An Internal Audit Service Catalogue


Connect Support Advance

Whitepaper

Internal Audit
Service Catalogue
Updated 2022

Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E [email protected] www.iia.org.au

© 2022 - The Institute of Internal Auditors - Australia


Contents
Background
- Purpose
- Background
Discussion
- Issue
- Discussion
- Possible Service Offerings
Conclusion
- How to proceed
- Summary
- Conclusion
Bibliography and References
Purpose of White Papers
Author’s Biography
About the Institute of Internal Auditors–Australia
Copyright
Disclaimer

Background

Purpose
The purpose of this White Paper is to identify ways in which Internal Audit can move from a largely one-dimensional approach to the service it delivers, to an approach offering more dynamic and flexible service offerings to the Audit Committee and management.

Background
The evolution of Internal Audit outlined in the table on the following page shows how internal audit work has evolved over time.

Internal auditors who have a lengthy career with internal auditing can generally identify points in time when the focus and emphasis of internal audit activities changed. This was often over a period of time, for example the ‘assurance versus consulting’ debate that occurred in the 1990s and resulted in the ‘Definition of Internal Auditing’ being changed to:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Source: ‘International Professional Practices Framework’ issued by the Institute of Internal Auditors.

This change reflected two important elements:
› Acceptance that Internal Audit could in fact provide both assurance and consulting (advisory) services.
› The scope of internal audit work had broadened from pure controls to risk management, control and governance.

At the time, this philosophy was hotly debated (and still is in some circles), but it is indisputable the mantra of modern management is that Internal Audit is there to do more than just confirm compliance and tell management what they already know.

These days, Audit Committees and management are seeking a lot more value from Internal Audit, with a view to improving the business. After all, Internal Audit works for the organisation and should have a keen interest in seeing it do well.

Evolution of Internal Audit

| Features | Checking | Compliance | System-based | Risk-based | Partnership | Value-based |
| --- | --- | --- | --- | --- | --- | --- |
|  | Up to 1960s | 1960s – 1980s | 1980s – 1990s | 1990s – 2010s | 2010s – | Emerging |
| Independence | Independent of activities audited | Independent of activities audited | Independent of activities audited | Independent of activities audited | Independent of activities audited | Independent of activities audited |
| Serving | Finance | Finance | Finance / Business units | Business units | Organisation | Organisation |
| Reporting to | Generally CFO | Generally CFO | Generally CFO | Emerged to CEO and then Audit Committee reporting | Audit Committee for operations / CEO for administration | Audit Committee for operations / CEO for administration |
| Objective | Assurance | Assurance | Assurance | Assurance | Assurance and advisory / Value-adding | Assurance and advisory / Value-adding / Proactive / Offer insights / Key agent of change |
| Focus | Historical | Historical | Historical | Historical | Forward-looking | Forward-looking / Insights |
| Coverage | Controls | Controls | Controls | Controls | Governance / Risk management / Controls | Governance / Risk management / Controls |
| Outcome | Detect mistakes | Detect mistakes | Improve controls | Improve business unit controls | Improve business units | Improve organisation / Actively seek innovation / Help organisation achieve strategic intent |
| Fraud focus | Detect fraud | Detect fraud | Detect fraud | Detect fraud | Prevent fraud | Prevent fraud |
| Reports go to | Management | Management | Management | Management / emerged to Audit Committee | Management and Audit Committee | Management and Audit Committee |
| Standards | No | Internal Audit Standards in 1978 | Internal Audit Standards | Internal Audit Standards | Internal Audit Standards | Internal Audit Standards |
| Resourcing | In-house | In-house | In-house | In-house / Emerged to co-sourced | Co-sourced / Subject matter experts and guest auditors | Co-sourced / Subject matter experts and guest auditors |
| Staff qualifications | Financial | Financial | Financial | Financial | Some non-financial disciplines | Many non-financial disciplines |
| Planning | Cyclical annual plan | Cyclical annual plan | Cyclical 5-year plan | Risk-based 3-year plan | Risk-based 3-year or annual plan | Risk-based rolling plan |
| Audit types | Compliance | Compliance | System | Operational | Integrated | Service catalogue |
| Management requested services | No | No | No | Some | Yes | Yes - many |

Discussion

Issue
The issue to be discussed is:

How can Internal Audit offer more dynamic and flexible service offerings to the Audit Committee and management?

Discussion
Internal Audit generally performs internal audit engagements derived from the organisation’s higher risk areas matched to available internal audit resources. Over time the scope of services has expanded, with Internal Audit functions offering additional services such as advisory services and management requested services.

Internal Audit has the ability to offer a comprehensive range of services which could be contained in an internal audit service catalogue. It is reasoned a range of services can better serve an organisation, while spreading the internal audit budget and resources further.

Examples of elements which could comprise an internal audit service catalogue are described below, followed by a table showing the features of various service offerings. However, it should be noted the decision on whether to deploy a particular service should rest with the Chief Audit Executive in consultation with the Audit Committee.

The Chief Audit Executive should periodically report to the Audit Committee the types of services provided to the organisation and how these added value.

Possible Service Offerings

Internal audit engagements
An internal audit engagement is the traditional method used to perform internal audit work. The objective is to assess evidence and provide an independent opinion on the quality and effectiveness of risk management, control and governance processes of the area being audited. Engagements are performed in phases – planning, fieldwork and reporting.

Operational audits should generally be performed as they offer greater value than a simple compliance or finance audit. An operational audit will cover a wider range and include efficiency, effectiveness, economy and ethics of the area being audited.

These are often ‘deep dive’ audits.

Acquisition assurance
Internal Audit can provide input to the due diligence process when an acquisition is being considered. This may include such things as assisting with:
› Investigation of material future matters.
› Examination to help answer key questions such as – how to buy, how to structure, and how much to pay.
› Investigation of the company policies, processes and practices.
› Examination to assist an acquisition decision through valuation and shareholder value analysis.

Assurance advisory services
Management may request Internal Audit to provide assurance advisory services. This service differs from traditional internal audit engagements and may involve advisory work around governance, risk management and control matters.

Management requested services
Internal Audit can offer ‘on request’ services by way of management requested reviews in areas where business issues may occur or emerging risks arise.

Internal Audit attempts to satisfy these requests, subject to the assessed level of risk, availability of resources, and endorsement of the Audit Committee.

Business unit control advisory
Management may request Internal Audit to perform a review of their business unit controls to assure their control environment is operating effectively and risks are being mitigated. The reviews are designed to encompass business unit activities, with special attention on higher risk activities.

The report includes gap analysis, with the output being an improvement roadmap to strengthen the control environment where opportunities are identified.

Health checks
Management may request Internal Audit to perform a quick health check of a part of their business unit.

The idea is to quickly evaluate the health of the area reviewed to assess the state of its governance, risk and control environment.

They may also be called pulse audits.

Multi-stage audits
Internal Audit can have a role in relation to projects and major business initiatives where there are often major organisation risks, for example ICT projects but also infrastructure and construction projects.

One method used successfully in organisations is the concept of multi-stage audits. These can be a valuable assurance tool, especially for auditing projects and business improvement initiatives which will be planned and implemented over a period of time. The idea is that Internal Audit can provide assurance by adopting a life cycle audit approach through ‘short and sharp’ audits at key stages.

This provides immediate feedback as the implementation progresses and any areas requiring remedial action can be addressed at the time. It is widely acknowledged this approach is cost-effective, provides added assurance, improves outcomes, and reduces later rework compared with the alternative, which is a post-implementation audit some time after completion.

Project assurance
Internal Audit can provide assurance services for major projects to:
› Provide an independent assurance link between a project and the steering committee.
› Review governance arrangements from project inception to completion.
› Provide reports over the life of a project to report and highlight the quality of governance arrangements.
› Recommend improvements where identified.

Project assurance work generally focuses on effectiveness of governance, risk management, scope, schedule, cost, quality, and artefact alignment to the project management methodology.

It is good practice for the Chief Audit Executive to periodically attend key board or executive committee meetings as an observer, and report on significant insights to the Audit Committee.

Procurement advisory
Procurement processes must be fair, open, transparent to all parties, and be defensible. Internal Audit can provide procurement advisory and integrity services through the life of major procurement activities to assure:
› Compliance with laws and policies.
› Effective management of conflicts of interest.
› Fairness and impartiality.
› Security and confidentiality.
› Open and competitive procurement process.
› Accountability – consistency and transparency of the procurement process.
› Proactive mitigation of probity risks.

The Internal Audit role may be as:
› Probity advisor – Advise the client, but not third parties unless specifically authorised.
› Probity auditor – Advise the client principally, but may also provide advice to third parties.

Preliminary reviews
Business unit management may seek ways to reduce risk in their activities. Where internal audit resources may be limited or a detailed audit is not required at the time, Internal Audit can perform a preliminary review.

This would be a quick review of key business unit or program elements. It is not designed to be a comprehensive audit, rather an independent review to work in partnership with management to review risks and controls, then provide a brief improvement roadmap and recommendations for improvement.

Generally the results would not be reported to the Audit Committee at the time. Later, Internal Audit would return and perform a more detailed audit to follow up progress and effectiveness of implementation of recommendations. These results would then be reported to the Audit Committee.

One week reviews
With limited resources, Internal Audit cannot cover every part of the organisation with a traditional internal audit engagement approach. What can be done is to offer a limited assurance service through one week reviews.

These reviews seek to provide high level assurance through a ‘short and sharp’ review of a business area. They may take a few days to complete, with planning and reporting taking the elapsed time to one week.

Reviews of this nature do not profess to be as evidence-based as an internal audit engagement. What they seek to provide is a snapshot of risks and controls in a business area, together with improvement suggestions.

Risk and control improvement facilitation
When requested, Internal Audit can form a partnership with management to assist with risk and control improvement over business activities. This may include:
› Becoming a non-voting adviser to steering committees.
› Providing expert advice to assure activities adequately consider risks and controls.
› Facilitating workshops of key stakeholders to actively review and improve risks and controls.
› Preparing summary reports of activities and effectiveness of controls to manage risk.

Control self-assessment (CSA)
CSA is a technique that allows managers and work teams to participate in assessing their risk management and control processes. In its various formats CSA can cover objectives, risks, controls and processes.

The first CSA step is to document control processes with the aim of identifying suitable ways of measuring or testing each control. The actual testing of the controls is performed by the people whose day-to-day role is within the area being examined, as they have the greatest knowledge of how the processes operate.

The two common techniques for performing the evaluations are:
› Workshops that may be independently facilitated and involve staff from the business unit being tested.
› Surveys or questionnaires completed independently by staff.

Both approaches differ from formal audits where the auditors, not the business unit staff, perform the assessment.

On completion of the assessment, each control may be rated based on the responses received, to determine the probability of its failure and the impact if a failure occurred. These ratings can be mapped to produce a heat-map showing potential areas of vulnerability.

Continuous auditing
Processes subject to continuous auditing are generally the more stable and mature controls within the business, with sufficient data transactions to make the continuous audit investment worthwhile. Automating data analysis in the form of continuous auditing brings benefits including:
› Improved financial and operating controls.
› Rapid decision-making and business improvement.
› Real-time response to real-time issues.
› Implementing automated detective controls.

As Internal Audit becomes embedded within an organisation, projects may be scoped to consider introduction of continuous auditing for corporate and operational ICT systems. This initiative has potential to reduce the internal audit footprint for business units, while delivering greater audit coverage and providing timely exception reporting. It should ideally commence with a pilot project, after which a full roll-out over time could be considered.

Forensic and fraud reviews
A forensic review is different to an audit in that it is a detailed and focused examination of an issue or issues.

It is a specialty practice area that deals with actual or anticipated disputes or litigation. ‘Forensic’ means ‘suitable for use in a court of law’, and it is to that standard and potential outcome that forensic reviews are performed.

In most organisations, forensic reviews will be initiated in response to allegations of fraud or corruption. Categories of financial forensic engagements may include:
› Fraud and corruption.
› Economic damages calculations, whether suffered through tort or breach of contract.
› Post-acquisition disputes such as breaches of warranties.
› Bankruptcy, insolvency and reorganisation.
› Securities fraud.
› Tax fraud.
› Money laundering.
› Business valuation.
› Computer forensics.

Subsidiary assurance monitoring
There are two elements to the control environment:
› The organisation itself.
› The organisation’s subsidiaries and investments, where these exist.

Risk-based assurance may be extended to subsidiaries to provide independent assurance in addition to their internal sources of assurance.

The extent of potential internal audit coverage would vary according to the risk profile of a subsidiary. For example, if a subsidiary’s assurance environment is demonstrated to be strong, less secondary assurance from Internal Audit is likely to be necessary. Likewise, if the assurance environment is demonstrated to be weak, it may be necessary for greater Internal Audit involvement with a subsidiary.

Special audits
From time-to-time, the Board of Directors, Audit Committee, Chief Executive Officer or Executive Management may request Internal Audit to perform a special audit at a subsidiary.

A special audit is a limited scope examination of financial records or other information designed to investigate allegations of fraud, theft or misappropriation of funds. It may also seek to quantify the extent of losses.

Special audits are needed when it is suspected that laws or regulations have been violated in the financial management of an organisation. In conjunction with investigating violations, audits can be performed pertaining to duties, authorisations, responsibilities and controls.

Example Internal Audit Service Catalogue

| Service Offerings | Service Type | Source | Elapsed Timeframe | Persuasive Evidence* | Opinion | Deliverable | Internal Audit Monitor Action Plans |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Internal audit engagements | Assurance | Internal Audit | 90 days | Yes | Yes | Report | Yes |
| Acquisition assurance | Assurance | Internal Audit / on request | 60 days | Yes | Yes | Report | Yes |
| Assurance advisory services | Advisory | On request | Quick | Yes | No | Brief report | No |
| Management requested services | Assurance / Advisory | On request | Various | Yes | Yes / No | Report | Yes / No |
| Business unit control advisory | Advisory | On request | Quick | Yes | No | Brief report | No |
| Health checks | Assurance | Internal Audit / on request | Quick | Yes | Yes | Brief report | Yes |
| Multi-stage audits | Assurance | Internal Audit / on request | Life of activity | Yes | Yes | Reports at key timings | Yes |
| Project assurance | Assurance | Internal Audit / on request | Life of project | Yes | Yes | Reports at key project milestones | Yes |
| Procurement advisory | Advisory | On request | Quick | Yes | No | Summary | No |
| Preliminary reviews | Advisory | On request | Quick | Yes | No | Improvement roadmap | No |
| One week reviews | Advisory | Internal Audit | Quick | Yes | No | Brief report | No |
| Risk and control improvement facilitation | Advisory | On request | Quick | Yes | No | Improvement roadmap | No |
| Control self-assessment | Advisory | On request | Quick | Yes | No | Brief report | No |
| Continuous auditing | Assurance | Internal Audit | Continuous | Yes | Yes | Ongoing reports | Yes |
| Forensic and fraud reviews | Assurance | Internal Audit / on request | 60–90 days | Yes | Yes | Report | Yes |
| Subsidiary assurance monitoring | Assurance | Internal Audit | 30 days | Yes | Yes | Report | Yes |
| Special audits | Assurance | Internal Audit / on request | 60–90 days | Yes | Yes | Report | Yes |

* Audit evidence is any information used by the auditor to determine whether the information being audited is stated in accordance with established criteria. Two determinants of persuasiveness of evidence are (1) Competence – the degree to which evidence can be considered trustworthy (2) Sufficiency – amount of evidence is enough to form a reasonable opinion.

Conclusion

How to proceed
Chief Audit Executives seeking to broaden their internal audit service offerings could consider the following steps:
› Draft a brief paper on possible service offerings that may be suitable for their organisation.
› Discuss options with the Audit Committee.
› Discuss types of service offerings the Chief Executive Officer and management view as potentially the most valuable.
› Implement pilot activities to trial service offering candidates considered to be most useful.
› Seek Audit Committee and management feedback on results of pilot activities.
› Evaluate what worked well and what did not work as well as expected.
› Modify service offerings as necessary and consider additional service offerings.
› Don’t try to do it all at once – have a phased plan to add more service offerings over time.
› Periodically report to the Audit Committee on the types of services provided to the organisation and how these added value.

Summary
This White Paper describes the concept of an internal audit service catalogue to offer more dynamic and flexible service offerings to the Audit Committee and management.

For many internal auditors, this concept will be a quantum leap from a traditional internal audit approach, and one which may be strongly resisted.

Apart from resistance by some internal auditors, there are still some organisations where management believes Internal Audit comes in after the event to tell management what they got wrong.

More enlightened management will recognise the potential of an internal audit service catalogue.

Internal Audit needs to remain relevant. Otherwise, in hard times, Internal Audit risks being one of the first non-core areas to have its budget and resourcing cut.

By continually evolving its service offerings and value-add, Internal Audit can embed itself in the organisation as an agent of change, build its profile and reputation, and be truly valued by the Audit Committee and management for the forward-looking insights it can provide.

Conclusion
Audit Committees and management are seeking a lot more value from Internal Audit to help improve the business. An internal audit service catalogue has potential to further build the partnership between Internal Audit, the Audit Committee and management, while delivering a wider range of internal audit services offering more value to the organisation.

Bibliography and References
‘International Professional Practices Framework’, Internal Audit Foundation
‘Internal Audit in Australia - Second Edition’, Institute of Internal Auditors – Australia
‘Evolution of Internal Audit’, Institute of Internal Auditors – Australia

Purpose of White Papers
A White Paper is a report authored and peer reviewed by experienced practitioners to provide guidance on a particular subject related to governance, risk management or control. It seeks to inform readers about an issue and present ideas and options on how it might be managed. It does not necessarily represent the position or philosophy of the Institute of Internal Auditors – Global and the Institute of Internal Auditors – Australia.

Author’s Biography
Written by: Andrew Cox
MBA, MEC, GradDipSc, GradCertPA, DipBusAdmin, DipPubAdmin, AssDipAcctg, CertSQM, PFIIA, CIA, CISA, CFE, CGAP, CSQA, MACS Snr, MRMIA

Andrew Cox is Manager of Technical Services at the IIA-Australia, responsible for technical matters including contributions to the body of knowledge around governance, risk management and internal audit. He was previously a chief audit executive at significant organisations.

He further developed the internal audit external quality assessment process in Australia and has performed more than 300 of these in corporate and public sector organisations in Australia, Bahrain, Brunei, Kuwait, Qatar, Saudi Arabia and the United Arab Emirates.

He has made presentations on internal auditing in forums in Australia and internationally and has taught internal auditing in Australia and other countries. He co-authored the IIA-Australia publication ‘Internal Audit in Australia’ and co-authored ‘Audit Committees – A Guide to Good Practice, 3rd edition’ issued by AICD / AUASB / IIA-Australia. He contributed to ‘Sawyer’s Internal Auditing, 7th Edition’. He is an independent member of a number of audit committees.

Edited by: Bruce Turner AM
CRMA, CGAP, CISA, CFE, PFIIA, FFin, FFA, FIPA, FAIM, MAICD, JP

About the Institute of Internal Auditors–Australia
The Institute of Internal Auditors (IIA) is the global professional association for Internal Auditors, with global headquarters in the USA and affiliated Institutes and Chapters throughout the world including Australia.

As the chief advocate of the Internal Audit profession, the IIA serves as the profession’s international standard-setter, sole provider of globally accepted internal auditing certifications, and principal researcher and educator.

The IIA sets the bar for Internal Audit integrity and professionalism around the world with its ‘International Professional Practices Framework’ (IPPF), a collection of guidance that includes the ‘International Standards for the Professional Practice of Internal Auditing’ and the ‘Code of Ethics’.

The IIA-Australia ensures its members and the profession as a whole are well-represented with decision-makers and influencers, and is extensively represented on a number of global committees and prominent working groups in Australia and internationally.

The IIA was established in 1941 and now has more than 200,000 members from 190 countries with hundreds of local area Chapters. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.

Copyright
This White Paper contains a variety of copyright material. Some of this is the intellectual property of the author, some is owned by the Institute of Internal Auditors – Global or the Institute of Internal Auditors – Australia. Some material is owned by others which is shown through attribution and referencing. Some material is in the public domain. Except for material which is unambiguously and unarguably in the public domain, only material owned by the Institute of Internal Auditors – Global and the Institute of Internal Auditors – Australia, and so indicated, may be copied, provided that textual and graphical content are not altered and the source is acknowledged. The Institute of Internal Auditors – Australia reserves the right to revoke that permission at any time. Permission is not given for any commercial use or sale of the material.

Disclaimer
Whilst the Institute of Internal Auditors – Australia has attempted to ensure the information in this White Paper is as accurate as possible, the information is for personal and educational use only, and is provided in good faith without any express or implied warranty. There is no guarantee given to the accuracy or currency of information contained in this White Paper. The Institute of Internal Auditors – Australia does not accept responsibility for any loss or damage occasioned by use of the information contained in this White Paper.
