MODULE 1.

INTERNAL AUDITING

Governance, Risk Management, and Internal Control are interconnected processes

that help organizations achieve their objectives by providing reasonable assurance.

Governance sets the overall direction for risk management activities and considers risk
when formulating strategies.

Risk management depends on effective governance, including risk culture, appetite, and
oversight.

Internal controls are vital for effective governance and help manage risks, such as
compliance and fraud.

Governance involves setting risk appetite, while the CEO and senior management are
responsible for operational risk management and control. The Board ensures ongoing
review of management’s response to risks through mechanisms that involve adequate line
functions. These concepts are especially crucial for professional accountants in Internal
Auditing, which acts as the third line of defense in risk management.

The Three Lines of Defense model outlines a structure for risk management and control
within an organization

First line of defense: Management controls, where risk control and compliance functions
are established.
A second line of defense: Various risk control and compliance oversight functions.
The third line of defense: Internal Audit, assesses and provides recommendations to
improve governance, evaluates risk management processes, and helps maintain effective
controls.

International Standards for the Professional Practice of Internal Auditing (Standards)

Internal audit operations are guided by the International Standards for the Professional
Practice of Internal Auditing (Standards) to preserve and improve organizational value. The
framework strongly emphasizes harmonizing with Internal Audit's mission, which is to
provide risk-based assurance, guidance, and insight. Internal auditing contributes value as
an independent assurance and consulting function by increasing the efficiency of
governance, risk management, and control procedures. Integrity, objectivity, competency,
good communication, and alignment with business risks and strategies are all required by
the Standards.
Internal auditing addresses risks and offers an organized evaluation of governance and
controls to support business goals. There are two types of Internal Audit Services:

Assurance Services- These services involve the objective evaluation of evidence by

internal auditors to provide independent opinions or conclusions on specific areas of the
organization. These services aim to assess and enhance the effectiveness of risk
management, control, and governance processes. For example, in compliance audit, they
evaluate whether an organization is following applicable laws and regulations.

Consulting Services- These are the advisory activities provided to help organizations
improve their operations. It focuses more on providing insights, recommendations, and
guidance tailored to the client's needs. For example, advising on process improvements

Effective internal auditing requires independence, competence, integrity, a sufficient amount

of resources, and proactive insights.

Code of Ethics
The Code of Ethics establishes the norms for moral conduct for internal auditors, defining
the values and guidelines that should direct their work. Instead of dictating particular
behaviors, its main objective is to promote an ethical culture inside the industry by
highlighting fundamental principles and standards.

Fundamentals of the Ethics Code

Integrity ensures auditors' work is trustworthy and their judgment is believable, which
fosters trust.
Avoiding biases or conflicts of interest, objectivity ensures fairness in the evaluation and
communication of findings.
Protecting sensitive information by preventing its disclosure without the appropriate
authority or unless mandated by law is known as confidentiality.
Competency calls on auditors to use the knowledge, abilities, and experience they need to
produce valuable work.

Independence and Objectivity

Independence helps the internal auditors to carry out their responsibilities without bias and
influence. The Chief Audit Executive should directly and freely access senior management
and the board of directors, usually through a dual reporting structure.

Objectivity requires the internal auditors to preserve an unbiased mental attitude and sound
judgments uncompromised by others.

Proficiency and Due Professional Care

Proficiency refers to the knowledge, skills, and competencies required for internal auditors
to perform their duties effectively. It also encompasses awareness of emerging trends and
issues to be able to provide relevant advice. Due Professional Care requires internal audits
to be conducted with such competence and skill as would be expected of a reasonably
prudent internal auditor but does not preclude errors.

Quality Assurance and Improvement Program (QAIP)

A QAIP requires both internal, continuous monitoring and periodic reviews of the internal
auditing activity

Governance, Risk Management, and Control

The internal audit function is responsible for assessing and recommending improvements to
the organization's governance, risk management, and control processes.

Achieving organizational goals requires effective governance, risk management, and

control. Governance entails procedures and frameworks established by the board to direct
and oversee organizational operations. Finding, evaluating, and controlling possible
hazards are the main goals of risk management. Actions made to control risks and
guarantee that goals are reached makeup control.

Fraud

Internal auditors are involved in assessing how the company manages fraud risks, but
management and governance are in charge of stopping and identifying fraud. Fraud is the
use of deception to obtain an advantage and is caused by three factors: opportunity,
pressure, and rationalization.

Rationalization, opportunity, and pressure are the three main elements.

The term "pressure" describes the need or motivation—such as monetary hardship or

outside expectations—that propels someone to conduct deception. Opportunities occur
when fraud can be committed undetected due to inadequate oversight or lax internal
controls. The process of rationalization entails defending the fraudulent act as essential,
reasonable, or harmless.

Gaining an understanding of these components enables firms to spot weaknesses and

strengthen systems to stop fraud.