Part 1-D

The document outlines the management of internal auditing, detailing various types of internal audit engagements such as assurance and consultancy services. It emphasizes the importance of compliance audits, operational audits, and the evaluation of third-party relationships, highlighting the need for effective governance and risk management. Additionally, it discusses the role of internal auditors in assessing financial statements and ensuring adherence to laws and regulations.

Uploaded by iamkimiii9

Part I Managing the Internal Audit Activity
A Introduction to Internal Auditing
B Administrative activities of Internal Audit
C Relationship and Coordination with Other Stakeholders / Service Providers
D Basic Types of Internal Audit Engagements
E Internal Audit Planning

Basic Types of Internal Audit Engagements
• Assurance Services
• Consultancy Services
Assurance Engagements 1/4
An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.

An assurance audit may start with an analysis of an existing process map and proceed to a comparison of the map with actual performance and an analysis of the process from the perspective of efficiency and effectiveness.

Examples may include financial, performance, compliance, system security, and due diligence engagements.
Assurance Engagements 2/4
Definition per IIA Global Glossary – an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.

With these engagements, internal auditors provide reasonable assurance whether organizational goals are being accomplished.
Assurance Engagements 3/4
Assurance providers are internal and external stakeholders that are responsible for implementing or maintaining assurance services.

Management provides assurance through compliance with laws and regulations, quality assurance, and self-assessments.

The board of directors provides assurance through the internal audit function.

External stakeholders provide assurance through the independent external auditor, government regulators, and trade associations such as ISO.
Assurance Engagements 4/4
• Operational Audit
• Compliance Audit
• Audits of third parties and Contract Audit
• Information System & Security Audit
• Performance Audit
• Privacy Audit
• Financial Audit and Internal Controls
• Corporate Governance
• Risk Management
• Control Self-Assessment (CSA)
Operational Audit 1/2
An operational audit assesses the efficiency and effectiveness of an organization’s operations.

Typical processes or functions are:
• Purchasing and receiving
• Distribution of services, materials, and supplies to users in the
organization
• Modification of products
• Safety practices
• Scrap handling and disposal
• Development of budgets
• Marketing
• Management of depreciable assets
Operational Audit 2/2
Measures used to assess effectiveness and efficiency

The productivity ratio measures output relative to input.

The productivity index measures production potential.

The resource usage rate measures resource use relative to available resources.

The operating ratio measures the operational efficiency of an organization.
Compliance Audit 1/6
Audit in respect of adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

Internal auditors also follow up and report on management’s response to regulatory body reviews.

Internal auditors are encouraged to consult legal counsel in all matters involving legal issues.

The internal audit activity’s responsibilities are as follows:
• The internal audit activity must evaluate risk exposures relating to governance, operations, and information systems with regard to compliance and the adequacy and effectiveness of controls responding to these risks.
• Compliance programs assist organizations in preventing unintended employee violations, detecting illegal acts, and discouraging intentional employee violations.
• Internal auditors need to evaluate an organization’s regulatory compliance programs.
Compliance Audit 2/6
Organizational Standards and Procedures
The organization establishes compliance standards and procedures that are reasonably capable of reducing the probability of criminal conduct by its employees and other agents:
• A clearly written, straightforward, and fair business code of conduct that provides guidance to employees on relevant issues and is user-friendly
• An organizational chart identifying personnel responsible for compliance programs
• Financial incentives that do not reward misconduct
• For an international organization, a compliance program on a global basis that reflects local conditions and laws
Compliance Audit 3/6
Reporting and Applicant Screening

Reporting
• Compliance personnel should have adequate access to senior management, and the chief compliance officer should report directly to the CEO.

Applicant Screening
• Due care should be used to avoid delegating authority to those with a tendency to engage in illegal activities. Applications should inquire about criminal convictions or discipline by licensing boards.
Compliance Audit 4/6
Communication
Standards and procedures should be communicated effectively, preferably in an interactive format and on multiple occasions.

Training programs and publications are typical methods.

Compliance information should be targeted to the areas important to each functional employee group and its job requirements.

For example, environmental compliance information should be directed to subunits, such as manufacturing, that are more likely to violate (or detect violations of) such laws and regulations.
Compliance Audit 5/6
Training
New employees should receive basic compliance training as part of their orientation, and agents of the organization should be given a presentation specifically for them.

Agents should understand the organization’s core values and that their actions will be monitored.

Organizations also should require employees to certify periodically that they have read, understood, and complied with the code of conduct.

This information is relayed annually to senior management and the board.
Compliance Audit 6/6
Monitoring and Reporting
An attorney monitoring the hotline is best able to protect the privileges.

Employees may have confidence in hotlines answered by an in-house representative and backed by a non-retaliation policy.

An on-site official may be assigned to receive and investigate complaints. This individual (an ombudsperson) is more effective if (s)he
1) reports directly to the chief compliance officer or the board,
2) keeps the names of informants secret,
3) provides guidance to informants, and
4) undertakes follow-up to ensure that retaliation has not occurred.

An ethics questionnaire should be sent to each employee asking whether the employee is aware of kickbacks, bribes, or other wrongdoing.

Organizational compliance standards should be consistently enforced. Punishment should be appropriate to the offense, such as a warning, loss of pay, suspension, transfer, or termination.
Audit of Third Parties 1/3
Organizations have multiple external/extended business relationships (EBRs). EBR partners may offer lower costs, better operational efficiency, special expertise, new technology, a known brand, or economies of scale.
• Service providers (e.g., for providing internal audit services, processing of payroll, sharing of services, or use of IT services)
• Supply-side partners (e.g., outsourcing of production or R&D)
• Demand-side partners (e.g., licensees or distributors)
• Strategic alliances and joint ventures (e.g., cost-, revenue-, and profit-sharing in media production and development)
• Intellectual property (IP) partners (e.g., licensing of software)
Audit of Third Parties 2/3
Significant risks of EBRs
They may not be managed in accordance with relevant policies.

EBRs may adversely affect the organization’s reputation, e.g., by violating laws, committing fraud, or not complying with contracts.

EBRs may have inadequate insurance coverage.

Licensing of intellectual property may result in misuse, theft, or loss of revenue.

The organization may be overcharged for services.

The organization’s confidential information (e.g., personally identifiable information) may be lost.
Audit of Third Parties 3/3
EBR audit cycle
Understanding the organization, its environment, its processes, and the nature of each EBR and the risks of noncompliance by EBR partners. The internal auditors need to understand the EBR’s inherent risks and the design of relevant controls.

Performing the audit – deciding whether to do on-site work at the EBR.

Evaluating results and identifying findings and their application. The internal auditors need to determine the frequency and content of reports to the board and senior management.

Monitoring progress – the internal auditors may determine whether findings (especially deficiencies) have been addressed.
Contract Audit 1/2
Internal auditors often perform engagements to monitor and evaluate significant construction contracts and operating contracts that involve the provision of services.

Cost-plus contracts are ways to cope with uncertainties about costs by setting a price equal to (1) cost plus a fixed amount or (2) cost plus a fixed percentage of cost.
• A problem is that the contractor may have little incentive for economy and efficiency, a reason for careful review by the internal auditors.
• These contracts may have provisions for
  • Maximum costs, with any savings shared by the parties, or
  • Incentives for early completion.
Contract Audit 2/2
Unit-price contracts are often used when a convenient measure of work is available, such as acres of land cleared or cubic yards of earth moved. The key issue is the accurate measurement of the work performed.

To protect the organization, internal auditors should be involved throughout the contracting process, not merely in the performance phase.

They should review the terms of the contract and the following:
• Procedures for bidding (e.g., competitive bidding)
• Procedures for cost estimation and control
• Budgets and financial forecasts
• The contractor’s information and control systems
• The contractor’s financial position
• Funding and tax matters
• Progress of the project and costs incurred
Information System & Security Audit
• The review and testing of IT (for example, computers, technology infrastructure, IT governance, mobile devices, and cloud computing) to assure the integrity of information.
• Works closely with senior management and the board to assist in the performance of the governance function with respect to information security.
• The internal audit activity also may act in a consulting capacity by identifying security issues and by working with users of information systems and with systems security personnel to devise and implement controls.
• Traditionally, IT auditing has been done in separate projects by IT audit specialists, but increasingly it is being integrated into all audits.
Privacy Audit 1/3
The following are various definitions of privacy:
• Personal privacy (physical and psychological)
• Privacy of space (freedom from surveillance)
• Privacy of communication (freedom from monitoring)
• Privacy of information (collection, use, and disclosure of personal information by others)
Privacy Audit 2/3
The internal auditors may
• Facilitate the development and implementation of the privacy program,
• Evaluate management’s privacy risk assessment, or
• Perform an assurance service regarding the effectiveness of the privacy framework.

The internal auditor identifies
• Personal information gathered,
• Collection methods, and
• Whether use of the information is in accordance with its intended use and applicable law.
Privacy Audit 3/3
Use of Personal Information in Performing Engagements
• Internal auditors need to consider the protection of personally identifiable information gathered during audits.
• Privacy controls are legal requirements in many jurisdictions.
• Many jurisdictions require organizations to identify the purposes for which personal information is collected at or before collection.
• These laws also prohibit using and disclosing personal information for purposes other than those for which it was collected except with the individual’s consent or as required by law.
• Internal auditors must understand and comply with all laws regarding the use of personal information.
Performance Audit 1/4
Also called a value-for-money audit, it assesses a function’s or program’s efficiency, effectiveness, economy, internal control systems and compliance.

The audit scope can include elements of operational, compliance, financial and information system audits.

Efficiency can be improved by restructuring outmoded business functions/operations, re-engineering key processes, deploying new technology methods, etc.

A performance audit can also be a Performance Indicator Review or a Balanced Scorecard Review.
Performance Audit 2/4
- Key Performance Indicator Review
KPIs are a type of metric that shows whether the business activity/function is achieving its stated objectives, established milestones, or performance targets.

KPIs should be few in number (KEY measurements).

KPIs must be reliable, valid, appropriate and meaningful; quantitative is better than qualitative.
Performance Audit 3/4
- Balanced Scorecard Review
The Balanced Scorecard system is a management control system that balances traditional financial measures with non-financial measures.

Organizational performance was traditionally based solely on financial or accounting-based data (e.g., ROI or EPS). These traditional indicators stress quantity over quality.

Kaplan & Norton divided the scorecard into four perspectives: Financial, Internal Business Process, Customer, and Innovation & Learning.
Performance Audit 4/4
Financial Audit
• The financial reporting process is to create information and prepare financial statements, related notes, and other accompanying disclosures in the organization’s financial reports according to the acceptable accounting methods.
• Internal auditors provide assurance regarding financial reporting to management and the board. For example, in many countries, laws require that management certify that the general-purpose financial statements are fairly stated in all material respects.
• Looks at the past to determine whether financial information was properly recorded and adequately supported.
• Assesses whether the financial statement assertions about past performance are fair, accurate, and reliable.
Financial Statement Assertions
- Account Transactions Assertions 1/3

Existence
• The transactions and events that have been recorded or disclosed have occurred, and such transactions and events pertain to the entity.
• Audit testing: a recorded sale represents goods which were ordered by valid customers and were dispatched and invoiced in the period.

Completeness
• All transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included.
• Audit testing: select a sample of customer orders and check to dispatch notes and sales invoices and the posting to the sales account in the general ledger.
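The two audit tests on this slide run in opposite directions: existence starts from what is recorded and vouches backward to source documents, while completeness starts from source documents and traces forward to the ledger. The following Python script is an added example, not part of the original slides; every order, dispatch note, invoice and ledger posting in it is constructed sample data, and the record layouts and the "valid customer" list are assumptions made for illustration.

```python
"""Vouching (existence) and tracing (completeness) tests over sales transactions.

Added example; not from the original slides. All records below are constructed
sample data and the record layouts are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_id: str


@dataclass(frozen=True)
class Dispatch:
    order_id: str
    dispatched_on: date


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    order_id: str
    amount: float


@dataclass(frozen=True)
class LedgerEntry:
    entry_id: str
    invoice_id: str
    account: str
    amount: float


# Constructed population for the period under audit (calendar year 2024).
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 12, 31)
VALID_CUSTOMERS: Set[str] = {"C100", "C200"}  # constructed approved-customer list

ORDERS = [Order("O1", "C100"), Order("O2", "C200"), Order("O3", "C100"), Order("O4", "C100")]
DISPATCHES = [
    Dispatch("O1", date(2024, 3, 4)),
    Dispatch("O2", date(2024, 6, 9)),
    Dispatch("O3", date(2024, 11, 20)),  # dispatched but never invoiced: completeness exception
    Dispatch("O4", date(2025, 1, 3)),    # dispatched after year end: the recorded sale did not occur in the period
]
INVOICES = [
    Invoice("I1", "O1", 500.0),
    Invoice("I2", "O2", 1200.0),
    Invoice("I4", "O4", 300.0),
    Invoice("I9", "O9", 999.0),          # invoice with no underlying order: existence exception
]
LEDGER = [
    LedgerEntry("GL1", "I1", "sales", 500.0),
    LedgerEntry("GL2", "I2", "sales", 1200.0),
    LedgerEntry("GL4", "I4", "sales", 300.0),
    LedgerEntry("GL9", "I9", "sales", 999.0),
]


def vouch_existence(ledger: List[LedgerEntry], invoices: List[Invoice], orders: List[Order],
                    dispatches: List[Dispatch], valid_customers: Set[str],
                    start: date, end: date) -> List[str]:
    """Existence: start from recorded sales and vouch each back through
    invoice -> order -> dispatch note. A recorded sale is supported only if it was
    ordered by a valid customer and dispatched and invoiced in the period.
    Returns the ids of ledger entries that cannot be supported."""
    invoice_by_id: Dict[str, Invoice] = {i.invoice_id: i for i in invoices}
    order_by_id: Dict[str, Order] = {o.order_id: o for o in orders}
    dispatch_by_order: Dict[str, Dispatch] = {d.order_id: d for d in dispatches}
    exceptions: List[str] = []
    for entry in ledger:
        if entry.account != "sales":
            continue
        invoice = invoice_by_id.get(entry.invoice_id)
        order = order_by_id.get(invoice.order_id) if invoice else None
        dispatch = dispatch_by_order.get(order.order_id) if order else None
        supported = (
            invoice is not None and order is not None and dispatch is not None
            and order.customer_id in valid_customers
            and start <= dispatch.dispatched_on <= end
            and abs(invoice.amount - entry.amount) < 0.005
        )
        if not supported:
            exceptions.append(entry.entry_id)
    return exceptions


def trace_completeness(orders: List[Order], dispatches: List[Dispatch], invoices: List[Invoice],
                       ledger: List[LedgerEntry], start: date, end: date) -> List[str]:
    """Completeness: start from source documents (orders dispatched in the period)
    and trace each forward to a sales invoice and a posting to the sales account.
    Returns the order ids for which the chain is broken."""
    dispatch_by_order = {d.order_id: d for d in dispatches}
    invoice_by_order = {i.order_id: i for i in invoices}
    posted_invoices = {e.invoice_id for e in ledger if e.account == "sales"}
    exceptions: List[str] = []
    for order in orders:
        dispatch = dispatch_by_order.get(order.order_id)
        if dispatch is None or not (start <= dispatch.dispatched_on <= end):
            continue  # not a sale of this period, so nothing should be recorded yet
        invoice = invoice_by_order.get(order.order_id)
        if invoice is None or invoice.invoice_id not in posted_invoices:
            exceptions.append(order.order_id)
    return exceptions


if __name__ == "__main__":
    print("existence exceptions:", vouch_existence(LEDGER, INVOICES, ORDERS, DISPATCHES,
                                                   VALID_CUSTOMERS, PERIOD_START, PERIOD_END))
    print("completeness exceptions:", trace_completeness(ORDERS, DISPATCHES, INVOICES, LEDGER,
                                                         PERIOD_START, PERIOD_END))
```

On the constructed data the existence test flags GL9 (no order behind the invoice) and GL4 (dispatched after the year end, so the sale did not occur in the period), while the completeness test flags O3 (dispatched in the period but never invoiced or posted). Only the forward trace can find O3, which is why a completeness test must start from the source documents rather than from the ledger.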
Financial Statement Assertions
- Account Transactions Assertions 2/3

Accuracy
• Amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described.
• Audit testing: re-performance of calculations on invoices, payroll, etc., and the review of control account reconciliations are designed to provide assurance about accuracy.

Cut-off
• Transactions and events have been recorded in the correct accounting period.
• Audit testing: recording the last goods received notes and dispatch notes at the inventory count and tracing to purchase and sales invoices to ensure that goods received before the year-end are recorded in purchases at the year end.
Financial Statement Assertions
- Account Transactions Assertions 3/3

Classification
• Transactions and events have been recorded in the proper accounts.

Presentation
• Transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.
Financial Statement Assertions
- Account Balance Assertions 1/3

Existence
• Means that assets and liabilities really do exist and there has been no overstatement.
• Audit testing – physical verification of non-current assets, confirmation of receivables, payables and the bank letter.

Rights and obligations
• Means that the entity has legal title or controls the rights to an asset or has an obligation to repay a liability.
• Audit testing – in the case of property, deeds of title can be reviewed. Long-term liabilities such as loans can be agreed to the relevant loan agreement.
Financial Statement Assertions
- Account Balance Assertions 2/3

Completeness
• That there are no omissions and assets and liabilities that should be recorded and disclosed have been. In other words, there has been no understatement of assets or liabilities.
• Audit testing – A review of the repairs and expenditure account can sometimes identify items that should have been capitalized and have been omitted from non-current assets. Reconciliation of payables ledger balances to suppliers’ statements is primarily designed to confirm completeness although it also gives assurance about existence.

Accuracy, valuation and allocation
• Means that amounts at which assets, liabilities and equity interests are valued, recorded and disclosed are all appropriate. The reference to allocation refers to matters such as the inclusion of appropriate overhead amounts into inventory valuation.
• Audit testing – Vouching the cost of assets to purchase invoices and checking depreciation rates and calculations.
Financial Statement Assertions
- Account Balance Assertions 3/3

Classification
• Means that assets, liabilities and equity interests are recorded in the proper accounts.
• Audit testing – the test for transactions of checking purchase invoice postings to the appropriate accounts in the general ledger.

Presentation
• This means that the descriptions and disclosures of assets and liabilities are relevant and easy to understand.
• Audit testing – auditors often use disclosure checklists to ensure that financial statement presentation complies with accounting standards and relevant legislation.
Risks Affecting Reliability & Integrity
Key risks affecting the reliability and integrity of financial information include:
• Overstating revenues (e.g., improper timing of revenue recognition)
• Understating expenses (e.g., improperly capitalizing expenditures that should be recorded as an expense in the current period)
• Applying unreasonable accounting estimates (e.g., accounting estimates are neither consistent with past results nor reasonable in light of expected future events)
• Applying accounting principles that are no longer in effect
Risk of Fraud
The auditor plans and performs the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error.

The types of fraud relevant to the financial statements include misstatements arising from:
• Fraudulent financial reporting. These are intentional misstatements or omissions to deceive users, such as altering accounting records or documents, misrepresenting or omitting significant information, and misapplying accounting principles.
• Misappropriation of assets. These result from theft, embezzlement, or an action that causes payment for items not received.
Assessment of Internal Control Over Financial Reporting
Many countries require management to provide an assessment of the organization’s internal control over financial reporting.

Implementation Standard 2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:
• Achievement of the organization’s strategic objectives.
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations and programs.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures, and contracts.
A Framework for Internal Control
Internal control is not limited to accounting controls or financial reporting.

Accounting and financial reports are important. However, other matters also are important, such as
• resource protection;
• operational efficiency and effectiveness; and
• compliance with rules, regulations, and organization policies.
These factors affect financial reporting.

Internal control is management’s responsibility. The participation of all persons within an organization is required if it is to be effective.

The control framework should relate to business objectives and be adaptable.
Evaluating the Effectiveness of Control
• Controls should be assessed relative to risks at each level.
• A risk and control matrix may be useful to:
  • Identify objectives and related risks.
  • Determine the significance of risks (impact and likelihood).
  • Determine responses to the significant risks (for example, accept, pursue, transfer, mitigate, or avoid).
  • Determine key management controls.
  • Evaluate the adequacy of control design.
  • Test adequately designed controls to ascertain whether they have been implemented and are operating effectively.
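The steps above form a single evaluation pipeline: score each risk, decide the response, and for the significant risks confirm that a key control exists, that its design is adequate, and that only adequately designed controls are tested for operating effectiveness. The Python below is an added example and not from the original slides; the 1-5 impact and likelihood scales, the significance threshold, the rule that only "mitigate" and "transfer" responses rely on key controls, and the sample risks and controls are all constructed assumptions.

```python
"""Risk and control matrix evaluation.

Added example; not from the original slides. Scales, threshold, the set of
control-reliant responses and the sample data are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RESPONSES = {"accept", "pursue", "transfer", "mitigate", "avoid"}
# Responses under which the organization still relies on key management
# controls (assumption made for this example).
CONTROL_RELIANT = {"mitigate", "transfer"}


@dataclass
class Control:
    control_id: str
    description: str
    design_adequate: bool                          # outcome of the control-design evaluation
    operating_effectively: Optional[bool] = None   # outcome of testing; None = not yet tested


@dataclass
class Risk:
    risk_id: str
    objective: str
    description: str
    impact: int        # 1 (low) .. 5 (high), assumed scale
    likelihood: int    # 1 (rare) .. 5 (almost certain), assumed scale
    response: str
    key_controls: List[Control] = field(default_factory=list)

    def significance(self) -> int:
        """Impact x likelihood on the assumed scales (1..25)."""
        return self.impact * self.likelihood


def evaluate_matrix(risks: List[Risk], threshold: int = 10) -> Dict[str, List[str]]:
    """Apply the steps in order: score significance, check the response, then for
    significant control-reliant risks confirm a key control exists, its design is
    adequate, and an adequately designed control has been tested and operates
    effectively. Returns {risk_id: [findings]} for risks with findings."""
    findings: Dict[str, List[str]] = {}
    for risk in risks:
        issues: List[str] = []
        if risk.response not in RESPONSES:
            issues.append(f"unrecognised response '{risk.response}'")
        elif risk.significance() >= threshold and risk.response in CONTROL_RELIANT:
            if not risk.key_controls:
                issues.append("significant risk with no key management control")
            for control in risk.key_controls:
                if not control.design_adequate:
                    # An inadequately designed control is not tested; its design is the finding.
                    issues.append(f"{control.control_id}: control design inadequate")
                elif control.operating_effectively is None:
                    issues.append(f"{control.control_id}: adequately designed but not yet tested")
                elif not control.operating_effectively:
                    issues.append(f"{control.control_id}: not operating effectively")
        if issues:
            findings[risk.risk_id] = issues
    return findings


def sample_matrix() -> List[Risk]:
    """Constructed sample matrix (not real data)."""
    return [
        Risk("R1", "Accurate revenue", "Sales recorded in the wrong period", 5, 4, "mitigate",
             [Control("C1", "Monthly cut-off review of dispatch notes", True, True)]),
        Risk("R2", "Safeguard assets", "Unauthorised payments", 4, 3, "mitigate",
             [Control("C2", "Single-person payment approval", False)]),
        Risk("R3", "Efficient operations", "Minor stationery waste", 1, 4, "accept"),
        Risk("R4", "Compliance", "Breach of data-protection law", 5, 3, "mitigate"),
        Risk("R5", "Continuity", "Warehouse fire", 4, 4, "transfer",
             [Control("C5", "Annual insurance cover review", True)]),
    ]


if __name__ == "__main__":
    for risk_id, issues in evaluate_matrix(sample_matrix()).items():
        print(risk_id, issues)
```

On the sample matrix R1 passes every step, R2 fails at control design, R4 has no key control at all, and R5 has an adequately designed control that has not yet been tested; R3 is below the threshold and accepted, so no control is expected. The ordering matters: a control whose design is inadequate is reported as a design finding and is never marked "not tested", matching the last step on the slide.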
Promoting Continuous Improvement of Control
• Continuous improvement of control involves
  • Training and ongoing self-monitoring
  • Control (or risk and control) assessment meetings with managers
  • A logical structure for documentation, analysis, and assessment of design and operation
  • Identification, evaluation, and correction of control weaknesses
  • Informing managers about new issues, laws, and regulations
  • Monitoring relevant technical developments
Roles for the Internal Auditor
- Financial Reporting 1/2
Providing information relevant to the appointment of the independent accountants.

Coordinating audit plans, coverage, and scheduling with the external auditors.

Communicating pertinent observations to the external auditors and board about
• Accounting policies and policy decisions (including accounting decisions for discretionary items and off-balance-sheet transactions),
• Specific components of the financial reporting process, and
• Unusual or complex financial transactions and events (e.g., related party transactions, mergers and acquisitions, joint ventures, and partnership transactions).
Roles for the Internal Auditor
- Financial Reporting 2/2
Participating in the financial reports and disclosures review process with the board, external auditors, and senior management.

Evaluating the quality of financial reports, including those filed with regulatory agencies.

Assessing the adequacy and effectiveness of the organization’s internal controls, specifically those controls over the financial reporting process. This assessment considers the organization’s susceptibility to fraud and the effectiveness of programs and controls to mitigate or eliminate those exposures.

Monitoring management’s compliance with the organization’s code of conduct and ensuring that ethical policies and other procedures promoting ethical behavior are being followed.

An important factor in establishing an effective ethical culture in the organization is that members of senior management set a good example of ethical behavior and provide open and truthful communications to employees (i.e., tone at the top).
Roles for the Internal Auditor
- Corporate Control
Reviewing the reliability and integrity of the operating and financial information compiled and reported by the organization.

Performing an analysis of the controls over critical accounting policies and accounting estimates.
Roles for the Internal Auditor
- Governance
Policies
• Reviewing the organization’s policies relating to compliance with laws and regulations, ethics, conflicts of interest and fraud investigations.

Litigation/regulatory Proceedings
• Reviewing pending litigation or regulatory proceedings bearing upon organizational risk and governance.
Risk Management 1/2
- Performance Standard 2120
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Risks may be financial, operational, legal/regulatory, or strategic in nature.
Risk Management 2/2
- Performance Standard 2120
Through conversations with senior management and the board, the CAE would consider the risk appetite, risk tolerance, and risk culture of the organization.

The internal audit activity should alert management to new risks, as well as risks that have not
been adequately mitigated, and provide recommendations and action plans for an appropriate
risk response (e.g. accept, pursue, transfer, mitigate, or avoid).

Internal auditors should thoroughly explore how the organization identifies and addresses risks
and how it determines risks are acceptable.

To assess whether relevant risk information is captured and communicated timely across the
organization, internal auditors may interview staff at various levels.

Finally, the internal audit activity should take the necessary steps to ensure that it is managing
its own risks, such as audit failure, false assurance, and reputation risks.
ISO 31000 Guide 1/2
1) Communication and Consultation
2) Scope, Context and Criteria
3) Risk Assessment
4) Risk Treatment
5) Monitoring and Review
6) Recording and Reporting
ISO 31000 Guide
– 1) Communication and Consultation
Bringing different areas of expertise together for each step of the RM process;

Ensuring different views are considered when defining risk criteria and evaluating risks;

Providing sufficient information to facilitate risk oversight and decision-making; and

Building a sense of inclusiveness and ownership among those affected by risk.
ISO 31000 Guide
– 2) Scope, Context and Criteria
Defining the purpose and scope of risk management activities;

Identifying the external and internal context for the organization;

Defining risk criteria by specifying the acceptable amount and type of risk; and

Defining criteria to evaluate the significance of risk and to support decision-making.
ISO 31000 Guide
– 3) Risk Assessment
Risk identification to find, recognize and describe risks that might help or prevent achievement of objectives and the variety of tangible and intangible consequences;

Risk analysis of the nature and characteristics of risk, including the level of risk, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness; and

Risk evaluation to support decisions by comparing the results of the risk analysis with the established risk criteria to determine the significance of risk.
ISO 31000 Guide
– 4) Risk Treatment
Selecting the most appropriate risk treatment option(s).

Designing risk treatment plans specifying how the treatment options will be implemented.
ISO 31000 Guide
– 5) Monitoring and Review
Improving the quality and effectiveness of process design, implementation and outcomes;

Monitoring the RM process and its outcomes, with responsibilities clearly defined;

Planning, gathering and analyzing information, recording results and providing feedback; and

Incorporating the results in performance management, measurement and reporting activities.
ISO 31000 Guide
– 6) Recording and Reporting
Communicating risk management activities and outcomes across the organization;

Providing information for decision-making;

Improving risk management activities; and

Providing risk information and interacting with stakeholders.
ISO 31000 Guide
- Risk Management Principles
1) Framework and processes should be customized and proportionate.
2) Appropriate and timely involvement of stakeholders is necessary.
3) Structured and comprehensive approach is required.
4) Risk management is an integral part of all organizational activities
5) Risk management anticipates, detects, acknowledges and responds
to changes.
6) Risk management explicitly considers any limitations of available
information.
7) Human and cultural factors influence all aspects of risk management.
8) Risk management is continually improved through learning and
experience.
COSO’s ERM Framework 1/5
COSO stands for “Committee of Sponsoring Organizations of the Treadway Commission”.

The COSO framework is applicable to all industries and all types of risks.

The COSO ERM framework is geared to achieve the following organizational objectives (i.e., what the organization strives to achieve):
• Strategic – Tied to high-level organizational goals and aligned to and supporting the organization’s mission.
• Operations – Related to the effective and efficient use of organizational resources.
• Reporting – Related to the reliability of reporting.
• Compliance – Related to organizational compliance with applicable laws and regulations.
COSO’s ERM Framework 2/5

Major
Components
COSO’s ERM Framework 3/5
Major Components
Internal Control environment – The tone at the top sets the basis for risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting – ERM ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity’s missions and are consistent with the risk appetite.

Event Identification – Internal and external events affecting achievement of the entity’s objectives are identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting process.

Risk assessment – Risks are analyzed, considering likelihood and impacts. Risks are assessed on an inherent or residual basis.
COSO’s ERM Framework 4/5
Major Components
Risk response
• Management selects among avoiding, accepting, reducing or sharing risks to align with the entity’s risk appetite.

Control activities
• Policies and procedures are set to ensure risk responses are effectively carried out.

Information & communication
• Has the organization identified information requirements to manage internal control over risks?
• Has the organization defined internal and external communication channels that support the functioning of internal control? How will the organization respond to, manage, and communicate a risk event?
• Effective communication enables people to capture and exchange the information needed to conduct, manage and control its operations.

Monitoring activities
• Monitoring is accomplished through ongoing management activities and evaluations.
COSO’s ERM Framework 5/5
Roles and Responsibilities
• Management assumes the primary responsibility for the ERM process.
• The specific responsibilities of managers at the different levels vary from organization to organization. But a fairly universal truth is that the CEO has ultimate ownership of the ERM process, setting the “tone at the top” and ensuring a positive internal control environment.
Control Self-Assessment (CSA)
• CSA increases awareness of risk and control throughout the organization.
• Risk assessment, business processes, and internal controls are not treated as exclusive concerns of senior management and the internal audit activity.
• CSA’s basic philosophy is that control is the responsibility of everyone in the organization.
• The people who work within the process, i.e., the employees and managers, are asked for their assessments of risks and controls in their process.
How Internal Auditors Use CSA
(Control Self-Assessment)
• A CSA program assists management in fulfilling its responsibilities to establish and maintain risk management and control processes by evaluating the adequacy of that system.
• Through a CSA program, the internal audit activity and the business units and functions collaborate to produce better information about how well the control processes are working and how significant the residual risks are.
• The internal audit activity often finds that a CSA program may reduce the effort spent in gathering information about control procedures and eliminate some testing.
• A CSA program increases the coverage of assessments of control processes, improves the quality of corrective actions made by the process owners, and focuses the internal audit activity’s work on reviewing high-risk processes and unusual situations.
Approaches of CSA 1/2
• The objective-based format focuses on controls presently in place to support the objective and then determines the residual risks remaining. The aim is to decide whether the control procedures are working effectively and are resulting in residual risks within an acceptable level.
• The risk-based format focuses on listing the risks to achieving an objective and then examines the control procedures to determine whether they are sufficient to manage the key risks. The aim is to determine significant residual risks.
• The control-based format focuses on key risks and controls before the beginning of the workshop. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.
• The process-based format focuses on selected activities that are elements of a chain of processes. The workshop’s aim is to evaluate, update, validate, improve, and even streamline the whole process and its component activities.
Approaches of CSA 2/2
• Survey Approach uses a questionnaire that tends to ask mostly simple “yes/no” or “have/have not” questions that are carefully written to be understood by the target recipients. Surveys often are used if the desired respondents are too numerous or widely dispersed to participate in a workshop or if management desires to minimize the time spent and costs incurred in gathering the information.
• Self-Certification Approach is based on management-produced analyses to produce information about selected business processes, risk management activities, and control procedures. The internal auditor may synthesize this analysis with other information to enhance the understanding about controls and to share the knowledge with managers in business or functional units as part of the organization’s CSA program.
Consulting Engagements 1/3
• Consulting services are advisory and related client service activities, the nature and scope of which are agreed with the client, that are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.
• Examples include counsel, advice, facilitation, and training.
• The board empowers the internal audit activity to perform additional services if they do not represent a conflict of interest or detract from its obligations to the board. That empowerment is reflected in the internal audit charter.
Consulting Engagements 2/3
• Consulting services may enhance the auditor’s understanding of business processes or issues related to an assurance engagement and do not necessarily impair the auditor’s or the internal audit activity’s objectivity.
• Internal auditing is not a management decision-making function. Decisions to adopt or implement recommendations made as a result of an internal audit advisory service are made by management.
• Consulting services permit the CAE to enter into dialogue with management to address specific managerial issues. In this dialogue, the breadth of the engagement and time frames are made responsive to management needs.
Consulting Engagements 3/3
• 2120.C1 - During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
• 2120.C2 - Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
• 2120.C3 - When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
Types of Consulting Engagements
• Formal consulting engagements are planned and subject to written agreement.
• Informal consulting engagements involve routine activities, such as participation on standing committees, limited-life projects, ad-hoc meetings, and routine information exchange.
• Special consulting engagements include participation on a merger and acquisition team or system conversion team.
• Emergency consulting engagements include participation on a team established for recovery or maintenance of operations after a disaster or other extraordinary business event, or assembled to supply temporary help to meet a special request or unusual deadline.
Independence and Objectivity
• Independence or objectivity may be impaired if assurance services are provided within 1 year after a formal consulting engagement.
Controls to reduce the potential threats to auditor
independence or objectivity posed by consulting 1/2
• Charter language defining consulting service parameters
• Policies and procedures limiting type, nature, or level of participation in consulting
• Screening consulting projects, with limits on engagements threatening objectivity
• Segregation of consulting units from assurance units in the audit function
• Rotation of auditors
• Employing external service providers for (a) consulting or (b) assurance engagements involving activities subject to prior consulting work that impaired objectivity or independence
• Disclosure in audit reports when objectivity was impaired by participation in a prior consulting project
Controls to reduce the potential
threats to auditor independence or
objectivity posed by consulting 2/2
 The internal auditor declines to perform consulting
engagements that
 Are prohibited by the charter,
 Conflict with the policies and procedures of the internal audit
activity, or
 Do not add value and promote the best interests of the
organization.
Due Professional Care
• The CAE must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
• Internal auditors must exercise due professional care during a consulting engagement by considering the:
• Needs and expectations of clients, including the nature, timing, and communication of engagement results;
• Relative complexity and extent of work needed to achieve the engagement’s objectives; and
• Cost of the consulting engagement in relation to potential benefits.
Record Retention
• In formal consulting engagements, auditors adopt appropriate record retention policies and ownership of the engagement records.
• Legal, regulatory, tax, and accounting matters may require special treatment in the records.
Types of Consulting Engagements
- Benchmarking
 Benchmarking is a continuous evaluation of the practices of the best
organizations in their class and the adaptation of processes to reflect
the best of these practices.
 Competitive benchmarking studies an organization in the same
industry.
 Process (function) benchmarking studies operations of organizations
with similar processes regardless of industry.
 Thus, the benchmark need not be a competitor or even a similar organization.
This method may introduce new ideas that provide a significant competitive
advantage.
 Strategic benchmarking is a search for successful competitive
strategies.
 Internal benchmarking is the application of best practices in one part of
the organization to its other parts.
Types of Consulting Engagements
- Internal Control Training
• Internal auditors may perform consulting engagements to provide internal control training to the employees of the organization, covering the organization’s objectives, policies, standards, procedures, performance measurements, and feedback methods.
• Control self-assessment provides training for people in business units. Participants gain experience in assessing risks and associating control processes with managing those risks.
Types of Consulting Engagements
- Due Diligence Auditing
 Due diligence is applied to a service in which internal auditors and others (external auditors, tax experts, finance professionals, attorneys, etc.) determine the business justification for a major transaction (e.g., whether wider markets, more skilled employees, access to intellectual property, or operating synergies are likely to be realized via a business combination, joint venture, divestiture, etc.).
Types of Consulting Engagements
- Business Process Mapping 1/2
• Business process reengineering involves process innovation and core process redesign.
• The emphasis is on simplification and elimination of nonvalue-adding activities, so as to improve productivity and decrease the number of clerical workers.
• The emphasis is on developing controls that are automated and self-correcting and that require minimal human intervention.
• Re-engineering is not continuous improvement; it is not simply downsizing or modifying an existing system, and it should be reserved for the most important processes.
Types of Consulting Engagements
- Business Process Mapping 2/2
• Re-engineering is usually a cross-departmental process of innovation requiring substantial investment in information technology and retraining.
• Internal auditors may perform the functions of determining whether the re-engineering process has senior management’s support, recommending areas for consideration, and developing audit plans for the new system.
• However, they should not become directly involved in the implementation of the process. This involvement would impair their independence and objectivity.
Types of Consulting Engagements
- System Development Review
• Internal auditor involvement can ensure that the appropriate internal controls and audit trails are included in the application, by providing independent, ongoing advice throughout the project and by identifying key risks or issues early, which enables project teams to mitigate risks.
• Project management techniques and controls should be part of the development process, whether developments are performed in-house or are outsourced. Management should know whether projects are on time and within budget and that resources are used efficiently.
Types of Consulting Engagements
- Design of Performance Measurement Systems
• As an assurance engagement, internal auditors conduct performance audits to measure how well an organization is achieving its targets for its key performance indicators.
• As a consulting engagement, internal auditors work with clients to improve the performance measured by the key performance indicators.