1. Internal Audit Operations


1.1 Introduction to Internal Auditing


“Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization’s operations.
It helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.”
The internal audit activity’s responsibility is to provide the organization with
assurance and consulting services that will add value and improve the
organization’s operations. The nature of its work is to evaluate and improve
the effectiveness of the organization’s governance, risk management, and
control processes. Oversight of the work of external auditors, including
coordination with the internal audit activity, is the responsibility of the
board.
Governance: “The combination of processes and structures implemented by
the board to inform, direct, manage, and monitor the activities of the
organization toward the achievement of its objectives.”
Risk management: “A process to identify, assess, manage, and control
potential events or situations to provide reasonable assurance regarding the
achievement of the organization’s objectives.”
Control processes: “The policies, procedures (both manual and
automated), and activities that are part of a control framework, designed and
operated to ensure that risks are contained within the level that an
organization is willing to accept.”
Control: “Any action taken by management, the board, and other parties to
manage risk and increase the likelihood that established objectives and goals
will be achieved. Management plans, organizes, and directs the performance
of sufficient actions to provide reasonable assurance that objectives and
goals will be achieved.”
The chief audit executive (CAE) interviews the board and senior management
about the responsibilities of each stakeholder. Ordinarily, the board is
responsible for guiding governance processes, and senior management
is responsible for leading risk management and control processes.
An understanding of the business also is necessary. The framework (e.g.,
COSO) may be that adopted by senior management. If the organization has
not adopted such a framework, the CAE may recommend one.
To acquire this understanding, the CAE ordinarily reviews the organization’s
mission, strategic plan, key objectives, related risks and controls, and the
minutes of the board.
When determining the strategy for assessing GRC, the CAE typically
considers:
 the maturity of these processes,
 the seniority of the persons responsible, and
 the organizational culture.
Internal auditors may use their knowledge, experience, and best practices to
provide:
 observations of weaknesses and
 recommendations.
Compliance is “adherence to policies, plans, procedures, laws, regulations,
contracts, or other requirements.”
The internal audit activity must evaluate:
 the risks involved in governance, operations, and information systems
that relate to compliance and
 the controls over compliance.
Reasonable assurance is provided if the most cost-effective measures are
taken in the design and implementation of controls to reduce risks and
restrict expected deviations to a tolerable level.
Governance, risk management, and control processes are adequate if
management has planned and designed them to provide reasonable
assurance of achieving the organization’s objectives efficiently and
economically.
 Efficient performance accomplishes objectives in an accurate,
timely, and economical fashion.
 Economical performance accomplishes objectives with minimal use
of resources (i.e., cost) proportionate to the risk exposure.
Types of Internal Audit Engagements:
 Assurance services are “An objective examination of evidence for the
purpose of providing an independent assessment on governance, risk
management, and control processes for the organization.
Examples may include: financial, performance, compliance, system
security, and due diligence engagements.”
 Consulting services are “Advisory and related client service activities,
the nature and scope of which are agreed with the client, are intended
to add value and improve an organization’s governance, risk
management, and control processes without the internal auditor
assuming management responsibility.
Examples include: counsel, advice, facilitation, and training.”
Reporting completes a feedback loop to management and the board.
Reporting provides assurance about
 Governance,
 Risk management, and
 Control.
Periodic reports also are issued on the internal audit activity’s purpose,
authority, responsibility, and performance.
1.2 Internal Audit Administrative Activities
The internal audit activity is effectively managed when:
 It achieves the purpose and responsibility included in the internal audit
charter.
 It conforms with the Standards.
 Its individual members conform with the Code of Ethics and the
Standards.
 It considers trends and emerging issues that could impact the
organization.
The internal audit activity adds value to the organization and its stakeholders
when it considers strategies, objectives, and risks; strives to offer ways to
enhance governance, risk management, and control processes; and
objectively provides relevant assurance.
The chief audit executive must establish policies and procedures to guide the
internal audit activity.
The CAE is responsible for day-to-day operations, including the following
administrative activities (activities listed are not all-inclusive):
 Creating an operating and financial budget.
 Implementing policies and procedures to provide reasonable assurance
that the internal audit activity has sufficient personnel selected using
well-developed criteria. They should have the qualifications,
competence, capabilities, and commitment to perform internal audit
engagements.
 Allocating the internal audit activity’s resources where they can be
used most effectively.
 Communicating internal audit activities and engagement findings to
applicable stakeholders.
 Preparing and monitoring time budgets to assist with meeting
engagement deadlines or adjusting accordingly to projected time
overruns.
 Conducting internal audit personnel evaluations to determine:
 the knowledge, skills, and competencies of the staff;
 training needs;
 whether external resources are required; and
 compensation adjustments based on position requirements and
individual performance.
The form and content of policies and procedures are dependent upon the
size and structure of the internal audit activity and the complexity of its
work.
A large, mature internal audit activity may include detailed policies and
procedures in a formal operation manual. If the activity is smaller or less
mature, less detailed policies and procedures may be in separate documents
or an audit management software program. A small internal audit activity
may be managed informally through daily close supervision and memos.
The following content generally is included in an operations manual or other
separate document:
 Policies on
 Purposes and responsibilities of the internal audit activity
 Compliance with mandatory guidance
 Independence of the internal audit activity and objectivity of
internal auditors
 Ethics requirements
 Maintaining the confidentiality of information
 Retention of internal audit records
 Procedures for
 Drafting the audit plan based on the risk assessment
 Drafting plans and work programs for specific engagements
 Performance and documentation of engagements
 Communicating results of engagements
 Monitoring and follow-up
 Guidance on the quality assurance and improvement programs
 Management of the internal audit activity related to
 Professional training and certification
 Continuing professional education to obtain professional
certifications and qualifications
 Regular evaluations of auditors to aid professional development
Internal audit policies and procedures should be reviewed periodically, either
by the CAE or by an internal audit manager assigned to monitor internal audit
processes and emerging issues.
The CAE is responsible for hiring associates to fill the organizational structure
of the internal audit function in a way that maximizes efficiency, effectively
provides the necessary skill base, and makes good use of the financial
budget. However, the day-to-day management of the hiring process is by the
human resources department.
Internal auditors should be qualified and competent. Because the selection of
a superior staff is dependent on the ability to evaluate applicants, selection
criteria must be well-developed.
Appropriate questions and forms should be prepared in advance to evaluate,
among other things, the applicant’s
 Technical qualifications
 Educational background
 Personal appearance
 Ability to communicate
 Maturity
 Persuasiveness
 Self-confidence
 Intelligence
 Motivation
 Potential to contribute to the organization
Developing effective interviewing methods ensures that the internal audit
function acquires the proper set of skills, capabilities, and technical
knowledge needed to accomplish its goals.
Effective interviewing methods are: structured interviews and
behavioral interviews.
 Structured interviews are designed to eliminate individual bias.
These interviews use a set of job-related questions with standardized
answers, which then are scored by a committee of three to six members.
Interviewers can use four general types of questions:
 Situational – “What would you do if you saw two people arguing loudly
in the work area?”
 Job knowledge – “Do you know how to do an Internet search?”
 Job sample simulation – “Can you show us how to compose and send
an e-mail message?”
 Worker requirements – “Are you able to spend 25 percent of your time
on the road?”
 Behavioral interviews determine how candidates managed past
situations. Past performance generally is indicative of future
performance.
1.3 Stakeholder Relationships
For internal auditors to be effective, they must build and maintain strong
constructive relationships with managers and other stakeholders within the
organization.
Key stakeholders include: the board of directors, audit committees,
management, external auditors, shareholders, and regulators.
These relationships require conscious ongoing focus to ensure that risks are
appropriately identified and evaluated to best meet the needs of the
organization.
Internal auditors have a responsibility to work together with external auditors
and other stakeholders to facilitate work efforts and compliance with
regulators.
The IIA defines a board as “the highest-level governing body charged with the
responsibility to direct and/or oversee the organization’s activities and hold
senior management accountable.” Accordingly, “board” is an inclusive term
for the highest-level governing body of any organization, whatever its title.
Some jurisdictions have imposed the following significant restrictions on the
membership of the audit committee:
 Every member must be an outside director, i.e., not an employee of
the organization except in the capacity of a board member. Such
requirements improve public perception of financial reporting.
 At least one member must be a financial expert
To avoid creating conflict between the CEO and the audit committee, the CAE
should request board establishment of policies covering the internal audit
activity’s relationships with the audit committee.
The most important function of the audit committee is to promote the
independence of the internal and external auditors by protecting them from
management’s influence.
The following are other functions of the audit committee regarding the
internal audit activity:
 Selecting or removing the CAE and setting his or her compensation
 Approving the internal audit charter
 Reviewing and approving the internal audit activity’s work plan
 Ensuring that the internal audit activity is allocated sufficient resources
 Resolving disputes between the internal audit activity and
management
 Communicating with the CAE, who attends all audit committee
meetings
 Reviewing the internal audit activity’s work product (e.g., interim and
final engagement communications)
 Ensuring that engagement results are given due consideration
 Overseeing appropriate corrective action for deficiencies noted by the
internal audit activity
 Making appropriate inquiries of management and the CAE to determine
whether audit scope or budgetary limitations impede the ability of the
internal audit activity to meet its responsibilities
The following are other functions of the audit committee regarding the
external auditor:
 Selecting the external auditing firm and negotiating its fee
 Overseeing and reviewing the work of the external auditor
 Resolving disputes between the external auditor and management
 Reviewing the external auditor’s internal control and audit reports
Internal auditors are responsible for performing their mission, maintaining
their objectivity, and ensuring the internal audit activity’s independence.
Good relationships are developed by communicating effectively, resolving
conflicts constructively, and using participative auditing methods.
Participative auditing is a collaboration between the internal auditor and
management during the auditing process. The objective is to minimize
conflict and build a shared interest in the engagement. People are more
likely to accept changes if they have participated in the decisions and in the
methods used to implement changes.
However, internal auditors are ultimately responsible for guiding and
directing the audit because the responsibility for the final audit opinion is
theirs.

1.4 Internal Audit Resource Requirements

To achieve the approved plan, the chief audit executive must ensure that
internal audit resources are:
 appropriate,
Appropriate refers to the mix of knowledge, skills, and other
competencies needed to perform the plan.
 sufficient, and
Sufficient refers to the quantity of resources needed to accomplish
the plan.
 effectively deployed.
Resources are effectively deployed when they are used in a way that
optimizes the achievement of the approved plan.
The CAE is primarily responsible for the sufficiency and management of
resources, including communication of needs and status to senior
management and the board.
Senior management and the board ultimately must ensure the adequacy of
resources because the CAE is not directly able to hire employees, and the
board sets the budget.
Resources may include employees, service providers, financial support, and
IT-based audit methods.
To determine the sufficiency of resource allocation, the CAE considers
relevant factors, including:
 Organizational objectives;
 Communications received from management and the board;
 Information about ongoing and new engagements;
 Consequences of not completing an engagement on time; and
 Knowledge, skills, and competencies of the internal audit staff.
The competencies of the internal audit staff should be appropriate for the
planned activities.
Internal auditing collectively must have or obtain the knowledge, skills, and
other competencies needed to perform its responsibilities. But each member
need not be qualified in all disciplines.
The CAE may conduct a documented skills assessment based on the needs
identified in the risk assessment and audit plan.
A job description summarizes the duties and qualifications required for a job.
Properly formulated job descriptions provide a basis for identifying job
qualifications, such as training and experience. They also facilitate recruiting
the appropriate internal audit staff with the necessary attributes for the
planned activities.
Resources need to be sufficient for audit activities to be performed in
accordance with the expectations of senior management and the board.
The CAE is responsible for resource planning, which considers
 The audit universe,
 Relevant risk levels,
 The internal audit plan,
 Coverage expectations, and
 An estimate of unanticipated activities.
The CAE also is responsible to ensure resources are effectively deployed by
assigning qualified auditors and developing an appropriate resourcing
approach and organizational structure.
Some organizations maintain field offices to improve the internal audit
function’s efficiency and effectiveness.
The advantages of field offices compared with sending internal auditors from
the home office include
 Reduced travel time and expense,
 Improved service in the operating locations served by the field offices,
 Better morale of internal auditors as a result of increased authority,
and
 The possibility of employing persons who do not wish to travel.
When selecting the appropriate audit staff, the CAE must consider the
following factors:
 Complexity of the engagement
 Experience levels of the auditors
 Training needs of the auditors
 The expanding scope of internal auditing requires continual
training to achieve individual and organizational goals.
 An advantage of hiring an experienced outsider for a
management role is a reduction in training costs.
 Available resources, including special skills required
The CAE considers succession planning, staff evaluation and development,
and other human resource disciplines.
The CAE also addresses resourcing needs, including whether those skills are
present.
Other ways to meet needs include external service providers, specialized
consultants, or other employees of the organization.
The CAE’s ongoing communications with senior management and the board
include periodic summaries of resource status and adequacy, such as the
effect of temporary vacancies and comparison of resources with the audit
plan.
Periodic summaries are important because senior management and the
board provide the resources the CAE needs to operate the internal audit
activity.
An organization’s governing body may decide that an external service
provider is the most effective means of obtaining internal audit services.
In such cases, the Performance Standard (2070) requires those performing
internal audit services to remind the organization that the organization is
ultimately responsible for maintaining an effective internal audit activity.
Thus, the board has responsibility for maintaining the internal audit activity
and cannot pass this responsibility off to a third party.
When an external service provider serves as the internal audit activity, the
provider must make the organization aware that the organization has the
responsibility for maintaining an effective internal audit activity.
This responsibility is demonstrated through the quality assurance and
improvement program which assesses conformance with the Code of Ethics
and the Standards.

1.5 Coordination

Performance Standard 2050 – Coordination and Reliance

“The chief audit executive should share information, coordinate
activities, and consider relying upon the work of other internal and
external assurance and consulting service providers to ensure proper
coverage and minimize duplication of efforts.”

Interpretation of Standard 2050

“In coordinating activities, the chief audit executive may rely on the work
of other assurance and consulting service providers. A consistent process for
the basis of reliance should be established, and the chief audit executive
should consider the competency, objectivity, and due professional
care of the assurance and consulting service providers. The chief audit
executive should also have a clear understanding of the scope, objectives,
and results of the work performed by other providers of assurance and
consulting services. Where reliance is placed on the work of others, the chief
audit executive is still accountable and responsible for ensuring
adequate support for conclusions and opinions reached by the internal audit
activity.”
Whether reporting administratively to the quality audit function or to the
board and senior management, the CAE should identify appropriate
liaison activities with the quality audit function to ensure coordination of
audit schedules and overall audit responsibilities.
The quality audit standards proposed by the quality audit manager
should comply with the applicable standards for internal auditing
(i.e., the Standards).
The internal audit activity as a whole, not each auditor individually,
must be proficient in all necessary competencies.
Internal vs external assurance and consulting providers
Internal providers may report to senior management or be part of
senior management. Their activities may address such functions as
environmental, financial control, health and safety, IT
security, legal, risk management, compliance, or quality
assurance.
External providers, who are not limited to independent external
auditors, may report to senior management, external parties, or the
CAE.
External providers that intend to rely on the internal audit activity’s work
should assess the competence and objectivity of the internal auditors; this
assessment is needed only when such reliance is intended.
Moreover, coordination does not extend to the attest function provided for
external parties, because internal auditors are not independent of their
employer.
Subject to the organization’s confidentiality constraints, “the parties share
the objectives, scope, and timing of upcoming reviews, assessments, and
audits; the results of prior audits; and the possibility of relying on one
another’s work.” (Implementation Guide 2050)
Accordingly, internal and external auditors may share engagement
communications, management letters, work programs, and working
papers.
For example, the CAE should determine whether management has taken
the corrective action recommended in the external auditor’s management
letter.
Coordination requires scheduling sufficient meetings.
Process and methods of coordinating assurance activities
The process varies by organization.
 Smaller entities may have informal coordination.
 Large or regulated entities may have formal and complex coordination.
Assurance mapping
 Connects significant risk categories and sources of assurance and
 Assesses each category.
In an assurance map, risk is determined by judging:
 the inherent risk of the activity (the risk that internal controls may not
prevent or detect noncompliance) and
 the potential consequences of noncompliance.
The CAE then can determine whether sharing the results of
assurance services with other providers avoids duplication and
maximizes efficiency and effectiveness of coverage.
In the combined assurance model, the internal audit activity coordinates
activities with second line activities, such as compliance, to minimize “the
nature, frequency and redundancy of internal audit engagements.”
Coordinating activities include the following:
 Simultaneity of the nature, extent, and timing of scheduled work
 Mutual understanding of methods and vocabulary
 The parties’ access to each other’s programs, workpapers, and
communications of results
 Reliance on others’ work to avoid overlap
 Meeting to adjust the timing of scheduled work given results to date
Criteria the CAE may consider in determining whether to rely on the work of
another service provider include the following:
 The objectivity, independence, competency, and due professional care
of the provider relating to the relevant assurance or consulting
service
 The scope, objectives, and results of the service provider’s work to
evaluate the degree of reliance
 Assessing the service provider’s findings to determine whether they
are reasonable and meet the information criteria in the Standards
 The incremental effort required to obtain sufficient, reliable,
relevant, and useful information as a basis for the degree of
planned reliance
Reliance on another service provider does not excuse the CAE
from final responsibility for conclusions and opinions.
Coordinating with regulatory oversight bodies
Businesses and not-for-profit organizations are subject to governmental
regulation in many countries. Below is a sample of typical subjects of
regulation:
 Labor relations
 Occupational safety and health
 Environmental protection
 Consumer product safety
 Business mergers and acquisitions
 Securities issuance and trading
 Trading of commodities
NOTE: Local and regional governments may have their own regulatory
bodies.
Particularly in larger organizations, entire departments or functions
are established to monitor compliance with the regulations issued by
these governmental bodies.
Among the responsibilities of the internal audit activity is the
evaluation of the organization’s compliance with applicable laws and
regulations.
The internal audit activity coordinates its work with that of inspectors
and other personnel from the appropriate governmental bodies and
with personnel from internal assurance functions.
Three Lines Model
“The Three Lines Model helps organizations identify structures and
processes that best assist the achievement of objectives and facilitate
strong governance and risk management.” (The IIA’s Three Lines Model)
An important aspect of the Three Lines Model is creating and protecting
value through alignment, communication, coordination, and collaboration.
The IIA’s Three Lines Model is based on six principles:
Principle 1: Governance. Appropriate structures and processes should
enable
 Accountability by a governing body (generally the board) to
stakeholders for organizational oversight. Stakeholders are those
whose interests are served or affected.
 Managerial actions (including risk management) to achieve objectives
through risk-based decisions.
 Assurance and advice by a competent, objective, and independent
internal audit function that provides confidence and clarity and
facilitates continuous improvement.
Principle 2: Governing body roles. They include
 Ensuring structures and processes exist for effective governance.
 Ensuring objectives and activities align with stakeholder interests.
 Giving management the responsibility and resources to achieve
objectives and compliance with laws, regulations, and ethics.
 Establishing and overseeing the internal audit function.
Principle 3: Management – First- and second-line roles (both report to
senior management).
 First line roles most directly relate to delivery of products or
services to clients. They include support functions (e.g., human
resources, IT, legal, operations, finance). They are directly
responsible for risk management.
 Second line roles (some of which may be assigned to specialists)
assist with risk management (a first line role) by providing
expertise, support, monitoring, and challenge. Specific objectives
may relate to compliance, sustainability, ethics, internal control, IT,
quality, or ERM (e.g., control functions such as compliance and risk
officers).
Principle 4: Third line roles.
 Internal audit
 provides assurance and advice on the adequacy and
effectiveness of governance, risk management, and
compliance, and
 reports to management and the governing body on
objective achievement and continuous improvement. It
may consider assurance from other internal or external
providers when performing these responsibilities.
Principle 5: Third line independence.
 Internal audit independence is achieved through
 accountability to the governing body;
 unaffected access to people, resources, and data; and
 freedom from bias and interference.
Principle 6: Creating and protecting value.
Alignment of the activities of all roles (through communication, cooperation,
and collaboration) collectively creates and protects value. It ensures the
reliability, coherence, and transparency of risk-based decisions.
