
Module 2 - Introduction To Assurance Principles

The document discusses corporate governance and internal auditing. It defines key terms related to corporate governance and outlines the roles and responsibilities of boards of directors, management, and audit committees. It also explains the differences between external and internal auditing.

Uploaded by

florabel parana

Subject: AUD 1201 – Internal Audit and Entity’s Control Environment

Module: Introduction to Assurance Principles


Professor: Normandy P. Yco
Target Date of Discussion: February 15, 2024

Lesson/Topics:
➢ Discuss the overview of Corporate Governance by providing applicable government rules and
regulations in the Philippine and other related countries’ settings (e.g., Philippines’ Code of Corporate
Governance for Publicly Listed Companies, United States’ Sarbanes-Oxley Act of 2002, and
other related rules and regulations);
➢ Explain the roles and responsibilities of the Board of Directors and Senior Management in
managing Corporate Governance;
➢ Explain the roles and responsibilities of the Audit Committee in managing External Auditors and
Internal Auditors;
➢ Discuss the definition of Assurance, including its different elements and levels;
➢ Discuss the similarities and differences between External Auditing and Internal Auditing.
Topics Discussion:
Corporate Governance Overview
Corporate Governance - is something altogether different from the daily operational management
activities enacted by a company’s executives. It is a system of direction and control that dictates how a
board of directors governs and oversees a company.

A Key Principle of Corporate Governance – Shareholder Primacy


Perhaps one of the most important principles of corporate governance is the recognition of
shareholders. The recognition is two-fold. First, there is the basic recognition of the importance of
shareholders to any company – people who buy the company’s stock fund its operations. Equity is one
of the major sources of funding for businesses. Second, from the basic recognition of shareholder
importance follows the principle of responsibility to shareholders.

The policy of allowing shareholders to elect a board of directors is critical. The board’s “prime directive”
is to be always seeking the best interests of shareholders. The board of directors hires and oversees the
executives who comprise the team that manages the day-to-day operations of a company. This means
that shareholders, effectively, have a direct say in how a company is run.

Transparency
Shareholder interest is a major part of corporate governance. Shareholders may reach out to the
members of the community who don’t necessarily hold an interest in the company but who can
nonetheless benefit from its goods or services.

Reaching out to the members of the community encourages lines of communication that promote
company transparency. It means that all members of the community – those who are directly or
indirectly affected by the company – and members of the press get a clear sense of the company’s
goals, tactics, and how it is doing in general. Transparency means that anyone, whether inside or
outside the company, can choose to review and verify the company’s actions. This fosters trust and is
likely to encourage more individuals to patronize the company and possibly become shareholders as
well.
Security
An increasingly important aspect of corporate governance is security. Shareholders and
customers/clients need to feel confident that their personal information is not being leaked or accessed
by unauthorized users. It’s equally important to ensure that the company’s proprietary processes and
trade secrets are secure. A data breach is not just very expensive. It also weakens public trust in the
company, which can have a drastically negative effect on its stock price. Losing investor trust means
losing access to capital that is necessary for corporate growth.

Everyone in a company, from entry-level staffers to members of the board, needs to be well-versed in
corporate security procedures such as passwords and authentication methods.

Consequences of Poor Corporate Governance


One of the biggest purposes of corporate governance is to set up a system of rules, policies, and
practices for a company – in other words, to account for accountability. Each major piece of the
“government” – the shareholders, the board of directors, the executive management team, and the
company’s employees – is responsible to the others, therefore keeping them all accountable. Part of
this accountability is the fact that the board regularly reports financial information to the shareholders,
which reflects the corporate governance principle of transparency.

Poor corporate governance is best explained with an example, and there is no better example than
Enron Corp. Many of the executives used shady tactics and covert accounting methods to cover up the
fact that they were essentially stealing from the company. Erroneous figures were passed along to the
board of directors, who failed to report the information to shareholders.

With responsible accounting methods gone out the window, shareholders were unaware that the
company’s debts and liabilities totaled much more than the company could ever repay. The executives
were eventually charged with a number of felonies, and the company went bankrupt. It killed employee
pensions and hurt shareholders immeasurably.

When good corporate governance is abandoned, a company runs the risk of collapse, and shareholders
stand to suffer substantially.
Figure 2.1 – Corporate Governance

Key Terminologies Relevant to Corporate Governance:


➢ Board of Directors – the governing body elected by the stockholders that exercises the
corporate powers of a corporation, conducts all its business, and controls its properties.
➢ Management – a group of executives given the authority by the Board of Directors to
implement the policies it has laid down in the conduct of the business of the corporation.
➢ Independent director – a person who is independent of management and the controlling
shareholder, and is free from any business or other relationship which could, or could
reasonably be perceived to, materially interfere with his exercise of independent judgment in
carrying out his responsibilities as a director.
➢ Executive director – a director who has executive responsibility of day-to-day operations of a
part or the whole of the organization.
➢ Non-executive director – a director who has no executive responsibility and does not perform
any work related to the operations of the corporation.
➢ Conglomerate – a group of corporations that has diversified business activities in varied
industries, whereby the operations of such businesses are controlled and managed by a parent
corporate entity.
➢ Internal control – a process designed and effected by the board of directors, senior
management, and all levels of personnel to provide reasonable assurance on the achievement
of objectives through efficient and effective operations; reliable, complete and timely financial
and management information; and compliance with applicable laws, regulations, and the
organization’s policies and procedures.
➢ Enterprise Risk Management – a process, effected by an entity’s Board of Directors,
management and other personnel, applied in strategy setting and across the enterprise that
is designed to identify potential events that may affect the entity, manage risks to be within
its risk appetite, and provide reasonable assurance regarding the achievement of entity
objectives.
➢ Related Party – shall cover the company’s subsidiaries, as well as affiliates and any party
(including their subsidiaries, affiliates, and special purpose entities), that the company exerts
direct or indirect control over or that exerts direct or indirect control over the company; the
company’s directors; officers; shareholders and related interests (DOSRI), and their close
family members, as well as corresponding persons in affiliated companies. This shall also
include such other person or juridical entity whose interest may pose a potential conflict with
the interest of the company.
➢ Related Party Transactions – a transfer of resources, services or obligations between a
reporting entity and a related party, regardless of whether a price is charged. It should be
interpreted broadly to include not only transactions that are entered into with related parties,
but also outstanding transactions that are entered into with an unrelated party that
subsequently becomes a related party.
➢ Stakeholders – any individual, organization or society at large who can either affect and/or be
affected by the company’s strategies, policies, business decisions and operations, in general.
This includes, among others, customers, creditors, employees, suppliers, investors, as well as
the government and community in which it operates.

The first broad area of governance is depicted in the exhibit as strategic direction. The board is
responsible for providing strategic direction and guidance relative to the establishment of key business
objectives, consistent with the organization’s business model and aligned with stakeholder priorities.
Directors bring varied and diverse business experience to the board and, thus, are in a position to
provide the information and direction that will help ensure the organization is successful. The board
also can influence the organization’s risk-taking philosophy and establish broad boundaries of conduct
based on the organization’s overall risk appetite and cultural values. Monitoring progress toward
meeting the goals and objectives of the organization is another key reason for the board’s existence.

The second broad area of governance is depicted in the exhibit as governance oversight, which focuses
on the board’s role in managing and monitoring the organization’s operations. Expanding on the view
in exhibit 3-3, the key components of governance oversight are shown in exhibit 3-4. Because this
oversight responsibility is where the risk management and internal audit activities are most relevant,
governance oversight is discussed in greater detail following this exhibit.
The key points that should be taken from this depiction of governance are:
➢ Governance begins with the board of directors and its committees. The board serves as the
"umbrella" of governance oversight for the entire organization. It provides direction to
management, empowers them with the authority to take the necessary actions to achieve that
direction, and oversees the overall results of operations.
➢ The board must understand and focus on the needs of key stakeholders. Ultimately, the board
has a fiduciary responsibility to the organization’s stakeholders.
➢ Day-to-day, governance is executed by management of the organization. Both senior
management and line managers have important, although somewhat different, roles in
governance. These roles are carried out through risk management activities.
➢ Internal and external assurance activities provide management and the board with assurances
regarding the effectiveness of governance activities. These parties include, but are not limited
to, internal auditors and the independent outside auditors.
Roles and Responsibilities within Governance: The Board and Its Committees
Governance is ultimately the responsibility of the board, although this responsibility is frequently
carried out by its various committees (for example, the audit committee). The first of the board’s
responsibilities is to identify the key stakeholders of an organization. A stakeholder is any party with a
direct or indirect interest in an organization’s activities and outcomes. Stakeholders can be viewed as
having one or more of the following characteristics (examples follow this list):
• Some stakeholders are directly involved in the operation of the organization’s business.
• Other stakeholders are not directly involved but are interested in the organization’s business;
that is, they are affected by the success or other outcomes of the business.
• Some stakeholders are neither directly involved nor interested in the success of an
organization’s business, but these stakeholders may nonetheless influence aspects of the
organization’s business and, as a result, the organization’s success.

The Sarbanes-Oxley Act of 2002


The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial
regulations for public companies.

Lawmakers created the legislation to help protect shareholders, employees and the public from
accounting errors and fraudulent financial practices. Auditors, accountants and corporate officers
became accountable for the new set of rules. These rules were amendments and additions to several
laws enforced by the Securities and Exchange Commission (SEC), including the Securities and Exchange
Act of 1934 and the Investment Advisers Act of 1940. The SEC enforces the Sarbanes-Oxley Act. The
main areas that the Act is focused on are:
• Increasing criminal punishment
• Accounting regulation
• New protections
• Corporate responsibility

The Act primarily sought to regulate financial reporting, internal audits and other business practices at
publicly traded companies. However, some provisions apply to all enterprises, including private
companies and nonprofit organizations.
History and why the Act was created
The legislation sought to both improve the reliability of public companies' financial reporting as well as
restore investor confidence in the wake of high-profile cases of corporate crime. The act was named
for its sponsors: U.S. Sen. Paul Sarbanes (D-Md.), and U.S. Rep. Michael Oxley, (R-Ohio). Former U.S.
President George W. Bush, who signed the act into law on July 30, 2002, called the act "the most
far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt."

Federal lawmakers enacted the Sarbanes-Oxley Act in large part due to corporate scandals at the start
of the 21st century. One such scandal involved energy firm Enron Corp. Enron was considered one of
the largest, most successful and innovative companies in the United States.

Around 2000, Enron unraveled in less than two years as both the company's fraudulent practices and
its executives' criminal activities came to light.

Similarly, the telecommunications giant WorldCom became embroiled in scandal as its own fraudulent
accounting practices made the news. After filing for bankruptcy in 2002, the company was hit with a
$750 million SEC fine. Its chief executive officer (CEO) was sentenced to 25 years in prison, and the chief
financial officer (CFO) received a five-year jail sentence as a result of criminal charges in the case.

The financial scandal at Tyco International also preceded the Act. In this case, the company's former
CEO and CFO were convicted of stealing hundreds of millions of dollars from the company, falsifying
business records and violating other business laws. The Act enhanced accounting compliance
regulations to keep such a scandal from occurring again.

Additionally, the Act established penalties for noncompliance with its provisions. Compliance with the
Act is about financial disclosure and corporate governance.

Key provisions and requirements


The Sarbanes-Oxley Act is arranged into 11 sections, or titles. Two sections of particular note are
Section 302 and Section 404.
➢ Section 302 pertains to "Corporate Responsibility for Financial Reports." It established, in
part, that CEOs and CFOs must review all financial reports and that the reports must be "fairly
presented" and must not contain misrepresentations. This section also established that CEOs and
CFOs are responsible for internal accounting controls. The Act requires year-end financial
disclosure reports and that all financial reports come with an Internal Controls Report.
Financial disclosures must contain reporting of material changes in financial condition.

➢ Section 404 deals with "Management Assessment of Internal Controls" and requires
companies to publish details about their internal accounting controls and their procedures
for financial reporting as part of their annual financial reports. Section 404 requires corporate
executives to personally certify the accuracy of their company's financial statements and
makes them individually liable if the SEC finds violations.

The Whistleblower Protection Act under the Sarbanes-Oxley Act mandates protection for
whistleblowers, stating that employees and contractors who report fraud and/or testify about fraud to
the Department of Labor are protected against retaliation, including dismissal and discrimination.

Code of Corporate Governance for Publicly-Listed Companies (SEC Memo Circular No.19 Series of
2016):

➢ Establishing a Competent Board (Principle 1)
➢ Establishing Clear Roles and Responsibilities of the Board (Principle 2)
➢ Establishing Board Committees (Principle 3)

Principle 1
The company should be headed by a competent, working board to foster the long-term success of the
corporation, and to sustain its competitiveness and profitability in a manner consistent with its
corporate objectives and the long-term best interests of its shareholders and other stakeholders.

Recommendation 1.1
The Board should be composed of directors with a collective working knowledge, experience or
expertise that is relevant to the company’s industry/sector. The Board should always ensure that it has
an appropriate mix of competence and expertise and that its members remain qualified for their
positions individually and collectively, to enable it to fulfill its roles and responsibilities and respond to
the needs of the organization based on the evolving business environment and strategic direction.

Recommendation 1.2
The Board should be composed of a majority of non-executive directors who possess the necessary
qualifications to effectively participate and help secure objective, independent judgment on corporate
affairs and to substantiate proper checks and balances.

Principle 2
The fiduciary roles, responsibilities and accountabilities of the Board as provided under the law, the
company’s articles and by-laws, and other legal pronouncements and guidelines should be clearly made
known to all directors as well as to shareholders and other stakeholders.

Recommendation 2.2
The Board should oversee the development of and approve the company’s business objectives and
strategy, and monitor their implementation, in order to sustain the company’s long-term viability and
strength.

Recommendation 2.3
The Board should be headed by a competent and qualified Chairperson.

Recommendation 2.10
The Board should oversee that an appropriate internal control system is in place, including setting up a
mechanism for monitoring and managing potential conflicts of interest of Management, board
members, and shareholders. The Board should also approve the Internal Audit Charter.

Principle 3
Board committees should be set up to the extent possible to support the effective performance of the
Board’s functions, particularly with respect to audit, risk management, related party transactions, and
other key corporate governance concerns, such as nomination and remuneration. The composition,
functions and responsibilities of all committees established should be contained in a publicly available
Committee Charter.

Recommendation 3.1
The Board should establish board committees that focus on specific board functions to aid in the
optimal performance of its roles and responsibilities.

Recommendation 3.2
The Board should establish an Audit Committee to enhance its oversight capability over the company’s
financial reporting, internal control system, internal and external audit processes, and compliance with
applicable laws and regulations. The committee should be composed of at least three appropriately
qualified non-executive directors, the majority of whom, including the Chairman, should be
independent. All of the members of the committee must have relevant background, knowledge, skills,
and/or experience in the areas of accounting, auditing and finance. The Chairman of the Audit
Committee should not be the chairman of the Board or of any other committees.

The Audit Committee


The Audit Committee is responsible for overseeing the senior management in establishing and
maintaining an adequate, effective and efficient internal control framework. It ensures that systems
and processes are designed to provide assurance in areas including reporting, monitoring compliance
with laws, regulations and internal policies, efficiency and effectiveness of operations, and safeguarding
of assets.
a) Recommends the approval of the Internal Audit Charter (IA Charter), which formally defines the
role of Internal Audit and the audit plan as well as oversees the implementation of the IA
Charter;
b) Through the Internal Audit (IA) Department, monitors and evaluates the adequacy and
effectiveness of the corporation’s internal control system, integrity of financial reporting, and
security of physical and information assets. Well-designed internal control procedures and
processes that will provide a system of checks and balances should be in place in order to (a)
safeguard the company’s resources and ensure their effective utilization, (b) prevent
occurrence of fraud and other irregularities, (c) protect the accuracy and reliability of the
company’s financial data, and (d) ensure compliance with applicable laws and regulations;
c) Oversees the Internal Audit Department, and recommends the appointment and/or grounds
for approval of an internal audit head or Chief Audit Executive (CAE). The Audit Committee
should also approve the terms and conditions for outsourcing internal audit services;
d) Establishes and identifies the reporting line of the Internal Auditor to enable him to properly
fulfill his duties and responsibilities. For this purpose, he should directly report to the Audit
Committee;
e) Reviews and monitors Management’s responsiveness to the Internal Auditor’s findings and
recommendations;
f) Prior to the commencement of the audit, discusses with the External Auditor the nature, scope
and expenses of the audit, and ensures the proper coordination.

The Board (IPPF Glossary)


The highest level of governing body charged with the responsibility to direct and/or oversee the
activities and management of the organization. Typically, this includes an independent group of
directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees).

If such a group does not exist, the “board” may refer to the head of the organization. “Board” may refer
to an audit committee to which the governing body has delegated certain functions.

Board members make decisions about issues, such as:


• Establishing compensation for executives
• Hiring and firing senior executives
• Creating dividend policies and payouts
• Establishing stock option policies
• Leading acquisitions and mergers
• Responding to crises within the company
• Setting company goals
• Supporting executive duties
• Providing necessary resources
The Internal Audit Activity
A department, division, team of consultants, or other practitioner(s) that provides independent,
objective assurance and consulting services designed to add value and improve an organization’s
operations.

The internal audit activity must assess and make appropriate recommendations to improve the
organization’s governance processes (Performance Standards 2110) for:
➢ Making strategic and operational decisions.
➢ Overseeing risk management and control.
➢ Promoting appropriate ethics and values within the organization.
➢ Ensuring effective organizational performance management and accountability.
➢ Communicating risk and control information to appropriate areas of the organization.
➢ Coordinating the activities of, and communicating information among, the board, external, and
internal auditors, other assurance providers, and management.

Performance Standards 2110.A1


The internal audit activity must evaluate the design, implementation, and effectiveness of the
organization's ethics-related objectives, programs, and activities.

Performance Standards 2110.A2


The internal audit activity must assess whether the information technology governance of the
organization supports the organization's strategies and objectives.

The Chief Audit Executive (CAE)


The CAE describes a person in a senior position responsible for effectively managing the internal audit
activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code
of Ethics, and the Standards. The specific job title of the chief audit executive may vary across
organizations.
[Figure: internal audit positions – Entry-level internal auditor; Lead / Senior internal auditor; Internal audit supervisor / manager; Internal audit executive / chief audit executive (CAE)]

What is Assurance?
Assurance means an engagement in which a practitioner expresses a conclusion designed to enhance
the degree of confidence of the intended users other than the responsible party about the outcome of
the evaluation or measurement of a subject matter against criteria. This was defined in the
International Framework for Assurance Engagements.

Elements of an assurance engagement:


➢ Existence of three-party relationship – A three-party relationship is one of the five elements
of an assurance engagement. These parties are typically: the responsible party, users, and the
practitioner.

➢ Appropriate subject matter - This guidance looks at the questions practitioners should ask to
identify which aspects of a subject matter to focus on in an engagement.

➢ Suitable criteria - This guidance provides a definition of criteria and their characteristics,
examines what ensures criteria are suitable and provides examples of criteria.
High level questions
In the context of assurance engagements, the practitioner may ask detailed questions to clarify
the subject matter. Examples include:
➢ How well developed is management control over the subject matter?
➢ What degree of documentation is available regarding the subject matter?
➢ What is the most cost-effective way to address the needs of the users and achieve an
appropriate degree of credibility over the subject matter?

Depending on these factors, an assurance engagement may focus on a different aspect (or
aspects) of a subject matter (or subject matter information), such as:
➢ Fairness of description of the subject matter or criteria in place.
➢ Design of processes where relevant (for example, business activities, control
procedures).
➢ Operating effectiveness of processes where relevant.
➢ Outcome (for example, in terms of the compilation or calculation of data outcome
based on data in and processes used).
➢ A comprehensive report (for example, a report that may include elements of all of the
above with an overall view from management of the subject matter).

➢ Sufficient appropriate evidence - This guidance explores how materiality informs the
assurance engagement risk posed by evidence. The practitioner plans and performs an
assurance engagement with an attitude of professional skepticism to obtain sufficient
appropriate evidence about whether the subject matter information satisfies the criteria or is
free of material misstatement.

➢ Expression of opinion / Assurance report - This guidance outlines what commonly appears in
such reports.

The practitioner tailors these elements for the specific engagement depending on the subject
matter and, where appropriate, considers a qualified conclusion. In addition, the practitioner
considers other reporting responsibilities, including communicating with those charged with
governance where it is appropriate.
It would be unusual, but not impossible, for a single report to cover more than one subject
matter. It is relatively straightforward and relatively common for a report to cover more than
one aspect of a single subject matter.

Where the subject matter information comprises a number of aspects of a single topic,
separate conclusions may be provided on each aspect. This is achieved by clearly identifying
each aspect separately in the:
➢ scope of the assurance report (including the: level of assurance being provided;
description of what reporting standard is being applied and criteria being used)
➢ description of the work performed; and
➢ conclusion to the report.

Levels of assurance
➢ Absolute Assurance - Absolute assurance means that there is no assurance risk. Reducing
assurance risk to zero is very rarely attainable or cost beneficial; primarily because the evidence
available to an audit team is persuasive rather than conclusive, and audit team leaders are
required to use judgement in gathering and evaluating assurance evidence.
➢ Reasonable Assurance (audit) - a high level of assurance regarding material misstatements,
but not an absolute one. Reasonable assurance includes the understanding that there is a
remote likelihood that material misstatements will not be prevented or detected on a timely
basis. To achieve reasonable assurance, the auditor needs to obtain sufficient appropriate audit
evidence to reduce audit risk to an acceptably low level. This means that there is some
uncertainty arising from the use of sampling, since it is possible that a material misstatement
will be missed.
➢ Limited Assurance (review) - In a limited assurance engagement, the evidence gathering
procedures are more limited than in a reasonable assurance engagement, and therefore less
assurance is obtained than in a reasonable assurance engagement.

However, for an assurance engagement to be an audit engagement, one additional requirement is that
the level of assurance provided by such an engagement needs to be at a reasonable level.

What is Audit? IFAC Defined.


➢ Objective examination of factual evidence.
➢ Providing an independent and reasonable assurance against established criteria.

What is External Audit? Brink’s Modern Internal Auditing Defined.


An independent examination of financial statements of an entity that enables an auditor to express
an opinion whether the financial statements are prepared (in all material respects) in accordance with
an identified and acceptable financial reporting framework (e.g., international, or local accounting
standards and national legislations).

What is Internal Audit? IPPF of the IIA Defined.


An independent, objective assurance and consulting activity designed to add value and improve an
organization's operations. It helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.

External Audit vs. Internal Audit


There are multiple differences between the internal audit and external audit functions, which are as
follows:
➢ Internal auditors are company employees, while external auditors work for an outside audit
firm.
➢ Internal auditors are hired by the company, while external auditors are appointed by a
shareholder vote.
➢ Internal auditors do not have to be CPAs, while a CPA must direct the activities of the external
auditors.
➢ Internal auditors are responsible to management, while external auditors are responsible to
the shareholders.
➢ Internal auditors can issue their findings in any type of report format, while external auditors
must use specific formats for their audit opinions and management letters.
➢ Internal audit reports are used by management, while external audit reports are used by
stakeholders, such as investors, creditors, and lenders.
➢ Internal auditors can be used to provide advice and other consulting assistance to employees,
while external auditors are constrained from supporting an audit client too closely.
➢ Internal auditors will examine issues related to company business practices and risks, while
external auditors examine the financial records and issue an opinion regarding the financial
statements of the company.
➢ Internal audits are conducted throughout the year, while external auditors conduct a single
annual audit. If a client is publicly held, external auditors will also provide review services three
times per year.

In short, the two functions share one word in their names, but are otherwise quite different. Larger
organizations typically have both functions, thereby ensuring that their records, processes, and
financial statements are closely examined at regular intervals.

External Audit vs Internal Audit Primary Difference


Independent outside audit firms provide their financial reporting assurance services primarily for the
benefit of third parties. Third parties rely on a firm’s independent attestations when making financial
decisions about the organization. The independent attestations provide credibility to the information
being used by the third-party decision-makers and, accordingly, increase the users’ confidence
regarding the accuracy, completeness, and validity of the information upon which they base their
decisions.

Internal auditors also provide financial reporting assurance services. The primary difference between
internal and external financial reporting assurance services is the audience. Internal auditors provide
their financial reporting assurance services primarily for the benefit of management and the board of
directors. For example, Sarbanes-Oxley requires the CEO and chief financial officer (CFO) of U.S. public
companies to certify the company’s financial statements as part of their quarterly and annual filings. It
also requires management to assess and report on the effectiveness of internal control over financial
reporting. Management relies on the financial reporting assurance services provided by the company’s
internal audit function to provide them with confidence regarding the truthfulness of their financial
reporting assertions.