Lecture notes in Internal Auditing

Unit 1: THE INTERNAL AUDIT ROLE

SCOPE

This chapter covers the role of internal auditing and describes what it takes to become a good
auditor. The areas covered are:
1. Internal Audit 1 Review 5. Police Officer versus Consultant
2. The Audit Charter 6. Audit Competencies
3. Audit Services 7. Training and Development
4. Audit Ethics

I. Internal Audit Review

The starting place for internal audit theory is the definition of internal audit. A standard definition is
made up of important issues that form the basic framework of internal audit principles. The Institute of
Internal Auditors’ (IIA) definition appears once again:
Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organisation’s operations. It helps an organisation accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance processes.

We can analyse the IIA’s formal definition in detail by examining each of the material concepts:
‘Internal auditing’ The service is provided within the organization and is distinct from the external audit
role (but see ‘activity’ below). Years ago the IIA considered changing the name of internal auditing to
reflect the modern and increasingly professional approach. No alternative was forthcoming and the idea
was dropped.
‘Independent’ The concept of independence is fundamental. Internal auditing cannot survive if it is not
objective. All definitions of internal audit feature an element of independence, although its extent, and
how it is achieved, is a topic in its own right. The audit function must have sufficient status and be able to
stand back from the operation under review for it to be of use. If this is not achieved, then this forms a
fundamental flaw in the audit service and some internal audit functions may not be able to subscribe to
the standards.
‘Assurance and consulting’ This part of the definition refers to the fundamental shift in the role of
internal audit. The shift makes clear that the past tinkering with the advice and consulting aspect of
auditing is now a full-blown additional consultancy arm of the function. Internal audit may provide advice
and assistance to management in a way that best suits each manager’s needs. Even consulting work
should take on board the impact of risks and IIA Implementation Standard 2110.C1 says that: ‘during
consulting engagements, internal auditors should address risk consistent with the engagement’s
objectives and should be alert to the existence of other significant risks’. Meanwhile the primary role of
internal audit is to provide independent assurances that the organization is, or is not, managing risk well.
‘Activity’ The fact that the internal audit function as an activity is important. This means it is a defined
service, although not necessarily located within the organization (e.g. it may be outsourced).
‘Designed to add value’ As a service, auditing has to form a client base and understand the needs of
the organization. Here the service role should lead to a defined benefit to the organization rather than
internal audit working for its own mysterious goals. Adding value should be uppermost in the minds of
chief audit executives (CAE) and this feature should drive the entire audit process.
‘And improve an organization’s operations’ This brings into play the notion of continuous
improvement. The auditors are really there to make things better and not inspect and catch people out.
In one sense, if the CAE cannot demonstrate how the auditors improve the business, there is less reason
to resource the service.
‘It helps an organization accomplish its objectives’ The task of internal audit is set firmly around the
organization’s corporate objectives. Making an organization successful is the key driver for corporate
governance (a badly governed organization will not be successful), for risk management (where risks to
achieving objectives are the main focus) and internal controls (that seek to ensure objectives are realized).
1 of 7
Lecture notes in Internal Auditing

Moreover, it is the search for long-term corporate success that must steer the internal audit shop, or
there is little point setting up the team.
‘Systematic, disciplined approach’ Internal audit is now a full-blown profession. This means it has a
clear set of professional standards and is able to work to best practice guidelines in delivering a quality
service. One measure of this professionalism is that the organization can expect its auditors to apply a
systematic and disciplined approach to its work. Be it consulting or assurance work, IIA Performance
Standard 2040 requires that: ‘The CAE should establish policies and procedures to guide the internal audit
activity.’
‘Evaluate and improve’ We have mentioned the need to focus on making improvements in the
organization and part of this search for improvement entails making evaluations. Internal audit set what
is found during an audit against what should be present to ensure good control. This necessarily entails
the use of evaluation techniques that are applied in a professional and impartial manner to give reliable
results. Many review teams leave out the evaluation aspect of review work and simply ask a few questions
or check a few records and their results are not robust. Internal audit, on the other hand, has built into its
definition the formal use of evaluation procedures to support steps to improve operations.
‘Effectiveness’ Effectiveness is a bottom-line concept based on the notion that management is able to
set objectives and control resources in such a way as to ensure that these goals are in fact achieved. The
link between controls and objectives becomes clear, and audit must be able to understand the
fundamental needs of management as it works to its goals. The complexities behind the concept of
effectiveness are great, and by building this into the audit definition, the audit scope becomes potentially
very wide.
‘Risk management, control and governance processes’ Organizations that have not developed vigorous
systems for these matters will fail in the long run and fall foul of regulators in the short term. The internal
auditors are the only professionals who have these dimensions of corporate life as a living and breathing
component of their role. They should therefore be the first port of call for anyone who needs to get to
grips with corporate governance and IIA Performance Standard 2130 makes it clear that the internal audit
activity should assess and make appropriate recommendations for improving the governance process in
its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.

• Ensuring effective organizational performance management and accountability.

• Effectively communicating risk and control information to appropriate areas of the organization.

• Effectively coordinating the activities of and communicating information among the board, external

and internal auditors and management.

The Four Main Elements
The scope of internal auditing is found in the Institute of Internal Auditors’ Implementation Standard
2110.A2 which states that:
The internal audit activity should evaluate risk exposures relating to the organization’s governance,
operations and information systems regarding the:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
Reliability and integrity of financial and operational information Internal auditors review the
reliability and integrity of financial and operating information and the means used to identify, measure,
classify and report such information.
Effectiveness and efficiency of operations Internal auditors should appraise the economy and
efficiency with which resources are employed. They should also review operations or programmes to
ascertain whether results are consistent with established objectives and goals and whether the operations
are being carried out as planned.
Safeguarding of assets Internal auditors should review the means of safeguarding and, as appropriate,
verifying the existence of such assets.

2 of 7
 Lecture notes in Internal Auditing

Compliance with laws, regulations and contracts Internal auditors should review the systems
established to ensure compliance with those policies, plans, procedures, laws, regulations and important
contracts that could have a significant impact on operations and reports, and should determine whether
the organization is in compliance.
Internal audit reviews the extent to which management has established sound systems of internal
control so that objectives are set and resources applied to these objectives in an efficient manner. This
includes being protected from loss and abuse. Adequate information systems should be established to
enable management to assess the extent to which objectives are being achieved via a series of suitable
reports. Controls are required to combat risks to the achievement of value for money and it is these areas
that internal audit is concerned with. Compliance, information systems and safeguarding assets are all
prerequisites to good value for money.

II. The Audit Charter

The audit charter may be used in a positive fashion to underpin the marketing task that is discharged
by audit management. It can also be used to defend audit services in the event of a dispute or an awkward
audit. The Institute of Internal Auditors has issued a statement of responsibilities that covers the role of
internal auditing and this document may be used to form the basis of such a charter. The audit charter
constitutes a formal document that should be developed by the CAE and agreed by the highest level of
the organization. If an audit committee exists then it should be agreed in this forum although the final
document should be signed and dated by the chief executive officer. The audit charter establishes audit’s
position within the organization and will address several issues:
1. The nature of internal auditing 2. The audit objectives
3. The scope of audit work 4. Audit’s responsibilities
5. Audit’s authority 6. Outline of independence

Structure of the Charter

It is possible to outline a suitable structure for the charter bearing in mind the different models that
will be applied by different types of organizations per Figure 5.1.

DEFINITIONS
formal definition of internal audit

SCOPE OF WORK

covers the four key control areas

SERVICES
management’s responsibilities, planned
assurance work, investigations and consultancy

ACCESS
rights of access

INDEPENDENCE
cornerstone of IA: organizational status and professional standards
FIGURE 5.1 Structure of the audit charter.

The Audit Charter—an Example

Each individual charter will vary depending on the needs of the organization, views of the CIA and type
of services offered. We have produced a charter for a fictional company, Keystone Ltd.

KEYSTONEAUDITSERVICES—AUDITCHARTER
This audit charter sets out the role, authority and responsibilities of the internal audit function and has been
formally adopted by Keystone Ltd. on 1 January 20xx.
1. Role
Internal auditing is an independent, objective assurance and consulting activity designed to add value and
improve an organization’s operations. It helps organizations accomplish their objectives by bringing a

3 of 7
 Lecture notes in Internal Auditing

systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and
governance processes. Internal audit is concerned with controls that ensure:
• reliability and integrity of financial and operating information
• effectiveness and efficiency of operations
• safeguarding of assets
• compliance with laws, regulations and contracts.
2. Responsibilities
Management is responsible for maintaining an adequate system of internal control to manage risks to the
organization. Internal audit will provide assurance services to management, the board and the audit
committee in terms of reviewing the adequacy of these systems of internal control. Internal audit will also
provide a consulting role in helping promote and facilitate the development of effective systems of risk
management and internal control. In addition, and subject to the availability of resources, audit will seek to
respond to management’s requests for investigations into matters of fraud, probity and compliance. Internal
audit will provide advice on addressing these problems, which remain the responsibility of management.
Furthermore, internal audit shall have no responsibilities over the operations that it audits over and above
the furnishing of recommendations to management. The results of consulting and ad hoc projects requested
by management will be used to inform internal audit’s position on assurances where appropriate.
3. Plans
Internal audit is required to publish an annual audit plan to the board and audit committee and perform the
audits that are contained within this plan, to the standards set out in the audit manual. Annual audit plans will
be based on the risk assessments carried out by management and the board and take into account issues
derived from the current audit strategy that is approved by the audit committee.
4. Reports
All audit reports will be cleared with the relevant management and once agreed will be copied to the
appropriate director, the audit committee and external audit. Management is expected to implement all
agreed audit recommendations within a reasonable time frame and each audit will be followed up to assess
the extent to which this has happened. The audit committee will be given a summary of audits where agreed
recommendations have not been implemented by management without reasonable explanation. The audit
committee will also receive a summary of all audits where management have decided not to implement an
audit recommendation without reasonable explanation. The overall results of audit work will be reported
quarterly to the audit committee (who in turn report to the board of directors). Internal audit is also required
to furnish an annual assurance on the state of internal control in the organization.
5. Access
Internal audit has access to all officers, buildings, information, explanations and documentation required to
discharge the audit role. Any interference with this right of access will be investigated and, if found to be
unreasonable, will be deemed a breach of organizational procedure and dealt with accordingly.
6. Independence
Internal audit is required to provide an objective audit service in line with professional auditing standards (as
embodied within the audit manual) and the auditor’s code of ethics. To this end it is essential that sufficient
independence attaches to this work for it to have any impact on Keystone Ltd. This is dependent on sufficient
organizational status and the ability to work to professional standards and the audit committee will undertake
an ongoing review of the impact of these two factors.

CHIEF EXECUTIVE CHAIR OF AUDIT COMMITTEE

DATE DATE

III. Audit Services

The role of internal auditing is wide. Within the context of improving risk management, control and
governance processes, the type of work undertaken to add value to an organization will vary greatly. It all
depends on the context and best use of resources. Internal audit shops that focus on the corporate
governance arrangements, rather than take on any work that comes its way, will tend to have a better
direction. The remit is the audit charter, the parameters are the professional standards while the context
is the success criteria that is set by the organization. Within these factors will fall the range of audit

4 of 7
Lecture notes in Internal Auditing

products that are on offer. These may include one or more of the following possible interpretations of the
audit role. Note the following are SOME listed internal audit services selected at random from various
websites that feature internal audit shops from both private and public sector organizations:

• Cyclical audit (stock petty cash payroll). • Information system reviews.

• Investigations into specific problems. • Financial and compliance audits.
• Responding to requests by management. • Performance audits.
• Operational efficiency and effectiveness • Internal control reviews and testing poor
reviews. areas.
• Internal control reviews. • Investigative audits into reported
• Fraud investigations. irregularities.
• Compliance reviews. • Verify assets and review safeguards.
• Reviewing controls over revenue, contracts • Evaluation of reporting systems and
administration and operational expenses. procedures.
• Acting as a contact point for allegations of
fraud, waste and abuse.

IV. Audit Ethics

The Institute’s Code of Ethics extends beyond the definition of internal auditing to include two essential
components:
1. Principles that are relevant to the profession and practice of internal auditing;
2. Rules of conduct that describe behaviour norms expected of internal auditors. These rules are an aid to
interpreting the Principles into practical applications and are intended to guide the ethical conduct of
internal auditors.

Principles Internal auditors are expected to apply and uphold the following principles:
 Integrity - The integrity of internal auditors establishes trust and thus provides the basis for reliance
on their judgement.
 Objectivity -Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being examined. Internal
auditors make a balanced assessment of all relevant circumstances and are not unduly influenced by
their own interests or by others in forming judgements.
 Confidentiality - Internal auditors respect the value and ownership of information they receive and
do not disclose information without appropriate authority unless there is a legal or professional
obligation to do so.
 Competency - Internal auditors apply the knowledge, skills and experience needed in the performance
of internal auditing services.

Rules of Conduct

1. Integrity
Internal auditors:
1.1 Shall perform their work with honesty, diligence, and responsibility.
1.2 Shall observe the law and make disclosures expected by the law and the profession.
1.3 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the
profession of internal auditing or to the organization.
1.4 Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity
Internal auditors:
2.1 Shall not participate in any activity or relationship that may impair or be presumed to impair their
unbiased assessment. This participation includes those activities or relationships that may be in
conflict with the interests of the organization.
2.2 Shall not accept anything that may impair or be presumed to impair their professional judgement.

5 of 7
Lecture notes in Internal Auditing

2.3 Shall disclose all material facts known to them that if not disclosed, may distort the reporting of
activities under review.

3. Confidentiality Internal auditors:

3.1 Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or
detrimental to the legitimate and ethical objectives of the organization.

4. Competency
Internal auditors:
4.1 Shall engage only in those services for which they have the necessary knowledge, skills and experience.
4.2 Shall perform internal auditing services in accordance with the Standards for the Professional Practice
of Internal Auditing.
4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.

V. Police Officer versus Consultant

The alternatives to the word ‘Audit’ from a standard thesaurus include the following terms: 1.
examination 2. review 3. investigation 4. inspection 5. scrutiny
These terms do not conjure up the concept of a helpful, value-add service and here we tackle the fallout
of negativity and the need to manage this problem by adopting the stance that merely being genuine is
not enough.

Human Behavioural Aspects

This covers a wide area and touches on topics such as industrial psychology, communication skills and
group theory. Auditors should be skilled in dealing with people and as such this aspect is seen as a valid
audit skill. Unfortunately this skill does not always form part of the auditors’ professional training and
development programme. In fact a poor recruitment policy may result in bringing in auditors who see
little value in developing good interpersonal skills. The old-fashioned detailed checker had little time to
discuss the real-life issues that fall outside the scope of the audit programme. Nowadays auditors are
required to do more than operate on a detailed technical level; they are expected to be able to converse
openly with senior management.

Understanding and Participating with Management

Where an auditor understands management and the management process it is easier to work in a
partnership mode. The participative approach brings audit closer to a consultancy role where
management needs are foremost. Many audit departments have moved along this route and the
explanatory models suggest that a continuum may be designed where one may move further along the
direction of participation. It must, however, be noted that the more participation that is promoted, the
greater the strain in maintaining a satisfactory level of independence. As such there will be limits on how
far one might go. It is possible to use an established model of audit styles ranging from a traditional
through to a participative style. There is a continuum for each of the components of this established model
as shown in Table 5.1.
TABLE 5.1Traditional versus participative styles.
Factor Traditional style Participative style
Role Policeman Advisor
Authority Formal Informal
Source of authority Office Personal attributes
Sanction Coercion Suggestion

These are two extremes which might on the one hand mean that an audit function is imposed on
management to police the organization. Alternatively, the audit service may be more like a partnership
with audit providing professional advice in line with management’s needs. Clearly modern internal
auditing is moving towards the partnership role with management as it does not report to itself, or work
6 of 7
Lecture notes in Internal Auditing

towards its own mysterious goals. The auditor should recognize the culture that exists in the area being
audited and ensure that audit recommendations are framed in a way that fits into management’s needs.
Participative auditing means working with management rather than auditing them. This is in line with the
view that controls belong to management and they should be encouraged to maintain and improve them.

VI. Audit Competencies

The first thing that needs to be in place to ensure competent internal auditors is effective human
resource policies and practices. Here we are concerned with the attributes of successful internal auditors.
The IIA Practice Advisory 1210-1 deals with proficiency and requires that each internal auditor should
possess certain knowledge, skills, and other competencies:
• proficiencies in applying internal auditing standards and procedures ...
• proficiency in accounting principles and techniques ...
• an understanding of management principles ...
• appreciation of accounting, economics, commercial law, taxation, finance, quantitative methods and IT.
• skilled at dealing with people and communicating ...
• skilled in oral and written communications ...
CAE should establish suitable criteria for education and experience for filling internal auditing
positions ... the IA staff should collectively possess the knowledge and skills essential to the practice
of the profession within the organization.

VII. Training and Development

Training is an important aspect of developing internal auditors, and has to be carefully planned in line
with a career developmental programme. There is an entire spectrum of developing people at work that
includes:
• Training—programmes for getting people to learn to do things differently.
• Development—untaught activity to increase/improve performance.
• Education—formal courses to develop knowledge and qualifications.
• Learning—acquiring better skills, knowledge and attitudes.

There are various ways that audit staff may be trained and developed:
1. Specialist skills training via internal or external skills workshops These can be extremely efficient in
terms of auditor development.
2. Professional training This may be based on passing examinations of a defined professional body such
as the Institute of Internal Auditors, which is a completely different form of training from skills-based
courses.
3. The trainingco-ordinator Appointing a training co-ordinator is a positive way of promoting various
training programmes, particularly where the co-ordinator can undertake some of the actual training.
4. Directed reading This is one way of encouraging auditors to research aspects of internal audit. The
department should subscribe to all relevant journals and publications.
5. Training through work Programmed audits enable audit management to ensure auditors are rotated
and exposed to a variety of audits and experiences. It is possible to designate smaller audits as ‘training
audits’ where they form part of the auditors’ personal development programme.
6. The audit review The audit review process enables audit managers and team leaders to direct the work
of junior staff and also provides experience in staff management.
7. Professional affiliations These can be part of continuing professional development (CPD) and
stimulate group discussions.
8. The audit manual This sets out the defined methods and procedures required to discharge the audit
mission.

7 of 7