CH01 Introduction to Internal Audit
1. Internal Audit vs. External Audit: purpose, authority, and responsibility
1) What is the scope of audit work?
2) Who does the auditor report to?
3) What are the main categories of services provided?
4) What is the purpose?
5) Who is the beneficiary of the audit work?
6) Who is the auditee?
7) What is the relationship between auditor and auditee?
8) What are the qualifications of the auditor?
9) What is the audit work plan based upon?
10) What determines the scope of the audit?
11) What is the first and foremost requirement of an external auditor, and why?
How about an internal auditor?
2. Examples of internal audit work
The preparation for scheduled external audit for public companies
Post-mortem diagnoses
The compliance of anti-money laundering law (GT)
The system security assurance of a private company (KPMG)
3. Main services: Assurance and Advisory (consulting)
4. What are Assurance Services?
1) Assurance services are an objective examination of evidence for the purpose of
providing an independent assessment on the processes of
Governance
Risk management
Control
for the organization (auditee)
i. Governance is the combination of processes and structures implemented by the
board to inform, direct, manage, and monitor the activities of the organization
toward the achievement of its objectives.
ii. Risk management is a process to identify, assess, manage, and control potential
events or situations to provide reasonable assurance regarding the achievement of
the organization’s objectives.
iii. Control is any action taken by management, the board, and other parties to
manage risk and increase the likelihood that established objectives and goals will
be achieved.
2) What is adequate Governance, Risk Management, and Control (GRC)?
i. When GRC provides reasonable assurance of achieving
objectives of the auditee.
ii. The most cost-effective measures are taken in the design and
implementation of controls to reduce risks and restrict expected
deviations to a tolerable level.
3) What does the CAE need to do about GRC?
i. Gain an understanding of the GRC processes:
a. Interview: BOD & Sr. Mgmt.
b. Understand the roles and responsibilities of BOD, Sr. Mgmt., and I/A
ii. Gain an understanding of the business and its frameworks
a. Review: organization’s mission, strategic plan, key objectives, related risks
and controls, and the minutes of the board
iii. Document in the internal audit charter
a. The roles and responsibilities of BOD, Sr. Mgmt., and I/A.
iv. Assess GRC
a. Process: maturity?
b. Persons responsible: seniority?
c. Organization: culture?
4) Examples of Assurance Services
i. Operational audits
ii. Financial audits
iii. Compliance audits
iv. Performance audits
v. System security audits
vi. Due diligence audits
I/A provides:
• Observations (findings)
• Conclusions and opinions
• Recommendations (action plan)
5. What are advisory services?
1) Add value and improve GRC through consulting
2) Nature and scope: subject to agreement with the client
3) Examples:
i. Counsel
ii. Advice
iii. Facilitation
iv. Training
v. Forensic