Internal Auditing AUDB433

Special Semester, 2014-2015

INTRODUCTION TO INTERNAL AUDITING

Overview of Internal Auditing
Introduction
Although the internal audit profession is ancient, many people associate the birth of
modern internal auditing with the establishment of The Institute of Internal Auditors (IIA)
in 1941.
Changing Roles of Internal Auditing
Over the last 70 years, the roles played by internal auditors have changed dramatically:
Traditional Roles ===>

Transitional Roles ===>

Ensuring accuracy of the Emergence of operational

financial records:
auditing:
IA was merely an IA more focused on
extension
of
the
controls within the
Accounts Department
organization
IA
assumed
a
IA
performed
management
accounting
oriented
consultant role
tasks
focused
on
checking accuracy & Checked compliance with
reliability
of company
policies
&
historical/past
procedures:
performance
(e.g., Evaluated the effective
counting
inventories,
& efficient use of
verifying petty cash,
resources
auditing payroll records, Investigated fraud &
audit by re-doing tasks)
other special events
such as mergers
IA acting as in-house Reviewer
of
assistants assisting the
management processes
external auditors
(playing the role of
policeman checking
on management)

Current Roles ===> ??

IA serves the entire
organization (IA work is
focused on ensuring that the
organizations current &
future performance helps it
achieve its objectives see
main textbook, page 1)
Independent from operating
management.
Partners with management
(IA acting as business
consultants providing a
service to the organization).
Participates
with
Improvement Teams & Task
Force Processes.
Uses Technology.

These changing roles require internal auditors to acquire new knowledge and skills sets to
keep pace with the changes and to succeed in the profession.

Internal Auditing AUDB433

Special Semester, 2014-2015

Molding Forces
Circumstances / events / forces which have helped to fuel increased demand for internal
audit services and helped shape internal auditing into what it is today:

Corporate scandals (for e.g., Enron, WorldCom, and Parmalat) which have brought
about new laws and regulations (for e.g., latest amendments to Malaysian Cos Act
1965 and amended Bursa Malaysias Listing Requirements issued on 31 January
2008: see textbook, page 1).
Globalization.
Increasingly complex corporate structures.
E-commerce and other technological advances.

These forces bring about new and different types of risks that can prevent an organization
from achieving its business objectives. To help an organizations senior management and
BODs understand and address these risks, internal auditors are increasingly being called
upon to help organizations strengthen their corporate governance, risk management, and
internal control processes.
Definition of Internal Auditing
The Institute of Internal Auditors (IIA) current definition of internal auditing:
Internal auditing is an independent, objective, assurance and consulting activity
designed to add value and improve an organizations operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve effectiveness of risk management, control, and governance processes.
Lets look at the key components of the above definition in turn:
Helping the Organization Accomplish its Objectives
The overarching objective of the internal audit function is to help an organization achieve
its business objectives.
An organization exists for a number of purposes or business objectives, e.g., make
profits, increase shareholder wealth, add growth to stakeholders value, etc. Its success
depends on the accomplishment of these objectives. But events taking place may prevent
a company from achieving its objectives.
Understanding an organizations business objectives > helps an internal auditor
understand the risks of events arising that can potentially side-track or hinder
objectives being met > helps define the internal auditors own audit engagement
objectives (i.e. what it needs to do) in order to help the organization accomplish its
business objectives:
[See Exhibit 1-1]
2

Internal Auditing AUDB433

Special Semester, 2014-2015

Evaluating and Improving the Effectiveness of Risk Management, Control, and

Governance Processes
All 3 processes focus on the achievement of the organizations objectives.
Governance process the process conducted by the BOD to authorize, direct, and
oversee management towards achievement of the organizations objectives.
Risk management process the process conducted by management to understand and
deal with uncertainties (i.e. risks) that could affect the organizations ability to achieve its
objectives (e.g. employee fraud).
Control processes the process conducted by management to reduce risks to acceptably
low levels / to a level acceptable to the organization (risk appetite).
The internal audit function plays a prominent role in evaluating and improving these
processes.
Assurance and Consulting Activity Designed to Add Value and Improve Operations
2 types of services internal auditors provide to add value and improve operations:
Assurance services an objective examination of evidence for the purpose of providing
an independent assessment on risk management, control, or governance processes for the
organization. [auditee] [auditor] [user]
Consulting services advisory and related services, the nature and scope of which are
agreed to with the customer and which are intended to improve an organizations
governance, risk management, and control processes without the internal auditor
assuming management responsibility. [auditee] [auditor]
They differ in three respects: (1) purpose (2) who determines nature and scope of
engagement, and (3) the parties involved.
Adding Value a well run internal audit function adds value in a number of ways, for
example:
It acts as a training ground for future line managers, by exposing fast track members
of the department to a variety of situations, activities and functions within the
organisation.
It provides a one stop shop for best practice advice.
It provides an independent, objective opinion as to the quality of the business controls.
It stimulates risk awareness throughout the organisation.
It is a source of qualified, experienced talent that can aid management in business
improvement programmes.

Internal Auditing AUDB433

Special Semester, 2014-2015

It provides specialist professional independent opinions on a variety of situations; such

as due diligence exercises.
It reports on fraudulent activity within the organisation, with a view to understanding
how it happened and how to prevent it occurring again.
It ensures that the company wide initiatives, such as a code of conduct, are being
adhered to.
Independence and Objectivity
Independence refers to the organizational status of the internal audit function.
Independence the freedom from conditions that threaten objectivity or the appearance
of objectivity. Such threats to objectivity must be managed at the individual auditor,
engagement, functional and organizational levels.
For the internal audit function to be independent, the Chief Audit Executive must report
to a level within the organization that has sufficient authority to enable it to carry out its
function properly without undue influence from other parties. The IIA recommends that
the CAE reports functionally to the BOD and where it exists, to the audit committee, and
administratively to the organizations chief executive officer (CEO) (Practice Advisory
1110-1, Organizational Independence).
Objectivity refers to the mental attitude of individual auditors.
Individual objectivity an impartial, unbiased mental attitude and avoidance of conflicts
of interest, allowing internal auditors to perform engagements in such a manner that they
have an honest belief in their work product and that no significant quality compromises
are made.
To ensure objectivity, internal auditors should not involve themselves in day-to-day
operations, make management decisions, or otherwise put themselves in situations that
result in actual or potential conflicts of interest.

A Systematic and Disciplined Approach

Specifically, this refers to the internal audit engagement process itself: planning the
engagement, performing the engagement, and communicating engagement outcomes.
Planning the engagement involves obtaining an understanding of the auditees business
risks and objectives, auditees personnel, resources, operations, etc.

Internal Auditing AUDB433

Special Semester, 2014-2015

Performing the engagement involves application of specific audit procedures, for e.g.,
making enquiries, observing operations, inspecting documents, and analyzing
information to gather evidence. Documenting the evidence. Evaluating the evidence.
Communicating outcomes of the engagement should be accurate, objective, clear,
concise, constructive, complete, and timely.
Types of Internal Audit Engagements

Operational audit
Programme audit
Fraud audit
Ethical business practices audit
Compliance audit
Information technology audit
Control self-assessment audit
Financial audit

(For explanation of above, see main textbook, pages 4-5)

Differences and Similarities between Internal Auditing and External Auditing
The Different Objectives
The starting place is to clearly set out the different objectives of internal and external
audit. The external auditor seeks to test the underlying transactions that form the basis
of the nancial statements. The internal auditor, on the other hand, seeks to advise
management on whether its major operations have sound systems of risk management
and internal controls.
The Main Similarities
Both the external and internal auditor carry out testing routines and this may involve
examining and analysing many transactions.
Both the internal auditor and the external auditor will be worried if procedures were
very poor and/or there was a basic ignorance of the importance of adhering to them.
Both tend to be deeply involved in information systems since this is a major element
of managerial control as well as being fundamental to the nancial reporting process.
Both are based in a professional discipline and operate to professional standards.
Both seek active co-operation between the two functions.

Internal Auditing AUDB433

Special Semester, 2014-2015

Both are intimately tied up with the organizations systems of internal control.
Both are concerned with the occurrence and effect of errors and misstatement that
affect the nal accounts.
Both produce formal audit reports on their activities.
The Main Differences
The external auditor is an external contractor and not an employee of the organization
as is the internal auditor. Note, however, that there is an increasing number of
contracted-out internal audit functions where the internal audit service is provided by
an external body.
The external auditor seeks to provide an opinion on whether the accounts show a true
and fair view, whereas internal audit forms an opinion on the adequacy and
effectiveness of systems of risk management and internal control, many of which fall
outside the main accounting systems.
External audit is a legal requirement for limited companies and most public bodies,
while internal audit is not essential for private companies and is only legally required
in parts of the public sector.
Internal audit may be charged with investigating frauds and, although the external
auditors will want to see them resolved, they are mainly concerned with those that
materially affect the nal accounts.
Internal auditors cover all the organizations operations whereas external auditors
work primarily with those nancial systems that have a bearing on the nal accounts.
Internal audit may be charged with developing value-for-money initiatives that
provide savings and/or increased efciencies within the organization.
The internal auditor reviews systems of internal control in contrast to the external
auditor who considers whether the state of controls will allow a reduced amount of
testing.
Internal audit works for and on behalf of the organization whereas the external auditor
is technically employed by and works for a third party, the shareholders.
The internal audit cover is continuous throughout the year but the external audit tends
to be a year-end process even though some testing may be carried out during the year.
(See also main textbook, pages 5-6)

Internal Auditing AUDB433

Special Semester, 2014-2015

Evolution of the Internal Auditing Profession

See article: The Americas literature review on internal auditing. The purpose of this
article is to show how the roles played by the internal audit function have changed and
how its scope has expanded in response to shifts in global business practices.

Discussion Questions for Tutorial Class

1. Define the formal definition of internal auditing. Using this definition, what in your
opinion would be the benefits that might accrue from resourcing such a service?
2. Define governance, risk management, and control.
3. Explain the difference between internal assurance services and internal consulting
services.
4. Define independence and objectivity as they pertain to internal auditors.
5. How should the internal audit function be positioned within the organization so that it
maintains its independence?
6. What roles that you carry out in your capacity as the companys internal auditor might
compromise your objectivity?
7. List the types of procedures an internal auditor might use to test the design and
operating effectiveness of risk management, control, and governance process.
8. What are the three fundamental phases in the internal audit engagement plan?
9. What is the association between the clients business objectives, risks, and controls?
What is the internal auditors role in this?
10. How does an internal audit function add value to the organization?
11. Discuss the differences and similarities between internal and external auditing.
12. Identify some of the significant change factors that have led to increasingly more
significant roles being carried out by the internal audit function over the past 30
years.

Internal Auditing AUDB433

Special Semester, 2014-2015

13. The changing roles require internal auditors to acquire new sets of skills and
competencies to keep pace with the changes and to succeed in the profession. What
new skills and competencies should the modern internal auditors acquire?