INTRODUCTION TO INTERNAL

AUDITING

INTERNAL AUDITING STANDARDS

 IIA’s Definition of Internal Auditing
Define internal auditing.
• Internal auditing is defined by the Institute of Internal Auditors as
“an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. It
helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance
processes.”
 Explain the key terms used in the definition
of internal auditing.
• Independence is freedom from conditions that threaten the ability of the
internal audit activity to carry out internal audit responsibilities in an
unbiased manner.
• Objectivity is an unbiased mental attitude that allows internal auditors to
perform engagements in such a manner that they believe in their work
product and that no quality compromises are made. Objectivity requires
that internal auditors do not subordinate their judgment on audit matters
to others.
• Assurance is a service that provides an objective examination of evidence
for the purpose of providing an independent assessment on governance,
risk management, and control processes.
 Explain the key terms used in the definition
of internal auditing.
• Consulting refers to services that are advisory and are intended to add
value and improve an organization’s governance, risk management,
and control processes.
• Adding value to the organization (and its stakeholders) is when the
audit provides objective and relevant assurance and contributes to
the effectiveness and efficiency of governance, risk management, and
control processes.
• Risk management processes identify, assess, manage, and control
potential events or situations to provide reasonable assurance
regarding the achievement of the organization’s objectives
 Explain the key terms used in the definition
of internal auditing.
• Control processes are the policies, procedures, and activities that are
part of a control framework, designed to ensure that risks are
contained within the risk tolerances established by the risk
management process.
• Governance consists of the combination of processes and structures
implemented by the board to inform, direct, manage, and monitor
the activities of the organization toward the achievement of its
objectives
Describe the factors that determine the scope
of internal auditing.
• Risk management: Identify and evaluate significant exposures to risk
and contribute to the improvement of risk management and control
systems.
• Control: Maintain effective controls by evaluating their effectiveness
and efficiency and by promoting continuous improvement.
• Governance: Assess and make appropriate recommendations for
improving the governance process in the accomplishment of the
organization’s objectives.
Explain the main functions of management
and how they relate to achieving control.
• Planning is the development of a clear purpose, long-term objectives,
and short-term goals of an organization.
• Organizing entails establishing a rule structure to help achieve the
goals of the organization.
• Directing is the process of inducing members of an organization to
perform their roles successfully.
• Controlling is the comparison of actual performance with pre-
determined standards, plans, or objectives.
Explain the main functions of management
and how they relate to achieving control
• The main purpose of control is to ensure that the enterprise’s
objectives are met effectively, efficiently, and economically.
• The basic requirements for achieving adequate controls are as
follows:
1. Controls must fit the needs of the managers and reflect the
organization pattern.
2. Controls must focus on exceptions and critical points.
3. Controls must be flexible to accommodate change.
4. Controls must be economical and cost-effective.
 Define risk and enterprise risk, and explain
how they are related to the concept of control.
• Risk is the possibility of an event occurring that will have an impact on
the achievement of objectives. Enterprise risk, therefore, is the
possibility of an event occurring that may reduce the likelihood of an
organization achieving its objectives.
• Effective control provides reasonable assurance that the organization
will achieve its objectives reliably (by reducing uncontrolled risk to an
acceptable level) and therefore includes the identification and
mitigation of risk.
 Explain the role of internal auditors in
their organization.
• The role of internal auditors is to act as consultants to both the board
of directors and management in assessing and improving the
effectiveness and efficiency of the organization’s risk management,
control, and governance processes.
• Internal auditing aids the organization by helping the board and
management better fulfil their responsibilities.
 Explain the role of internal auditors in
their organization.
• The internal auditor must cooperate closely with the management of
the activities being audited, but must maintain independence and
objectivity while carrying out audit activities. In performing consulting
activities, the internal auditor will report directly to the management
of the unit or activity being reviewed.
• The internal auditor must have a direct reporting relationship to the
board or its audit committee in order to perform assurance functions.
Compare the role of internal auditors with
that of external auditors.
• Internal auditors are responsible to the board and management of
the organization; external auditors are responsible to the
shareholders.
• Internal auditors are independent of the functions that they audit,
but are not independent of the organization itself; external auditors
must be independent of the organizations that they audit.
• The purpose of internal auditing is to improve organizational
performance; the purpose of external auditing is to express an
opinion on the financial statements.
Compare the role of internal auditors with
that of external auditors
• The scope of internal auditing extends to all activities of the
organization; the scope of external auditing is limited to financial
areas impacting the financial statements.
• Internal auditing focuses on the appropriate design and effective
implementation of management processes; external auditing focuses
on balances at a point in time.
Describe the types of audits carried out by
internal auditors.
• Compliance audits focus on reviewing compliance with established
policies, procedures, laws, and so on.
• Internal financial audits focus on the reliability and integrity of the
accounting system and its output.
• Operational audits review an organization’s effectiveness, efficiency,
and economy of operations, and recommend improvements.
• Comprehensive audits (mainly in the public sector) focus on financial
verification, compliance, and performance assessments
Describe the types of audits carried out by
internal auditors.
• Information technology (IT) audits focus on the controls in
computerized environments.
• Integrated audits are conducted when IT auditing is included with
other types of internal auditing.
• Fraud audits can be carried out by internal auditors when
management or auditors detect or suspect the existence of a fraud.
• Environmental audits assess the extent to which the organization is in
compliance with regulatory requirements on environmental matters
Compare internal auditing and
performance measurement
• Internal auditing evaluates and reports on the degree of
correspondence between performance and appropriate agreed-on
criteria.
• Performance measurement is based on identifying those measures
critical to an organization’s success and setting specific, measurable
targets for them. Performance is compared with these targets in
order to assess organizational performance
 Compare internal auditing and
performance measurement.
• . Internal auditing increasingly focuses on the evaluation of
organizational effectiveness and efficiency, and requires that
measurable criteria be established against which to assess
performance.
• Performance measurement has the advantage of being a continuous
process; internal auditing of particular activities is usually
intermittent.
Outline the role of the internal auditor in promoting
ethical culture and standards in an organization.
• Internal auditors should use their position of trust and integrity to be
advocates of ethical conduct. They should work towards increased
compliance with legal, ethical, and societal responsibilities.
• Internal auditors should periodically assess the state of the ethical
climate and evaluate the extent to which the organization fulfils its
ethical responsibilities.
 Apply ethical judgments in the context of
the internal auditor’s work.
• Adherence to an ethical code increases the reputation and
effectiveness of the work of the internal auditor.
• Internal auditors are responsible for assessing compliance with
policies including those related to the company’s code of ethics.
• Unethical actions can pose a significant risk to an organization and
should be reported to the board and senior management.
• Internal auditors have access to confidential and sensitive information
and must respect the principle of confidentiality
 Apply ethical judgments in the context of
the internal auditor’s work.
• Internal auditors may become involved in fraud investigations, which
directly relate to illegal and/or unethical actions.
• Internal auditors must comply with the ethical standards of the
professional organizations of which they are members
• The IIA Code of Ethics is based on the principles of integrity,
objectivity, confidentiality, and competency, and consists of Rules of
Conduct describing expected behavioural norms for its members.