
Frederick Pokoo-Aikins

fpaikins@gmail.com
Governance, Risk
Management & Compliance
Our Vision
To be the lead advocate, trainer
and practitioner in internal
auditing in Africa by providing
superior internal audit solutions
to the private, public and third
sectors.

Our Mission
To engage internal audit leaders
and their customers; government
officials, corporate executives and
senior management in a constant
dialogue on the position, role and
value of the internal audit
activity.

Internal Audit 101:
Audit Principles and Techniques

Course Overview
• Day One
– Modern Internal Auditing
– The Audit Process
– Risk Management and Risk Assessment
– Audit Planning

• Day Two
– Process Documentation
– Audit Programs
– Audit Fieldwork
– Audit Reports
– Soft Skills

Module One

Modern Internal Auditing

Modern Internal Auditing
• Internal Auditing Defined
• Code of Ethics
• The Value Proposition of IA
• The Role of Internal Auditor
• The IIA Competency Framework

Internal Auditing Defined
• “independent, objective assurance and consulting activity designed to (1) add value and improve an organization’s operations. It (2) helps an organization accomplish its objectives by bringing a systematic, disciplined approach to (3) evaluate and improve the effectiveness of risk management, control, and governance processes”

Internal Auditing Defined

The what | The why | The how

What are we doing?
• (1) Adding value and improving the organisation’s operations

• Making things better than they were when we met them

Systems | Processes | Procedures

Why are we doing it?
• (2) Helping the organization accomplish its objectives

• How do you determine organisational objectives?

• Gain a seat at the table

How are you doing it?
• (3) Evaluating and improving the effectiveness of risk management, control, and governance processes

• The triple magic wand

IIA Definition Logic

Helps the organization accomplish its objectives

Adding value and improving the organisation’s operations

Evaluating and improving the effectiveness of GRC processes

Internal Auditing Defined
• “independent, objective assurance and consulting activity designed to (1) add value and improve an organization’s operations. It (2) helps an organization accomplish its objectives by bringing a systematic, disciplined approach to (3) evaluate and improve the effectiveness of risk management, control, and governance processes”

Code of Ethics
• Principles and Rules
– Integrity
– Objectivity
– Confidentiality
– Competency

Code of Ethics – Principles
• Integrity
– The integrity of internal auditors
establishes trust and thus provides
the basis for reliance on their
judgment

Integrity Rules
• Shall perform their work with honesty,
diligence, and responsibility
• Shall observe the law and make
disclosures expected by the law and the
profession
• Shall not knowingly be a party to any
illegal activity, or engage in acts that are
discreditable to the profession of internal
auditing or to the organization
• Shall respect and contribute to the legitimate and ethical objectives of the organization

Code of Ethics – Principles
• Objectivity
– Internal auditors exhibit the
highest level of professional
objectivity in gathering,
evaluating, and communicating
information about the activity or
process being examined.

Objectivity Rules
• Shall not participate in any activity or
relationship that may impair or be
presumed to impair their unbiased
assessment.
• Shall not accept anything that may
impair or be presumed to impair their
professional judgment.
• Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

Code of Ethics – Principles
• Confidentiality
– Internal auditors respect the value
and ownership of information they
receive and do not disclose
information without appropriate
authority unless there is a legal or
professional obligation to do so.

Confidentiality Rules
• Shall be prudent in the use and
protection of information acquired
in the course of their duties.
• Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

Code of Ethics – Principles
• Competency
– Internal auditors apply the
knowledge, skills, and experience
needed in the performance of internal
audit services.

Competency Rules
• Shall engage only in those services for
which they have the necessary
knowledge, skills, and experience.
• Shall perform internal audit services
in accordance with the International
Standards for the Professional
Practice of Internal Auditing.
• Shall continually improve their proficiency and the effectiveness and quality of their services.

Internal Auditing is the
cornerstone for sustainable
organisational success
The IIA Value Proposition

Role of Internal Auditors
• Re- Corporate Governance
• Re- Risk Management
• Re- Fraud
• Re- Corporate Ethics
• Re- Internal Controls
• Re- Information Technology
• Re- Financial Reporting

The IIA Global Internal Audit
Competency Framework - 2013

Module Two

The Audit Process (Overview)

The Audit Process

The Audit Process

The Internal Audit Process

How an audit is conducted

Module Three

Risk Management/Assessment

A few things about Risk
• What is Risk?
– The effect of uncertainty on an
objective
– Could be positive or negative

A few things about Risk
• What is Risk Management?
– Coordinated activities to direct and
control an organisation with regard to
risk

The Risk Management Process

A few things about Risk
• What is Risk Management
Process?
– Systematic application of management
policies, procedures and practices to
the activities of communicating,
consulting, establishing the context,
and identifying, analyzing, evaluating,
treating, monitoring and reviewing
risk.

Components of Risk Assessment
• Risk Identification

• Risk Analysis

• Risk Evaluation

2013 COSO Internal Control
• Definition
• Pillars | Components | Standards
• Principles

Group Exercise

Exercise 1 – 15 mins
• The ORC Relationship

Module Four

Audit Planning

Audit Planning
• Annual Audit Planning
• Components of the Audit Project
Plan

Annual Audit Planning
• Risk Based Audit Planning
– Overview

Components of the Audit Project Plan
• Audit Objectives
• Audit Scope
• Audit Methodology
• Audit Program
• Audit Time Budget
• Audit milestone dates

Audit Objectives
• General audit objectives
• Specific audit objectives

Group Exercise

Exercise 2 – 5 mins
• Select one functional area in
your organisation and formulate
a general audit objective and the
appropriate specific objectives
for that function

Planning
• Distribute Audit Notification
• Conduct Pre-Audit Meeting
• Interview Department Personnel
• Review Policies and Procedures
• Understand and Document the Business
Processes
• Perform Risk Assessment
• Prepare Internal Control Questionnaire
• Prepare a Detailed Audit Program
• Prepare audit budget (in hours)
• Select items to be audited (samples, not 100%)

Module Five

Process Documentation

Process Documentation
• Process Flow charts
• Tools for Process Mapping
• System Narratives
• Interviewing Skills

Process Flow charts
• A flowchart is a diagram that uses graphic symbols to depict the nature and flow of the steps in a process

• This is very helpful in identifying the risks embedded within the process

Drawing a flow chart
• Start with the big picture
• Observe the current process
• Record process steps
• Arrange the sequence of steps
• Draw the Flowchart

Example – Washing of Hands

Group Exercise

Exercise 4 – 15 mins
• Select a process at your work
place and develop a flow chart
for it.

Module Six

Audit Programs

Audit Programs
• Components of the Audit
Program

Components of the Audit Program
• the audit objective(s);
• the relevant line(s) of inquiry,
criteria, and audit questions;
• the information to be requested
from entities
• how the evidence will be
analyzed;

Example of Audit Program
• Cash at Bank and on Hand
– Cash and bank.doc

Group Exercise

Exercise 3 – 15 mins
• Select an audit area and develop
an initial audit work program for
performing the audit

Module Seven

Audit Fieldwork

Audit Fieldwork
• Testing Controls – design and
operating effectiveness
• Techniques for gathering audit
evidence
• Working paper preparation

Testing Controls – design
effectiveness
• Look out for effectiveness in
dealing with pre-identified risks

Testing Controls – operating
effectiveness
• The focus is on whether the
controls are effective in dealing
with the identified risks plus any
other risks that might emerge
during the performance of the
activity

Techniques for gathering audit evidence

• Analytical procedures
• Inspection
• Confirmation
• Recalculation
• Enquiry
• Observation
• Re-performing

Working Papers
• The documents containing the
evidence to support the auditor’s
findings, opinions, conclusions
and judgments.
• They include the collection of
evidence, prepared or obtained
by the auditor during the audit.

Two forms of documentation
1. Documentation of the audit
activities (the what, why, how,
when and by whom)
performed in fulfilling the
assignment objectives.

Two forms of documentation
2. Documentation of the
evidence collected and used to
support findings, conclusions
and recommendations
presented in audit reports

Basic principles of working paper preparation
• Legible and neatly prepared
• Understandable without the need for detailed supplementary oral explanations
• Restricted to matters that are materially important and relevant to the objectives of the assignment

The Experienced Auditor Principle
• The experienced auditor should
understand what was done to
arrive at the conclusions
– Who is an experienced auditor?

Content of work papers
• Heading
• Title
• Date of Preparation and the
Identity of the Auditor
• Notes and Other Symbols
• Index and cross referencing

Indexing and cross referencing
• This is the unique ID of the
working paper and helps to link
all of them together.

Fieldwork
• Review Supporting Documentation
• Interview department personnel
• Perform analyses
• Identify Exceptions
• Identify Recommendations for
Improvement
• Prepare Written Audit Comments (i.e., findings)
• Department Provides Written Response and Corrective Action Plan for findings

Module Eight

Audit Reporting

Why write internal audit reports?
• Required by Standards.
• Inform – (Tell what auditors found)
• Persuade – (Convince management of worth and validity of findings)
• Get Results – (Move management towards change and improvement.)

The Truth about Audit Reporting
• Demonstrates:
– Effectiveness of the IA unit
– Competence of the IA unit
• Common ground where internal
auditor meets management
– Medium that establishes the auditor’s
authority or otherwise

Unethical uses of the Audit Report
• Tool for achieving
management’s/auditor’s biased
agenda
– Settle scores/personal vendetta
– Weapon of mass destruction
• Win favour with management

Developing Audit Reports
• From issues to findings
• The Five Cs
• Reporting Formats
• Other Reports

From issues to findings
• Findings are issues which are
fully developed to add value
– Improve the current condition

The 5 Cs

Criterion | Condition | Cause | Consequence | Corrective action

In a nutshell
• What should be?
• What is?
• Why did the deviation from the “what should be” occur?
• What happened or could happen because the “what is” differed from the “what should be”?
• What is needed to correct the condition and improve operations?

Reporting Formats
• 5Cs
• ORR

Reporting
• Issue a draft report
• Discuss draft report with unit
management
• Issue final report
• Report is factual, clear, concise,
with an appropriate tone

Other Reports from the Audit Dept
1. Status of implementation of annual
internal audit plan
2. Report on adequacy of audit resources
3. Recommendation Implementation
Status Summary (follow up report)
4. Summary of high risk findings and
recommendations with action plans
5. Routine discussed audit reports
6. Ad-hoc Investigation reports

The End

• Thank you for your time

