Risk and Control

Self-Assessments
Advantages of RCSA
• It increases employee understanding of
the company’s risks and controls.
• It raises employee control consciousness.
• It provides a mechanism for early risk
detection.
• It encourages more open communication,
teamwork, and continuous improvements.
• It empowers employees and enhances
accountability.
RCSA Procedures
• Identifying potential risks and
exposures.
• Assessing the control processes that
mitigate or manage those risks.
• Developing action plans to reduce risks
to acceptable levels.
• Determining the likelihood of achieving
business objectives.
RCSA Approaches
The three primary RCSA approaches are:
1. Facilitated approach
• Client-facilitated
• Audit-facilitated
2. Questionnaire approach
3. Self-certification approach
1. Facilitated Approach
Internal auditors with specialized training can
help organize facilitated team workshops, in
which information is gathered from work teams
representing different levels or areas in the
business unit or function.
Workshops are conducted in a straightforward,
open, and productive manner and encourage
participants to speak candidly about what is
working well, what is not working well, and
what action needs to be taken.
Client-facilitated Workshops
The objective-based format focuses on the
best way to accomplish a business
objective.
The risk-based format focuses on listing the
risks associated with an objective.
Audit-facilitated Workshop
The control-based format focuses on how
well controls are working.
The process-based format focuses on
selected activities that are elements of a
chain of processes.
Components of Successful Workshop
• Facilitators should interview participants
before the workshop begins.
• Workshops should provide sufficient time for
the team to brainstorm, develop, and discuss
ideas.
• Control issues should be carefully examined.
• Participants should receive a quick summary
and assessment of the discussion.
• Action should be taken.
2. Questionnaire Approach
Surveys or questionnaires can be used when
budgets are limited or if individuals who would
normally participate are too widely dispersed to
participate in a workshop.
Survey questions need to be customized to the
specific circumstances and needs of the unit
being assessed, including its regulatory
environment.
Furthermore, the process owners themselves
should interpret the data after it is collected.
3. Self-certification Approach
Self-certification refers to a number of
approaches that produce information
about business processes, risk
management activities, and control
procedures.
Role of Internal Audit
The role of the IAA in a RCSA program can vary
between two extremes:
• The internal audit activity may sponsor, design, and
implement the process, conduct the training, supply
the facilitators, scribes, and reporters, and
coordinate the participation of management and
work teams.
• The internal audit activity’s involvement can be
minimal, serving as an interested party and consultant
to the entire process and as the ultimate verifier of
the evaluations.
Monitoring the Engagement
As the level of internal audit’s involvement
in RCSA programs and workshops
increases, the CAE should carefully monitor
the objectivity of the internal audit staff,
take steps to ensure that objectivity is not
impaired, and augment internal audit
testing to ensure that bias or partiality
does not affect the staff’s final judgments.
Audits of Third Parties and
Contract Auditing
Third Party Audits
A “third party” is a service provider that
processes transactions between a
business and its clients, its employees, or
its trading partners.
A third-party audit assesses the working
relationship between these groups,
identifying the various strengths and
weaknesses, and it is designed to help
maintain smooth operations overall.
Approval Needed
This type of audit can be conducted only with
the consent of the third party.
A contract with a service provider should
specifically state the scope of the service to
be provided, service standards, and
minimum acceptable service-provider
characteristics.
If auditing of the provider is necessary, the
contract should include the right to audit.
SOX Requirement
The requirements of the Sarbanes-Oxley
Act make third party audit reports very
important to the process of reporting on
effective internal controls at service
organizations.
Performing 3rd Party Audit
A third-party audit may be performed
either by internal auditors or by an
outside, independent auditor.
The decision whether to audit internally or
to contract for the third-party audit
depends on a number of factors.
Scope of the Audit
The scope of a third-party audit depends upon
the particular needs of the engagement.
For starters, the auditor needs to acquire an
understanding of the third party’s internal
controls.
The auditor needs to be aware of any and all
applicable federal and state laws and
regulations in order to ascertain whether the
service provider is in compliance.
Contract Auditing
Contract auditing usually refers to the
auditing of construction-type contracts or
operating contracts.
1. Lump-sum contracts
2. Cost-plus contracts
3. Unit-price contracts
1. Lump-Sum Contracts
These contracts are made for a total price
in accordance with certain specifications
or requirements.
Audit challenges arise as a result of the
changes that complicate the contract
details.
Risks of Lump-Sum Contracts
• Inadequate competition, insurance, or bond coverage
• Certification of completion when work is not
completed
• Charges for equipment or activities that are not
received
• Escalation provisions may be exercised unnecessarily
• Changes in specifications or prices and authorization
for extras and revisions may cause a contracted cost
to increase outside of the formal tender and
authorization process
Risks of Lump-Sum Contracts
• Extras, changes, and revisions that are already
part of the original contract may be charged
again
• Additional charges may be added for overhead
items that should not be included
• Content of change orders, including
appropriate fees, may not be appropriately
authorized
• Inadequate inspection relative to specifications
2. Cost-Plus Contracts
For cost-plus contracts, the buyer pays the cost of
performing the contract plus a fixed dollar amount
or a percentage of the cost to the contractor.
The advantage of a cost-plus contract is that it can
be used for projects with numerous and significant
unknown factors.
The disadvantage of cost-plus contracts is that
there is little incentive for the producer to be
economical or efficient.
Risks of Cost-Plus Contracts
• Overhead costs also billed directly
• Inadequate internal controls by contractor over
charges for people, materials, and services
• Unreasonable charges for use of contractor-
owned equipment
• Excessive staffing for the project
• No effort to obtain best prices for materials and
equipment
• Billings in excess of the amounts the contractor
pays for labor or material
Risks of Cost-Plus Contracts
• Failure to credit project for discounts, insurance rate
refunds, or returned or salvaged material
• Duplication of effort or costs between headquarters and
field offices
• Inadequate job-site supervision or inspection by contractor
or by architect engineers
• Inadequate communication and follow-up from the
headquarters office
• Unreliable cost accounting and reporting procedures by a
contractor
• Billing supervision as “direct labor” in violation of contract
terms
3. Unit-Price Contracts
In these contracts, the cost per unit is set,
but the total number of units will be
specified as the contract is being executed.
Auditor Should Evaluate
• Bidding procedures (such as competitive bidding)
• Cost estimates and cost controls
• Tax treatments
• Terms of the contract and progress payment plans
• Budgets and financial forecasting, availability of
resources, and sources of funding
• Contractor’s accounting and management systems
• Required performance bond
Risks of Unit-Price Contracts
• Excessive progress payments
• Improper reporting of units completed
• Prices bearing no relation to cost
• Improper changes to the original
contract
• Unauthorized escalation adjustments
• Inaccurate field records or inaccurate
extension of unit prices
Quality Audit Engagements
Quality Audit Engagements
In many companies, the internal audit function
will be responsible for performing quality-related
engagements.
These engagements generally focus on
assessing whether or not the company is
producing its product and/or providing its
service to the appropriate level of quality.
Failures in Quality
When the actual performance falls short of
the target level of quality, further work will
be required to determine why the failure
occurred and what can be done to prevent
it from happening again.
Modern Views of Quality
The modern view of quality is the basis of
total quality management (TQM).
Total Quality Management
(TQM)
Continuous improvement is one of internal
audit’s key objectives, and therefore the
internal audit activity has a critical role in
the TQM process.
TQM pursues the approach of “right first
time” and zero tolerance of waste.
Focus on the Customer
A central tenet of TQM is that every
department has a customer, and this
customer must be kept in mind at all
times.

By identifying the needs of this customer, the
provider can improve areas that require
enhancement and eliminate unnecessary
tasks.
The Assessment
A quality audit engagement assesses
whether or not a function or a unit meets
its defined quality standards.

If there are no defined standards, then the
auditor should coordinate with
management to establish quantifiable
standards before moving forward with the
audit engagement.
Coordination of Activities
If a quality assurance department or other
quality team performs regular audits,
then the internal auditor can coordinate
efforts with them.

This department might even become part
of the internal audit function.
ISO 9000 Quality Standards
ISO 9000 is a series of standards designed
to provide a level of quality assurance.

In order for a company to qualify for ISO
9000 certification, an external auditor
must certify its compliance with ISO 9000
standards.
ISO 9000:2015
• There is a greater emphasis on building a management
system suited to the particular needs of each organization.
• A requirement that the individuals at the top of the
organization be involved in and accountable for aligning
quality with larger business strategies.
• Risk-based thinking that makes the management system a
preventive tool and one that also encourages continuous
improvement.
• The requirements for documentation are less prescriptive,
allowing the organization more freedom to determine
documentation it needs and the format of it.
ISO 9000 Family of Standards
ISO 9000 contains detailed explanations of the seven
quality management principles with tips on how to ensure
these are reflected in the way that employees work.
ISO 9001 sets out the criteria for a quality management
system and is the only standard in the family that can be
certified to. It can be used by any organization, large or
small, regardless of its field of activity.
ISO 9004 provides guidance on how to achieve sustained
success with a quality management system.
ISO 19011 gives guidance for performing both internal
and external audits to ISO 9001.
Seven Quality Management Principles
ISO 9000 is based on seven quality management
principles, which are outlined in the ISO publication,
Quality Management Principles.
1. Customer focus.
2. Leadership.
3. Engagement of people.
4. Process approach.
5. Improvement.
6. Evidence-based decision making.
7. Relationship management.
ISO 9001 Certification
Certification testing is done by a number of different certification
bodies. Many countries have also established bodies to accredit
the certification bodies.
An organization that applies for ISO 9001 Certification goes through
an audit that includes an extensive sample of its sites, functions,
products, services, and processes.
If there are any nonconformities the certificate will not be issued
until those nonconformities have been fixed.
The certification is given for the specific element of the company
for which it was applied, not to the organization as a whole.
The certificate is given for a specific period of time and it must be
renewed at intervals set by the certification body. The normal
time period is every three years.
ISO Audit Engagements
The scope of an ISO 9000 quality audit covers a
number of areas, such as physical location,
organizational units, activities and processes
to be audited, and the time period to be
covered.
The audit will determine conformity with
applicable policies, procedures, standards,
laws and regulations, management
requirements, contract requirements, and
industry or business sector codes of conduct.
Audit Procedures
• Interviews with employees, and observations of
activities, the work environment, and working
conditions
• A review of inspection records, records of
monitoring programs, and results of measurements
• Inquiries into the auditee’s sampling programs,
control of sampling, and measurement procedures
• Customer and supplier feedback
• Information from databases and websites
Due Diligence Engagements
Due Diligence Engagements
Due diligence audit engagements are often
performed for a potential acquisition,
joint venture, or divestiture.

External professional advisors are normally
part of the team, often leading it.
Part of the Agreement
Part of any preliminary agreement to
purchase a business must be an
authorization to gain access to the books
and the facilities of the seller in order to
perform the due diligence audit.

A due diligence engagement does not need
to be a financial engagement.
Security Audit Engagements
Security Audit Engagements
A physical security audit ensures that an
organization’s physical facilities are
properly secured and that the
environment is safe for management and
staff.

The audit includes perimeter security,
proximity security, and physical security of
the premises.
Perimeter Security Auditing
Requires a review of the property boundaries and a
boundary risk assessment, including
documenting risks on a site map.
Risks can include rail lines, roads, unsecured access
points, improperly lighted areas, power lines,
phone lines, and other service access points.
The auditor should attempt to gain unauthorized
access by bypassing the guard station or through
“social engineering” (for example, attempting to
pass through security without credentials).
Proximity Security Auditing
Determines how vulnerable company
buildings are because of their proximity to
certain items or other buildings.
Physical Security Auditing
Assesses the integrity of building entry
points.
The facility should be toured to identify and
document security and safety issues.
The company should hold regular,
mandatory training sessions that explain
evacuation procedures in case of a fire,
bomb threat, or other types of disaster.
Privacy Audit Engagements
Privacy Concerns
Privacy concerns exist in all aspects of an organization,
from its paper-based records to its internal databases
to its policies of data collection on its website.
Internal auditors need to make certain that private,
personal information is protected from unauthorized
access, either from inside or outside the organization.
Additionally, policies should be in place, in line with all
applicable laws, to specify the appropriate instances
where disclosure can be made, either with or without
the individual’s consent.
Privacy Vulnerabilities
Privacy vulnerabilities pose a number of challenges
and pitfalls for companies and their customers.
For companies, disclosing or losing control of
private information could lead to lawsuits,
penalties, fines, and (of particular importance)
negative publicity.
For individuals, unauthorized disclosure of private
information could be embarrassing,
inconvenient, and cause financial loss (such as
damaged credit ratings).
Privacy Requirements
Most countries have laws and regulations to
protect personal data and information,
but the application of these laws and their
enforcement will vary.
Thus, it is the internal auditor’s
responsibility to evaluate the privacy
framework, identify significant risks,
evaluate controls, and make
recommendations for improvements.
Evaluating the Privacy
Framework
• Compliance with governmental statutory and
regulatory mandates.
• Documenting compliance with governmental
statutory and regulatory mandates.
• The organization’s existing policies and
procedures.
• Protection of personal information.
• Cost versus benefits of additional security
measures.
Evaluating the Privacy
Framework
There is an ethical imperative to maintain the
confidentiality of private information. With
regard to the Code of Ethics, the rules state that
internal auditors:
• Shall be prudent in the use and protection of
information acquired during the audit.
• Shall not use information for any personal gain
or in any manner that would be contrary to the
law or be detrimental to the legitimate and
ethical objectives of the organization.
Identifying Privacy Risks
• General information about the organization.
• Data characteristics
• Data flow maps
• Data collection policy
• Data storage policy
• Data usage policy
• Data disclosure policy
• Data destruction policy
Evaluating Controls
In evaluating controls, the auditor should
consider the following:
• Administrative controls
• Technical controls
• Physical controls
• Other controls
Performance Audit
Engagements
Performance Audit Engagements
Organizations are only able to achieve
success if they are able to achieve their
goals and objectives.
To achieve their goals and objectives,
organizations have to have the right
performance measurement systems in
place to understand whether they are on
the right track.
Objective
The objective of performance audits is to
appraise the organization’s performance
measurement systems to understand whether
the system is effective and efficient in
measuring the organization’s performance.
Performance audits focus on the effectiveness,
efficiency, and economy of the information.
Performance audits usually entail review of the
organization’s KPIs.
Operational Audit
Engagements
Operational Audit Engagements
Two types of operational audit
engagements:
1. Economy and efficiency engagements,
and
2. Program-result engagements.
1. Economy and Efficiency
An economy and efficiency engagement determines the following:
• How economically and efficiently an
operation uses its resources
• The causes of operational inefficiencies
• Compliance with laws and regulations
pertaining to issues of economy and
efficiency
2. Program-Result
A program-result engagement is an audit of a
particular program or activity that primarily focuses
on costs, output (effectiveness), benefits, and the
effects of a program.
• The achievement of the desired, preset objectives
• The effectiveness of the programs or activities in
achieving the desired objectives
• Compliance with related laws and regulations
pertaining to the program or function under audit
Financial Audit
Engagements
Scope of Engagements
The audit of the financial statements is
done by the external auditor.

Internal audit’s financial engagements may
involve looking at an area that is not a
main part of the audit.
They may also look at efficiency connected
to financial amounts.
Audit Risk
Audit risk is the risk that the conclusion
reached is incorrect.
Three events must occur for this to
happen:
1. There is an error in what is being
audited
2. Internal controls fail to detect the error
3. The auditor fails to detect the error
Three Components of Audit Risk
1. Inherent risk
2. Control risk
3. Detection risk
Calculating Audit Risk
AR = IR * CR * DR

• Inherent risk can’t be changed – it is
assessed.
• Control risk can’t be changed in the past
– it is assessed.
• The only item the auditor can influence is
detection risk, through how much work
the auditor does.
Assessing Control Risk
Whether using qualitative or quantitative measures,
the auditor will automatically assess control risk at
the maximum level if any of these situations exist:
• The internal controls do not relate to an
assertion.
• The controls are considered ineffective, even if
they were properly followed.
• Evaluating the effectiveness of the controls would
be useless and, even after careful evaluation, the
auditor would not be able to reduce control risk.
Control Risk and Detection Risk
Control risk and detection risk are inversely
related.
Detection Risk and Work
Performed
The level of detection risk and the amount
of work that an auditor needs to perform
are inversely related.
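The inverse relationships stated above follow directly from the audit risk model on the earlier slide. The following worked calculation is added here for illustration and is not part of the original slides; the numeric values are constructed, not taken from any standard.

$$AR = IR \times CR \times DR \quad\Longrightarrow\quad DR = \frac{AR}{IR \times CR}$$

The auditor fixes a target $AR$ and assesses $IR$ and $CR$, so $DR$ is the only term left to set. With a constructed target $AR = 0.05$ and assessed $IR = 0.80$:

$$CR = 0.25:\quad DR = \frac{0.05}{0.80 \times 0.25} = 0.25$$

$$CR = 1.00 \text{ (maximum)}:\quad DR = \frac{0.05}{0.80 \times 1.00} = 0.0625$$

A higher assessed control risk forces the acceptable detection risk down (the inverse relationship between control risk and detection risk), and a lower acceptable detection risk can only be reached by performing more audit work (the inverse relationship between detection risk and work performed).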
Financial Statement Assertions
Assertions are the claims that management
makes when it presents financial
information, and the auditor determines if
these assertions are correct.
The Assertions
• Completeness
• Rights and obligations
• Valuation or allocation
• Existence or occurrence
• Statement of presentation and
disclosure
Role in Financial Reporting
In the financial reporting process, an auditor
creates and prepares financial statements,
related notes, and other accompanying
disclosures.
The internal auditor’s task, therefore, is to
provide a level of assurance to senior
management and the audit committee
that the control processes are adequately
designed and effectively implemented.
Environmental Audits
Environmental Audit
An environmental audit is a systematic,
documented, periodic and objective
evaluation of how well an entity, its
management, and its equipment are
performing.
The aim is helping to safeguard the environment
by facilitating management control of
environmental practices and assessing
compliance with entity policies and external
regulation.
Reasons for Environmental
Audits
• A growing opinion among investors that
environmental issues are a potential source of risk to
a company’s business and reputation, and
environmental issues must therefore be managed.
• An increasingly greater number of “ethical” investors
who prefer to invest in companies with strategies for
sustainable business.
• Consumers are gradually moving towards a
preference for purchasing “environmental-friendly”
products rather than cheaper alternatives.
• To be in compliance with ISO 14001.
ISO 14000
The ISO 14000 series provides a general
framework of environmental quality
standards based upon formal certification.
Companies that want to be in compliance
with ISO 14000 are required to have an
audit each year of their system.
These audits are to be undertaken by an
independent external expert.
Environmental Management
Organizations that are subject to
environmental laws and regulations need
to establish an environmental
management system.
Internal auditing should review the
environmental control systems to ensure
that they comply with regulatory
requirements and internal policies.
Types of Environmental Audits
The IIA Research Foundation has identified seven
types of environmental audits:
• Compliance
• Environmental Management Systems
• Transactional
• Treatment, Storage, and Disposal Facility
• Pollution Prevention
• Environmental Liability Accrual
• Product Audit
Internal Audit’s Role
Organizations need to assess environmental, health,
and safety (EH&S) risks, especially companies that
operate in countries with high fines and severe
penalties for environmental damage, employee-
rights lawsuits, and safety liability.
The CAE will need to certify that these risks have
been assessed and addressed.
In large companies, environmental auditing may be
conducted internally by a dedicated
environmental audit function.
Risk Exposures to Evaluate
• The comprehensiveness of organizational reporting
structures.
• The likelihood of environmental harm, fines, and
penalties.
• Environment-related expenditures mandated by the
government.
• The history of injuries and deaths related to
environmental issues.
• The loss of customers, negative publicity, and damage
to public image and reputation due to an
environmental-related accident.
Managing the Process
The CAE and chief environmental officer
should work together closely in
environmental audits.
An environmental audit can be focused on
compliance, management systems, or a
combination of both.
The CAE should evaluate the organizational
placement and independence of the
environmental audit function.
Consulting Services and
Principles of Consulting
Definition of Consulting
From the Glossary:
Advisory and related client service activities,
the nature and scope of which are agreed with
the client, are intended to add value and
improve an organization's governance, risk
management, and control processes without
the internal auditor assuming management
responsibility. Examples include counsel,
advice, facilitation, and training.
Authority for Consulting
The authority to perform consulting
engagements must be given in the Charter.
Implementation Standard 1000.C1
The nature of consulting services must be defined in the internal
audit charter.
Principles Guiding
Consulting Activities
PA 1000.C1-1 is no longer applicable, but it
provides 12 principles that are intended to
guide consulting engagements performed
by internal auditors.
Consulting Principles
1. Value proposition
2. Consistency with Internal Audit Definition
3. Audit activities beyond assurance and
consulting
4. Interrelationship between assurance and
consulting
5. Empower consulting through the Internal
Audit Charter
6. Objectivity
Consulting Principles
7. Internal audit foundation for consulting
services
8. Communication of fundamental information
9. Principles of consulting understood by the
organization
10. Formal consulting engagements
11. CAE responsibilities
12. Criteria for resolving conflicts or evolving
issues
Types of Consulting
Engagements
• Formal
• Informal
• Special
• Emergency
Refusal of Consulting Engagement
Auditors generally should refuse a
consulting engagement if it is meant to
circumvent or to allow others to circumvent
requirements that would normally apply to
an assurance engagement.
Independence and Objectivity
Internal auditors may provide consulting
services relating to operations for which
they have had previous responsibilities.
Implementation Standard 1130.C1
Internal auditors may provide consulting services relating to
operations for which they had previous responsibilities.
Implementation Standard 1130.C2
If internal auditors have potential impairments to independence
or objectivity relating to proposed consulting services, disclosure
must be made to the engagement client prior to accepting the
engagement.
Assessing Impact on Objectivity
To assess the impact that a previous position may have
on objectivity, the auditor should consider:
• The appropriate requirements and standards of the
profession.
• Expectations of stakeholders, directors, the audit
committee, and legislative bodies.
• Any allowances or restrictions that are in the charter.
• Disclosures that may be required by standards.
• Subsequent audit work including its scope and
coverage.
When Objectivity is Impaired
If the objectivity of the auditors is impaired or
compromised, third-party auditors may need to
handle the audit engagement.
If third-party auditors are unavailable or not a
viable option, in order to move the engagement
forward the auditor should disclose the
responsibility he or she had in the area.
Relevant disclosures should be made in the
communications related to the engagement.
Due Professional Care
In every engagement, the internal auditor
should exercise due professional care.
Implementation Standard 1210.C1
The chief audit executive must decline the consulting engagement or
obtain competent advice and assistance if the internal auditors lack
the knowledge, skills, or other competencies needed to perform all or
part of the engagement.
Implementation Standard 1220.C1
Internal auditors must exercise due professional care during a
consulting engagement by considering the:
• Needs and expectations of clients, including the nature, timing, and
communication of engagement results;
• Relative complexity and extent of work needed to achieve the
engagement’s objectives; and
• Cost of the consulting engagement in relation to potential benefits.
Scope of Work
A consulting engagement’s scope and
methodology must sufficiently address the
objectives.
Implementation Standard 2200.C1
During consulting engagements, internal auditors must address
controls consistent with the engagement’s objectives and be alert
to significant control issues.
Reservations About Scope
If internal auditors develop reservations about the scope
during the engagement, these concerns should be discussed
with the client to determine the appropriate course of action.
In these situations, internal auditors must exercise
professional judgment in order to:
• Determine the significance of any exposures or
weaknesses as well as the impact of any actions taken or
contemplated to address these problems
• Determine the expectations that senior management, the
audit committee, and board have about how these matters
are reported
Communicating Results
There are no specific standards for the form, content,
or structure of the communications related to a
consulting engagement’s results.
However, all such communications should clearly
describe the nature of the engagement along with
any limitations, restrictions, or other significant
factors.
Furthermore, the internal auditor should be careful to
restrict communications about the engagement to
those people who are authorized in the
engagement’s documentation.
Implementation Standard 2410.C1
Communication of the progress and results of consulting
engagements will vary in form and content depending upon the
nature of the engagement and the needs of the client.
Implementation Standard 2440.C1
The chief audit executive is responsible for communicating the
final results of consulting engagements to clients.
Implementation Standard 2440.C2
During consulting engagements, governance, risk management,
and control issues may be identified. Whenever these issues are
significant to the organization, they must be communicated to
senior management and the board.
Documentation
Because the roles of the internal auditor
are different between consulting and
assurance engagements, the requirements
for documentation will be different as well.
Implementation Standard 2240.C1
Work programs for consulting engagements may vary in
form and content depending upon the nature of the
engagement.
Implementation Standard 2330.C1
The chief audit executive must develop policies
governing the custody and retention of consulting
engagement records, as well as their release to internal
and external parties. These policies must be consistent
with the organization’s guidelines and any pertinent
regulatory or other requirements.
Monitoring Results
As with an assurance engagement, the IAA
should follow up on and monitor the
results of a consulting engagement as
agreed with the client.
Implementation Standard 2500.C1
The internal audit activity must monitor the
disposition of results of consulting engagements
to the extent agreed upon with the client.
Consulting Engagements
Consulting Engagements
1. Internal control training
2. Business process mapping
3. Benchmarking
4. System development process
5. Design of performance measurement
systems
6. Internal control testing
7. Business process review / reengineering
1. Internal Control Training
Because the auditing of internal controls is such an important part
of the internal auditors’ work, internal auditors may be
involved in internal control training.
Internal auditors are in a good position to instruct employees on
the objectives of internal controls and their components,
including risk assessment, segregation of duties, monitoring of
controls, and so on.
Internal auditors are able to relate the objectives and their
components back to how controls should be working in the
organization.
This gives employees a clearer understanding of what internal
controls are and why they are important for organizational
success.
Standard 2130
The internal audit activity must assist the organization in
maintaining effective controls by evaluating their effectiveness
and efficiency and by promoting continuous improvement.
Reasons to Provide Training
• To communicate and embed a control
awareness within the organization’s
operations.
• To decrease fraud.
• To motivate employees to report control
deficiencies /weaknesses.
• To provide staff support for the
organization’s Control Self-Assessment
(CSA) program.
3. Benchmarking
Benchmarking, also known as best
practices, is an important tool for
implementing TQM.
In benchmarking, a company uses the
standards set by other companies as a
target or model for its own operations.
Types of Benchmarks
• Financial / nonfinancial
• Internal / external
• A functional benchmark is a comparison with
organizations that operate within the same
technological area.
• A competitive benchmark is a comparison with
the best of a company’s competitors.
• A generic benchmark compares processes that
are virtually the same, regardless of the industry
or production line.
Internal Audit Role
The company needs to focus on the benchmarks
that are the most important for the
company’s success.
Internal auditing can assist in identifying
the benchmark areas and in the process
of establishing benchmarks.
2. Business Process Mapping
Creates an illustration of the activities that
occur within a business process, usually as
part of a process-improvement program.
4. Systems Development Reviews
According to The IIA’s GTAG 12: Auditing IT Projects,
“internal auditing can add considerable value by
evaluating the effectiveness of risk management over
both IT and organizational aspects of IT-related
projects.” The practice guide states that “the benefits
of internal audit involvement may include:
• Providing independent ongoing advice throughout
the project, and
• Identifying key risks or issues early, which enables
project teams to operate proactively to mitigate
risks.”
Internal Auditor Involvement
• Traditional audit approach
• Consulting approach
• Embedded approach
5. Design of Performance Measurement Systems
Companies can be successful only if
they meet or exceed their targeted key
performance indicators (KPIs).
KPIs are used to help companies define
what it is they hope to achieve.
Internal Audit Role
From a business standpoint, the critical
issue for companies is to understand
which KPIs are the most important for
the company’s success.
Internal auditing can be used during the
design phase to help management focus
only on the important KPIs.
6. Internal-Control Testing
Section 404 of Sarbanes-Oxley (SOX) requires
companies to include in their annual reports:
• A statement of management’s
responsibility for establishing and
maintaining adequate internal controls
over financial reporting.
• An assessment of the effectiveness of
those internal controls.
Internal Audit Role
Internal auditors may be asked to assist in
the design and testing of controls, including
observing specific activities in the control
process, inspection of documents and
records, and inquiries of management,
supervisory, and staff personnel.
7. Business Process
Review / Reengineering
Business Process Review is an important
means of improving processes or
completely reengineering them.
BPR promotes rapid change, which in the
current business environment can
provide a competitive advantage.
Internal Audit Role
Internal auditors may be able to assist
during the decision-making and
implementation phases by evaluating
implications of organizational change and
considering how the change should be
managed.
