Overview of lnternal Auditing

After going through this chapter, you should be able to:

. Provide a professional overview of internal auditing.

. Differentiate internal auditors and external auditors.
. Learn the different types of internal audits.
. Describe the evolution and development ofinternal audit practices.
. Understand the roles of the Institute of Internal Auditors of Malaysia (IIAM).

lntroduction
Previously, internal auditing was accounting-oriented and focused more on accuracy
and reliability of financial statements as well as historical performance reporting. To
date, an internal auditor has an enhanced and complex role, with a wider scope and
a greater expectation from stakeholders. Modern internal auditors provide services
that include examination and appraisal of controls, performance, risk and gover-
nance for public and private entities. The new roles also encompass suggestions to
improve performance, generate new ideas or proposals for new corporate direction
towards achieving organizational objectives.
An internal auditor acts as management control and performs independent
checks on the control systems in an organization. The recent global financial crisis
demands more competent internal auditors to deal with dynamic yet complicated
changes in the industry. Several guidelines are available for internal auditors to fulfil
their responsibility. Primarily, internal auditors are required to adhere to the IIA
Code of Ethics and International Professional Practices Framework.
Currently, it is a requirement for public listed companies to have an internal
audit function. This requirement has also extended to regulatory bodies and gov-
ernment agencies. The internal audit function has become the 'in-thing' in orga-
nizations, and by having one, stakeholders can rest assured that an independent
mechanism is in place to control and monitor how the organization operates. I

Definition of Internal Auditing

Traditionally, internal auditing is defined as:

An independent appraisal activity established within an organization as a service

to the organization. It is a control which functions by examining and evaluating the
adequacy and effectiveness of other controls. The objective of internal auditing is to
assist members of the organization in the effective discharge of their responsibilities.
Part One Introduction to Internal Auditing

To this end, internal auditing furnishes them with analyses, appraisals, recommenda-
tions, counsel, and information concerning the activities reviewed. The audit objec-
tive includes promoting effective control at reasonable cost.

The IIA Board of Directors has redefined internal auditing as:

An independent, objective assurance and consultiag activity designed to add value

and improve an organizationt operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness ofrisk management, control, and governance processes.

I ndepe ndence qnd ohjectivity

Independence is the freedom from conditions that threaten the ability ofthe internal
audit activity to carry out internal audit responsibilities in an unbiased manner. To
achieve the degree ofindependence necessary to effectively carry out the responsi-
bilities of the internal audit activity, the chief audit executive has direct and unre-
stricted access to senior management and the board. This can be achieved through a
dual-reporting relationship. Threats to independence must be managed at the indi-
vidual auditor, engagement, functional, and organizational levels.
Objectivity is an unbiased mental attitude that allows internal auditors to
perform engagements in such a manner that they believe in their work product and
that no quality compromises are made. Objectivity requires that internal auditors
do not subordinate their judgment on audit matters to others. Threats to objectivity
must be managed at the individual auditor, engagement, functional, and organiza-
tional levels.

Assuronce ond consulting octivity

The primary purpose of an assurance activity is to assess evidence relevant to the
subject matter of interest and provide conclusions regarding the said matter. A con-
sulting activity, on the other hand, provides advice and other assistance relating to
the subject matter of interest under the capacity of the work that internal auditors
are involved in. Internal auditors should provide recommendations for improve-
ments in areas of deficiencies in order to add value and improve an organization's
risk management, control and governance processes.

Systematic and disciplined opproach

Internal auditing is a systematic and guided process. The internal audit function
should establish its own policies and procedures to guide any internal audit activity
to ensure that the audit service provided is of good quality.

Add vqlue
The assurance and consulting activity allows improvements in an organization's
operational activities to achieve its objectives and to ensure effective risk manage-
ment, control and governance processes.

Risk monogement
Risk management is the process conducted by the management of an organization
to understand and deal with risks (uncertainties) that could negatively affect the
organization's ability to achieve its objectives. At the same time, risk could also lead
to opportunities when an event occurs and positively affects the achievement of an
organization's obj ectives.
 Chapter I Oterview oflnternal Auditing

Control
An organization needs to have in place effective internal control that reasonably
assures the safeguarding of an organization's assets against loss. Hence, internal
auditors are responsible for ensuring that such controls are well established by the
management of an organization.

Governance
Governance is the act of managing an organization. It relates to decisions that define
expectations, grant power or verif, performance. It consists of either a separate pro-
cessor part of the management or leadership processes. Hence, internal auditors
should assess the corporate governance process and provide recommendations to
achieve effective governance.
In )anuary 2004, the IIA modified and expanded the definition of the internal
audit activity to include the following additional activities and services:

Internal auditing is conducted in diverse legal and cultural environments; within

organizations that vary in purpose, size, complexity, and structure; and by persons
within or outside the organization. While differences may affect the practice of
internal auditing in each environment, conformance with The IIAs International
Standards for the Professional Practice of Internal Auditing (Standards) is essential
in meeting the responsibilities of internal auditors and the internal audit actMfy.

If internal auditors or the internal audit activity is prohibited by law or regulation

from conformance with certain parts of the Standards, conformance with all other
parts ofthe Standards and appropriate disclosures are needed.

Assurance services involve the internal auditor's objective assessment of evidence

to provide an independent opinion or conclusions regarding an entity, operation,
function, process, system, or other subject matter. The nafure and scope of the assur-
ance engagement are determined by the internal auditor. There are generally three
parties involved in assurance services: (1) the person or group directly involved with
the entiry operation, function, process, system, or other subject matter-the process
owner, (2) the person or group making the assessment-the internal auditor, and
(3) the person or group using the assessment-the user.

Consulting services are advisory in nature, and are generally performed at the
specific request of an engagement client. The nature and scope of the consulting
engagement are subject to agreement with the engagement client. Consulting ser-
vices generally involve two parties: (1) the person or group offering the advice-the
internal auditor, and (2) the person or group seeking and receiving the advice-
the engagement client. When performing consulting senrices the internal auditor
should maintain objectivity and not assume management responsibility.

Development of lnternal Auditing Practice

The internal audit function is not a profession that rose overnight. It has been in our
history since 3500 sc with the use of tick marks as a form of verification during the
Mesopotamian civilization. The evolution of internal auditing practice is shown in
Table 1.1.

. The rise of audit during the Industrial Revolution in England.

. The Foreign Corrupt Practices Act 1977 demands for IA to assist management
in complying with the act.
Part One lntroduction to Internal Auditing

TABLE 1.1 | Evolution of lnternal Audit Profession

Provi d es
appraisal of control and Perfor
organ zation

Functionsas junior sibling to independent Establishes itself as a distinctive discipline'

accounting profession.
lq to

. Treadway Commission
- In 1987, recommended the need to establish an effective and objective
internal audit function and to coordinate internal auditing with external
auditing.
.Inlgg2,producedarePortonlnternalControl-IntegratedFrameworkthat
emphasizes the importance of internal control in organizations.
In Malaysia, the evolution of the internal audit function started in the 1970s with the
establishment of an internal audit unit in the Ministry of Defence'

. In 1970, the Ministry of Defense set up its internal audit unit'

. ln t979,the Federal Government issued a circular expanding the establishment
audit.
of lA to other ministries with a broader role that included operational
. In 1993, the Ministry of Finance requested all government-owned organizations
to set up an audit committee:
- To protect government interest as a shareholder'
- To oversee the internal audit function in these organiz2tions'
. Internal auditing in private sector: /
- Mainly focuses on evaluating the efficiency and /fectjness of the internal
control systems and compliance. I I
it for all public listed orlanizations to establish
- Since 1993, is mandatory
independence
their audit committees to monitor accountability, governance,
and objectivity of their internal audit department'
- Bursa Malaysia Listing Requirements, amended in 2008' has mandated
publiclistedorganizationstosetuPaninternalauditfunction.

Roles and Responsibilities of lnternal Auditors

areas in an
The roles and responsibilities of internal auditors cover three broad
organization-risk^ management, control and governance' Internal auditors shall
management in terms of
not assume management'i responsibilities, but support the
reliability of financial and man-
ensuring efficienJy and effectiveness of operations,
may
ug.r.r.rri r.porting and compliance with laws and regulations. Internal auditors
uiro b" involved in fraud urrditr to identif,i potentially fraudulent acts, participating
in fraud investigations under the direction of fraud investigation professionals
and conducting post-investigation fraud audits to identify control breakdowns
and establish fiirancial loss. Internal auditors are not responsible for
the execution
of company activities; however, they may advise management and the board of
 Chapter L Owrriew of Internal Auditing

directors on how to better execute their responsibilities. Internal auditors can have
access to every part of an organization's operations, and have unlimited access to the
company's personnel, records and physical properties.
iid The roles and responsibilities of internal auditors with respect to risk manage-
ment, control and governance include:

Risk monagement
. Test-check the adequacy of risk management processes, models and systems
. Educate and create awareness among the management and staff concerning the
risk issues
. Assist the management in developing risk management framework and its
implementation
. Provide feedback on the appropriateness of risk management infrastructure
ctive
ernal Control

r that . Assess the effectiveness of the organization's internal control system, including
the adequacy ofcontrol model or design
h the . Monitor management's compliance with the organization's code of conduct and
ethical policies
. Review corporate policies relating to compliance with laws and regulations,
conflict ofinterests
ment . Analyze the controls for critical accounting and management functions
L . Provide feedback and reporting on control deficiencies
tions
Governonce
. Advise on the adequacy and appropriateness of the composition of the board of
directors
. Assess the effectiveness of the board of directors in discharging their duties
ternal
. Ensure that internal audit chartet role and actirrities are clearly understood and
responsive to the needs of the audit committee and the board of directors
rblish
ilence
. Help keep the board informed on any matters related to the companyt interest

dated Differences between lnternal Auditor

and ExternalAuditor
Internal auditors may at times be perceived as redundant when compared to exter-
nal auditors. Their functions are in fact different in several aspects, and are summa-
ln an
rized in Table 1.2:
i shall
ms of TABTE 1.2 | Different Features of lnternal Auditor and External Auditor

man- INTERNAL AUDITOR EXTERNAL AUDITOR

s may
Reporting responsibility Reports to audit committee/ Reports to shareholders
Pating'
board of directors
ionals
lowns Status Ir: generai part of an o!'qaniza ls an independent aontiaclot a

;ution tron s etrlployees iat times. tt third partv

ud of can be o,rtsourcedl

(Continued)
TABLE 1.2 | (Continued)

INTERNAL AUDITOR EXTERNAL AUDITOR

Stakeholder Serves third party needing

reliable fi nancial performance
report

&i &it{iW.{ . ,Jeilt :,cieni (}f rhe .liiiv;- Sird.pend"r,t g

:. - , r'jr.,
"*""age-
rfleflt and the board ofditE€-
'. :a;r!;:il
i l,1i:
t- .-,, i,,j iii ii,a r:r,+il1
"1:1j
@s' both in fa€t and rAental
.-;. : ri,:. ,i ail ,:ip,rc,nI_r ll ettifl.tr&,
,:::.i.:lt,iP(iPl-11

Responsibility towards fraud ls incidentally concerned with

the prevention and detec-
tion of fraud in general, but
is directly concerned when
financial statements may be
materially affected.

Scope of work ! 11,..11... !l(.t!a-f jrjiri,.:,-t rnlrili

.
Revievus the ffnamial stfie-
dilir ri!{ ilanJopll)eal ill,-l- ,&&
, I ),!r': Ia ell:rrlra l l'le ar-aiJl rnen$ are free frsn.materb I
' ; l.-! r;:; rni sstaternents ard expr$ses
opinbn whether the fnrarrid.
,!.1i@1t6ry :9l,rysryr
fdr view.

Timing and frequency of audit Reviews records supporting

financial statements periodi-
cally (usually once a year) and
focuses on the accuracy and
understandability of historical
events as expressed in financia
statements.

Professional qualification Not necessary, but may acquire -Pgrg 69 3 rnember of

a Certifieci lnternal Auditor Malaysian krstirute of Accodn-
(ciA). tans ffiA) and beffanted
audit liqence by ttre mnistry
of Frnance (MoF) before b,eirq
oesogrilzed at a Chanered
Ac<ountant{CA}

Organizational Status of lnternal Audit Function

To achieve the objectives of having an internal audit function within an organiza-
tion, the internal auditor must have adequate authority and freedom to carry out
the audit activities. It is important to establish that internal audit is a function that is
essential in the organization and thus cooperation from organizational members is
necessary. In the event this fails, the effectiveness of the internal audit function will
be diminished.
In order to have the necessary status, the internal audit function must rePort
functionally to the audit committee (board of directors) and administratively to the
top management (CEO). The internal auditors need to be supported by both the
audit committee and the board in order to make sure that those who are audited
cooperate with them. The support of the board and audit committee will demon-
strate that the work is viewed as imPortant for the organization. If the board and
 Chapter I Overview of Internal Auditing

audit committee do not support the work of the internal auditors, others in the orga-
nization will not support the efforts of the internal auditors either.
The correct level of organizational status will provide the internal audit depart-
ment with organizational independence. This means that the internal audit func-
tion must not have any direct relationships with the departments it will be auditing.
Reporting directly to the audit committee and also having policies about the assign-
ment of internal auditors to engagements in departments where they previously
worked may strengthen internal auditors' independence.

Overview of the Relationship between lnternal Auditor

and Various Stalrcholders
Internal auditors co-exist with other stakeholders, and they shall maintain a harmo-
nious working relationship with various stakeholders, which include the board of
directors, audit committee, senior management and external auditors.

Boord of directors
The board of directors has a critical role in discharging its governance duty in an
organization. Their responsibilities include driving and supporting the internal audit
process. Internal audit function requires strategic direction and adequate mandate to
exercise their duties, and in this regard the board of directors has to ensure inter-
nal auditors are not alienated both in terms of existence and function. The board of
directors must allow internal auditors to carry'out their duties independently and
ensure that internal auditors can perform their work free from interference.

AuditCommittee
The audit committee forms a part of the board committee and has a direct role in ensur-
ing that the internal auditors perform their work independently and meet the organiza-
tional expectations. Audit committee shall safeguard the interest of the internal auditors
and ensure that internal audit charter, activities and process are appropriate. Audit
committee must also ensure that internal audit charter, role and activities are clearly
understood and responsive to the needs of the management and board of directors.

Senior Monogement
Senior management shall not interfere in the internal audit activity, and similarly inter-
nal auditors shall have no influence on the operational conduct of an organization.
Internal auditors and senior management must co-exist and should clearly under-
stand the demarcation of their function. If this demarcation is failed to be observed,
n\7.4-
the function of internal auditors to work independently will not be achievable.
t out
rat is Externol Auditors
lrs is Internal auditors and external auditors have distinct functions; however, their paths
r will do cross in certain areas. Both parties have to clearly understand their roles and
responsibilities and co-exist to complement each other.
ryort
o the
I the Types of Internal Audit Engagements
dited There are many types of internal audit engagements that can be conducted by inter-
mon- nal auditors, but broadly classified into assurance and consultancy. The different
I and types of internal audits have different purposes and characteristics that only apply to
rt One Introduction to Internal Auditing

appropriate circumstances and risk assessments.

The following provides six types of
internal audit engagements:

FinanciolAudit
Independent evaluation to attest the fairness, accuracy
and reliability ofthe financial
data. Internal auditors conduct audits by focusing
on a financial ,yste-,s control to
ensure that the contror is adequate and effective
in safeguarding the accuracy and
reliability of the financial statements. This audit has
a different focus than the finan_
cial audit performed by external auditors.

Operationol Audit
Assessment of methods of operations and evaluation
on how to improve performance
of an area, department or functionar operation.
This pro."r, urr.rr.r'the adequacy, effi_
ciency and effectiveness ofcontrol procedures
to meet the objectives oforganizations.

Monogement Audit
Assessment of_the competencies and capabirities
of an organization,s management
in order to evaluate their effectiveness, especiany
with..g;t;;;;fo.mututron
implementation of strategic objectives, pori.i", "nd
and procedures of the business. The
objective of a management audit is noi to appraise
the performance of individual
executives, but to evaluate the management
team of a uniior the entire organization.

Complionce Audit
Assessment of an organization's adherence
to applicable rules and laws that may
originate internally or externally. The audit process may assess the extent of compli_
ance with internal policies, regulatory rures
and requirements u"Juppri.uure raws.

I nformation System/I nformotion Technology Aud it

Assessment of computer systems and management of information, incruding
the integrity of information. Invorves appraisJ -"-p*r.,
and testing or systems
through the various stages of system deveiopment-pranning,
anarysis, design and
implementation.

Froud/Forensic Audit
An in-depth investigation into any irregurarities such
as reported fraud or anega_
tions. Its scope is in the area specified to-determine
modus operandi and collection
ofevidence to support the case that would eventually
lead t" r"g"r .;"r.quences.

The lnstitute of lnternal Auditors of Malaysia (llAM)

The Institute of Internar Auditors Maraysia (IIAM)
is a non-profit organization
dedicated to the advancement_and development
of the interna lrJit p.or"ssion in
Malaysia' IIAM was established in 7977 as a chapter
of the Institute of Internal Audi-
tors Inc. (usA) and elevated to the status of a National
Institute in 19gg. In /uly
1994' IIAM was incorporated as a company
Limited by guarantee urrd b..u-. u,
affiIiate of the Institute of Internal Auditors inc. (USA).
IIAM provides various services for both members and
non-members:
' certification-offering certification for certified Internar
Auditors (cIA), cer_
tified Financiar Services Auditor (CFSA), certified
Government Auditing pro-
fessional (cGAp) and certification in control
Self-Assessm..,t riiial,
 Chapter I Overview oflnternalAuditing

es of . Professional develc
training.
. Guidance and adv
technical enquiries
rcial . Surveys-conducti
)l to others, Bursa Mala
and
. Quality assurance
tan-
Assurance and Im1

Members of IIAM rece at

expected to comply wit teg
.ance
rity, objectivity, confidt rh
behaviour of internal ar
,em-
ions.
Career Prospects for Internal Auditors
A minimum bachelor's deE au(Irlor
nent
whilst having relevant pro Interna
r and
auditors, once they join ar,: .rs gain.
The
ing adequate experience an ut as ar
idual
entry-level internal auditor. ral audi
tion.
suPervlsor/manager and a Lal audi.
department, commonly by
internal auditor (CIA). Pr<
nay nally in the organization o
Pli- bigger organizations. Career development prospects are enhanced fr
s- tors who are flexible and
anyone who specialize in r

tions, such being a charl

as
dlng Internal auditins pro\,
lems an organization's internal operations and how they work and at the s

and some key transferable skillr

to move into other areas o{
the knowledge of how the rcq
by being an internal audit< 2n,
ailega- and understanding during
lection organization.
les.
Internal auditors may r

sultant and be self-employ

base that often takes severa
r)
ization
iion in
lAudi-
tn fuly . SLTMMARY
llne an Reler.ant authorities thrt;uql-rorri iirt I ,iri,:t:.r'' ,, r('i!: i:r'a l:1,- ,,,r-l

nifici,rnce of an internaL aiidii i.irirr ti,:r: lii.r:' .l ;li.ililr r :;i l,r,! l, i ,\

than ever before. Tlieil iLrir.ti,-;i; .:r,.1 'l

tors; nr:r,ertheless, thet, {-.onliIi:!i-ririrI

I, Uer-
g Pro-
irait (,nr. ltiit,,tt!itrii,,', :. lii!.'t t.,, ",,iit'

internal allditing risk,:ma:raggm!nt

intelnai iruditors

I sr I F*REVIEW OUESTIONS I nte

Frar