Chapter 1: Introduction to Internal Auditing

1. Evolution of Internal Auditing:

 Traditional Role: Focused on financial audits and internal controls, primarily aimed at detecting fraud.
Internal auditors were seen as the "eyes and ears" of management.

 Modern Role: Now includes a wide range of services beyond just financial audits:

o Assurance Services: Financial audits, performance/operations audits, compliance audits, special

audits, due diligence.

o Consulting Services: Advising on new accounting software, designing control systems, creating
codes of conduct.

2. Reasons for the Growth of Internal Auditing:

 Increased Complexity: Company growth, globalization, and complex business operations make it hard to
control everything without internal audits.

 Legal and Regulatory Pressure: More laws, regulations, and public policy considerations demand better
internal controls.

 Fraud Prevention: Rising cases of frauds and scams require robust internal auditing systems.

 Mandatory Requirements: In many countries, including the Philippines, internal audits are mandatory for
certain organizations.

3. Internal Auditing in the Philippines:

 Regulatory Requirements:

o Listed companies must follow the SEC's Corporate Code of Good Governance.

o The Board of Directors must establish an Audit Committee with at least three members:

 One independent director as chair.

 At least one member with an accounting or finance background.

 At least one member with audit experience.

Summary: Internal auditing has grown from a narrow focus on financial controls to a broad discipline that supports
organizations in various ways. It’s now essential and, in some cases, mandatory, particularly in environments with
complex operations, regulations, and high risks of fraud.

Definition of Internal Auditing

Institute of Internal Auditors (IIA) Definition:

 Internal Auditing is:

o Independent: Free from outside influence, ensuring impartiality.

o Objective: Based on facts, without bias or prejudice.

 Purpose:

o Assurance Services: Providing confidence in the accuracy and reliability of financial and operational
reports.

o Consulting Activity: Offering advice to improve processes and decision-making.

 Designed To:

o Add Value: Enhance the organization's effectiveness and efficiency.

 o Improve Operations: Streamline processes, improve risk management, control, and governance.

Overall Goal:

 Support Organizational Objectives: Through a systematic, disciplined approach, internal auditing helps in
evaluating and improving the effectiveness of:

o Risk Management: Identifying and mitigating risks.

o Control Processes: Ensuring that controls are in place and working as intended.

o Governance Processes: Ensuring that the organization is managed in a way that aligns with its
goals and regulations.

Visual Summary:

 Independent + Assurance = Add Value

 Objective + Consulting = Improve Operations

Takeaway: Internal auditing is a crucial function that helps organizations operate more effectively by providing
independent, objective assessments and advice, ultimately adding value and improving overall performance.

Independence

1. Independence

 Definition by IIA:

o Independence is the freedom from conditions that could threaten the unbiased execution of internal
audit duties.

o It's the foundation of the auditing profession, ensuring that auditors can perform their work without
external influence.

 Importance of Independence:

o Cornerstone of Auditing: Ensures the integrity and objectivity of audit findings.

o Prerequisite for Adding Value: Without independence, the credibility of the audit and assurance
engagements is compromised.

 Chief Audit Executive (CAE):

o The CAE and the internal audit activity must be truly independent to be effective.

o Globally, companies align their reporting structures with the IIA's International Standards for the
Professional Practice of Internal Auditing to uphold this independence.

2. Independence in the Philippines

 SEC's Corporate Code of Good Governance:

o Requirement for Independent Directors: Listed companies must have at least two independent
directors or 20% of the board, whichever is lesser, but never fewer than two.

o Reporting Lines:

 Internal audit reports should go directly to the Board of Directors, not to the President or
CEO.

 This structure prevents conflicts of interest, as the CEO or President might influence audits if
they are subject to examination.

3. IIA Related Standards

  Standard 1100:

o Internal audit activity must be independent and auditors must be objective.

 Standard 1110:

o The CAE must report to a level within the organization that enables the internal audit activity to fulfill
its responsibilities.

o The CAE must confirm the organizational independence of the internal audit activity to the Board at
least annually.

Summary: Independence is a critical aspect of internal auditing, ensuring that audits are conducted without bias and
that findings are credible. The CAE plays a key role in maintaining this independence by reporting directly to the Board
and confirming the audit activity's independence regularly. In the Philippines, regulatory requirements emphasize the
need for independent directors and proper reporting lines to safeguard the integrity of internal audits.

Organizational Independence and Auditor's Objectivity

1. Achieving Effective Internal Auditing

 Two Key Components:

o Organizational Independence

o Individual Objectivity

2. Auditor's Objectivity

 Definition:

o Objectivity is an unbiased mental attitude that allows internal auditors to perform their duties with
integrity.

 Importance:

o Ensures auditors believe in their work product.

o Guarantees that no quality compromises are made during the audit process.

3. Organizational Independence

 Definition:

o Achieved when the Chief Audit Executive (CAE) reports functionally to the Board of Directors.

 Dual Relationship:

o The CAE should have direct and unrestricted access to both:

 Senior Management

 The Board of Directors

o This structure is essential for maintaining the independence of the internal audit function.

4. Internal Audit Activity

 Definition:

o It refers to a department, division, or team of consultants that provide independent, objective

assurance and consulting services aimed at adding value and improving the organization's
operations.

Summary:
To ensure effective internal auditing, both Organizational Independence and Auditor's Objectivity are crucial.
Objectivity ensures that auditors maintain an unbiased attitude, while Organizational Independence is secured when
the CAE has a direct reporting line to the Board, allowing for unbiased and unrestricted auditing practices. The Internal
Audit Activity encompasses all entities providing these essential services within the organization.

Dual Reporting

1. Dual Reporting Structure:

 Internal Audit Reporting Lines:

o Direct Reporting (Functional):

 Internal audit reports directly to the Board of Directors (BOD) through the Internal Audit
Committee (IAC).

 The Board is the true superior of the internal audit group, ensuring that internal audit remains
independent from the CEO's direct influence.

o Administrative Coordination:

 Internal audit also coordinates administratively with the CEO, but this is not a direct
reporting relationship.

2. Ideal vs. Actual Practice:

 Ideal Setup:

o The dual reporting structure, as shown in the diagram, is based on IIA guidelines and standards
and is considered the best practice.

 Actual Practice:

o Some companies, especially smaller entities or those under the direct control of an owner/President,
might not follow this structure. In such cases, internal auditors report exclusively to management,
which could work well in stable environments but poses risks.

3. Risks of Not Having Dual Reporting:

 Potential Influence:

o If the internal audit only reports to management, the CEO or other executives might unduly influence
the audit plan, scope, and the reporting of issues.

 Scope Limitation:

o This influence can lead to scope limitations, which threaten auditor independence and may prevent
the internal audit from being truly effective.

4. Examples of Functional Reporting to the Board:

 Approvals by the Board:

o Internal Audit Charter: Approval of the charter that defines the scope and purpose of internal audit.

o Risk-Based Audit Plan: Approval of the audit plan based on the organization's risk assessment.

o Budget and Resources: Approval of the internal audit's budget and resource plan.

 Communications and Performance Review:

o The Board receives regular updates from the CAE on internal audit performance.

 Decisions on CAE:

o The Board approves the appointment, removal, and remuneration of the CAE.

 Inquiries and Oversight:

 o The Board ensures there are no inappropriate scope or resource limitations by making appropriate
inquiries to management and the CAE.

Summary:
The dual reporting structure, where internal audit reports functionally to the Board and administratively to the CEO, is
essential for maintaining the independence and effectiveness of the internal audit function. This structure helps
prevent undue influence and ensures that internal audits are conducted without scope limitations. The Board's
involvement in approving key aspects of internal audit work further supports this independence.

Scope Limitation

1. Definition of Scope Limitation:

 Scope Limitation: A restriction on the internal audit activity that prevents it from fully achieving its
objectives and plans.

 Impact: Such limitations hinder the effectiveness and independence of the internal audit function.

2. Importance of Addressing Scope Limitations:

 Serious Concern: Any reporting relationship or restriction that compromises the independence and
effectiveness of internal auditing is a serious issue.

 Responsibility of the CAE: The Chief Audit Executive (CAE) must bring any significant scope limitations to
the attention of the board, audit committee, or equivalent authority.

 IAA Standard: The CAE is required to confirm the organizational independence of the internal audit
activity to the board at least annually.

3. Examples of Scope Limitation (as per Practice Advisory 1130-1):

 Restrictions May Include:

o Scope Defined in the Charter: Limits on what the internal audit can cover, based on its charter.

o Access to Information: Restricted access to records, personnel, or physical properties needed for
the audit.

o Engagement Work Schedule: Interference with the approved audit work schedule.

o Engagement Procedures: Preventing necessary audit procedures from being carried out.

o Staffing and Budget: Limitations on approved staffing or financial resources for the audit.

4. Communication of Scope Limitations:

 Written Communication: Scope limitations and their potential effects should be communicated in writing to
the board.

 Reassessment: The CAE should consider whether to inform the board of scope limitations that were
previously communicated and accepted, especially if there have been changes in the organization or
leadership.

5. Objectivity and Ethical Considerations:

 Gifts and Entertainment: Internal auditors should not accept fees, gifts, or entertainment from anyone
that could create the appearance of impaired objectivity.

o This applies to current and future engagements.

 Exceptions: Receiving promotional items of minimal value (e.g., pens, calendars) that are generally available
to employees and the public is acceptable and does not impair judgment.

 Reporting Requirements: Internal auditors must report any offer of material fees or gifts to their supervisors
immediately.
Summary: Scope limitations are significant restrictions that can impede the internal audit function's ability to achieve
its goals. These limitations, whether they involve access to information, scope, or resources, must be communicated
to the board. The CAE plays a crucial role in ensuring that these issues are addressed to maintain the independence
and effectiveness of the internal audit. Additionally, auditors must remain objective and avoid accepting gifts or
entertainment that could compromise their impartiality.

Reporting Line vs. Administrative Line

1. Reporting Line (Functional Reporting):

 Definition: The reporting line is the internal audit activity’s primary source of independence and
authority.

 Best Practice: It is recommended that the Chief Audit Executive (CAE) directly reports to the audit
committee, board of directors, or an equivalent governing authority.

 Purpose: The reporting line ensures that the internal audit function has the independence necessary to carry
out its duties effectively and without undue influence from management.

2. Administrative Line:

 Definition: The administrative line is the relationship within the organization’s management structure that
supports the day-to-day operations of the internal audit activity.

 Purpose: It provides the necessary coordination and interface within the organization to ensure the internal
audit function operates smoothly and effectively.

 Typical Administrative Responsibilities:

o Budgeting and Management Accounting: Handling the financial planning and accounting needs of
the internal audit department.

o Human Resource Administration: Managing personnel matters such as recruitment, training, and
performance evaluations for the internal audit staff.

o Internal Communications and Information Flows: Ensuring that the internal audit team has access
to the necessary information and communication channels within the organization.

o Administration of Internal Policies and Procedures: Overseeing the implementation of company

policies such as expense approvals and leave approvals for the internal audit team.

3. Key Differences:

 Authority and Independence:

o Reporting Line: Provides the internal audit function with the authority to operate independently, free
from management influence.

o Administrative Line: Supports the operational needs of the internal audit function but does not
provide independence or authority.

 Focus:

o Reporting Line: Focuses on strategic oversight and ensuring the internal audit's autonomy.

o Administrative Line: Focuses on operational efficiency and day-to-day management tasks.

4. Importance of Distinction:

 Maintaining Independence: Clear separation between the reporting line and the administrative line helps
ensure that the internal audit activity remains independent and objective.

 Effectiveness of Internal Audit: A well-defined reporting line to the board or audit committee ensures that
the internal audit can report on sensitive issues without interference from management.

Summary: The reporting line (functional reporting) is crucial for maintaining the independence and authority of the
internal audit function, typically involving direct reporting to the board or audit committee. In contrast, the
administrative line handles the day-to-day operational aspects and coordination within the organization, supporting
but not influencing the internal audit’s independence. Understanding the distinction between these two lines is
essential for ensuring that internal auditing remains effective and unbiased.

Objectivity

1. Objectivity in Internal Auditing:

 Definition: Objectivity is a mental attitude that internal auditors must maintain to ensure their work is carried
out with impartiality and unbiased judgment.

 Mindset: Internal auditors should have an appropriate mindset that allows them to exercise judgment,
express opinions, and present recommendations impartially.

 Independence: Auditors should be in a sufficiently independent position to avoid conflicts of interest that
could impair their objectivity.

2. Importance of Avoiding Conflicts of Interest:

 Conflict of Interest: A situation where an internal auditor has a competing professional or personal
interest that could impair their ability to perform their duties impartially.

o Examples: Conflicts of interest can arise from professional or personal relationships, financial
interests, or other connections to the organization or activity under audit.

 IIA Standard 1120: Internal auditors must maintain an impartial, unbiased attitude and avoid any conflict
of interest.

3. Managing Conflict of Interest:

 Approaches to Address Conflicts:

1. Avoidance: Stay clear of situations that could lead to a conflict of interest.

2. Disclosure: Inform stakeholders relying on the audit results about any potential conflicts.

3. Management: Ensure that any judgments made, despite potential conflicts, are beneficial and
outweigh the costs.

4. Individual Objectivity (PA 1120-1):

 Honest Belief: Internal auditors must believe in the integrity and quality of their work product, ensuring that
no compromises are made.

 Preventing Bias: The Chief Audit Executive (CAE) must:

o Organize staff assignments to prevent potential and actual conflicts of interest.

o Periodically obtain information from audit staff to identify potential conflicts.

o Rotate audit staff assignments when practicable to avoid bias.

 Review Process: Engaging in peer reviews of audit work before finalizing communications ensures that the
work was conducted objectively.

5. Summary:

 Objectivity in internal auditing is fundamental to maintaining credibility and effectiveness. Auditors must
avoid any situation that could create a conflict of interest, and the CAE plays a critical role in ensuring that all
audit work is done with integrity and independence. By adhering to these principles, internal auditors can
confidently express their judgments and recommendations, contributing to the organization's success while
upholding professional standards.
Illustration of Activities Affecting Auditor's Objectivity

Case A: Recommending Standards vs. Involvement in Implementation

 Scenario: An internal auditor recommends standards of control for systems or reviews procedures before
they are implemented.

 Outcome: Objectivity Not Impaired. The auditor's role is advisory, providing recommendations without direct
involvement in the execution.

 Impaired Objectivity: The auditor's objectivity is impaired if they design, install, draft procedures for, or
operate the systems. In this case, the auditor would be acting in a management capacity, creating a conflict of
interest that compromises their ability to audit those systems objectively.

Case B: Invitation from a Potential External Auditor

 Scenario: Fermin, the Chief Audit Executive (CAE) of XYZ Company, is invited by Patricia, the engagement
partner of a potential external accounting firm, to join her for a week of hunting at her private lodge.

 Outcome: Answer: No. Accepting such an invitation would create a conflict of interest.

o Rationale: This situation presents a potential conflict of interest because Fermin is in a position of
influence over the decision to appoint the external auditors. By accepting personal favors, Fermin's
impartiality could be compromised, leading to a loss of objectivity in evaluating the external audit
firm's suitability.

Case C: Ownership in a Supplier Company

 Scenario: U, the internal audit manager of Celine Manufacturing Company, is also one of the owners of LJM
Marketing, a company supplying raw materials to Celine. The board suspects that bidding processes were
manipulated to favor LJM Marketing and orders an audit.

 Outcome: Answer: Yes, there is a conflict of interest.

o Rationale: U has a pecuniary interest in LJM Marketing, which directly conflicts with his duties as an
internal auditor at Celine. His dual role creates a situation where it is difficult, if not impossible, for him
to act without bias. As an auditor, he must ensure the integrity of the bidding process, but as an owner
of a supplier company, he would naturally want to protect his financial interests. This duality
undermines his ability to perform his audit duties objectively and damages the credibility of the internal
audit activity.

Key Takeaways:

 Objectivity is critical for internal auditors to maintain trust and credibility.

 Conflicts of interest can arise from personal, financial, or professional relationships and must be carefully
managed or avoided to maintain objectivity.

 Practical Examples:

o Advisory roles that avoid direct involvement in implementation help maintain objectivity.

o Personal favors or relationships with parties under audit create significant risks to objectivity and must
be avoided.

o Ownership or financial interest in entities under audit creates a clear conflict of interest, requiring
recusal or reassignment.

Occasional Performance of Non-Audit Work & Impairment to Independence or Objectivity

Occasional Performance of Non-Audit Work

 Definition: Sometimes, internal auditors may be required to perform non-audit tasks.

  Key Point: This does not automatically impair objectivity as long as full disclosure is made during the
reporting process.

 Considerations:

o Management's Role: Must carefully assess whether the non-audit work might affect the auditor’s
objectivity.

o Auditor’s Role: Should ensure that their ability to conduct unbiased audits remains intact, even after
performing non-audit duties.

Impairment to Independence or Objectivity

 Impairment Definition: Occurs when an auditor's independence or objectivity is compromised, either in

reality or in appearance.

 Disclosure Requirement:

o Mandatory: If any impairment occurs, it must be disclosed to relevant parties.

o Nature of Disclosure: The specifics of the disclosure depend on the type and extent of the
impairment.

 Why It Matters: Protecting the integrity of the audit process ensures that the internal audit function remains
credible and effective.

Key Takeaways:

 Objectivity can be maintained despite occasional non-audit work, but transparency is crucial.

 Impairment to independence or objectivity must be disclosed to preserve trust and accountability in the audit
process.

Assurance Engagements

Definition:

 Assurance Engagement: An objective examination of evidence aimed at providing an independent

assessment of an organization's risk management, control, or governance processes.

Types of Internal Audit Services:

 Assurance Services: Involves the internal auditor's objective assessment of evidence to provide an
independent opinion or conclusions regarding a specific entity, operation, function, process, system, or other
subject matter.

 Consultancy Services: In contrast, involves advisory activities designed to add value and improve an
organization's governance, risk management, and control processes without the auditor providing an
independent opinion.

Key Assurance Activities:

1. Financial Audits: Examining financial records like cash and expenditures, distinct from traditional external
financial audits.

2. Performance or Operational Audits: Evaluating the efficiency and effectiveness of operations.

3. Risk Management Assurance:

o Assessing the design and effectiveness of risk management processes.

o Confirming that risks are correctly evaluated.

o Evaluating the reporting on key risks and controls.

o Reviewing the management of key risks, including the effectiveness of controls.

Role of Internal Audit in Assurance:

  Internal audit provides assurance to various stakeholders, including regulators, employees, providers of
finance, and shareholders.

 The scope and nature of the assurance engagement are determined by the internal auditor, as outlined in the
internal audit charter.

Parties Involved in an Assurance Engagement:

1. Process Owner: The individual or group directly involved with the subject matter being audited (also known
as the "auditee" in external audits).

2. Internal Auditor: The individual or group conducting the assessment.

3. User: The individual or group who will use the results of the assessment.

Key Points to Remember:

 Assurance engagements provide an independent and objective evaluation, which is crucial for effective risk
management and governance.

 Understanding the roles of each party involved helps clarify the responsibilities and expectations during an
assurance engagement.

 The internal auditor has the responsibility to determine the scope and nature of these engagements, ensuring
they align with the internal audit charter.

Consulting

Definition:

 Consulting Services: According to the IIA Glossary, these are "advisory and related client service activities,
the nature and scope of which are agreed with the client, intended to add value and improve an organization's
governance, risk management, and control processes, without the internal auditor assuming management
responsibility."

Parties Involved in a Consulting Engagement:

1. Internal Auditor: The individual or group offering the advice.

2. Engagement Client: The person or group seeking and receiving the advice, which could be a business unit,
department, group, individual, or another subdivision of the organization.

Scope Limitation in Consulting Services:

 Objectivity: The internal auditor must maintain objectivity and avoid assuming any management
responsibility while performing consulting services.

 Request-Based: Consulting services are usually performed at the specific request of the engagement clients.

Role of the Internal Audit Charter:

 The internal audit charter typically defines the nature of consulting engagements the internal audit can
perform.

 The board or audit committee may empower the internal audit to perform "additional services" not mentioned
in the charter, provided these services do not create a conflict of interest or interfere with the internal audit's
obligations to the committee.

 Any additional empowerment should be reflected in the updated internal audit charter.

Key Points to Remember:

 Purpose of Consulting Services: These services are designed to add value and improve the organization's
processes without the internal auditor taking on management duties.
  Client-Centric: The scope and nature of consulting engagements are tailored to the needs of the
engagement client, ensuring that the advice provided is relevant and useful.

 Empowerment and Objectivity: Internal auditors must stay objective and ensure any additional services
provided align with their overall responsibility and do not lead to conflicts of interest.

These notes will help you clearly explain the concept of consulting services and effectively participate in class
discussions on this topic.

Categories of Consulting Engagements (Based on IIA Practice Advisories)

1. Formal Consulting Engagements:

 Definition: Planned engagements with a written agreement.

 Examples:

o Assessment of internal controls in systems (e.g., accounts payable systems).

o Reviewing controls in newly developed systems.

2. Informal Consulting Engagements:

 Definition: Routine and typically less formal activities.

 Examples:

o Participation in standing committees.

o Involvement in limited-life projects or ad-hoc meetings.

o Routine information exchanges.

o Serving on task forces for operational analysis and recommendations.

3. Special Consulting Engagements:

 Definition: Involvement in high-impact projects.

 Examples:

o Participation in a merger and acquisition team.

o Assisting in a system conversion.

o Evaluating a proposed organizational restructure for efficiency and practicality.

4. Emergency Consulting Engagements:

 Definition: Rapid-response involvement in critical situations.

 Examples:

o Assisting in recovery or maintaining operations after a disaster.

o Providing temporary help for special requests or urgent deadlines.

Important Note for Auditors:

 Conduct of Consulting Engagements:

o Auditors should not undertake consulting engagements simply to bypass the stricter requirements of
assurance engagements.

o Exception: If a service, previously performed as an assurance engagement, is more appropriately

reclassified as a consulting engagement, adjustments in methodology are acceptable.
Effect of Consulting Services on Auditor's Objectivity

1. Enhancing Understanding:

 Key Point: Performing consulting services may enhance the auditor’s understanding of the client's business
processes or issues.

 Why it Matters: This deeper understanding can lead to more effective assurance engagements, without
necessarily impairing the auditor's objectivity.

2. Internal Auditing Role:

 Key Point: Internal auditing is not a decision-making function.

 Management's Role: Decisions to adopt or implement recommendations from consulting services should be
made by management, not the auditor.

3. Disclosing Potential Impairments:

 Standard 1130.C2: If there are potential impairments to independence or objectivity related to consulting
services, the auditor must disclose these to the engagement client before accepting the engagement.

Independence and Objectivity in Consulting Engagements

1. Previous Responsibilities:

 Scenario: Internal auditors might be asked to provide consulting services on operations they previously
managed or audited.

 Chief Audit Executive's Role: Before offering consulting services, the Chief Audit Executive (CAE) should
ensure that the board understands and approves these services.

 Action Required: If approved, the internal audit charter must be updated to include the authority and
responsibilities for consulting activities, and proper policies and procedures should be established.

2. Maintaining Objectivity:

 Key Point: Auditors must remain objective when offering advice or drawing conclusions during consulting
engagements.

 Impairments: If independence or objectivity impairments exist, either before or during the engagement, they
must be immediately disclosed to management.

3. Assurance Services After Consulting:

 Key Point: Objectivity may be compromised if assurance services are provided within one year of a formal
consulting engagement.

 Minimizing Impairment:

o Assign different auditors to each service.

o Establish independent management and supervision.

o Define separate accountability for each project.

o Disclose any presumed impairment.

4. Avoiding Unintended Management Roles:

 Caution: During ongoing or continuous consulting engagements, auditors should be careful not to assume
management responsibilities unintentionally.

 Original Objectives: Auditors should stick to the original objectives and scope of the engagement to avoid
conflicts.
Add Value

1. Understanding What Adds Value:

 Varies by Client: Value can differ based on the specific needs of the organization.

 External Auditor's Perspective: Sees internal audit as an additional internal control, which can reduce their
work if it operates effectively.

 Suppliers and Creditors: Rely on internal audit for assurance regarding the reliability and security of the
information systems connecting them with the organization.

2. What Internal Audit Customers Value (Based on Scope of Work):

Customer Focus Area Value

Audit Committee/Board Safeguarding assets, compliance, reliability of data Improve quality of information

Operating Management Effectiveness and efficiency of operations Agent of Change

3. Four Factors for Adding the Most Value (According to the IIA):

 1. Deep Knowledge of the Organization:

o Understanding the culture, key players, and competitive environment is crucial.

 2. Courage to Innovate:

o Being bold enough to introduce innovations that stakeholders might not expect or initially want.

 3. Broad Knowledge of Value-Added Practices:

o Staying informed about practices considered valuable by the internal audit profession.

 4. Creativity in Adaptation:

o Adapting innovations in ways that exceed stakeholder expectations and yield surprising results.

4. How Internal Audit Activity Adds Value:

 IIA Glossary Definition: Internal audit adds value by providing objective, relevant assurance and contributing
to the effectiveness and efficiency of governance, risk management, and control processes.

 Role as In-House Consultant:

o Assists the organization in effectively discharging responsibilities.

o Promotes cost-effective controls.

o Assesses risks and recommends measures to mitigate them.

5. Practice Advisory 2100-1 on Adding Value:

 Systematic, Disciplined Approach:

o Internal audit uses a structured approach to evaluate and improve the adequacy and effectiveness of
risk management, control, and governance processes.

 Purpose of Evaluation:

o Ensures that the organization’s risk management, control, and governance processes are functioning
as intended.

o Provides recommendations to improve the efficiency and effectiveness of the organization’s

operations.

Summary:
  Internal audit adds value by ensuring that key processes within the organization are functioning effectively,
providing stakeholders with reliable information, and serving as an agent of change. By understanding the
organization's unique environment and challenges, internal audit can innovate and adapt practices to exceed
stakeholder expectations. This approach not only safeguards assets and ensures compliance but also drives
continuous improvement and operational excellence.

Governance

1. Definition of Governance:

 Governance: The combination of processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of an organization to achieve its objectives.

2. Role of Internal Auditing in Corporate Governance:

 Informal Role: Internal auditing’s role in corporate governance is often informal, primarily involving
participation in meetings and discussions with the Board of Directors.

 Corporate Governance Structure:

o A mix of processes and organizational structures that the Board of Directors uses to guide and
monitor the organization’s resources, strategies, and policies.

 Four Pillars of Corporate Governance:

o 1. Internal Auditor: Ensures that governance processes are working effectively.

o 2. Board of Directors: Provides oversight and strategic direction.

o 3. Management: Executes day-to-day operations.

o 4. External Auditor: Offers independent assurance on financial statements and controls.

3. Internal Audit's Focus in Corporate Governance:

 Supporting the Audit Committee:

o Helps the Audit Committee of the Board of Directors fulfill its responsibilities effectively.

 Key Contributions:

o Reporting Internal Control Issues: Identifying and reporting critical internal control problems.

o Private Briefings: Informing the Audit Committee privately about the capabilities of key managers.

o Agenda Input: Suggesting questions or topics for the Audit Committee’s meeting agendas.

o Coordination: Working closely with the external auditor and management to ensure the Audit
Committee receives accurate and useful information.

Enterprise Risk Management (ERM)

1. Definition of ERM:

 Enterprise Risk Management (ERM): A process to identify, assess, manage, and control potential events or
situations to provide reasonable assurance regarding the achievement of the organization's objectives.

2. Designing Risk Management Processes:

 Tailored Approach: Risk management processes should be designed to fit the nature of an organization's
activities.

 Variability in Processes:

o Size and Complexity: Processes may vary based on the organization's size and complexity.
 o Formality: Can be formal or informal.

o Methodology: May be quantitative (data-driven) or subjective (based on judgment).

o Structure: Can be embedded within business units or centralized at the corporate level.

3. Role of Internal Audit in ERM:

 Key Resource: A well-functioning, adequately resourced internal audit activity is crucial for identifying risks
and recommending improvements in governance, risk management, internal controls, and operations.

 Unique Perspective: Internal auditors offer:

o Independence and Objectivity: Free from bias, offering a neutral perspective.

o Organizational Knowledge: Deep understanding of the organization.

o Consulting and Audit Principles: Expertise in applying sound audit and consulting practices.

4. Internal Auditors’ Contribution to ERM:

 Assurance and Consulting Roles:

o Assurance Role: Evaluating the effectiveness of ERM processes and providing objective
assessments.

o Consulting Role: Recommending improvements and supporting management in risk management.

 Scope of Internal Auditing:

o According to IIA Standards, the internal audit scope should encompass both risk management and
control systems.

This overview highlights the importance of ERM and the critical role internal auditors play in ensuring its effectiveness.
Their independent and knowledgeable approach makes them key contributors to managing risks and enhancing
organizational performance.

Control

1. Definition of Control:

 Control: Any action taken by management, the board, or other parties to manage risk and increase the
likelihood that the organization’s objectives and goals will be achieved.

2. Objectives of Controls:

 Safeguarding Assets: Ensuring that the organization’s assets are protected from loss, theft, or misuse.

 Effectiveness and Efficiency of Operations: Making sure that operations are functioning as intended and
achieving their goals.

 Reliability of Financial Reporting: Ensuring that financial reports are accurate, timely, and reliable.

 Compliance: Adhering to the company’s objectives, as well as applicable laws and regulations.

3. Types of Controls:

 Preventive Controls:

o Purpose: To deter undesirable events from occurring.

o Example: Implementing authorization procedures before processing transactions.

 Detective Controls:
 o Purpose: To identify and correct undesirable events that have already occurred.

o Example: Reconciling bank statements to catch discrepancies.

 Directive Controls:

o Purpose: To encourage or cause desirable events to occur.

o Example: Providing training programs to ensure employees follow best practices.

This summary outlines the key aspects of control within an organization, highlighting its importance in safeguarding
assets, ensuring operational efficiency, producing reliable financial reports, and maintaining compliance with laws and
regulations. Understanding these concepts will help you explain the role of controls effectively in your class recitation.

Systematic and Disciplined Approach

Purpose:

 Goal: To add value and improve operations by conducting internal assurance and consulting engagements in
a systematic and disciplined manner.

 Benefit: Prevents random actions that could lead to ineffective and inefficient audits.

Prerequisite:

 Planning: A well-defined plan of activities is essential to achieve the audit objectives. This involves a
thorough investigation and analysis of systems, controls, and records. Audit judgments must be evidence-
based to determine whether pre-determined criteria have been met.

Elements of a Systematic and Disciplined Approach:

1. Defined Audit Objectives:

o Clearly articulate what the audit aims to achieve.

2. Risk Analysis:

o Identify and assess risks to focus audit efforts on the most critical areas.

3. Audit Work Plan:

o Develop a detailed plan that outlines the steps and resources required to complete the audit.

4. Defined Audit Procedures:

o Establish specific procedures to be followed during the audit to ensure consistency and thoroughness.

5. Use of Technology:

o Leverage technology to enhance the efficiency and effectiveness of the audit process.

6. Independent Review of Audit Work:

o Conduct a review of the audit work by an independent party to ensure objectivity and quality.

7. Review of Conclusions with Management:

o Discuss audit findings and conclusions with management to ensure they understand the results and
implications.

This summary captures the essence of performing internal audits using a systematic and disciplined approach,
emphasizing the importance of planning, risk analysis, and evidence-based judgments to achieve audit objectives
efficiently and effectively.
Purpose of Internal Audit

1. Primary Purpose:

 Service Unit: Internal audit functions as a service unit designed to assist all levels of management in
effectively discharging their responsibilities. This aligns with the broader goal of adding value to the
organization.

2. Adding Value:

 Assurance and Consulting Services: Internal audit provides reasonable assurance to management that the
company’s resources are being managed effectively. It evaluates all business systems, processes,
operations, functions, and activities within the organization.

3. Comprehensive Scope of Internal Audit:

 Risk Management System: Ensures that the organization’s risk management system is effective in
identifying, assessing, and managing risks.

 Internal Control System: Confirms that the system of internal control is both effective and efficient in
safeguarding assets, ensuring accuracy in financial reporting, and supporting operational efficiency.

 Governance Process: Assesses the effectiveness of the governance process, focusing on:

o Establishing and Preserving Values: Ensuring that the organization’s core values are upheld.

o Setting Goals: Helping the organization define and pursue its objectives.

o Monitoring Activities and Performance: Overseeing the organization’s activities to ensure

alignment with objectives.

o Defining Accountability: Clarifying roles and responsibilities to ensure that individuals and teams
are held accountable for their actions.

This summary explains the primary purpose of internal audit, emphasizing its role in adding value to an organization
by supporting management through comprehensive evaluations of risk management, internal controls, and
governance processes.

Three Main Objectives of Internal Audit

1. Helping the Organization Achieve Its Objectives

o Definition: Business objectives are measurable targets set to achieve the organization's goals.

o Role of Internal Audit: Internal auditors help by aligning their audit objectives with the business
objectives, ensuring all efforts contribute to the overall goals.

o Categories of Business Objectives:

 Strategic Objectives: Focus on value creation and long-term goals.

 Operations Objectives: Ensure efficient and effective operations, focusing on performance

and profitability.

 Reporting Objectives: Ensure reliable internal and external reporting of both financial and
non-financial information.

 Compliance Objectives: Ensure adherence to laws and regulations.

o Background: These categories were established by COSO (Committee of Sponsoring Organizations

of the Treadway Commission), which focuses on risk management, internal control, and fraud
prevention.
 2. Evaluating and Improving the Effectiveness of Risk Management, Control, and Governance Processes

o Purpose: Internal audit assesses and enhances how well the organization manages risks, controls its
operations, and governs its processes.

o Activities Include:

 Asking managers and employees about processes

 Observing operations and procedures

 Reviewing resources and documentation

 Testing controls and analyzing data

 Gathering external verification from third parties

o Impact: By performing these activities, internal auditors help ensure the organization’s processes are
robust, reducing risks and improving performance.

3. Assurance and Consulting Activities Designed to Add Value and Improve Operations

o Function: Internal auditors provide both assurance and consulting services, helping management
improve business processes rather than just checking for compliance.

o Approach: Internal auditors act as partners to the business, identifying issues, suggesting
improvements, and aiding in problem resolution.

o Focus Areas: They cover all aspects of the organization, including financial and non-financial
activities, and are also proactive in preventing fraud.

Key Takeaways:

 Internal Audit’s Role: It’s not just about finding faults; it’s about enhancing the organization’s overall
effectiveness and efficiency.

 Holistic Approach: Internal auditors look at everything from strategy to compliance to ensure the
organization meets its goals.

 Value Addition: By focusing on improvement and partnership, internal auditors contribute significantly to the
organization’s success.

Relationship Between Auditing and Accounting

1. Difference Between Auditing and Accounting:

o Accounting:

 Involves collecting, classifying, summarizing, and communicating financial data.

 Focuses on measuring and reporting business events and conditions.

 Aims to condense large amounts of financial information into understandable reports.

o Auditing:

 Does not create or communicate financial data but reviews it for accuracy and propriety.

 Is analytical and investigative, focusing on verifying the reliability of accounting

measurements and assertions.

 Emphasizes proof and validation, providing assurance on the financial statements prepared
by accountants.

o Core Distinction:

 Accounting is about constructing financial records and reports.

  Auditing is about critically analyzing and providing an opinion on those records and reports.

2. Internal vs. External Auditors:

o Internal Auditors:

 Are part of the organization and provide continuous monitoring and assessment.

 Focus on evaluating the effectiveness of internal controls, risk management, and governance.

 Their objectives are set by professional standards, the board, and management.

 Serve primarily the organization’s management and board.

o External Auditors:

 Are independent of the organization and provide an objective opinion on its financial
statements.

 Focus on whether the financial statements fairly present the financial position and results of
operations according to generally accepted accounting principles (GAAP).

 Must maintain strict independence, with no ties or conflicts of interest with the organization
they audit.

o Key Differences:

 Independence: External auditors must be completely independent of the company they audit,
while internal auditors, though independent in their work, are employed by the company.

 Objective: Internal auditors focus on improving internal processes and controls, whereas
external auditors provide an opinion on the financial statements' accuracy and fairness.

3. Coordination Between Internal and External Auditors:

o Both internal and external auditors share a common interest in the effectiveness of internal financial
controls.

o Coordination between them enhances the efficiency and effectiveness of audit processes.

o Both adhere to professional standards and ethical codes set by their respective professional bodies.

o Main Distinctions in Scope and Objectives:

 Internal Auditors: Broader scope, focusing on all aspects of internal controls, risk
management, and governance.

 External Auditors: Narrower scope, primarily concerned with financial statement accuracy
and compliance with GAAP.

Key Takeaways:

 Auditing vs. Accounting: Accounting creates financial data; auditing reviews and verifies it.

 Internal vs. External Auditors: Internal auditors focus on continuous improvement and risk management
within the organization, while external auditors provide an independent assessment of financial statements.

 Collaboration is Key: Effective auditing involves coordination between internal and external auditors, each
playing distinct but complementary roles in ensuring the accuracy and reliability of financial reporting.

Aspect Internal Auditing External Auditing

Focus - Provides financial, operational, assurance, - Primarily attests to financial statements.

consultative, governance, computer, and
fraud-related services.
 - Focuses on future events by evaluating - Focuses on accuracy and understandability of
controls to ensure entity goals and objectives historical events in financial statements.
are met.

Management - Reports to executive management - Primarily reports to the audit committee on

administratively and functionally through the financials and internal controls.
Audit Committee.

- Builds relationships to identify and resolve

concerns timely.

Standards - Follows the IIA International Standards for - Governed by accounting and auditing
the Professional Practice of Internal Auditing. standards such as PFRS and PSAs.

Independence - Demonstrates organizational independence - Independent of the organization.

but is not independent of the organization.

- Employer-employee relationship exists,

making internal auditors independent only of
the activities audited.

Results - Identifies problems, makes - Meets statutory requirements and provides

recommendations, and facilitates resolution. necessary adjustments to ensure fairness in
financials.

- Audit Period: Continuously reviews - Audit Period: Reviews records supporting

activities. financial statements periodically, usually once a
year.

- As to Fraud: Directly concerned with fraud - As to Fraud: Incidentally concerned with fraud
prevention in any reviewed activity. prevention and detection in general, especially in
financial statements.

Types of Audit

1. Financial Audit

o Objective: External auditors evaluate financial statements to ensure they present a true and fair view
and comply with applicable accounting standards.

o Focus: Accuracy and fairness of financial reporting.

o Outcome: An independent opinion on the financial statements.

2. Compliance Audit

o Objective: Determine whether specific activities conform to contractual, regulatory, or statutory

requirements.

o Focus: Adherence to laws, regulations, standards, and policies.

o Outcome: Reports on whether the organization is complying with specified regulations.

o Specialization: Often conducted by individuals with legal expertise; does not evaluate the efficiency
of business processes.

3. Performance Audit (Operational Audit/Value for Money Audit)

o Objective: Evaluate the efficiency and effectiveness of organizational or business unit performance.

o Focus: Assessing how well resources are used to achieve objectives.

o Outcome: Recommendations for improving performance.

 o Role: Typically carried out by internal auditors in a consulting capacity.

4. Management Audit

o Objective: Provide an independent appraisal of managers' effectiveness and the corporate structure
in achieving entity objectives and policies.

o Focus: Identifying management weaknesses and recommending improvements.

o Outcome: Insight into management performance and suggestions for better management practices.

5. Environmental Audit

o Objective: Assess how well an organization is managing its environmental responsibilities.

o Focus: Safeguarding the environment by evaluating management control of environmental practices

and compliance with policies and regulations.

o Outcome: Recommendations for improving environmental performance and compliance.

6. Systems-Based Audit

o Objective: Focus on the functioning of the accounting system rather than the accuracy of accounting
records.

o Focus: Evaluation of controls and control systems within the accounting process.

o Outcome: Assurance that the accounting system is functioning as intended.

7. Risk-Based Audit

o Objective: Review the organization's risk management processes.

o Focus: How the organization identifies, manages, and mitigates risks, including the use of controls.

o Outcome: Assurance that risks are being effectively managed and mitigated.

Key Takeaways:

 Different Types of Audits: Each type of audit serves a unique purpose and focuses on different aspects of
an organization.

 Auditor Roles: The type of audit determines whether it will be conducted by internal or external auditors and
the specific skills required.

 Importance of Compliance and Performance: While some audits focus solely on adherence to rules and
regulations (compliance audits), others look at efficiency and value (performance audits).

 Environmental and Risk Considerations: Modern audits also consider environmental impacts and risk
management, reflecting broader organizational responsibilities and proactive risk strategies.

Internal Audit's Responsibility for Other/Non-Audit Functions

1. General Principle:

o Internal auditors should not accept operational responsibilities for activities they might later
audit. Doing so compromises their independence and objectivity, which are core to the internal audit
function.

o Practice Advisory 1130.A2-1 emphasizes that if internal auditors take on such operational roles,
they are not acting in their capacity as internal auditors.

2. Scenario of Management Requesting Non-Audit Functions:

o Management may sometimes request internal auditors to take on operational roles, especially when
resources are limited, and the organization is under pressure to "do more with less."
 o If management insists on such assignments, the Chief Audit Executive (CAE) must carefully review
the internal audit charter to identify any restrictions or guidelines related to auditors performing non-
audit functions.

3. Steps for CAE When Assigning Non-Audit Functions:

o Review Internal Audit Charter: The CAE should check the charter for any specific language or
restrictions on auditors performing non-audit roles.

o Disclosure and Discussion: If the charter contains restrictions, the CAE must disclose the situation
and discuss it with the board to ensure transparency and maintain trust.

o Minimizing Objectivity Impairment:

 If internal auditors do take on operational roles, the CAE should use a third party (such as
an external auditor or contractor) to perform the audit of that operation. This helps maintain
an objective stance and reduces conflicts of interest.

 Separate Responsibilities: Ensure that individuals who have taken on operational

responsibilities do not participate in any audits related to those operations. This separation
helps preserve audit integrity and objectivity.

Key Takeaways:

 Independence and Objectivity: Internal auditors must maintain independence and objectivity to perform their
role effectively. Taking on non-audit roles threatens these principles.

 Role of the CAE: The CAE plays a crucial role in navigating requests for non-audit functions, balancing
organizational needs with professional standards.

 Third-Party Involvement: Using external auditors or contractors can help maintain objectivity when internal
auditors are assigned operational roles.

 Transparency with the Board: Open communication with the board ensures that any potential conflicts of
interest are managed appropriately, preserving the integrity of the audit function.

The Institute of Internal Auditors (IIA)

1. Overview of The IIA:

o Established: 1941

o Headquarters: Altamonte Springs, Florida, United States

o Membership: Over 150,000 members worldwide

o Recognition: The IIA is globally recognized as the leader in the internal audit profession, providing
certification, education, research, and technological guidance.

2. Mission of The IIA:

o The IIA aims "to enhance and protect organizational value by providing risk-based and objective
assurance, advice, and insight." This mission highlights the focus on risk management, objective
assessments, and the provision of valuable advice to improve organizations.

3. Key Objectives of The IIA:

1. Knowledge Promotion:

 Cultivate and disseminate knowledge related to internal auditing and related subjects.

2. Standards of Integrity:

 Establish and uphold high standards of integrity, honor, and character among internal
auditors.
 3. Information Sharing:

 Provide members, interested persons, and the general public with information about internal
auditing practices and methods.

4. Publication of Articles:

 Publish articles on internal auditing practices, methods, and related subjects.

5. Facilities for Members:

 Establish and maintain libraries, reading rooms, and social spaces for the use of its members.

6. Member Networking:

 Promote social interaction among its members.

7. Lawful and Appropriate Actions:

 Undertake any lawful and appropriate activities that further the IIA's objectives.

4. Global Role:

o The IIA is the leading authority in internal auditing, providing certifications, education, research, and
technological guidance to its members.

o Areas of Focus: Internal auditing, risk management, governance, internal control, IT audit, education,
and security.

Key Takeaways:

 Global Leader: The IIA is the premier global organization for internal auditors, setting the standards for the
profession.

 Role of The IIA: The Institute of Internal Auditors serves as the global voice and authority for the internal
auditing profession, advocating for high standards and continuous improvement in the field.

 Comprehensive Mission: The IIA aims to enhance organizational value through objective assurance, advice,
and insight based on risk assessments.

 Broad Objectives: The IIA’s goals cover knowledge dissemination, maintaining high ethical standards,
fostering professional development, and promoting social and professional interaction among members.

 Educational and Advocacy Role: The IIA serves as both an educator and advocate for the internal audit
profession, providing essential resources and support to its members.

Professional Qualifications in Internal Auditing

1. Certified Internal Auditor (CIA) Program:

o Purpose: The CIA Program was established to help achieve the goals and objectives of The Institute
of Internal Auditors (IIA) by providing a globally recognized certification for internal audit professionals.

o Role of the IIA Board of Directors:

 Policy Development: The Board of Directors is responsible for developing, approving, and
modifying policies and procedures to support and promote the CIA Program.

 Recognition of Other Designations: While the CIA is the primary global certification, the IIA
recognizes that other organizations may have similar designations. The Board may approve
and recognize these certifications as appropriate.

 Additional Certifications: The Board can approve other certifications that align with the IIA’s
mission and objectives.

2. IIA’s Efforts to Professionalize Internal Auditing:

 o Common Body of Knowledge: The IIA has established a common body of knowledge outlining the
disciplines and competencies that internal auditors need to develop.

o Certification Program: The CIA certification requires passing an examination to demonstrate the
knowledge and skills necessary for effective internal auditing.

o Continuing Professional Education (CPE): The IIA administers a CPE program to ensure internal
auditors maintain and enhance their professional capabilities throughout their careers.

o Publications and Resources:

 Technical Journal: The IIA publishes "The Internal Auditor," a technical journal that provides
insights, research, and updates on internal auditing.

 Professional Practices Framework: This framework includes the definition of internal

auditing, the IIA Code of Ethics, Standards, Practice Advisories, and Development and
Practice Aids to guide internal auditors in their work.

3. Institute of Internal Auditors - Philippines (IIA-P):

o Primary Role: IIA-P is the leading association for internal auditors in the Philippines, focused on
developing and promoting internal auditing practices in the region.

o Commitment to Members and Profession:

 Education and Guidance: IIA-P serves as the principal educator for internal auditors in the
Philippines, providing training and guidance on emerging issues and trends.

 Professional Authority: IIA-P positions itself as the recognized authority on internal auditing
within the Philippines, leading the profession through advocacy, education, and standards
development.

o Role: The primary association of internal auditors in the Philippines.

o Commitment:

 Develop and promote the practice of internal auditing.

 Serve as the principal educator and provide professional guidance on emerging issues and
trends.

o Objectives:

 Member Support: Assist members in fulfilling their professional responsibilities and maintain
a professional organization.

 Professional Leadership: Be the recognized authority and leader in the internal auditing
profession.

4. Certified Internal Auditor (CIA) Designation:

o Global Recognition: The CIA is the only globally accepted certification specifically for internal
auditors, serving as the benchmark for competency and professionalism in the field.

o Program Benefits: Candidates who complete the CIA program gain valuable educational
experiences, knowledge, and practical tools that can be immediately applied in various organizational
and business environments. Enhances competency and demonstrates a high level of professionalism
in internal auditing.

Key Takeaways:

 CIA Program’s Importance: The CIA certification is vital for establishing professional credibility and
competence in internal auditing, recognized worldwide as the standard for internal audit professionals.
 IIA’s Role in Professional Development: The IIA actively promotes the professionalization of internal
auditing through certification, education, and the development of a comprehensive professional framework.

 IIA-P’s Role in the Philippines: The IIA-P focuses on enhancing the skills and knowledge of internal auditors
in the Philippines, ensuring they are equipped to meet local and global standards.

 Ongoing Learning: Continuous professional education and adherence to ethical standards are crucial for
internal auditors to maintain their skills and uphold the integrity of the profession.