OA Prelims


Definition, Characteristics, and Guidance

Internal audit
- is undergoing a massive transformation.
- Role: to provide independent, objective assurance and consulting services to organizations in
ways that improve their operations. This role has remained constant for decades and remains true
today, but how it has been accomplished has changed over time.
Institute of Internal Auditors (IIA)
- 1941
- the profession has evolved to adapt its personality, purpose, and approach to the changes
taking place in the fields of management and organizational behavior.
- Universities and other academic institutions capitalized on the lessons of the industrial era
and developed organization theories that created systems whereby centralization, a defined
hierarchy, distinct authority levels and reporting lines, clear rules, and the division of labor
were the norm.
Standardization
- was the norm and organizations implemented rigid guidelines for how they functioned.
Audit Function
- focused on assessing an organization’s control or operational effectiveness with this
standardization and could do so quickly by using checklists, prepared questionnaires, and
reviewing the same documents year after year to verify consistency.
Concealed Risk
- became apparent in the 1960s and lasted through the 1980s.
Enterprise resource planning (ERP)
- system provided the necessary separation of duties and limited transaction processing to
those authorized
Early 1990s
- internal audit began a transformation process that is bringing it more in line with the true
needs of the organizations it serves and the related stakeholders.
The State of Internal Audit 2013
- report from Thomson Reuters Accelus states that although internal auditors are beginning to
evaluate more strategic level risk management and monitoring activities, most internal audit
departments continue to focus primarily on process assurance and monitoring activities.
Professional Practice of Internal Auditing (the Standards).

Definition and Characteristics of Operational Auditing


Operational Auditing
- is defined as “A future-oriented, systematic, and independent evaluation of organizational
activities.”
- Financial Data (may be used)
- Primary sources of evidence:
a. Operational Policies
b. Achievements related to Organizational Objectives
- Business Dictionary: “A review of how an organization’s management and its operating
procedures are functioning with respect to their effectiveness and efficiency in meeting stated
objectives.”
Internal Auditing
- is an independent, objective assurance and consulting activity designed to add value and
improve an organization’s operations.
- it helps an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.
The definition contains some key language that is important to note:
1. Independence
- has to do primarily with the position of internal audit within the organization’s hierarchy.

2. Objectivity
- is related to the auditors’ frame of mind and their ability to examine documents, processes,
and programs without a bias, without an agenda, with no other motive than to find the truth
and communicate it accurately and promptly
- Conflicts of interest are one of the biggest threats to objectivity

3. Assurance
- relates to the auditors’ ability to give confidence and make statements regarding the
condition of matters within the organization
- It is often considered a synonym for “compliance,” which has been the traditional focus of internal
auditors for millennia.
- Compliance audits focus on verifying conformity and adherence of a particular area,
process, or system with policies, plans, procedures, laws, regulations, contracts, or other
requirements that govern the conduct and actions of that area, process, or system.
- According to the report, there are four main reasons why organizations report:
a. Provide shareholders more transparency
b. Gain competitive advantage
c. Improve risk management capabilities
d. Respond to stakeholder pressure
- GRIG = Global Reporting Initiative Guidelines
- CSR = Corporate Social Responsibility
- Triple bottom line: people (social), planet (environment/ecology), profit (economic)

4. Consulting
- means giving advice to management and the board, and engaging in activities that help the
organization resolve nagging business issues

5. Designed to add value
- If you ask a gathering of internal auditors if they add value in their organizations, they
unanimously raise their hands in agreement.

6. Improve an organization’s operations
- is a very interesting statement because many auditors see their role as that of checking
things and verifying the accuracy of various items and activities within the organization

7. Help an organization accomplish its objectives.
- Many auditors practice what has been commonly referred to as controls-based auditing.

8. By bringing a systematic, disciplined approach.
- refers to the approach followed when performing the work.

9. To evaluate and improve the effectiveness.
- Our role as auditors goes beyond evaluating business dynamics and writing reports that
merely list the problems identified.
- The definition indicates that we evaluate, but also help to improve the organization’s ability
to achieve the goals and objectives related to:
a. Risk management - This refers to the identification, measurement, assessment, and
response to risk
b. Control - This refers to those activities that mitigate relevant risks and help the
organization avoid surprises.
c. Governance processes

Certified Public Accountant (CPA)
Certified Internal Auditor (CIA)
Certified Information Systems Auditor (CISA)
Certified Fraud Examiner (CFE)

The Risk-Based Audit


Risk-based Auditing
- means that internal auditors must exercise and apply a broader view of organizational risks.
Limited number of the many risks organizations face:
- Accounting risks
- Financial risks
- Other examples, risk of
o delays,
o waste,
o inefficiency,
o poor customer service,
o excessive customer and employee turnover,
o poor quality data
o system failures.

Concept of Risk-based Auditing
- is in contrast to what has been dubbed controls-based auditing.
- The latter is defined as audits that focus on identifying and evaluating internal controls
without enough regard to their value to the process.
- This can happen because auditors take a preexisting work program without sufficiently
researching the nuances of the present audit scope, or because, even when they perform planning
activities, their interviews and other research focus only on identifying existing controls without
fully understanding the key risks and objectives of the process under review.
Performing controls-based audits
- the auditor then listens and searches for references to controls with the intention of verifying
their existence and effectiveness.
- In effect, they are testing the controls in relative isolation, without fully understanding their
connection to the underlying objectives and risks of the process or program under review.
Performing risk-based audits
- requires more brainstorming, more interactions with process owners, a more in-depth
understanding of the organization’s business, and a mechanism to address past, present, and
future vulnerabilities and scenarios that threaten the achievement of business objectives.
2015 Common Body of Knowledge (CBOK): a global survey entitled “Driving Success in a Changing
World: 10 Imperatives for Internal Audit” confirms that the internal audit profession is
making substantial progress in making itself relevant to business overall.

Auditing Beyond Accounting, Financial, and Regulatory Requirements


Over time, business leaders and managers witnessed business failures caused by poor management
decisions and practices. By poor management, I am referring to inadequate:
1. Operations management
- Some of the related issues are waste, inefficiencies, supplies that arrive late, poor customer
satisfaction, and limited capacity to grow as opportunities arise or customers’ demands
change.

2. Human resources
- As evidenced by poorly supervised, trained, and evaluated employees who sometimes become
unmotivated and unproductive.

3. IT
- Computer systems designed with an inaccurate understanding of the business needs and uses
of these systems, poor data capture, and inadequate reporting mechanisms.

4. Marketing
- Mass marketing of products and services at a time when customers prefer to feel unique, or
wasteful campaigns because they target the wrong audience.

5. CSR
- Issues range from child labor, sweatshop conditions, and abusive management to
inappropriate waste disposal.

6. Environmental Health and Safety (EHS)
- Practices and conditions related to poor ventilation, excessive heat, extreme noise levels, and
workplace hazards caused by chemicals, machinery, and workplace configurations, among
others.

The Value Auditors Provide
The Cornell University Law School Legal Information Institute defines fiduciary responsibility as
follows:
➢ Fiduciary Duty
- is a legal duty to act solely in another party’s interests.
- Parties owing this duty are called fiduciaries.
- The individuals to whom they owe a duty are called principals.

➢ Fiduciaries
- may not profit from their relationship with their principals unless they have the principals’
express informed consent.
- They also have a duty to avoid any conflicts of interest between themselves and their
principals or between their principals and the fiduciaries’ other clients.

Primary (economic) stakeholders


1. Employees
2. Suppliers
3. Customers
4. Creditors
5. Investors

This process is called stakeholder analysis, which asks three fundamental questions:
1. Who are the relevant stakeholders?
2. What are the interests of each stakeholder?
3. What is the power of each stakeholder?

Secondary (noneconomic) stakeholders


1. Governments
2. Media
3. Activist groups
4. Business support groups
5. Communities
6. General public
Primary Stakeholders, Nature of Interest, and Power

Secondary Stakeholders, Nature of Interest, and Power

Identifying Operational Threats and Vulnerabilities


Traditional Approach to internal auditing
- was to perform postmortem reviews to verify that what was done was done appropriately.
- This was a practice that followed in the footsteps of public accounting firms, which inspect
transactions that occurred during the preceding fiscal year.
These future-oriented threats and vulnerabilities can be:
1. Operational, such as maintaining operational capacity, speed of execution (i.e., cycle time),
staffing levels, employee motivation, knowledge transfer, system development, and
implementation

2. Technological, including protection of intellectual property and personally identifiable
information, denial of service attacks, business continuity due to staff turnover, and system
development

3. Strategic, referring to concerns related to strong customer and vendor relations, customer
loyalty, building effective business partnerships, outsourcing arrangements, and mergers and
acquisitions

4. Environmental, which may include reliable supply of water and electricity, achieving a lower
carbon footprint, and reducing the amount of natural resources used during business
activities

The Skills Required for Effective Operational Audits


The paradigm shift in the work of internal auditing from being controls-based to risk-based means
that internal auditors must acquire and apply skills different from those they used in the
past.

According to the IIA Research Foundation Core Competencies Report, the following are the top
general competencies of internal auditors:
1. Communication skills, such as oral, written, report writing, and presentation skills
2. Problem identification and solution skills, such as conceptual and analytical thinking
3. Ability to promote the value of internal audit
4. Knowledge of industry, regulatory, and standards changes
5. Organization skills
6. Conflict resolution/negotiation skills
7. Staff training and development
8. Accounting frameworks, tools, and techniques
9. Change management skills
10. IT/CT* framework, tools, and techniques
11. Cultural fluency and foreign language skills

The three common core competencies identified in the report are:
1. Communication skills
2. Problem identification
3. Solution skills

In terms of behavioral skills, internal auditors should possess the following skills:
1. Confidentiality
2. Objectivity
3. Communication
4. Judgment
5. Work well with all management levels
6. Possess governance and ethics sensitivity
7. Be team players
8. Relationship building
9. Work independently
10. Team building
11. Leadership
12. Influence
13. Facilitation
14. Staff management
15. Change catalyst skills

These skills should be acquired along two dimensions:
1. Individual level
2. Internal audit unit level

At the individual level, internal auditors, like most professionals today, are expected to take
ownership of their own training and development and not leave it to their employers to decide and
implement. Whereas, in the past, it was common for employees to take a passive approach, waiting
for their employers to tell them when, what, and why training would occur, today’s auditors should
take a more active and engaged approach to their training needs. They should
1. Reflect on their present competencies, identify their job needs, and perform a gap analysis to meet
their current skill requirements
2. Define their career ambitions and chart a roadmap to acquire the skills and competencies needed
in the future

Integrated Auditing
As we examine the approach employed by public accountants, their focus was centered on financial
assertions, such as occurrence, completeness, accuracy, classification, existence, and valuation of
accounting and financial information, as inputs for the organization’s financial statements.
It is important to remember the key objectives of financial audits:
1. Ascertain whether in all material respects, the income statement and the statement of cash
flows accurately and reliably reflect the activities during the fiscal year
2. Ascertain whether in all material respects, the balance sheet shows the condition of the
organization as of the last day of the fiscal year
Internal Audit Capability Model (IA-CM)

The Standards
International Standards for the Professional Practice of Internal Auditing (Standards)

1210—Proficiency. Internal auditors must possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities. The internal audit activity collectively must
possess or obtain the knowledge, skills, and other competencies needed to perform its
responsibilities.

1210.A3—Internal auditors must have sufficient knowledge of key IT risks and controls and available
technology-based audit techniques to perform their assigned work. However, not all internal
auditors are expected to have the expertise of an internal auditor whose primary responsibility is IT
auditing.
1220.A2—In exercising due professional care internal auditors must consider the use of technology-
based audit and other data analysis techniques.

1220.A3—Internal auditors must be alert to the significant risks that might affect objectives,
operations, or resources. However, assurance procedures alone, even when performed with due
professional care, do not guarantee that all significant risks will be identified.

2010—Planning. The CAE must establish a risk-based plan to determine the priorities of the internal
audit activity, consistent with the organization’s goals.

2120—Risk management. The internal audit activity must evaluate the effectiveness and contribute
to the improvement of risk management processes.

2120.A1—The internal audit activity must evaluate risk exposures relating to the organization’s
governance, operations, and information systems regarding the:
▪ Achievement of the organization’s strategic objectives
▪ Reliability and integrity of financial and operational information
▪ Effectiveness and efficiency of operations and programs
▪ Safeguarding of assets
▪ Compliance with laws, regulations, policies, procedures, and contracts

2130.A1—The internal audit activity must evaluate the adequacy and effectiveness of controls in
responding to risks within the organization’s governance, operations, and information systems
regarding the:
▪ Achievement of the organization’s strategic objectives
▪ Reliability and integrity of financial and operational information
▪ Effectiveness and efficiency of operations and programs
▪ Safeguarding of assets
▪ Compliance with laws, regulations, policies, procedures, and contracts

2130—Control. The internal audit activity must assist the organization in maintaining effective
controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2201—Planning considerations. In planning the engagement, internal auditors must consider:
▪ The objectives of the activity being reviewed and the means by which the activity controls its
performance
▪ The significant risks to the activity, its objectives, resources, and operations and the means
by which the potential impact of risk is kept to an acceptable level

2220.A1—The scope of the engagement must include consideration of relevant systems, records,
personnel, and physical properties, including those under the control of third parties.

2310—Identifying information. Internal auditors must identify sufficient, reliable, relevant, and
useful information to achieve the engagement’s objectives.
▪ Sufficiency - This means that the auditor needs enough information, including quantifiable
facts and figures.
▪ Reliability - Meaning that the information must be trustworthy and free from distortion.
▪ Relevance - This relates to the information being consistent with the objectives and scope of
the review.
▪ Usefulness - This relates to the information helping the organization accomplish its objectives.

2330—Documenting information. Internal auditors must document relevant information to support
the conclusions and engagement results.

2410.A2—Internal auditors are encouraged to acknowledge satisfactory performance in engagement
communications.

2420—Quality of communications. Communications must be accurate, objective, clear, concise,
constructive, complete, and timely.
▪ Accurate - There are no mistakes or errors in the information presented.
▪ Objective - The auditor’s work is focused on facts and informed judgment, there is no bias
involved, and the results are neither inflated nor understated.
▪ Clear - Easy to understand and interpret.
▪ Concise - Brief by using only as many words as necessary—gone are the days of very lengthy
reports.
▪ Constructive - Serves the purpose of helping the organization improve its activities and
promote advancement through excellence.
▪ Complete - Nothing relevant or important missing.
▪ Timely - Issued promptly because the value of the message decreases with time
