Internal Audit 101
fpaikins@gmail.com
Governance, Risk
Management & Compliance
Our Vision
To be the lead advocate, trainer
and practitioner in internal
auditing in Africa by providing
superior internal audit solutions
to the private, public and third
sectors.
Our Mission
To engage internal audit leaders
and their customers; government
officials, corporate executives and
senior management in a constant
dialogue on the position, role and
value of the internal audit
activity.
Internal Audit 101:
Audit Principles and Techniques
Course Overview
• Day One
– Modern Internal Auditing
– The Audit Process
– Risk Management and Risk Assessment
– Audit Planning
• Day Two
– Process Documentation
– Audit Programs
– Audit Fieldwork
– Audit Reports
– Soft Skills
Module One
Modern Internal Auditing
• Internal Auditing Defined
• Code of Ethics
• The Value Proposition of IA
• The Role of Internal Auditor
• The IIA Competency Framework
Internal Auditing Defined
• “independent, objective assurance
and consulting activity designed to
(1) add value and improve an
The
what
What are we doing?
• (1) adding value and improving the
organisation's operations –
Why are we doing it?
• (2) helping the organization
accomplish its objectives
How are you doing it?
• (3) evaluating and improving the
effectiveness of risk
management, control, and
governance processes
IIA Definition Logic
Code of Ethics – Principles
• Integrity
– The integrity of internal auditors
establishes trust and thus provides
the basis for reliance on their
judgment
Integrity Rules
• Shall perform their work with honesty,
diligence, and responsibility
• Shall observe the law and make
disclosures expected by the law and the
profession
• Shall not knowingly be a party to any
illegal activity, or engage in acts that are
discreditable to the profession of internal
auditing or to the organization
• Shall respect and contribute to the
legitimate and ethical objectives of the
organization
Code of Ethics – Principles
• Objectivity
– Internal auditors exhibit the
highest level of professional
objectivity in gathering,
evaluating, and communicating
information about the activity or
process being examined.
Objectivity Rules
• Shall not participate in any activity or
relationship that may impair or be
presumed to impair their unbiased
assessment.
• Shall not accept anything that may
impair or be presumed to impair their
professional judgment.
• Shall disclose all material facts known to
them that, if not disclosed, may distort
the reporting of activities under review.
Code of Ethics – Principles
• Confidentiality
– Internal auditors respect the value
and ownership of information they
receive and do not disclose
information without appropriate
authority unless there is a legal or
professional obligation to do so.
Confidentiality Rules
• Shall be prudent in the use and
protection of information acquired
in the course of their duties.
• Shall not use information for any
personal gain or in any manner
that would be contrary to the law
or detrimental to the legitimate
and ethical objectives of the
organization.
Code of Ethics – Principles
• Competency
– Internal auditors apply the
knowledge, skills, and experience
needed in the performance of internal
audit services.
Competency Rules
• Shall engage only in those services for
which they have the necessary
knowledge, skills, and experience.
• Shall perform internal audit services
in accordance with the International
Standards for the Professional
Practice of Internal Auditing.
• Shall continually improve their
proficiency and the effectiveness and
quality of their services
Internal Auditing is the
cornerstone for sustainable
organisational success
The IIA Value Proposition
Role of Internal Auditors
• Re- Corporate Governance
• Re- Risk Management
• Re- Fraud
• Re- Corporate Ethics
• Re- Internal Controls
• Re- Information Technology
• Re- Financial Reporting
The IIA Global Internal Audit
Competency Framework - 2013
Module Two
The Audit Process
The Internal Audit Process
How an audit is conducted
Module Three
Risk Management/Assessment
A few things about Risk
• What is Risk?
– The effect of uncertainty on an
objective
– Could be positive or negative
A few things about Risk
• What is Risk Management?
– Coordinated activities to direct and
control an organisation with regard to
risk
The Risk Management Process
A few things about Risk
• What is Risk Management
Process?
– Systematic application of management
policies, procedures and practices to
the activities of communicating,
consulting, establishing the context,
and identifying, analyzing, evaluating,
treating, monitoring and reviewing
risk.
Components of Risk Assessment
• Risk Identification
• Risk Analysis
• Risk Evaluation
2013 COSO Internal Control
• Definition
• Pillars | Components | Standards
• Principles
Group Exercise
Exercise 1 – 15 mins
• The ORC Relationship
Module Four
Audit Planning
Audit Planning
• Annual Audit Planning
• Components of the Audit Project
Plan
Annual Audit Planning
• Risk Based Audit Planning
– Overview
Components of the Audit Project Plan
• Audit Objectives
• Audit Scope
• Audit Methodology
• Audit Program
• Audit Time Budget
• Audit milestone dates
Audit Objectives
• General audit objectives
• Specific audit objectives
Group Exercise
Exercise 2 – 5 mins
• Select one functional area in
your organisation and formulate
a general audit objective and the
appropriate specific objectives
for that function
Planning
• Distribute Audit Notification
• Conduct Pre-Audit Meeting
• Interview Department Personnel
• Review Policies and Procedures
• Understand and Document the Business
Processes
• Perform Risk Assessment
• Prepare Internal Control Questionnaire
• Prepare a Detailed Audit Program
• Prepare audit budget (in hours)
• Select items to be Audited (samples, not 100%)
Module Five
Process Documentation
Process Documentation
• Process Flow charts
• Tools for Process Mapping
• System Narratives
• Interviewing Skills
Process Flow charts
• A Flowchart is a diagram that
uses graphic symbols to depict
the nature and flow of the steps
in a process
Example – Washing of Hands
Group Exercise
Exercise 4 – 15 mins
• Select a process at your work
place and develop a flow chart
for it.
Module Six
Audit Programs
Audit Programs
• Components of the Audit
Program
Components of the Audit Program
• the audit objective(s);
• the relevant line(s) of inquiry,
criteria, and audit questions;
• the information to be requested
from entities
• how the evidence will be
analyzed;
Example of Audit Program
• Cash at Bank and on Hand
– Cash and bank.doc
Group Exercise
Exercise 3 – 15 mins
• Select an audit area and develop
an initial audit work program for
performing the audit
Module Seven
Audit Fieldwork
Audit Fieldwork
• Testing Controls – design and
operating effectiveness
• Techniques for gathering audit
evidence
• Working paper preparation
Testing Controls – design
effectiveness
• Look out for effectiveness in
dealing with pre-identified risks
Testing Controls – operating
effectiveness
• The focus is on whether the
controls are effective in dealing
with the identified risks plus any
other risks that might emerge
during the performance of the
activity
Techniques for gathering audit evidence
• Analytical procedures
• Inspection
• Confirmation
• Recalculation
• Enquiry
• Observation
• Re-performing
Working Papers
• The documents containing the
evidence to support the auditor’s
findings, opinions, conclusions
and judgments.
• They include the collection of
evidence, prepared or obtained
by the auditor during the audit.
Two forms of documentation
1. Documentation of the audit
activities (the what, why, how,
when and by whom)
performed in fulfilling the
assignment objectives.
2. Documentation of the
evidence collected and used to
support findings, conclusions
and recommendations
presented in audit reports
Basic principles of working paper
preparation
• Legible and neatly prepared
• Understandable without the need
for detailed supplementary oral
explanations
• Restricted to matters that are
materially important and relevant
to the objectives of the
assignment
The Experienced Auditor Principle
• The experienced auditor should
understand what was done to
arrive at the conclusions
– Who is an experienced auditor?
Content of work papers
• Heading
• Title
• Date of Preparation and the
Identity of the Auditor
• Notes and Other Symbols
• Index and cross referencing
Indexing and cross referencing
• This is the unique ID of the
working paper and helps to link
all of them together.
Fieldwork
• Review Supporting Documentation
• Interview department personnel
• Perform analyses
• Identify Exceptions
• Identify Recommendations for
Improvement
• Prepare Written Audit Comments (i.e.,
findings)
• Department Provides Written Response
and Corrective Action Plan for findings
Module Eight
Audit Reporting
Why write internal audit reports?
• Required by Standards.
• Inform – (Tell what auditors found)
• Persuade – (Convince
management of worth and
validity of findings)
• Get Results – (Move management
towards change and
improvement.)
The Truth about Audit Reporting
• Demonstrates:
– Effectiveness of the IA unit
– Competence of the IA unit
• Common ground where internal
auditor meets management
– Medium that establishes the auditor’s
authority or otherwise
Unethical uses of the Audit Report
• Tool for achieving
management’s/auditor’s biased
agenda
– Settle scores/personal vendetta
– Weapon of mass destruction
• Win favour with management
Developing Audit Reports
• From issues to findings
• The Five Cs
• Reporting Formats
• Other Reports
From issues to findings
• Findings are issues which are
fully developed to add value
– Improve the current condition
The 5 Cs
Cause
Condition
Consequence
In a nutshell
• What should be?
• What is?
• Why did the deviation from the “what
should be” occur?
• What happened or could happen
because the “what is” differed from
the “what should be”?
• What is needed to correct the
condition and improve operations?
Reporting Formats
• 5Cs
• ORR
Reporting
• Issue a draft report
• Discuss draft report with unit
management
• Issue final report
• Report is factual, clear, concise,
with an appropriate tone
Other Reports from the Audit Dept
1. Status of implementation of annual
internal audit plan
2. Report on adequacy of audit resources
3. Recommendation Implementation
Status Summary (follow up report)
4. Summary of high risk findings and
recommendations with action plans
5. Routine discussed audit reports
6. Ad-hoc Investigation reports
The End