Internal Audit Guidance Note


The Institute of

Internal Auditors
Malaysia

Copyright © 2022 by The Institute of Internal Auditors Malaysia. All rights reserved. No part of
this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written
permission from the publisher.

ISBN 978-983-41014-3-5


GUIDANCE FOR AN EFFECTIVE INTERNAL AUDIT FUNCTION 2.0

PUBLISHER
The Institute of Internal Auditors Malaysia
1-17-07, Menara Bangkok Bank, Berjaya Central Park, 105 Jalan Ampang, 50450 Kuala Lumpur
Telephone: +603-2181 8008 Fax: +603-2181 1717
E-mail: [email protected] Website: www.iiam.com.my

FOREWORD
I would like to take this opportunity to congratulate The Institute of Internal Auditors Malaysia for taking a leading role in enhancing the governance of corporate Malaysia and for the timely publication of this Guidance for an Effective Internal Audit Function 2.0, which is an important resource for all organisations committed to good corporate governance in Malaysia.

Internal audit’s mission is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight. As such, the issuance of this Guidance is pivotal to assist the organisation in having an effective internal audit function that will add value and be treated as a business partner rather than a ‘fault-finder’.

It is imperative that we work in an eco-system that upholds corporate governance to the fullest, and ensure integrity and transparency are practised to build confidence from key stakeholders and attract more investment into the country.

On that note, it gives me great pleasure to support this Guidance, and hope that it will be used by internal auditors from all types of organisations to establish a system with healthy checks and balances.

Having good corporate governance is a virtue that must be encouraged in every organisation in the country. As such, this Guidance is also commended for its inclusivity, where the recommendations can be applied by any organisation where relevant. I am excited at the prospect of every organisation having an effective internal audit function, and again, congratulate IIA Malaysia for leading this effort. Thank you.

PREFACE
This Guidance for an Effective Internal Audit Function 2.0 comes as a comprehensively refreshed edition to serve as a reference point for everyone who has a duty or interest to uphold the highest level of governance, risk and control in any organisation.

We are confident that the Board of Directors, Chief Executive Officers, Chief Financial Officers, Management, Chief Audit Executives and every internal auditor of public interest entities, public sector organisations, and private companies and businesses would be able to capitalise on this Guidance as a catalyst to jointly achieve internal audit excellence, as well as a validation of progress achieved.

Departing from existing coverage of governance relating to regulatory requirements of public listed companies which was the mainstay of past publications, this Guidance includes perspectives on internal audit functions of the government and Shariah-compliant entities and aims to provide a more inclusive view to unite the entire internal audit fraternity on universal best practices that are hinged on internationally recognised standards and publications, and nationally mandated regulations and sanctioned research.

In the context of achieving an effective internal audit function, areas deliberated include the duties and responsibilities of various stakeholders, characteristics and requirements of an internal audit function, core principles governing internal auditors, prescribed competency framework for the further development of internal auditors, the contemporary role of internal auditors in Environmental, Social and Governance (ESG), quality assurance and improvement programmes, outsourcing and co-sourcing decisions, and performance measures of the internal audit function.

We would like to express our heartfelt appreciation for the invaluable contribution of every individual that made this publication a success: Taskforce members, Observers, Technical Writer, and the Secretariat. We hope this Guidance will serve as a useful resource to everyone directly or indirectly involved in the profession of internal auditing.

Mohd Khaidzir bin Shahari
Chairman of Taskforce and Governor, IIA Malaysia

Geetha Kanny
Executive Director, IIA Malaysia

TASKFORCE

Mohd Khaidzir Bin Shahari (Chairman)
Head of Risk Consulting, KPMG Malaysia

Nasrein Fazal Sultan
Former Governor, The Institute of Internal Auditors Malaysia

Wong Chae Sing
Regional Head – Ethics & Compliance, Bausch Health

Roshni Jayantilal
Former Chief Executive Officer, Malaysian Institute of Corporate Governance

Devanesan Evanson
Chief Executive Officer, Minority Shareholder Watch Group

Simon Tay Pit Eu
Executive Director – Professional Practices & Technical, Malaysian Institute of Accountants

Noorlida Binti Mohd Khalid
Director – Internal Audit Management Division, Accountant General’s Department of Malaysia

Shamsul Bahrom Mohamed Ibrahim
Group Chief Internal Auditor, AmBank Group; Chairman of Chief Internal Auditors Networking Group (CIANG)

Dr Azleen Binti Ilias
Academician, Universiti Tenaga Nasional

Prof Dr Zurina Binti Shafii
Academician, Universiti Sains Islam Malaysia

OBSERVERS

Jimmy Tium
General Manager – Internal Audit Department, Securities Commission Malaysia

Mazliana Mohamad
Director – Risk & Compliance, Bursa Malaysia

Kaleon Leong Bin Rahan
Chief Executive Officer, Federation of Investment Managers Malaysia

TECHNICAL WRITER

Dr Eddy Yap Tat Hiung
Founder and Managing Consultant, CONDUCTIVITI Business Advisory Sdn Bhd

SECRETARIAT
The Institute of Internal Auditors Malaysia

Geetha Kanny
Executive Director

Alyssa Hew Li Min
Head of Technical & Quality Assurance

Ryan Chong Chung Ming
Senior Executive, Quality Assurance
TABLE OF CONTENT

ABBREVIATIONS V

1.0 Introduction 1
2.0 Roles and Responsibilities in Relation to the Internal Audit Function 6
3.0 Characteristics of an Effective Internal Audit Function 13
4.0 Core Principles for the Profession of Internal Auditing 23
5.0 Internal Audit Competency Framework 30
6.0 Role of the Internal Audit Function in Environmental, Social, and Governance (ESG) Performance and Reporting 31
7.0 Quality Assurance and Improvement Programme (QAIP) for the Internal Audit Function 32
8.0 Outsourcing and Co-sourcing of the Internal Audit Function 33
9.0 Measuring Internal Audit Performance 35
10.0 Conclusion 38

LIST OF FIGURES:

Figure 1: Elements of the IPPF 4
Figure 2: The IIA’s Three Lines Model 22
Figure 3: Core Principles for the Professional Practice of Internal Auditing 23
Figure 4: Internal Audit Competency Framework 30
Figure 5: Internal Audit Performance Measurement Methodologies and Criteria 36
Figure 6: Proposed Balanced Scorecard for Internal Audit Functions 36
Figure 7: Criteria Employed in Internal Audit KPI Setting 37
Figure 8: Ten Action Steps for Implementation of Balanced Scorecard and KPI Reporting for Internal Audit Functions 38

LIST OF TABLES:

Table 1: Summary of IPPF Elements 6
Table 2: Key Activities of an Internal Audit Function in Public Listed Companies 11
Table 3: Key Activities of an Internal Audit Function in the Public Sector 12
Table 4: Attribute Standards of the ISPPIA 13
Table 5: Performance Standards of the ISPPIA 21
Table 6: Considerations in the Outsourcing of the Internal Audit Function 34

APPENDICES:

Appendix 1 Examples of Questions Relating to the Role of Audit Committee on the Internal Audit Function 41
Appendix 2 Examples of Questions Relating to the Effectiveness of the Internal Audit Function 42
Appendix 3 Examples of Internal Audit Effectiveness and Efficiency Metrics 43
Appendix 4 Example of Reporting Internal Audit Effectiveness and Efficiency Dashboard 46
Appendix 5 Example of Internal Audit Feedback Survey 47
Appendix 6 Example of Key Performance Indicators based on Balanced Scorecard Elements 48

ABBREVIATIONS
BNM Bank Negara Malaysia

Board Board of Directors

CAE Chief Audit Executive

CG Guide Corporate Governance Guide

COSO Committee of Sponsoring Organizations of the Treadway Commission

ERM Enterprise Risk Management

ESG Environmental, Social and Governance

IIA Institute of Internal Auditors Inc.

IIA Malaysia The Institute of Internal Auditors Malaysia

IPPF International Professional Practices Framework

ISPPIA International Standards for the Professional Practice of Internal Auditing

KPI Key Performance Indicator

LR Bursa Malaysia Main Market Listing Requirements

MCCG Malaysian Code on Corporate Governance

MIA Malaysian Institute of Accountants

MSWG Minority Shareholder Watch Group

PDCG Policy Document on Corporate Governance of Bank Negara Malaysia

PDSG Policy Document on Syariah Governance of Bank Negara Malaysia

PS Malaysian Treasury Circular (Pekeliling Perbendaharaan)

QAIP Quality Assurance and Improvement Programme

SC Securities Commission Malaysia

1.0 INTRODUCTION

1.1 Objectives of this Guidance

a) This Guidance aims to provide internal auditors, Board of Directors, Audit Committees, and Management of all organisations, including the government and government agencies, the means to have an effective internal audit function by highlighting:

i. a comprehensive outline of the respective roles and responsibilities relating to internal auditing across a broad range of entities such as:
• public interest entities;
• public sector organisations; and
• private companies and businesses.

ii. the required performance and attributes that need to be demonstrated by the internal audit function;

iii. the competencies required, and the accompanying performance measurements of the internal audit function; and

iv. a systematic and structured approach to evaluate and improve the effectiveness of an organisation’s governance, risk, and controls.

b) For internal auditors, this Guidance is ancillary to The Institute of Internal Auditors Inc. (IIA) to provide a more holistic view of the form and substance of an effective internal audit function by including the perspectives and expectations of other stakeholders.

c) This Guidance aims to recommend best practices in achieving the following organisational objectives, where applicable:

i. Compliance with the Companies Act 2016, particularly Section 246 which stipulates that Directors of public companies, and its subsidiaries, are to have in place a system of internal control for their organisations;

ii. Compliance with the Bursa Malaysia Main Market Listing Requirements (LR), particularly paragraph 15.12(1)(e), which stipulates the functions of Audit Committees pertaining to the internal audit function;

iii. Adoption of the Malaysian Code on Corporate Governance 2021 (MCCG 2021), particularly Intended Outcome 11 and its ensuing practices, which stipulate that companies should have an effective governance, risk management and internal control framework, and that the Audit Committees should ensure that the internal audit function is effective and able to function independently;

iv. Compliance with the Policy Document on Corporate Governance (applicable to licensed banks, investment banks, Islamic banks, insurers, takaful operators, and financial holding companies) of Bank Negara Malaysia (2016), particularly Standard 8.3 and Standard 16.1, which respectively stipulate the roles of the Board and Senior Management in the governance and internal control framework of the institutions to which it applies;

v. Compliance with the Policy Document on Corporate Governance (applicable to developmental financial institutions) of Bank Negara Malaysia 2019 (PDCG 2019), particularly Standard 8.3 and Standard 16.1, which respectively stipulate the roles of the Board and Senior Management in governance and internal control;

vi. Compliance with the Policy Document on Shariah Governance (applicable to licensed Islamic banks, licensed takaful and retakaful operators, licensed banks, investment banks, and developmental financial institutions approved to carry on Islamic financial business, and Shariah committee members) of Bank Negara Malaysia 2019 (PDSG 2019), particularly Standard 8.1 and Standard 15.1, which respectively stipulate the roles of the Board and Senior Management in governance and internal control;

vii. Compliance with public sector statutes such as the Financial Procedure Act 1957 (Revised 1972), which provides for the control and management of the public finances of Malaysia and outlines financial and accounting procedures; and the Statutory Bodies (Accounts and Annual Reports) Act 1980, which provides for time limits relating to the preparation and submission of financial statements of statutory bodies;

viii. Compliance with the Malaysian Treasury Circular on Implementation of Internal Audit at Federal Ministries or Departments and State Governments (PS 3.1), which requires the establishment of internal audit functions at Federal Ministries or Departments and State Governments, the associated roles and responsibilities of the internal audit function and the Secretary General of Ministries, Head of Federal Departments and State Secretaries (hereinafter referred to as Chief Executive), and the requirement to be corporate members of The Institute of Internal Auditors Malaysia (IIA Malaysia);

ix. Compliance with the Malaysian Treasury Circular on Establishment of Audit Committees at Federal Ministries and State Governments (PS 3.2), which requires the establishment of Audit Committees at Federal Ministries and State Governments and the associated responsibilities of the Audit Committees;

x. Compliance with the Co-operative Societies Act 2013, particularly Section 42A, which requires every cooperative to establish an Internal Audit Committee with duties and responsibilities provided in the by-laws;

xi. Compliance with the Garis Panduan Tadbir Urus Syariah (GP 28) of the Malaysia Co-operative Societies Commission, which requires the establishment of an Internal Audit Committee within the Shariah governance structure that includes the Board, Shariah Committee and the Management of cooperatives; and

xii. Adherence to Guidelines on Shariah-based Management (Garis Panduan Umum Tadbir Urus Berteraskan Shariah) published by the Department of Islamic Development Malaysia in 2017, intended for federal Islamic institutions and agencies, and which emphasises Board effectiveness, risk management, compliance, internal controls, resource management, and procurement management.

d) The existence of an effective internal audit function is recommended for any organisation, regardless of regulatory compliance purposes, as it provides both an assurance and consulting function that adds strategic and operational value.

e) While the following sections are predominantly based on the internal audit function in public listed companies, the same principles can be applied to non-public listed companies and organisations as best practices.

1.2 Underpinning References of this Guidance

a) This Guidance is primarily based on the International Professional Practices Framework (IPPF) – the globally and nationally recognised conceptual framework that organises authoritative guidance promulgated by IIA.

b) In the internal audit universe, an effective internal audit function is expected to adhere to all elements of the IPPF as demonstrated in Figure 1 below:

[Figure 1 diagram: the Mission at the centre, surrounded by Mandatory Guidance (Core Principles, Definition, Code of Ethics, Standards) and an outer ring of Recommended Guidance (Implementation Guidance, Supplemental Guidance).]

Figure 1: Elements of the IPPF

c) Explanation on each element of the IPPF is summarised in Table 1 below:

Mission
Articulates the aspirations of an internal audit function within an organisation, which is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.

MANDATORY GUIDANCE

Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations, and helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Core Principles for the Professional Practice of Internal Auditing
Defines tangible internal audit effectiveness, where the presence of all ten Principles (as laid out in Section 4.0), would enable internal audit to function at maximum efficiency when operating cohesively.

International Standards for the Professional Practice of Internal Auditing (ISPPIA)
These Standards are principle-focused and provide a framework for performing and promoting internal auditing, and are primarily classified as Attribute Standards and Performance Standards (as outlined in Section 3.0), where:
• Attribute Standards address the characteristics of organisations and parties performing internal audit activities.
• Performance Standards describe the nature of internal audit activities and provide criteria against which the performance of these services can be evaluated.

Code of Ethics
States the principles and expectations governing the behavior of individuals and organisations in the conduct of internal auditing.

RECOMMENDED GUIDANCE

Implementation Guidance
Assists internal auditors in applying the ISPPIA.

Supplemental Guidance
Provides detailed processes and procedures for internal auditors.

Table 1: Summary of IPPF Elements

d) As internal auditors serve a broad range of stakeholders, sectors, and industries, the value of internal auditing depends on how well they support the objectives of the respective organisations, which in turn are subject to regulatory requirements and commercial considerations. As such, the notion of internal audit effectiveness has to be assessed in conjunction with the various regulatory frameworks and risks surrounding the organisations that internal auditors serve.

e) References are also drawn from publications of national regulatory bodies, statutory bodies, and professional institutions which form a body of knowledge relating to the internal audit function that can be utilised by any organisation that aspires to uphold the highest standard of corporate governance.

2.0 ROLES AND RESPONSIBILITIES IN RELATION TO THE INTERNAL AUDIT FUNCTION

2.1 The Board of Directors

a) The Board of Directors (“Board”) is responsible for a company’s governance, risk management, and internal controls as stipulated in Section 246 of the Companies Act 2016, and with duties and responsibilities stipulated in Section 213.

b) The responsibilities of the Board are also specified in Principle A: Board Leadership and Responsibilities of MCCG 2021. In this regard, the Board is to set appropriate policies and seek assurance that the supporting processes and activities are functioning effectively.

c) The Board is required to establish an Audit Committee per LR 15.09 to assist the Board in its oversight of the adequacy and effectiveness of the governance, risk management, and internal controls, as well as the performance of the internal audit function. These responsibilities are in addition to other oversight activities, such as the performance of the external auditors and the integrity of the company’s financial statements.

d) The MCCG 2021 emphasises that companies should have an effective governance, risk management and internal control framework in place and recommends the following best practices in relation to the internal audit function:

i. An internal audit function is established and appropriately positioned within the company.

ii. The person responsible for the internal audit function should report directly to the Audit Committee.

iii. The internal audit function should be independent of Management and the functions that it audits.

e) The Board must take cognisance that the mere appointment of an internal auditor is not sufficient to be considered as having an internal audit function, as it has to ensure that the internal audit function performs adequately and effectively based on performance attributes discussed at Section 3.0 of this Guidance.

2.2 The Audit Committee

a) The responsibility of the Audit Committee is specifically stipulated in LR paragraph 15.12 (1) (e) and (f), which outlines the functions of the Audit Committee for the private sector, while the responsibility of the Public Sector Audit Committee is specifically stipulated in the Malaysian Treasury Circular PS 3.2 for the public sector.

b) The Board, via the Audit Committee, should disclose the following as stipulated in Practice 11.2 of MCCG 2021:

i. whether internal audit personnel are free from any relationships or conflicts of interest, which could impair their objectivity and independence;

ii. the number of resources in the internal audit department;

iii. name and qualification of the person responsible for internal audit; and

iv. whether the internal audit function is carried out in accordance with a recognised framework.

c) The Audit Committee should decide on the following in accordance with Guidance 11.1 of MCCG 2021:

i. Appointment and removal of internal auditors;

ii. Scope of internal audit work;

iii. Performance evaluation of the internal audit function; and

iv. Budget of the internal audit function.

d) In deciding on the scope of the internal audit plan, the Audit Committee must be satisfied that:

i. internal audit personnel have relevant experience, sufficient standing and authority to enable the effective discharge of functions;

ii. the internal audit function has sufficient resources and is able to access information to enable it to carry out its role effectively; and

iii. internal audit personnel have the necessary competency, experience and resources to carry out the function effectively.

e) The Audit Committee is to consider the following, as recommended in the publication on Effectiveness of Internal Audit Function: Thematic Review Findings and Key Takeaways (Bursa Malaysia and IIA Malaysia, 2021):

i. regularly reviewing the sufficiency of the scope of the internal audit function in providing relevant assurance on the adequacy and operating effectiveness of governance, risk and control processes as promulgated by the Statement on Risk Management and Internal Control – Guidelines for Directors of Listed Issuers issued by Bursa Malaysia (2012); and

ii. requiring the internal audit function to adopt a globally recognised framework for internal auditing such as the IPPF of the IIA.

f) To provide more clarity for Audit Committees with regards to their duties relating to the internal audit function, the Bursa Malaysia Corporate Governance Guide – Pull-Out I (2021) provided a set of questions relating to the internal audit function (refer to Appendix 1).

g) A template for the Audit Committee’s evaluation of the effectiveness of the internal audit function is presented in the Bursa Malaysia Corporate Governance Guide – Pull-Out II (2021) (refer to Appendix 2).

h) In the public sector, the role of the Public Sector Audit Committee as set out in Paragraph 5 of PS 3.2 is as follows:

i. reviewing and examining the state of internal controls and information controls;

ii. reporting on the effectiveness of accounting and financial systems and internal control as an early notification of weakness at Federal Government / State Government;

iii. reviewing the annual internal audit plan and making recommendations before approval by the Chief Executive and subsequent presentation to the Treasury of Malaysia;

iv. ensuring the internal audit function is provided with appropriate access in carrying out their duties and that there are no unreasonable hindrances;

v. ensuring the internal audit function is adequately resourced and is staffed with competent personnel for effective functioning;

vi. reviewing reports from the internal audit function and the National Audit Department to ensure all reported issues are resolved and noting on follow-up actions; and

vii. considering and recommending studies on improving the effectiveness of the internal audit function and quality assurance.

2.3 Management

a) Management’s role is to establish and maintain governance, risk management, and internal control processes, while the internal audit function, being independent of Management, evaluates the adequacy and effectiveness of these processes and recommends improvements.

b) Management owns the operational and business processes in an organisation and is thus accountable for creating, sustaining and improving a particular process, as well as being responsible for the outcomes of the process.

c) Management can support the internal audit function by:

i. inviting internal auditors as observers to management meetings and deliberations on governance, risk management, and internal control processes;

ii. inviting internal auditors to steering committees on process improvements without transferring their responsibilities as process owners;

iii. providing unrestricted access to information, records, physical properties, and personnel that are relevant to internal audit work;

iv. providing input and feedback to the internal audit planning process;

v. providing budgetary and resource support for the internal audit function as approved by the Audit Committee;

vi. providing adequate infrastructures such as work stations, telecommunication facilities and connectivity; and

vii. implementing internal audit recommendations to improve the effectiveness of governance, risk management, and internal control processes.

d) In the public sector, the Chief Executive has the following duties as set out in Paragraph 5.1 of PS 3.1:

i. reviewing and approving the annual audit plan and audit reports;

ii. ensuring that the internal audit function is independent and does not involve itself in the operations of the organisation;

iii. ensuring that the internal audit function is given the freedom to examine all relevant documents for auditing purposes;

iv. following up on previous audits and determining if remedial actions have been effectively implemented;

v. participating in management and policy meetings; and

vi. ensuring that internal audit personnel enhance their knowledge and skills in performing audit duties.

2.4 Internal Audit Function

a) Internal auditing is an independent, objective assurance and consulting function designed to add value and improve an organisation’s operations, as defined in the IPPF. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and internal control processes. The internal audit function works to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight.

b) The internal audit function is to be headed by a CAE who must be a person of calibre who demonstrates the attributes of integrity, intellectual curiosity, focus on audit quality, and possesses skills relating to technical, business, communication, and people management. These are essential as the incumbent is required to interact and partner with the Board, Audit Committee and Management, while maintaining independence and objectivity.

c) Guidance 11.1 of MCCG 2021 states that an internal audit function helps a company to accomplish its goals by bringing an objective and disciplined approach to evaluate and improve the effectiveness of risk management, internal control, anti-corruption, whistle-blowing and governance processes. This function serves as an important source of advice for the Audit Committee and the Board pertaining to weaknesses or deficiencies in internal processes to facilitate appropriate remedial measures by the company. It has also included the evaluation and improvement of anti-corruption and whistleblowing processes as part of the role of internal audit.

d) Some of the key activities of an internal audit function as stated in the Bursa Malaysia Corporate Governance Guide (2021) are listed in Table 2 below:

i. review and evaluate the governance, risk and control environment in organisations;

ii. review the implementation of prescribed authoritative practices and the governance structure accountable for these practices;

iii. systematic analysis of business processes to identify associated controls;

iv. feedback on adherence to codes of conduct or ethics;

v. assessment of fraud and irregularity reporting;

vi. follow up on the status of post-audit management implementations;

vii. ad-hoc reviews on financial reporting matters, strategic transactions, and contractual obligations; and

viii. value-added recommendations on efficiency and effectiveness of resource utilisations.

Table 2: Key Activities of an Internal Audit Function in Public Listed Companies

e) In the public sector, the internal audit function has a scope of work as set out in Paragraph 4.2 of PS 3.1, listed in Table 3 below:

i. review the reliability and effectiveness of the financial system and internal controls of the organisation;

ii. review the compliance of all policies, laws, regulations, and instructions that are in force;

iii. review effectiveness and efficiency of organisational activities;

iv. review the safeguarding of assets and rights against loss, fraud, and leakages;

v. provide opinion and advice relating to internal controls of all systems, including information, communication and technology systems;

vi. report audit outcomes and follow-up actions on audit issues to the Chief Executive;

vii. prepare the annual audit plan and internal audit reports for the approval of the Chief Executive; and

viii. present annual audit plans and audit reports in Audit Committee meetings.

Table 3: Key Activities of an Internal Audit Function in the Public Sector

f) In further providing clarity with regards to the effectiveness of the internal audit function, the Bursa Malaysia Corporate Governance Guide – Pull-Out II (2021) provides some sample questions which may be used to assist the process of evaluation (refer to Appendix 2).

g) Internal auditors should continuously keep abreast with developments in the profession, relevant industry and regulations to ensure they are able to perform their role effectively, including undertaking root-cause analysis to provide strategic advice and suggest meaningful business improvements. This can be achieved by adhering to IIA’s Internal Audit Competency Framework (see Section 5.0).

3.0 CHARACTERISTICS OF AN EFFECTIVE INTERNAL
AUDIT FUNCTION
a) The mandatory Attribute Standards of the ISPPIA addresses the
characteristics of organisations and parties performing internal audit
activities, and are summarised in Table 2 below:

ATTRIBUTE STANDARD: KEY REQUIREMENT

1000 – Purpose, Authority, and Responsibility: The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter that is periodically reviewed.

1100 – Independence and Objectivity: The internal audit activity must be independent, and internal auditors must be objective in performing their work.

1200 – Proficiency and Due Professional Care: Internal auditors must possess the knowledge, skills, and other competencies, and must apply the care and skills expected of a reasonably prudent and competent internal auditor.

1300 – Quality Assurance and Improvement Programme: The Chief Audit Executive (CAE) must develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity.

Table 4: Attribute Standards of the ISPPIA

b) The mandatory Performance Standards of the ISPPIA describe the nature of internal audit activities and provide criteria against which the performance of these services can be evaluated, as shown in Table 3 below:

PERFORMANCE STANDARD: KEY REQUIREMENT

2000 – Managing the Internal Audit Activity: The CAE must effectively manage the internal audit activity to ensure it adds value to the organisation. The internal audit activity adds value to the organisation and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.

2010 – Planning: The CAE must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals. To develop the risk-based plan, the CAE is to consult with Senior Management and the Board to obtain an understanding of the organisation’s strategies, key business objectives, associated risks, and risk management processes. The CAE must review and adjust the plan, as necessary, in response to changes in the organisation’s business, risks, operations, programmes, systems, and controls.

2020 – Communication: The CAE must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to Senior Management and the Board for review and approval. The CAE must also communicate the impact of resource limitations.

2030 – Resource Management: The CAE must ensure that internal audit resources are appropriate (by having a mix of knowledge, skills, and other competencies needed to perform the plan), sufficient (by having enough resources needed to accomplish the plan), and effectively deployed to achieve the approved plan.

2040 – Policies and Procedures: The CAE must establish policies and procedures to guide the internal audit activity; the form and content of these policies and procedures depend on the size and structure of the internal audit activity and the complexity of its work.

2050 – Co-ordination and Reliance: The CAE should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication of efforts.

2060 – Reporting to Senior Management and the Board: The CAE must report periodically to Senior Management and the Board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risks and control issues, including fraud risks, governance issues, and other matters that require the attention of Senior Management and/or the Board.

2070 – External Service Provider and Organisational Responsibility for Internal Auditing: When an external service provider serves as the internal audit activity, the provider must make the organisation aware that the organisation has the responsibility for maintaining an effective internal audit activity, which is demonstrated through the quality assurance and improvement programme which assesses conformance with the Code of Ethics and the ISPPIA.

2100 – Nature of Work: The internal audit activity must evaluate and contribute to the improvement of the organisation’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.

2110 – Governance: The internal audit activity must assess and make appropriate recommendations to improve the organisation’s governance processes for making strategic and operational decisions, overseeing risk management and control, promoting appropriate ethics and values within the organisation, ensuring effective organisational performance management and accountability, communicating risk and control information to appropriate areas of the organisation, and coordinating the activities of, and communicating information among, the Board, external and internal auditors, other assurance providers, and Management.

The internal audit activity must evaluate the design, implementation, and effectiveness of the organisation’s ethics-related objectives, programmes, and activities, as well as assess whether the information technology governance of the organisation supports the organisation’s strategies and objectives.

2120 – Risk Management: The internal audit activity must evaluate the effectiveness of, and contribute to the improvement of, risk management processes by determining whether risk management processes effectively support organisational objectives and are aligned with the organisation’s mission, whether significant risks are identified and assessed, whether appropriate risk responses that align with the organisation’s risk appetite are selected, and whether relevant risk information is captured and communicated in a timely manner so as to enable staff, Management and the Board to carry out their responsibilities.

2130 – Control: The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organisation’s governance, operations, and information systems regarding the achievement of the organisation’s strategic objectives, reliability and integrity of financial and operational information, effectiveness and efficiency of operations and programmes, safeguarding of assets, and compliance with laws, regulations, policies, procedures, and contracts.

2200 – Engagement Planning: Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organisation’s strategies, objectives, and risks relevant to the engagement.

2210 – Engagement Objectives: Objectives must be established for each engagement by conducting a preliminary assessment of the risks relevant to the activity under review, and the engagement objectives must reflect the results of this assessment. Internal auditors must also consider the probability of significant errors, fraud, non-compliance, and other exposures.

2220 – Engagement Scope: The established scope must be sufficient to achieve the objectives of the engagement, which must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

2230 – Engagement Resource Allocation: Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

2240 – Engagement Work Programme: Internal auditors must develop and document work programmes that achieve the engagement objectives by including the procedures for identifying, analysing, evaluating, and documenting information during the engagement.

2300 – Performing the Engagement: Internal auditors must identify, analyse, evaluate, and document sufficient information to achieve the engagement’s objectives.

2310 – Identifying Information: Internal auditors must identify sufficient, reliable, relevant, and useful information to support engagement observations and recommendations that is consistent with the objectives of the engagement.

2320 – Analysis and Evaluation: Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

2330 – Documenting Information: Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions. The CAE must control access to engagement records, and must obtain the approval of Senior Management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2340 – Engagement Supervision: Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff are developed. The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement.

2400 – Communicating Results: Internal auditors must communicate the results of engagements, which support recommendations and conclusions, to the appropriate parties, allowing Management to take appropriate corrective action.

2410 – Criteria for Communicating: Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans. Final communication of engagement results must, where appropriate, contain the internal auditors’ opinion and/or conclusions, which take account of the expectations of Senior Management, the Board, and other stakeholders.

2420 – Quality of Communications: Communications must be accurate, objective, clear, concise, constructive, complete, and timely to support recommendations and conclusions, allowing Management to take appropriate corrective action.

2430 – Use of “Conducted in Conformance with the ISPPIA”: Indicating that engagements are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing” is appropriate only if supported by the results of the quality assurance and improvement programmes.

2440 – Disseminating Results: The CAE must communicate results to the appropriate parties who can ensure that the results are given due consideration, and is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated.

2450 – Overall Opinions: When an overall opinion is issued, it must take into account the strategies, objectives, and risks of the organisation, and the expectations of Senior Management, the Board, and other stakeholders. The overall opinion must be supported by sufficient, reliable, relevant, and useful information.

2500 – Monitoring Progress: The CAE must establish and maintain a system to monitor the disposition of results communicated to Management by way of establishing a follow-up process to monitor and ensure that management actions have been effectively implemented or that Senior Management has accepted the risk of not taking action.

2600 – Communicating the Acceptance of Risks: When the CAE concludes that Management has accepted a level of risk that may be unacceptable to the organisation, the CAE must discuss the matter with Senior Management. If the CAE determines that the matter has not been resolved, the CAE must communicate the matter to the Board.

Table 5: Performance Standards of the ISPPIA

c) The CG Guide 2021 further reinforced this with the following salient
characteristics that are commonly exhibited by effective internal audit
functions:

i. Internal auditors that are objective and free from undue influence;

ii. Internal audit function that is adequately resourced;

iii. Internal audit function that is appropriately positioned and with unrestricted access to the necessary and relevant information, records, physical properties and personnel; and

iv. Internal audit coverage that is aligned with the strategies and risks of the
company.

d) In operationalising the above, the MCCG 2021 recommends that Audit Committees satisfy themselves that:

i. the person responsible for internal audit has relevant experience, sufficient standing and authority to enable the internal auditor to discharge his functions effectively;

ii. internal audit has sufficient resources and is able to access information
to enable it to carry out its role effectively; and

iii. the personnel assigned to undertake internal audit have the necessary
competency, experience and resources to carry out the function effectively.

e) In the Shariah audits of Islamic Financial Institutions (“IFI”) as stipulated in PDSG 2019, Shariah audits refer to a function that provides an independent assessment on the quality and effectiveness of the IFI’s internal control, risk management systems, governance processes as well as the overall compliance with operations, business, affairs and activities within the IFI.

f) Standard 19.2 of PDSG 2019 stipulates that a Shariah audit function must:

i. establish an audit methodology to assess the risk profile and vulnerabilities of each auditable area;

ii. generate an audit plan for the assignments to be performed;

iii. establish clearly documented audit programmes that provide guidance to the internal auditors in gathering information, auditing procedures and audit assessment; and

iv. communicate results to the Board and Shariah committee through an audit report, detailing the audit findings and recommendations for rectification measures, as well as the auditee’s responses and action plans.

g) The vital role of internal audit is also illustrated in IIA’s Three Lines Model as
depicted in Figure 2 below:

[Figure 2 legend: Accountability, reporting; Delegation, direction, resources, oversight; Alignment, communication, coordination, collaboration]

Figure 2: The IIA’s Three Lines Model

h) The Governing Body relates to the Board and Audit Committee, to which the
internal audit function is accountable and reports to. The First Line role
relates to the process owners at the operational and functional level, while
the Second Line role relates to compliance and risk management functions.
The Third Line relates to the internal audit function, which evaluates the
adequacy and effectiveness of the First and Second Lines and reports the
same to the Board and Audit Committee.

4.0 CORE PRINCIPLES FOR THE PROFESSION OF
INTERNAL AUDITING
4.1 An internal audit function is considered to be effective in enhancing and
protecting organisational value when it demonstrates achievement of
the Core Principles for the Professional Practice of Internal Auditing of the
IPPF, which is more elaborately laid out in the Practice Guide on
Demonstrating the Core Principles for the Professional Practice of Internal
Auditing. The Core Principles are illustrated in Figure 3 below:

Figure 3: Core Principles for the Professional Practice of Internal Auditing

4.1.1 Principle 1: Demonstrates Integrity

a) Internal auditors are to apply and uphold the principles of integrity, objectivity, confidentiality, and competency as encapsulated in the Code of Ethics of IIA.

b) An internal auditor demonstrates integrity when:

i. Performing tasks honestly, diligently, and responsibly;

ii. Making appropriate disclosures when communicating with the Audit Committee, Management, and regulatory authorities, where applicable;

iii. Supporting ethical conduct of the organisation and reporting illegal or discreditable acts; and

iv. Maintaining confidentiality of information acquired in the course of their work.

4.1.2 Principle 2: Demonstrates Competence and Due Professional Care

a) The internal audit function is to collectively possess the required competencies to adequately address the extent and complexity of audit coverage over the organisation’s operations.

This includes ensuring that internal auditors are equipped with:

i. Appropriate qualifications such as Certified Internal Auditor; and

ii. Necessary skills through experience, training, and continuing professional education such as courses offered by IIA Malaysia.

b) Internal auditors are expected to exercise due professional care by applying the care and skills expected of a reasonably prudent and competent internal auditor. Due professional care requires understanding and applying the IPPF’s systematic and disciplined approach to internal auditing, which is supplemented by function-specific policies and procedures established by the CAE.

4.1.3 Principle 3: Objective and Free from Undue Influence

a) The reporting relationships of the CAE and internal auditors must not impede the exercise of independent judgement by internal auditors. In particular, internal audit reports should not be subject to the influence of the Chief Executive Officer or Management.

b) The Audit Committee is responsible for establishing an appropriate mechanism to address and manage situations where there is a threat to internal auditors’ independence and objectivity. For example, conflict of interest policies may prohibit internal auditors from auditing functions where they held functional responsibilities in the past twelve months or those they are currently responsible for. In the event that the internal audit function is required to undertake activities other than internal audit, the Audit Committee must put in place adequate safeguards to address perceived or actual impairments to the independence of the internal audit function.

c) The Audit Committee must ensure that the Internal Audit Charter
addresses the independence and objectivity of the internal audit
function and describes how these will be maintained, such as
prohibiting internal auditors from having operating responsibility or
authority over areas audited.

d) The Audit Committee must ensure that the CAE confirms the
organisational independence of the internal audit function at least
once a year.

4.1.4 Principle 4: Aligns with the Strategies, Objectives, and Risks of the
Organisation

a) The internal audit function is to ensure that the risk-based audit plan
is aligned with the organisation’s strategies, objectives, and risks, and
is developed in consultation with Management. This plan is intended
to ensure that the internal audit scope of coverage adequately
examines areas with the greatest exposure to the key risks that
could affect the organisation’s ability to achieve its objectives. The
risk-based plan must be reviewed and revised when deemed
necessary, in response to changes in the organisation’s business,
risks, operations, programmes, systems, and controls.

b) The Audit Committee is to ensure that the CAE:

i. participates as an observer in management and committee meetings, such as the Risk Management Committee and Information Technology Steering Committee, to keep abreast of any changes to the organisation’s business operations, risks, and controls, but is not involved in any decision-making process;

ii. reviews the corporate structure and organisational chart to identify the organisation’s stakeholders, structure, and reporting relationships as part of the planning process; and

iii. analyses the organisation’s strategic plan to gain insight into strategies, objectives, and risks, including trends and emerging issues.

4.1.5 Principle 5: Appropriately Positioned and Adequately Resourced

a) The CAE is to report functionally to the Audit Committee and administratively to the Chief Executive Officer or equivalent. The CAE must be positioned at a level of sufficient seniority in the organisation to be recognised as an authoritative voice.

b) The Internal Audit Charter must specify the level of authority, including
unrestricted access to information, records, physical properties, and
personnel required for the internal audit function to perform
engagements and to fulfil its agreed-upon objectives and
responsibilities.

c) The Audit Committee must consider resourcing the internal audit
function to ensure that:

i. there is adequate manpower and supporting infrastructure, such as auditing tools, knowledge repositories and databases, to cover key risk areas of the organisation’s operations within a reasonable time frame;

ii. co-sourcing is undertaken to supplement manpower and skills required by the internal audit function, when necessary; and

iii. internal auditors have the required qualifications, competence, and experience.

d) The CAE must ensure that the internal audit function’s resources are:

i. appropriate in terms of the mix of knowledge, skills, and other competencies needed to perform the audit plan;

ii. sufficient in terms of the number of resources needed to perform the planned audits, such as manpower, equipment, technology, and time; and

iii. effectively deployed to optimise the achievement of the approved audit plan.

e) Public listed companies are also recommended by the Minority Shareholders Watch Group (MSWG) to prioritise and allocate more resources to the internal audit function, based on its finding in the MSWG-ASEAN CG Scorecard 2019 assessment, which indicates that the financial investment in the internal audit function was not commensurate with the level of operations and risks faced by the organisation.

4.1.6 Principle 6: Demonstrates Quality and Continuous Improvement

a) The internal audit function is to have a continuous quality assurance and improvement programme that covers all aspects of an internal audit function and includes both internal and external assessments. This programme should:

i. evaluate the internal audit function’s conformance with ISPPIA;

ii. assess the efficiency and effectiveness of the internal audit function and identify opportunities for improvement; and

iii. evaluate whether internal auditors have adhered to the IIA Code of Ethics.

b) Internal assessments must include:

i. ongoing monitoring of the performance of the internal audit function; and

ii. periodic self-assessments or assessments by other persons within the organisation who have sufficient knowledge of internal audit practices.

c) External assessments must be conducted at least once in every five years by a qualified, independent assessor or assessment team from outside the organisation. In the selection of the independent assessor, the Audit Committee must discuss with the CAE:

i. the scope and frequency of the external assessment; and

ii. the qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

d) The CAE must communicate the results of both assessments to the Audit Committee, and the Audit Committee must ensure that corrective action plans are undertaken.

4.1.7 Principle 7: Communicates Effectively

a) The Audit Committee is to expect communications from the CAE regarding:

i. the audit work objectives, scope, and applicable recommendations and/or action plans arising from the internal audit work performed;

ii. the internal audit function’s resource requirements, including significant interim changes, impact of resource limitations, and any other challenges;

iii. situations where the internal audit function does not conform to the IPPF. The reason(s) for non-conformance, any alternative measures taken, and the impact of non-conformance on the overall scope or operation of the internal audit function should also be communicated; and

iv. scope limitations and their impact on the overall audit opinion.

b) Communications are to be accurate, objective, clear, concise, constructive, complete, and timely. Communicating effectively with the Audit Committee and Management is an essential responsibility of the CAE.

c) The CAE must discuss with the Audit Committee and Management
to:

i. understand their reporting expectations;

ii. determine the frequency and form of internal audit reporting; and

iii. agree in advance on protocols for reporting on important and urgent risk or control events and the related actions to be taken by the Audit Committee and Management.

4.1.8 Principle 8: Provides Risk-based Assurance

a) The internal audit function is to use a risk-based approach to conduct assurance work. All risk areas should be identified and prioritised to provide an independent assessment of the organisation’s governance, risk management, and internal control processes. Assurance work includes financial, performance, compliance, system security, and due diligence audit work.

b) Internal auditors can identify key risks by reviewing the organisation’s risk profile and from discussions with the Risk Management Department, if available, while taking into account the organisation’s risk appetite. Internal auditors need to understand the organisation’s business to perform meaningful evaluations and may use established governance, risk management, and control frameworks to guide them in their evaluation. Additionally, internal auditors may use their knowledge, experience, and best practices to proactively highlight observed weaknesses and make recommendations for improvement.

c) The Audit Committee must enquire if there were any areas where
Management has accepted a level of risk that may be unacceptable
to the organisation, and subsequently must deliberate on the risk
and consider further necessary action.

4.1.9 Principle 9: Insightful, Proactive, and Future-focused

a) The CAE should:

i. document and discuss relevant observations and conclusions from audit work with Management;

ii. make recommendations to strengthen processes;

iii. escalate significant observations from assurance work to the Audit Committee;

iv. communicate insights on governance, risk management, and
internal control processes that can contribute to positive changes
in the organisation’s practices; and

v. communicate risk-based assessments that address current and future conditions that test the organisation’s preparedness for factors that enable and factors that inhibit the organisation’s success.

b) Internal auditors should be proactive, and their evaluations should identify root-causes of issues and exceptions, offer new insights, and consider future impact. This begins with the audit planning process, where internal auditors should consider industry developments and trends. Data analytics can be employed in audit work to provide insights and identify potential risks that have a future impact on the organisation.

4.1.10 Principle 10: Promotes Organisational Improvement

a) The internal audit function is to assess and make appropriate recommendations to improve the processes for:

i. making strategic and operational decisions;

ii. promoting appropriate ethics and values within the organisation;

iii. ensuring effective organisational performance management and accountability;

iv. coordinating the activities of and communicating information among the Audit Committee, external auditors, other assurance providers, and Management;

v. ensuring that organisational objectives support and align with the organisation’s mission;

vi. identifying and assessing significant risks;

vii. ensuring that appropriate risk responses are selected to align risks with the organisation’s risk appetite;

viii. capturing relevant risk information and communicating such information in a timely manner across the organisation to enable staff, Management, and the Board to carry out their responsibilities;

ix. enhancing the control environment, such as tone at the top that
promotes a culture of ethical behaviour and a low tolerance for
non-compliance; and

x. communicating risk and control information to appropriate areas of
the organisation.

4.2 A series of articles published by IIA (2018) titled “Insights to Quality: How
The IIA Core Principles Support Successful Internal Audit Practices”
provides further literature to promote the adherence to the core principles
that is recommended to be validated by Quality Assessments and
Improvement Programme of IIA (see Section 7.0).

5.0 INTERNAL AUDIT COMPETENCY FRAMEWORK

a) In efforts to further enhance the effectiveness of the internal audit function, the Internal Audit Competency Framework was developed by IIA (2020), which provides a clear and concise professional development plan for internal auditors at every level of their careers.

b) The Framework defines four knowledge areas as illustrated in the diagram
below with three distinct competency levels of (1) general awareness; (2)
applied knowledge, and (3) expert.

Figure 4: Internal Audit Competency Framework

c) The Competency Framework can be used to support:

i. training and professional development activities;

ii. scheduling of resources for internal audit engagements;

iii. decisions regarding the use of third-party subject matter experts for
internal audit engagements;

iv. identification of professional certification requirements;

v. hiring of new staff into internal audit; and

vi. succession planning for the CAE and experienced internal auditors.

6.0 ROLE OF THE INTERNAL AUDIT FUNCTION IN
ENVIRONMENTAL, SOCIAL, AND GOVERNANCE (ESG)
PERFORMANCE AND REPORTING
a) The United Nations’ Sustainable Development Goals (SDGs), a blueprint to end poverty, reduce inequality, and spur economic growth while tackling climate change, were adopted in 2015 by the United Nations General Assembly with the aim of achieving a better and more sustainable future for all by 2030.

b) In this regard, the internal audit function is to play the Third Line role in
providing independent and objective assurance and advice on the adequacy
and effectiveness of governance and risk management in relation to ESG
matters.

c) Internal Audit Foundation et al. (2022) published a white paper on “Prioritizing Environmental, Social and Governance: Exploring Internal Audit’s Role as a Critical Collaborator” which outlines how organisations utilise internal audit functions to support ESG initiatives and build confidence in ESG disclosures.

d) The IIA (2021) publication on Internal Audit’s Role in ESG Reporting: Independent Assurance is Critical to Effective Sustainability Reporting more specifically recommended that the internal audit function provides:

i. assurance by
• reviewing ESG reporting metrics for relevancy, accuracy, timeliness,
and consistency;
• reviewing ESG reporting for consistency with formal financial
disclosure filings;
• conducting materiality or risk assessments on ESG reporting; and
• incorporating ESG into audit plans.

ii. advisory by
• building an ESG control environment;
• recommending reporting metrics; and
• advising on ESG governance.

e) Effective Board leadership and oversight require the management of ESG issues to create durable and sustainable value and maintain the confidence of their stakeholders, as also stated in Practice 4.2 of MCCG 2021, which recommends that the Board takes into account sustainability considerations when exercising its duties including, among others, the development and implementation of company strategies, business plans, major plans of action and risk management.

f) The Board’s role specifically with regards to ESG is to ascertain that Management has identified material ESG risks faced by the company, and whether controls are in place to ensure ESG information is reliable.

g) A Sustainability Reporting Guide was also published by Bursa Malaysia
which provides specific guidance on the information that should be disclosed
when a public listed company makes a Sustainability Statement in the
annual report in accordance with the Listing Requirements. Reference is also
made to the Enterprise Risk Management: Integrating with Strategy and
Performance published by COSO (2017) which provides guidance on
integrating ESG risks into the Enterprise Risk Management (ERM) structure
and processes of an organisation.

7.0 QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME (QAIP) FOR THE INTERNAL AUDIT
FUNCTION

a) A comprehensive Quality Assurance and Improvement Programme (QAIP)
can assist in demonstrating achievement of the Core Principles, as stated
in the “Insights to Quality: How the IIA Core Principles Support Successful
Internal Audit Practices” by IIA (2018). The QAIP includes an on-going
monitoring process to promote quality on an audit-by-audit basis and a
periodic internal assessment process that evaluates conformance with the
Standards and the IIA Code of Ethics in periods between external
assessments. Both internal and external assessments are tools for confirming
effectiveness and continuous improvement.

b) The CAE must develop and maintain a quality assurance and improvement
programme that covers all aspects of the internal audit activity, as stated
in Standard 1300 of the ISPPIA, which are to include both internal and
external assessments.

c) Standard 1311 of ISPPIA requires internal assessments which include:

i. ongoing monitoring of the performance of the internal audit activity; and

ii. periodic self-assessments or assessments by other persons within the
organisation with sufficient knowledge of internal audit practices.

d) Standard 1312 requires external assessments at least once every five years
by a qualified, independent assessor or assessment team from outside the
organisation, such as assessors from IIA Malaysia. The CAE must discuss
with the Board:

i. the form and frequency of external assessments; and

ii. the qualifications and independence of the external assessor or
assessment team, including any potential conflict of interest.

e) External assessments may be accomplished through a full external
assessment, or a self-assessment with independent external validation.
The external assessor must conclude as to conformance with the Code of
Ethics and the Standards; the external assessment may also include
operational or strategic comments.

f) The CAE must communicate the results of the QAIP to Senior Management
and the Board (Standard 1320). Disclosure should include:

i. the scope and frequency of both the internal and external assessments;

ii. the qualifications and independence of the assessor(s) or assessment
team, including potential conflicts of interest;

iii. conclusions of assessors; and

iv. corrective action plans.

8.0 OUTSOURCING AND CO-SOURCING OF THE INTERNAL AUDIT FUNCTION

a) Outsourcing and co-sourcing (partially outsourcing) of the internal audit
function can be undertaken after an assessment of the quality, experience
and expertise of the function, and whether it is appropriate for the business
of the company, as stated in the Corporate Governance Guide of Bursa
Malaysia (2021).

b) Notwithstanding such arrangements, the Audit Committee still retains the
duty to ensure that relevant criteria, such as independence, qualification,
skills and experience, adequacy of resources, and remuneration have been
considered for the work to be carried out effectively.

c) Where there is no in-house internal audit function or group internal auditors,
the Audit Committee must engage external firms to provide internal audit
services to the organisation. The Audit Committee is responsible for ensuring
that the scope of audit work performed by the external firm is sufficient
to provide reasonable assurance on the governance, risk management, and
internal control processes. The scope of audit work must be comprehensive
and cover key risks and controls.

d) The Audit Committee is to consider the following in outsourcing the internal
audit function, as published in the Corporate Governance Guide – Pull-Out I
of Bursa Malaysia (2021):

i. assessment of outsourcing risks (e.g. contracts and confidentiality
agreements including any sub-contracting arrangements);

ii. scope of internal audit work to be outsourced;

iii. service provider selection process including the independence,
qualification, skills and experience, as well as knowledge;

iv. adequacy of resources deployed and remuneration of the outsourced
service provider;

v. internal audit framework adopted by the outsourced service provider;

vi. roles and responsibilities of the outsourced service provider;

vii. access to information, records, physical properties, and personnel
as well as the reporting workflow;

viii. effectiveness of the internal audit service rendered by the
outsourced service provider; and

ix. continuity of such service (for subsequent outsourcing arrangements).

Table 6: Considerations in the Outsourcing of the Internal Audit Function

e) If the function is outsourced, disclosure in conjunction with Practice 11.2
of MCCG 2021, and as stated in Corporate Governance Guide – Pull-Out I
of Bursa Malaysia (2021) shall include:

i. name of the outsourced service provider/external firm;

ii. name and qualification of the lead individual in charge of the engagement
(from the outsourced service provider/external firm); and

iii. number of resources deployed by the outsourced service provider/
external firm for the said engagement.

f) For co-sourced internal audit functions, disclosure is to be on both the
name and qualification of the CAE as well as that of the lead individual
in charge of the engagement from the outsourced service provider/external
firm. A statement should also be made on the nature of work that is
outsourced.

g) The implication of these considerations and disclosures is that it is in
the interest of the organisation to engage service providers who uphold the
highest standard of internal audit practice as represented by individuals who
are certified by IIA, and to provide stakeholders with information on the
adequacy and effectiveness of the function.

h) In a study by the Malaysian Institute of Accountants and IIA Malaysia (2017),
it is recognised that many co-sourcing or outsourcing arrangements with
external service providers have been effective in helping organisations obtain
internal audit services that contribute to management’s control objectives.
However, there must be safeguards by the Board to ensure that the internal
audit function is performed efficiently and effectively in conformance to the
IPPF.

9.0 MEASURING INTERNAL AUDIT PERFORMANCE

a) The notion of internal audit performance may be subject to differing
expectations by various stakeholders and may vary across sectors,
industries, geographies, organisational size, and culture.

b) The IPPF Practice Guide – Measuring Internal Audit Effectiveness and
Efficiency (2010) provides that in addition to compliance with the Standards,
internal auditing’s performance measurement objectives may include the
following specific measures:

i. level of contribution to the improvement of risk management and control
and governance processes;

ii. achievement of key goals and objectives assigned;

iii. evaluation of progress against audit plan;

iv. staff productivity;

v. cost efficiency of the audit process;

vi. number of action plans for process improvements;

vii. effectiveness in meeting the needs of stakeholders; and

viii. the sufficiency of quality assurance reviews.

c) The achievement of the above measures can be determined by methods
and criteria as shown in Figure 5 below, and examples of performance
measurement metrics, dashboards, and client feedback surveys are
provided in Appendix 3, 4 and 5, respectively:

Source: IPPF Practice Guide – Measuring Internal Audit Effectiveness and Efficiency (2010)
Figure 5: Internal Audit Performance Measurement Methodologies and Criteria

d) The internal audit function can consider utilising Balanced Scorecards in
internal auditing to manage and measure internal audit performance through
Key Performance Indicators (KPIs) which allow showcasing of its contribution
and achievements, as proposed in the whitepaper on Balanced Scorecard
Reporting by IIA Australia (2019).

e) The Balanced Scorecard is proposed by the Internal Audit Community of
Practice (2020) to have quadrants as shown in Figure 6 below:

[Figure 6 layout: four quadrants arranged around a central “Added Value”
element: 01 Internal Stakeholders; 02 External Stakeholders; 03 Internal
Auditors; 04 Audit Clients.]

Source: Internal Audit Community of Practice (2020).
Figure 6: Proposed Balanced Scorecard for Internal Audit Functions

f) In setting KPIs, the criteria employed are illustrated in Figure 7 below:

Source: Internal Audit Community of Practice (2020).
Figure 7: Criteria Employed in Internal Audit KPI Setting

g) Examples of KPIs of an internal audit function are provided in Appendix 6.

h) The 10 action steps for the implementation of the Balanced Scorecard and
KPI reporting are provided by IIA Australia (2019) in Figure 8 below:

i. Step 1: Collaborate with the Audit Committee and Chief Executive Officer
to agree on establishment of balanced scorecard reporting;

ii. Step 2: Establish KPIs in consultation with the Audit Committee and
Chief Executive Officer;

iii. Step 3: Incorporate KPIs and the requirement for Balanced Scorecard
reporting in the Internal Audit Charter;

iv. Step 4: Modify the internal audit QAIP to establish a source of
assurance that integrity of reporting is being maintained;

v. Step 5: Develop and document key elements of the reporting
arrangements;

vi. Step 6: Inform internal audit leaders and auditors (including
outsourced and co-sourced service providers) of the introduction of
balanced scorecard reporting;

vii. Step 7: Modify the personal performance goals of internal audit
leaders and auditors so there is a direct and clearly understood
relationship between personal goals and those of the internal audit
function;

viii. Step 8: Provide visibility to internal audit leaders and auditors on
how their personal goals align to the KPIs of the internal audit function
as reported through the balanced scorecard report;

ix. Step 9: Design and introduce balanced scorecard reporting that suits
the needs and expectations of the Audit Committee; and

x. Step 10: Periodically refine the performance measures (KPIs) so the
scorecard remains relevant.

Figure 8: Ten Action Steps for Implementation of Balanced Scorecard and KPI Reporting for
Internal Audit Functions

10.0 CONCLUSION
a) Internal auditors are professionals who play crucial roles in evaluating and
improving the effectiveness of risk management, control, and governance
processes, which contribute to the achievement of strategic and operational
objectives of organisations.

b) The content provided throughout this Guidance is expected to significantly
contribute to the understanding of the roles of internal auditors, and to serve
as both a catalyst and an enabler for internal auditors and all relevant
stakeholders in every organisation to fulfil their prescribed roles.

c) Enhancing internal audit effectiveness is an ongoing process based on the
notion that having a good blend of skills from a technical, financial, and
operational perspective within the context of internal audit would yield
proficiency and efficiency.

d) Internal audit functions that are effective are also better positioned to
help navigate organisations through volatile landscapes that are fraught
with various thematic developments such as ESG compliance, anti-corruption
commitments, and fraud risk management, each of which carries differing
degrees of impact and likelihood to organisations.

e) IIA continues to support the internal audit function in the provision of
continuous training, certification and professional development of internal
auditors to equip internal auditors and all stakeholders to be at the forefront
of corporate governance both nationally and internationally.

REFERENCES AND RESOURCES
Bank Negara Malaysia (2016). Policy Document on Corporate Governance (for licensed banks,
investment banks, Islamic banks, insurers, takaful operators, and financial holding companies).

Bank Negara Malaysia (2019). Policy Document on Shariah Governance.

Bank Negara Malaysia (2019). Policy Document on Corporate Governance (for Developmental
Financial Institutions).

Bank Negara Malaysia (2010). Shariah Governance Framework.

Bursa Malaysia (2022). Main Market Listing Requirements.

Bursa Malaysia (2022). ACE Market Listing Requirements.

Bursa Malaysia (2021). Corporate Governance Guide – 4th Edition – Pull-Out I.

Bursa Malaysia (2021). Corporate Governance Guide – 4th Edition – Pull-Out II.

Bursa Malaysia & The Institute of Internal Auditors Malaysia (2021). Effectiveness of Internal audit
function: Thematic Review Findings and Key Takeaways.

Bursa Malaysia (2015). Sustainability Reporting Guide.

Bursa Malaysia (2012). Statement on Risk Management and Internal Control – Guidelines for
Directors of Listed Issuers.

Committee of Sponsoring Organizations of the Treadway Commission (2017). Enterprise Risk
Management: Integrating with Strategy and Performance.

Companies Act 2016 (Malaysia).

Co-operative Societies Act 1993 (Malaysia).

Department of Islamic Development Malaysia (Jabatan Kemajuan Islam Malaysia) (2017). Guidelines
on Shariah-based Management (Garis Panduan Umum Tadbir Urus Berteraskan Shariah).

Financial Procedure Act 1985 (Revised 1972).

Institute of Internal Auditors (2021). Internal Audit’s Role in ESG Reporting: Independent Assurance
is Critical to Effective Sustainability Reporting.

Institute of Internal Auditors (2020). Internal Audit Competency Framework.

Institute of Internal Auditors (2017). International Professional Practices Framework.

Institute of Internal Auditors (2020). The IIA’s Three Lines Model: An Update of the Three Lines of
Defense.

Institute of Internal Auditors (2019). Practice Guide: Demonstrating the Core Principles for the
Professional Practice of Internal Auditing.

Institute of Internal Auditors (2018). Insights to Quality: How the IIA Core Principles Support
Successful Internal Audit Practices.

Institute of Internal Auditors (2010). Practice Guide: Measuring Internal Audit Effectiveness and
Efficiency.

Internal Audit Community of Practice (2020). Key Performance Indicators for Internal Audit Function.

Internal Audit Foundation et al. (2022). Prioritizing Environmental, Social and Governance: Exploring
Internal Audit’s Role as a Critical Collaborator.

Malaysia Co-operative Societies Commission (2019). GP28: Garis Panduan Tadbir Urus Syariah.

Malaysian Institute of Accountants and The Institute of Internal Auditors Malaysia (2017).
Outsourcing or Co-Sourcing of Internal Audit Function.

Malaysian Institute of Accountants (2021). By-laws (on Professional Ethics, Conduct and Practice
of the Malaysian Institute of Accountants).

Malaysian Treasury Circular (Pekeliling Perbendaharaan Malaysia). Implementation of Internal
Audit at Federal Ministries or Departments and State Governments (Pelaksanaan Audit Dalam Di
Kementerian Atau Jabatan Persekutuan Dan Kerajaan Negeri) (PS 3.1).

Malaysian Treasury Circular (Pekeliling Perbendaharaan Malaysia). Establishment of Audit
Committees at Federal Ministries and State Governments (Penubuhan Jawatankuasa Audit di
Peringkat Kementerian Persekutuan dan Kerajaan Negeri) (PS 3.2).

Minority Shareholders Watch Group (2019). MSWG-ASEAN CG Scorecard 2019.

Securities Commission Malaysia (2021). Malaysian Code on Corporate Governance (as at 28 April
2021).

Securities Commission Malaysia (2022). Guidelines on Conduct of Directors of Listed Corporations
and Their Subsidiaries.

Statutory Bodies (Accounts and Annual Reports) Act 1980.

The Institute of Internal Auditors Australia (2019). Balanced Scorecard Reporting.

The Internal Audit Foundation (2019). Sawyer’s Internal Auditing: Enhancing and Protecting
Organizational Value, 7th Edition.

APPENDIX 1: EXAMPLES OF QUESTIONS RELATING TO THE
ROLE OF AUDIT COMMITTEE ON THE INTERNAL AUDIT
FUNCTION
(Source: Bursa Malaysia (2021) Corporate Governance Guide - 4th Edition - Pull-Out I)

1. Does the AC Chairman support contribution on meeting agendas from Board members,
management, the external auditors and the internal auditors? (Question 14 of the Questionnaire);

2. Does the AC appraise the external auditors, internal auditors and management on the
experience and adequacy of the company’s accounting and finance staff? (Question 19);

3. Does the AC review the appointment, replacement or dismissal of the Head of the internal
audit function, to ensure continued objectivity of the internal audit function? (Question 21);

4. Does the AC regularly review the adequacy (including the scope, methodology, competency,
resources and authority) and performance (including compliance with relevant standards and
regulations, quality of internal audit and quality of report) of the internal audit function?
(Question 23);

5. Does the AC review the internal audit plan, processes and results of internal audit assessments
or investigation undertaken? (Question 24);

6. Does the AC meet with the lead audit partner, and other members of the audit team if necessary,
at least annually, without the presence of management, to discuss issues arising from the
audit, evaluation of the systems of internal control, and any other matters that the auditor may
wish to raise with the AC and vice versa? (Question 30);

7. Does the AC have private sessions with the internal audit and external audit that facilitate
candid discussions of pertinent issues? (Question 31);

8. Does the AC review the management letters and reports written by the external and internal
auditors respectively and monitor the process to conclude that all important matters are
resolved/addressed? (Question 32).

APPENDIX 2: EXAMPLES OF QUESTIONS RELATING TO
THE EFFECTIVENESS OF THE INTERNAL AUDIT FUNCTION
(Source: Bursa Malaysia (2021) Corporate Governance Guide - 4th Edition - Pull-Out II)

1. Is the CAE a member of The Institute of Internal Auditors Malaysia?
(Question 1 of the Questionnaire);

2. Does the Audit Committee decide on the scope and functions of the internal audit as required
in the Listing Requirements? (Question 2);

3. Does the internal audit function understand the company’s business and the peculiarities of
the industry(ies) in which the company operates? (Question 3);

4. Do internal auditors meet with the audit committee without the presence of non-audit
committee members whenever deemed necessary in relation to the operations of the
company? (Question 4);

5. Does the internal audit function perform regular reviews to test the effectiveness of the financial,
operational and compliance controls and processes of the company? (Question 5);

6. Does the internal audit function test the effectiveness of risk management framework and
policies? (Question 6);

7. Does the internal audit function have sufficient resources and competency to carry out its
work? (Question 7);

8. Do the internal auditors undertake their functions according to the standards set by recognised
professional bodies? (Question 8);

9. Does the internal audit function provide input into developing action plans to monitor risks and
internal controls based on the internal audit plan and processes undertaken? (Question 9);

10. Is the scope of internal audit limited to certain areas only? If so, please state the reason for the
limitation. (Question 10);

11. Does the internal audit function include detection and investigation of fraud? If it does not,
please comment on its role in relation to the investigation of fraud. (Question 11);

12. Has the listed issuer carried out a Quality Assessment Review (QAR) of the internal audit
function? (Question 12);

13. Do the listed issuer’s external auditors rely on the internal audit assessment? If not, why?
(Question 13);

14. Does the internal audit function work in collaboration with external auditors, particularly in the
area of evaluation of internal controls? (Question 14).

APPENDIX 3: EXAMPLES OF INTERNAL AUDIT
EFFECTIVENESS AND EFFICIENCY METRICS
(Source: IPPF Practice Guide (2021): Measuring Internal Audit Effectiveness and Efficiency)

The metrics are grouped by performance measurement category into measures of
efficiency, measures of effectiveness, and measures of efficiency and
effectiveness.

Basic Measures

Measures of Efficiency:
• Number of audits scheduled.
• Number of audits completed.
• Timeliness of performance feedback.
• Staff utilization – direct vs. indirect time.
• Completed audits per auditor.
• Actual hours vs. budgeted hours.
• Audit report cycle time: elapsed time from opening conference to fieldwork
completion and elapsed time from fieldwork completion to final report.
• Number of internal audit reports issued vs. planned internal audits.

Measures of Effectiveness:
• Client satisfaction ratings.
• Staff satisfaction ratings.
• Number of significant audit findings.
• Percentage of recommendations implemented.
• Number of repeat findings.
• Number of open audit findings past planned corrective action date.
• Number of unsatisfactory internal audit opinions.

Measures of Efficiency and Effectiveness:
• Training/CPE hours.
• Staff turnover/retention.

Service to Stakeholders

Measures of Efficiency:
• Responsiveness to special requests.
• Average response time to management request.
• Number of control self-assessment (CSA) sessions conducted.
• Number of auditors per 1,000 employees.
• Number of auditors per $1 million of revenue/$1 million of assets.
• Completed vs. planned audits.
• Cost savings as a percentage of department budget.

Measures of Effectiveness:
• Delivery of high quality service.
• Management of auditee expectations.
• Building strong relationships.
• Number of management requests.
• Number of committees and task forces audit is involved in.
• Amount of identified cost savings and percentage of recoveries.

Measures of Efficiency and Effectiveness:
• Client survey scores (see example survey letter in Appendix E).
• Senior Management survey scores.
• Audit Committee survey scores.
• Number of positive and negative feedback about audits/auditors.

Knowledge of Business
• Applying business knowledge to help solve complex client issues.
• Development of deep industry knowledge.
• Developing and contributing best practices, emerging issues, and industry
trends.
• Best practices benchmarked.

Technical Development
• Development of relevant technical knowledge: internal auditing, accounting,
regulatory, business.
• Compliance with audit methodology set.

Innovation

Measures of Efficiency:
• Use of technology in audits.
• Creativity and efficiency.
• Number of internal audit improvement teams and time spent (by team).
• Number of hours spent in industry or other specialized training.
• Involvement in professional organisations (e.g., IIA, auditor roundtables).
• Thought leadership.

Measures of Effectiveness:
• Enhanced audit process.
• Number of best practices identified and communicated within an
organisation or internal audit activity.

People Development

Measures of Efficiency:
• Number of coaching sessions in a year.
• Tracking of development plan (plan vs. actual).
• Achievement of minimum training hours required.

Measures of Effectiveness:
• Average months in position.
• Number of staff rotations in and out of the internal audit activity.
• Average years of audit experience.
• Percentage of auditors with professional certifications.
• Percentage of auditors with advanced degree.
• Training hours per auditor.
• Auditor turnover.
• Number/percentage of auditors transferred/promoted to other functions in
the organisation vs. the number that left the company.

Measures of Efficiency and Effectiveness:
• Assistance in recruiting by team members (participation in review of
resume, interview etc.).

APPENDIX 4: EXAMPLE OF REPORTING INTERNAL AUDIT
EFFECTIVENESS AND EFFICIENCY DASHBOARD
(Source: IPPF Practice Guide (2021): Measuring Internal Audit Effectiveness and Efficiency)

Each section of the dashboard has the columns Area, Measure, Target and
Actual (Q1, Q2, Q3, Q4); the Target and Actual columns are blank in the
example.

QUANTITATIVE MEASURES
• Area: Budget management. Measure: Budget vs. actual.
• Area: Delivering the annual audit plan. Measure: Percentage of audit plan
delivered during the year.

CUSTOMER SERVICE
• Area: Number/types of ad-hoc requests received for non-routine work.
Measure: Record to be kept of ad-hoc non-routine requests by the management.

STAFF SATISFACTION AND DEVELOPMENT
• Area: Staff training hours/year. Measure: Actual training hours vs. budget.
• Area: Staffing plan (hiring). Measure: Plan vs. actual hired.

AUDIT DELIVERY/EFFICIENCY
• Area: Audit reviews completed within budget and to agreed target date.
Measure: Budget vs. actual.
• Area: Revise the audit methodology. Measure: Plan vs. actual revision.

RELATIONSHIP WITH THIRD PARTIES
• Area: Use of subject matter experts (SMEs). Measure: Use of SMEs for
specialized work.

APPENDIX 5: EXAMPLE OF INTERNAL AUDIT FEEDBACK
SURVEY
(Source: IPPF Practice Guide (2021): Measuring Internal Audit Effectiveness and Efficiency)

AUDIT REPORT TITLE: __________________________________________________________________

BUSINESS OWNER: ____________________________________________________________________

The rating scale provided below is from 5 (strongly agree) to 1 (strongly disagree).

AUDIT QUALITY
Rating: 5 = Strongly Agree; 4 = Agree; 3 = Neither Agree or Disagree;
2 = Disagree; 1 = Strongly Disagree; or Not Done.

1. Opening conference was held and all questions/comments were adequately
addressed.
2. The final audit objectives and scope were agreed to.
3. The audit team was knowledgeable about your business.
4. The audit was completed within the timeframe communicated.
5. The audit was conducted efficiently and effectively with minimal disruption
to your business.
6. The audit was conducted in a professional and courteous manner.
7. The audit team kept you informed of key issues throughout the audit.
8. All of your key business concerns/risks were addressed during the audit.
9. The closing conference allowed both sides to adequately discuss and
address all comments.
10. The audit report was accurate and findings clearly communicated.
11. The audit report fairly reflected your team’s comments and corrective
action.
12. The overall audit provided value to your area.

APPENDIX 6: EXAMPLE OF KEY PERFORMANCE
INDICATORS BASED ON BALANCED SCORECARD
ELEMENTS
(Source: Internal Audit Community of Practice (2020). Key Performance Indicators for Internal Audit
Function)

FOR INTERNAL STAKEHOLDERS

Possible Performance Indicators and Comments

• Materiality of audit findings.
Comment: Helps managers understand whether internal audit has identified
serious issues.

• Percentage of unsatisfactory ratings.
Comment: Measures how many audits result in poor or unsatisfactory ratings.
This may be an indicator of the control maturity of the organization.

• Percentage of the audit plan delivered during the year.
Comment: A low percentage may indicate that internal audit is taking on too
many unplanned assignments. But it could also indicate that internal audit is
being agile in responding to requests for assistance.

• Percentage of recommendations implemented by taking corrective action.
Comment: An indicator of the relevance, credibility, and quality of internal
audit work.

• Number of complaints from regulatory bodies.
Comment: Provides an indication of areas that may have been overlooked by
internal audit, plus the control maturity/culture of the organisation.

• Number of frauds per annum and the value of frauds.
Comment: The quantity of frauds and the total value of fraud measure different
aspects of fraud risks within the organisation.

• Percentage of high-risk audit universe covered each year.
Comment: How far internal audit is covering the major areas of risk within the
organisation.

• Percentage of internal auditors being promoted elsewhere in the organization.
Comment: May indicate that internal audit is developing high quality staff that
are valued elsewhere in the organisation.

• Results of client satisfaction survey questionnaire at the end of audit
assignments.
Comment: Provides senior managers with an indicator of how well internal audit
is performing its individual audit assignments.

• Cost savings generated by implementing internal audit recommendations.
Comment: Senior managers are interested in knowing to what extent internal
audit recommendations result in cost savings across the organisation.

• Changes to processes resulting from implementing internal audit
recommendations.
Comment: Measures the level of improvement generated by internal audit.

FOR EXTERNAL STAKEHOLDERS

Possible Performance Indicators and Comments

• Audit committee rating.
Comment: An overall rating of the internal audit function provided by the Audit
Committee; this may be descriptive rather than a rating within a scale.

• Percentage of recommendations accepted or not.
Comment: The proportion of recommendations accepted is a measure of the
success of internal audit work.

• Number of frauds per annum and value of frauds.
Comment: The quantity of frauds and the total value of fraud measure different
aspects of fraud risks within the organisation.

• Indicators of the independence of internal audit.
Comment: These may be qualitative rather than quantitative, for example the
results of external quality assessments or CHU reviews, plus annual
declaration by internal audit.

• Percentage of high-risk audit universe covered each year.
Comment: How far internal audit is covering the major areas of risk within the
organisation.

• Percentage of audit assignments that respond directly to concerns raised by
the audit committee.
Comment: Measures whether internal audit is responding to the needs of the
Audit Committee.

• Results of client satisfaction survey questionnaire at the end of audit
assignments.
Comment: Helps the Audit Committee to assess the level of satisfaction from
Senior Management.

• Results of annual client satisfaction survey of senior managers.
Comment: A critical indicator of the quality of audit work undertaken by the
internal audit function.

• Result of internal quality assessments; results of periodic external quality
assessments.
Comment: The highest value indicator of the quality of internal audit work.

FOR INTERNAL AUDIT FUNCTION

Possible Performance Indicators and Comments

• Percentage of audits completed versus those planned.
Comment: May indicate there is too much unplanned work.

• The elapsed time for completing an audit from start to finish.
Comment: A general indicator of the overall efficiency of the audit.

• The mean or average time from a closing meeting to issuing the audit report.
Comment: A good measure of efficiency in the report writing process which in
turn indicates that the audit was well planned to generate the evidence
needed.

• Percentage of annual audit costs versus annual budget.
Comment: Looks at how good an audit unit is at managing costs.

• Number of years of relevant business experience across all staff.
Comment: A useful indicator of the level of required business expertise.

• Number of years of audit experience across all staff.
Comment: A useful indicator of the level of direct audit experience.

• The percentage of certified auditors.
Comment: A good indicator of the level of trained auditors.

• Percentage of planned and unplanned staff turnover during the year.
Comment: High levels of turnover may be an indication of staffing problems in
the unit.

• Number of training hours per auditor per year.
Comment: Measures the extent to which auditors are meeting continuing
professional development expectations. This is also an indicator of the
priority internal audit gives to training.

• Number of innovative improvements.
Comment: An indicator of whether the internal audit unit is regularly reviewing
its own processes.

FOR AUDIT CLIENTS

Possible Performance Indicators and Comments

• Satisfaction survey rating.
Comment: May indicate satisfaction or problems with individual assignments or
managers.

• Percentage of issues that are open, closed or past due.
Comment: May indicate that managers are not taking sufficient action to address
recommendations raised by internal audit.

• Percentage of recommendations accepted or not.
Comment: May indicate that internal audit is not selling their findings to
clients well.

• Number of repeat findings.
Comment: May indicate that systemic weaknesses are not being addressed.

• Number of requests by local management for audit support.
Comment: May indicate that clients are seeking out internal audit help and
value their services.
