Chapter 14
Internal auditing
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-1
Learning objective 1:
The evolving nature of internal
auditing (IA)
• The traditional view of internal auditing is that it is
an independent appraisal function evaluating the
adequacy and effectiveness of other controls within
an organisation (controls orientation). (Refer
AUASB Glossary).
• This view is evolving in many organisations so that
internal audit is now seen as a service that
promotes understanding and provides confidence to
an organisation about risk exposures and control
strategies (risk orientation).
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-2
IIA definition of internal auditing
• ‘Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organisation’s operations. It
helps an organisation accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control and governance processes.’
–
The definition of internal auditing contained on the
Institute of Internal Auditors (IIA) website
<http://www.theiia.org>
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-3
Institute of Internal Auditors (IIA)
• Professional organisation, represented in
> 165 countries.
• Aim is to represent, promote and develop professional
practice of internal auditing.
• First established in Australia in 1952.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-4
Certified Internal Auditor (CIA)
• The IIA professional recognition is its Certified
Internal Auditor (CIA) qualification.
–
–
To be able to sit the CIA exam, a candidate must:
 Be a member of IIA
 Hold a Bachelor’s degree or equivalent
 Exhibit high moral and professional character
 Complete 24 months of internal audit experience
 Keep the contents of the exam confidential.
The CIA examination covers:
 The internal audit activity’s role in governance, risk and
control
 Conducting the internal audit engagement
 Business analysis and information technology; and
 Business management skills.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-5
Learning objective 2:
Current standards for internal auditor
(issued by IIA)
• The IIA is the global standard setter for internal
auditing.
• The International Professional Practices Framework
(IPPF) is issued by IIA.
• Purposes:
–
–
–
–
Delineate basic principles
Provide a framework for performing and promoting IA
activities
Establish the basis for the measurement of IA performance
Foster improved organisational processes and operations.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-6
International Professional Practices
Framework (IPPF)
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-7
Attribute and performance standards
The International IIA Standards consist of:
• Attribute standards (the 1000 Series):
– Address characteristics of organisations and
individuals performing IA activities.
• Performance standards (the 2000 Series):
–
Describe the nature of IA activities and provide
criteria against which performance of these
services can be measured.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-8
Current attribute and performance
standards of the IIA
Attribute standards
Performance standards
1000 Purpose, authority, and responsibility 2000 Managing the internal audit activity
1100 Independence and objectivity
2100 Nature of work
1200 Proficiency and due professional
care
2200 Engagement planning
1300 Quality assurance and improvement 2300 Performing the engagement
program
2400 Communicating results
2500 Monitoring process
2600 Resolution of senior management’s
acceptance of risks
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-9
Internal audit charter
• Attribute standard 1000 outlines that the purpose,
authority and responsibility of the internal audit
activity should be formally defined and set out in an
internal audit charter.
• The internal audit charter should:
–
–
–
Establish IA’s position within the organisation
Establish access to records, personnel and physical
properties relevant to the performance of engagements,
and
Define the scope of internal audit activities.
• This charter should be approved by the board of
directors.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-10
Independence and objectivity
(IIA standard 1100)
• Essential that IA is, and is seen to be, independent
•
•
•
•
of the area being audited.
IA department should report to board of directors
or audit committee.
Head of IA should have direct access to board
of directors.
Board should approve appointment or removal
of head of IA.
Management and Board should be aware of
work schedules, staff requirements and budgets
of IA department.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-11
Independence and objectivity (cont.)
–
Organisational independence is aided by:




–
Reporting to a level that allows IA to fulfill its responsibilities
Head of IA having direct access to the board
The board concurring with appointment or removal of head of
IA
Management and the board being kept informed.
Individual objectivity is aided by:





Audit staff assignments should be made to prevent possible
bias
IAs immediately reporting any conflicts of interest
Staff assignments being periodically rotated
IAs not assuming operating responsibilities
Persons should not audit those activities they previously
carried out until a reasonable period of time has elapsed.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-12
Proficiency and due professional care
• IIA Standard 1220 outlines that it is the internal audit
department’s responsibility to assign staff to each
audit who collectively possess the knowledge, skills
and other competencies needed to conduct the audit.
• The audit planning process should include a strategic
audit plan and a tactical audit plan.
• In undertaking their planning, the auditor should
consider the audit universe, which is an inventory of
audit areas that is compiled and maintained to identify
areas for audit during the audit planning process.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-13
Performance standards
• Require IAs to plan each audit; collect, analyse,
interpret and document information to support results;
report results; and take appropriate follow up action.
• Should also be a periodic report to the board on IA’s
purpose, authority, responsibility and performance
relative to its plan. Require IA to consider:
–
–
–
–
–
–
2000: Management of the IA department
2100: Evolving nature of IA work
2200: Engagement planning
2300: Performing the engagement
2400: Communicating results
2500- 2600: Monitoring progress and management’s
acceptance of risks.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-14
Learning objective 3:
The practice of internal audit
• The responses to the 2009 PricewaterhouseCoopers
survey of the current scope of IA work being
undertaken in the US, showed the most common
practices (in order) were traditional IA practices:
–
–
–
–
Financial audit
Operational audit
Compliance audit
IT audit
• Fraud was not specifically addressed in the 2009
survey.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-15
Learning objective 4:
The future of internal audit
• Major issues confronting IA include:
– Outsourcing of IA, especially to Big Four (Note that a
client cannot outsource IA to their external auditor in the
USA under the Sarbanes-Oxley Act)
– Difficulty in changing profile of the IIA, so that members
are seen to be more value adding than checking
– Expectations gap between chief executive officers and
internal audit managers
– Development of specialised IA groups; e.g. quality and
environmental auditors, and whether IIA can adequately
cater for these groups.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-16
Factors driving change
• Ability of IA to show that it adds value.
• Benchmarking of IA departments as a means of
assessing quality.
• Greater emphasis on corporate governance and risk
management in current environment, and IA’s
increasing role in these areas.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-17
Risk-related tasks of importance to IAs
• Provide advice about risk exposures and their
•
•
•
•
•
management
Raise awareness about risk exposures
Contribute to the improvement of risk management
systems
Provide ongoing assurance about the efficiency and
effectiveness of risk-management systems
Focus on those risk exposures associated with the
achievement of an organisation’s objectives
The services provided by IA will be related to the
management of risk exposures
–
Refer Exhibit 14.3 (p. 707)
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-18
Control-related tasks of importance
to IAs
• Provide advice about control strategies, structures and systems
• Raise awareness about risk exposures and related controls
• Contribute to improvement of control systems
• Provide assurance about efficiency and effectiveness of control
strategies, structures and systems
• Contribute enhanced understandings of different types
of control that can be used in organisations
• Focus on control as a facet of risk management
• The services provided by IA will be distinctly related
to management of risk exposures
–
Refer Exhibit 14.4 (p. 708)
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-19
Expected future relationship with
external auditors
• As both groups of auditors move to the risk
analysis approach, greater co-ordination between
IA and EA can be expected.
• Co-ordination aided by recent developments
in corporate governance, with audit committee playing
key co-ordination role.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-20
Learning objective 5:
Approaches to assessing risk management,
control and governance processes
• IA is expected to use similar approaches to assessing
risk management, control and governance processes
to those used by EA in evaluating business risk.
• There are two major frameworks that are used in
practice to guide this analysis:
–
In Australia and New Zealand, the framework outlined
under the standard AS/NZS 4360 Risk Management,
and
– Internationally, the Committee of Sponsoring
Organizations of the Treadway Commission (COSO)
Enterprise Risk Management (ERM) framework.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-21
AS/NZS 4360 Risk Management
• The emphasis in AS/NZS 4360 is on business risk
management.
• The main elements of the risk-management process
are as follows:
–
–
–
–
–
–
–
Establishing the context
Identity risk
Analyse risk
Evaluate risk
Treat risks
Monitor and review
Communicate and consult.
• For each stage of the process adequate records
should be kept, sufficient to satisfy independent audit.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-22
COSO Enterprise Risk Management
(ERM) framework
• Another framework that is gaining acceptance for
assessing risk and quality control in organisations is
the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) Enterprise Risk
Management (ERM) framework.
• Enterprise risk management (ERM) is a process
designed to identify potential events that may affect
the entity, to manage risks within the entity’s risk
‘appetite’ and to provide reasonable assurance
regarding the achievement of the entity’s objectives.
• There is a direct relationship between the entity’s
objectives and the ERM components, which represent
what is required in order to achieve those objectives.
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-23
The relationship of objectives and
components of COSO ERM framework
Copyright  2010 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett
14-24