INTERNAL AUDIT FRAMEWORK
1. A presentation by Ahmad Tariq Bhatti, FCMA, FPA, MA (Economics), BSc
Dubai, United Arab Emirates. 2nd Edition
2. Internal Audit Framework
3. WHAT? Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an organization's
operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control, and governance processes. [The Institute of
Internal Auditors, USA]
Remember: the definition of I/A provides comprehensive guidelines for the
framework of internal audit. It should always be kept in mind while I/A work
is being carried out. It helps in devising the complete internal audit approach.
4. WHY? The main objectives of I/A are to:
- provide assurance on the adequacy, efficiency and effectiveness of the whole control environment,
- advise at an early stage in the implementation of any system developments and amendments to processes,
- make recommendations in the formation of policies, procedures and controls, and
- note deviations from organizational policies, procedures and controls and recommend actions to mitigate the risks arising out of such deviations.
Further, I/A provides:
- assurance that the organization's values are preserved, and that rules, laws and regulations are complied with in their letter and spirit,
- assurance that financial statements and other information are accurate and reliable and that human, financial and other resources are managed efficiently and effectively,
- a wider anti-fraud and anti-corruption framework for a company,
- both feedback and feed-forward controls.
5. TYPES The following types of audits make up the framework of I/A:
- Compliance audit: To ensure compliance with rules, regulations and laws applicable to a company.
- Operational audit: To ensure efficient and effective conduct of operations of a company.
- Information system audit: To ensure proper functioning of the information system throughout the life of a business.
- Performance audit: To ensure the efficient use of resources to obtain the objectives of a company.
- Environmental audits: To ensure compliance with the environmental laws and regulations.
- Special assignments: These relate to investigations on fraud and corruption, or any other special service with the approval of the board.
6. INDEPENDENCE & OBJECTIVITY The internal
audit activity must be free from interference by any influence that hinders
the progress of work, including matters of audit selection, scope, procedures,
frequency, timing, or report content, to permit maintenance of a necessary
independent and objective mental attitude. Internal auditors should have no
direct operational responsibility or authority over any of the activities
audited. Accordingly, they will not implement internal controls, develop
procedures, install systems, prepare records, or engage in any other activity
that may impair internal auditors' judgment. Internal auditors must exhibit
the highest level of professional objectivity in gathering, evaluating, and
communicating information about the activity or process being examined.
Internal auditors must make a balanced assessment of all the relevant
circumstances and not be unduly influenced by their own interests or by
others in forming judgments. The Chief Audit Executive (CAE) should confirm to
the board, at least annually, the organizational independence of the internal
audit activity. An approved internal audit charter and a competent audit
committee may protect the independence of the internal audit activity.
7. ASSURANCE & CONSULTING ACTIVITY
Assurance services are the services that improve the quality of information
about the processes, effectiveness of controls, reliability of information,
compliance with the statutory framework, and efficiency and effectiveness of the
operations being carried out. Consulting services means that, apart from
highlighting problems, internal auditors provide quality solutions to the
problems. It is very much a value-adding service.
Remember: internal auditors do not implement their recommendations.
Implementation of solution alternatives is the sole responsibility of the
management. The I/A's powers pertain to recommendations only.
- The internal auditors should set up a mechanism to monitor objectivity in every assurance and consulting activity.
- Prompt actions must be taken to prevent potential loss to objectivity.
- The internal auditors should review the potential loss and impairment to their independence during and after the work, by any action of the management.
8. ROLE IN GOVERNANCE PROCESS Management
is primarily responsible for overall risk management. Internal audit activity
assesses risks embedded in all functions across all the departments of a
company and recommends controls to mitigate them. The purpose is to
eliminate all risks in the system. The successful elimination of all risks
ensures efficient and effective accomplishment of business plans and
guarantees business success. Management has a key role to play in the
development and implementation of the control system. The assessment of the
risks by the internal auditors provides refinement to the process of control
systems. The reinforcement of controls upon the recommendation of the
internal auditors helps a company in improving the effectiveness of risk
management, control system and governance process.
9. AUDIT COMMITTEE An audit committee is an
arm of the board of directors, generally composed of 3 to 5 members of the
board, with a chairperson selected from among the committee members. The
members should be board members and outsiders, i.e. individuals who are
neither employees nor part of management. The audit committee has an
oversight responsibility for internal and external audit functions. The audit
committee acts as an independent check on management and helps the
users of external financial statements in assuring that financial statements
accurately portray the business activities of a company, that an effective
internal control system is in place and, further, that all laws and regulations
are complied with by the company.
10. INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK (IPPF)
Mandatory Guidance:
- Definition of I/A
- Code of Ethics
- The standards
Strongly Recommended Guidance:
- Position Papers (PPs)
- Practice Advisories (PAs)
- Practice Guides (PGs)
11. THE STANDARDS Internal auditors carry out
their work in accordance with the given set of rules, guidelines, regulations
and standards. These standards, provided by the Institute of Internal
Auditors, USA, are known as the International Standards for the Professional
Practice of Internal Auditing (the standards). The standards provide guidance
on assurance and consulting activities of an internal auditor. The application
of these standards is mandatory for internal auditors during their work.
The following are the types of the standards:
- Attribute Standards pertain to the company and team/staff performing the audit work.
- Performance Standards are about the nature of internal auditing and provide quality criteria for the performance of the work.
- Implementation Standards provide guidance for each attribute or performance standard to be applicable to assurance (A) or consulting (C) activity.
12. AUTHORITY The staff of the Internal Audit
Department report to the CAE, who reports to the Audit Committee or the board
directly. The CAE has full and free access to the audit committee or the board for
discussion and resolution of all matters and issues pertaining to his work. For
administrative purposes, the CAE may report to the CEO/GM but for functional
purposes shall always report to the audit committee or the board directly.
Internal audit is fully authorized to:
- Have complete and unrestricted access to records, personnel, and physical properties/assets relevant to the performance of the I/A engagement.
- Delegate duties, allocate resources, select the team, determine the scope of work, budget time & cost, and select the required techniques/procedures to accomplish objectives.
- Obtain necessary assistance of personnel in the audited company and other specialized services within or outside the organization.
Internal audit staff is not authorized to:
- Perform any operational duties for a company.
- Initiate or approve accounting transactions external to the Internal Audit Department.
- Direct the activities of any department's employees not employed by the Internal Audit Department, except those who have been assigned to assist the audit team.
13. RESPONSIBILITY The CAE normally performs the following responsibilities:
- Provide an annual assessment of the effectiveness of the company's controls in managing all risks and activities.
- Identify and assess potential risks to the operations during a particular year.
- Review the adequacy of controls established to ensure compliance with policies, plans, procedures, management guidelines, and business objectives.
- Provide periodic information on the status of the annual audit plan and the sufficiency of the Internal Audit Department's resources.
- Present a periodic (say monthly/quarterly) report to the audit committee.
- Assess the reliability and security of the information produced from the financial, management, and operations systems of the company.
- Assess the means of safeguarding assets and resources.
- Review established procedures & systems and propose improvements.
- Appraise the use of resources with regard to economy, efficiency and effectiveness.
- Follow up recommendations to make sure that effective remedial action is taken.
14. RESPONSIBILITY (continued)
- Carry out appraisals, investigations, or reviews requested by the management.
The CAE and staff of the Internal Audit Department, in the discharge of their duties, have the responsibility to:
- Develop an annual audit plan based on comprehensive risk assessment, including risks identified by the management.
- Submit the annual audit plan to the audit committee or the board for approval.
- Implement the annual audit plan as approved, including special requests by management.
- Issue periodic reports to the audit committee summarizing the results of the audit.
- Coordinate with and provide oversight of other controls and monitoring functions related to risk management, compliance, security, ethics, and environmental issues.
- Assist in the investigation of suspected fraudulent activities within the organization upon request made from management.
- Consider the scope of work of the external auditors and regulators to provide wider audit coverage.
- Consider the scope of work required of external service providers or consultants.
15. CONTROL ENVIRONMENT The philosophy,
attitude and actions of the board and management regarding the importance
and existence of a control system within the organization define the control
environment. The control environment provides the discipline and structure
for the achievement of the primary objectives of the system of internal
controls. The control environment includes the following elements:
- Integrity & ethical values,
- Management's philosophy & operating style,
- Organizational structure,
- Assignment of authority & responsibility,
- Human resource policies & practices, and
- Competence of personnel.
N.B.: External auditors consider the internal audit framework as a component of
the control environment.
16. FRAUD DETERRENCE Managing the risk of
fraud and corruption is the responsibility of management. Audit procedures
alone, even when performed with due professional care, cannot guarantee
the detection of fraud, corruption or illegal practices. Internal auditors do not
have responsibility for the prevention or detection of fraud and corruption.
Internal auditors will, however, be alert in all their work to risks and
exposures that could allow them to find fraud or corruption. Internal auditors
may be requested by management to assist in fraud examination work.
17. SCOPE The scope of internal auditing
encompasses, but is not limited to, the examination and evaluation of the
adequacy and effectiveness of the organization's governance, risk
management, and internal process as well as the quality of performance in
carrying out assigned responsibilities to achieve the organization's stated
goals and objectives. This scope of I/A generally includes the following:
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
18. INTERNAL AUDIT CHARTER According to the
standards, the purpose, scope, authority and responsibility must be clearly
mentioned in an internal audit charter. A typical internal audit charter
outlines the following information:
1. Mission
2. Scope
3. Responsibilities of management
4. Responsibilities of internal auditors
5. Relationship with external auditors
6. Status of internal auditors
7. Authority of internal auditors
8. Reporting
9. Conclusion
N.B.: The internal audit charter must be reviewed on a periodic basis and should
be approved by the board. It helps a lot in the conduct of work. For all special
assignments, approval should be taken from the board.
19. ANNUAL AUDIT PLAN In cooperation with the senior management, perform
the following:
- Conduct a preliminary risk assessment by utilizing a group interview.
- Gather top management input on the preliminary risk assessment.
- Prepare a Draft Annual Audit Plan based upon the results of the risk assessment process.
- Obtain the formal approval of the Audit Committee or the board.
This plan will be subject to reviews during the course of audit
work to ensure that the focus continues to be on the higher risk areas. In
addition, the need to conduct special assignments requested by the Audit
Committee and senior management may also require the deferral of planned
audit work. Additional work may require additional staff and the help of a
specialist or consultant coming from outside the company.
N.B.: The approval of the audit committee suffices; however, where no audit
committee exists, approval of the board should be taken.
20. COMMUNICATION OF I/A PLAN
- Distribute the annual audit plan to senior management.
- Keep senior management informed of all changes made to the annual audit plan.
- Ensure that management is informed about the internal audit work at least a month prior to starting the work. Note that special assignments may require different procedures involving little or no notification to management.
- If there is any special assignment going parallel with the normal audit work, intimation should be made about the time frame for the completion of the additional assignment to the audit committee and management.
- If there is need for additional persons in the team because of additional work, raise the requisition at the most appropriate time.
21. INTERNAL AUDIT PROCESS FOR ALL BUSINESSES
22. PLANNING
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the organization's risk management processes.
- Evaluating the quality of performance of external auditors and the degree of coordination required with internal audit work.
- Performing consulting and advisory services related to governance, risk management and control as appropriate for the company.
- Reporting periodically on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board.
- Evaluating specific operations/activities/processes at the request of the board or management, as appropriate.
23. PERFORM AUDIT FIELDWORK
- Carry out fieldwork as indicated in the annual audit plan.
- Obtain cooperation from the management and the staff as necessary to identify, obtain documentation and conduct interviews, etc.
- Conduct fieldwork with minimal disruption to operations of the company being audited.
- Build a friendly environment with the management.
24. RISK COMPOSITION Internal audit has a
responsibility to cover financial, operational, information system,
legal/regulatory and all other risks that may have a significant impact on the
business of an entity.
25. RISK MANAGEMENT PROCESS
- Risk identification
  - Expert interviews with management personnel
  - Risk assessment meetings with the relevant persons
  - Review of previous risk assessment working papers by the I/A department
  - Filling detailed questionnaires for adequate existence of internal controls
  - Ensuring the appropriateness of these questionnaires in alignment with the operations of the company
  - Carefully reviewing the results of internal audit questionnaires and marking red flags where serious control violations are found
  - Reviewing management working papers for risk assessments made by them
  - Reviewing system descriptions available from management and from available manuals for operations, financial controls and accounting, and noting down risks, weak controls or absence of controls
- Risk qualification & prioritization
- Risk monitoring
- Risk mitigation & avoidance
26. RISK MANAGEMENT PROCESS
- Risk identification
- Risk qualification & prioritization
  Once risks are identified, it is important to determine the probability and
  impact of each risk on the efficient and effective conduct of the business
  activities. Risks which are more likely to occur and have a significant
  impact on the business will be the highest priority risks, while those which
  are more unlikely or have a low impact will be a much lower priority. This is
  usually done with a probability impact matrix. Once the risks are assigned a
  probability/impact and placed in the appropriate position on the chart, the
  auditor moves the process to the next step: risk monitoring.
- Risk monitoring
- Risk mitigation & avoidance
27. RISK MANAGEMENT PROCESS
- Risk identification
- Risk qualification & prioritization
- Risk monitoring
  Normally each control is assigned a number, say 1 to 5, with 1 showing the
  lowest strength and 5 showing the highest strength of a control. Internal
  audit assigns these numbers to each control. After all controls are marked
  with these numbers, an average is taken by adding all the numbers and
  dividing the sum by the number of controls. The number obtained defines the
  overall strength of the set of controls being examined. Based on the overall
  strength of controls, the extent of work is calculated.
- Risk mitigation & avoidance
28. RISK MANAGEMENT PROCESS
- Risk identification
- Risk qualification & prioritization
- Risk monitoring
- Risk mitigation & avoidance
  Once risks have been qualified, the team must determine how to eliminate
  those risks which have the greatest probability and impact on the business.
  This section explains the considerations which must be made and the options
  available to the management in mitigating and avoiding these risks. The
  internal auditor shall exercise his judgment as to how he can eliminate the
  risks identified during the process. After the examination is completed, he
  shall recommend to management in writing to follow certain procedures that
  shall ensure elimination of risks.
29. Risk Register The purpose of risk
management is to proactively establish programs and processes that support
business objectives while protecting the organization's assets (its employees,
property, income and reputation) from loss or harm, at the lowest possible
cost. The risk register will help the organization record the following risk
management information:
- Type of risk, who raised it and how it could affect the organization.
- Likelihood of the risk occurring and its potential impact to the organization.
- Risk priority, based on its effect on the organization.
- Actions taken to prevent the risk from happening.
- Risk mitigation/reduction actions taken in case the risk does occur.
Robert E. Higgins, CIC, CRM
30. Components of Risk Register
- Date: As the risk register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.
- Risk number: A unique identifying number for the risk.
- Risk description: A brief description of the risk, its causes and its impact.
- Existing controls: A brief description of the controls that are currently in place for the risk.
- Consequence: The consequence (severity or impact) rating for the risk, using scales (e.g., 1-5, with 5 being most severe).
- Likelihood: The likelihood (probability) rating for the risk, using scales (e.g., 1-5, with 5 being most likely).
- Overall risk score: Determined by multiplying likelihood (probability) times consequence (impact) for a scale ranging from 1 to 25.
- Risk ranking: A priority list which is determined by the relative ranking of the risks by their overall risk score.
- Risk response: The action which is to be taken if the risk occurs.
- Trigger: Something which indicates that a risk is about to occur or has already occurred.
- Risk owner: The person whom the project manager assigns to watch for triggers, and manage the risk response if the risk occurs.
Robert E. Higgins, CIC, CRM
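The register components in slide 30, together with the control-strength average from slide 27, can be expressed as a small data model; this is an added example, not part of the original presentation. The field names, the tie handling (equal scores share a rank), the re-rating method and the sample risks are assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

SCALE = range(1, 6)  # the 1-5 rating scale used on the slides


def _check(name: str, value: int) -> None:
    if value not in SCALE:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def overall_control_strength(ratings: list[int]) -> float:
    """Slide 27: average of per-control ratings (1 = weakest, 5 = strongest)."""
    if not ratings:
        raise ValueError("no controls were rated")
    for rating in ratings:
        _check("control rating", rating)
    return sum(ratings) / len(ratings)


@dataclass
class Risk:
    number: str              # unique identifying number
    description: str         # the risk, its causes and its impact
    existing_controls: str
    consequence: int         # 1-5, 5 = most severe
    likelihood: int          # 1-5, 5 = most likely
    response: str            # action to take if the risk occurs
    trigger: str             # sign that the risk is occurring or about to
    owner: str
    identified: date
    modified: Optional[date] = None

    def __post_init__(self) -> None:
        _check("consequence", self.consequence)
        _check("likelihood", self.likelihood)

    @property
    def score(self) -> int:
        # Overall risk score: likelihood x consequence, range 1 to 25.
        return self.likelihood * self.consequence


class RiskRegister:
    def __init__(self) -> None:
        self._risks = {}

    def add(self, risk: Risk) -> None:
        if risk.number in self._risks:
            raise ValueError(f"risk number {risk.number} is not unique")
        self._risks[risk.number] = risk

    def rerate(self, number: str, *, consequence: int, likelihood: int, on: date) -> None:
        """The register is a living document: re-rating records the modification date."""
        _check("consequence", consequence)
        _check("likelihood", likelihood)
        risk = self._risks[number]
        risk.consequence, risk.likelihood, risk.modified = consequence, likelihood, on

    def ranking(self) -> list[tuple[int, Risk]]:
        """Priority list by overall score; equal scores share a rank (assumption)."""
        ordered = sorted(self._risks.values(), key=lambda r: (-r.score, r.number))
        ranked, rank, previous = [], 0, None
        for risk in ordered:
            if risk.score != previous:
                rank, previous = rank + 1, risk.score
            ranked.append((rank, risk))
        return ranked


def sample_register() -> RiskRegister:
    """Constructed sample entries, not taken from the presentation."""
    day = date(2024, 1, 15)
    rows = [
        ("R-001", "Privileged access to the finance system is not reviewed", 5, 4),
        ("R-002", "Backup restores are never tested", 3, 2),
        ("R-003", "Supplier invoices approved without segregation of duties", 4, 5),
        ("R-004", "Visitor log kept on paper only", 2, 1),
    ]
    register = RiskRegister()
    for number, description, consequence, likelihood in rows:
        register.add(Risk(number, description, "see working papers", consequence,
                          likelihood, "escalate to risk owner", "exception report",
                          "Audit Manager", day))
    return register


if __name__ == "__main__":
    for rank, risk in sample_register().ranking():
        print(rank, risk.number, risk.score, risk.description)
```
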
31. Risk Register Template
<Company Name> File No.: <xxx>
Risk Register for the year ending on... <Date>
Audit Manager: <Name>
Audit Scope: <A brief description of the scope of the work>
Rating for Likelihood and Seriousness for each risk:
- L: Rated as Low
- M: Rated as Medium
- H: Rated as High
- E: Rated as Extreme (Used for Seriousness only)
- NA: Not Assessed
Grade: Combined effect of Likelihood/Seriousness
| Likelihood \ Seriousness | Low | Medium | High | EXTREME |
|---|---|---|---|---|
| Low | E | D | C | A |
| Medium | D | C | B | A |
| High | C | B | A | A |
32. Recommendations
| Grade | Risk Mitigation Actions |
|---|---|
| A | Mitigation actions to reduce the likelihood and seriousness to be identified and implemented as soon as the project commences. |
| B | Mitigation actions to reduce the likelihood and seriousness to be identified and appropriate actions implemented during project execution. |
| C | Mitigation actions to reduce the likelihood and seriousness to be identified and costed for possible action if funds permit. |
| D | To be noted - no action is needed unless grading increases over time. |
| E | To be noted - no action is needed unless grading increases over time. |
33. Examples of Risk Rating
| # | Description of Risk (Identify consequences) | Likelihood | Seriousness | Grade | Change | Mitigation Actions | Responsible Officer | Cost |
|---|---|---|---|---|---|---|---|---|
| 1.1 | Inadequate funding to complete the project | M | M | B | New | Re-scope project, focusing on time and resourcing | Project Manager | NA |
| 1.2 | Lack of technical skills in partner | H | H | A | | Develop training plan | Consultant | 2000 |
| 1.3 | Too much dependence on the work of subcontractors | H | H | A | | Written Assurance from partner | Partner | NA |
34. REPORT RESULTS
- Share important and sensitive findings with responsible managers immediately upon verification; short memo reports may be used in this process of communication.
- Make notes of the comments/responses of the management/personnel on all observations discussed with them.
- Prepare a first draft of the final report and discuss it with responsible managers immediately following the fieldwork.
35. FINALIZE AUDIT WORK
- Schedule an exit meeting after management has received the first draft of the audit report; this meeting will provide the opportunity for management to discuss findings, conclusions, and recommendations with the auditor.
- During or immediately after the exit meeting, I/A requests management to provide their responses to the auditor's findings and recommendations, either in writing or in sufficient detail for the auditors to capture them and reduce them to writing in the final draft report.
36. REVIEW FINAL REPORT
- Send the final draft of the audit report to management and discuss the changes they suggest.
- After processing changes, issue the final report to the distribution as indicated on the cover letter to the report.
Note: All reports contain an executive summary which provides in a short form
the observations, risks, recommendations, management responses, and the
auditor's conclusion on his work.
37. FINAL REPORT
- Issue the final report to the management.
- Prepare a checklist of issues to be discussed with the management in the next period's audit.
- Write down the comments of the management on the audit report.
38. FOLLOW UP
- At the completion of each audit, the auditor will send an evaluation survey form to the clients of the audit. This form should be completed and returned to the Office of Internal Audit, in order to ensure continuous improvement of these procedures and the internal audit function.
- Approximately six months following completion of each audit, the auditor will conduct a follow-up review to verify the completion of agreed-upon management actions and ascertain the status of open recommendations.
- A follow-up report will be generated annually for distribution to senior management and members of the Audit Committee.
39. AVOID PITFALLS Richard Chambers, CIA, has
shared his experience about the failure of internal audit assignments. He has
mentioned 6 main reasons for the failure of internal audit. They are as given
below:
1. Not setting aside enough time to properly plan the audit work. Proper planning is the glorious road to successful audit work.
2. Trying to audit too much; be relevant to risk. Keep one eye on the relevance of the work being done to the overall objectives of the audit.
3. Not involving the client or the auditee personnel.
4. Failing to augment the audit team with functional expertise.
5. Forgetting that the audit should ultimately add value.
6. Forgetting to follow the risks. New risks may emerge during the progress of audit work. Change the work plan according to them.
40. Internal vs. External Auditing
| # | Internal Audit | External Audit |
|---|---|---|
| 1 | Internal auditors are appointed and removed by the management of the company at any time. | External auditors are appointed and removed by the shareholders directly during the AGM. |
| 2 | The scope of I/A is much broader and covers all risks to a business entity. | The scope of E/A is specified in the terms of reference signed with the company. |
| 3 | The objective of I/A is to help management in risk management and add value by creating efficiency in systems and finally obtain the objectives of a business entity. | The objective of E/A is to report on the truth and fairness of the financial statements by examining underlying records and based on the evaluation of evidence gathered during the work. |
| 4 | Internal auditors report to the audit committee. | External auditors report to the shareholders' representatives, the members on the board of directors. They directly interact with members while sitting in the AGM or EGM. |
| 5 | The report of internal auditors is shared with management via the audit committee. | The report of external auditors is shared with the shareholders and, after being published, is shared with the public in the case of a listed company having share capital from the public. |
41. CODE OF ETHICS - FOR INTERNAL AUDITORS AS GIVEN BY THE IIA, USA
42. PRINCIPLES The internal auditors are expected to apply and uphold the following principles:
- Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
- Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
- Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
- Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
43. RULES OF CONDUCT
1. Integrity. Internal Auditors:
- Shall perform their work with honesty, diligence, and responsibility.
- Shall observe the law and make disclosures expected by the law and the profession.
- Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
- Shall respect and contribute to the legitimate and ethical objectives of the organization.
2. Objectivity. Internal Auditors:
- Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
- Shall not accept anything that may impair or be presumed to impair their professional judgment.
- Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
44. RULES OF CONDUCT (continued)
3. Confidentiality. Internal Auditors:
- Shall be prudent in the use and protection of information acquired in the course of their duties.
- Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
4. Competency. Internal Auditors:
- Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
- Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.
- Shall continually improve their proficiency and the effectiveness and quality of their services.
45. INTERNAL AUDIT - OFFICIAL TERMINOLOGY AS PROVIDED BY THE IIA, USA
46. Official terminology
1. Add Value: The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.
2. Adequate Control: Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization's risks have been managed effectively and that the organization's goals and objectives will be achieved efficiently and economically.
3. Assurance Services: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
4. Board: A board is an organization's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.
5. Charter: The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.
47.
6. Chief Audit Executive: Chief audit executive describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title of the chief audit executive may vary across organizations.
7. Code of Ethics: The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.
8. Compliance: Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
9. Conflict of Interest: Any relationship that is, or appears to be, not in the best interest of the organization. A conflict of interest would prejudice an individual's ability to perform his or her duties and responsibilities objectively.
10. Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
11. Control Processes: The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.
48.
12. Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
13. Control Environment: The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: Integrity and ethical values. Management's philosophy and operating style. Organizational structure. Assignment of authority and responsibility. Human resource policies and practices. Competence of personnel.
14. Control Processes: The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.
15. Engagement: A specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
16. External Service Provider: A person or firm outside of the organization that has special knowledge, skill, and experience in a particular discipline.
49.
17. Engagement Objectives: Broad statements developed by internal auditors that define intended engagement accomplishments.
18. Engagement Work Program: A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.
19. Fraud: Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
20. Governance: The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
21. Impairment: Impairment to organizational independence and individual objectivity may include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).
22. Independence: The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
23. Information Technology Controls: Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
50.
24. Information Technology Governance: Consists of the leadership, organizational structures, and processes that ensure that the enterprise's information technology supports the organization's strategies and objectives.
25. Internal Audit Activity: A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.
26. International Professional Practices Framework (IPPF): The conceptual framework that organizes the authoritative guidance promulgated by The IIA. Authoritative Guidance is comprised of two categories: (1) mandatory and (2) strongly recommended.
27. Must: The Standards use the word "must" to specify an unconditional requirement.
28. Objectivity: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.
29. Risk Appetite: The level of risk that an organization is willing to accept.
30. Risk Management: A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
51.
31. Should: The Standards use the word "should" where conformance is expected unless, when applying professional judgment, circumstances justify deviation.
32. Significance: The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.
33. Residual Risk: The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.
34. Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
35. Standard: A professional pronouncement promulgated by the Internal Audit Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance.
36. Technology-based Audit Techniques: Any automated audit tool, such as generalized audit software, test data generators, computerized audit programs, specialized audit utilities, and computer-assisted audit techniques (CAATs).
52. LIST OF INTERNAL AUDIT SOFTWARE FOR ALL KINDS OF BUSINESSES
53.
# | Software name | Website
1 | TeamMate | http://www.teammatesolutions.com
2 | Compliance 360 | http://www.compliance360.com
3 | MetricStream Internal Audit Management Software Solution | http://www.metricstream.com
4 | Audit Management Software - MKinsight | http://www.mkinsight.com
5 | Methodware | http://www.methodware.com
6 | easy2comply Internal Audit Management software | http://www.easy2comply.com
7 | Barnowl Internal Audit | http://www.barnowl.co.za
8 | Cura Audit | http://www.curasoftware.com
9 | Enterprise GRC For Internal Audit | http://accelus.thomsonreuters.com
10 | RSA Archer Audit Management | http://www.emc.com
11 | TrackWise audit management software | http://www.spartasystems.com
12 | Enablon IA - Internal Audit | http://enablon.com
54.
# | Software name | Website
13 | Symbiant Tracker | http://www.symbiant.co.uk
14 | ACL | http://www.cqs.co.za
15 | Mega internal audit management solution | http://www.mega.com
16 | Galileo Audit Management | http://www.horwathsoftware.com
17 | BPS Resolver's GRC Suite | http://www.bpsresolver.com
18 | IBM OpenPages Internal Audit Management | http://www-142.ibm.com/software
19 | RSM TENON | http://www.rsmtenon.com/Services/Internal-Audit/Internal-Audit-Tools.aspx
20 | Intelex's Audits Management Software | http://www.intelex.com
21 | Rivo's web-based, Audit | http://www.rivosoftware.com
22 | KMI's Audit & Inspection module | http://www.kminnovations.com
23 | Accusystems - Bank Audit Preparation | http://www.accusystem.com
24 | Aline | http://www.align-alytics.com
55.
# | Software name | Website
25 | Infor Approva Continuous Monitoring | http://www.infor.com
26 | Bulldog Tax Audit - Bulldog Tax Audit | http://www.bulldogtaxaudit.com
27 | CCH - CCH TeamMate | http://www.cchgroup.com
28 | CMO Compliance | http://www.cmocompliance.com
29 | Complyant | http://www.complyant.com
30 | ComplianceAnalyzer | http://www.complianceease.com
31 | Cornerstone OnDemand - Cornerstone Compliance Management Software | http://www.cornerstoneondemand.com
32 | Dakota Software - Dakota Auditor | http://www.dakotasoft.com
33 | Datawatch - Monarch Professional | http://www.datawatch.com
34 | Enterprise Auditor | http://www.ecora.com/Ecora
35 | AuditXL | http://www.solutionsforbusinessmanagement.com
36 | EZ-R Stats Audit Commander | http://www.ezrstats.com
37 | UMT Audit Software | http://www.laubrass.com
56. ABBREVIATIONS
# | Abbreviation | Description
1 | AGM | Annual General Meeting
2 | I/A | Internal Audit
3 | CAE | Chief Audit Executive
4 | CEO | Chief Executive Officer
5 | Deptt. | Department
6 | E/A | External Audit
7 | EGM | Extraordinary General Meeting
8 | IIA | Institute of Internal Auditors, USA
9 | IPPF | International Professional Practices Framework
10 | ISPPIA | International Standards for the Professional Practice of Internal Auditing (the standards)
11 | PAs | Practice Advisories
12 | PPs | Position Papers
13 | PGs | Practice Guides
58. ACKNOWLEDGEMENT
THE DEFINITION, THE OFFICIAL TERMINOLOGY AND THE CODE OF ETHICS USED IN THE
PRESENTATION ARE GIVEN BY THE IIA. WE OWE A DEBT OF GRATITUDE TO
THE IIA FOR USING THEM IN OUR PRESENTATION.
59. A presentation by Ahmad Tariq Bhatti FCMA,
FPA, MA (Economics), BSc Dubai, United Arab Emirates