ACELE4 Finals Compiled PDF
Uploaded by EverlastingBaltimore
Summary
This document introduces internal auditing, emphasizing organizational independence and individual objectivity. It describes assurance services and the roles of different parties involved. It also details important concepts like risk management and control processes within an organization.
CHAPTER 1: INTRODUCTION TO INTERNAL AUDITING Organizational Independence & Individual Objectivity Introduction To Internal Auditing Chief audit executive describes the role of a person in a senior position responsible for effectively managing the internal audit activity in Internal auditing is conducted in diverse legal and cultural accordance with the internal audit charter and the mandatory elements environments; for organizations that vary in purpose, size, of the International Professional Practices Framework. The chief audit complexity, and structure; and by persons within or outside executive or others reporting to the chief audit executive will have the organization. It has become more important for many appropriate professional certifications and qualifications. The specific entities because of statutes, regulatory frameworks and even job title and/or responsibilities of the chief audit executive may vary pressure from stakeholders. across organizations. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an Impairment to organizational independence and individual objectivity organization's operations. It helps an organization accomplish may include personal conflict of interest, scope limitations, restrictions its objectives by bringing a systematic, disciplined approach on access to records, personnel, and properties, and resource to evaluate and improve the effectiveness of risk limitations (funding). management, control, and governance processes. Assurance Services The internal audit activity must be independent, and internal auditors must be objective in performing their work. An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control Standard 1100 - Independence and Objectivity processes for the organization. 
Examples may include financial, performance, compliance, system security, and due diligence Independence is the freedom from conditions that threaten engagements. the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree Parties in an Assurance Service of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit Assurance services involve the internal auditor’s objective assessment executive has direct and unrestricted access to senior of evidence to provide opinions or conclusions regarding an entity, management and the board. operation, function, process, system, or other subject matters. The Objectivity is an unbiased mental attitude that allows internal nature and scope of an assurance engagement are determined by the internal auditor. Generally, three parties are participants in assurance auditors to perform engagements in such a manner that they services: (1) the person or group directly involved with the entity, believe in their work product and that no quality compromises operation, function, process, system, or other subject matter — the are made. Objectivity requires that internal auditors do not process owner, (2) the person or group making the assessment — the subordinate their judgment on audit matters to others. internal auditor, and (3) the person or group using the assessment — Organizational Independence the user. The chief audit executive must report to a level within the organization Consulting Services that allows the internal audit activity to fulfill its responsibilities. The chief Advisory and related client service activities, the nature and scope of audit executive must confirm to the board, at least annually, the which are agreed with the client, are intended to add value and improve organizational independence of the internal audit activity. 
an organization’s governance, risk management, and control processes Organizational independence is effectively achieved when the chief without the internal auditor assuming management responsibility. audit executive reports functionally to the board. Examples of functional Examples include counsel, advice, facilitation, and training. reporting to the board involve the board: Parties in a Consulting Service Approving the internal audit charter. Approving the risk-based Consulting services are advisory in nature and are generally performed internal audit plan. at the specific request of an engagement client. The nature and scope Approving the internal audit budget and resource plan. of the consulting engagement are subject to agreement with the Receiving communications from the chief audit executive on engagement client. Consulting services generally involve two parties: (1) the internal audit activity’s performance relative to its plan and the person or group offering the advice — the internal auditor, and (2) other matters. the person or group seeking and receiving the advice — the Approving decisions regarding the appointment and removal engagement client. When performing consulting services the internal of the chief audit executive. auditor should maintain objectivity and not assume management Approving the remuneration of the chief audit executive. responsibility. Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate Add Value scope or resource limitations. The IIA Research Foundation issued a Development and Practice Aids Individual Objectivity by Urton Anderson on what internal audit customers "value" by scope of work Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest. Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. 
Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively. Practice Advisory 2100-1 The scope of internal auditing work encompasses a systematic, disciplined approach to evaluating and improving the adequacy and effectiveness of risk management, control and governance processes and the quality of performance in carrying out assigned responsibilities. The purpose of evaluating the adequacy of the organization's existing risk management, control and governance processes is to provide reasonable assurance that these processes are functioning as intended and will enable the organization's objectives and goals to be met, and to provide recommendations for improving the organization's operations, in terms of both efficient and effective performance. Governance - The combination of processes and structures implemented by the board to inform, direct, manage, and Types of Audit monitor the activities of the organization toward the achievement of its objectives. Financial Audit Risk Management - A process to identify, assess, manage, Compliance Audit and control potential events or situations to provide Performance Audit reasonable assurance regarding the achievement of the Management Audit organization’s objectives. Environmental Audit Control - Any action taken by management, the board, and Systems-based Audit other parties to manage risk and increase the likelihood that Risk-based Audit established objectives and goals will be achieved. 
Management plans, organizes, and directs the performance The Institute of Internal Auditors of sufficient actions to provide reasonable assurance that Established in 1941, The Institute of Internal Auditors (IIA) is an objectives and goals will be achieved. international professional association with global headquarters in Lake Elements of the Systematic and Disciplined Approach Mary, Florida, USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and Defined Audit Objectives principal educator. Members work in internal auditing, risk management, Risk Analysis governance, internal control, information technology audit, education, Audit Work Plan and security. The Global Board of Directors comprises 17 directors Defined Audit Procedures including the Chairman. The Chairman of the Board for 2021-2022 is Mr. Charlie T. Wright, CIA. Use of Technology Independent Review of Audit Work CHAPTER 2: INTERNATIONAL PROFESSIONAL PRACTICES Review of Conclusions with Management FRAMEWORK & THE CODE OF ETHICS The Main Objectives of Internal Audit The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance 1. Helping the organization achieve its objective promulgated by The IIA. A trustworthy, global, guidance-setting body, 2. Evaluating and improving the effectiveness of risk The IIA provides internal audit professionals worldwide with authoritative management, control and governance processes guidance organized in the IPPF as mandatory guidance and 3. Assurance and consulting activity designed to add value and recommended guidance. The updated Framework was introduced in improve operations July 2015. 
Modifications proposed for The IIA’s International Standards Categories of Business Objectives By Committee of Sponsoring for the Professional Practice of Internal Auditing were approved in Organizations of the Treadway Commission October 2016 and are now in effect. The revisions include the addition of two new standards, alignment of the Standards to the Core Principles, 1. Strategic Objectives and updates to existing standards. 2. Operations Objectives 3. Reporting Objectives International Professional Practices Framework (IPPF)® Oversight 4. Compliance Objectives Council Internal Audit versus External Audit The IPPF Oversight Council is designed to evaluate and advise on the rigor of The IIA's Standards and Guidance-setting process, which will increase the confidence of internal audit stakeholders around the world. The organizations included in this Council are: International Federation of Accountants (IFAC), National Association of Corporate Directors (NACD), International Organization of Supreme Audit Institutions (INTOSAI), Organization for Economic Co-operation and Development (OECD), The World Banks, and The IIA. The scope of the IPPF is only authoritative guidance developed by an IIA international technical committee following appropriate due process. Components of the IPPF Mission of Internal Audit: To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight Mandatory guidance is developed following an established due diligence process, which includes a period of public exposure for stakeholder input. The mandatory elements of the IPPF are: Core Principles for the Professional Practice of Internal all the relevant circumstances and are not unduly influenced Auditing by their own interests or by others in forming judgments. Definition of Internal Auditing 3. 
Confidentiality - Internal auditors respect the value and Code of Ethics ownership of information they receive and do not disclose International Standards for the Professional Practice of information without appropriate authority unless there is a Internal Auditing legal or professional obligation to do so. 4. Competency - Internal auditors apply the knowledge, skills, Recommended guidance is endorsed by The IIA through a formal and experience needed in the performance of internal audit approval process. It describes practices for effective implementation of services. The IIA's Core Principles, Definition of Internal Auditing, Code of Ethics, and Standards. The recommended elements of the IPPF are: 1. Integrity - Internal auditors: Implementation Guidance 1.1. Shall perform their work with honesty, diligence, and Supplemental Guidance responsibility. Core Principles for the Profession of Internal Auditing 1.2. Shall observe the law and make disclosures expected by the law and the profession. The Core Principles, above all, define tangible internal audit effectiveness. When all Principles are present and operating cohesively, 1.3. Shall not knowingly be a party to any illegal activity, or internal audit function achieves maximum efficiency. Though the way engage in acts that are discreditable to the profession of every internal auditor approaches these Core Principles may vary from internal auditing or to the organization. organization to organization, there’s no denying that a failure to achieve 1.4. Shall respect and contribute to the legitimate and ethical any of the Principles would signal an internal audit activity that’s not objectives of the organization. performing at its absolute best. The following are the Core Principles under the IPPF: 2. Objectivity - Internal auditors: Demonstrates integrity. 2.1. Shall not participate in any activity or relationship that may Demonstrates competence and due professional care. 
impair or be presumed to impair their unbiased assessment. Is objective and free from undue influence (independent). This participation includes those activities or relationships that Aligns with the strategies, objectives, and risks of the may be in conflict with the interests of the organization. organization. Is appropriately positioned and adequately resourced. 2.2. Shall not accept anything that may impair or be presumed Demonstrates quality and continuous improvement. to impair their professional judgment. Communicates effectively. 2.3. Shall disclose all material facts known to them that, if not Provides risk-based assurance. disclosed, may distort the reporting of activities under review. Is insightful, proactive, and future-focused. Promotes organizational improvement. 3. Confidentiality - Internal auditors: Code of Ethics by The Institute of Internal Auditors 3.1. Shall be prudent in the use and protection of information acquired in the course of their duties. The Code of Ethics states the principles and expectations governing the behavior of individuals and organizations in the conduct of internal 3.2. Shall not use the information for any personal gain or in auditing. It describes the minimum requirements for conduct and any manner that would be contrary to the law or detrimental behavioral expectations rather than specific activities. The purpose of to the legitimate and ethical objectives of the organization. The Institute's Code of Ethics is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and 4. Competency - Internal auditors: appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about governance, risk 4.1. Shall engage only in those services for which they have management, and control. This Code of Ethics applies to both entities the necessary knowledge, skills, and experience. and individuals that perform internal audit services. 4.2. 
Shall perform internal audit services in accordance with "Internal auditors" refers to Institute members, recipients of or the International Standards for the Professional Practice of candidates for IIA professional certifications, and those who perform Internal Auditing. internal audit services within the Definition of Internal Auditing. 4.3. Shall continually improve their proficiency and the The Institute's Code of Ethics extends beyond the Definition of Internal effectiveness and quality of their services. Auditing to include two essential components: International Standards for the Professional Practice of Internal 1. Principles that are relevant to the profession and practice of Auditing (Standards) internal auditing. Standards are principle-focused and provide a framework for performing 2. Rules of Conduct that describe behavior norms expected of and promoting internal auditing. The Standards are mandatory internal auditors. These rules are an aid to interpreting the requirements consisting of: Principles into practical applications and are intended to guide the ethical conduct of internal auditors. Statements of basic requirements for the professional practice Internal auditors are expected to apply and uphold the following of internal auditing and for evaluating the effectiveness of its principles: performance. The requirements are internationally applicable at organizational and individual levels. 1. Integrity - The integrity of internal auditors establishes trust Interpretations, which clarify terms or concepts within the and thus provides the basis for reliance on their judgment. statements. 2. Objectivity - Internal auditors exhibit the highest level of Glossary terms. professional objectivity in gathering, evaluating, and communicating information about the activity or process being It is necessary to consider both the statements and their interpretations examined. 
Internal auditors make a balanced assessment of to understand and apply the Standards correctly. The Standards employ terms that have been given specific meanings as noted in the Glossary, IIA Position Papers which is also part of the Standards. Position Papers assist a wide range of interested parties but are The Purpose of the Standards primarily designed to inform and educate internal audit stakeholders on issues of importance to The IIA and the profession. Their focus is Internal auditing is conducted in diverse legal and cultural environments; generally related to significant governance, risk, or control issues, and for organizations that vary in purpose, size, complexity, and structure; delineating the associated roles and responsibilities of internal auditing. and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, conformance Committees under the IPPF with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities The International Internal Audit Standards Board is of internal auditors and the internal audit activity. charged by the IIA to develop professional standards for internal auditors. 1. Guide adherence with the mandatory elements of the The Audit Committee provides assistance to the Executive International Professional Practices Framework. Committee and the Global Board in fulfillment of their 2. Provide a framework for performing and promoting a broad oversight responsibilities for The Institute's financial reporting range of value-added internal auditing services. process, a system of internal control, and the audit process; 3. Establish the basis for the evaluation of internal audit to recommend a firm of certified public accountants to audit performance. and report upon the financial statements of The Institute for 4. Foster improved organizational processes and operations. 
each fiscal year; to oversee The Institute's Internal Audit program; and to provide oversight of practices designed to Structure of the Standards ensure compliance with legal, risk management, and regulatory requirements. The Standards comprise two main categories: Attribute and The Committee of Research and Education Advisors Performance Standards. provides the internal audit profession with the information Attribute Standards address the attributes of organizations and needed to anticipate, and react to, important external and individuals performing internal auditing. Performance Standards internal factors that could have a material impact on the describe the nature of internal auditing and provide quality criteria practice of internal auditing. against which the performance of these services can be measured. The Exam Development Committee ensures that the Attribute and Performance Standards apply to all internal audit services. content of The IIA’s certification exams is continuously aligned with and reflects the current global practice of internal auditing, including the International Professional Practices Framework. Finance and Investment Committee reviews the internal reporting of the budget and financial policies and procedures of The Institute; to ensure that the reporting of revenue and expenses of operations and assets and liabilities of the organization are based on acceptable accounting practices, and to provide necessary and timely information for decision- making. Institute Relations Committee promotes and facilitate the development and maintenance of a global strategy that fosters good communication, collaboration and cooperation among The IIA and all Institutes. To oversee Institute relations including the formation, development and expansion of IIA Institutes. Proficiency The IIA Standards provides that engagements must be performed with proficiency and due professional care. 
Furthermore, it provides interpretation which states that proficiency is a collective term that refers Recommended Guidance to the knowledge, skills, and other competencies required of internal auditors to effectively carry out their professional responsibilities. It The recommended elements of the IPPF are: encompasses consideration of current activities, trends, and emerging issues, to enable relevant advice and recommendations. Internal Implementation Guidance — assist internal auditors in auditors are encouraged to demonstrate their proficiency by obtaining applying the Standards. appropriate professional certifications and qualifications, such as the Supplemental Guidance (Practice Guides) — provide detailed Certified Internal Auditor designation and other designations offered by processes and procedures for internal audit practitioners. The Institute of Internal Auditors and other appropriate professional organizations. The recommended elements of the IPPF are: Due Professional Care Implementation Guides assist internal auditors in applying the Standards and Code of Ethics. They collectively address internal Practice Advisory 1220-1 provides that due professional care calls for auditing's approach, methodologies, and consideration, but do not detail the application of the care and skills expected of a reasonably prudent processes or procedures. and competent internal auditor in the same or similar circumstances. Thus, it does not imply infallibility. In exercising due professional care Supplemental Guidance provides detailed guidance for conducting internal auditors must consider the use of technology-based audit and internal audit activities. These include topical areas, sector-specific other data analysis techniques. Internal auditors must be alert to the issues, as well as processes and procedures, tools and techniques, significant risks that might affect objectives, operations, or resources. programs, step-by-step approaches, and examples of deliverables. 
However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. Internal auditors must exercise due professional care during It achieves the purpose and responsibility included in the a consulting engagement as well. internal audit charter. It conforms with the Standards. Framework For Management of Threats to Objectivity Its individual members conform with the Code of Ethics and the Standards. As provided in the Framework for management of threats to objectivity issued by the IIA Research Foundation in a publication entitled It considers trends and emerging issues that could impact the "Independence and Objectivity: A Framework For Internal Auditors", organization. whether it is assurance services provided by internal auditors working The internal audit activity adds value to the organization and its for a given company, outsourced internal audit assurance activities with stakeholders when it considers strategies, objectives, and risks; strives minimal internal auditor involvement, or outside experts providing the to offer ways to enhance governance, risk management, and control services, both independence and objectivity remain important for processes; and objectively provides relevant assurance. internal auditors and the internal audit function. The differences across the various ways in which internal audit services are offered lie in the Chief Audit Executive types of conflicts of interest because of differing incentives and environmental forces that are faced. Chief audit executive describes the role of a person in a senior position responsible for effectively managing the internal audit activity in Framework for Management of Threats to Objectivity The IIA accordance with the internal audit charter and the mandatory elements Research Foundation of the International Professional Practices Framework. 
The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title and/or responsibilities of the chief audit executive may vary across organizations. (Glossary of Terms - ISPPIA ) The specific job title as well as the responsibilities of the Chief Audit Executive may vary across organizations. The specific responsibilities of the Chief Audit Executive in managing the internal audit are laid down in IIA Standard 2000: 1. Planning 2. Communication and Approval 3. Resource Management 4. Policies and Procedures 5. Coordination and Reliance 6. Reporting to Senior Management and the Board Practice Advisory 2000-1 (Managing the Internal Audit Activity) elaborates on the responsibilities of the Chief Audit Executive. Threats to Objectivity Engagement work fulfills the general purposes and Self-interest Threat responsibilities described in the charter, approved by senior Personal Relationship management, and accepted by the board. Familiarity Threat Resources of the internal audit activity are efficiently and Self-review Threat effectively employed. Social Pressure Engagement work conforms to the Standards for the Cultural, Racial and Gender Biases Professional Practice of Internal Auditing. Cognitive Biases Planning The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals. To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. 
The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process. The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit CHAPTER 3: MANAGING THE INTERNAL AUDIT ACTIVITY opinions and other conclusions. According to the Performance Standards 2000 of ISPPIA, The chief The chief audit executive should consider accepting proposed audit executive must effectively manage the internal audit activity to consulting engagements based on the engagement’s potential to ensure it adds value to the organization. improve management of risks, add value, and improve the The internal audit activity is effectively managed when: organization’s operations. Accepted engagements must be included in scope, objectives, and results of the work performed by other providers the plan. of assurance and consulting services. Where reliance is placed on the work of others, the chief audit executive is still accountable and Communication And Approval responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity. The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, External Service Provider and Organizational Responsibility for to senior management and the board for review and approval. The chief Internal Auditing audit executive must also communicate the impact of resource limitations. External Service Provider is a person or firm outside of the organization that has special knowledge, skill, and experience in a particular Resource Management discipline. 
The chief audit executive must ensure that internal audit resources are When an external service provider serves as the internal audit activity, appropriate, sufficient, and effectively deployed to achieve the approved the provider must make the organization aware that the organization has plan. the responsibility for maintaining an effective internal audit activity. Appropriate refers to the mix of knowledge, skills, and other This responsibility is demonstrated through the quality assurance and competencies needed to perform the plan. Sufficient refers to the improvement program which assesses conformance with the Code of quantity of resources needed to accomplish the plan. Resources are Ethics and the Standards. effectively deployed when they are used in a way that optimizes the achievement of the approved plan. Quality Assurance and Improvement Program Skills Required of Internal Auditors Adapted from Competency The chief audit executive must develop and maintain a quality assurance Framework for Internal Auditing (CFIA) study (Birkett et al., 1999) and improvement program that covers all aspects of the internal audit activity. 1. Cognitive Skills Technical Skills - Following defined routines with some A quality assurance and improvement program is designed to enable an mastery evaluation of the internal audit activity’s conformance with the Standards Analytical Skills - Problem identification or task definition and an evaluation of whether internal auditors apply the Code of Ethics. and the structuring of prototype solutions or The program also assesses the efficiency and effectiveness of the performances internal audit activity and identifies opportunities for improvement. The Appreciative Skills - Making complex and creative chief audit executive should encourage board oversight in the quality judgments, often in situations of ambiguity assurance and improvement program. 2. 
Behavioral Skills Requirements of the Quality Assurance and Improvement Program Personal Skills - Handling oneself well in situations of challenge, stress, conflict, time pressure and change The quality assurance and improvement program must include both Interpersonal Skills - Securing outcomes through internal and external assessments. interpersonal interactions Organizational Skills - Securing outcomes through the Internal Assessments use of organizational networks. Internal assessments must include: Policies And Procedures Ongoing monitoring of the performance of the internal audit The chief audit executive must establish policies and procedures to activity. guide the internal audit activity. Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal The form and content of policies and procedures are dependent upon audit practices. the size and structure of the internal audit activity and the complexity of its work. External Assessments Personnel Manuals describe the overall organization and its relationship External assessments must be conducted at least once every five years to employees, including organization's objectives and goals, history, by a qualified, independent assessor or assessment team from outside employee benefits, promotion policy, development and training the organization. The chief audit executive must discuss with the board: programs. The form and frequency of external assessment. Audit Manuals provide guidance on completing specific engagements in The qualifications and independence of the external assessor compliance with the technical standards and policies of the internal audit or assessment team, including any potential conflict of activity. It also provides practical guidance, tools and information for interest. managing the internal audit activity and for planning, conducting and reporting on internal auditing assurance engagements. 
Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. Disclosure should include:
- The scope and frequency of both the internal and external assessments.
- The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest.
- Conclusions of assessors.
- Corrective action plans.

Disclosure of Nonconformance
When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.

Coordination And Reliance
The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.

In coordinating activities, the chief audit executive may rely on the work of other assurance and consulting service providers. A consistent process for the basis of reliance should be established, and the chief audit executive should consider the competency, objectivity, and due professional care of the assurance and consulting service providers. The chief audit executive should also have a clear understanding of the

Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.

The frequency and content of reporting are determined collaboratively by the chief audit executive, senior management, and the board. The frequency and content of reporting depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board.

The chief audit executive's reporting and communication to senior management and the board must include information about:
- The audit charter.
- Independence of the internal audit activity.
- The audit plan and progress against the plan.
- Resource requirements.
- Results of audit activities.
- Conformance with the Code of Ethics and the Standards, and action plans to address any significant conformance issues.
- Management's response to risk that, in the chief audit executive's judgment, may be unacceptable to the organization.

These and other chief audit executive communication requirements are referenced throughout the Standards.

CHAPTER 4: ENGAGEMENT PROCESS AND PLANNING

The Standards divide the internal auditing process into five major categories:
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Communicating the Acceptance of Risks

Planning the Audit Engagement
Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations. The plan must consider the organization's strategies, objectives, and risks relevant to the engagement.

Purpose of Planning
The main purposes of internal audit planning are:
1. To establish the objectives and scope of the engagement.
2. To determine priorities and to establish the most cost-effective means of achieving audit objectives.
3. To assist in the direction and control of audit work.
4. To help ensure that attention is devoted to critical aspects of audit work.
5. To help ensure that work is completed in accordance with pre-determined targets.

Planning Considerations
In planning the engagement, internal auditors must consider:
- The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance.
- The significant risks to the activity's objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
- The adequacy and effectiveness of the activity's governance, risk management, and control processes compared to a relevant framework or model.
- The opportunities for making significant improvements to the activity's governance, risk management, and control processes.

Key Planning Activities
Audit planning should be documented, and the process should include:

1. Determine Engagement Objectives and Scope
a. Objectives must be established for each engagement.
Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client. Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.
b. The established scope must be sufficient to achieve the objectives of the engagement.
The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.
In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement. During consulting engagements, internal auditors must address controls consistent with the engagement's objectives and be alert to significant control issues.

2. Understand the Auditee including Auditee Objectives
It is virtually impossible to audit something effectively that is not sufficiently understood. The success of any engagement ultimately depends largely on how well the internal audit team understands the auditee, its strategic plan, management, the board, and other stakeholders, and how it operates. In that context, the internal auditor can develop audit priorities and strategies that take into account the significance of activities and relative risk. Background information should be obtained about the activities to be reviewed.

3. Identify and Assess the Risks
Every entity faces a variety of risks from both internal and external sources. Engagement objectives and procedures should address the risks associated with the activity under review. The term "risk" is the possibility of an event occurring that will have an impact on the achievement of objectives. On the other hand, "risk assessment" refers to the consideration of probable material effects of uncertain events in achieving the organization's objectives.
Components of Audit Risk:
- Inherent Risk
- Control Risk
- Detection Risk

4. Evaluate Adequacy of Control Design
Internal control can be defined as a set of processes designed to provide reasonable assurance on the achievement of the organization's objectives in the areas of:
- Effectiveness and efficiency of processes and economic use of resources
- Reliability of financial reporting information
- Compliance with external rules and regulations as well as internal policies and procedures.
The auditee plans, organizes and directs the performance of sufficient actions to ensure that objectives and goals will be achieved.

5. Develop a Work Program
Internal auditors must develop and document work programs that achieve the engagement objectives.
Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.
Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

6. Engagement Resource Allocation
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quantity of resources needed to accomplish the engagement with due professional care.

Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives.
- Initial Meeting
- Transaction Testing
- Continuous Communication
- Exit Meeting

Communicating Results
Internal auditors must communicate the results of engagements. Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors' opinion should be provided. An opinion must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.
- Preliminary Audit Report
- Management's Response
- Final Report

Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

Communicating the Acceptance of Risks
When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

CHAPTER 5: CONTROL, GOVERNANCE AND RISK MANAGEMENT

Control, governance and risk management are interrelated concepts that are fundamental to the field of internal auditing and the work of internal auditors.

Internal Control - The IIA
Control is the employment of all the means devised in an enterprise to promote, direct, restrain, govern and check upon its various activities for the purpose of seeing that enterprise objectives are met. These means of control include, but are not limited to, form of organization, policies, systems, procedures, instructions, standards, committees, charts of accounts, forecasts, budgets, schedules, reports, records, checklists, methods, devices and internal auditing.

Internal Control - COSO
Internal Control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.

Components of Internal Control
1. Control Environment – The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control, including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.
2. Risk Assessment - Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to
established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.
3. Control Activities - Control activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.
4. Information and Communication - Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity.

3. Management Override: High-level personnel may be able to override prescribed policies and procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes.
4. Collusion: Control systems can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems.

Corporate Governance
In the Philippines, the Securities and Exchange Commission (SEC) has the power and authority to promote corporate governance and the protection of minority investors, through, among others, the issuance of rules and regulations consistent with international best practices. The SEC or the Commission is the national government regulatory agency charged with supervision over the corporate sector, the capital market participants, and the securities and investment instruments market, and the protection of the investing public.

Corporate governance is the system of stewardship and control to guide organizations in fulfilling their long-term economic, moral, legal and social obligations towards their shareholders/members and other stakeholders.

Corporate governance is a system of direction, feedback and control using regulations, performance standards and ethical guidelines to hold the board of directors and senior management accountable for ensuring ethical behavior and reconciling long-term customer satisfaction with shareholder/member value to the benefit of all stakeholders and society.

Its purpose is to maximize the organization's long-term success, thereby creating sustainable value for its shareholders/members, other stakeholders and the nation.

Objectives of Corporate Governance
- Fair and Equitable Treatment of Shareholders
- Self-assessment
- Increase Shareholders' Wealth
- Transparency and Full Disclosure

It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.
5. Monitoring Activities - Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.

Types of Control
- Preventive Controls are intended to deter undesirable events from occurring.
- Detective/Corrective Controls are intended to detect and correct undesirable events that occurred.
- Directive Controls are intended to cause or encourage a desirable event to occur.

Limitations of Internal Controls
1. Judgment: The effectiveness of controls will be limited by decisions made with human judgment under pressures to conduct business based on the information at hand.
2. Breakdowns: Even well-designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems.

Enterprise Risk Management – COSO
Our understanding of the nature of risk, the art and science of choice, lies at the core of our modern economy. Every choice we make in the pursuit of objectives has its risks. From day-to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with risk in these choices is a part of decision-making.

As we seek to optimize a range of possible outcomes, decisions are rarely binary, with a right and wrong answer. That's why enterprise risk management may be called both an art and a science. And when risk is considered in the formulation of an organization's strategy and business objectives, enterprise risk management helps to optimize outcomes.

Our understanding of risk and our practice of enterprise risk management have improved greatly over the past few decades. But the margin for error is shrinking. The World Economic Forum has commented on the "increasing volatility, complexity and ambiguity of the world." That's a phenomenon we all recognize. Organizations encounter challenges that impact reliability, relevancy, and trust. Stakeholders are more engaged today, seeking greater transparency and accountability for managing the impact of risk while also critically evaluating leadership's ability to crystalize opportunities. Even success can bring with it additional downside risk: the risk of not being able to fulfill unexpectedly high demand, or maintain expected business momentum, for example.

Organizations need to be more adaptive to change. They need to think strategically about how to manage the increasing volatility, complexity, and ambiguity of the world, particularly at the senior levels in the organization and in the boardroom where the stakes are highest.

Glossary – ISPPIA
Risk - The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Risk Appetite - The level of risk that an organization is willing to accept.
Risk Management - A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Achievement of Objectives
Within the context of an entity's established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity's objectives, set forth in four categories:
- Strategic – high-level goals, aligned with and supporting its mission
- Operations – effective and efficient use of its resources
- Reporting – reliability of reporting
- Compliance – compliance with applicable laws and regulations.

The four objectives categories – strategic, operations, reporting, and compliance – are represented by the vertical columns, the eight components by horizontal rows, and an entity's units by the third dimension. This depiction portrays the ability to focus on the entirety of an entity's enterprise risk management, or by objectives category, component, entity unit, or any subset thereof.

Components of Enterprise Risk Management
- Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
- Event Identification – Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
- Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
- Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Role of Internal Audit Activity
Under IIA Standard 2120, the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
- Organizational objectives support and align with the organization's mission.
- Significant risks are identified and assessed.
- Appropriate risk responses are selected that align risks with the organization's risk appetite.
- Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

However, there are functions which should not be undertaken by the internal audit activity.

CHAPTER 6: PERFORMING THE ENGAGEMENT (AUDIT EVIDENCE)

Performing Engagement
Assurance services involve the internal auditor's objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an assurance engagement are determined by the internal auditor.

On the other hand, consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client.

Attributes of Evidence
1. Sufficiency
2. Reliability
3. Relevance
4. Useful Information

Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.

Types of Audit Evidence
1. Physical
2. Testimonial
3. Documentary
4. Analytical
5. Computation

Methods of Gathering Audit Evidence
- Interview / Inquiry
- Surveys
- Inspection
- Vouching and Tracing
- Flowcharting
- Observation
- Confirmation
- Analysis

Working Papers
The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate. The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization's guidelines and any pertinent regulatory or other requirements. Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions.

The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

Relationship of Objectives and Components
There is a direct relationship between objectives, which are what an entity strives to achieve, and enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix, in the form of a cube.

Audit Sampling
The application of audit procedures to less than 100% of items within a population of audit relevance such that all sampling units have a chance of selection, in order to provide the auditor with a reasonable basis on which to draw conclusions about the entire population.
- 100% TESTING – SELECTING ALL ITEMS
- SPECIFIC TESTING – SELECTING SPECIFIC ITEMS
- AUDIT SAMPLING

General Approaches to Audit Sampling:
Statistical sampling is an approach to sampling that has the following characteristics:
1. Random selection of the sample items; and
2. The use of probability theory to evaluate sample results, including measurement of sampling risk.

Sampling risk is the risk that the auditor's conclusion based on a sample may be different from the conclusion if the entire population were subjected to the same audit procedure. Sampling risk can lead to two types of erroneous conclusions:
(i) In the case of a test of controls, that controls are more effective than they actually are, or in the case of a test of details, that a material misstatement does not exist when in fact it does. The auditor is primarily concerned with this type of erroneous conclusion because it affects audit effectiveness and is more likely to lead to an inappropriate audit opinion.
(ii) In the case of a test of controls, that controls are less effective than they actually are, or in the case of a test of details, that a material misstatement exists when in fact it does not. This type of erroneous conclusion affects audit efficiency as it would usually lead to additional work to establish that initial conclusions were incorrect.

Non-sampling risk is the risk that the auditor reaches an erroneous conclusion for any reason not related to sampling risk.

Managing the Sampling Risk
1. Increasing the sample size
2. Using an appropriate sample selection method

Sample Selection Methods
1. Random selection
2. Systematic selection
3. Value-weighted sampling
4. Haphazard selection
5. Block selection

Audit Sampling Plans
- Attribute sampling – occurrence rate
- Variable sampling – numerical measurement of a population, such as peso value.

Basic Steps in Audit Sampling
- Define the objective
- Determine the procedure
- Determine the sample size
- Select the sample
- Apply the procedures
- Evaluate the results

CHAPTER 7: FRAUD RISK ASSESSMENT, AWARENESS, PREVENTION AND DETECTION

Fraud
The use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization's resources or assets (Association of Certified Fraud Examiners).

Elements: Misrepresentation of a material fact with the intent to deceive.

Types of Fraud:
- Misappropriation of assets – theft or misuse of the university's assets
- Corruption – abusing influence and power within the university to obtain some benefit at the university's expense
- Fraudulent Financial Reporting – intentional misstatements or omissions of amounts or disclosures in financial statements

How to identify the fraudster/fraud
If you want to know what a fraudster looks like, look to the person on your right, then to the one on your left, and it will look like the person in the middle. White-collar criminals look like you and me.

Who Commits Fraud?
- Management – Manipulation of the accounting records
- Employees – Stealing the University's assets such as cash, inventory, etc.; fraudulent disbursements
- Vendors – Shell companies, bid rigging

MANAGING FRAUD: Five Key Principles for proactively establishing an Environment to effectively manage an Organization's Fraud Risks
1. As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
2. Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
3. Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
4. Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
5. A reporting process should be in place to solicit input on potential fraud.

A FRAUD RISK ASSESSMENT should be performed periodically to identify potential schemes and events that need to be mitigated. Most organizations have written policies and procedures to manage fraud

Fraud Prevention: What Can You Do To Combat Fraud?
- Ensure proper segregation of
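Segregation of duties comes up twice in these notes: as a control activity that management builds into its design, and as the first fraud-prevention measure in the list just above. The following is an added example, not code from the course notes or from any framework they cite. It is a Python script that checks a constructed set of roles, users and transaction records for incompatible duties. The duty names, roles, users, records and the conflicting-duty pairs are all assumptions made for the demonstration. It pairs a preventive check (is the role design clean?) with a detective check (did one person actually perform both halves of a conflicting pair on a document?), matching the preventive and detective control types in the notes; where segregation is impractical, a documented compensating control suppresses the preventive finding, as the control-activities section describes.

```python
"""Segregation-of-duties (SoD) checks: a preventive check on role design and a
detective check over transaction records.

Added example; not code from the course notes. Every duty, role, user and
record below is constructed for the demonstration.
"""
from collections import defaultdict

# Incompatible duty pairs (assumed): one person holding both could initiate
# and conceal a fraudulent disbursement, e.g. set up a shell vendor and pay it.
CONFLICTING_DUTIES = {
    frozenset({"maintain_vendor_master", "approve_payment"}),
    frozenset({"create_purchase_order", "approve_purchase_order"}),
    frozenset({"record_receipt", "approve_payment"}),
}

# Role design (assumed): which duties each role grants.
ROLE_DUTIES = {
    "procurement_clerk": {"create_purchase_order", "record_receipt"},
    "procurement_manager": {"approve_purchase_order"},
    "ap_clerk": {"maintain_vendor_master"},
    "ap_manager": {"approve_payment"},
}

# User-to-role assignments (assumed).
USER_ROLES = {
    "alice": {"procurement_clerk"},
    "bob": {"procurement_manager"},
    "carol": {"ap_clerk", "ap_manager"},          # vendor master + payments
    "dave": {"procurement_clerk", "ap_manager"},  # receipts + payments
}

# Where segregation is impractical, management documents an alternative
# control (here: an independent monthly review of carol's vendor changes).
COMPENSATING_CONTROLS = {
    ("carol", frozenset({"maintain_vendor_master", "approve_payment"})),
}

# Constructed transaction records: (document, action, user).
RECORDS = [
    ("PO-1001", "create_purchase_order", "alice"),
    ("PO-1001", "approve_purchase_order", "bob"),
    ("PO-1002", "create_purchase_order", "dave"),
    ("PO-1002", "approve_purchase_order", "dave"),  # not granted by dave's roles
    ("PO-1003", "record_receipt", "dave"),
    ("PO-1003", "approve_payment", "dave"),
]


def duties_of(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """All duties a user holds through the roles assigned to them."""
    return set().union(*(role_duties[r] for r in user_roles.get(user, ())))


def preventive_sod_check(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                         conflicts=CONFLICTING_DUTIES,
                         compensating=COMPENSATING_CONTROLS):
    """Preventive control: report each user whose role design grants both
    halves of a conflicting pair and has no documented compensating control.
    Returns a sorted list of (user, (duty_a, duty_b)) findings."""
    findings = []
    for user in sorted(user_roles):
        held = duties_of(user, user_roles, role_duties)
        for pair in conflicts:
            if pair <= held and (user, pair) not in compensating:
                findings.append((user, tuple(sorted(pair))))
    return sorted(findings)


def detective_sod_check(records, conflicts=CONFLICTING_DUTIES):
    """Detective control: find documents on which one user performed both
    halves of a conflicting pair, whatever the role design says. This catches
    management override and ad hoc grants that the preventive check cannot see.
    Returns a sorted list of (document, user, (duty_a, duty_b))."""
    actions_by_doc_user = defaultdict(lambda: defaultdict(set))
    for doc, action, user in records:
        actions_by_doc_user[doc][user].add(action)
    hits = []
    for doc, per_user in actions_by_doc_user.items():
        for user, actions in per_user.items():
            for pair in conflicts:
                if pair <= actions:
                    hits.append((doc, user, tuple(sorted(pair))))
    return sorted(hits)


if __name__ == "__main__":
    for finding in preventive_sod_check():
        print("design conflict:", finding)
    for hit in detective_sod_check(RECORDS):
        print("observed conflict:", hit)
```

Note how the two checks disagree about dave: the role design only shows the receipt-plus-payment conflict, while the records show him also approving a purchase order he created, a duty his roles never granted. That gap is why the notes list both preventive and detective controls, and why collusion and management override are listed as limitations: the preventive check sees neither.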
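To make the Audit Sampling section above concrete, here is an added Python example (not code from the course notes) that implements three of the listed selection methods on a constructed population of purchase orders, applies the attribute-sampling decision rule, and then estimates sampling risk by drawing many samples and counting how often the sample conclusion differs from the whole-population conclusion. The population (200 orders with made-up peso amounts, every 25th one failing the control, i.e. a 4% deviation rate), the tolerable rates used, and the decision rule "rely on the control when the sample deviation rate is within the tolerable rate" are assumptions for the demonstration; a real attribute-sampling evaluation also adds an allowance for sampling risk on top of the observed sample rate.

```python
"""Audit sampling: selection methods, the attribute-sampling decision, and a
sampling-risk simulation.

Added example for the Audit Sampling section; not code from the course notes.
The population is constructed: 200 purchase orders with made-up peso amounts,
in which every 25th order fails the control (4% population deviation rate).
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    ref: str        # document reference (constructed)
    amount: float   # peso value; drives value-weighted selection
    deviates: bool  # True when the control did not operate for this item


def make_population(n=200, seed=7):
    rng = random.Random(seed)
    return [Item(f"PO-{i:04d}", round(10 ** rng.uniform(2, 5), 2), i % 25 == 0)
            for i in range(1, n + 1)]


def population_rate(pop):
    """True deviation rate, which an auditor only knows after 100% testing."""
    return sum(it.deviates for it in pop) / len(pop)


def random_selection(pop, size, seed=0):
    """Random selection: every item has the same chance of being chosen."""
    return random.Random(seed).sample(pop, size)


def systematic_selection(pop, size, seed=0):
    """Systematic selection: a random start, then every k-th item."""
    k = len(pop) // size
    start = random.Random(seed).randrange(k)
    return [pop[start + i * k] for i in range(size)]


def sampling_interval(pop, size):
    return sum(it.amount for it in pop) / size


def value_weighted_selection(pop, size, seed=0):
    """Value-weighted (monetary-unit) selection: each peso is a sampling unit,
    so selection probability is proportional to amount and any item worth at
    least one sampling interval is certain to be selected."""
    interval = sampling_interval(pop, size)
    next_hit = random.Random(seed).uniform(0, interval)
    chosen, cumulative = [], 0.0
    for it in pop:
        cumulative += it.amount
        if cumulative >= next_hit:
            chosen.append(it)
            while next_hit <= cumulative:  # a large item may absorb several hits
                next_hit += interval
    return chosen


def rely_on_control(sample, tolerable_rate):
    """Attribute sampling decision (simplified): rely on the control only if
    the sample deviation rate is within the tolerable rate."""
    return sum(it.deviates for it in sample) / len(sample) <= tolerable_rate


def sampling_risk(pop, size, tolerable_rate, trials=2000, seed=1):
    """Estimate the two erroneous conclusions from the notes by repeated random
    sampling: (i) over-reliance, controls judged more effective than they are
    (hurts effectiveness); (ii) under-reliance, controls judged less effective
    than they are (hurts efficiency). Returns both rates as fractions of trials."""
    truth = population_rate(pop) <= tolerable_rate
    rng = random.Random(seed)
    over = under = 0
    for _ in range(trials):
        verdict = rely_on_control(rng.sample(pop, size), tolerable_rate)
        if verdict and not truth:
            over += 1
        elif truth and not verdict:
            under += 1
    return {"over_reliance": over / trials, "under_reliance": under / trials}


if __name__ == "__main__":
    pop = make_population()
    print("population deviation rate:", population_rate(pop))
    for size in (20, 60, 120):
        print(size, sampling_risk(pop, size, tolerable_rate=0.08))
```

With a 4% population rate and an 8% tolerable rate the control is in fact acceptable, so only the efficiency-type error can occur, and its frequency falls as the sample grows (the first way of managing sampling risk in the notes). Lowering the tolerable rate to 2% flips the truth, and only the effectiveness-type error remains possible; the auditor's primary concern is exactly that case.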