manufacturer’s
specifications
• a log of hardware problems and the actions taken to resolve them is kept

3. Review selected agreements with third party providers for the following:
(a) All IT staff and affected parties are aware of the relevant agreements and the commitments
contained within them.
(b) Amendments made to agreements are subject to the approval of the Board of Directors.
4. Obtain and review the procurement procedures and ensure that all procedures are followed:
• Review samples of the proposals obtained from suppliers.
• Ensure that at least three proposals from different suppliers are attached for every procurement
process.
• Ensure that supplier proposal evaluation and additional investigation have been carried out prior
to the selection of the supplier.
• Scrutinise the review by the company’s legal advisor.

Table 8.1(e) Audit Program for Local Area Network Controls

Audit Procedures
1. Check whether the system is able to generate an audit trail showing the activities of users in the
system, such as user ID, date and time, terminal number and the activities performed.
2. Review physical access to critical components and check the following:
• The servers are located in secure rooms/cabinets with adequate environmental controls
• Only authorised persons are allowed to operate the equipment
• Secondary media (e.g. diskettes and cartridges) are stored securely
3. Review the logbook to ensure that external parties who install, repair or service the local area network
and computer equipment are accompanied by authorised IT staff, with approval granted by the IT
manager.
4. Review the computer disaster recovery plan for all critical local area network systems. Ensure the
following are incorporated:
• spare devices with sufficient capacity and speed for backup purposes
• the frequency and retention of backups of the servers and workstations
• documentation and testing of backup and recovery procedures
• an uninterruptible power supply system to protect critical network servers and their components
5. Check that all directories and files are covered by antivirus software and are scanned regularly.
6. Review the antivirus software and ensure the following features are available:
a) virus detection and removal capabilities
b) a licensing agreement which provides regular antivirus updates, at least every week
c) a reputable track record of reliability in detecting and removing viruses

Steps in IT Audit

A proper audit process leads to the achievement of the audit objectives for the different audit areas.
Figure 8.1 presents the recommended steps in performing an IT audit.

1. Establish the Terms of Engagement

The CAE determines the scope and objectives of the audit of the IT functions. The engagement letter
is addressed to the respective auditee, i.e., the Head of the IT Department. The letter includes
information such as the scope and objectives of the audit, the responsibilities of the auditor and auditee,
the auditor’s authority to access all information on the IT functions, and the audit schedule.

Figure 8.1 Steps in IT Audit

2. Preliminary Review
This is the process in which the auditor gathers information on the IT department as the basis for
preparing the audit plan. The information required includes the auditee’s strategy and responsibilities
in managing and controlling IT operations.

3. Establish Materiality and Assess Risks

The auditor needs to form a judgement on the materiality of the IT function as well as perform an
assessment of the auditee’s business risk, in order to set the scope of the audit.

4. Plan the Audit


Normally, a proper audit plan includes the engagement’s objectives, scope, timing and resource
allocation. A well-developed audit plan will ensure that the audit process is conducted efficiently and
effectively.

5. Consider Internal Control

The auditor has to consider the auditee’s internal control in order to begin the audit process. The
information on internal controls could come from a variety of sources, such as studies of the existing
internal controls, previous audit reports, reports by regulators such as Bank Negara Malaysia or Bursa
Malaysia, or feedback from operating personnel. Once this process is completed, the auditor can
assess the level of the auditee’s control risk, which is important in determining the level of substantive
tests to be performed during fieldwork.

6. Perform Audit Procedures


The auditor will perform the audit process based on the scope stated in the audit plan. The auditor will
use a substantive test approach to audit IT business functions.

7. Issue the Audit Report
The auditor will issue an audit report once all audit procedures have been completed and evaluated.

Evaluation of General and Application Controls

There are two control groups for any IT system: general controls and application controls. General
controls cover all aspects of the IT function, including the administration of the IT function, hardware
and software acquisition and maintenance, physical and security controls over hardware, and the
establishment of a disaster recovery plan for unexpected emergencies. Application controls deal with
controls over the processing of individual transactions within a specific software application, for
example, controls over the processing of sales or cash receipts.

Table 8.2 Different categories of general and application controls

GENERAL CONTROLS

Administration of IT function
Purpose: To ensure proper administration of the people and resources of the department.
Examples: A list of IT staff with their responsibilities; an organisational chart of the IT department.

Physical access control
Purpose: To ensure proper controls are in place over physical access to the IT department and its critical
areas.
Example: Access to the data centre is restricted to authorised personnel only.

Logical access control
Purpose: To ensure proper controls are in place over access to infrastructure, applications and data.
Example: A user ID and password are required to access the organisation's information on its computer
systems.

Backup and contingency plan
Purpose: To ensure proper backup and contingency plans are in place for unexpected emergencies such as
fire, virus attack, power failure or natural disaster.
Example: Well-written business continuity and disaster recovery plans.

APPLICATION CONTROLS

Input control
Purpose: To check the integrity of data entered into an organisation's application.
Example: Review the input screens to ensure they are designed to capture all relevant data required.

Processing control
Purpose: To ensure that data processing is complete, accurate and authorised.
Example: Review system documentation to ensure key computations are fully documented.

Output control
Purpose: To ensure that output agrees with the input data and the processing applied to it, and that computer
output is not intercepted by or shown to unauthorised users.
Example: Controls over the confidentiality of output (printed reports) are maintained.

Auditing of System Development Life Cycle

The system development life cycle (SDLC), also known as the software development process, is a method
by which a system analyst creates or alters an information system so as to produce a high-quality system
that meets users' expectations. The SDLC consists of seven phases that management should follow closely
in order to develop a sound information system.

The seven phases also provide for proper evaluation and management of the risks associated with the
system development process. Each phase has to be completed before management moves on to the next,
which helps to ensure that the development succeeds. Figure 8.2 shows the seven phases of the SDLC.

Figure 8.2 SDLC Phases

Phase 1: Systems Planning


During this phase, management plans a system to meet the organisation's mission and objectives. The
plan includes general guidelines for system development, the time frame and the budget. Several
documents are generated in this phase: a long-term plan, policies for selecting IT projects, long-term
and short-term IT budgets, a project proposal and a project schedule.

Phase 2: Systems Analysis


During the second phase, the system analyst gathers the necessary information, such as facts and
samples to be used in the project, from the end users. The analyst then reviews and analyses the input
received and produces a system analysis report.

Phase 3: Conceptual Design


During this phase, a conceptual design is developed that incorporates the views of everyone involved in
the development project. The outcome is documented in, for example, a data flow diagram (DFD).

Phase 4: Systems Selection


In the system selection phase, management together with the system analyst evaluates alternative systems
to select the one that best meets the requirements stipulated by the users and fulfils the organisation's
objectives. The analysis includes a detailed feasibility study, in which management examines whether the
proposed system can work within the current IT infrastructure, with the organisation's business processes
and procedures, and with the existing employees' skills. Management is also responsible for producing a
cost-benefit analysis for the proposed system, and finance personnel are responsible for analysing and
determining the value of each alternative. The outcome of the selection process is summarised in a
selection report.

Phase 5: Detail Design


At this stage, the system analyst develops the detailed design of the system based on the DFD created in
phase three, taking into account the analysis made during the selection process. The system analyst has to
record the procedures involved, the outcomes and any problems encountered during the development
process.

Phase 6: Programming and Testing Systems
Programming and testing is the most important phase in the SDLC, because it determines whether the
outcome of the project meets the predetermined objectives. Several factors should be considered in the
testing process:
 Testing should be done offline, before the system is implemented online.
 Each module should be tested stand-alone before being tested in conjunction with the other
applications.
 Testing should be done with the participation of the end users.
 The results of the testing process should be documented.

Phase 7: Systems Implementation


This is the last phase of the SDLC, in which the system is ready to be deployed. Management has to
sign off the user acceptance agreement before the system goes live. However, the SDLC process does
not end here. Management is required to perform a post-implementation evaluation of the project. The
review should cover how well the system meets the users' requirements and should compare the actual
costs against the benefits. Evaluation should continue throughout the life of the system so that corrective
and preventive actions can be taken on the new system.

Internal Auditors Involvement in the SDLC


Companies undertaking system development are likely to invest heavily in the project to ensure it is
delivered efficiently. The project therefore requires independent review to ensure that all risks are properly
identified and managed and that value-added improvements are suggested, which ultimately helps the
project meet its objectives. The following are examples of internal auditors' involvement as an independent
reviewer of an SDLC project.

1. An internal auditor holds an advisory role in every phase of the SDLC. Normally, an internal
auditor is invited as an independent party to each meeting of the SDLC project. Advice from the
internal auditor is needed on the risk areas of the development process to ensure that an effective
system is created. Other roles of the internal auditor include the following:
 Review the project proposal generated during the system planning phase, to ensure that issues
such as control procedures and governance activities are properly addressed.
 Review the documents generated during system testing, to ensure that the output meets the end
users' requirements, complies with the organisation's policies and conforms to the rules and
regulations stipulated by the regulatory body.
 Review and examine the documents generated at every phase of the SDLC, to determine that
the project is running smoothly. The internal auditor can also use other tools, such as inquiry and
checklists. The results help the internal auditor evaluate whether the project is being developed in
the best interests of the organisation.

2. The role of an internal auditor is to provide an independent view on issues arising during the
development process.

An internal auditor who is independent of the SDLC is able to provide unbiased opinions on any issues
arising during the development of the project. This is important because the project has two parties,
management (the end users of the system) and the system analyst (who may be a staff member or a
third-party developer), and each party has its own interests in the new system. The presence of an internal
auditor helps ensure that the project is carried out effectively without jeopardising the interests of the
parties involved. However, in providing advice the internal auditor must preserve independence by
remaining in an advisory capacity. An internal auditor should not be directly involved in the actual design
or testing of the new system.

3. An internal auditor is involved in auditing the SDLC.


An audit on the SDLC is important to provide the management with the assurance that the actual
development of the project complies with the necessary requirements stated in the SDLC methodology.
The objectives of the audit are:
 To ascertain that the standards and procedures for the SDLC are made available and followed
accordingly;
 To ascertain that resources are effectively and efficiently utilised to enable the project to meet its
deadline;
 To ascertain that proper authorisation/approval is sought at each stage prior to the commencement
of further tasks;
 To ascertain that project documentation is current and properly maintained for future review;
 To ascertain that test documentation including test plans and results are adequately maintained;
and
 To ascertain that proper change request procedures exist to ensure all changes are authorised and
attended to on a timely basis.

Auditing of E-Commerce
Electronic commerce, commonly known as e-commerce, is the process by which organisations conduct
business with their customers, suppliers and other external business partners over electronic systems such
as the Internet and other computer networks. According to the IT Audit and Assurance Guidance issued by
ISACA (2010), e-commerce includes both business-to-business (B2B) and business-to-consumer (B2C)
models, but excludes pre-existing non-Internet electronic commerce methods based on private networks,
for example Electronic Data Interchange (EDI) and SWIFTNet.

Using e-commerce exposes a company's sensitive information, programs and hardware to potential attack
by external parties, especially hackers. The threats associated with e-commerce as a business model are
numerous and include:
 virus infections;
 hacking;
 cybercrime; and
 failure of the system and infrastructure.

E-commerce Challenges and Internal Auditing


The open-ended set of Internet exposures that comes with an e-commerce model has made management
concerned about the need for strong controls over the organisation's IT environment. Management can use
control tools such as firewalls, antivirus software and encryption to protect company data and application
systems. Besides deploying these security tools, management needs internal auditors to review the
adequacy and effectiveness of the existing security controls. The following are among the areas of concern
for an internal auditor in regard to e-commerce.

Knowledge on security exposures and control measures


Internal auditors should familiarise themselves with the various attack techniques (e.g. hacking, spamming,
virus attacks) associated with e-commerce transactions and be capable of addressing those security issues.
They need to understand that different security threats require different approaches and solutions.
For example, inadequate network access control increases the possibility of unauthorised access (e.g.
hacking) by an external party to the company's sensitive and confidential data. An internal auditor could
commission or perform a penetration test to examine the effectiveness of the organisation's information
security. In a penetration test, the audit team attempts, with management's authorisation, to break into the
organisation's information systems. The team tries different methods to compromise the company's systems
in order to assess the level of security control. If the level of control is poor, the team recommends
additional protection. For example, the company could adopt defence-in-depth, in which multiple layers of
protection are employed so that no single control is a single point of failure. A firewall restricting network
access is one layer; requiring several authentication factors together (something the user has such as an ID
card, something the user knows such as a password, and something the user is such as a biometric) to
access the company's systems is another. A stolen password alone is then not enough to gain access.
An effective recommendation helps management resolve issues in a short period of time, allowing it to
focus on other critical areas of business operations.
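As an added example (not code from the original module), the following Python shows the layered authentication described above: a password check plus a time-based one-time password (TOTP, RFC 6238) as a second factor, so that a password obtained by an attacker does not on its own grant access. The user record, password and TOTP secret are constructed for the example; the secret is the RFC 6238 test key, so the codes it produces can be checked against the published test vectors.

```python
"""Added example: a second authentication factor (TOTP, RFC 6238) layered on
top of a password check. Constructed for this chapter; not code from the
original text. The user record, password and secret are made up."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo data. In production the password would be salted and
# stretched (e.g. PBKDF2); a bare SHA-256 is used only to keep this short.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time step."""
    return hotp(secret, at_time // step, digits)


def check_password(user: str, password: str) -> bool:
    """First factor: constant-time comparison of the password hash."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(rec["pw_hash"], candidate)


def check_totp(user: str, code: str, at_time: int, drift_steps: int = 1) -> bool:
    """Second factor: accept the current step and +/- drift_steps for clock skew."""
    rec = USERS.get(user)
    if rec is None:
        return False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(rec["totp_secret"], at_time + delta * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user: str, password: str, code: str, at_time: Optional[int] = None) -> bool:
    """Both layers must pass; a leaked password alone is not enough."""
    if at_time is None:
        at_time = int(time.time())
    return check_password(user, password) and check_totp(user, code, at_time)


if __name__ == "__main__":
    now = int(time.time())
    good_code = totp(USERS["alice"]["totp_secret"], now)
    print("password only :", login("alice", "correct horse", "000000", now))
    print("password + OTP:", login("alice", "correct horse", good_code, now))
```

The auditor's check here is simple: confirm that a correct password with a wrong or missing code is rejected, and that the code changes every time step. The RFC test vectors (counter 0 gives 755224, time 59 gives 287082) let the implementation itself be verified independently of any device.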

Skills and experience in handling e-commerce security issues


The use of e-commerce as part of business operations has expanded the functions, scope and
responsibilities of the IT department. Internal auditors therefore need to keep their skills and knowledge
of IT control procedures up to date. They should also understand the concepts behind the e-commerce
business model, which helps them identify areas vulnerable to external or internal threats.

Question on loss of transaction integrity


Since e-commerce transactions leave no physical documentation, internal auditors should focus on the
adequacy of the security controls stated in the IT policies and procedures and on the audit trail that the
system itself produces. Auditors can also perform a walkthrough of the e-commerce system to ensure that
proper security controls are implemented and operating at every stage of the transaction.
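As an added example that is not part of the original text, the following Python builds a hash-chained audit trail for an order so that each stage of the transaction is linked to the record before it. An auditor walking the trail can detect a stage that was altered, removed or inserted after the fact, which is the kind of integrity control an auditor looks for when no physical documents exist. The order data, stage names and field names are constructed for the illustration.

```python
"""Added example: a tamper-evident (hash-chained) audit trail for the stages
of an e-commerce order. Constructed data; not code from the original text."""
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(prev_hash: str, record: Dict[str, Any]) -> str:
    """Hash of the previous hash plus a canonical JSON form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(trail: List[Dict[str, Any]], **fields: Any) -> None:
    """Add one stage; its hash covers its own fields and the previous hash."""
    prev = trail[-1]["hash"] if trail else GENESIS
    entry: Dict[str, Any] = {"seq": len(trail), **fields}
    entry["hash"] = _digest(prev, entry)
    trail.append(entry)


def verify(trail: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """Walk the chain from GENESIS; return (ok, seq of first bad record)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or _digest(prev, body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_trail() -> List[Dict[str, Any]]:
    """Constructed order ORD-1001 moving through three stages."""
    trail: List[Dict[str, Any]] = []
    append(trail, stage="order_placed", order="ORD-1001",
           customer="c-77", amount_cents=25000)
    append(trail, stage="payment_authorised", order="ORD-1001",
           gateway_ref="pay-ab12", amount_cents=25000)
    append(trail, stage="shipped", order="ORD-1001", carrier_ref="shp-9")
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact trail :", verify(t))
    t[1]["amount_cents"] = 2500          # someone edits the payment record
    print("edited stage :", verify(t))   # chain breaks at seq 1
```

The check an auditor runs is `verify` over the exported trail; a result other than `(True, None)` names the first record that no longer matches. The chain only proves that records have not changed since they were written, so the hashes (or at least the final hash) must be stored somewhere the application owners cannot rewrite.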

Audit on e-commerce
Once a company operates online, the internal audit function has to include an e-commerce audit in the
annual audit plan. This helps management evaluate the existing system of internal control over the
e-commerce model. Generally, the reasons for an audit of e-commerce are:
 to assess the effectiveness of the infrastructure and security measures of the e-commerce system;
 to evaluate the compliance of e-commerce operations with the organisation's IT security policies and
with industry best practice;
 to evaluate the readiness of the IT function in the event of a major failure of e-commerce business
transactions; and
 to identify other security issues that may affect the current e-commerce infrastructure.

Computer-Assisted Audit Techniques (CAATs)


Computer-assisted audit techniques (CAATs), or computer-assisted audit tools and techniques
(CAATTs), is the approach of using computers to perform audit work. CAATTs provide tools and utilities
that help the auditor select, gather, analyse and report on audit evidence. At the simplest level they are
ordinary office applications such as spreadsheets, word processors and text editors; more advanced
software packages add functions such as statistical analysis and report-writing tools. The functions
provided by CAATTs include the following.

Information Retrieval and Analysis


Auditors could use automated retrieval and analysis tools to assess data and records and to evaluate and
analyse them based on the criteria or parameters set by them. Common audit tests or routines on data
analysis such as matching transactions, identifying duplicate transactions, checking of approvals versus
authorisation limits, system overrides, access authorities, telephone usage, and so on could be handled
by the systems rather than done manually.

Fraud Detection Tool


Auditors can use more sophisticated software to identify unexpected or unexplained patterns in data that
may indicate fraud. For example, the software may alert the user to duplicate payments, long overdue
outstanding accounts, sudden write-offs, unusually expensive acquisitions or overrides of authorisation
limits.

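As an added example rather than code from the original module or from any vendor's CAAT package, the following Python runs the kinds of audit routines described in the two paragraphs above (information retrieval and fraud detection) over a small constructed payment extract: duplicate payments, approvals above the approver's authorisation limit, payments with no approver recorded, and amounts sitting just below a limit. The column names and the authorisation limits per grade are assumptions made for the illustration.

```python
"""Added example: CAAT-style audit tests over a payment extract.
Constructed sample data; not code from the original text. Column names and
authorisation limits are assumptions for illustration."""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed payment extract, as an auditor might export from the ledger.
PAYMENTS_CSV = """payment_id,date,vendor,invoice_no,amount,approver,approver_grade
P001,2022-03-01,Acme Sdn Bhd,INV-100,4800.00,lim,manager
P002,2022-03-02,Acme Sdn Bhd,INV-100,4800.00,lim,manager
P003,2022-03-03,Beta Supplies,INV-207,15000.00,raj,manager
P004,2022-03-03,Beta Supplies,INV-208,2500.00,,manager
P005,2022-03-04,Gamma Ltd,INV-310,9999.00,lim,manager
P006,2022-03-05,Gamma Ltd,INV-311,60000.00,tan,director
"""

# Assumed authorisation limits per approver grade (illustrative values).
LIMITS = {"manager": 10000.00, "director": 100000.00}

Row = Dict[str, str]


def load_payments(text: str) -> List[Row]:
    return list(csv.DictReader(io.StringIO(text)))


def duplicate_payments(rows: List[Row]) -> List[List[str]]:
    """Same vendor, invoice and amount paid more than once."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["invoice_no"], r["amount"])].append(r["payment_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def over_limit_approvals(rows: List[Row], limits: Dict[str, float] = LIMITS) -> List[str]:
    """Approver signed off an amount above the limit for their grade."""
    flagged = []
    for r in rows:
        limit = limits.get(r["approver_grade"], 0.0)  # unknown grade: no authority
        if float(r["amount"]) > limit:
            flagged.append(r["payment_id"])
    return flagged


def missing_approver(rows: List[Row]) -> List[str]:
    """Payments released with no approver recorded at all."""
    return [r["payment_id"] for r in rows if not r["approver"].strip()]


def just_below_limit(rows: List[Row], limits: Dict[str, float] = LIMITS,
                     band: float = 0.05) -> List[str]:
    """Amounts within `band` of the approver's limit, a sign of limit-splitting."""
    flagged = []
    for r in rows:
        limit = limits.get(r["approver_grade"])
        amount = float(r["amount"])
        if limit is not None and limit * (1 - band) <= amount <= limit:
            flagged.append(r["payment_id"])
    return flagged


def run_audit_tests(text: str = PAYMENTS_CSV) -> Dict[str, list]:
    """Run every routine over the whole population, not a sample."""
    rows = load_payments(text)
    return {
        "duplicates": duplicate_payments(rows),
        "over_limit": over_limit_approvals(rows),
        "missing_approver": missing_approver(rows),
        "just_below_limit": just_below_limit(rows),
    }


if __name__ == "__main__":
    for test_name, hits in run_audit_tests().items():
        print(f"{test_name:18s} {hits}")
```

Each routine is deliberately a few lines, because the value of a CAAT lies less in the cleverness of any one test than in running every test over the full population every period and keeping the results as audit evidence. A hit is a lead to follow up, not a finding in itself.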
Audit Reporting Function
CAATTs provide tools that automatically link the work performed, the information gathered, the
auditor's assessments and the information used to support report writing. This allows auditors to minimise
duplication in writing up or transferring information from one section of the audit working papers to
another or to a summary. More capable CAATTs record audit findings in the audit programme, checklist or
internal control questionnaire and then carry the related information into the management letter for
reporting to management.

Advantages of CAATs
 CAATs are suited to auditing large volumes of transactions and are particularly valuable to
organisations with complex processes, distributed operations and high transaction volumes. They allow
auditors to scrutinise all business data and highlight unusual transactions.
 As businesses expand, most companies prefer to keep their data electronically rather than in printed
form. CAATs give auditors direct and efficient access to the data being audited, which reduces the time
and effort spent on audit procedures while improving accuracy.
 Using CAATs for substantive testing allows the whole population to be tested rather than a sample,
which gives a higher level of assurance over the area being audited. Errors or fraud indicators are easier
to pinpoint, which leads to more effective recommendations and increases the credibility of auditors in
the eyes of management.
 CAATs provide a standard, uniform practice and a user-friendly interface for auditors. They allow
auditors to perform various tasks irrespective of the data format or the underlying operating system of
the organisation. The CAE can also review the software's log of all tests conducted in order to supervise
the work of each auditor.

Disadvantages of CAATs
 Cost outweighing the benefits of purchasing audit software is one limitation of adopting CAATs. The
question is whether management is willing to invest in new audit software and bear all the related costs,
which include:
 the cost of purchasing and installing the software;
 the cost of training staff to use the software;
 the cost of maintaining the software; and
 the cost of after-sales service, such as telephone charges to contact the service centre, especially
if the centre is located abroad.
 Some audit software has compatibility problems with the applications already used by a company, and
CAATs may not work well with complex operating environments. It then becomes difficult for auditors to
use the software to access the auditee's database for the transactions being audited.
 Installing and using new audit software may require particular computing resources or facilities.
Typically, a few system requirements have to be met before installation, for example the type of
processor, the memory and storage required, an optical drive and an Internet connection for registration.
Problems may also arise when auditors run the software: a typical situation is an audit job competing
with the normal processing of the company's transactions, which can degrade performance or, in the
worst case, cause the server to fail.
 CAATs used to extract business data raise security issues of their own. Sensitive business data such as
customer details, business plans and strategies could be compromised if the extracted data is not handled
properly. Inadequate control over how extracted data is stored, transferred and disposed of contributes to
this risk.

Internal Auditing and The Fourth Industrial Revolution
The first industrial revolution began with the introduction of mechanical production equipment powered
by water and steam. This was followed by mass production with the help of electrical power in the early
20th century. The third industrial revolution began in the early 1970s with the use of electronics and
computers to automate manufacturing. Today, the concept of cyber-physical systems, with terms such as
artificial intelligence, big data and robotics, has come into existence.

Industrial Revolution 4.0, or IR 4.0, “involves the use of software (apps) as a medium for automating
business activity. It stimulates manufacturing productivity by enhancing the connectivity between
humans and machines” (Idris, 2018). IR 4.0 combines existing manufacturing technology with tools
such as autonomous robots, simulation, the Internet of Things (IoT), cloud computing, cyber security and
big data. The expectation is that this shifts the manufacturing industry to a more innovative business
model, enabling it to compete globally.

For internal auditing, big data and data analytics offer a substantial opportunity to improve the way audits
are conducted. Big data refers to extremely large data sets characterised by high volume, high velocity
and wide variety, whereas data analytics refers to the process of turning that data into meaningful
information for management's decision making. Together they allow internal auditors to handle audit
tasks more efficiently and thereby help the company remain viable in its industry.

To incorporate data analytics as part of auditing procedures, the company might consider the following
aspects:

1. Support from top level management


Top-level management, especially the Board of Directors, should actively plan, discuss and decide to
invest in or explore ideas that could help the internal auditor deal with big data. Planning includes, among
other things, a proportionate budget for investment in analytics tools, enhancement of the technology
currently used in auditing so that it can accommodate today's complex big data, and an incentive
allowance for staff who are interested in pursuing knowledge and skills in these specialised areas.

2. On-going programs on enhancing analytical skills


The CAE is responsible for planning continuous programmes to enhance the analytics knowledge and
technical skills of the audit team. This helps auditors meet their audit objectives with greater assurance
and maintain efficiency in carrying out their duties. Audit staff should also be encouraged to become more
innovative in dealing with big data: creativity in understanding, handling and presenting it in a meaningful
way helps the internal auditor enhance the competitiveness of the organisation. The CAE should also
consider in-house training not only for the audit team but also for non-audit staff, to explain the new
approach to auditing. This reduces problems caused by operational staff's lack of knowledge of the new
requirements and methods of conducting audits.

3. Automated audit tools and techniques


Integrating data analytics into current audit methodologies requires a properly structured plan. Internal
auditors now deal with non-traditional data characterised by large volumes of unstructured content that
comes not only from the company but also from social media, e-mails, videos, statistics, forecasts and
other sources. In integrating data analytics, the CAE should consider factors such as the availability of the
IT infrastructure to support the approach, the compatibility and security features of the data sources, and
the ability to handle internal control issues while complying with current auditing standards. Properly
managing these operational risks enables a smooth transition to data analytics as part of the audit
methodology, improving the audit reporting process and enriching the decisions and actions of top-level
management.

Summary
The job of internal auditors in regards to an IT audit is very challenging as it involves reviewing and
reporting audit findings that are highly technical. To perform audit procedures effectively, auditors
should possess adequate IT knowledge, technical skills and experiences. This would also enable
auditors to translate the audit findings into value-added recommendations that could assist an
organisation in achieving its business objectives.

Self-Review Questions

1. Discuss guidelines when performing an IT audit.
2. Discuss six major areas in regards to an IT audit.
3. Identify and discuss the advantages and disadvantages of CAATs.
4. List the audit procedures pertaining to an audit of a system development.
5. What are the differences between business conducted in the traditional manner and one using the
Internet?
6. Design an internal audit program for an e-commerce audit.

References
Anantha Sayana, S. (2003). Using CAATs to Support IS Audit. ISACA Journal, Volume 1.
Anantha Sayana, S. The IS Audit Process. ISACA Journal.
Arens, A. A., Elder, R. J., Beasley, M. S., Amran, N. A., Fadzil, F. H., Mohamad Yusof, N. Z.,
Mohamad Nor, M. N. & Shafie, R. (2008). Auditing and Assurance Services in Malaysia.
Pearson Malaysia.
Blanco, L. (2002). Audit Trails in an E-commerce Environment. CISA Journal, Volume 5.
GAIT Methodology: A risk-based approach to assessing the scope of IT general controls. The
Institute of Internal Auditors (2007).
Guide to the Assessment of IT Risk (GAIT). The Institute of Internal Auditors (2009).
Idris, R. (2018). IR 4.0: The Way Forward. Daily Express Independent National Newspaper of East
Malaysia.
IS Auditing Guideline: G3 Use of Computer-Assisted Audit Techniques. ISACA.
IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance. ISACA, August 2010.
Kaur, J., Yap, M. L. and Mohamed Nadzri, A. Z. (2008). IS Auditing Standards in Malaysia. ISACA
Journal, Volume 1.
Lee, M., Haron, H., Ismail, I., Che Haat, M. H., Zaini, N., Tong, S. Y., Lok, C. L. and Nasar, M. F.
(2009). Principles and Contemporary in Internal Auditing. McGraw Hill Education.
Romney, M. B. and Steinbart, P. J. (2012). Accounting Information Systems. Pearson Education Limited.
Singleton, T. W. (2004). Systems Development Life Cycle and IT Audits. ISACA Journal, Volume 3.

Mind Map

9 Investigation of Fraud
Learning Objectives
After going through this chapter, you should be able to:
 Describe the fraud triangle/fraud diamond theory
 Define the different types of fraud and identify the red flags for fraud
 Explain the roles and responsibilities of an internal auditor in fraud prevention and detection
 Explain other roles and responsibilities for fraud prevention and detection
 Describe the framework of the fraud risk assessment
 Understand the concept of forensic auditing

Introduction

The increased levels of fraud, a heightened regulatory environment and pointed questions from internal
and external auditors and Board of Directors have caused companies to be more vigilant in their efforts
to address fraud. Fraudulent schemes are often on-going crimes that can last months or even years
before detection, making it difficult to measure losses.

Fraud has negatively impacted organisations in different ways, including financial, reputational,
psychological and social. Organisations have been forced to cease operations due to the impact of
financial and reputation damages. Victims of fraud also suffer mental and emotional harm and stress
related physical effects in addition to financial losses.

Fraud ranges from minor employee theft and unproductive behaviour to misappropriation of assets,
fraudulent financial reporting and Ponzi schemes used to defraud investors. The risk of fraud can be
reduced through prevention, detection and deterrence. Most frauds begin small and grow while the scheme
remains undetected. Perpetrators often view their initial theft as a temporary borrowing that will be put
right before anyone notices the problem. The borrowings accelerate until the perpetrator is in an
indefensible position, or develops a scheme to conceal the fraud and avoid discovery. As the fraud grows,
it becomes more likely to be detected by a fellow employee, management, or the internal or external
auditor.

Definition of Fraud
Fraud encompasses a wide range of irregularities and illegal acts characterised by intentional deception
or misrepresentation. In general, fraud is defined as an act or course of deception, or an intentional
concealment, omission or perversion of the truth, in order to:
 gain an unlawful or unfair advantage;
 induce another to part with something of value or to surrender a legal right; and/or
 inflict injury in some manner.

Wilful fraud is a criminal offence carrying severe penalties, and in some jurisdictions its prosecution and
punishment (like that of murder) is not bound by a statute of limitations.

Fraud refers to an intentional act by one or more individuals among management, those charged with
governance, employees or third parties, involving the use of deception to obtain an unjust or illegal
advantage. Fraudulent financial reporting involves intentional misstatements in one or more of the
following ways:

 Deception such as manipulation, falsification or alteration of accounting records or supporting
documents;
 Misrepresentation in, or intentional omission from, the financial statements of significant events,
transactions or other information; and
 Intentional misapplication of accounting principles relating to the measurement, recognition,
classification, presentation or disclosure of material transactions.

Fraud is generally defined in law as an intentional misrepresentation of an existing fact, made by one
person to another with knowledge of its falsity and with the intention of inducing the other person to act
on it, and which causes the other person injury or damage. Fraud may also be an omission or purposeful
failure to state material facts where the non-disclosure makes the other statements misleading.

However, incompetence or negligence in managing a business, or even a reckless waste of assets (by
speculating on the stock market, for example), does not normally constitute fraud. In such cases, to prove
fraud the aggrieved party (creditors or shareholders) must show that at some point they were intentionally
deceived about a material fact.

Fraud Triangle and Fraud Diamond


The following describes the fraud triangle theory shown in Figure 9.1. For fraud to occur, all three
elements have to be present. Organisations should be aware of the pressures their employees face and how
these relate to the company's overall fraud risk. Rationalisation can be reduced by promoting a strong
sense of ethical behaviour among employees and creating a positive work environment. By implementing
strong internal controls, companies can lessen or remove the opportunity for fraud and increase the
chances of detecting it. Governments and companies can take steps to influence all three legs.

Figure 9.1 The Three Elements of the Fraud Triangle

Pressure
Pressure is what causes a person to commit fraud. Pressure can include almost anything such as medical
bills, expensive tastes, addictions and so on. Most of the time, pressure comes from a significant
financial need/problem. Often this need/problem is non-sharable in the eyes of the fraudster. That is,
the person believes, for whatever reason, that their problem must be solved in secret. However, some
frauds are committed simply out of greed alone.

Opportunity
Opportunity provides a situation to commit fraud. Because fraudsters do not wish to be caught, they
must also believe that their actions will not be detected. Opportunity is created by weak internal
controls, poor management oversight and/or through the use of one’s position and authority. Failure to
establish adequate procedures to detect fraudulent activity also increases the opportunities for fraud to
occur. Of the three elements, opportunity is the leg that organisations have the most control over. It is
essential that organisations build processes, procedures and controls that do not needlessly put
employees in a position to commit fraud and effectively detect fraudulent activity when it occurs.

Rationalisation
Rationalisation is a crucial component in most frauds. Rationalisation involves a person reconciling
his/her behaviour (stealing) with the commonly accepted notion of decency and trust. Some common
rationalisations for committing fraud are:
 The person believes committing fraud is justified to save a family member or loved one;
 The person believes he/she will lose everything — family, home, car, and so on, if he/she does not
take the money;
 The person believes that no help is available from outside;
 The person labels the theft as ‘borrowing’ and fully intends to pay back the stolen money at some
point;
 The person, because of job dissatisfaction (salaries, job environment, treatment by managers, etc.),
believes that something is owed to him/her; and
 The person is unable to understand or does not care about the consequence of his/her actions or of
accepted notions of decency and trust.

However, Wolfe and Hermanson (2004) believe that the fraud triangle could be enhanced to improve
both fraud prevention and detection by considering a fourth element, capability, as depicted in the
fraud diamond theory in Figure 9.2.


Figure 9.2 Fraud Diamond

Capability
Personal traits and abilities play a major role in whether fraud may actually occur even with the presence
of the other three elements. The components of capabilities are position/function, brains,
confidence/ego, coercion skills, effective lying and immunity to stress.

 The person’s position or function within the organisation may offer the ability to create or exploit
an opportunity for fraud not available to others. For example, a CEO or divisional president has
the positional authority to influence when contracts or deals take effect, thus affecting the timing
of revenue or expense recognition.
 The right person for a fraud is smart enough to understand and exploit internal control weaknesses
and to use position, function, or authorised access to the greatest advantage. Many of today’s
largest frauds are committed by intelligent, experienced, creative people, with a solid grasp of
company controls and vulnerabilities. This knowledge is used to leverage the person’s
responsibility over, or authorised access to, systems or assets.
 The right person has a strong ego and great confidence that he will not be detected, or the person
believes that he could easily talk himself out of trouble if caught. Such confidence or arrogance
can affect one’s cost-benefit analysis of engaging in fraud: the more confident the person, the
lower the estimated cost of fraud will be.
 A successful fraudster can coerce others to commit or conceal fraud. A person with a very
persuasive personality may be able to convince others to go along with a fraud or to simply look
the other way. In addition, a common personality type among fraudsters is the “bully,” who “makes
unusual and significant demands of those who work for him or her, cultivates fear rather than
respect and consequently avoids being subject to the same rules and procedures as others.” Many
financial reporting frauds are committed by subordinates reacting to an edict from above to “make
your numbers at all costs” or else.
 A successful fraudster lies effectively and consistently. To avoid detection, she must look auditors,
investors, and others right in the eye and lie convincingly. She also possesses the skill to keep track
of the lies, so that the overall story remains consistent.

Types of Fraud

Fraud is perpetrated by a person knowing that it could result in some unauthorised benefit to him or her,
to the organisation or to another person, and can be perpetrated by an outsider. The following lists the
common kinds of fraud.

Asset Misappropriation
Involves the theft of cash or other assets (supplies, inventories, equipment and information) from the
organisation. In many cases, the perpetrator tries to conceal the theft, usually by adjusting the records.

Financial Statement Fraud

Involves misrepresenting financial statements, often by overstating assets or revenue or understating
liabilities and expenses. Financial statement fraud is typically perpetrated by managers who seek to
enhance the economic appearance of the organisation. Members of the organisation may benefit directly
from the fraud by selling stock, receiving performance bonuses, or using the false report to conceal
another fraud.

Corruption
Misuse of entrusted power for private gain. Corruption includes bribery and other improper use of
power. Corruption is off-book fraud, meaning that there is little financial evidence available to prove
that the crime occurred. Corrupt employees do not have to fraudulently change financial statements to
cover up their crimes. They simply receive cash payments under the table. In most cases, these crimes
are uncovered through tips or complaints from third parties. Procurement-related corruption is common.

Bribery
The offering, giving, receiving or soliciting of anything of value to influence an outcome. Bribes may
be offered to key employees or managers who are purchasing agents and who have the ability to award
business to vendors.

Falsification of Expense Claims

An old favourite with both senior and junior staff. Common ‘ruses’ include inflating mileage claims,
entertaining friends and relatives at the company’s expense and claiming for expenses that were never
incurred.

Stealing Money from the Company Bank Account

A perpetrator who has got away with stealing once will usually keep doing it.

Manipulating Sales Figures to Reach Target and Achieve Bonuses

A simple version of this involves booking sales in one month and then crediting them back the next;
unless the perpetrator keeps this up, the overstatement in one month will naturally show as a shortfall
in the next.

Falsifying Supplier Invoices
For example, a senior manager who had renovation work carried out on his house arranged for the
invoices to be sent to the company, where they were booked as costs for work carried out on the
company’s premises.

Stock Theft
A time-honoured way to make a ‘fast buck’. The perpetrator will over a period of time abscond with a
number of items from the warehouse and resell them. So long as the stock losses are within tolerance,
then it is possible for this to remain undetected for a significant period of time.

Transactions That Are Not at ‘Arm’s Length’

When a company asks for tenders for a contract, it usually obtains at least three quotes from third
parties. The best value quote should then be selected. When the system does not run effectively, there
is an opportunity for friends and relatives of the purchasing department to send in quotes that are
accepted, bypassing the quotes from reputable suppliers.

Tax Evasion
Fraud at corporate level. Excessively complex organisational structures are created and designed to
obfuscate the revenue streams to hide the reality from tax authorities.

Fictitious Invoicing
Where there are poor accounting controls, fraudsters can arrange for fake invoices from connected
parties to be passed for payment.

Acquisition of Company Property at Less than Market Value

This requires the collusion of at least two people (usually quite senior in position). Company property
is ‘sold’ to one of the individuals at a bargain price approved by the other. The property is then resold
at market value and the profit is split between the two individuals.

Theft of Raw Materials

Manufacturers should measure the quantities and costs of the raw materials used in the manufacturing
process. Some processes use expensive materials such as gold. When the measurement system is
compromised or management does not investigate adverse yield variances, fraudsters have the
opportunity to steal the raw material.

Given the ongoing recession, the temptation/pressure to commit fraud is even greater; companies and
government organisations would be well advised to review their procedures.

Red Flags of Fraud

Managers and employees responsible for stewardship of companies should be aware of red flags for
fraud. These are only warning signs that may indicate higher fraud risk; however, they are not evidence
that fraud will occur. Also, the existence of one or two flags is not something to be overly concerned
with. Many employees do demonstrate one or more elements on the list. However, if multiple flags are
present that span the three groupings and accounting irregularities or weak controls are identified, then
appropriate authorities (including the superintendent’s office and internal auditing) should be contacted.

Common Personality Traits of Fraudsters

 Wheeler and dealer
 Domineering/controlling
 Do not like people reviewing their work
 Strong desire for personal gain
 Have a ‘Beat the System Attitude’
 Live beyond their means
 Close relationship with customers or vendors
 Unable to relax
 Often have a ‘too good to be true’ work performance
 Do not take vacation or sick time or only take leave in small amounts
 Often work excessive overtime
 Outwardly appear to be very trustworthy
 Often display some sort of drastic change in personality or behaviour

Common Sources of Pressure

 Medical problems — especially for a loved one
 Unreasonable performance goals
 Spouse loses a job
 Divorce
 Starting a new business or current business is struggling
 Criminal conviction
 Civil lawsuit
 Purchase of a new home, a second home, or a home renovation
 Need to maintain a certain lifestyle (‘champagne tastes’ or ‘keep up with the Joneses’) — the person
(or spouse) either likes expensive things or feels pressured to ‘keep up with’ or out-do others in
regard to material possessions
 Excessive gambling
 Drug or alcohol addiction

Changes in Behaviour
 Suddenly appears to be buying more material items — houses, cars, boats, clothes, jewellery,
electronics, and so on
 Brags about new purchases
 Starts to carry unusual amounts of cash
 Creditors/bill collectors show up at work or call frequently
 Borrows money from co-workers
 Becomes more irritable or moody
 Becomes unreasonably upset when questioned
 Becomes territorial over their area of responsibility
 Will not take vacation or sick time, or only takes it in small increments
 Works unnecessary overtime
 Turns down promotions
 Starts coming in early or staying late
 Redoes or rewrites work to ‘make it neat’
 Starts to mention family or financial problems
 Exhibits signs of drug or gambling addiction (absenteeism, becomes manipulative, looks ill,
inconsistent or illogical behaviour, loss of sleep or appetite, etc.)
 Exhibits signs of dissatisfaction (decrease in productivity, change in attire, irregular schedules,
frequent complaining about inequities or work issues)

Internal Audit’s Role in Fighting Fraud

Fighting fraud in an organisation requires the combined efforts of many different departments, including
internal auditors assisting in the prevention and detection of fraud by evaluating the adequacy and
effectiveness of internal control, assisting management in establishing effective fraud prevention
measures, proactively auditing for fraud, and investigating suspected fraud.

Specifically, the practice guide states that, in conducting audit engagements, the internal auditor
should:

 Consider fraud risks in the assessment of internal control design and determination of audit steps
to perform.
 Have sufficient knowledge of fraud to identify red flags indicating fraud might have been
committed.
 Be alert to opportunities that could allow fraud, such as control deficiencies.
 Evaluate whether management is actively retaining responsibilities for oversight of the fraud risk
management programme, whether timely sufficient corrective measures have been taken with
respect to any noted control deficiencies or weakness, and whether the plan for monitoring the
programme continues to be adequate for the programme’s ongoing success.
 Evaluate the indicators of fraud and decide whether any further action is necessary or whether an
investigation should be recommended.
 Recommend investigation when appropriate.

Internal auditors evaluate risks faced by organisations based on audit plans with appropriate testing.
Internal auditors need to be alert to signs and possibilities of fraud within an organisation. These auditors
are often in a better position to detect the symptoms that accompany fraud. They usually have a
continual presence in the organisation which provides them with a better understanding of the
organisation and its control system. Internal auditors can assist:

 in deterring fraud by examining and evaluating the adequacy and effectiveness of internal controls.
 in establishing effective fraud prevention measures by knowing the organisation’s strengths and
weaknesses and providing consulting expertise.

The importance an organisation attaches to its internal audit activity is an indication of the
organisation’s commitments to effective internal control and fraud risk management. Internal auditors’
roles in relation to fraud risk management are as follows:

 To launch initial or full investigation of suspected fraud, to perform root cause analysis and control
improvement recommendations, to monitor a reporting/whistle-blowing hotline and provide ethics
training
 To obtain sufficient skills and competencies including knowledge of fraud schemes, investigation
techniques and laws
 To conduct proactive auditing to search for misappropriation of assets and information
misrepresentation using computer-assisted audit techniques (CAATs) and data mining
 To employ analytical and other procedures of high-risk accounts and transactions to identify
potential fraud

Other Responsibilities of Fraud Prevention and Detection

Board of Directors

The Board of Directors has the responsibility for effective corporate fraud governance.

The role of the Board of Directors:

 To oversee and monitor management’s actions to manage fraud.
 To evaluate management’s identification of fraud risks.
 To implement anti-fraud measures.
 To set the tone at the top.

To set the tone for fraud risk management, the Board of Directors should engage in the following:

 Implement policies that encourage ethical behaviour, including processes for employees,
customers and external business relationship partners to report instances where those policies are
violated.
 Monitor the organisation’s fraud risk management effectiveness by appointing one executive-level
member of management to be responsible for coordinating fraud risk management and reporting
to the Board of Directors.

Audit Committee

The CAE must report periodically to senior management and the Board of Directors on the internal
audit activity’s purpose, authority, responsibility and performance relative to its plan. The Audit
Committee usually has oversight of the internal audit activity.

An Audit Committee is the independent eyes and ears of the investors and other stakeholders. The role
of the Audit Committee is as follows:

 To evaluate management’s identification of fraud risks.
 To implement anti-fraud measures.
 To provide the tone at the top that fraud will not be accepted in any form.
 To hire external auditors to report on the financial statements of the organisation.
 To provide recommendations on internal control.
 To be responsible for overseeing management’s compliance with appropriate financial reporting.
 To be responsible for preventing senior management from overriding the controls or other
inappropriate influence over the reporting process.

Management
The primary responsibility for the prevention and detection of fraud rests with the governing body and
management. Management’s responsibilities include creating an environment where fraud is not
tolerated, identifying risks of fraud, and taking appropriate actions to ensure that controls are in place
to prevent and detect fraud. The role of the management is as follows:
 Responsible for overseeing the activities of employees and typically does so by implementing
and monitoring processes and internal controls.
 Assess the vulnerability of the entity to any fraudulent activities.
 Responsible for establishing and maintaining an effective internal control system at a reasonable
cost.
 Maintain discussions with investigators and legal counsel to develop controls over the investigation
process, including developing policies and procedures for effective fraud investigations and for
handling the results of investigations, reporting and communications.

External Auditor
External auditors have the responsibility to comply with professional standards and to plan and perform
audit for an organisation’s financial statements to obtain reasonable assurance whether these statements
are free from material misstatements and if misstatements were found, whether they were caused by
error or fraud.

Whenever external auditors have determined that there is evidence of fraud, their professional
standards typically require that the matter be brought to the attention of the appropriate level of
management. An external auditor typically reports fraud involving senior management directly to those
charged with governance.

Fraud Investigators
Fraud investigators are usually responsible for the detection and investigation of fraud as well as the
recovery of assets. They also have a role in fraud prevention. Senior management and the Audit
Committee need to support investigators and to let all stakeholders know that the business entity is
ready to respond quickly and appropriately to fraud risks.

Fraud investigators often work closely with the legal counsel to take action against perpetrators.
Communication between fraud investigators and legal counsel is likely to be confidential. Fraud
investigators’ work is done under the direction of the legal counsel.

A lead investigator usually determines the knowledge, skills and other competencies needed to carry
out an investigation effectively and assigns competent and appropriate people to the team.

Other Employees
Every employee has a role to play in fighting fraud. Employees are the eyes and ears of an organisation,
and they should be empowered to maintain a workplace of integrity. Employees can report their
suspicion of fraud to the employee hotline, the internal audit department or a member of management.
To deter and detect fraud and abuse, many experts believe an employee hotline that is appropriately
monitored is the single most cost-effective fraud detection and deterrence mechanism.

Internal Audit’s Role in Anti-Bribery and Anti-Corruption Programs

The specific role of internal audit in anti-bribery and anti-corruption programs varies from one
organisation to another, but internal audit generally reinforces the program in two ways: by
identifying potential and actual incidents, and by assessing the effectiveness of the program designed
to anticipate and address these risks.

Specifically, internal audit can reinforce each of the following program components in the noted ways:

1. Tone at the top/governance structure, by:

 Understanding the attitude and tolerance of management and the Board of Directors regarding
bribery and corruption risks
 Assessing whether that attitude is sufficiently restrictive
 Validating that this attitude has been effectively communicated throughout the organisation
 Scrutinising the governance structure and oversight of the anti-bribery and anti-corruption
program

2. Bribery and corruption risk assessment, by:

 Understanding all aspects of the anti-bribery and corruption program before performing risk
assessments
 Evaluating inherent bribery and corruption risk as part of a comprehensive risk assessment
 Ensuring the audit plan for assessing the anti-bribery and anti-corruption program is based on the
results of risk assessment

3. Policies and procedures, by testing whether they are:

 Documented appropriately
 Approved by management
 In compliance with applicable laws and regulations
 Implemented effectively

4. Communication and training, by:

 Sharing information with other functions or parties (e.g. fraud investigation, legal, compliance,
external audit, regulators), as appropriate
 Assisting in communicating and training employees in anti-bribery and anti-corruption policies (to
the extent that doing so does not impair their objectivity)

5. Monitoring and auditing, by:

 Ensuring risk assessments, analysis, and communication are effective in supporting management’s
monitoring role.

6. Investigation and reports, by:

 Participating in investigations as appropriate, based on the team’s resources, the organisation’s
governance structure, and formal protocols.
 Understanding the culture and legal landscape of the jurisdictions involved
 Being familiar with local protocols for investigating and reporting
 Following the organisation’s protocol regarding any audit evidence that might indicate bribery or
corruption
 Performing and documenting adequate audit actions to support any findings, conclusions, or
recommendations pertaining to bribery or corruption
 Seeking legal advice or recommending management seek legal advice regarding any evidence of
illegal activity uncovered during an audit
 Working with appropriate personnel to determine whether an irregularity or illegal act has occurred
and gauge its effect

7. Enforcement and sanctions, by:

 Working with management to adhere to a defined process for evaluating cases of bribery or
corruption and, if appropriate, implementing sanctions according to a formal policy.

Fraud Risk Assessment

A fraud risk assessment is often a critical component to an organisation’s larger enterprise risk
management programme. The fraud risk assessment is a tool that assists management and internal
auditors to systematically identify where and how fraud may occur and who may be in the position to
commit fraud. A fraud risk assessment concentrates on fraud schemes and scenarios and whether or not
the controls can be circumvented.

The scope of fraud risk assessment may vary widely depending on the organisation’s size, complexity
or industry. A fraud risk assessment generally includes five key steps:

1. Identify Relevant Fraud Risk Factors

This process includes the review of documentation of previous frauds and suspected frauds
committed against or on behalf of the organisation, evaluation of related frauds, and review of the
organisation’s performance measures over the past few years compared with its competitors.

For example, inconsistent patterns between non-financial measures, excessive use of licensed software
and other intellectual property may indicate possible fraud.

2. Identify Potential Fraud Schemes and Prioritise Them Based on Risk

The fraud assessment team identifies fraudulent schemes by brainstorming, conducting management
interviews, using analytical procedures and reviewing prior frauds. During this process, the team has to
always consider the basic characteristics of the Fraud Triangle.

The following factors are to be considered when prioritising fraud risks:

 Monetary impact
 Impact to the organisation’s reputation
 Loss of productivity
 Potential criminal/civil actions including potential regulatory noncompliance
 Integrity and security of data
 Loss of assets
 Location and size of operations/units
 Company culture
 Management/employee turnover
 Liquidity of assets

3. Map Existing Controls to Potential Fraud Schemes and Identify Gaps

The fraud risk assessment team identifies the preventive and detective controls in place to address each fraud
risk and the likelihood of potential fraud. Anti-fraud controls such as whistle-blower protection policy,
Board of Directors oversight, continuous monitoring, code of conduct, and good communications are
important elements.

4. Test Operating Effectiveness of Fraud Prevention and Detection Controls

Internal auditing typically plays an important role in assessing the operating effectiveness of internal
controls. Internal auditors consider not only the existence of the internal control, but also its
effectiveness through periodic testing.

For example, an organisation may implement a security policy requiring passwords to be changed every
30 days; however, the network system may not block the user’s access if the password is not changed
as required. In this case, the internal control is present but is not effective.
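The password scenario above can be re-performed rather than just enquired about. The added example below (written for this module, not taken from it) takes a constructed user listing and checks, for each account whose password is past the 30-day limit, whether the account is still enabled and, worse, has actually signed in after the password expired; the second condition is direct evidence that the control is present but not operating. The user names and dates are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MAX_PASSWORD_AGE_DAYS = 30  # the policy setting the control is meant to enforce


@dataclass
class UserRecord:
    """One row of a user listing exported from the directory (constructed data)."""
    username: str
    password_last_set: date
    enabled: bool
    last_logon: Optional[date]  # None if the account has never signed in


@dataclass
class ControlException:
    username: str
    days_overdue: int
    finding: str  # "ENFORCEMENT_FAILURE" or "OVERDUE_UNCONFIRMED"


def password_expiry_date(user: UserRecord) -> date:
    """Date on which the policy says this password should have stopped working."""
    return user.password_last_set + timedelta(days=MAX_PASSWORD_AGE_DAYS)


def find_control_exceptions(users: List[UserRecord], as_of: date) -> List[ControlException]:
    """Re-perform the control: does the system actually stop overdue accounts?

    ENFORCEMENT_FAILURE: the account signed in after its password expired,
    which shows the control is present but not operating.
    OVERDUE_UNCONFIRMED: overdue and still enabled, but no sign-in has been
    observed after expiry, so enforcement can neither be confirmed nor refuted.
    Disabled accounts are skipped: access is already blocked by other means.
    """
    exceptions: List[ControlException] = []
    for user in users:
        expiry = password_expiry_date(user)
        if as_of <= expiry or not user.enabled:
            continue  # compliant, or already blocked by being disabled
        days_overdue = (as_of - expiry).days
        if user.last_logon is not None and user.last_logon > expiry:
            finding = "ENFORCEMENT_FAILURE"
        else:
            finding = "OVERDUE_UNCONFIRMED"
        exceptions.append(ControlException(user.username, days_overdue, finding))
    return exceptions


def control_is_effective(users: List[UserRecord], as_of: date) -> bool:
    """The control passes the test only if no account used an expired password."""
    return not any(
        e.finding == "ENFORCEMENT_FAILURE" for e in find_control_exceptions(users, as_of)
    )


# Constructed user listing for the walk-through (not real accounts).
SAMPLE_USERS = [
    UserRecord("alice", date(2024, 1, 2), True, date(2024, 1, 20)),    # overdue, no logon after expiry
    UserRecord("bob", date(2023, 12, 1), True, date(2024, 2, 25)),     # logged on with expired password
    UserRecord("carol", date(2024, 2, 15), True, date(2024, 2, 28)),   # within 30 days: compliant
    UserRecord("dave", date(2023, 10, 1), False, date(2023, 10, 15)),  # disabled: access already blocked
    UserRecord("svc_backup", date(2023, 6, 1), True, date(2024, 2, 29)),  # service account, expired
]
TEST_DATE = date(2024, 3, 1)  # the "as of" date of the listing

if __name__ == "__main__":
    for e in find_control_exceptions(SAMPLE_USERS, TEST_DATE):
        print(f"{e.username:<12} {e.days_overdue:>4} days overdue  {e.finding}")
    print("control effective:", control_is_effective(SAMPLE_USERS, TEST_DATE))
```

Only the ENFORCEMENT_FAILURE rows prove the control is ineffective; the OVERDUE_UNCONFIRMED rows are a sample the auditor would follow up, for example by attempting a sign-in on a test account.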

5. Document and Report the Fraud Risk Assessment

Key elements that would likely be documented in fraud risk assessment include:
 The types of fraud that have potential of occurring.
 The inherent risk of fraud considering the availability of liquid and saleable assets, organisational
morale and employee turnover, the history of fraud losses, and other specific business area
indicators.
 The adequacy of existing anti-fraud programmes, monitoring and preventive controls.
 The potential gaps in the organisation’s fraud controls, including segregation of duties.
 The likelihood of significant fraud occurring.
 The business impact/significance of a fraud.

Fraud Prevention and Detection

Fraud can occur at various levels in an organisation. Therefore, it is important to establish appropriate
preventive and detective techniques.

Fraud Prevention
Fraud prevention entails implementation of policies and procedures, employee training and
management communication to educate employees on fraudulent activities. It also involves those
actions taken to discourage the commission of fraud and limit fraud exposure when it occurs. Instilling
a strong ethical culture and setting the correct tone at the top are essential elements in preventing fraud.
A principal mechanism for preventing fraud is effective and efficient internal controls, including
controls related to screening customers, vendors and external business relationship partners.
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) presented a
framework for assessing and improving the internal control systems to fight fraud.

i. Control environment
Elements of a strong control environment to help prevent fraud include the following:
 A code of conduct, ethics policy or fraud policy to set the appropriate tone at the top
 Ethics and whistle-blower programmes to report fraud
 Hiring and promotion guidelines and practices
 Oversight by the Audit Committee, Board of Directors or other oversight body

ii. Risk assessment
Establishing a fraud risk assessment process that considers fraud risk factors and fraud schemes by
involving appropriate personnel in the process. Also, fraud risk assessments should be conducted on a
regular basis.

iii. Control activities

These are policies and procedures for business processes, including appropriate authority limits and
segregation of duties.

iv. Information and communication

Promoting the importance of the fraud risk management programme and the organisation’s position on
fraud risk both internally and externally through corporate communications programs by:
 Designing and delivering fraud awareness training
 Ascertaining affirmation or creating a certification process to ensure that employees have read and
understood corporate policies and that the employees are in compliance with the policies

v. Monitoring
Providing periodic evaluation of anti-fraud controls by:
 Using independent evaluations of the fraud risk management programme by internal auditors or
other groups
 Using technology to aid in continuous monitoring and detection activities

Fraud Deterrence
Training is usually a key factor in deterring fraud. Training can cover the organisation’s expectations
of its employees’ conduct, the procedures and standards necessary to implement internal controls and
employee roles and responsibilities to report misconduct.

Employees need to understand the ethical behaviour expected of them to act accordingly within the
organisation. New employee orientations can present the organisation’s mission, values and code of
conduct as well as explain types of fraud, responsibility to report violations of ethical behaviour and
impropriety and ways to report potential fraud. The training on fraud needs to be tailored to the
organisation and employees’ position within the organisation.

Periodic training throughout employees’ careers reinforces fraud awareness and the cost of fraud to the
organisation. This can be done through surveys that not only confirm attendance, but also offer quick
examination to determine whether employees have gained the necessary knowledge from the training.

Fraud Detection
This entails activities and programmes designed to identify fraud or misconduct that is occurring or has
occurred.

Detective controls are designed to provide warnings or evidence that fraud is occurring or has occurred.
Effective internal controls are one of the strongest deterrents to fraudulent behaviour and actions.
Although detective internal controls may provide evidence that fraud exists, detective internal controls
cannot prevent fraud.

Fraud detection methods need to be flexible, adaptable and continuously changing to meet the changes
in the risk environment. While preventive measures are apparent and readily identifiable, detective
controls may not be as apparent.

An effective way for an organisation to learn about existing fraud is to provide employees, suppliers
and stakeholders with a variety of methods to report their concerns about illegal or unethical behaviour.

Ways to collect the information on fraud include:

i. Code of conduct confirmation

When employees sign an annual code of conduct outlining their responsibilities in the prevention and
detection of fraud, they can be asked to report any known violations.

ii. Whistle-blower hotline

This can take the form of a telephone call or a web-based reporting system where the whistle blower
can remain anonymous.

iii. Exit interviews

Conducting exit interviews for terminated employees or those who have resigned can help identify
fraudulent schemes. These interviews may also determine whether there are issues regarding
management’s integrity, and may provide information regarding conditions conducive to fraud.

iv. Proactive employee survey

Routine employee surveys can be conducted to solicit employees’ knowledge of fraud and unethical
behaviour within the organisation. A proactive survey could elicit anonymous information from
employees, which would aid the organisation in catching fraud sooner than waiting for employees to
volunteer the information.

Other methods of fraud detection include surprise internal or external audits in high fraud risk areas,
continuous monitoring by management on critical data and related trends to identify unusual situations
or variances, routine and/or ad hoc matching of public data and/or proprietary data against relevant
transactions, vendor lists, employee roster and other data.
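The last detection method, matching proprietary data against vendor lists and the employee roster, is the kind of proactive CAAT test described earlier in this chapter. The added example below (written for this module, not taken from it) compares a constructed employee roster with a constructed vendor master on bank account, address and phone number, then totals the invoices paid to each matched vendor so the exceptions can be prioritised by monetary impact, one of the prioritisation factors listed under the fraud risk assessment. All names, addresses, account numbers and amounts are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def norm_text(s: str) -> str:
    """Lower-case, strip punctuation and collapse spaces so formatting differences do not hide a match."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", " ", s.lower())).strip()


def norm_digits(s: str) -> str:
    """Keep digits only, so '+60 12-345 6789' and '60123456789' compare equal."""
    return re.sub(r"\D", "", s)


# Fields compared between the two files, with the normaliser applied to each.
MATCH_KEYS = {"bank_acct": norm_digits, "address": norm_text, "phone": norm_digits}

# Constructed employee roster (payroll export).
EMPLOYEES = [
    {"emp_id": "E100", "name": "Aminah Rashid",
     "address": "12, Jalan Bunga, Taman Melati, 53100 Kuala Lumpur",
     "bank_acct": "1234567890", "phone": "+60 12-345 6789"},
    {"emp_id": "E101", "name": "Rajan Pillai",
     "address": "7 Lorong Damai 3, 40150 Shah Alam",
     "bank_acct": "2223334445", "phone": "+60 13-222 3344"},
    {"emp_id": "E102", "name": "Tan Mei Ling",
     "address": "5 Jalan Hijau, 11900 Bayan Lepas",
     "bank_acct": "9988776655", "phone": "+60 16-999 8877"},
]

# Constructed vendor master. V001 shares an address with E100; V002 shares
# a bank account and phone number with E101; V003 is a clean vendor.
VENDORS = [
    {"vendor_id": "V001", "name": "Bunga Office Supplies Sdn Bhd",
     "address": "12 JALAN BUNGA TAMAN MELATI 53100 KUALA LUMPUR",
     "bank_acct": "55-6677-8899", "phone": "+60 3-2222 1111"},
    {"vendor_id": "V002", "name": "Damai Cleaning Services",
     "address": "Unit 4, Plaza Perdana, 50450 Kuala Lumpur",
     "bank_acct": "2223334445", "phone": "60132223344"},
    {"vendor_id": "V003", "name": "Northern Hardware",
     "address": "88 Jalan Besar, 10000 Penang",
     "bank_acct": "1111222233", "phone": "+60 4-555 6666"},
]

# Constructed payments ledger for the period under review.
INVOICES = [
    {"vendor_id": "V001", "invoice": "INV-1001", "amount": 4800.00},
    {"vendor_id": "V001", "invoice": "INV-1042", "amount": 12500.00},
    {"vendor_id": "V002", "invoice": "CL-77", "amount": 900.00},
    {"vendor_id": "V003", "invoice": "NH-2024-3", "amount": 30000.00},
]


def build_employee_index(employees: List[Dict]) -> Dict[str, Dict[str, List[str]]]:
    """Index employees by each normalised match key so lookups are O(1) per vendor."""
    index: Dict[str, Dict[str, List[str]]] = {k: {} for k in MATCH_KEYS}
    for emp in employees:
        for field, normalise in MATCH_KEYS.items():
            value = normalise(emp[field])
            if value:  # skip blank fields rather than matching blanks to blanks
                index[field].setdefault(value, []).append(emp["emp_id"])
    return index


def match_vendors_to_employees(employees: List[Dict], vendors: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (vendor_id, emp_id, field) for every attribute a vendor shares with an employee."""
    index = build_employee_index(employees)
    hits = []
    for vendor in vendors:
        for field, normalise in MATCH_KEYS.items():
            for emp_id in index[field].get(normalise(vendor[field]), []):
                hits.append((vendor["vendor_id"], emp_id, field))
    return hits


def prioritised_exceptions(employees: List[Dict], vendors: List[Dict], invoices: List[Dict]) -> List[Dict]:
    """Group the hits by vendor, attach the amount paid and sort by monetary impact."""
    paid: Dict[str, float] = defaultdict(float)
    for inv in invoices:
        paid[inv["vendor_id"]] += inv["amount"]
    grouped: Dict[str, Dict[str, set]] = defaultdict(lambda: {"employees": set(), "fields": set()})
    for vendor_id, emp_id, field in match_vendors_to_employees(employees, vendors):
        grouped[vendor_id]["employees"].add(emp_id)
        grouped[vendor_id]["fields"].add(field)
    rows = [
        {"vendor_id": vid, "employees": sorted(g["employees"]),
         "matched_on": sorted(g["fields"]), "amount_paid": paid.get(vid, 0.0)}
        for vid, g in grouped.items()
    ]
    return sorted(rows, key=lambda r: r["amount_paid"], reverse=True)


if __name__ == "__main__":
    for row in prioritised_exceptions(EMPLOYEES, VENDORS, INVOICES):
        print(f"{row['vendor_id']}  paid {row['amount_paid']:>10,.2f}  "
              f"matches {row['employees']} on {row['matched_on']}")
```

A match is an exception to investigate, not proof of fraud: a genuine home-based supplier or a declared related party will match too, so each row should be cleared against the conflict-of-interest declarations before it is escalated.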

Forensic Audit

In general, forensic audit is defined as the application of accounting methods to the tracking and
collection of forensic evidence, usually for an investigation and a prosecution of criminal acts such as
embezzlement or fraud. It is also called forensic accounting.

The concept of forensic auditing may be defined as ‘a concentrated audit of all the transactions of the
entity to find the correctness of such transactions and to report whether or not any financial benefit has
been attained by way of presenting an unreal picture’. Forensic auditing aims to legally determine
whether fraud did occur. In the process, it also aims at naming the person(s) involved (with the
intention to take legal action). Figure 9.3 outlines the difference between financial audit and forensic
audit.

A forensic audit involves examination of legalities by blending the techniques of propriety (value-for-money),
regularity, investigative and financial audits. The objective is to find out whether or not true business
value has been reflected in the financial statements and, in the course of the examination, to ascertain
whether any fraud has taken place.

Skills for Forensic Auditor


In addition to strong accounting skills and good legal knowledge, a forensic auditor must have:
 knowledge of the entity's business and legal environment;
 awareness of computer-assisted audit techniques (CAATs); and
 an innovative approach and scepticism towards routine audit practices.

Application
Forensic accounting and auditing may be applied in the following areas besides fraud detection:
 Conducting due-diligence (especially for segment-wise profitability analysis)
 Business valuation
 Management auditing
 Assessing loss before settling insurance claims.

Objective
  Financial audit: express an opinion as to 'true and fair' presentation.
  Forensic audit: determine the correctness of the accounts or whether any fraud has actually taken place.

Techniques
  Financial audit: 'substantive' and 'compliance' procedures.
  Forensic audit: analysis of past trends and substantive or 'in-depth' checking of selected transactions.

Period
  Financial audit: normally all transactions for a particular accounting period.
  Forensic audit: no such limitation; accounts may be examined in detail from the beginning.

Verification of stock, estimation of the realisable value of current assets, provisions/liability estimation, and so on
  Financial audit: relies on the management certificate/representation.
  Forensic audit: independent verification of suspected/selected items is carried out.

Off-balance-sheet items (such as contracts)
  Financial audit: used to vouch the arithmetic accuracy and compliance with procedures.
  Forensic audit: the regularity and propriety of these transactions/contracts are examined.

Adverse findings, if any
  Financial audit: an adverse or qualified opinion is expressed, with or without quantification.
  Forensic audit: legal determination of fraud and naming of the persons behind such frauds.

Figure 9.3 Differences between Financial Audit and Forensic Audit

Examination Methods
Tests of reasonableness
 Check for weaknesses in internal controls
 Identify questionable transactions: those showing wide fluctuations from normal transactions and, in
general, unrelated to the entity's main objectives
 Review the documents of questionable transactions for peculiarities, such as improper account
classifications, pricing, invoicing or claims

Historical comparisons
 Develop a profile of the entity under investigation, its personnel and beneficiaries, using available
information
 Identify questionable accounts, account balances, and relationships between accounts, to find out
variances from current expectations and past relationships
 Gather and preserve evidence corroborating asset losses, fraudulent transactions and financial
misstatements
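The two examination methods above can be applied to ledger data directly. The following Python example is added here for illustration and is not taken from this module or its sources: on constructed monthly general-ledger totals (RM'000) it runs a test of reasonableness that flags an account whose current-period amount lies far outside its own history, and a historical comparison that flags a drift in the relationship between two related accounts (freight cost against sales). The median/MAD statistic, the 3.5 threshold and the 25% drift tolerance are the example's own choices, picked because a single large fraudulent posting cannot distort a median the way it distorts an average.

```python
"""Forensic examination methods on ledger data: a reasonableness test that
flags period amounts far outside their own history (robust z-score built on
the median and the median absolute deviation), and a historical comparison
that tests whether the relationship between two related accounts has drifted
from its past pattern. All figures are constructed monthly totals in RM'000;
the last entry of each series is the period under review. Thresholds are
this example's own assumptions, not values from the module."""

import math
from statistics import median

# Constructed general-ledger series: five prior months, then the current month.
EXPENSE_ACCOUNTS = {
    "Repairs and maintenance": [12.0, 11.5, 12.4, 11.8, 12.1, 12.3],
    "Consulting fees":         [8.0, 8.4, 7.9, 8.2, 8.1, 24.5],
    "Rent":                    [20.0, 20.0, 20.0, 20.0, 20.0, 20.0],
    "Licence fees":            [3.0, 3.0, 3.0, 3.0, 3.0, 6.0],
}
SALES   = [100.0, 105.0, 98.0, 110.0, 102.0, 108.0]
FREIGHT = [5.0, 5.2, 4.9, 5.6, 5.1, 9.8]


def robust_zscore(history, current):
    """Distance of `current` from its history in MAD units (0.6745 rescales MAD to sigma)."""
    centre = median(history)
    mad = median(abs(x - centre) for x in history)
    if mad == 0:  # perfectly stable history: any change at all is unusual
        return 0.0 if current == centre else math.inf
    return 0.6745 * (current - centre) / mad


def flag_fluctuations(series_by_account, threshold=3.5):
    """Reasonableness test: accounts whose current amount deviates by more than `threshold` MADs."""
    flags = []
    for account, values in series_by_account.items():
        *history, current = values
        z = robust_zscore(history, current)
        if abs(z) > threshold:
            flags.append((account, current, round(z, 2)))
    return flags


def flag_ratio_drift(numerator, denominator, tolerance=0.25):
    """Historical comparison: has the numerator/denominator relationship moved by more than `tolerance`?

    Returns (flagged, expected_ratio, current_ratio, relative_drift)."""
    ratios = [n / d for n, d in zip(numerator, denominator)]
    *history, current = ratios
    expected = median(history)
    drift = (current - expected) / expected
    return abs(drift) > tolerance, round(expected, 4), round(current, 4), round(drift, 3)


if __name__ == "__main__":
    for account, amount, z in flag_fluctuations(EXPENSE_ACCOUNTS):
        print(f"questionable: {account} = {amount} (robust z = {z})")
    flagged, expected, current, drift = flag_ratio_drift(FREIGHT, SALES)
    print(f"freight/sales: expected {expected}, current {current}, drift {drift:+.1%}, flagged={flagged}")
```

Each flag points the examiner at the transactions behind the amount (here, the consulting-fee and licence-fee postings for the current month, and the freight invoices), which are then reviewed for the peculiarities listed above. Accounts whose history is completely flat are treated as a special case: a change from a constant value is itself the anomaly, so it is reported rather than divided by a zero spread.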

The internal auditor's mindset towards fraud differs from that in other 'common' audits: it should be
investigative and anomaly-oriented, whereas auditors are generally trained to address the majority of risks
rather than the exceptions.
 Fraud risk impact and residual risk are difficult to measure.
 Fraudsters may not be who you think they are.
 The most common fraudster profile may contradict your intuition: a well-educated, middle-aged
male with no criminal history.
 By one common rule of thumb, 10% of people will always commit fraud, 10% will never commit fraud,
and the remaining 80% could go either way depending on opportunity and circumstances.
 Technical expertise is needed in assessing fraud risk, investigation techniques, gathering and
maintaining evidence, and so on.
 Consult internal or external experts if a task exceeds the available skills or resources.
 Internal audit supports management by determining whether the organisation has adequate internal
controls and promotes an adequate control environment.
 Since internal audit is centralised, independent and objective, it is in a prime position to address
fraud risk management programmes and to effect change.
 Different organisational structures and internal audit charters affect internal audit's role and its
ability to achieve its purpose.

Fraud Investigation

A fraud investigation consists of gathering sufficient information about specific details and performing
those procedures necessary to determine whether fraud has occurred, the loss or exposure associated
with the fraud, who was involved, and how it happened. An important outcome of an investigation is
that the innocent are cleared of suspicion. Investigations attempt to discover the full nature and
extent of the fraudulent activity. Investigation work includes preparing, documenting and preserving
evidence sufficient for potential legal proceedings. Internal auditors, lawyers, investigators, security
personnel and others from inside and outside the organisation usually conduct or participate in fraud
investigations.

Investigation Processes
Management is responsible for the investigation process, which includes:
 developing policies and procedures, which need to consider the rights of individuals, the qualifications
of those who conduct the investigations, and relevant laws;
 preserving evidence;
 handling the results of investigations;
 reporting; and
 communication.

Internal Auditor’s Role


 Help management identify critical indicators of fraud schemes.
 Evaluate gaps in internal controls during the progression of fraud reviews/investigations.
 Conduct ad hoc forensic accounting investigations.
 Support the chief audit executive in ensuring appropriate communication of fraud issues addressed
by internal auditors to the Board of Directors, the Audit Committee and others.

Conducting the Investigation


A plan is developed for each investigation. The plan includes:
 Gathering evidence through surveillance, interviews or written statements.
 Documenting and preserving evidence.
 Determining the extent of the fraud.
 Determining the method used to perpetrate fraud.
 Evaluating the cause of the fraud.
 Identifying the perpetrators.

The common investigation procedures include:


a) Obtaining evidence
Collecting and preserving the evidence is a critical stage in investigating the fraud. Examples of evidence
are letters, memos, computer files, security logs and logbooks, camera footage, internal phone records and
news articles.
b) Interviewing
Investigators need to be knowledgeable and cognizant. The investigator has the responsibility to ensure
that the investigation process is handled in a consistent and prudent manner.

Reporting
Reporting on fraud investigations consists of oral, written, interim or final communications to senior
management and/or the Board of Directors regarding the status and results of fraud investigations.
Additional considerations concerning fraud reporting are:

 Submitting a draft of the proposed final communication on the fraud to legal counsel for review.
 Notifying senior management and the Board of Directors on a timely basis when fraud is discovered.
 The results of an investigation may indicate that fraud went undiscovered in earlier periods; senior
management and the Board of Directors need to be informed of such a discovery.

Communication of Fraud Incidents


There are two types of communication:
a) Internal communication
Strategic tools used by management to reinforce its position on integrity, to publicise the action taken
against a fraudster when there has been a violation of policy, and to demonstrate the importance of internal
control. Such communications may take the form of a newsletter, a memo or a fraud training programme.

b) External communication
Management determines whether or not to inform the public after consulting legal counsel, human
resources personnel and the CAE. Notification to the relevant enforcement agencies is also needed.

Summary
Fraud can occur at various levels in an organisation. This chapter described the three elements of the
Fraud Triangle: pressure, opportunity and rationalisation. It then explained the fraud risk assessment
framework as a tool to help internal auditors systematically identify the circumstances in which fraud
can occur, and concluded with an elaboration of forensic auditing and fraud investigation.

Self-Review Questions

1. Define fraud.
2. What are the three elements that must be present for a person to commit fraud?
3. Identify the element of Fraud Triangle theory for each of the following situations:
a) A person who is having financial constraints stole the company’s money.
b) A person labels the theft as ‘borrowing’; and fully intends to pay back the stolen money at some
point.
c) A cashier stole money from the cash register because she knew that there was no CCTV
installed in the shop.
4. Identify five key steps in a fraud risk assessment.
5. Identify whether each of the following measures is meant for fraud prevention or fraud detection
(tick one column for each: Fraud Prevention / Fraud Detection).

   1. Setting a strong control environment, such as a code of conduct
   2. Segregation of duties in business processes
   3. Whistle-blower hotline
   4. Exit interviews
   5. Fraud awareness training

6. Identify whether the following statements are true or false.


a. A statutory audit determines the correctness of the accounts or whether any fraud has actually taken
place, while a forensic audit expresses an opinion on the 'true and fair' presentation of the accounts.
b. A forensic audit involves analysis of past trends and substantive or 'in-depth' checking of selected
transactions, while a statutory audit involves 'substantive' and 'compliance' procedures.
c. A statutory audit relies on independent verification of selected items, while a forensic audit relies on
management representation.

References
ACFE (2012). Report to the Nations on Occupational Fraud and Abuse. Association of Certified Fraud Examiners. http://www.acfe.com/rttn.aspx
PwC (2011). Global Economic Crime Survey. http://www.pwc.com/gx/en/economic-crime-survey/index.jhtml
Internet Crime Complaint Center (IC3) (2011). 2011 Internet Crime Report. http://www.ic3.gov/media/2012/120511.aspx
PwC (2004). The Emerging Role of Internal Audit in Mitigating Fraud and Reputation Risks.
Inscap Associates. Mitigating Business Risk: Example of an Anti-Fraud Framework, based on Australian Standard AS 8001-2003, Fraud and Corruption Control.
Grant Thornton. Managing Fraud Risk: The Audit Committee Perspective.
Forensic Strategic. http://www.forensicstrategic.com/
Forensic CPAs. http://www.forensic-cpas.net/index.html
Financial Forensic & Valuation Group. http://www.ffvgroup.com/index.html
IIA (2014). IPPF Practice Guide: Internal Auditing and Fraud. The Institute of Internal Auditors.
IIA, AICPA and ACFE. Managing the Business Risk of Fraud: A Practical Guide.
Farrell, B. R. and Franco, J. R. (1999). The Role of the Auditor in the Prevention and Detection of Business Fraud: SAS No. 82. Western Criminology Review 2(1). [Online].
Association of Certified Fraud Examiners (1999). Report to the Nation on Occupational Fraud and Abuse.

Mind Map
10 Whistleblowing
Learning Objectives
After going through this chapter, you should be able to:
 Define whistleblowing
 Understand the role of an internal audit as a whistleblower
 Explain the provisions of the Malaysian Whistleblower Protection Act 2010
 Describe the code of conduct in relation to whistleblowing

Introduction

Corporate fraud is a persistent issue and a concern to all organisations. The Association of Certified Fraud
Examiners (ACFE) Global Fraud Study reported that a typical organisation loses 5% of its annual revenue
to fraud. Most organisations have therefore put in place various fraud prevention and detection mechanisms,
such as anti-fraud education, a 'right tone at the top' with 'zero tolerance' for fraud, and an internal
whistleblowing policy. Corporate whistleblowing in particular has proved to be an effective internal
corporate monitoring mechanism, as the WorldCom and Enron cases showed, and interest in it has grown
since.

In Malaysia, the Whistleblower Protection Act 2010 came into force on 15 December 2010. The Act aims
to protect whistleblowers who disclose information about serious misconduct in the public and private
sectors to the relevant enforcement agencies. Despite such legislation, employees are still rather reluctant
to expose incidents of improper conduct. In the UK, the Public Interest Disclosure Act 1998 provides a
framework of legal protection for whistleblowers against victimisation and dismissal. Likewise, in the
United States, a further response to the corporate scandals was the Sarbanes-Oxley Act (2002), which
requires the audit committee of every listed company to establish procedures for receiving, retaining and
treating complaints regarding accounting, internal accounting controls or auditing matters, including the
confidential, anonymous submission of concerns by employees.

Definition of Whistleblowing
The term 'whistleblower' comes from the whistle a referee blows to signal foul play, or a policeman blows
to stop an illegal activity. The first law to protect whistleblowers was the United States False Claims Act
of 1863, enacted during President Abraham Lincoln's administration with the main objective of catching
dishonest suppliers who sold sick horses and faulty rifles and ammunition to the army during the
American Civil War.

The Whistleblower Protection Act (2010) of Malaysia defines a ‘whistleblower’ as any person who
makes a disclosure of an improper conduct to an enforcement agency. It further defines ‘improper
conduct’ as any conduct, which constitutes a disciplinary or criminal offence.

The Institute of Internal Auditors (UK) defines whistleblowing as 'the unauthorised disclosure by internal
auditors, in good faith, of serious information relating to questionable practices, whose disclosure is
perceived to be in the public interest. The information may comprise audit results, findings, opinions or
information acquired in the course of performing their duties'. More simply, whistleblowing is the
voluntary act of reporting misconduct within an organisation to internal parties or to external parties
(such as the media or law enforcement agencies). It is a moral act of an individual, done out of a sense
of duty to do the right thing and to halt illegal, harmful or improper behaviour in an organisation.
Organisations should therefore have appropriate whistleblowing reporting procedures in place before
issues of concern grow into serious problems that could result in reputational damage.

Forms of Whistleblowing
There are two forms of whistleblowing:
 Internal whistleblowing, which is a reporting process for employees on any suspected incidents
of wrongdoing within the organisation. For example, the setting up of an internal independent
whistleblowing hotline to a non-executive director such as the chair of the Audit Committee or
chair of the Board of Directors.
 External whistleblowing, which is a reporting process in circumstances when internal reporting of
suspected wrongdoing fails. The whistleblower would then report to an external body such as
regulators and/or the media as a last resort.

Besides the two forms of whistleblowing, Michael Woodford, the former Olympus President and CEO
who turned into a whistleblower, on a GBP1.1 billion fraud at the Japanese electronics company,
recommended an independent whistleblowing line separated from the executive management (CIA,
2014).

Internal Auditor as a Whistleblower

The responsibility for preventing and detecting fraud, by setting up a sound system of internal control,
rests with the Board of Directors, supported by the internal auditor. Provision C.3.5 of the UK Corporate
Governance Code (2016), which applies to companies with a premium listing on the London Stock Exchange,
states that 'the audit committee should review arrangements by which staff of the company may, in
confidence, raise concerns about possible improprieties in matters of financial reporting or other matters.
The audit committee's objective should be to ensure that arrangements are in place for the proportionate
and independent investigation of such matters and for appropriate follow-up action'.

Very often, internal auditors in their course of work have access to critical sensitive information, which
may adversely impact the organisation. In such a circumstance, the chief audit executive (CAE) is
required to report the information to the Audit Committee and if his/her concerns are not taken up, the
CAE should consider communicating to external parties outside the organisation.

The decision of the internal auditor to communicate outside the normal chain of command needs to be
based on a well-informed opinion that the wrongdoing is supported by substantial, credible evidence
and that a legal or regulatory imperative, or a professional or ethical obligation, requires further action.
Internal audit thus acts as the means to investigate and deal with complaints, especially those related to
fraud or corruption, and plays a vital role in supporting the Board of Directors or Audit Committee in
their oversight role. However, the actions of whistleblowers provoke many reactions, which are often
unfavourable to them.

The Institute of Internal Auditors (UK) in its Whistleblowing Policy Position Paper states the role of
the Board of Directors in ensuring that the internal audit’s involvement in whistleblowing would not
compromise its prime assurance functions and that the internal audit is adequately resourced with the
necessary skills and resources. The paper further states that where the internal audit plays an indirect
role, it should provide assurance on the effectiveness of the whistleblowing procedures to the Board of
Directors and reserve the right to receive all whistleblowing reports. These reports would enable the
internal auditor to carry out investigations on the incidents raised and would provide assurance on the
internal controls in the organisation.

Advantages and Disadvantages of Whistleblowing
Benefits of Whistleblowing

 Whistleblowing can end long-standing wrongdoing in a company and prevent further damage to the
organisation.
The whistleblowing by Sherron Watkins protected Enron's stakeholders from further harm: in 2001 she
uncovered accounting irregularities in Enron's financial reports, and in 2002 she testified before
Congressional committees.
Likewise, Cynthia Cooper, vice-president of internal audit at WorldCom, unearthed a US$3.8 billion fraud
at what was then America's second-largest long-distance telephone company, the largest accounting
fraud in US history at the time.

Sherron Watkins and Cynthia Cooper were among Time magazine's Persons of the Year for 2002 for
exposing corporate financial scandals.

 Sharpened the rules on financial reporting by public companies.

The Sarbanes-Oxley Act (2002) requires chief executive officers and chief financial officers to certify
that the financial statements are accurate; a knowingly false certification can carry a prison sentence of up
to 20 years.

Disadvantages of Whistleblowing

 Loss of jobs
As the Enron case showed, the steep financial losses and job losses were not limited to Enron's own
employees. Many employees of Arthur Andersen's US operations who had nothing to do with the Enron
audit were at risk of losing their jobs, and Andersen's partners lost their audit clients.

 Retaliation from the management


A whistleblower is often stigmatised as “disloyal” and blamed for any wrongdoing.

Whistleblower Protection Act 2010

The Whistleblower Protection Act 2010 (the Act) came into force in Malaysia on 15 December 2010 to
facilitate reporting mechanisms for whistleblowing and to protect whistleblowers against retaliation.
The Act covers only disclosures of improper conduct made to a designated enforcement agency, which
includes:
 Any ministry, department, agency or other body set up by the Federal Government of Malaysia,
State Governments or local governments
 Royal Malaysian Police Force
 The Malaysian Securities Commission
 The Companies Commission of Malaysia

Section 3 of Part 2 of the Act provides the following general power to the designated enforcement
agencies:
 To receive disclosures of improper conduct
 To enforce the whistleblower protection
 To deal with the disclosure of improper conduct
 To receive and deal with complaints of detrimental action
 To implement the provisions of the Act

The protection given to whistleblowers, and to any person related to or associated with the whistleblowing,
under Section 7 of Part III of the Act comes in three forms:
 Protection of confidential information: the identity of the whistleblower (occupation, residence, work
address, etc.) and the identity of the person against whom the disclosure is made are kept
confidential.
 Immunity from civil and criminal action.
 Protection against detrimental action.

Code of Conduct in Relation to Whistleblowing


A code of conduct is a set of principles and rules to govern behaviour of employees in an organisation.
The code serves to ‘reflect the covenant that an organisation has made to uphold its most important
values, dealing with such matters as its commitment to employees, its standards for doing business
and its relationship with the community’. It involves the development of a corporate ethical culture with
core principles of honesty, ethical conduct and integrity.

IIA Standard 2110.A1 requires that 'the internal audit activity must evaluate the design, implementation
and effectiveness of the organisation's ethics-related objectives, programs and activities'. Internal auditors
are therefore involved in assessing the effectiveness of the code in minimising the risk of improper
conduct, which includes reporting non-compliance to the Audit Committee.

The Sarbanes-Oxley Act of 2002 is an example of legislation enacted in response to the Enron and
WorldCom scandals; among other things, it was designed to protect whistleblowers and to mandate the
establishment of a stringent corporate code of conduct. Under Section 806 of the Act, employees of
publicly listed companies who provide evidence of fraud are protected against retaliation and
discrimination. An employee who believes he or she has been discriminated against for reporting
violations can seek relief by filing a complaint with the Secretary of Labor, and may be entitled to
compensatory damages if the complaint is upheld.

Generally, the code of conduct and whistleblower policy should include the following:

a) Introduction of the policy


Directors, officers and employees of an organisation are required to observe the highest standards
of business and personal ethics in conducting their duties and responsibilities. They are also responsible
to report any violations or suspected violations of the code and shall be protected from any harassment,
retaliation or adverse employment consequences.

b) Issues that the code will address:


 Conflicts of interest
 Confidentiality
 Full, fair, accurate and timely disclosures of relevant facts in all reports
 Compliance with all applicable governmental laws, rules and regulations
 Prompt internal reporting of any illegal or unethical behaviour
 Personal accountability in adhering to the code

c) Reporting of violations
In most cases employees are encouraged to report to their supervisor or anyone in management or the
Compliance Officer directly. Supervisors and managers shall report suspected violations to the
Compliance Officer.

d) Appointment of a Compliance Officer


A Compliance Officer is responsible for investigating and resolving all reported complaints concerning
suspected violations of the code. The Officer shall then report the matter to the Audit Committee.

The Officer is also responsible to acknowledge the receipt of the reported or suspected violation within
a specific number of working days. All reports shall be promptly investigated and appropriate corrective
actions shall be taken.

e) Acting in good faith


Complaints about suspected violations of the code must be made in good faith, with a reasonable belief
that the information disclosed is true and correct. Allegations that prove to be unsubstantiated and that
were made maliciously or with knowledge of their falsity will be treated as a serious disciplinary offence.

f) Confidentiality of reports
An assurance that all reports of violations or suspected violations shall be kept in confidence.

g) Protection afforded to whistleblowers


Lastly, an assurance that any employee who report in good faith shall be afforded protection from
harassment, retaliation or adverse employment consequences.

Summary
This chapter explains the need for the Board of Directors to be made aware that effective whistleblowing
arrangements are important for a healthy corporate culture. Employees should be encouraged to speak
out without fear, and that the issues be handled in confidence and without prejudice to the interests of
the individual.

The Institute of Internal Auditors (UK) had in 2002 published a report and policy position paper on
whistleblowing procedures for internal auditors. The paper clearly states on the role of internal auditors
to assist the Board of Directors and Audit Committee in ensuring an effective system to detect and
prevent corrupt practices in an organisation. The report further provides guidance to an internal auditor
who acts as a whistleblower.

In Malaysia, the Whistleblower Protection Act 2010 was passed to support whistleblowing and to
promote good governance under the Government Transformation Programme. The Act gives whistleblowers
immunity from civil and criminal action, protects them against detrimental action, and assures the
confidentiality of the information disclosed.

The chapter concludes with a general outline of the code of conduct in reporting of violations or
suspected violations by directors, officers or employees, in accordance with the whistleblowing policy.

Self-Review Questions
1. Define whistleblowing and identify significant whistleblowers of corporate financial scandals.
2. Explain the role of an internal auditor as a whistleblower.
3. Explain the benefits and disadvantages of whistleblowing.
4. Explain the provisions of the Malaysian Whistleblower Protection Act 2010 to protect
whistleblowers against retaliations.
5. Describe the code of conduct in relation to whistleblowing.

References
CPA Journal (2013). Enhanced Protections for Whistleblowers under the Dodd-Frank Act. January 2013.
ECI, Ethics & Compliance Initiative. Why Have a Code of Conduct.
Fastenberg, D. (2011). 10 Whistleblowers Heard Around the World.
Lacayo, R. and Ripley, A. (2002). Persons of the Year 2002: The Whistleblowers. Time Magazine.
HKICS (2010). Guidance Note: A Practical Guide to Good Governance. The Hong Kong Institute of
Chartered Secretaries.
IIA (2013). International Professional Practices Framework (IPPF). The Institute of Internal Auditors
Research Foundation.
IIA (UK) (2014). Whistleblowing and Corporate Governance: The Role of Internal Audit in
Whistleblowing. The Chartered Institute of Internal Auditors (UK).
IIA (US) (2010). Do the Right Thing. Viewed 20 February 2014.
<http://www.theiia.org/intAuditor/feature-articles/2010/february/do-the-right-thing>
Malaysian Law (2010). Whistleblower Protection Act 2010. Percetakan Nasional Malaysia Bhd.
Woodford, M. (2014). Whistleblower. Viewed 29 May 2015.
<http://www.theiia.org/intAuditor/feature-articles/2014/february/whistleblower/>
National Council of Nonprofit Associations. Sample Whistleblower Policy. www.ncna.org
Prickett, R. (2014). Billion Dollar Questions. Audit & Risk Magazine, IIA (UK), Jan/Feb 2014.

Mind Map

11 Environmental Auditing
Learning Objectives
After going through this chapter, you should be able to:
• Discuss the purpose of environmental auditing
• Define environmental audit
• Suggest the objectives of environmental audit
• Discuss the advantages of performing environmental audit
• Illustrate environmental audit report
• Give examples of environmental audit in a manufacturing company
• Describe an Environmental Management System (EMS)
• Illustrate four pillars of EMS adoption
• Discuss commitment needed for a successful EMS adoption

Introduction
In line with the definition of internal auditing as an activity that adds value and improves an
organisation's operations, the internal audit profession needs to play a prominent role in responding to all
significant issues that have implications for the company's activities as a whole (Mary, L. et al., 2009).
A more holistic understanding of a company's operations is strongly recommended, as it will guide the
internal audit activity in addressing the critical issues faced by management. Meanwhile, the paradigm
shift for corporate entities places greater emphasis on achieving sustainability. In pursuing sustainability,
the decision-making process is one of the most important elements in an organisation, and it needs to be
more rigorous in weighing various aspects, including the impact of the organisation's operations on the
economy, society and the environment.

In recent years the world has been shocked by several environmental disasters caused by a series of
corporate blunders. The industrial world in particular has been criticised for its devastating impact on
the environment. In Malaysia, the illegal dumping of chemical waste along a 1.5 km stretch of the
Kim Kim River in Johor Bahru not only cost the Malaysian government approximately RM10 million in
clean-up operations; it was also reported that more than 3,000 people were treated for exposure to
hazardous fumes and that 111 schools in the affected area were forced to close temporarily.

There is therefore an undeniable demand for all parties, firms and companies in particular, to be more
environmentally responsible, as the negative impact of their operations on the environment can be
life-threatening. In other words, management's ability to address environmental concerns is attracting
greater attention from most stakeholders, including regulators, investors, employees, fund providers and
the community at large. In response, managements face growing pressure from stakeholders to manage
properly the environmental issues faced by their own entity.

Definition of Environmental Auditing


The role of environmental auditing has grown in importance over the last two decades. Many senior
officials in various industries are beginning to recognise the contribution of environmental audit to
managing the environmental risks of their entities. The Institute of Internal Auditors (IIA) Research
Foundation defines an environmental audit as 'an integral part of an environmental management system
whereby management determines whether the organisation's environmental control systems are
adequate to ensure compliance with regulatory requirements and internal policies'. It involves a
systematic, documented and objective evaluation of relevant audit evidence to determine whether the
organisation's activities conform to the audit criteria and comply with other relevant environmental
regulatory requirements.

An environmental audit may have broad coverage on organisational activities and areas, including
operational procedures, feasibility studies, business activities, buildings, industrial and commercial
developments and industrial hazards. There are also various types of environmental audits, all of which
have the main objective to determine whether the entity’s environmental management system conforms
to planned arrangements for environmental management, including the requirements of relevant
regulations and any applicable international standards.

Objectives of Environmental Auditing


The objective of environmental auditing activities may differ between organisations. The level of
comprehensiveness of an audit is based on goals and objectives established by management of the
organisation. At large, the decision on the environmental audit objective is determined after considering
the interest of all stakeholders such as the government, customers, suppliers, employees and the
community at large. Some of the objectives that could be included in environmental audit programs are:
1. evaluation of the environmental management systems;
2. compliance with the company’s environmental policies and procedures as well as relevant
environmental laws and reporting requirements;
3. procedures for handling and storage of raw materials;
4. manufacturing processes used in production plants;
5. facilities and programs established for the treatment, storage, or disposal of liquid effluents, solid
waste materials and/or hazardous wastes;
6. procedures for minimising noise pollution as well as air-based emissions in the surrounding area;
7. environmental risks and liabilities of property acquisitions and divestitures;
8. pollution prevention and waste minimisation programs; and
9. types of building materials and maintenance procedures used at the sites.

It is important to note that the objectives of a comprehensive environmental audit program should not be
limited to areas under compulsory regulatory compliance. In some companies, management may
establish several environmental protective measures that go beyond the regulatory requirements. For
example, instead of merely complying with the regulated waste disposal and clean-up procedures, an
organisation may proactively introduce a continual waste minimisation program as part of its
environmentally friendly management effort. See Figure 11.1: EMS Internal Audit Objective in
Sumirubber Malaysia Sdn Bhd for illustration.

[Figure 11.1 shows four EMS internal audit objectives: evaluating the effectiveness of the environmental
management system; analysing the reliability of environmental reporting and procedures; compliance with
laws and regulations; and safeguarding of environmental assets.]

Figure 11.1 EMS Internal Audit Objective in Sumirubber Malaysia Sdn Bhd

Advantages of Environmental Audit


An environmental audit examines the impact of an organisation’s activities on the environment. As one
of the crucial pillars of an environmental management system, an environmental audit brings several
advantages to an organisation, including:

1. Avoid negative publicity and be assured of a worthy reputation as one of the good corporate players
to stakeholders such as bankers, potential investors, customers, suppliers and shareholders.
2. Improve eco-efficiencies by adopting cleaner and environmentally friendly activities.
3. Increase employee awareness of the company’s environmental responsibility.
4. Enable effective management of environmental risk and compliance with relevant environmental
legislation.
5. Lower the risk of regulatory penalties arising from potential environmental breaches, since the
likelihood of regulatory action is effectively reduced.
6. Serve as an ongoing monitoring mechanism to maintain compliance as well as identify
opportunities for continued improvement.
7. Safeguard against environmental disasters or emergencies. The entity would also be better
prepared to respond to any environmental crisis owing to the existence of audit documentation.
8. Enhance corporate attractiveness, which may bring long-term financial benefits in terms of customer
loyalty or securing profit opportunities, especially in countries with stringent environmental regulations
where environmental considerations are heavily emphasised.

Examples of Environmental Audit in a Manufacturing Company

Operation Site Compliance Audits


This type of audit examines specific operation sites of a company to evaluate its ongoing
environmental practices. The assessment is done based on the applicable government regulations
as well as the environmental policies established by the company. Among the components of this audit
are assessing processes related to the treatment, storage, and disposal of hazardous and non-hazardous
materials used in the manufacturing process.

Pollution Prevention Audit


The auditor will attempt to discover possibilities to alter existing manufacturing processes that would
result in the reduction and/or elimination of waste or pollution by-products. The audit may
include examining the effectiveness of previous pollution prevention efforts practised by
management, to seek opportunities for continuous improvement in minimising the emission of harmful
substances to the environment.

Transactional Environmental Audit on Asset Transfer


The assigned auditor is tasked with measuring any potential environmental risk associated
with an asset transfer. This type of audit is very important to avoid the possibility of acquiring an
environmental liability as a result of an asset acquisition. Opinions and/or recommendations arising
from this audit are regarded as critical insights for the top officials of a company before
deciding on any property transfer or acquisition.

Product Audits
It is important for a company to make sure all its products comply with relevant governmental
requirements particularly related to the component of raw material substances, chemical usage and
recycling regulations. Apart from ensuring regulatory compliance, product audits may also help
the company to boost consumers’ confidence about product safety and other environmental related
issues.

Environmental Liability Accrual Audits


The purpose of this audit is to identify and report the existence of any liability accruals for all known
environmental issues related to a company. The findings of this audit are yet another significant input
for top management of the company. In addition, the acknowledgement of these liabilities in the
financial statements will also meet the requirements by the Securities and Exchange Commission.

Environmental Audit Report


A company disclosing information about its environmental practices allows stakeholders to
make informed decisions about the adequacy and the impact of organisational actions towards achieving
sustainability (Deegan, 2009). In a similar vein, detailed environmental disclosure has a
positive impact on management’s reputation (Simnett et al., 2009). Generally, an environmental
audit report highlights the achievements of an organisation in view of its environmental goals and
objectives as outlined in its environmental policy and its environmental management system. Ideally,
the report outlines (1) the positive aspects of the organisation’s environmental performance, (2) any
deficiencies or weaknesses found in the current environmental management practices, and (3) a proposal
for improvement opportunities or recommendations concerning the weaknesses identified earlier
during the audit.

The results of an environmental audit are normally released to all departments of the organisation to
strengthen overall organisational commitment towards the environment. In some companies, a yearly
summary of environmental audit findings is prepared and presented to the Board of Directors. The
information obtained from the audit is also made available to external stakeholders such as consumers,
suppliers, regulators and the community to ensure their specific environmental concerns and needs are
being satisfied.

Environmental Management Systems (EMS)


Globally, an increasing number of organisations are giving more attention to environmental issues in
pursuing sustainable growth. In general, more effort is being put into avoiding environmental
impact from the production process, over and above producing environmentally friendly products. Many
organisations have also adopted Environmental Management Systems, which provide a systematic
approach for an organisation to achieve its intended outcomes of providing value for the environment,
gaining a competitive advantage and earning the trust of stakeholders (Darnall and Kim, 2012).

An EMS can be defined as a systematic process to prescribe and implement environmental objectives,
policies and responsibilities, including regular audits to monitor the performance of each element of
the environmental management system. An EMS is also regarded as a set of comprehensive, transparent
and efficient management processes with the ultimate aim of enabling an organisation to continually
reduce its unfavourable impact on the natural environment. It prescribes specific competencies,
behaviours, procedures and demands for the implementation of operational environmental policies
throughout the organisation.

The most popular standard for EMS is ISO 14001, published by the International Organisation for
Standardisation (Jones et al., 2012). In Malaysia, the national standard for EMS is identified as
MS ISO 14001:2015. Among the benefits of adopting ISO 14001 are improvements in both organisational and
environmental performance (Salim et al., 2018). This Standard sets out the necessary requirements
and guidelines for any organisation to improve its environmental performance through more efficient
use of resources and reduction of waste. Upon application, an organisation goes through several
procedures such as an adequacy audit, a compliance audit, the certification process and yearly
surveillance. By complying with the Standard, an organisation acts in accordance with the legal
requirements set out in the Environmental Quality Act 1974 (Act 127) and the relevant regulations.

Four Pillars of EMS Adoption


Netherwood (1998) identified four pillars that form the foundation for EMS adoption. See
Figure 11.2: Four Pillars of EMS Adoption for illustration.

1. A written environmental policy


The first pillar of EMS adoption is the establishment of a written environmental policy. The existence
of such a policy is very important to express a holistic organisational commitment towards
responsible environmental management. The policy also represents an organisational pledge to comply
with all relevant environmental legislation. In other words, the policy shall reflect management’s
continuous environmentally friendly efforts throughout its organisational activities, including strategic
planning, project implementation, product offerings and services. Through the establishment of
an environmental policy, an organisation shares its beliefs and values on the significance of conserving
the environment while safeguarding financial returns from its investment.

[Figure 11.2 shows the four pillars of EMS adoption: environmental policy; performance indicators and
goals; environment training program; and environmental audit.]

Figure 11.2 Four Pillars of EMS Adoption

2. Environmental performance indicators and goals


The second pillar of EMS adoption is the creation of environmental performance indicators and goals.
It shows continuous organisational commitment to implement and give effect to the environmental
policy established earlier. Management will find ways to translate its written environmental pledge into
actions by identifying its environmental impacts and setting management objectives and targets for
achieving its environmental goals.

3. Environment training program


The third pillar refers to the environmental training program. It represents the adopters’ efforts to
ensure their employees possess the right understanding and share the same wisdom related to
organisational concerns on the environment. The main objective of the training program is to develop
necessary expertise and competency to ensure all activities of the organisation are acceptable within
the applicable environmental laws and regulations. This will include the creation of enhanced
management and communication structure both within and outside the organisation to inculcate
environmental concerns among the people.

4. Environmental audit
The fourth EMS pillar, environmental audit, is indispensable and critical to ensure continuous
environmental improvement within the organisation. It serves the organisation by periodically
evaluating and recommending appropriate solutions and corrective measures to address any identified
weaknesses or discrepancies within the environmental management program. A more detailed
discussion on environmental audit is found towards the end of this chapter.

It is important for an EMS adopter to embrace all these four pillars. Failure to execute any one of these
components will restrain the EMS’s ability to achieve its full potential. For example, failure to
implement environmental audits may prevent the organisation from rectifying any discrepancies or
weaknesses that exist within its environmental management system; thus, hampering EMS’s ability to
ensure continual environmental improvement. In a similar vein, forgoing an environmental training program
for employees may lead to the lack of a collective view on the importance of environmental
concerns among the people within the organisation; thus, lowering the chances of successfully
integrating the EMS deeply within the organisation.

An excellent example of an EMS adopter in Malaysia is Sumirubber Malaysia Sdn Bhd, a well-known
leading manufacturer of high-quality latex-based gloves under the Sumitomo Rubber Group. This company
strongly believes that excellent environmental management ultimately helps the
company to gain better acceptability in the market. For about 30 years, Sumirubber Malaysia
has continued to earn the trust of society through the introduction of environmentally friendly products
while consistently minimising the impact of its production process on the environment. In line with its
environmental policy, Sumirubber Malaysia emphasises energy conservation, waste reduction,
compliance obligations, emergency preparedness and the promotion of recycling activities. Apart
from extensive environmental auditing programs, the company has also made environmental training
one of its top priorities through the development of rigorous training programs, ranging from basic
awareness courses to courses specific to MS ISO 14001:2015. In order to continuously promote and elevate
environmental awareness throughout its organisation, Sumirubber Malaysia has made several conservation
and social contributions such as the annual Mudball Program and Mangrove Tree Planting.

Another outstanding example of an EMS adopter is the Fujitsu Group, the leading Japanese information
and communication technology (ICT) company. It offers a full range of technology products, solutions
and services in more than 100 countries. With approximately 140,000 staff throughout the world,
the Fujitsu Group is considered the largest IT service provider in Japan and the 7th largest in the world. As a
responsible corporate citizen, the Group takes a leading role in sustaining the well-being of society
through its business activities. The top management of the Fujitsu Group has made it clear that
environmental protection is of the utmost importance in creating a sustainable environment for future
generations.

The Fujitsu Group upgraded its EMS to a worldwide integrated ISO 14001:2015 certification in 2018. It established its
environmental policy based on the principles and guidelines set forth in the Fujitsu Way. With clear
environmental goals set for all of its business areas, the Group conducts its business activities in a
sustainable manner. (See Exhibit 11.1: The Fujitsu Way; Philosophy and Principles.)

“Being environmentally friendly is a pre-requisite to remaining viable as a company. We must be
committed to this basic policy and implement it consistently and continuously.”

Hiroaki Kurokawa, 12th President

Figure 11.3 The Fujitsu Group’s DNA

Exhibit 11.1 The Fujitsu Way; Philosophy and Principles

Philosophy

The Fujitsu Group recognises that global environmental protection is a vitally important
business issue. By utilising our technological expertise and creative talents in the ICT
industry, we seek to contribute to the promotion of sustainable development. In
addition, while observing all environmental regulations in our business operations, we
are actively pursuing environmental protection activities on our own initiative. Through
our individual and collective actions, we will continuously strive to safeguard a rich
natural environment for future generations.

Principles

• We help customers and society reduce the environmental impact of their business
activities and improve environmental efficiency with advanced technologies, ICT
products and solutions.
• We proactively promote environmentally conscious business activities to help the
environment and economy coexist harmoniously.
• We strive to reduce the environmental impact of our ICT products and solutions
throughout their entire lifecycle.
• We are committed to conserving energy and natural resources, and practice the
3Rs approach (reduce, reuse and recycle) to create best-of-breed eco-friendly
products and solutions.
• We seek to reduce risks to human health and the environment from the use of
chemical substances and waste.
• We disclose environment-related information on our business activities, ICT
products and solutions, and we utilise the resulting feedback to critique ourselves
in order to further improve our environmental programs.
• We encourage our employees to work on global environmental conservation such
as tackling climate change and preservation of biodiversity through their business
and civic activities to be role models in society.

Among the green initiatives taken by the Fujitsu Group is the introduction of the Fujitsu Green Procurement
Policy. The policy shows the Group’s commitment to implementing Green Procurement throughout its
supply chain. From the earliest stage of development, all Fujitsu products have incorporated energy
conservation concepts in their design and material selection. These green initiatives are introduced to
ensure its customers are offered eco-friendly products that ultimately reduce the burden on the
environment. Interestingly, Fujitsu also works together with its customers in protecting the global
environment. The company supplies its customers with environmental solutions, incorporating the
know-how and innovative technology it developed for its own environmental countermeasures.

Commitments for a Successful EMS Adoption


Implementing a successful EMS depends heavily on collective commitments and exhaustive efforts by
management and employees within the organisation, including but not limited to the following:

1. To make sure all organisational activities comply with relevant governing standards and regulatory
requirements, locally as well as internationally, on environmental protection.
2. To monitor continuous improvement efforts on environmental performances through efficient
organisational planning, economic investments and necessary technological measures. This would
ensure that environmental concerns become an integral part of the planning and decision-making
process of the organisation. Employees should also be encouraged and empowered to give ideas
or suggestions on improvements.
3. To allocate sufficient resources for educating employees on environmental concerns such as staff
environmental awareness as well as accountability and training programs. It is important to
emphasise that an appropriate level of competency, accountability and awareness on environmental
issues among staff has a significant impact on the success of an environmental management
program.
4. To establish a code of ethical conduct on environmental issues, which should be observed by
everyone in the organisation as an indicator of an ongoing commitment to environmental issues.
5. To practise and promote efficient use of energy resources through cost-effective conservation and
energy management programs, including research and development projects aimed at minimising
and mitigating unfavourable environmental impacts caused by operations. For example, the
introduction of new environmentally friendly technology in the production plant that can eliminate
the emission of harmful greenhouse gases.
6. To place sound environmental stewardship in all company-owned facilities and properties by
setting clear principles on how authority and accountability are delegated within the organisation.
This would include an emphasis on environmental risk management activities to meet the
requirements of the environmental policy and applicable legal regulations.
7. To have the ability to execute emergency-response plans whenever necessary, as well as to
implement appropriate restoration programs for any adverse environmental impacts caused by the
organisation’s activities.
8. To ensure all wastes, including confiscated materials, electronic equipment, chemicals, solid and
biological wastes, are handled and disposed of in an efficient and proper manner consistent with the
applicable environmental regulations and policies.
9. To evaluate environmental performance through periodic reviews and audits in order to
rectify any weaknesses or discrepancies and, ultimately, meet the objectives of EMS adoption.

Summary
Organisations around the world, including their stakeholders, are becoming increasingly concerned with
the need to become more environmentally responsible in pursuing sustainable growth and development.
As such, the implementation of a sound environmental management system with excellent environmental
policies, performance indicators, training and environmental audits is becoming increasingly
important and significant in supporting the sustainability of organisations as well as their products and
services. In addition, the ability to properly manage environmental impacts may create the advantage
needed for corporate organisations to be competitive as well as to reap greater financial benefits in the
future.

Apart from discussing environmental management systems (EMS), this chapter also provides discussions
related to environmental audit, including its definition, the objectives of environmental audit, the benefits of
environmental audit and the environmental audit report. Examples of environmental audits in a
manufacturing company, such as Operation Site Compliance Audits, Transactional Environmental Audits
on Asset Transfer, Product Audits and Environmental Liability Accrual Audits, are also provided.
Finally, an extensive list of the commitments needed for a successful adoption of EMS is put forward in
the last section of the chapter.

Self-Review Questions

1. Define an environmental audit.
2. Discuss the benefits of performing an environmental audit.
3. Describe your understanding of the Environmental Management System (EMS).
4. Illustrate the importance of the environmental policy as one of the four pillars for EMS adoption.
5. Discuss the commitment needed for a successful EMS adoption.

References

Darnall, N. and Kim, Y. Which Types of Environmental Management Systems Are Related to Greater
Environmental Improvements? Public Administration Review 72:3 (2012): 351–365.
Deegan, C. Environmental Disclosures and Share Prices: A Discussion about Efforts to Study this
Relationship. Accounting Forum 28:1 (2004): 87–97.
Jones, N., Panoriou, E., Thiveou, K., Roumeliotis, S., Allan, S., Clark, J. R. A. and Evangelinos, K. I.
Investigating Benefits from the Implementation of Environmental Management Systems in a Greek
University. Clean Technologies and Environmental Policy 14 (2012): 669–676.
Mary, L. et al. Principles and Contemporary Issues in Internal Auditing. McGraw-Hill, 2009.
Netherwood, A. Environmental Management Systems: Corporate Environmental Management.
London: Earthscan, 1998.
Salim, H. K., Padfield, R., Lee, C. T., Syayuti, K., Papargyropoulou, E. and Tham, M. H. An
Investigation of the Drivers, Barriers, and Incentives for Environmental Management
Systems in the Malaysian Food and Beverage Industry. Clean Technologies and
Environmental Policy 20:3 (2018): 529–538.
Simnett, R., Vanstraelen, A. and Chua, W. Assurance on Sustainability Reports: An International
Comparison. The Accounting Review 84:3 (2009): 937–967.
“Cleaning up Toxic River Sungai Kim Kim in Pasir Gudang to Cost S$2.16 Million.” The
Straits Times, The Star/Asia News Network, 21 Mar. 2019,
www.straitstimes.com/asia/se-asia/cleaning-up-toxic-river-sungai-kim-kim-in-pasir-gudang-to-cost-s216-million.
“Environmental Report 2018.” Sumirubber Sdn Bhd,
https://www.srigroup.co.jp/csr/csr/ecology/documents/08_18_SRIM.pdf.
“ISO 14001 Certification Acquisition Results.” Fujitsu Malaysia,
www.fujitsu.com/my/about/environment/management/ems/result.
“MS ISO 14001:2015: Environmental Management Systems.” JSM Portal, Department of Standards
Malaysia, www.jsm.gov.my/ms-iso-14001#.XMJKRdIzYdU.

CASE 1

Argon Bank
Contributors: Yusarina Mat Isa and
Mary Lee Siew Cheng

Background
Argon Bank, established as a small family business back in 1963, has
managed to pull its way through the challenges of the banking industry
and registered net assets of RM5.3 billion in 2018. The bank has significant
banking operations in Malaysia, Singapore and the Philippines, with a
network of more than 150 branches and a staff strength of 3,000 personnel.
From a close-knit family business, the bank has grown to become one
of the largest players in the Malaysian banking industry. The management
team is headed by the chief executive officer (CEO), Mr Jagjit, who reports
directly to the Board of Directors. Apart from the Board of Directors,
the governance of the bank is also overseen by the audit and risk
management committee. The reporting structure of the bank is depicted in
Figure 1.
Argon Bank operates as a retail, commercial and corporate bank and
also has a treasury operation. The bank is very aggressive in capturing the
market for corporate loans, and as of 31 December 2018, its corporate loan
portfolio made up 53% of the bank’s total loans, as shown in Figure 2. The
bank is targeting a corporate loan growth rate of 9% for the year ending
in 2019. Most of the bank’s corporate clients are from the manufacturing
and service industries. The top management of the bank envisions the
bank becoming a market leader in capturing big corporate clients in the next
five years.

[Figure 1 shows the organisational structure: the Board of Directors with its Audit and Risk
Management Committee; the President and Chief Executive Officer; Internal Audit and Compliance;
and the Head of Retail Banking, Head of Commercial/Corporate Banking, Head of Treasury Operation,
Group Chief Financial Officer and Group Risk Management.]

Figure 1 Organisational Structure of Argon Bank


[Figure 2 shows the composition of the loan portfolio: corporate loans 53%, retail loans 25% and
commercial loans 22%.]

Figure 2 Composition of Argon Bank’s Loan

Facts of the Case


In early 2019, the management of the bank, particularly the chief risk officer
(CRO), had observed a number of peculiarities in the credit processes of the
corporate loan sector. Having taken over the position in the middle of 2018,
he became very concerned about what he saw. He had a feeling that the
controls in the credit processes were somewhat relaxed, to the extent that
corporate loans were approved on the pretext of unsecured contracts put
forward by the clients. After careful consideration, he provided feedback
to the internal auditors and asked them to review the credit
approval processes in the commercial and corporate banking department.
The internal audit team, headed by team leader Mr Amrun, started to
plan for the engagement when they received the ad hoc request from the
CRO. Having just taken over the portfolio from Mr Ismail, the previous team
leader in charge, Mr Amrun needed to really understand the processes in the
department before starting the audit. One of the important tasks was for Mr
Amrun to understand the risks faced by the department. In the preliminary
study, Mr Amrun asked his team to go through previous internal audit
reports of the department. Based on these reports, Mr Amrun noticed that
the internal auditors had highlighted various issues on the circumvention of
control measures in the department and recommendations were proposed
accordingly. Nevertheless, Mr Amrun observed that the internal auditors had
failed to perform follow-up audits to assess the implementation of the
recommendations. Although the management had agreed to implement
most of the recommendations presented with regard to improving controls,
they fell short in executing most of them.
Mr Amrun realised that a thorough audit on the credit processes in the
commercial and corporate banking department was crucial. He planned
a three-week field audit and gathered relevant documents from the
department. The audit team, comprising five auditors, started their audit
fieldwork by looking at the credit policies available with respect to the
corporate loan sector and comparing the policies against the practices
adopted by the department. They also collected evidence through
interviews with the relevant personnel and a review of documentation.
The very first thing that the audit team observed was the lack of
required documentation for loan applications. Further investigation into
the clients’ credit files revealed that there was no checklist for documents
needed to process the loan applications. Although the corporate loan
application policies emphasised supporting documents such as the client’s
audited financial statements, memorandum and articles of association,
directors’ resolutions, valuation reports and various other documents,
rarely did the auditors find such documents in the credit files. If any,
the documents were either incomplete or inadequate. When the auditors
queried the credit personnel, they were informed that those clients were
well-known major companies in the industries; hence, their repayment
capacity was assumed to be satisfactory and these companies were ‘very
unlikely to be dissolved’ due to their size.
The audit team proceeded to further check the valuation reports
provided by some of the clients applying for loans to purchase properties.
Although the reports appeared to be genuine and certified, some valuation
figures attracted the auditors’ attention. Looking at the current property
market, some of the valuations provided in the reports were far above
average. The auditors found that although the bank has its panel of
valuers, some of the valuers engaged to value the clients’ properties
were introduced by the clients themselves. The auditors were concerned
that there might be a certain degree of collusion between the valuers and the
clients, and this could have resulted in overstating the prices of properties
considerably. The problem was also aggravated by the practice of credit
personnel in performing site visits only after the loans were disbursed. Any
disparity between the values presented in the valuation reports and the true
value of the properties could only be known at the time of the visits, which
at times were too late.
The absence of credit risk ratings for corporate borrowers was another
perplexing issue that Mr Amrun tried to comprehend. The criteria used to
assess loan applications were not clear, both in practice and in policy,
thus leaving room for risk ambiguity. The borrowers’ risks were not
rated, and loans were approved based on assessment and judgement by
credit personnel as well as the CEO, Mr Jagjit. There was no committee set
up to assist in the credit risk management process. Every decision had to go
through the CEO, and the CEO had at times vetoed decisions to reject loans,
with no exception reports being presented to the Board of
Directors. One particular loan was granted to Mr Zanadu’s
company after it had been rejected earlier. Mr Zanadu is Mr Jagjit’s son-in-law.
Based on interviews with the credit personnel in the corporate and
commercial banking department, Mr Amrun felt that the personnel
were working too hard to meet the loan target set by the
management. As the remuneration is related to loans approved, instead
of loans applied, this might be a motivation to increase the loan base by
compromising the risk mitigation measures. Failure of internal auditors to
carry out a follow-up audit on the implementation of the recommendations
proposed has left the internal control loopholes unaddressed.
Based on the team’s observation, Mr Amrun realised that the bank has
not been adopting some of the best practices in credit risk management as
recommended by Bank Negara Malaysia (BNM).

Credit Risk Management Best Practices

BNM has issued a guideline on credit risk best management practices and
it prescribes the minimum level that banking institutions should observe to
ensure prudent conduct in the operations of their credit-granting activities. BNM
requires the following measures to be in place in managing the bank’s credit
risk:
• The credit policy and standards should define acceptable loan purposes,
types of loans and loan structures, and industries to which the bank is
willing to lend, as well as the types of information the lender is required to
obtain and analyse
• Banking institutions are required to develop an appropriate credit grading
system to systematically grade the credit risk of the borrower
• The borrower needs to be assessed on the current and expected financial
condition, the borrower’s credit history and correlation between historical
and projected repayment capacity as well as the borrower’s ability to
withstand adverse conditions or ‘stress’
• Collateral pledged by the borrower — amount, quality and liquidity; the
bank’s ability to realise the collateral under the worst case scenario
• Qualitative factors, such as management, the industry and the state of the
economy as a whole
• Banking institutions are required to set up a committee to specifically
assist the Board of Directors in overseeing the credit risk management
process
• Collateral policies set by the bank shall include parameters on approved
panels for solicitors, property valuers and insurance companies
• The credit approval process should establish accountability for decisions
taken and designate who has the authority to approve credits or changes in
credit terms and what the authorised limit would be.

Responsibilities of Internal Auditors

The issued guideline on Credit Risk Management Best Practices also includes
the general requirements expected of internal auditors with respect to credit
risk management. In managing the credit risk, internal auditors should provide
an ongoing focus on the internal control systems and periodic reviews of the
credit risk management processes. They should also review compliance with
approved policies, as well as applicable laws and regulations. Among the
expectations of internal auditors are:
• Internal auditors must evaluate the independence and overall effectiveness
of the credit risk management systems.
• The internal auditor’s assessment of the adequacy of internal controls
will involve understanding, documenting, evaluating and testing a banking
institution’s internal control system and follow-up of corrective actions and
review of management’s action to address material weaknesses.
Upon the completion of the audit fieldwork, Mr Amrun was very worried
that the bank might face a serious financial problem if the lack of control
in the loan approval processes was not monitored and rectified. Failure of
a corporate loan repayment may lead to a significant adverse impact on the
bank due to its substantial loan quantum.
Mr Amrun and his team deliberated the findings with the management
of commercial and corporate banking department. The department’s
general manager, Mr Huay, admitted that the controls were lacking, but
they had inherited the practices for so long, and at the same time, the bank
is still prospering and standing tall. Mr Huay also mentioned that the top
management, including the CEO, were in the know of what was going on
in the department but their silence showed that they were condoning the
practices. Although Mr Huay acknowledged that some of the findings were
truly risky and should be rectified immediately, he mentioned that the
corrective measures cannot be implemented overnight and they needed the
full support from the top management in order to ‘make things work’.
Mr Amrun was very worried and concerned, and he highlighted the
issues to the audit committee. The audit committee responded that they
would look into and evaluate the issues presented in the audit report and
would revert to Mr Amrun after their next meeting.

Questions:
1. Identify the weaknesses in the commercial and corporate banking
department’s credit approval processes and explain their effects in
reference to the BNM guidelines on Credit Risk Management Best
Practices as well as internal control principles in general.
2. Evaluate the internal audit processes of Argon Bank’s internal audit
function.
3. Discuss the best possible approaches that Mr Amrun and his team could
adopt in dealing with the issues identified.
4. Discuss the lessons learned from this case.
CASE 2

National Malaysian Bank


Contributor: Grace Mui

Background
National Malaysian Bank, a prominent banking institution in Malaysia, is
one of the pioneer banks in Malaysia. It has expanded its operations over
the years with a strong presence in the country as well as in the Asian
region. The National Malaysian Bank has a range of credit card products.
Therefore, the bank is susceptible to the risk of credit card fraud and the
issue of ensuring the security of customer data.

Facts of the Case


Adam, the manager of credit card services, and Johan, the internal audit
manager, sipped teh tarik while discussing the news headlines about a
police raid on a seemingly legitimate business that was printing fake blank
credit cards1. The news report highlighted that the local syndicate produced
fake credit cards complete with card holder details for sale to international
syndicates.
Both Adam and Johan were long-time employees of the National
Malaysian Bank. As such, they were familiar with the dangers of credit
card fraud and the creative means employed by fraudsters to obtain credit
card details2 despite the use of the EMV3 chip credit card security feature in
credit cards issued by Malaysian banks4.
Their discussion turned to an email complaint received by the bank’s
credit card services email account the day before.
Adam explains to Johan that the procedure for a customer to change
his/her personal details, such as mailing address, is to visit the branch of the
bank in person. At the branch, the customer is required to complete a ‘change
of personal details’ form and to produce an original identity document as
proof of his/her identity. Common identity documents are the Malaysian
identity card and passport. In the event that the change was made without
the customer’s knowledge and consent, the bank would have breached
their duty of care towards the customer to preserve the confidentiality and
privacy of the customer’s data.
Johan suggests that Adam perform the following checks on the credit
card customer database:
1. How many credit card customers have a credit card account mailing
address that differs from the mailing address of their other bank
accounts?
2. Which customer mailing addresses are linked to more than one credit
card with a different name?
3. How many ‘change in address’ requests were made by customers in the last
12 months? When was each request made?
4. For these ‘change in address’ requests, were the policies and procedures
for these changes followed? Specifically, did the customer initiate the
change by physically submitting a form at a bank branch and providing
the relevant identity documents?

Email complaint from customer

Dear Sir/Madam,
I am writing to report a potential case of fraud. I didn’t receive the hard copy of my credit card statement
for the month of February 2018. I have been receiving the statements without fail until February 2018.
Yesterday I called 1-800-123456 about 9:30 pm to check the balance owing so I could pay my credit card
bill. Cik Rozita attended to me.
When I checked my mailing address as per the National Malaysian Bank computer system
I was horrified to discover that it was listed as Eden Healing Spa, #10 Lot 2A Taman Pasir Panjang,
Sandakan. Cik Rozita was not able to advise me as to when and how this change in address occurred. It is
my suspicion that it occurred after the January 2018 statement was sent.
I would like to formally inform the National Malaysian Bank Credit Card Centre that in the
past 30 years, my home address has been No. 4 Jalan Besar, Petaling Jaya and this is the
address I wrote in all the necessary forms when I opened accounts at your bank. Further,
I have no business dealings in East Malaysia nor have I visited East Malaysia. Therefore,
I strongly suspect that the physical mailing address for my credit card has been changed by unauthorised
persons and there is the potential for my credit card to be used fraudulently by unauthorised persons.
The following day, I contacted the branch manager of the branch where I usually conduct my transactions
and found that the address for my other National Malaysian Bank accounts had not been changed. This
made me suspicious as to why my mailing address for only my credit card account was changed.
I am writing to inform you that I would like my credit card account mailing address to be changed back to
No. 4 Jalan Besar, Petaling Jaya, Selangor, Malaysia with immediate effect.
Your kind assistance is very much appreciated to circumvent the possibility of my credit card being used
by unauthorised parties for fraudulent purposes. I look forward to someone from the National Malaysian
Bank Credit Card Services Centre contacting me at this email address or at 011-9876543 to advise me on
the next course of action.

Yours sincerely,
Yasmin Tan
National Malaysian Bank Credit Card number 9876 5432 1098 7654 cardholder since August 2001

The bank’s information technology (IT) team produces this exception report
for Adam. The exception report highlights that:
1. There were 80 different customers whose credit card account mailing
address differs from the mailing address of their other bank accounts.
2. The mailing addresses of these 80 customers were linked to only
five mailing addresses. Of these five, the Eden Healing Spa address —
as mentioned in Yasmin’s email — was listed as the mailing address of
12 different credit card customers.
3. The changes in the mailing addresses for all 80 credit card customers
took place within the last 25 days.
4. None of these changes were evidenced by either a completed ‘change in
personal details’ form or proof of identity documents.
5. Yasmin was the first customer to lodge a complaint about the
unauthorised change in mailing address. Forty-eight of the other
customers had opted for online credit card statements. The remaining
customers continue to receive hard copy credit card statements by
mail. Adam expects that these remaining customers, like Yasmin, did
not receive hard copy credit card statements for February 2011.

Adam and Johan discuss the exception report with Anna, the IT security
manager. Anna explains that data breaches can be perpetrated by parties
internal or external to the organisation5. Internal data breaches can be
perpetrated by existing employees or former employees. External data
breaches are perpetrated by non-employees. The intent to commit fraud
may or may not be present in data breaches.
Anna confirms that in the last three years the bank had implemented a
more secure data security system. Further, Anna’s team had been conducting
rigorous tests and checks on a frequent basis to ensure that there was no
breach in the bank’s security system. Anna finds that there is no reason to
believe that there was a breach of the security system in the previous 12
months. She suggests that there is a possibility that an internal data breach
has occurred.
Johan runs a test to match the five suspicious mailing addresses with the
addresses of current employees and former employees who left the
company in the last 12 months. The results show that the Eden Healing Spa
address matches the home address of a former employee who resigned two
months ago. The former employee had previously spent two years in the
bank’s credit card services department processing credit card applications.
Adam remembers that this former employee was close friends with another
data entry clerk who was currently responsible for keying in changes in
customers’ personal details. Adam recognises that there is the possibility
that there was collusion between the former employee and the data entry
clerk. In order to prevent further changes from being made to customer
accounts, Adam immediately assigns this data entry clerk to a less data-
sensitive task for the next month.
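The four database checks Johan proposes, the exception report the IT team produces from them, and Johan’s later test matching the suspicious addresses against current and former employees are all data-analytics steps an internal auditor can script. The following is an added example, not part of the case or of any bank’s system: it builds a small in-memory SQLite database from constructed sample records (the customer names, addresses, dates and the table layout are all assumptions made for illustration; the only values taken from the case are Yasmin’s two addresses) and runs each check as a query, so the auditor keeps a reproducible record of exactly what was tested and on which date.

```python
import sqlite3
from datetime import date, timedelta

# Assumed review date, so the 12-month windows are reproducible.
AS_OF = date(2018, 3, 15)

# Constructed sample data: four cardholders, three address changes, three staff records.
CUSTOMERS = [
    # (customer_id, name, cc_address, other_accounts_address, statement_channel)
    (1, "Yasmin Tan", "Eden Healing Spa, #10 Lot 2A Taman Pasir Panjang, Sandakan",
     "No. 4 Jalan Besar, Petaling Jaya", "post"),
    (2, "Lim Ah Kow", "Eden Healing Spa, #10 Lot 2A Taman Pasir Panjang, Sandakan",
     "12 Jalan Ipoh, Kuala Lumpur", "online"),
    (3, "Siti Aminah", "7 Jalan Melati, Shah Alam", "7 Jalan Melati, Shah Alam", "post"),
    (4, "Raj Kumar", "Lot 5 Jalan Pantai, Kota Kinabalu", "22 Jalan Klang, Kuala Lumpur", "online"),
]
ADDRESS_CHANGES = [
    # (customer_id, changed_on, branch_form_on_file, id_document_verified)
    (1, "2018-02-20", 0, 0),
    (2, "2018-02-22", 0, 0),
    (4, "2018-03-01", 0, 0),
    (3, "2017-09-10", 1, 1),   # a properly evidenced change, should not be flagged
]
EMPLOYEES = [
    # (name, home_address, left_on or None for current staff)
    ("Former Clerk A", "Eden Healing Spa, #10 Lot 2A Taman Pasir Panjang, Sandakan", "2018-01-15"),
    ("Current Clerk B", "9 Jalan Damai, Petaling Jaya", None),
    ("Long-gone Staff C", "Lot 5 Jalan Pantai, Kota Kinabalu", "2015-06-30"),  # outside the window
]


def build_db():
    """Load the constructed records into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(customer_id INTEGER PRIMARY KEY, name TEXT,
                               cc_address TEXT, other_address TEXT, statement_channel TEXT);
        CREATE TABLE address_changes(customer_id INTEGER, changed_on TEXT,
                                     form_on_file INTEGER, id_verified INTEGER);
        CREATE TABLE employees(name TEXT, home_address TEXT, left_on TEXT);
    """)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", CUSTOMERS)
    conn.executemany("INSERT INTO address_changes VALUES (?,?,?,?)", ADDRESS_CHANGES)
    conn.executemany("INSERT INTO employees VALUES (?,?,?)", EMPLOYEES)
    return conn


def mismatched_addresses(conn):
    """Check 1: cards whose mailing address differs from the customer's other accounts."""
    return conn.execute(
        "SELECT customer_id, cc_address FROM customers "
        "WHERE cc_address <> other_address ORDER BY customer_id").fetchall()


def shared_addresses(conn):
    """Check 2: mailing addresses linked to more than one card held under different names."""
    return conn.execute(
        "SELECT cc_address, COUNT(DISTINCT name) FROM customers "
        "GROUP BY cc_address HAVING COUNT(DISTINCT name) > 1").fetchall()


def unevidenced_recent_changes(conn, days=365):
    """Checks 3 and 4: changes inside the window that lack the branch form or ID evidence."""
    cutoff = (AS_OF - timedelta(days=days)).isoformat()   # ISO dates compare as text
    return conn.execute(
        "SELECT customer_id, changed_on FROM address_changes "
        "WHERE changed_on >= ? AND (form_on_file = 0 OR id_verified = 0) "
        "ORDER BY changed_on", (cutoff,)).fetchall()


def employee_address_matches(conn, months=12):
    """Johan's test: suspicious addresses matched to current staff or leavers in the window."""
    cutoff = (AS_OF - timedelta(days=30 * months)).isoformat()
    return conn.execute(
        "SELECT DISTINCT c.cc_address, e.name, e.left_on "
        "FROM customers c JOIN employees e ON e.home_address = c.cc_address "
        "WHERE c.cc_address <> c.other_address "
        "AND (e.left_on IS NULL OR e.left_on >= ?)", (cutoff,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Check 1:", mismatched_addresses(db))
    print("Check 2:", shared_addresses(db))
    print("Checks 3/4:", unevidenced_recent_changes(db))
    print("Employee match:", employee_address_matches(db))
```

On the constructed data, check 1 flags customers 1, 2 and 4, check 2 isolates the Eden Healing Spa address as shared by two cardholders with different names, checks 3 and 4 list the three unevidenced changes made in the last 12 months, and the employee match ties that address to a clerk who left within the window while ignoring a leaver from 2015. Because every step is a query over a dated snapshot, the same script can be re-run after remediation to confirm no further unauthorised changes appear.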
Johan recognises that there is the possibility that further
unauthorised changes have been made to customers’ personal details.
Further, he is also concerned that the 80 customers’ credit cards may have
been used for fraudulent purposes.
Johan ponders about the possibility that the bank’s IT system has a
backdoor6 that could have been exploited to allow for an external data
breach. Further, there is the possibility that an external party offered
a current employee rewards — financial or otherwise — to make those
changes.
Johan wonders what he should do next to solve this data breach and
prevent it from occurring again.
Questions:
1. Based on this case, identify scenarios where the unauthorised changes
to the mailing address were a result of internal data breaches and
external data breaches. What internal controls could have prevented
these data breaches? What internal controls could have detected these
data breaches?
2. What do you propose that the National Malaysian Bank should do to
prevent further unauthorised changes in customers’ personal details?
Who do you think is responsible for these preventive measures?
3. What do you propose that Adam — with the assistance of Johan and
Anna, if required — should do to determine if the credit cards that were
compromised have been used for fraudulent transactions?
4. What measures are available to the National Malaysian Bank to prevent
the fraudulent use of the credit cards of the 80 customers whose credit
card accounts have been compromised?
5. What are the possible consequences of organisations disclosing
data breaches to the public? What are the possible consequences of
organisations not disclosing data breaches to the public?

ENDNOTES
1 Camoens, A. and Ruban, A. ‘Printing shop’ busted over fraudulent
activities, The Star, 19 October 2011. https://www.thestar.com.my/news/
nation/2011/10/19/printing-shop-busted-over-fraudulent-activities/
2 Bank Negara Malaysia ‘Unauthorised use of credit or debit card’ from
Bank Negara Malaysia’s Financial Fraud Alert. http://www.bnm.gov.my/
microsites/fraudalert/0205_card.htm.
3 Europay-Mastercard-Visa
4 Bank Negara Malaysia, ‘EMV chip credit card security intact’, Bank
Negara Malaysia Press Release dated 17 August 2005, http://www.
bnm.gov.my/index.php?ch=8&pg=14&ac=1065
5 Holtfreter, R.E. (2011) ‘Breaking breach secrecy, Part 1’, FRAUD Vol.26
No.5 September/October, Association of Certified Fraud Examiners,
pp. 44–51
6 A backdoor or trapdoor is a method of accessing the computer system or
a computer program that bypasses security mechanisms. Programmers
may install a backdoor to access the computer system or program to
troubleshoot the system or program. It can sometimes be exploited by
unauthorised parties to access the system or program.
CASE 3

Perusahaan Herba, PT.


Contributor: Sanjeev Gathani

Background
Perusahaan Herba, PT. is a wholly owned subsidiary of an American
multinational company operating in Jakarta, Indonesia. The principal
activities of the company are buying and selling of spices and commodities.
The Indonesian office is the hub of its Asian market and has been profitable
since it began. The company has been in operation since 2000 and has a
staff strength of 20. The company is divided into three departments: finance
& human resources, sales & marketing and distribution & logistics. Each
department is headed by a manager, who in turn is supported by two
persons. The three managers report to the local managing director. The
finance department consists of a finance manager and four supporting
staff who handle general ledger, accounts payable, accounts receivable
and fixed assets respectively. The finance manager reports to the group
financial controller who is based in Denver, Colorado, USA.
The local managing director operates in a casual and hands-off
approach. He leaves the day-to-day operations to the managers and rarely
questions unless the desired results are not achieved. He has expensive
taste and enjoys the finest food and wine and always dresses well and
has an affluent lifestyle. The office is decorated with expensive paintings
and items, which gives the impression that you are entering a five-star
hotel. All work stations and meeting rooms are well equipped with
state-of-the-art communication devices. The decor is well maintained and the
receptionists provide an unforgettable experience for the visitors.

Facts of the Case


i. Finance & Human Resources Department
The finance department is well controlled, in the sense that its directives
are never questioned. The instructions passed down are to be followed and
authority is not to be questioned. The finance manager is a hardworking
man who rarely takes his annual and medical leave. He is extremely fit. He
controls the activities in the department with an iron fist and is a happily
married man with three grown-up girls. He loves his job and is dedicated to
delivering the best.
All financial transactions, including the sourcing of vendors, are
channelled through him, and his approval is required before processing.
Ultimately, it is the finance manager who decides who the company sources
from and at what price and what quantity. No one in the company would
question his judgement as he has a free hand in running the department.
The finance manager also doubles up as the human resources manager,
and he manages all the human resources activities of the company
including its talent retention and compensation plans. He reports to the
local managing director and the holding company decentralises its human
resources function and wants the companies to follow the practices of the
local country and not that of the holding company.
The turnover of the company is low as most people enjoy working in
a stress-free environment. The only time when you are questioned is when
results are not delivered. The company does not care how results are achieved
as long as they are achieved.

ii. Sales and Marketing


The staff in this department are extremely driven and have a great sense of
belief that impossibility is not an obstacle. There is nothing that they would
not do to achieve their sales targets. In terms of ethical practices, the staff
vouch that they comply and they do not adhere to unethical practices. When
they achieve their sales targets, they are rewarded with monetary and non-
monetary incentives. These are paid upon the execution of sales order and
the generation of sales invoice. They are not penalised if the customers do
not pay the sales invoices.
The customer accounts are set up by the admin team and support staff
in the sales & marketing department and are duly processed upon the
receipt of requisite forms and signatures. No questions are asked or raised
— documentation must be complete and that is the bottom line.

iii. Distribution and Logistics


The manager here is a local lady and she is very practical and pragmatic.
She runs the department with a very hands-off approach and is only
concerned with achieving the Key Performance Index (KPI) for herself
and the department. This is done at all costs and so far the department
has been achieving the results. The turnaround time of sales order is
three hours and delivery is within two days within Asian countries and
one day within Indonesia.
The appointment of service providers for this department is handled
internally and its evaluation is done on a yearly basis by the team support
staff. All appointments and evaluation are reviewed and approved by the
manager.

Other Information
The company requires all invoices to be approved by the respective
managers prior to paying the vendors. The invoices are checked for
arithmetic accuracy as well as proper accounting classification by the
accounts payable accountant. The accounts payable accountant would
process the invoice as long as the requisite approval is granted and the
payment is well supported with invoices and other documentation. No
questions are raised if the documents are in order.
Vendor evaluation is carried out and the criteria are highly subjective,
that is, it is by way of ticking the boxes and no explanation or justification
is required to support why certain boxes are ticked. The exercise is carried
out by the department staff who know the vendors and no independent
review is carried out. The evaluation is divided into three parts:
– Delivery promptness
– Pricing
– Complaints
The evaluators are then required to tick any of the three provided boxes
— Excellent, Good and Poor. In addition to this, the evaluators are free to
comment on any of the evaluation criteria that appears on the evaluation
form.
Previously, the internal auditors had raised concerns in the areas of
vendor selection, evaluation and payment. The internal auditors had noted
that payments were made to parties other than those stated on the invoices.
They also raised concerns that the company was dealing with vendors who
were individuals and not companies. Furthermore, these were not checked
against the blacklisted companies for all the US incorporated companies or
subsidiaries. Most of the vendors that the company dealt with were directly
or indirectly associated with the members of the local management team.
The evaluation itself raised some questions, as it was subjective and could
not be verified and validated by a third party.
Issues raised by the internal audit department were played down and
sometimes omitted from the final submission to the Audit Committee. All
communication to the Audit Committee were vetted by the local managing
director, who ensured that only the right and required information, according
to him, were submitted to the Audit Committee.

Issues
An unsigned letter was sent to the chairman of the Audit Committee with
an allegation that the managers of the company are on the take and that
they have milked the company well over a million dollars over the past two
years.
The letter stated that several companies with which the company
has dealings are related to the managers. The letter also mentioned
that goods and services were sourced at prices well above the market value
and that some services were not even provided but payments were made.
It further claimed that the mastermind behind the whole scheme was the
finance manager who roped in the others to milk the company.

Questions:
1. Identify the control weakness in the vendor selection, evaluation and
payment processes of the company.
2. Identify the scheme that was perpetrated to defraud the company.
3. List down the steps that could be taken to prevent such a re-occurrence
of events.
4. Identify the issues in the reporting of audit findings to the Audit
Committee, and what could have been done to ensure that all issues are
reported without filtration.
5. Identify and list at least two oversight controls that the holding company
can institute to prevent a re-occurrence of such events.
CASE 4

Lightning Logistics
Contributor: Grace Mui

Background
Lightning Logistics is a subsidiary company of Cepat Transport Group
(holding company). The chief audit executive (CAE) had recently retired
and moved to another country. Anna was recommended by the CAE of
Cepat Transport Group to succeed the retired CAE of Lightning Logistics
due to her ten years of experience as an outsourced internal auditor with
a Malaysian chartered accounting firm. In her capacity as an outsourced
internal auditor, she had performed several internal audit assignments for
clients in the manufacturing and logistics industries.
Three months before the previous CAE retired, the Board of Directors
of the holding company had sanctioned a group-wide initiative to improve
the internal governance structures. This initiative was part of the group’s
plan to list selected subsidiaries on Bursa Malaysia. Lightning Logistics is
one of the two subsidiaries that the holding company aims to list on Bursa
Malaysia by end of the year.

Facts of the Case


Anna had spent the morning reviewing the last six months’ audit reports
of Lightning Logistics Sdn Bhd. This was her second week as the newly
appointed CAE of Lightning Logistics.
A fortnight before the previous CAE’s retirement, the senior
management of Lightning Logistics invited Anna to attend the previous
CAE’s final presentation to senior management. During that meeting,
Anna was introduced to the rest of the internal audit team — an internal
audit manager and an internal auditor. The internal audit manager joined
Lightning Logistics five years ago as an internal auditor. She was promoted
to the position of Internal Audit Manager two years ago. The Internal Auditor
joined the Lightning Logistics two years ago. The previous CAE expressed
his appreciation for the hard work and dedication shown by his team in his
six years of office at Lightning Logistics. He encouraged the internal audit
team to support Anna. Anna started work the day after the previous CAE
retired from the position.
At the end of Anna’s first week, the chief financial officer (CFO) was
involved in a serious car accident. The CFO had to be hospitalised for
one month. During that period, the accountant took on the duties of the
CFO. The accountant, Johan, joined Lightning Logistics three months ago.
Previously, Johan was an accountant with another logistics company for
five years.
Johan had been furnishing Anna with the necessary information
to assist her in her review of the audit reports from the last six months.
Anna was particularly interested in the negative cash flows — RM20,000 in
February and RM25,000 in March this year. She asks Johan for the expense
reports related to those two months. As Johan gathers the information for
Anna, he finds a separate folder marked ‘confidential’. It contains actual
receipts and other relevant documents submitted by the CEO for travel
expense claims in February and March this year. Johan is surprised to find
that the documents showed that the expenses claimed by the CEO totalled
RM22,600 in February and RM31,300 in March. Johan immediately walks
over to Anna’s office with the folder and hands it over to her. As Anna looks
through the folder, Johan reads the executive expense audit reports that
stated that the CEO’s travel expense claims were RM3,000 in February and
RM4,200 in March this year.
Puzzled by the discrepancies Anna picks up the phone to call the
personal assistant to the CEO to seek clarification from the CEO about
these travel expense claims. The personal assistant informs Anna that the
CEO was on holiday overseas for two weeks beginning that day. This was
news to Anna. When Anna asked the personal assistant if she was aware
of the CEO’s travel claims in February and March this year, the personal
assistant breathed in deeply before asking how Anna had obtained the
CEO’s travel expense claim records. The personal assistant asked for Anna
to quickly return the folder with the documents related to the travel claims
and only rely on the figures stated in the executive expense audit report.
She also informed Anna that the CFO had agreed to the travel claims and
the CEO had been reimbursed for the amounts of RM22,600 and RM31,300.
The personal assistant further argued that the accounts had already been
closed for those months so there was nothing that could be done about the
claims.
After Anna informed Johan about her conversation with the personal
assistant to the CEO, Johan shows her photocopies of the cheques he had
found in the folder. The cheques were signed by both the CEO and CFO
to reimburse the CEO for the travel claims. Anna and Johan decide to
ask the internal audit manager if she or the previous CAE were aware
of these claims. The internal audit manager informs her that in May this
year the previous CAE had raised the same questions about these claims
and had reported this matter to the Audit Committee chair. The Audit
Committee chair decided that the CFO was to conduct the investigation
into the claims. All records were removed from the internal audit office
immediately after that decision was made. The CFO’s investigation report
revealed that there were no problems related to the claims. The previous
CAE and audit committee chair were informed that the travel expense
claims reported in the executive expense audit reports should be as per
accounting records, which is RM3,000 in February and RM4,200 in March.
The audit committee and the Board of Directors accepted the CFO’s
investigation report into the matter.
Anna decided that she needed to have a second cup of coffee as she
mulled through this matter. Johan leaves the room to make a photocopy of
the contents of the folder.
Half an hour later, the internal audit manager forwards Anna an email
about a complaint raised by the receiving manager in March this year.
The email was addressed to the previous CAE and questioned Lightning
Logistics’ reliance on one of five approved vendors for packaging materials.
The receiving manager outlined how the vendor, Tepat Packaging Sdn
Bhd, had consistently delivered poor quality materials and did not always
have sufficient inventory for deliveries. Therefore, additional deliveries
were required from Tepat Packaging. In the same quarter of the previous
three years, Lightning Logistics only required three deliveries of packaging
materials. In those years, Lightning Logistics relied on an average of
three vendors. However, in the first quarter of this year, Tepat Packaging
made seven deliveries. Of these, the receiving manager had to reject four
deliveries because of poor quality materials and there was insufficient
inventory for the three remaining deliveries. When the receiving manager
queried the CFO about Lightning Logistics’ dependence on one vendor, the
CFO explained that Tepat Packaging had provided the best quote.
Anna calls the purchasing manager to ask for packaging materials price
quotes from approved vendors from the beginning of the year until that day.
As Anna scans through the quotes, she discovers that the quotes from Tepat
Packaging were on average 15% higher than quotes from other vendors. Even
so, Tepat Packaging was the sole vendor that supplied Lightning Logistics
with packaging materials. The purchasing manager informs Anna that the
CFO oversees the vendor selection process.
Anna turns to social media to assist her in the investigation. She
googles ‘Tepat Packaging Sdn Bhd’ and finds that the Tepat Packaging is
a partnership and one of the partners is the CFO of Lightning Logistics.
Anna then decides to have a look at the CFO’s Facebook page. As she
scans the Facebook page, she comes across photos of the CFO attending
the CEO’s son’s wedding celebration. She reads a post by the CEO that his
son’s wedding celebration was in early March this year and that the cost of
the wedding celebration was RM53,900, which coincides with the total of
the CEO’s travel expense claims of RM22,600 in February and RM31,300 in
March this year. As she reads through the CFO’s Facebook page she realises
that the CEO’s son had married the CFO’s cousin.
The next day, Anna meets with the Audit Committee chair to discuss the
next course of action. The Audit Committee chair does not seem surprised
by the executive travel expense claims and the undisclosed related party
relationship in the vendor selection process. He explains to Anna that
an expected outcome of the group internal governance exercise is the
identification of misappropriation of assets by management. He informs
Anna that she has the support of the Audit Committee to investigate these
two matters.
As Anna leaves the meeting with the Audit Committee chair, she recalls
that at her meeting with the previous CAE a fortnight before his retirement,
he briefly mentioned to Anna that she should be aware that the relationship
between the CEO and CFO is ‘more like family’ (sic). The previous CAE
had also mentioned that it would be better for Anna not to rock the boat
by questioning the relationship between the CEO and CFO if she intends to
remain as CAE of Lightning Logistics.

Questions:
1. Identify the misappropriation of assets by senior management
highlighted in this case.
2. What are the weaknesses in the vendor selection process? How can
these weaknesses be addressed?
3. What can be done to ensure that there is transparency in the executive
expense claims process?
4. What are your thoughts about Anna using social media to gather
information?
5. What do you suggest Anna should do in this situation? Why? (In
answering this question, identify and discuss all possible courses of
action available to Anna.)
CASE 5

Taj Mahal Investment


Contributor: Fairuz Fauzee

Background
Taj Mahal Investment company is an Indian-owned business based in the
United States. It is a family business inherited by the sons of Mr Prabbas, a
very well-known textile businessman in Mumbai. However, after a critical
analysis of the present textile scenario, affected by recent policy changes
and restructuring compared with the international level, and of the
professional management skills, technology integration, innovation in
diverse product development and futuristic vision it would require, the
eldest son, Mr Rajesh, changed the business into an investment base. The
main players in the business are the director of the company, Mr Rajesh; the
financial manager, Mr Mehta, who is his brother; and the head of the
management department, Mr Nankar, his brother-in-law.

Facts of the Case


The business scenario keeps on changing according to changes in business
trends. Mr Rajesh decided to invest in many sectors of business as long as
they could maintain their wealth. Since derivatives trade was on the rise in
India, Mr Rajesh, the director, allocated a large amount of money — US$2.5
million — for investment. It was to be managed by local funds manager
Mr Praveet, his cousin. Mr Praveet had complete authority to invest the
money and maintain record-keeping. Mr Praveet is the youngest son in the
family and lives a lavish lifestyle in a luxury apartment and drives Porsche
cars. A year later, Mr Praveet, the funds manager, resigned after accepting
a job overseas, leaving a US$2.0 million trading loss on the books. Because
there was no one else to continue the work, Mr Rajesh, the director, stopped
the trading operation.
To trade in derivatives, the company deposited margin money, a kind
of security deposit account with a custodian bank. Trading took place
daily through two reputed corporate brokers, A and B. For each trade, the
custodian bank adjusted the margin account according to the exchange
rules. The trades also were entered in a spreadsheet in the form of a trade
register, which was used for accounting purposes and to create internal
management information system (MIS) reports. The trade register included
information regarding: the shares traded, the broker’s name, brokerage,
margin investments, pending contracts, booked profits for closed contracts
and the notional profit and loss based on rate fluctuations pertaining to
open contracts.
Because the investment operation was closed and the statutory tax
returns had to be filed, Mr Rajesh asked the group’s internal auditor to
review the account. The auditor used an audit software tool to analyse the
data in the MIS trade register, which did not reveal any serious findings. The
auditor then conducted a monthly trade analysis and noticed the trading
loss was dispersed throughout the year, instead of appearing during times
the market was dismal.
While reviewing the broker’s trade statements the column indicating the
execution time for each contract caught his attention. Because the auditor
had the trading information digitally, he was able to merge the time field for
all transactions into the MIS register and reapply several audit tests. Using his
audit software, the auditor used the ‘filter’ command to analyse transactions
of more than US$300,000 and the ‘sort’ command to print the results, which
included date, time, profit and loss information per transaction.
The report revealed that many of the large-value trades were completed
on the same day, almost at the same time, resulting in losses to the
company. Intrigued, the auditor examined the audit report again and found
that the loss-yielding trades were completed by a different broker. The
auditor checked this business practice with other derivatives traders and
colleagues, who said that the simultaneous use of different brokers in such
loss-yielding contracts did not make sense.
After conducting the test, the auditor found all relevant trade folders in
the computer were erased by the funds manager before leaving. Using an
audit tool to retrieve deleted files, he discovered the fraud was engineered
through a cross-deal method, in which the funds manager bought and sold
loss-yielding trades simultaneously through two brokers. The transactions
were designed to cause losses to the Taj Mahal Investment company,
yielding equivalent profits clandestinely to a third broker C hired by the
funds manager.
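The cross-deal test described above, as an added example that is not the case's own audit software: a constructed trade register with the broker's execution time already merged in, the filter on trades above US$300,000, and a search for offsetting trades executed almost simultaneously through two different brokers that both closed at a loss. The contract names, trade ids, values and the two-minute window are assumptions.

```python
"""Cross-deal test over a constructed derivatives trade register.

Added example, not the case's own tool: it reproduces in Python the CAAT steps
the auditor followed, i.e. merge the broker's execution time into the MIS trade
register, filter trades above a value threshold, sort by execution time and look
for offsetting trades executed almost simultaneously through two different
brokers that both yield a loss. All trade data below is constructed.
"""
import csv
import io
from datetime import datetime, timedelta
from itertools import combinations

# Constructed MIS trade register with the execution time already merged in.
# value and pnl are in US$; pnl is the booked profit/loss on the contract.
TRADE_REGISTER_CSV = """\
trade_id,date,time,contract,broker,side,value,pnl
T001,2021-03-02,10:05:12,FUT-X-MAR,A,BUY,450000,-62000
T002,2021-03-02,10:05:40,FUT-X-MAR,B,SELL,450000,-58000
T003,2021-03-02,14:20:00,FUT-Y-MAR,A,BUY,120000,3500
T004,2021-03-09,11:30:05,FUT-X-MAR,A,SELL,380000,-41000
T005,2021-03-09,11:30:51,FUT-X-MAR,B,BUY,380000,-39500
T006,2021-03-16,09:45:00,FUT-X-MAR,A,BUY,500000,12000
T007,2021-03-16,15:10:00,FUT-X-MAR,B,SELL,500000,-9000
T008,2021-03-23,10:00:00,FUT-Y-MAR,A,BUY,310000,-15000
T009,2021-03-23,10:00:30,FUT-Y-MAR,A,SELL,310000,-14000
T010,2021-03-30,13:00:00,FUT-X-MAR,B,SELL,275000,-5000
"""


def load_register(csv_text):
    """Parse the register and combine date and time into one timestamp."""
    trades = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["executed_at"] = datetime.fromisoformat(f"{row['date']}T{row['time']}")
        row["value"] = float(row["value"])
        row["pnl"] = float(row["pnl"])
        trades.append(row)
    return trades


def large_trades(trades, threshold=300_000.0):
    """The 'filter' and 'sort' steps: trades at or above the threshold, by time."""
    return sorted((t for t in trades if t["value"] >= threshold),
                  key=lambda t: t["executed_at"])


def find_cross_deals(trades, threshold=300_000.0, window=timedelta(minutes=2)):
    """Flag pairs of large trades on the same contract and day that offset each
    other (one BUY, one SELL), went through different brokers, were executed
    within `window` of each other and both closed at a loss."""
    groups = {}
    for t in large_trades(trades, threshold):
        groups.setdefault((t["date"], t["contract"]), []).append(t)

    flagged = []
    for group in groups.values():
        for a, b in combinations(group, 2):  # group is already time-ordered
            if a["broker"] == b["broker"] or a["side"] == b["side"]:
                continue
            if b["executed_at"] - a["executed_at"] > window:
                continue
            if a["pnl"] >= 0 or b["pnl"] >= 0:
                continue
            flagged.append({
                "trade_ids": (a["trade_id"], b["trade_id"]),
                "date": a["date"],
                "contract": a["contract"],
                "brokers": (a["broker"], b["broker"]),
                "seconds_apart": int((b["executed_at"] - a["executed_at"]).total_seconds()),
                "combined_loss": a["pnl"] + b["pnl"],
            })
    return flagged


if __name__ == "__main__":
    for hit in find_cross_deals(load_register(TRADE_REGISTER_CSV)):
        print(f"{hit['date']} {hit['contract']}: {hit['trade_ids']} via brokers "
              f"{hit['brokers']}, {hit['seconds_apart']}s apart, "
              f"combined loss US${hit['combined_loss']:,.0f}")
```

Trades T006/T007 (offsetting but hours apart) and T008/T009 (simultaneous but through the same broker) are deliberately left unflagged, so the test only isolates the pattern the auditor found.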
Mr Rajesh was very worried about the losses because it was very
material to his business empire and could affect overall wealth. Suspecting
fraud, the auditor discussed the results with the director, and he gave full
responsibility to the head of the internal auditors to conduct a thorough
investigation.

Questions:
1. Explain the fraud red flag that could be identified in the case study that
needs to be investigated by internal auditors.
2. Explain the factors that could influence employees’ fraud and relate to
the case study.
3. List any two common fraud types.
4. How could internal auditors use their knowledge of IT to solve the
company’s problem?
5. Explain the advantages and disadvantages of using CAAT in internal
audit work.
6. Explain investigation techniques that could be applied by internal
auditors to help Mr Rajesh.
CASE 6

Water Works Bhd


Contributor: Grace Mui

Background
Water Works Bhd is a well-established Malaysian company that produces
water filters. The company has been in operation for 15 years and its products
are exported to various Asian countries such as Singapore, Thailand,
Indonesia and the Philippines. Water Works is led by an experienced chief
executive officer (CEO), and his main objective is to maximise shareholders’
wealth.
The most recent inventory audit at the company’s warehouse highlighted
a discrepancy in the inventory of commercial water filters. There is evidence
that points to foul play by the warehouse manager. James, the CAE, is
considering various options available to the company to resolve this issue.

Facts of the Case


James, the CAE of Water Works Bhd, was reviewing a report on the recent
inventory audit at the company’s warehouse. He noticed the discrepancy
between the physical count and the inventory records for the main inventory
item, commercial water filters. James reaches across the table for the surat
layang¹ he received in the mail that morning. The surat layang accused
John, the warehouse manager, of being the mastermind in the sale of 500
commercial water filters to a fictitious customer that was eventually written
off as a bad debt. The letter detailed how the commercial water filters were
sold at a 20% discount on the black market.
James remembered that two months ago there was a fire in the same
warehouse. The night watchman at the warehouse noticed the smoke and
called the fire brigade. The fire was promptly put out, and the fire brigade
reported that the possible cause of the fire was a cigarette butt thrown into
a waste bin at the warehouse office. The damage was minimal and repairs
were started at the warehouse office within the same week to ensure
that there was minimal disruption to operations. The warehouse manager
reported that some inventory records were destroyed and some of the water
filters were damaged.
A week after the fire at the warehouse, an employee from the warehouse
was hospitalised for a fortnight after a motorcycle accident on his way
home from work. Soon after, the employee resigned from his clerical
position at the warehouse and returned to his hometown in the next state.
Not long after his resignation, rumours were circulated that implicated this
employee as the one who started the warehouse fire. However, repairs to
the warehouse office were completed a fortnight after the fire, so there was
no opportunity to gather further evidence from the scene of the fire.

¹ An anonymous letter

James walks over to the finance manager’s office to discuss this case
with her. Liza has been the finance manager at Water Works for three
years. She has a reputation of being efficient, reliable and thorough in her
work. Over the years, James and Liza had been able to seek each other’s
professional opinion and feedback on various work-related matters.
After Liza listened to James’s concern about the situation at the
warehouse, she retrieves the inventory records and performs data analytics
on the inventory levels. She prints out the report and hands it to James.
James observes that at the end of each of the past three financial years,
there is a marked reduction in inventory value. He asks Liza about it. Liza
explains to James that at the previous financial year end, a physical stock
take conducted by her team at the warehouse discovered that obsolete
inventory worth RM10,000 had been included in the closing inventory.
She included the write-down of the inventory in the financial statements.
The external auditors had agreed with her that the write-down was the
appropriate course of action in that situation.
Liza informs James of a conversation she had with Zain, the human
resource manager at the beginning of the new financial year about John, the
warehouse manager. John had been with Water Works for 11 years — first,
as a warehouse clerk and four years ago, he was promoted to warehouse
manager after the previous warehouse manager retired. Currently, John
has three warehouse clerks reporting to him. According to Zain, John
was a model employee who worked long hours and hardly applied for
annual leave. At the recent company annual dinner, John was presented
with a service award for his faithful service to the company. In his speech
that evening, the CEO commented that John was probably the healthiest
employee because he had not applied for sick leave in the past three years.
However, Zain did observe that in the last four years John has been
upgrading to new imported luxury cars every year. Further, John had
commented to Zain the year before that he (John) had to work hard
because he had spent RM1,000,000 to acquire a new house. Liza said that
this news was puzzling considering that John’s salary did not seem
commensurate with his preferences for luxury cars and his new million-
ringgit house.
James asks Liza about the warehouse clerk who was hospitalised and
later resigned. Liza explains that the clerk was with the finance department
for three years before he was transferred to the warehouse six months
before the fire. Liza was of the opinion that he was a reliable employee
who was very thorough in his work. He was well-versed with accounting
for inventory and aware of the various internal controls over inventory at
Water Works. The transfer from the finance department to the warehouse
was made because senior management was of the opinion that the
warehouse manager required assistance to prepare usable and informative
management reports. When the clerk decided to resign from Water Works,
Liza spoke to him personally to persuade him to reconsider his resignation.
However, the clerk was adamant about leaving and commented that he was
tired of being bullied by other warehouse staff.
James tells Liza that he suspects that John is connected to the theft
of the water filters. Liza asks James what he intends to do next. James
explains that as CAE, he is responsible for raising the discovery of the
theft to human resources. It is then the responsibility of human resources
to initiate a domestic inquiry into the matter. The domestic inquiry panel
will then have to decide on the following options: (1) report the theft of
commercial water filters to the police; (2) initiate a domestic inquiry; or
(3) do nothing.
In initiating a domestic inquiry, the domestic inquiry panel has to decide
whether internal audit should gather the evidence or fraud investigators
should be engaged to gather the evidence. After the completion of the
domestic inquiry, senior management has the option of initiating civil
action.
Each of the options available to Water Works has its own benefits and
costs. These options are:

Option 1: Report the theft of the commercial water filters to the police
This option will initiate criminal action as the police will take charge of
the investigation and potential prosecution. However, criminal action tends
to be public in nature and this option can potentially result in the public
perception that Water Works’ internal controls are inadequate.
James was unsure whether he should name John as a suspect in the
police report or allow the police to identify their own suspects. Should James
name John as a suspect and the police investigation fail, John could sue
Water Works for defamation.
Another concern is if the police investigation finds that there is
insufficient evidence to prosecute the thieves, then lodging the police report
would have been in vain. Further, employees who were under suspicion
could file a lawsuit against Water Works for causing them distress during
the police investigation.

Option 2: Initiating a domestic inquiry and internal audit gathers the evidence
James can report the discovery of the theft of water filters to the human
resource manager. The human resource manager will then conduct a
domestic inquiry while the internal audit gathers evidence.
James’s primary concern about this option is that he and his internal
audit team do not have sufficient knowledge and experience to gather and
preserve the evidence. Comparatively, the benefit of the internal audit team
conducting the investigation is that they are knowledgeable with Water
Works’ operations, policies and procedures and staff. Therefore, they may
be able to gather evidence in a friendly, non-threatening manner.

Option 3: Initiating a domestic inquiry and engaging the services of fraud investigators
An alternative to internal audit gathering the evidence is to engage the
services of fraud investigators. This alternative incurs a high cost, but fraud
investigators have the required knowledge and experience to gather and
preserve evidence that can be admissible in court. This evidence can be
used in the event that Water Works decides to initiate civil action.

Option 4: Don’t do anything
After the completion of the domestic inquiry, senior management can
choose not to do anything in response to the discovery of the theft. Whilst
no further costs are incurred with this option, employees may have the
perception that it is acceptable to perpetrate fraud because there are no
negative consequences for their actions.

Questions:
1. Comment on James’ assessments of the benefits and costs of these
options. Are there other options available to Water Works? Discuss the
benefits and costs of these additional options.
2. What is the audit trail of transactions, records and documents that
James should work through to verify the inventory values and numbers?
Identify the relevant transactions, records and documents in your
analysis of the audit trail.
3. What internal control mechanisms can Water Works apply to address
the misappropriation of inventory by employees?
4. What human resource issues are raised in this case? What possible courses
of action are available to John should he be named as a suspect in this
case? For this question, refer to the relevant IPPF standards, regulations
and laws, where possible.
CASE 7

ESB Savers Berhad


Contributors: Mohd Amran Mahat and
Amizahanum Adam

Background
ESB Savers Berhad (ESB) is a pioneer company providing electricity
supplies in Malaysia. ESB, which is listed on the main board of Bursa
Malaysia, has approximately 28,000 employees serving
customers throughout the nation. With the mission to be a leader in
supplying products and services, ESB has a strong management team,
which is headed by chief executive officer, Arshad Ibrahim. He is a member
of the Association of Chartered Certified Accountants (United Kingdom)
and also a member of the Malaysian Institute of Accountants. Arshad
Ibrahim had spent 10 years as an audit partner in a prominent audit firm.
He also served in several companies within Lenong Group, including Projek
Lebuhraya Iskandar Timur Barat, HWAA Properties Sdn Bhd. and Lenong
Overseas Corporation Sdn Bhd. In September 1998, he joined ESB as the
chief executive officer. He was appointed as a non-independent executive
director of ESB on 1 September 2004.
Arshad Ibrahim reports directly to the Board of Directors. Apart from
the governance of the Board of Directors, the operation of ESB is also
governed by the Bursa Malaysia and Energy Commission of Malaysia. The
reporting structure of the company is presented in Figure 1.
In ESB, the Group Internal Audit (GIA) function is established to assist the
Audit Committee to discharge its responsibilities, especially in maintaining
effective internal control systems to safeguard its assets and investments.
The GIA’s main concern is to provide an objective and independent assurance
on the adequacy and effectiveness of the internal control systems, risk
management and governance process by performing adequate coverage
of risk-based audit procedures. To improve its efficiency, the GIA function
is further divided into core business units (Generation, Transmission,
Distribution, Project & Engineering and Procurement & Projects) and non-
core business units (Group Corporate Services, Core Business Support
Services, Investment Management and Information & Communication
Technology). A complete hierarchy of ESB’s GIA is depicted in Figure 2.
The job scope of ESB’s GIA was governed by Bursa Malaysia
Amended Listing Requirements, Company Guides (including Audit Charter,
Department ISO Procedures & Company Policies & Procedures/Circulars/
Guidelines), and other Guides and References, including International
Professional Practices Framework on Internal Audit, Code of Ethics, COSO
Model and other relevant references.
Figure 1 ESB Berhad – Organisation Chart (chart not reproduced; it shows the Board of Directors and Audit Committee above the Chief Executive Officer and Chief Internal Auditor, with the Chief Operating Officer and the Vice Presidents of the Generation, Transmission and Distribution Divisions under Core Business, and Vice Presidents for Planning & Risk Management, Group Finance, Corporate Services, Human Resource & Admin, Corporate Affairs and Information Systems under Enterprise Management and Corporate Services)

Facts of the Case


Madam Melina has been the chief internal auditor of ESB since November 2007.
Madam Melina and her team members (including two deputy chief auditors,
eight head units and approximately 180 staff made up of senior audit
managers, senior auditors, IT auditors and junior auditors) travel extensively
around Malaysia and sometimes overseas to complete their annual audit
plan. The staff experience ranges from six months to 15 years, and they are
experts in various aspects that include auditing, electrical engineering and
information system.
Madam Melina uses the current method, that is, risk-based auditing in
conducting the audits. On an annual basis, Madam Melina together with
both the deputy chief auditors will discuss the scope of the audit
to be included in the annual audit plan. Basically, the scope of the audit
will be determined based on the factors such as the company’s strategic
plan, the risk profile of any individual department or unit, risk management
report, financial reports, previous years’ audit reports and any new project/
development that was approved by the board. Madam Melina will also discuss
and get feedback from senior management including Arshad Ibrahim, on
the areas which they consider a concern, or departments whose results
they think are more critical. For example, the vice president of distribution,
En. Aaron Azhar, had informed Madam Melina that he received a lot of
complaints from customers at one of their customer sales centers in the
north region. Madam Melina used the feedback as guidance and eventually
the issue had been integrated into the risk assessment analysis and became
one of the audit scopes for the current year audit. Once finalised, the audit
plan will be presented to the Audit Committee for approval.

Figure 2 ESB’s Group Internal Audit – Organisation Chart (chart not reproduced; it shows the Chief Internal Auditor over Human Resource & Admin and two Deputy Chief Auditors, one for Core Functions with Head Units for Generation, Transmission, Distribution and Projects Managements, and one for Non-Core Functions with Head Units for Group Corporate Services, Business Support Services, Investment Management and Information Technology)

The process of internal audit in ESB is further facilitated by the
existence of an online portal. The online portal is developed by external
experts to cater to the needs of coordinated information among various
departments in ESB. In relation to GIA, the portal is fundamental to the
operation of the internal audit department in ESB. All information with regard
to internal audit activities is provided online to its members, including the
audit memorandum, audit program, schedule for audit fieldwork as well as
job assignments. The portal also provides information on the audit fieldwork
tentative, which is accessible by every department in ESB.

Figure 3 Audit Process (flowchart not reproduced; its steps are: inform auditee on the execution of the audit, opening meeting, fieldwork, review audit documentations and summary of findings, exit meeting, prepare and review ‘draft audit report’, finalise audit report, issue customer satisfaction survey, follow-up audit)

The process of audit in ESB starts by informing the auditee on the
execution of the audit through electronic notification via the online portal.
In an opening meeting, the audit team leader will meet with the head of
department/units subject to be audited. Basically, during this process the
audit team leader will highlight the audit scope and introduce team members.
At the same time, the auditee may highlight issues that they would like the
internal auditor to review further. At the end of the audit, prior to preparing the
internal audit report, the audit team will conduct a meeting with the auditees’
management and those responsible for the functions concerned in order to
present their findings. The auditee will be given five working days from
the date of submission of findings to determine and initiate corrective and
preventive actions needed. Should the auditee reject the issues highlighted
by the auditor, reasons must be provided, for example, on whether the audit
evidence is acceptable. A one-month period will be given for the corrective and
preventive actions to be implemented. Should the corrective and preventive
actions require more than one month to be implemented, the auditee is to
communicate a reasonable timeframe for implementation to the auditor. The
final audit report will only be issued after the auditors have gone through
the draft audit report with the auditee. This is to ensure that the auditees are
aware, understand and agree on the issues and recommendations included
in the report. Toward the end of the audit process, the group internal audit
(GIA) will issue a customer satisfaction survey to the auditee. This could
help the GIA to improve the process of audit based on the feedback given
by the auditee.
Gilmore, a very ambitious and talented fresh graduate from a local
university, was recently appointed as a junior internal auditor in ESB. Gilmore
is very excited about her appointment, and she is looking forward to applying
the knowledge obtained from her undergraduate studies, especially that related
to internal auditing practices. However, just two weeks after reporting for
duty, Gilmore starts to feel the pressure of adapting herself to the working
environment in ESB. Based on her observation, almost everyone in the
internal audit department seems to be extremely busy and rushing
to meet the reporting deadlines. Gilmore feels even more pressure when
most senior internal auditors she meets have very high expectations of her
due to her outstanding results in her undergraduate studies.
In her second month as junior internal auditor, Gilmore is assigned
to perform a compliance audit in the power distribution unit, headed by Mr
Joshua, a senior staff member approaching retirement age. The unit is relatively
small and less complicated compared with the previous audit assignments
Gilmore participated in. As such, the audit team leader believes that Gilmore
is capable of performing the audit task individually. The assigned task is to
perform certain procedures to measure compliance with the existing internal
control system in the power distribution unit. After downloading related materials
from the online portal, Gilmore simply makes a visit to the department
without giving any courtesy call or reminder to Mr Joshua about the audit
fieldwork tentative. Gilmore assumes that Mr Joshua is fully aware of her
visit as stated in the notification sent via the online portal earlier.
In contrast to her expectation, Gilmore is not really welcomed by
Mr Joshua. Seemingly unaware of the audit fieldwork tentative, Mr Joshua
is not prepared for the visit and fails to provide Gilmore with the necessary
documents in due time. As a result, Gilmore is facing trouble in completing
her audit file and is almost certain to miss her deadline in preparing her first
ever internal audit report. Gilmore starts to feel nervous and tense. She did
not expect to face this kind of situation. In rationalising his behaviour, Mr
Joshua puts the blame on Gilmore for her failure to remind him about the
audit visit.

Questions:
1. Discuss the strength of the group internal audit function in ESB Berhad.
2. In relation to the situation faced by Gilmore, advise her on the best
approach to perform the assigned task.
3. Discuss the lessons learnt from the above case.
CASE 8

ABC Pte Ltd.


Contributor: Sanjeev Gathani

Background
ABC Pte Ltd. (the Company), incorporated in 1980, is a listed company on
the second board of the Australian Stock Exchange. In a period of five
years, its revenue has grown from USD 1 million to USD 25 million. Gross
margins have been in the region of 10% to 15% and costs have been increasing
at a rate of 5% on an annual basis. The Company has operations across the
Asia Pacific region with principal activities in the sourcing of component
parts for automotives as well as manufacturing of engines for powerboats
and power crafts.
The Company’s headquarters is in Gold Coast, and its manufacturing
plants are in Malaysia, China and India. The chief executive officer (CEO),
an Australian, oversees the overall operations of the company from the
headquarters.
As shown in Figure 1, each plant is headed by a managing director
who is assisted by five heads of departments — procurement, sales
and marketing, logistics and distribution, human resources and general
administration. The finance and reporting functions of the company
are centralised at the headquarters. Each managing director has about
25 staff reporting to him/her — from line managers to office assistants.
The manufacturing staff strength varies from 100 to 200 persons.

Figure 1 ABC Pte Ltd. Company Structure (chart not reproduced; it shows the Headquarters (Gold Coast) with the Finance Department, four plants (Malaysia, China, India and Singapore), and under each plant the Procurement, Sales and Marketing, Logistics and Distribution, Human Resources and General Administration departments)


The managing director of each plant reports directly to the head of
manufacturing in Gold Coast.

Facts of the Case


i. Finance Department
The finance team at the headquarters is headed by an experienced financial
controller. He is in charge of two finance managers, who in turn manage
a team of accountants. There are two teams in the finance department —
manufacturing team and components sales team. Each of the finance teams
has two accountants who oversee the day-to-day accounting activities.
The finance managers’ responsibilities are primarily for review, budgeting
and forecasting financial figures. The financial controller’s responsibilities
include the preparation of management and statutory accounts as well as
controlling the costs of the business and managing its profitability.
The financial controller has been with the company since it started its
operations. He was previously a finance manager in the hospitality industry
and moved to take on this new role. Both of the finance managers are from
the manufacturing industries, and they hold masters degrees in accounting
as well as business. All the accountants in the company hold an accounting
qualification.
Overall, the organisational culture in the company is top-down.
The instructions are passed down to the line managers and staff for them
to follow. The style of management is authoritative and there is little
room for questioning or challenging the decisions or instructions from the
management.
The external auditor of the company is related to the current CEO, as he
was formerly an audit partner in the firm. The fees paid to the firm, covering
statutory audit, taxation and consulting work, are well over a quarter of a
million USD. The partner of the audit engagement is a very close associate
of the financial controller. No issues have been raised by the external
auditors during the course of review in the last few years. If issues come
up, they are usually swept under the carpet as the management does not
want to open up a can of worms. Questions had been raised by the junior
auditors on the business processes, in particular the procurement activity
in most of the plants. The auditors have been told not to question and just
do their job as the client fee is substantial and that they would not want
to rock the boat.
Balance sheet account reconciliations were done by the accountants
but these were never reviewed by the finance managers or even the
financial controller. Although debtors and creditors statements were
received quarterly from the major debtors and suppliers, these were not
reconciled as the vendors statements were sent directly to the respective
head of procurement department and not the finance department. No one
in the finance department questioned this and, of course, neither did the
suppliers, since they were being paid on time and sometimes more than
required.
ii. Procurement Department in Manufacturing Plant in Malaysia
The department is headed by a former military officer who was hired from
the forces to join the company. He is very authoritative and does not like
to be questioned at all. He rarely takes leave from the office, and even when
he does, he watches his staff from a distance. Although he has a team of 25
staff, he single-handedly controls the procurement of major components. He
insists on buying from a select group of suppliers and personally handles all
negotiations. He instructs his staff to place the orders and approves them
himself, as he has the authority to transact up to USD 50,000. When purchase
values exceed his authority level, he instructs the suppliers to split the
purchase orders so that each falls within his limit, and he signs them off
himself. Very rarely does the financial controller sign off a purchase order.
The vendor management process, that is, sourcing, negotiating, updating and
evaluating vendors, was carried out by his department with him as the
approving officer. All documents were validated and approved by him and
thereafter passed to the finance department for input.
Company policy requires three quotations for all non-stock component
purchases, and this was duly complied with. For stock purchases, no quotations
are required, except that purchases must be made from the approved vendor
list; once again, this was duly complied with. Vendor evaluation was carried
out, and the results were reviewed and approved by the head of the procurement
department. Note that both controls were therefore tested against a vendor
list and evaluations approved by the same person who placed the orders.
The head of the procurement department led a lavish lifestyle. He ate well,
drove fast cars and spent lavishly on expensive clothing and on gifts for
staff, especially his female colleagues. He was a slick talker who had his
way with women. He never forgot to treat his staff to gifts such as free
dinners, movie tickets, business trips and, at times, cash.
People in the company would not dare question him, as he held a senior
position and had a very strong character and persona. He delivered the
results management wanted, keeping costs down and keeping the relevant stock
items supplied, and so no one questioned his authority or his decisions on
procurement matters.
All management reports were prepared by his staff and, of course, reviewed
and signed off by him. The department's documentation and filing were
immaculate.

Case Issue
An anonymous letter was sent to the chairman of the audit committee alleging
that the head of the procurement department at the Malaysian manufacturing
plant was colluding with suppliers to defraud the company. The letter alleged
that he had taken well over USD 5 million from the company over a period of
three years by awarding contracts to suppliers on a non-competitive basis and
by ordering items well above the required quantities. The whistleblower also
stated that there had been several cases of duplicate payments of invoices to
certain suppliers and that, in some cases, the same items had been bought from
the same supplier at different prices within the same month.
The chairman of the audit committee has asked the head of internal audit to
review the contents of the letter and carry out an investigation to establish
whether the allegations are true.
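The three patterns the whistleblower describes (purchase orders split below the USD 50,000 approval limit, duplicate invoice payments, and one item bought from one supplier at different prices in a month) are each testable by running simple analytics over the purchase-order and payment ledgers. The following is an added example, not part of the case study or any real company's system; the record layouts, the 3-day split window and the 30-day near-duplicate window are assumptions, and all the records are constructed sample data.

```python
from collections import defaultdict
from datetime import date
from typing import NamedTuple

APPROVAL_LIMIT = 50_000    # head of procurement's single-signature authority (from the case)
SPLIT_WINDOW_DAYS = 3      # assumption: POs to one supplier within 3 days are tested as a cluster
NEAR_DUP_WINDOW_DAYS = 30  # assumption: same-amount payments within 30 days are tested as a pair


class PurchaseOrder(NamedTuple):
    po_no: str
    supplier: str
    order_date: date
    item: str
    qty: int
    unit_price: float

    @property
    def value(self) -> float:
        return self.qty * self.unit_price


class Payment(NamedTuple):
    supplier: str
    invoice_no: str
    paid_on: date
    amount: float


def split_orders(pos, limit=APPROVAL_LIMIT, window=SPLIT_WINDOW_DAYS):
    """Clusters of POs to one supplier, each within the limit and raised within
    `window` days of each other, whose combined value exceeds the limit."""
    by_supplier = defaultdict(list)
    for po in pos:
        if po.value <= limit:  # POs above the limit had to go to the financial controller anyway
            by_supplier[po.supplier].append(po)
    findings = []
    for supplier, orders in by_supplier.items():
        orders.sort(key=lambda p: p.order_date)
        i = 0
        while i < len(orders):
            cluster, j = [orders[i]], i + 1
            while j < len(orders) and (orders[j].order_date - orders[i].order_date).days <= window:
                cluster.append(orders[j])
                j += 1
            total = sum(p.value for p in cluster)
            if len(cluster) > 1 and total > limit:
                findings.append((supplier, [p.po_no for p in cluster], total))
            i = j
    return findings


def duplicate_payments(payments, window=NEAR_DUP_WINDOW_DAYS):
    """Same invoice paid more than once, and the same amount paid to the same
    supplier under different invoice numbers within `window` days (a renumbered
    invoice). The second test needs follow-up: genuine recurring purchases of
    identical value will also match."""
    by_invoice, by_amount, findings = defaultdict(list), defaultdict(list), []
    for p in payments:
        by_invoice[(p.supplier, p.invoice_no)].append(p)
        by_amount[(p.supplier, round(p.amount, 2))].append(p)
    for (supplier, inv), ps in by_invoice.items():
        if len(ps) > 1:
            findings.append(("same invoice paid more than once", supplier, inv, len(ps)))
    for (supplier, amount), ps in by_amount.items():
        ps.sort(key=lambda p: p.paid_on)
        for a, b in zip(ps, ps[1:]):
            if a.invoice_no != b.invoice_no and (b.paid_on - a.paid_on).days <= window:
                findings.append(("same amount, different invoice numbers", supplier,
                                 f"{a.invoice_no}/{b.invoice_no}", amount))
    return findings


def price_variance(pos):
    """Same item from the same supplier at more than one unit price in a calendar month."""
    prices = defaultdict(set)
    for po in pos:
        prices[(po.supplier, po.item, po.order_date.strftime("%Y-%m"))].add(po.unit_price)
    return sorted((s, i, m, sorted(p)) for (s, i, m), p in prices.items() if len(p) > 1)


# Constructed sample data: three sub-limit POs to one supplier on consecutive days
# (a split order, with a price change inside the month) and one clean supplier.
SAMPLE_POS = [
    PurchaseOrder("PO-1001", "Alpha Components", date(2021, 3, 1), "bearing-x", 400, 110.0),  # 44,000
    PurchaseOrder("PO-1002", "Alpha Components", date(2021, 3, 2), "bearing-x", 400, 110.0),  # 44,000
    PurchaseOrder("PO-1003", "Alpha Components", date(2021, 3, 3), "bearing-x", 300, 125.0),  # 37,500
    PurchaseOrder("PO-1004", "Beta Metals", date(2021, 3, 10), "sheet-steel", 100, 300.0),   # 30,000
    PurchaseOrder("PO-1005", "Beta Metals", date(2021, 4, 20), "sheet-steel", 100, 300.0),   # 30,000
]
SAMPLE_PAYMENTS = [
    Payment("Alpha Components", "INV-77", date(2021, 3, 20), 44_000.0),
    Payment("Alpha Components", "INV-77", date(2021, 4, 2), 44_000.0),    # same invoice paid twice
    Payment("Alpha Components", "INV-78", date(2021, 3, 21), 37_500.0),
    Payment("Alpha Components", "INV-78A", date(2021, 3, 28), 37_500.0),  # renumbered duplicate
    Payment("Beta Metals", "INV-9", date(2021, 3, 30), 30_000.0),
]

if __name__ == "__main__":
    print("Split orders:", split_orders(SAMPLE_POS))
    print("Duplicate payments:", duplicate_payments(SAMPLE_PAYMENTS))
    print("Price variance:", price_variance(SAMPLE_POS))
```

Each finding is a lead for the investigator, not proof on its own: a split cluster is confirmed by comparing the POs against the single quotation or delivery they were raised for, and a duplicate payment by matching both payments to the supplier's statement, which in this case went to procurement rather than finance.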

Questions:
1. Identify the scheme the head of procurement devised to defraud the
company.
2. Identify the red flags in the case study.
3. Identify the control weaknesses in the procurement and finance
processes, and make appropriate recommendations.
4. Draft an audit program and list the audit tests you would perform to
detect the fraud that has been perpetrated.
5. Is the relationship between the external auditor and the client an
appropriate one? If not, why not? State your reasons.
