
Chapter 3

Internal Auditing
By: Dharmawan - 181401075
OVERVIEW

• Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization’s
operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and governance
processes.
• Internal auditing reflects organizational policy and program
perspectives on what to audit and how different types of audits are
conducted, as well as subject matter knowledge applicable to each
organization and the kinds of IT audits it performs.
GENERAL STANDARDS AND GUIDANCE
• These standards establish a basic
set of principles and audit
program requirements to which
organizations add industry or
domain specific guidance as well
as any internally developed
procedures and criteria
INDEPENDENCE AND OBJECTIVITY
• Independence is the freedom from bias, outside control, or authority
that, in an internal auditing context, ensures that the audit program is
neither responsible for nor beholden to the parts of the organization it
audits and, similarly, that individual auditors do not work for projects,
operational functions, or business units that they audit
• Objectivity in audit practices connotes more than independence: an
objective auditor makes judgments based on evidence, is free from conflicts
of interest with the subjects of auditing activities, and is able to act with
impartiality. Moreover, standards and practices intended explicitly for
internal auditors tend to emphasize auditor objectivity rather than
independence
No matter which standards and sources of auditing guidance an organization chooses to
adopt, independence needs to be considered. Notable examples include:
• The second general standard in the GAAS dictates that “In all matters relating to the
assignment, an independence in mental attitude is to be maintained by the auditor or
auditors”
• The ISA issued by the International Auditing and Assurance Standards Board
(IAASB) emphasize the importance of maintaining both an attitude and the
appearance of independence, as auditor independence “safeguards the auditor’s ability
to form an audit opinion without being affected by influences that might compromise
that opinion”
• Attribute standard 1110 in the Institute of Internal Auditors (IIA) International
Standards for the Professional Practice of Auditing stipulates that, “The internal audit
activity must be independent, and internal auditors must be objective in performing
their work”
• Independence is one of the principles of auditing in ISO 19011: “Auditors
should be independent of the activity being audited wherever practicable, and
should in all cases act in a manner that is free from bias and conflict of interest”
• The International Federation of Accountants (IFAC) Code of Ethics requires
both objectivity and independence for professionals engaged in assurance
engagements, including independence of mind “that permits the expression of a
conclusion without being affected by influences that compromise professional
judgment, allowing an individual to act with integrity, and exercise objectivity
and professional skepticism”
• ISACA’s Code of Professional Ethics requires members and holders of ISACA
certifications to “Perform their duties with objectivity, due diligence and
professional care, in accordance with professional standards”
ESTABLISHING IT AUDIT PROGRAM

• The audit program is the formally defined department, business unit,
or function within an organization
• The scope of operations for an internal audit program typically
comprises all types of audits the organization conducts, including
financial and non-IT operational audits as well as audits of IT controls,
procedures, environments, and capabilities
CORPORATE GOVERNANCE
• The internal audit program operates
under the supervision of a Chief Audit
Executive (CAE) and reports through the
CAE to the audit committee of the
organization’s Board of Directors. The
existence and exact composition of the
audit committee depends on the type of
organization, but audit committee
members typically must not be part of
the management team to ensure the
committee’s independence
INTERNAL AUDIT PROGRAM CHARTER
• The audit program charter describes
the purpose of the internal audit
program, including external and
internal needs the program is
intended to address and, in
particular, the relationship between
the audit program and governance,
risk management, compliance, and
other enterprise management
functions
INTERNAL AUDIT PROGRAM RESPONSIBILITIES
• The responsibilities of the internal audit program include creating and
executing the overall audit strategy for the organization and,
potentially, domain specific strategies or plans for IT, operational, and
compliance and other types of internal audits.
BENEFITS OF INTERNAL IT AUDITING
• Supporting corporate IT governance, risk management, and compliance programs
• Verifying adherence to organizationally defined policies, procedures, and
standards
• Satisfying requirements to achieve or maintain process maturity, quality
management, or internal control certification
• Adding formality to or increasing the rigor of self-assessment processes and
activities
• Preparing for or “shadowing” anticipated external audits
INTERNAL AUDIT CHALLENGES

• The resource costs associated with internal IT auditing
• The significant skills and expertise needed by internal auditors
• The perceived or actual lack of independence for internal audit
activities
INTERNAL AUDITORS
Common subject matter topics with which internal IT auditors should be
familiar include:
• Business domains and associated processes supported by IT systems
• IT policies and procedures
• Data governance, data management processes, data backup and restoration,
and storage technologies
• Operations and maintenance processes
• Application, systems, and security architecture
• Systems development life cycle process and activities
• IT governance and risk management processes and frameworks
• IT process management or security management models
• IT related standards and certification criteria
SUMMARY
• This chapter described the structural and operational features of internal
audit programs that include IT audits within their scope. It highlighted
the purpose, objectives, and rationale for establishing and maintaining
internal auditing capabilities and described some of the potential
benefits. It also explained the typical positioning of the internal audit
function within the organization structure and its relation to governance
bodies such as corporate boards of directors. It also described some of
the characteristics of internal auditors and the relevant skills and
experience auditors need.
