Internal Auditing and Controls

Supplementary Lesson Notes – Module 2

Note: Supplementary Lesson Notes only provide brief discussions on topics covered in each
module. The notes are not substitutes for the recommended textbook and additional readings.
Students are required to complete all assigned readings to adequately prepare for classes.

Refer to your Course Textbook guide and Supplementary Readings for a list of assigned
readings.

2 Internal Auditing Standards

2.1 Overview

Internal Auditing, like accounting, is a self-governing profession. This means that the
standards for the profession are determined by the profession itself, not by government
or another outside body. Professional associations have standards to establish
performance expectations for their members, and they are able to enforce their
standards because membership is required in order to practice the profession.
In the profession of internal auditing, there is no requirement for membership in a
professional association. The largest professional association for internal auditing is the
Institute of Internal Auditors (IIA). The International Standards for the Professional
Practice of Internal Auditing (The Standards) are generally regarded as the most
accepted standards for internal auditing in Canada, the United States, and many other
countries. However the standards may not be applicable in every situation, which means
that internal auditors must use their own professional judgement. The standards
discussed in this learning material are those of the IIA. The relevant sections of the IIA
document are provided in parentheses in subheadings.

2.2 International Standards for the Professional Practice of Internal Auditing

The Standards are grouped into three levels, each of which comprise several individual
standards.

1 School of Business
© 2016, Southern Alberta Institute of Technology
 Internal Auditing and Controls

Attribute Standards address © 2015 SAIT Polytechnic

the high-level characteristics of
organizations and individuals
performing internal audit
services.
Performance Standards Attribute
address the nature of internal Standards
audit services to be provided
and provide quality criteria for Performance
measuring performance Standards
Implementation Standards,
Practice Advisories, Practice Implementation Standards, Practice
Guides, and Position Papers Advisories, Practice Guides, and
are more detailed. They Position Papers
address individual types of audit
engagements, interpret the
higher-level standards, and
outline the specific audit steps
to be taken.

2.3 Attribute Standards

There are five attribute standards:

1. Purpose, Authority, and Responsibility

2. Independence and Objectivity
3. Impairment to Independence and Objectivity
4. Proficiency and Due Professional Care
5. Quality Assurance and Improvement Program

2.3.1 Purpose, Authority, and Responsibility (1000 to 1010)

Standard 1000 states that “the purpose, authority, and responsibility of the internal audit
activity must be formally defined in a charter, consistent with the Standards, and
approved by the Board of Directors”. The charter should be in writing and approved by
senior management and the Board of Directors. Having the charter in writing helps to
avoid confusion, and helps establish the authority of the internal auditor.

2.3.2 Independence and Objectivity (1100 to 1130.C2)

Standard 1100 states that “the internal audit activity should be independent, and internal
auditors should be objective in performing their work.” Independence from the activities
being audited allows internal auditors to render impartial judgments. Objectivity is a
perspective that is neutral and free from undue influence.

To ensure independence, the Chief Audit Executive (CAE) must report to someone in
the organization with enough authority to ensure unrestricted audit coverage. The CAE

2 School of Business
© 2016, Southern Alberta Institute of Technology
 Internal Auditing and Controls

must also have direct access to the Board of Directors. Usually, the CAE reports to
senior management, and often, the CAE reports to both the Audit Committee and/or
Board of Directors. (Standard 2060: Reporting to Senior Management and the Board)

The Standards require internal auditors to be objective. Internal auditors should not be
placed in situations where they are, or where they appear to be unable to exercise
objective professional judgment.

2.3.3 Impairment to Independence and Objectivity

Standard 1130 requires that “if independence or objectivity is impaired in fact or

appearance, the details must be disclosed to appropriate parties.” Impairment can
include things like conflict of interest, restrictions on scope, limitations on resources,
restricted access to records or personnel, etc.

An internal audit is a staff function and the auditor must not have any authority over the
activities subject to audit. An internal auditor with a management role should not audit
activities within their area of management. If people are transferred to an internal audit
position from another department, they should not audit their old activities until a
reasonable length of time has passed (usually one year or more).

2.3.4 Identifying & Managing Threats to Objectivity

Internal auditors, like external auditors, must at times face challenges to their
independence and objectivity. Threats to auditor’s independence and objectivity as well
as mitigating factors that can help reduce the threats. IS Audit and Assurance Guideline
2003 Professional Independence discusses threats to auditor’s independence and
objectivity as well as mitigating factors that can help reduces the threats. IS Audit and
Assurance Guideline 2003 Professional Independence”

2.3.5 Proficiency and Due Professional Care (1200 to 1230)

Standard 1200 requires that “engagements … be performed with proficiency and due
professional care.”

The internal audit department should have the technical proficiency and educational
background needed to carry out the audit functions. Due professional care refers to the
care and skill that would be expected of a reasonably competent internal auditor. This
does not mean that internal auditors are infallible, but that they should exercise good
judgment and have appropriate knowledge and skills.

2.3.6 Quality Assurance and Improvement Program (1300 to 1322)

The attribute standards require that the CAE develop and continually maintain quality
assurance and improvement programs. The Standards require the internal audit
department to develop a quality assurance program that includes periodic internal and
external quality assessments. External assessments must be performed at least every
five years.
3 School of Business
© 2016, Southern Alberta Institute of Technology
 Internal Auditing and Controls

If the internal audit department is in full compliance with the Standards, audit reports can
contain the statement “conducted in accordance with the International Standards for the
Professional Practice of Internal Auditing.” This adds authority and respectability to the
audit report.

2.4 Performance Standards

There are seven performance standards:

1. Managing the Internal Audit Activity

2. Nature of Work
3. Engagement Planning
4. Performing the Engagement
5. Communicating Results
6. Monitoring Progress
7. Resolution of Management’s Acceptance of Risks

2.4.1 Managing the Internal Audit Activity (2000 to 2070)

This standard requires that the CAE effectively manage the internal audit activity to
ensure it adds value to the organization by ensuring that:

 The results of the internal audit activity’s work achieve the purpose and responsibility
included in the internal audit charter
 The internal audit activity conforms with the Definition of Internal Auditing and the
Standards
 The individuals who are part of the internal audit activity demonstrate conformance
with the Code of Ethics and the Standards

2.4.2 Nature of Work (2100 to 2130.C1)

This standard requires that the internal audit activity evaluate and contribute to the
improvement of governance, risk management, and control processes using a
systematic and disciplined approach.

Engagement Planning (2200 to 2240.C1)

Internal auditors must develop and document a plan for each engagement, including the
engagement’s objectives, scope, timing, and resource allocations. The standard
specified that the CAE is responsible for the establishment of a risk-based plan to
determine the priorities of the internal audit activity, consistent with the organization’s
goals.

Plan of engagements must be based on a documented risk assessment, undertaken

periodically, at least annually. The CAE must identify and consider the expectations of
senior management, the board and other stakeholders. The CAE should consider

4 School of Business
© 2016, Southern Alberta Institute of Technology
 Internal Auditing and Controls

accepting proposed consulting engagements with the potential to improve management

of risks, add value, and improve the organization’s operations

2.4.3 Performing the Engagement (2300 to 2340)

Internal auditors must identify, analyze, evaluate, and document sufficient information to
achieve the engagement’s objectives. Internal auditors must develop and document
work programs that achieve the engagement objectives.

Work programs are expected to include the procedures for identifying, analyzing,
evaluating, and documenting information during the engagement. The work program
must be approved prior to its implementation, and any adjustments approved promptly

2.4.4 Communicating Results

Internal auditors are required to communicate their opinions based on their findings to
management and authorized persons only. This is expected to be adequate, relevant
and conclusions and recommendations made should be communicated to authorized
persons such as the management, board or audit committee members only.

2.4.5 Monitoring Progress

The CAE must ensure the establishment of a process of following up with the
management’s action on the opinion and recommendations communicated to them.

2.4.6 Resolution of Management’s Acceptance of Risks

The CAE must conclude that management has accepted a level of risk that may be
unacceptable to the organization, as well as discuss the matter with senior management.
Where the matter has not been resolved, the CAE must communicate the matter to the
board. It’s not the responsibility of the CAE to resolve risks.

Identification of risk accepted by management may be observed through an assurance

or consulting engagement as well as monitoring progress on actions taken by
management as a result of prior engagements, or other means.

Each standard is supported by specific Implementation Standards, and Practice

Advisories.

It is very important to know and be able to apply each of the attribute and performance
standards. Although you don’t need to know the numbers of each standard, you should
be able to explain them in your own words.

2.5 Outsourcing Internal Audit

Outsourcing is a very common activity in most companies. Outsourcing allows the

company to focus on their core competencies by hiring an outside firm to perform those
activities (which are their core competencies).

5 School of Business
© 2016, Southern Alberta Institute of Technology
 Internal Auditing and Controls

Since few internal audit departments can be experts in every area, many outsource
some aspects of internal audits to an outside firm (typically one of the big accounting
firms or another company in the same industry). Some companies have outsourced their
entire internal audit function to outside suppliers.

2.5.1 Advantages of Outsourcing an Internal Audit

a) Outsourcing provides access to expertise that would not normally be available in-
house, access to leading-edge practices, increased subject matter and geographical
coverage, and increased flexibility.
b) External expertise helps in auditing relatively complex areas where few internal
auditors are sufficiently knowledgeable about the risks, opportunities, and
appropriate controls over such activities.
c) It can be less expensive to outsource to public accounting firms, as it is often
possible to schedule internal audit work to be done during the least busy times in the
public accounting firm’s schedule.
d) Outsourcing can enable companies to focus their audit activities. Some public
accounting firms have developed enterprise risk frameworks that can be used to
identify business risks. Staff from the firms who have developed the risk frameworks
can provide training in the use to internal audit staff.

2.5.2 Disadvantages of Outsourcing an Internal Audit

a) An outsourced auditor might have a lack of familiarity with the company and its
corporate culture or specific industry, so there will be a learning curve each time a
new consultant begins an assignment.
b) Outsourcing is not economical for routine, non-specialized assignments. Even if
costs are lower at the outset, it may increase over time.
c) Where a company relies extensively on external resources for internal auditing, they
may have difficulty responding to urgent management requests.

2.6 References

Institute of Internal Auditors (IIA). (2011). International Standards for the Professional
Practice of Internal Auditing. IIA Internal Auditing Standards Board. Accessed from:
http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/?
search=standards
IS Audit and Assurance Guideline 2003 Professional Independence. Assessed from:
http://www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-
Assurance/Pages/Guideline-2003-Professional-Independence.aspx

6 School of Business
© 2016, Southern Alberta Institute of Technology