Fundamentals of Internal Auditing

Agenda
• Overview of Internal Auditing
• Key Components of Internal Audit
• Internal Audit Process
• Workshops / Case Studies

Learning Objectives

At the end of the program, the participants should be able to:
• Understand the basic concepts of internal auditing
• Understand the code of ethics and professional standards governing the internal audit profession
• Identify significant risks and key controls within their organization
• Apply the internal audit concepts in individual engagements

Overview of Internal Auditing
What is Internal Auditing?

Internal Auditing (IIA Definition)
- is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
- It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

The Institute of Internal Auditors

The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

global.theiia.org

The only globally accepted designation for internal auditors and the standard by which individuals demonstrate their professionalism in internal auditing.
Why do organizations perform Internal Audit?

(Diagram: Internal Audit adds value and improves operations in four areas – Strategic, Operating, Compliance and Reporting.)

Core Principles of Internal Auditing

Input
• Demonstrates integrity, competence and due professional care
• Is objective and independent

Process
• Aligns with the strategies, objectives, and risks of the organization
• Is appropriately positioned and adequately resourced
• Demonstrates quality and continuous improvement
• Communicates effectively

Output
• Provides risk-based assurance
• Is insightful, proactive, and future-focused
• Promotes organizational improvement
Purpose, Authority and Responsibility of IA

Formal Charter
• Purpose – Independent, objective assurance and consulting activity designed to add value and improve the organization’s operations.
• Authority – Should be adequately empowered to perform audit engagements.
• Responsibility – Provide assurance and consulting services that will add value and improve the organization’s operations.

Code of Ethics – Integrity, Objectivity, Confidentiality, Competency

Standards
• Attribute Standards
• Performance Standards

Risk-Based Auditing vs Traditional Auditing

Risk-Based Auditing (Part Controls Testing / Part Analytical Review / Part Substantive Testing)
- Dynamic process that links internal auditing to an organization’s overall risk management framework.

Traditional Auditing (Fully Substantive Testing)
- Typical audit work performed by internal auditors which involves verification of transactions, with minimal focus on overall risks related to the audited processes and requirements for risk management.
Risk-Based Auditing Process and Advantages
General Procedures:
1. Assess Risk Maturity
2. Periodic Audit Planning
3. Conducting Individual Engagements
Advantages
- Improved understanding and communication of risks and related
mitigation options
- Facilitates achievement of company requirements for risk
management
- Provides a basis upon which to create contingency plans
- Enhanced information for informed decision-making
IIA Professional Standards

Attribute Standards address the characteristics of organizations and individuals performing internal auditing.
1000 Purpose, authority and responsibility
1100 Independence and objectivity
1200 Proficiency and due professional care
1300 Quality assurance and improvement program

Performance Standards describe the nature of internal auditing and provide quality criteria for measuring performance of services.
2000 Managing the internal audit activity
2100 Nature of work
2200 Engagement planning
2300 Performing the engagement
2400 Communicating results
2500 Monitoring progress
2600 Communicating the acceptance of risks

Internal audit professionals should comply with appropriate Standards.
Code of Ethics (Based on IIA Standards)

Principles that are relevant to the profession and practice of internal auditing:
1. Integrity
2. Objectivity
3. Confidentiality
4. Competency

Rules of conduct that describe behavior or norms expected of internal auditors.

IIA Code of Ethics - Integrity
Internal auditors shall:
• perform their work with honesty, diligence, and responsibility.
• observe the law and make disclosures expected by the law and the profession.
• not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
• respect and contribute to the legitimate and ethical objectives of the organization.
IIA Code of Ethics - Objectivity
Internal auditors shall:
• not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment
• not accept anything that may impair or be presumed to impair their professional judgment
• disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review

IIA Code of Ethics - Confidentiality
Internal auditors shall:
• be prudent in the use and protection of information acquired in the course of their duties
• not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization

IIA Code of Ethics - Competency
Internal auditors shall:
• engage only in those services for which they have the necessary knowledge, skills, and experience.
• perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).
• continually improve their proficiency and the effectiveness and quality of their services.

Internal Audit Manual

The chief audit executive must establish policies and procedures to guide the internal audit activity.
Internal Audit vs External Audit

Internal auditors are independent of the activities they audit. They provide ongoing assurance and consulting activities.

External auditors are independent of the organization, and provide an annual opinion on the financial statements.

• The work of the internal and external auditors should be coordinated for optimal effectiveness and efficiency, and minimize duplication of efforts.
• Internal and external auditors have mutual interests regarding the effectiveness of internal financial controls.
• Both professions adhere to codes of ethics and professional standards set by their respective professional associations.
Key Components of Internal Auditing

Organizational Independence and Objectivity

(Diagram of roles:)
• Oversight – Board / Audit Committee (Board of Directors / Trustees)
• Strategic (Stewardship) – Senior Management
• Operative (Performance) – Operating Management
• Internal Audit – functional reporting line to the Board / Audit Committee; administrative reporting line to Senior Management

Three Lines of Defense Model

Assurance / Consulting

(Diagram: an assurance engagement involves three parties – the auditor, management and a 3rd party; a consulting engagement involves two – the auditor and management.)

Assurance – objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization.

Consulting – advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization’s operations.
Basic Approach in Internal Auditing
Method: Follows a risk-based, process-focused approach

(Diagram: for each process stage – Initiation, Authorization, Recording, Processing, Reporting – the auditor identifies Objectives, Risks and Controls.)

What areas (scope) are covered by Internal Auditing?

Using a disciplined approach, evaluate and contribute to the improvement of the following processes:
a. Governance
b. Risk Management
c. Control
Governance

(Diagram: Stakeholders – Governance – Oversight Board (Board of Directors / Trustees) – Strategic (Stewardship) Senior Management.)

What is Governance?
The combination of people, policies, procedures and processes (including internal control) that help ensure that an entity effectively and efficiently directs its activities toward meeting the objectives of its stakeholders.
Major Components of Governance

• Strategic Direction – determines the business model, overall objectives, approach to risk taking (including the risk appetite) and limits of organizational conduct.
• Oversight – component to which risk management and control activities are most likely to be applied. Elements of oversight are:
  - Risk management activities performed by senior management and risk owners
  - Internal and external assurance activities

What component is internal audit mostly concerned with?

Who has the ultimate responsibility for oversight?
Role of Internal Audit in Governance
The internal audit activity must assess and make appropriate recommendations for improving the organization’s governance processes in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization
• Ensuring effective organizational performance management and accountability
• Communicating risk and control information to appropriate areas of the organization
• Coordinating the activities of and communicating information among the board, internal and external auditors, and management

What is Risk Management?

A process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the company’s objectives. (IIA Definition)

(COSO Enterprise Risk Management – Integrated Framework)
Risk Management Process - Overview

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives.

Risk Management Process
1. Identification
2. Assessment
3. Prioritization
4. Formulate Risk Responses
5. Monitor Risk Responses

(Diagram: Stakeholders – Governance – Risk Management, across the Oversight Board (Board of Directors / Trustees), Strategic (Stewardship) Senior Management and Operative (Performance) Operating Management.)
What is Control?

• Control – any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. (IIA Definition)

(COSO Internal Control – Integrated Framework, 2013)

Control Process - Overview
1. Establishing standards for the operation to be controlled
2. Measuring performance against standards
3. Examining and analyzing deviations
4. Taking corrective action
5. Reappraising the standards based on experience

(Diagram: Stakeholders – Governance – Risk Management – Control, across the Board (Board of Directors), Senior Management and Operative (Performance) Operating Management.)
Types of Primary Controls
• Preventive Controls – deter the occurrence of unwanted events
• Detective Controls – alert the company / personnel after an unwanted event
• Corrective Controls – correct the negative effects of unwanted events
• Directive Controls – cause or encourage the occurrence of a desirable event.

Role of Internal Audit in Control
Evaluate the adequacy and effectiveness of controls in responding to risks within the organization regarding:
• Achievement of strategic objectives
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations
• Safeguarding of assets
• Compliance with internal and external regulations
Internal Audit Process

Agenda
• Developing the Risk-based Internal Audit Plan
• Planning Engagements
• Conducting Engagements
• Developing Credible Audit Observations and Recommendations
• Communicating Results
• Monitoring the Implementation of Audit Recommendations

Internal Audit Framework

(Diagram:)
• Company-wide: Develop the risk-based internal audit plan
• Individual engagements: Planning engagements; Conducting engagements; Communicating observations and recommendations; Monitoring engagements
• Managing the internal audit function
Developing the Risk-Based Internal Audit Plan

Risk-Based Internal Audit Plan

The Chief Audit Executive must establish a risk-based internal audit plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

(IIA Performance Standard 2010)

Basis of Risk-Based Internal Audit Plan
• Audit Universe
• Assessment of Risks and Exposures
• Inputs from Senior Management and the Board
Internal Audit Annual Planning Methodology

Scoping
• Understanding of the organization
• Identification of audit universe and auditable entity

Risk Assessment
• Assessment of risks
• Identification of risks in every auditable entity

Audit Project Identification
• Identification of audit projects based on the risk assessment
• Identification, evaluation and ranking of audit projects

Resource Planning
• Assessment of the appropriateness and sufficiency of internal audit resources

Approval of / Inputs from SM and Board
• Inputs from Senior Management and the Board
• Approval by the Board (Audit Committee) of the risk-based IA annual plan

Understanding the Organization

Understand the environment
- Major functions and responsibilities
- Financial Statements / Financial Information
- Recent challenges, trends, issues facing the organization

Review organizational structure
- Entity structure and reporting lines
- Organizational charts
- Key personnel (Officers, Executives and Staff)

Review strategic plans and objectives
- Mission and Vision
- Long-term and significant initiatives (e.g., Capital Projects, IT Implementation)

Review the information systems environment
- Manual or automated systems
- Information flow within the organization
- Software applications

Interview the key management personnel
- Confirm understanding based on gathered information
- Management may identify areas for increased audit attention
What is an Audit Universe?
• The Audit Universe includes all units, processes, or operations (Audit Entity / Area) that can be defined and evaluated.
• They include accounts, divisions, functions, procedures, products, systems and other possibilities.
• Many entity operations and functions (vital functions) are audited periodically / cyclically.
Key Considerations for Identification of Audit Entities / Areas

Area – Related Information
• Background – The audit entity / area and its structure, goals, products or services, environment and stakeholders.
• Objectives – The audit entity’s / area’s expected accomplishments or contributions.
• Activities – The principal tasks that the audit entity / area unit performs or administers to accomplish its objectives.
• Outputs – The products, goods or services that are produced or directly controlled by the audit entity / areas and distributed inside and outside the department.
• Expected Results – The intended accomplishments or longer term outcomes of the audit entity, expressed in quantitative or qualitative terms.
• Resources – The authorized operating, capital, transfer payment and salary devoted to the audit entity.
Sample Template on the Identification of Audit Entities / Audit Areas

Template columns: Audit Entity / Area; Materiality / Values Involved; Nature of Accounts Involved / Level of Existing Controls; Complex Systems / Transactions / High Volume of Transactions; Implementation / Adoption of New Processes and Significant Economic, Accounting & Other Developments; Months / Year last audited / Results of the last audit, if audited.

Sample entry 1
• Audit Entity / Area: Audit Entity – Operations; Audit Area – Micro / SME Loans Process
• Materiality / Values Involved: Total Micro Loans for the year ended December 31, 2017 – P150 million; Total SME Loans for the year ended December 31, 2017 – P100 million
• Nature of Accounts Involved / Level of Existing Controls: Entity-Level and Process-Level Controls
• Complex Systems / Transactions / High Volume of Transactions: Involves significant amount and volume of transactions; Loan transactions involve different levels of approvals and complex computation for each type of loan
• Implementation / Adoption of New Processes and Significant Developments: Recent changes in the ARDCI Microfinance System; New Operation and Branch Heads during 2017
• Months / Year last audited / Results of the last audit: With previous audit report released on December 2016 / Negative observations were noted in the previous audit

Sample entry 2
• Audit Entity / Area: Audit Entity – Finance; Audit Area – Disbursements
• Materiality / Values Involved: Total Disbursements for the year 2017 – P170 million
• Nature of Accounts Involved / Level of Existing Controls: Payables / Process Level Controls
• Complex Systems / Transactions / High Volume of Transactions: Involves significant amount and volume of transactions; Involves various types of disbursements with different processes
• Implementation / Adoption of New Processes and Significant Developments: No known change from previous year
• Months / Year last audited / Results of the last audit: With previous audit report released on September 2014 / Negative observations were noted in the previous audit
Sample Risk Assessment Template

Template columns: Audit Project Title; Main Audit Client/s; Auditable Risk (Gen. Risk Category - Significant Risk); Risk Evaluation (Impact, Likelihood, Risk Values, Overall Risk Rating); Relevant Values; Priority Considerations; Start Month; End Month; Nature of Proposed Audit Focus.

Sample General Risk Categories and Auditable Risks

Financial
• Over budget
• Fictitious transactions
• Overpayment
• Excessive costs
• Improper reporting

Operational
• Operational failure
• Delayed attainment of objectives
• Non-attainment of objectives
• Overspending

Compliance
• Non-compliance with internal policy
• Non-compliance with laws
• Non-compliance with regulations

Security
• Asset protection
• Hacking
• Data / Information
• System breach
• Personnel

Fraud
• Kickbacks
• Cash Embezzlement
• Padding
• Diversion of resources
• Financial reporting fraud

Service Quality
• Sub-standard
• Late delivery
• Under delivery
• Poor maintenance

Reputation
• Bad publicity
• Mass action
• Massive complaints
Risk Analysis - Likelihood

Likelihood – Description
5 Almost Certain – Strong evidence to suggest high probability of occurrence in the near term
4 Likely – Some evidence to suggest expected occurrence in the near term
3 Possible – Possible; has occurred before, and some indications to suggest possibility of re-occurrence in the near term
2 Unlikely – Conceivable but no indications or evidence to suggest occurrence in the near term
1 Improbable – Remote and not conceivable; has not occurred before

Risk Matrix (Likelihood against Consequence or Impact)

Likelihood \ Impact: Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Extreme (5)
Almost Certain (5): H (5) | H (10) | C (15) | C (20) | C (25)
Likely (4): M (4) | H (8) | H (12) | C (16) | C (20)
Possible (3): L (3) | M (6) | H (9) | C (12) | C (15)
Unlikely (2): L (2) | L (4) | M (6) | H (8) | C (10)
Improbable (1): L (1) | L (2) | M (3) | H (4) | H (5)

(The number in each cell is likelihood multiplied by impact; the letter is the rating band, L, M, H or C, read from the matrix rather than from the number alone.)

Priority Considerations and Audit Focus

Sample Priority Considerations
1 – Annual review is required by policy or regulation
2 – High overall risk rating
3 – High value at risk
4 – Area not yet audited
5 – Recent re-organizations and changes in the systems and processes

Sample Audit Focus
1 – Prevention of fraud
2 – Controls over accounting and financial reporting
3 – Reliability of managerial and operational information
4 – Economical acquisition and use of resources
5 – Attainment of programs, plans and objectives
6 – Quality of service and continuous improvement
7 – Compliance with policies, procedures, laws and regulations

Sample Risk Assessment Template

Template columns: Audit Project Title; Main Audit Client/s; Auditable Risk (Gen. Risk Category - Significant Risk); Risk Evaluation (Impact, Likelihood, Risk Values, Overall Risk Rating); Relevant Values; Priority Considerations; Start Month; End Month; Nature of Proposed Audit Focus.

Sample entry
• Audit Project Title: Review of Processes and Controls over Micro and SME Loans
• Main Audit Client/s: Operations
• Auditable Risk (Gen. Risk Category - Significant Risk):
  - Operational – Failure; Delayed / non-attainment of objectives / plans
  - Financial – Fictitious transactions; Improper Reporting
  - Fraud – Kickbacks; Cash Embezzlement
  - Compliance – Policies and procedures; Laws; Regulations
• Risk Evaluation: Impact 4; Likelihood 4; Risk Value 16; Overall Risk Rating C
• Relevant Values: P250 million Micro and SME Loans
• Priority Considerations: High overall risk rating; High value at risk; Recent re-organizations and changes in the systems and processes
• Start Month: April; End Month: June
• Nature of Proposed Audit Focus: Prevention of fraud; Controls over accounting and financial reporting; Attainment of programs, plans and objectives; Quality of service and continuous improvement; Compliance with policies, procedures, laws and regulations

Sample Template – Priority List of Audit Projects

Template columns: 2018 Internal Audit Plan (Audit Projects); Main Client/s; Auditable Risks; Audit Timing (Start Month, End Month); Staff Assigned.

Sample entry
• 1 – Review of Processes and Controls over Micro and SME Loans
• Main Client/s: Operations
• Auditable Risks: Operational; Financial; Fraud; Service Quality; Compliance
• Audit Timing: April to June
• Staff Assigned: Auditor 1 / Auditor 2
Practice Question – Risk-Based Audit Plan
The Chief Audit Executive uses the risk assessment model to establish the internal audit plan. Which of the following CAE’s actions would be appropriate?

• Maintain ongoing dialogue with management and the audit committee
(Ongoing consultation is a way for the internal audit activity to be up to date to new information, strategies and emerging risks.)
• Ensure that the schedule of audit priorities remains unchanged
(The schedule of audit priorities is not fixed.)
• Employ only quantitative methods to determine risk weightings
(Risk should be assessed in terms of impact and likelihood.)
• Revise the risk assessment and audit priorities as warranted
(Audit priorities should be revised if there are substantial changes in the risk assessment.)
Resource Planning
• The Chief Audit Executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

(IIA Performance Standard 2030)

• Resources include employees, service providers, financial support and IT-based audit software / applications.

Approval of / Inputs from Senior Management and the Board
• The Chief Audit Executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval.

The Chief Audit Executive must also communicate the impact of resource limitations.

(IIA Performance Standard 2020)

Planning Engagements

(Process flow:)
1. Select the engagement
2. Conduct Preliminary Survey
3. Develop audit plan
4. Develop audit program
5. Conduct entrance meeting / conference
Internal Audit Engagements - Assurance

• Financial Assurance

• Compliance Assurance

• Operational Assurance

• IT Assurance
Internal Audit Engagements - Assurance

(Diagram: IT Auditing shown together with Financial Audit, Compliance Audit and Operational Audit.)
Internal Audit Engagements - Consulting

• Formal Consulting

• Informal Consulting

• Special Consulting

• Emergency Consulting
Developing a Documented Audit Plan
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing and resource allocations.
(IIA Performance Standard 2200)
• Objectives
• Criteria / Background
• Scope
• Transactions Covered
Components of Preliminary Survey

• Input from the engagement client

• Policies and Procedures

• Analytical Procedures

• Interviews and walkthroughs

• Prior audit reports and relevant


documentations

• Process Mapping

• Checklists
Preliminary survey
• Identifying controls, and specifically key controls, is a judgmental process.
• Not all steps in the process are controls or key controls.
• Effectively designed processes should have a good mix of control activities.

(Diagram – Control activities:)
- Authorization and approval controls
- Supervisory controls
- Physical and security controls
- Verification controls
- Reconciling controls
- Processing controls
Analytical Procedures
Analyzing relationships among items of financial and non-financial information

• Ratio and Trend Analysis
• Reasonableness Tests
• Period-to-Period Comparisons
• Comparisons with budgets, forecasts, and other reports
Develop the Audit Plan

Component – Sample Statements

Objectives
The objectives of the audit are to assess whether:
1. Micro and SME Loans are:
   a. properly authorized, valid and adequately supported; and,
   b. properly recorded in the Company’s books and reported in the Financial Statements.
2. Internal controls over the loan process are adequate and effective; and,
3. Policies and procedures over Micro and SME loans are existing and complied with.

Criteria / Background
Sample information to be included in this area follows:
1. Policies and procedures over Micro and SME Loans
2. Loan Balances as of the cut-off period
3. Organizational units involved and related functions and responsibilities

Transactions Covered
All Micro and SME Loans from January 1 to December 31, 2017

Scope
1. Review of the validity of transactions pertaining to Micro and SME Loans
2. Review of compliance with policies, procedures, laws and regulations
3. Assessment of the adequacy and effectiveness of internal controls over loans processing, including IT Environment and controls
Identification of Specific Objectives, Risks and Controls

Template columns: Objective; Initiation; Authorization; Processing; Recording; Reporting; Risks; Controls.

Objective: Propriety and validity of Micro and SME Loans
• Initiation – To determine whether Micro and SME loans are properly supported by complete requirements
• Authorization – To check whether loans are properly approved by appropriate authority based on established levels; To determine whether a credit investigation and cash flow analysis are conducted prior to endorsement for loan approval
• Processing – To determine whether loans are processed and released based on established guidelines, policies and procedures pertaining to loans
• Recording – To check whether new loans and loan amortizations are properly recorded in the Company’s books
• Reporting – To determine whether loan balances are accurately reported in the Financial Statements; To check whether internal reports are prepared, reviewed and communicated to concerned units
• Risks – Invalid Micro and SME Loans; Lack of supporting loan documents; Improperly approved loans
• Controls – The CDO / CED reviews and approves Micro and SME loans for completeness of supporting documents, performance of credit investigation and cash flow analysis.

Other objectives listed in the template: Adequacy of, and compliance with policies, procedures, laws, regulations; Adequacy and effectiveness of internal controls.
Audit Work Program
Internal auditors must develop and document work programs that achieve the engagement objectives.

(IIA Performance Standard 2240)

Sample Audit Work Program

Template columns: Objective; Controls; Nature; Timing; Extent; Procedures.

Objective: Propriety and validity of Micro and SME Loans
• Controls – All loans should be properly approved based on established levels.
• Nature – Inspection
• Timing – As needed
• Extent – Samples for Micro and SME Loans will be 10% of the total loans for the period January 1 to December 31, 2017, to be determined statistically
• Procedures – What is the procedure to be performed?

Other objectives listed in the template: Adequacy of, and compliance with policies, procedures, laws, regulations; Adequacy and effectiveness of internal controls.
Conduct Entrance Meeting / Conference

• Engagement objectives

• Scope

• Timing of work

• IA Team’s and
Management’s concerns and
requests
Conducting Engagements

Conduct Fieldwork
Fieldwork is the process of collecting, analyzing, interpreting and documenting information on matters related to the audit objectives and scope.

The objective is to obtain sufficient, competent, relevant, and useful information to provide a sound basis for audit observations and recommendations.

Conducting the Engagement

Gather information
- Interviews, walkthroughs and observation
- Data analysis / Analytical review
- Questionnaires

Execute Audit Program
- Perform audit procedures
- Assess the design and operating effectiveness of controls
- Obtain evidence
- Document observations
- Formulate recommendations

- Supervise the Audit
- Prepare working papers
- Constant communication with audit client during fieldwork

Test Plan for Control Design
(Process cycle:)
1. Review process documentation
2. Walkthrough the process
3. Document and confirm walkthrough
4. Observe and obtain evidence
5. Identify and summarize design gaps and weaknesses

Test Plan for Control Operating Effectiveness
(Process cycle:)
1. Design your testing strategy (sampling and testing procedures)
2. Select and document procedures to be done
3. Perform and document testing, including evidences
4. Conclude on the effectiveness of controls

Nature, Timing and Extent

Nature – What type of testing will we perform? (Re-performance, Inspection, Observation, Inquiry)
Timing – When and how many times is the control performed?
Extent – Do we test 100% or a sample? How many?
Working Papers
Working Papers facilitate supervision of the engagement.

• Serve as a means of communication between internal auditors and auditor-in-charge / managers.
• Ensure that all necessary procedures are performed.

Developing Audit Observations and Recommendations

Basic Concept of Audit Observation
• Audit observations result from a process that compares an existing condition against established criteria. Audit observations are the basis for conclusions and recommendations.
• Recommendation is the action required to address the root cause of an audit observation.

(Diagram: Criteria vs. Existing condition – Gap – Audit Observation – Recommendation)
Characteristics of a Well-developed Audit
Observation

• Material / Significant

• Objective

• Accurate
• Supported by sufficient and
appropriate evidence
• Logical and reasonable

• Convincing
Main Attributes of an Audit Observation (5Cs)

Criteria – What should be?
Condition – What is happening?
Cause – Why did this happen (root cause)?
Consequence (Effect) – So what (consequences, impact)?
Corrective Action – What should be done?

Examples

Criteria
• Internal policies, procedures and manual
• Best business practices
• Accounting standards
• Performance goals or targets
• Industry norms and normal operating practices
• Technical analysis
• Independent opinion of subject matter experts

Condition
• Insufficient and ineffective procedures
• Lack of training and resources
• Unfamiliarity with the business processes
• Improper implementation and delayed completion
• Deviation from policies and procedures
• Negligence / carelessness
• Inadequate monitoring over the processes

Consequence
• Wastage of resources
• Loss of Company funds
• Non-attainment of objectives
• Loss of potential income
• Violation of external laws and regulations
• Monetary penalties and sanctions
• Lowered employee morale
Root Cause Analysis
• Identification of why an issue occurred versus only identifying or reporting on the issue itself.
• Internal audit can be the ideal group to analyze issues given their independence and objectivity.

(Diagram: ask "Why?" five times to reach the Root Cause.)

Root Cause Analysis - Example

The worker fell.
Because of oil on the floor.
Because of a broken machine part.
Because the part keeps falling from machine.
Because of changes in the procurement practices.

Objectives of 5Cs

Inform
• Criteria
• Condition

Convince / Persuade
• Consequence / Effect
• Cause

Get Results
• Corrective Action
Sample Audit Observation

• Criteria: Company policy requires a project manager’s continuous monitoring of capital expenditures over P3 million and officer approval of change orders.

• Condition: Capital Expenditures of P6 million for the building project were not monitored and change orders were not approved.

• Cause: There is no project manager monitoring the building project.

• Consequence: The building project was over budget by 30% and change orders were excessive.

• Corrective Action: The VP for Project Management should establish a process to ensure a project manager for capital expenditures over P3 million is appointed. Moreover, the VP should require written approval of all project plans and change orders.

Sample Risk Rating of Audit Observations

Risk Level Definitions Concerning Processes and Controls, and Custodianship and Accountability. Each level may involve any of the following:

High
  Processes and Controls:
  • Significant control weakness which may result in potential fraud or significant losses, or misleading financial results
  • Substantial non-compliance with policies and procedures
  • Significant impact on internal work processes which may cause major disruptions in operations
  Custodianship and Accountability:
  • Neglect of custodial responsibilities resulting in potential fraud or significant losses
  • Substantial non-compliance with policies and procedures
  • May entail risk of possible lawsuits against the Company
  This requires immediate action by management.

Medium
  Processes and Controls:
  • Control weakness which may result in potential losses or may cause inefficiencies in operations
  • Several instances of non-compliance with policies and procedures
  Custodianship and Accountability:
  • Neglect of custodial responsibilities / employee misconduct which may result in potential losses
  • Several instances of non-compliance with policies and procedures
  This should be included in management’s action plan for the next six months.

Low
  Processes and Controls:
  • Omission of certain processes causing minimal impact on operations
  • Rare instances of non-compliance with policies and procedures
  • Least potential for fraud or losses
  Custodianship and Accountability:
  • Omission of minor documentation / procedures
  • Rare instances of non-compliance with policies and procedures
  • Least potential for fraud or losses
  This should be included in the business / support unit’s action plan for the next 12 months.

Levels of Persuasiveness of Evidence (most to least persuasive)

• Physical Examination
• Observation
• Third-Party
• Audit Client

Qualities of Information / Evidence

• Sufficient
• Reliable
• Relevant
• Useful

Best Practices – Formulating and Documenting Audit Evidence and Observation

• State the nature of the problem clearly and exactly.

• Avoid generalities and extreme language while formulating the findings (e.g. inadequate, some, few, many, sometimes, occasionally, insufficient or careless, terrible, dangerous, intentional, incompetent).

• Be specific and confirm that the audit evidence fully supports the observations.

• Do not focus criticism on individuals or their mistakes.

Best Practices – Formulating and Documenting Audit Evidence and Observation

• Confirm audit observations with the audit clients.

• Options should be exhausted to resolve any difference in opinion concerning audit observations.

Conceptual Application of Recommendations

Action plans establish accountability. They include:

• What action has been or will be taken?

• Who will be responsible for the action?

• When will the action be implemented?

Writing Recommendations

• Should address or be responsive to the ROOT CAUSE of audit observations and capable of correcting the deficiency

• Reasonable, feasible, action oriented

• Specific and helpful as possible, not simply a suggestion to comply or strengthen controls, etc.

• Addressed to personnel who can implement actions

• Benefits should outweigh the costs

Writing Recommendations

Internal auditors should avoid general recommendations such as:

• Controls should be strengthened

• Additional efforts should be exerted

• Steps should be taken to comply

Sample Application of Recommendations (decision flow)

Does the company have a control, policies and procedures which should detect or prevent the inefficient or ineffective practice?

• Yes → Is it a one time failure?
    • Yes → Is it worth fixing? (Cost-benefit)
        • Yes → Recommend to fix the individual instance, if possible
    • No → Is it a system weakness?
        • Yes → Recommend fixing the system

• No → What are the alternatives to detect/prevent the inefficient / ineffective practice?
    → Is it worth instituting a system?
        • Yes → Recommend instituting a system of internal control
        • No → Recommend to fix the individual instance, if possible

Communicating Results

Audit Communication Framework

The framework is a cycle of four activities:

1. Audit Communication Planning
2. Developing Preliminary and Final Reports
3. Delivering Audit Reports
4. Monitoring Results of Reports

It applies at three levels: the company-wide overall report, individual engagements, and managing the internal audit function.

Main Components of an Audit Report

• Objectives
    • Purpose
    • Background
• Scope
    • Period Covered
    • Scope
    • Internal Policies and Procedures / Criteria
    • General Audit Procedures, including Sampling Methods
• Executive Summary
    • Overall Conclusion or Opinion
• Results / Conclusion
    • Positive Observations
    • Details of Negative Audit Observations (Criteria, Condition, Cause, Effects)
    • Recommendations
    • Action Plans (Management Response)

Conduct Exit Conference

• Operating management – to convince / persuade

• Executive / Senior management – to inform

• Board – to assure

Monitoring and Reporting

Monitor Progress
• Monitor implementation of audit recommendations
• Consider impact of status to risk assessment
• Client satisfaction survey

Develop the Annual Report
• Monitor business units audited
• Periodic reports: monthly, quarterly, annual

Other Topics

Use active voice instead of passive voice

| Examples | Recommended Wording |
|---|---|
| Events are being performed manually by users | Users perform manual procedures |
| The handling of collections performed by the department | The department handles collections |
| Reconciliations of suspense accounts are performed by the supervisor | The supervisor reconciles suspense accounts |
| A management review will be completed of the account | The manager will review the account |
| Performance evaluations have been received by staff | Staff have received performance evaluations |

Avoid using drawn out verbs

| Examples | Recommended Wording |
|---|---|
| Ensure the implementation of | Implement |
| Perform a verification of | Verify |
| Make an adjustment to | Adjust |
| Conduct an analysis of | Analyze |
| Do a review of | Review |
| Perform testing of | Test |
| Perform a reconciliation of | Reconcile |

Avoid using filler phrases

Examples (recommended wording: delete these filler phrases):

• During our review
• It was noted
• Review of . . . disclosed
• It was determined that
• This is to inform you that
• There is potential . . . could . . .
• Develop and implement procedures to ensure that . . .
• It is understood that

Avoid using redundant modifiers

| Examples | Recommended Wording |
|---|---|
| Current tools that are available in the system | System tools |
| Support functions that would be of assistance to users | Support functions |
| In the month of June | In June |
| On a daily basis | Daily |
| A wide variety of processing steps | Many steps |
| Charges that resulted from these transactions | Charges resulting from these transactions |
| Competent and responsible personnel from outside the organization | Independent, experienced personnel |

Use concrete and precise words instead of empty words

Examples of empty words (recommended wording: auditors should use concrete and precise words instead of empty words):

• Enhance controls
• Improve efficiencies
• Used to its full advantage
• Appropriate
• Improvement is needed
• It appears that
• Areas requiring attention
• Ensure appropriateness
• Some issues
• Generally adequate
• Inefficient
• Several

Avoid overstated language

| Examples | Recommended Wording |
|---|---|
| Utilization | Use |
| Additionally | Also |
| Due to the fact that | Because |
| In order to | To |
| Formal written procedures | Written procedures |
| By means of | By; through |
| At this point in time | Now |
| Sufficient to provide reasonable assurance that | Sufficient |

Avoid repetition in sentences

| Examples | Recommended Wording |
|---|---|
| Our test of expense reports revealed that expense reports contained exceptions. | Expense reports contained exceptions. |
| Supporting documentation was not attached to support expenses. | Supporting documentation was not attached. |
| Procedures are in place to prioritize program changes and properly monitor program changes. | Procedures are in place to prioritize and monitor program changes. |

“Deadly Internal Audit Sins”*
1. Publishing an erroneous report

2. Submitting incomplete / false working papers

3. Losing your temper with a client

4. Auditing with an “agenda”

5. Betraying a bond of confidentiality

6. Violating company policies

7. Issuing internal audit reports that are petty or don’t add value

* Based on the article entitled “Deadly Internal Audit Sins”, by Richard F. Chambers – President and
CEO of IIA
Things Not to Say in an Audit Report*
1. Don’t say “Management should consider…”
2. Don’t use “weasel words”
3. Use “intensifiers” sparingly
4. The problem is rarely “universal”
5. Avoid the “blame game”
6. “Auditee” is old school
7. Don’t say “Management failed…”
8. Avoid unnecessary technical jargon
9. Avoid taking all the credit

* Based on the article titled “Ten Things Not to Say in an Audit Report”, by Richard F. Chambers –
President and CEO of IIA
Questions?
Thank you!
