3. DEFINITION OF
INTERNAL AUDITING¹
“AN INDEPENDENT AND OBJECTIVE
ASSURANCE AND CONSULTING ACTIVITY
DESIGNED TO ADD VALUE AND IMPROVE AN
ORGANIZATION’S OPERATIONS. IT HELPS AN
ORGANIZATION ACCOMPLISH ITS OBJECTIVES
BY BRINGING A SYSTEMATIC, DISCIPLINED
APPROACH TO EVALUATE AND IMPROVE THE
EFFECTIVENESS OF RISK MANAGEMENT,
CONTROL AND GOVERNANCE PROCESSES”.
¹ INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK (1999)
4. DEFINITION OF
INTERNAL AUDITING²
“THE EVALUATION OF MANAGEMENT CONTROL
AND OPERATIONS PERFORMANCE AND THE
DETERMINATION OF THE DEGREE OF COMPLIANCE
WITH LAWS, REGULATIONS, MANAGERIAL POLICIES
AND CONTRACTUAL OBLIGATIONS. IT IS THE
APPRAISAL OF THE PLAN OF ORGANIZATION AND
ALL THE COORDINATE METHODS AND MEASURES TO
RECOMMEND COURSES OF ACTION ON ALL
MATTERS RELATING TO MANAGEMENT CONTROL
AND OPERATIONS AUDIT.”
² PHILIPPINE GOVERNMENT INTERNAL AUDIT MANUAL (PGIAM-2011),
DEFINITION IN “THE ADMINISTRATIVE CODE OF 1987” AND P.D. 1445
5. SCOPE OF INTERNAL AUDITING
The internal audit activity must evaluate the adequacy
and effectiveness of controls in responding to risks
within the organization’s governance, operations and
information systems regarding the:
• Achievement of the organization’s strategic
objectives;
• Effectiveness and efficiency of operations;
• Reliability and integrity of financial and
operational information;
• Safeguarding of assets; and
• Compliance with laws, rules, regulations, standards,
policies, procedures and contracts.
7. ADMINISTRATIVE ORDER 278
SERIES OF 1992
SECTION 1
1.1 The Internal Audit Service (IAS) shall be an
integral part of the office/organization and
shall assist the institution management in
the effective discharge of its responsibilities
insofar as the same would not encroach on
or be adversarial with those of the auditors
of the Commission on Audit.
8. ADMINISTRATIVE ORDER 70
SERIES OF 2003
SECTION 1.
Second Paragraph –
The IAS shall be an integral part of the
office and shall assist in the management and
effective discharge of the responsibilities of the
office, without intruding into the authority and
mandate of the Commission on Audit (COA),
granted under the Constitution.
10. 1. The IAS activities shall include the following:
a. Ascertaining the reliability and integrity of
financial and operational information and
means used to identify, measure, classify
and report such information;
b. Ascertaining the extent of compliance with
established policies, and applicable laws and
regulations, and reviewing the system
established to ensure compliance with
government policies, plans and procedures,
laws and regulations which could have a
significant impact on operations;
11. c. Ascertaining the extent to which the assets and
other resources of the institutions are accounted
for and safeguarded from losses of all kinds;
d. Reviewing and evaluating the soundness,
adequacy and application of accounting, financial
and other operating controls and promoting the
most effective control at reasonable cost;
e. Reviewing operations or programs to ascertain
whether or not results are consistent with
established objectives and goals and whether or
not such programs are being carried out as
planned;
12. f. Evaluating the quality of performance of
groups/individuals in carrying out their
assigned responsibilities; and
g. Recommending corrective actions on
operational deficiencies observed.
13. 2. In addition to its above duties, the IAS may be called
upon to perform special assignments by the Head of the
Agency. However, it shall not be responsible for or
required to participate in procedures which are
essentially a part of regular operating activities or in
operations which are primarily the responsibility of another
unit in the organization. The IAS shall be detached
from all functions of routine operating character, such
as the following:
a. Pre-audit of vouchers and counter-
signature of checks;
14. b. Inspection of deliveries, although the
internal auditor may, as part of his
examination, observe inspection;
c. Preparation of treasury and bank
reconciliation statements;
d. Development and installation of
systems and procedures; however, in
exceptional cases, the internal auditor
may assist by way of giving
suggestions preferably during the
development stage;
15. e. Taking physical inventories; however,
the internal auditor may review the
plans in advance and observe the test-
check the accuracy of counting,
costing and summarizing;
f. Maintaining property records; and
g. All other activities related to operations.
16. AUDIT FUNCTIONS AND TOTAL
QUALITY APPROACHES
Today, more and more audit functions are
implementing quality improvement programs
which are a significant departure from the
traditional approach. These total quality
approaches are characterized by:
• Focusing on the areas of highest risk to
the organization.
17. • Working paper documentation that
meets the evidence requirements of the
IIA’s Standards but which are quickly
prepared and are often computer-based.
• Reporting methods and styles that
better fit the needs of those for whom
the reports are intended.
• Audit team approach using facilitators,
subject-matter-experts from the
organization being audited, etc.
18. • Encouraging management to request
internal audit reviews rather than have
to impose them on an organization.
• Self-assessment reviews where the
organization being reviewed performs
the review as a team facilitated by
internal auditors.
19. Purpose, Authority and Responsibility
The purpose, authority, and responsibility of the
internal auditing activity must be defined in an internal
audit charter, consistent with the Definition of
Internal Auditing, the Code of Ethics and the
Standards. The Chief Audit Executive should seek
approval of the charter by senior management and
final approval by the board. The internal audit
charter establishes the internal audit activity’s
position within the organization; authorizes access to
records, personnel, and physical properties relevant to
the performance of engagements; and defines the
scope of internal audit activities.
20. Purpose, Authority …continued…
Throughout the world internal auditing is performed
in diverse environments and within organizations which
vary in purpose, size and structure. In addition, the laws
and customs within various countries differ from one
another. These differences may affect the practice of
internal auditing in each environment. The
implementation of the Standards for the Professional
Practice of Internal Auditing (now in the
International Professional Practices Framework (IPPF)),
therefore, will be governed by the environment in which
the internal auditing department carries out its assigned
responsibilities.
21. Purpose, Authority and…continued…
Compliance with the concepts enunciated by the
International Standards for the Professional Practice
of Internal Auditing is essential before the
responsibilities of internal auditors can be met. As
stated in the Code of Ethics, members of the Institute
of Internal Auditors, Inc. and Certified Internal
Auditors shall adopt suitable means to comply with the
International Standards for the Professional
Practice of Internal Auditing.
24. Assurance Services involve the internal
auditor’s objective assessment of
evidence to provide an independent
opinion or conclusions regarding an
entity, operation, function, process,
system, or other subject matter. The
nature and scope of the assurance
engagement are determined by the
internal auditor.
25. There are generally three parties involved in
assurance services: (1) the person or group
directly involved with the entity, operation,
function, process, system, or other subject
matter – the process owner, (2) the person or
group making the assessment – the internal
auditor, and (3) the persons or group using the
assessment – the user. Examples may include
financial, performance, compliance, system
security, and due diligence engagements.
26. Advisory (Consulting) Services are
advisory in nature, and are
generally performed at the
specific request of an
engagement client. The nature
and scope of the advisory
(consulting) engagement are
subject to the agreement with the
engagement client.
27. Advisory (Consulting) services generally
involve two parties: (1) the person or
group offering the advice – the internal
auditor, and (2) the person or group
seeking and receiving the advice – the
engagement client. When performing
consulting services the internal auditor
should maintain objectivity and not
assume management responsibility.
Examples include counsel, advice,
facilitation, and training.
30. TRADITIONAL AUDIT
APPROACH
Derived from the Report of the Special Advisory
Committee on Internal Accounting Control
(Minahan Committee)
• System Documentation and Evaluation
• Program Development
• Testing
• Report Development
31. ADVANTAGES AND DISADVANTAGES
OF TRADITIONAL APPROACH
ADVANTAGES
• Obtaining detailed coverage of potentially risky areas every three to five years
• Comprehensive coverage of financial and accounting functions
DISADVANTAGES
• Because of the extensive nature of these audits, coverage is often completed on a three or five year cycle, not annually
• Audit coverage is very detailed and very expensive.
32. ADVANTAGES
• Professionally qualified audit staff
• Independence from operating managers
• Assurance that controls are in place at a given point in time for a given entity.
DISADVANTAGES
• Coverage often only addresses accounting controls, not the higher risk and higher value-added operating controls
• Audit staff skills are narrowly focused on accounting and finance issues
• Audit staff is not only independent but isolated from the operating functions.
33. RISK-BASED AUDITING
Internal Control System can help
management manage or control the degree
of business risk inherent in any business
operation. Internal control is a risk
management process.
“Internal Control Systems” – “Risk Management Systems”
34. Fundamental to COSO Model and to risk
management:
✓ Objectives are established and
communicated.
✓ Risk is dependent upon people,
organization, climate, characteristics,
situational pressures, and conditions
of opportunity.
35. Primary Causes of Fraud
(Study of KPMG Peat Marwick)
1. Poor internal control
2. Collusion between employees and a third
party
3. Management override of internal controls
4. High-risk industry where there was a risk of
decline or loss
The system of internal control must address the
“red flags” that might herald management or
employee override of the internal controls.
36. NEW PARADIGM SHIFT:
1. New definition of control: Control is broadly
defined and includes both formal and informal
controls.
2. Total Quality: TQM demands participative
team approaches to problem identification and
solution development.
3. Management/Employee Expectations:
Managers and employees expect tools that add
value to their own arsenal of resources.
37. RISK-BASED AUDIT METHODOLOGY:
1. Determine the key risks or objectives which
internal auditors should address
2. Identify limits of risk used by management
or deemed appropriate to controlling the
processes designed to achieve the
objectives (reduce the risk of failure)
38. 3. Conduct initial survey and form hypothesis
regarding how well the risk appears to be
controlled or how well controls appear to
ensure achieving the objectives.
4. Verify through the most cost-effective
means the validity of the hypothesis.
5. Report results
39. RISK BASED AUDIT METHODOLOGY
ADVANTAGES
• Extremely cost effective
• Focuses on areas of highest risk, thus adds greatest value to the organization
• Helps managers with problems of importance to them.
DISADVANTAGES
• Requires significant auditor experience and judgment
• Requires auditors to change their paradigm
• Requires significant interface with management and employees
40. ADVANTAGES
• Uses ideas and concepts understood by managers rather than by auditors only.
• Provides opportunity to train management and employees on how controls work to achieve business objectives of importance to them.
DISADVANTAGES
• May not provide an overall assessment of the organization’s system of internal control.
41. CONTROL SELF-ASSESSMENT (CSA)
CSA is a relatively new method for examining and
evaluating the organization’s system of internal control.
It is an amalgam of traditional internal auditing
concepts, risk analysis, and self assessment approaches.
CSA has the following elements:
1. Front-end planning and preliminary audit work.
42. 2. The gathering of a group of people into a same
time/same place meeting, - study of relationships
among elements of information (for example
fluctuation in recorded interest expense
compared to changes in related debt balances)
typically involving a facilitation seating
arrangement (U-shape table) and a meeting
facilitator. The participants are “process
owners” – management and staff who are
involved with the particular issues under
examination, who know them best, and who are
critical to the implementation of appropriate
process control.
43. 3. Structured agenda which the facilitator uses to
lead the group through an examination of the
process’s risks and controls. Frequently, the
agenda will be based on a well-defined
framework or model so that participants can be
sure to address all necessary issues framework
for that project.
4. Optionally, the presence of a scribe to take an
on-line transcription of the session and of
electric voting technology to enable participants
to anonymously voice their perceptions of the
issues.
5. Reporting and the development of action plans
44. CSA’s BASIC PHILOSOPHY
Is that the control is the responsibility of
all employees in the organization. The
people who work within the process,
including employees as well as the
managers of the process, are asked for
their assessments of risks and controls in
their process.
45. CONTROL SELF-ASSESSMENT
ADVANTAGES
• Uses ideas and concepts understood by managers rather than by auditors only.
• Provides opportunity to train management and employees on how controls work to achieve business objectives of importance to them.
DISADVANTAGES
• Requires significant planning and coordination
• Provides only a high-level review of the organization’s internal controls.
46. CONTROL SELF-ASSESSMENT
ADVANTAGES
• Very cost effective.
• Provides overall, annual assessment of the organization’s system of internal control
• Helps managers with problems of importance to them.
DISADVANTAGES
• Requires significant facilitation skills and team leading ability.
• Requires auditors to change their paradigm
• Requires significant interface with management and employees.
47. CONTROL SELF-ASSESSMENT
ADVANTAGES
• Fosters buy-in to recommendations and action plan since employees participated in their development
DISADVANTAGES
49. INTERNAL AUDIT PRACTICE
INTERNAL AUDITING ACTIVITIES
• Internal Control Audits
• Compliance Audits
• Fraud Audits
• Operational Audits
• Other
Internal Control Audits
The objective of internal control audits is to apprise
management of how adequately a particular
system of internal control provides reasonable
assurance that objectives are achieved.
50. Compliance Audits
Compliance audits are largely focused on apprising
management of the degree of compliance with
established policies, laws, procedures, regulations,
contractual provisions, etc.
Fraud Audits (Forensic Auditing)
Where fraudulent activity is present or suspected,
specialized audit activities may be performed to assist
management in detecting or confirming the
presence and extent of fraud and in providing
necessary evidence for legal purposes. Also called
forensic auditing or investigative auditing.
51. Operational Audits
Stating the obvious, operational audits are audits of
operations. They focus on the ability of an
organization to achieve its business objectives in
the areas of efficiency and effectiveness.
Efficiency – is a measure of the ability of a
process to function at a low cost in relation to
similar or alternative processes
Effectiveness - is a measure of the ability of a
process to accomplish its functional objective.
52. OTHER AUDIT ACTIVITIES :
Internal Auditors may be asked to participate
in many other activities for their
organization. These may include duties
routinely expected of all employees such as
participating in quality improvement teams
or they may be unique activities such as
performing studies for management for
which the auditor’s skills are considered
helpful.
55. ENGAGEMENT PLANNING -
(PLANNING THE AUDIT)
1. Establishing audit objectives and scope of
work.
2. Obtaining background information about
the activities to be audited.
3. Determining the resources necessary to
perform the audit.
56. ENGAGEMENT PLANNING -
(PLANNING THE AUDIT)
4. Communicating with all who need to know
about the audit.
5. Performing, as appropriate, a survey to
become familiar with activities, risks and
controls; to identify areas for audit
emphasis; and to invite auditee comments
and suggestions.
57. ENGAGEMENT PLANNING -
(PLANNING THE AUDIT)
6. Writing the audit program.
7. Determining how, when and to whom
audit results will be communicated.
8. Obtaining approval of the audit work plan.
58. SETTING OF AUDIT OBJECTIVES
AND SCOPE OF WORK
Audit objectives are broad statements developed by
internal auditors and define intended audit
accomplishments.
Audit procedures are the means to attain audit objectives.
Audit objectives and audit procedures, taken together,
define the scope of the internal auditors’ work.
Audit objectives and audit procedures should address the
risks associated with the activity under audit.
59. THE PRELIMINARY SURVEY
The preliminary or on-site survey allows
for the gathering of information,
without detailed verification, about the
activities to be audited. The internal
auditor learns about the auditee’s
objectives, organization, operations,
information systems, personnel and
internal controls.
60. MAIN PURPOSES OF THE SURVEY:
1. Understand the activity under review
2. Identify significant areas warranting special
emphasis
3. Obtain information for use in performing the
audit
4. Determine whether further auditing is
necessary.
61. PERFORMING THE ENGAGEMENT:
(EXAMINATION AND EVALUATION OF
INFORMATION)
Internal Auditors should collect, analyze, interpret and document
information to support audit results.
Process of Examining and Evaluating Information
1. Extent of information collection -- audit objectives
and scope of work.
2. Information – SUFFICIENT, COMPETENT,
RELEVANT, USEFUL to provide sound basis for
audit findings and recommendations
62. 3. SELECTION IN ADVANCE of audit
procedures, testing and sampling techniques
4. Supervision of the process of examination
and evaluation of information to provide
reasonable assurance
- auditors objectives
- audit goals are met
5. Workpapers should be prepared and
reviewed by IAD management.
63. AUDIT REPORT PREPARATION
1. Purpose Statements
2. Scope Statements
a) Identify audit activities and period
covered
b) Related activities not audited
c) Nature and extent of auditing
performed
65. AUDIT FINDINGS:
are pertinent statements of fact. Audit findings
emerge by a process of comparing “what should
be” with “what is”. Whether or not there is a
difference, the internal auditor has a foundation on
which to build the report. Findings should be
based on the following attributes:
a. Criteria: The standards, measures, or
expectations used in making an evaluation
and/or verification (what should exist/the
correct state).
66. b. Condition: The factual evidence which
the internal auditor found in the course
of the examination (what does exist/the
current state).
c. Cause: The reason for the difference
between the expected and actual
conditions (why the difference exists).
67. d. Consequences: The risk or exposure the auditee
organization and/or others encounter because the
condition is not the same as the criteria (the impact of
the difference). In determining the degree of risk or
exposure, internal auditors should consider the effect
their engagement observations and recommendations
may have on the organization’s operations and
financial statements.
e. Observations and recommendations can include
engagement client/auditee accomplishments, related
issues, and supportive information.
68. COMMUNICATING RESULTS:
Internal Auditors must communicate the
engagement results.
Criteria for Communicating
Quality of Communications
Use of “Conducted in Conformance with the
International Standards for the Professional
Practice of Internal Auditing”
Disseminating Results
70. Criteria for Communicating:
1. Final communication of engagement results
must, where appropriate, contain internal
auditors’ overall opinion and/or conclusions.
2. Internal auditors are encouraged to
acknowledge satisfactory performance in
engagement communications.
71. Criteria for Communicating:
3. When releasing engagement results to
parties outside of the organization, the
communication must include limitations on
distribution and use of the results.
4. Communication of the progress and results
of consulting engagements will vary in form
and content depending upon the nature of
the engagement and the needs of the client.
73. Quality of Communications:
Accurate Communications are free from errors and
distortions and are faithful to the underlying facts.
Objective Communications are fair, impartial, and
unbiased and are the result of a fair-minded and
balanced assessment of all relevant facts and
circumstances.
Clear Communications are easily understood and
logical, avoiding unnecessary technical language and
providing all significant and relevant information.
74. Quality of Communications:
Concise Communications are to the point and
avoid unnecessary elaboration, superfluous
detail, redundancy, and wordiness.
Constructive Communications are helpful to the
engagement client and the organization and lead
to improvements where needed.
75. Quality of Communications:
Complete Communications lack nothing that is
essential to the target audience and include all significant
and relevant information and observations to support
recommendations and conclusions.
Timely Communications are opportune and
expedient, depending on the significance of the issue,
allowing management to take appropriate corrective
action.
76. Quality of Communications:
1. Gather, evaluate, and summarize data and
evidence with care and precision.
2. Derive and express observations, conclusions,
and recommendations without prejudice,
partisanship, personal interests, and the undue
influence of others.
3. Improve clarity by avoiding unnecessary
technical language and providing all
significant and relevant information in
context.
77. Quality of Communications:
4. Develop communications with the objective
of making each element meaningful and
succinct.
5. Adopt a useful, positive, and well-meaning
content and tone that focuses on the
organization’s objectives.
78. Quality of Communications:
6. Ensure communication is consistent with
the organization’s style and culture.
7. Plan the timing of the presentation of
engagement results to avoid undue delay.
79. Use of “Conducted in Conformance with the
International Standards for the Professional
Practice of Internal Auditing”
Internal auditors may report that their
engagements are “conducted in conformance
with the International Standards for the
Professional Practice of Internal Auditing,”
only if the results of the quality assurance and
improvement program support the statement.
80. STANDARD 2430
Use of “Conducted in Conformance with the Internal
Auditing Standards for the Philippine Public Sector”
• Indicating that engagements are
“conducted in conformance with the
Internal Auditing Standards for the
Philippine Public Sector (IASPPS)” is
appropriate only if the results of the
quality assurance and improvement
program support the statement.
81. Philippine Application Guidelines 2430
1. The head of internal audit should understand
the requirements related to developing and
maintaining a quality assurance and
improvement program (QAIP) (the 1300 series
of standards) and be familiar with the results of
the IAS’s current internal and external
assessments. The head of internal audit may also
consider the head of agency or governing
body/audit committee’s expectations for using
the statement “conducted in conformance with
the IASPPS” in engagement reports.
82. Philippine Application Guidelines 2430
2. When an IAS reports on an engagement, there
is no requirement to indicate whether the
engagement was conducted in conformance with
the IASPPS. However, using this statement
builds the IAS’s credibility. This Standard
prohibits using the statement unless the results of
the IAS’s QAIP – including current internal
and external assessments – support a
conclusion that the IAS generally conforms with
the IASPPS.
83. Philippine Application Guidelines 2430
3. When an IAS does not conform with the
IASPPS, the IAS may choose to state that the
engagement was not conducted in conformance
with the IASPPS. However, such a statement is
not required (see Standard 2431).
84. Disseminating Results:
The chief audit executive must communicate
results to the appropriate parties.
The chief audit executive or designee reviews
and approves the final engagement
communication before the issuance and
decides to whom and how it will be
disseminated.
85. AUDIT REPORT REVIEW
AND DISTRIBUTION:
THE HEAD OF INTERNAL AUDITING
OR DESIGNEE SHOULD REVIEW
AND APPROVE THE FINAL AUDIT
REPORT BEFORE ISSUANCE AND
SHOULD DECIDE TO WHOM THE
REPORT WILL BE DISTRIBUTED.
86. AUDIT REPORT REVIEW
AND DISTRIBUTION:
AUDIT REPORTS SHOULD BE DISTRIBUTED
TO THOSE MEMBERS OF THE
ORGANIZATION WHO ARE ABLE TO ENSURE
THAT AUDIT RESULTS ARE GIVEN DUE
CONSIDERATION.
THIS MEANS THAT THE REPORT SHOULD
GO TO THOSE WHO ARE IN A POSITION TO
TAKE CORRECTIVE ACTION OR ENSURE
THAT CORRECTIVE ACTION IS TAKEN.
87. AUDIT REPORT REVIEW
AND DISTRIBUTION:
CERTAIN INFORMATION MAY NOT BE
APPROPRIATE FOR DISCLOSURE TO
ALL REPORT RECIPIENTS BECAUSE IT
IS PRIVILEGED, PROPRIETARY, OR
RELATED TO IMPROPER OR ILLEGAL
ACTS.
SUCH INFORMATION, HOWEVER, MAY
BE DISCLOSED IN A SEPARATE
REPORT.
89. MONITORING PROGRESS:
To effectively monitor the disposition of results, the chief
audit executive (CAE) establishes procedures to include:
• The timeframe within which management’s
response to the engagement observations and
recommendations is required.
• Evaluation of management’s response.
• Verification of the response (if appropriate).
• Performance of a follow-up engagement
(if appropriate).
• A communication process that escalates
unsatisfactory responses/actions, including the
assumption of risk, to the appropriate levels of
senior management or the board.
90. Follow-up Process:
Internal auditors determine whether
management has taken action or
implemented the recommendation.
Internal auditor determines whether the
desired results were achieved or if senior
management or the board has assumed the
risk of not taking action or implementing
the recommendation.
91. Follow-up Process:
Follow-up is a process by which internal auditors
evaluate the adequacy, effectiveness, and timeliness
of actions taken by management on reported
observations and recommendations, including
those made by external auditors and others. This
process also includes determining whether senior
management and/or board have assumed the risk
of not taking corrective action on reported
observations.
92. Follow-up Process:
The internal audit activity’s charter should define the
responsibility for follow-up. The chief audit executive
(CAE) determines the nature, timing, and extent of follow-up,
considering the following factors:
a. Significance of the reported observation and
recommendation.
b. Degree of effort and cost needed to correct the
reported condition.
c. Impact that may result should the corrective action
fail.
d. Complexity of the corrective action.
e. Time period involved.
93. Follow-up Process:
The CAE is responsible for scheduling
follow-up activities as part of developing
engagement work schedules.
Scheduling of follow-up should be based on
the risk and exposure involved, as well as the
degree of difficulty and the significance of
timing in implementing corrective action.
94. Follow-up Process:
Where the CAE judges that
management’s oral or written
response indicates that action taken
is sufficient when weighed against
the relative importance of the
observation or recommendation,
internal auditors may follow up as
part of the next engagement.
95. Follow-up Process:
Internal auditors ascertain whether
actions taken on observations and
recommendations remedy the
underlying conditions. Follow-up
activities should be appropriately
documented.
96. THE CHANGING INTERNAL AUDITOR’S PARADIGM
CHARACTERISTIC | OLD PARADIGM | NEW PARADIGM
INTERNAL AUDIT FOCUS | INTERNAL CONTROL | BUSINESS RISK
INTERNAL AUDIT RESPONSE | REACTIVE, AFTER-THE-FACT, DISCONTINUOUS, OBSERVERS OF STRATEGIC PLANNING INITIATIVES | COACTIVE, REAL-TIME, CONTINUOUS MONITORING, PARTICIPANTS IN STRATEGIC PLANS
RISK ASSESSMENT | RISK FACTORS | SCENARIO PLANNING
INTERNAL AUDIT TESTS | IMPORTANT CONTROLS | IMPORTANT RISKS
INTERNAL AUDIT METHODS | EMPHASIS ON THE COMPLETENESS OF DETAIL CONTROL TESTING | EMPHASIS ON THE SIGNIFICANCE OF BROAD BUSINESS RISKS COVERED
97. THE CHANGING INTERNAL AUDITOR’S PARADIGM
CHARACTERISTIC | OLD PARADIGM | NEW PARADIGM
INTERNAL AUDIT RECOMMENDATIONS | INTERNAL CONTROL: STRENGTHENED, COST-BENEFIT, EFFICIENT/EFFECTIVE | RISK MANAGEMENT: AVOID/DIVERSIFY RISK, SHARE/TRANSFER RISK, CONTROL/ACCEPT RISK
INTERNAL AUDIT REPORTS | ADDRESSING THE FUNCTIONAL CONTROLS | ADDRESSING THE PROCESS RISKS
INTERNAL AUDIT ROLE IN THE ORGANIZATION | INDEPENDENT APPRAISAL FUNCTION | INTEGRATED RISK MANAGEMENT AND CORPORATE GOVERNANCE
99. PROFICIENCY AND DUE
PROFESSIONAL CARE
PROFICIENCY – Internal auditors must
possess the knowledge, skills and other
competencies needed to perform their
individual responsibilities. The internal
audit activity collectively must possess
or obtain the knowledge, skills, and
other competencies needed to perform
its responsibilities.
100. PROFICIENCY AND DUE PROFESSIONAL CARE
DUE PROFESSIONAL CARE –
Internal auditors must apply the care
and the skill expected of a reasonably
prudent and competent internal auditor.
Due professional care does not imply
infallibility.
101. Exercising due professional care means using
reasonable audit skill and judgment in
performing the audit. The internal auditor must
exercise due professional care by considering:
1. The extent of audit work needed to
achieve audit objectives.
2. The relative complexity, materiality or
significance of matters to which
audit/assurance procedures are applied.
102. 3. The adequacy and effectiveness of
governance, risk management and control
processes.
4. The probability of significant errors, fraud, or
noncompliance; and
5. The cost of auditing in relation to potential
benefits.
103. In exercising due professional care, internal
auditors must consider the use of technology-
based audit and other data analysis techniques.
Internal auditors must be alert to the significant
risks that might affect objectives, operations, or
resources. However, assurance procedures
alone, even when performed with due
professional care, do not guarantee that all
significant risks will be identified.
104. Internal Auditors Can Audit Anything â but Not Everything.
By Richard Chambers
Former Chairman, Institute of Internal Auditors (IIA)
“There are times when internal audit clients
and others have unrealistic expectations
about our profession. It’s not surprising,
then, that there may be confusion about our
role. After all, internal auditors wear many
hats. We are analysts, control experts,
consultants, teachers, business partners,
watchdogs, financial advisers.”