
Internal Audit

Starting The Internal Audit

Engagement Letter Auditee Management

1. Addressee.
The communication should be addressed to the manager directly responsible for the unit being audited.
2. Objectives and scope of the planned audit.
The auditee should be clearly advised of the purpose of the planned internal audit and the areas it will cover.
3. Expected start date and planned duration of the audit.
4. Persons responsible for performing the review.
5. Advance preparation needs.
6. Engagement letter copies.
Internal Audit Field Survey
1. Organization.
The auditor should confirm that organization charts, whether online or on paper, are correct and include the
names of key personnel.
2. Manuals and directives.
Copies of applicable policy and procedure manuals should be reviewed, extracting data of interest for the audit workpapers.
3. Reports.
Relevant management reports and minutes of meetings covering areas appropriate to the audit – budgeting,
operations, cost studies, and personnel matters, and the results of any inspections or management reviews as
well as actions taken – should be analyzed.
4. Personal observations.
A tour or walk-through of the activity familiarizes the internal auditor with the entity, its basic operation,
personnel, and space utilization.
5. Discussion with key personnel.
Discussions with key personnel in the area being audited help to determine known problems, the current results
of the unit’s operations, and any planned changes or reorganization.
The Audit Activity Structure and Strategy
Internal audit activities are divided into two or three segments.

Administrative
- Chief Audit Executive
- Audit assistant executive
- Personnel Director

Support
- Policy and procedures
- Information System Specialists
- Actuarial specialist
- Report processing (editing, illustrations, audiovisual)
- Special staff coordinator (outsourcing and cosourcing)
- Tax specialists

Service Staff
- Financial (budgeting, accounting, asset control)
- Payroll
- Travel
- Library (periodicals, books, information systems)
Operational Segment of the Audit Organization
Type of Audit: Financial, Performance, Compliance
Organization: Organization X, Organization Y, Organization Z
Function: Purchasing, Production, Marketing, Legal
Geographically: New York, Indonesia, Singapore
Product: Product A, Product B, Product C
Types of Auditing
Process Auditing
Many internal audit activities are auditing products, organizations, financial accounts, or geographical locations
of activity.

Some of the benefits of this process auditing are:


Internal audit reports normally relate to major activities of the organization; those that are essential to surviving
and growing and of interest to top management.

Familiarity of the internal audit staff with the process operations

A structure where internal audit findings are brought to senior management’s attention.

There is a continuity of internal audit supervision. Advice and consultation relative to problems in the process.

The decentralization and downsizing produces audit reports issued promptly after the completion of field work.
Types of Auditing
A means of implementing less material findings relative to supporting activities at a lower level of support
management.

A cohesion between the internal audit staff and the process personnel developing into a unity of objective, the
well-being and productivity of the process.

Evaluation of the processing of transactions through information systems operations.

The online audit operations would be ongoing and would audit continuously.

The artificial intelligence could also point to where the weak point in the controls existed and could even suggest
a probable malefactor.
Value Added Concept
Guidance resulting from several internal audit activities:
1. Become a catalyst for change.
2. Make auditing more collaborative.
3. Use self-assessment to buy in.
4. Bring business staff into auditing.
5. Concentrate on business risk.
6. Aim to increase profits.
7. Attack problem areas, such as health-care costs.
8. Share technology with business units.
9. Align with customers.
10. Issue audit advisories company wide.
11. Conduct preventive auditing.
12. Reduce external auditor costs.
13. Place auditors in special assignments.
14. Get the audit report out fast.
15. Go back to basics.
Developing Audit Manuals
Audit manuals instruct staff auditors how audit operations should be carried out, provide for stability,
continuity, standards of acceptable performance, and the means of coordinating the efforts of people or units
within the auditing organization.

Prevent individuals from going off in different and inconsistent directions

Establish standards that lift the level of performance

Provide some assurance that the auditing activity’s final product meets the executive’s standards.

The audit manuals are a mirror of the philosophy of the individual audit activity and its executive.
Grouping in Internal Audit Function

Internal Audit Function

Technical Function
The job of conducting internal audits meets acceptable standards.

Administrative Function
The internal audit activity, as a unit, runs smoothly.

Miscellaneous Function
To provide answers to the complete spectrum of day to day problems that arise in the audit activity.
Technical Functions
The technical audit manual will guide the performance of an internal audit.
Objectives of the audit.
Establish the scope of the audit project so that an audit program can be written.

Theory of the audit.
Establish the audit approach.

Scope of the audit.
Describe audit scope.

Preliminary reviews.
Provide guides on the matters to be considered in the initial phase of audit: the review of prior working papers, the research of internal auditing literature on the activity to be reviewed, and the examination of organization charts, correspondence, and relevant organization reports and directives.

Preliminary discussions.
Identify the levels of management where the preliminary discussions should be held, the nature of the assistance the auditors may offer to management, and the explanations they should make of the audit objectives, approaches, and programs.
Technical Functions

Preliminary surveys.
Indicate the nature of the preliminary survey, the kind of information to be obtained, the ways in which it can be obtained, and the uses of the information.

Audit Programs.
The requirement for each segment of the audit program so as to be tailored to the particular assignment to determine operating objectives and related controls. Show the detail with which the programs should be prepared. Show the relationship to risk assessment and to the preliminary survey.

Working Papers.
Establish standards for the structure of working papers, for methods of summarizing data, for indexing and cross-referencing work sheets, and for appropriate reviews.

Budget and Schedules.
Describe the controls to be exercised over the audit project to assist in the compliance with budget and schedule constraints.
Technical Functions

Procedure for reviews with clients.
Set forth policies on reviews of findings, obtaining corrective action, the evidence of corrective action needed to close a finding, and the levels at which findings should be discussed.

Report Writing.
Provide guidelines on the format of reports, their length, the philosophy of reporting (problems only, or comprehensive analysis of and opinions on the activity reviewed), and the levels of management which receive the report.

Replies to reports.
Provide instruction on how to deal with replies, what action to take if they are not acceptable, and how to close reports in which the internal auditor finds the replies acceptable.
Administrative Function
Administration
1. Organization of the audit activity.
2. Audit office filing system.
3. Reference library.
4. Supplies
5. Time Reports
6. Housekeeping
7. Security requirements
8. Miscellaneous correspondence
9. Periodic administrative reports

Personnel
1. Methods of recruiting
2. Personnel records
3. Code of conduct
4. Travel instructions and expense reports
5. Staff evaluations
6. Incentive awards.
7. Reporting Injuries.
8. Jury duty
9. Military duty.
10. Separation Procedures

Audit Projects
1. Assignment of the audit project
2. Human relations – dealing with client.
3. Permanent files for audit projects.
4. Budget estimates for audit projects.
5. Requests for program revisions or budget adjustments.
6. Uses of statistical sampling.
7. Uses of computers on audit projects.
8. Preparation and safeguarding of working papers.
9. Destroying working papers.
10. Exit interviews with clients.
11. Closing audit projects.

Audit Reports
1. Interim or progress reports.
2. Supervisory review of audit reports.
3. Proofreading, reference checking, and processing final reports.
4. Distributing audit reports
5. Request for copies of audit reports
6. Report filing & retention.
7. Handling classified audit material.
The Qualities of Professional Internal Auditors
1. Knowledge and skills :
a. Proficiency in applying internal auditing standards, procedures, and techniques is required in
performing engagements.
b. Proficiency in accounting principles and techniques is required of auditors who work extensively with
financial records and reports.
c. An understanding of management principles is required to recognize and evaluate the materiality and
significance of deviations from good business practice.
d. An appreciation is required of the fundamentals of such subjects as accounting, economics, commercial
law, taxation, finance, quantitative methods, and information technology.

2. Internal auditors should be skilled in dealing with people and in communicating effectively.

3. The chief audit executive should establish suitable criteria of education and experience for filling internal
auditing positions, giving due consideration to scope of work and level of responsibility.
4. The internal auditing activity should collectively possess the knowledge and skills essential to the
practice of the profession within the organization.
Audit Assignments
Factors that should be considered in audit management:

1. The Nature & Complexity of the Audit Engagement.
Provide reasonable assurance: audit team collectively possess the knowledge, skills, and discipline to complete the audit in a professional manner.
2. The need for objectivity.
Assignments should take into account any potential for conflict of interest or bias.
3. The desirability of rotating assignments.
To enhance objectivity, provides a fresh look at and a new perspective on the engagement.
4. The need for supervision.
Supervision will depend on the nature and complexity of the assignment as well as experience, knowledge, and proficiency of the auditors.
5. The need for developing and training staff auditors.
Providing experience through different types of assignments with varying degrees of complexity and subject matter and under different supervisors will lead to the development of a better audit staff.
The Audit Operation

Staff Innovation & Productivity

Five Central Focus :


- Develop partnership with customers.
- Provide cost effective services.
- Strive for continuous improvement.
- Develop diversity, empowerment, innovation, and
team work among staff members.
- Open communication in all directions.
Plans for Internal Audit

Determine the audit objectives.


To establish plans for internal audit activities that typically
cover a fiscal-year period, based on management and
audit committee requests, audit staff capabilities, the nature
of prior audit work, available resources, and general risks
facing the enterprise.

Audit Schedule and Time Estimates.


Preliminary time estimates are established and
time frames set for performing each audit.

Internal Audit Preliminary Surveys.


Review of prior workpapers; knowing the amount of time
from the prior audit; review of prior audit reports;
organization of the entity; other related audit materials.
Starting The Internal Audit

Engagement Letter
To inform the auditee of when the internal audit is scheduled, who will be performing the review, and why the audit has been planned (regularly scheduled audit, management or audit committee request, etc.).

Addressee.
The communication should be addressed to the manager directly responsible for the unit being audited.

Objectives & Scope of the planned audit.
The auditee should be clearly advised of the purpose of the planned internal audit and the areas it will cover.

Expected start date and planned duration of the audit.
Understanding of the timing of the audit.

Persons responsible for performing the review.
The in-charge auditor should be identified for this planned audit.

Advance preparation needs.
Any requirements needed in advance of the field visit or at the audit site should be outlined.

Engagement letter copies.
Copies of the engagement letter should be directed to appropriate persons in the enterprise with a need to know.
Internal Audit Field Surveys
1. Familiarize themselves with the major local processes in place;
2. Evaluate the control structure and level of control risk in the various processes and systems included within
the audit.

1. Organization.
Confirm organization chart, familiar with functional responsibilities and key people involved in the operations.
2. Manuals and Directives.
Copies of applicable policy and procedure manuals.
3. Reports.
Relevant management reports and minutes of meetings covering areas appropriate to the audit – budgeting, operations, cost studies, & personnel matters & the results of any inspection or management reviews should be analyzed.
4. Personal Observations.
A tour or walk-through of the activity familiarizes internal auditors with the entity, its basic operations, personnel, and space utilization.
5. Discussion with key personnel.
To help determine known problems, the current results of the unit’s operations, and any planned changes or reorganizations.
Developing and Preparing Audit Programs

Audit Programs: a procedure describing the steps and tests to be performed by the auditor when actually doing fieldwork.

To perform audit procedures in a consistent and effective manner for similar types of audits.

After the completion of the preliminary and field surveys and before starting the actual audit.
Types of Audit Evidence
Audit Evidence: covers everything an internal auditor reviews or observes in support of the auditor’s
evaluation – what internal audit standards call sufficient, competent, relevant, and useful audit evidence.

Internal Audit “Best Evidence” Classifications


Evidence Classification | Strongest | Weakest
Audit Procedures/Technique | Observation/Confirmation | Casual Inquiry
Origin of the evidence | Corroborative Materials | Underlying Statistics
Relationship of the Auditee | External Document | Auditee Internal Document
Form of Audit Evidence | Written with signatures | Oral Comments
Sophistication of Evidence | Formal Documentation | Informal (Notes)
Location of Evidence | Connected to area reviewed | Derived/Supporting Materials
Source of Audit Evidence | Product of Internal Audit Work | Other Supporting Materials
Internal Audit Fieldwork Initial Procedures

Technical help to perform an internal audit: should be familiar to the audit team; if it is not, seek assistance.

Potential Audit Findings: audit preliminary findings sheet to describe deficiencies or opportunities for improvement that were identified during the audit.

Audit Management Fieldwork Monitoring: review the audit’s progress and provide technical direction through visits and communications; resolve problems encountered.
Elements of Preliminary Audit Findings
1. Identification of the findings.
An identification for the audit and a description of the potential findings.
2. The conditions of the completed audit.
To give management an understanding of the conditions found.
3. References to the documented audit work.
The audit point sheet should contain cross-references to the step in the audit program that initiated the comment, as well as where it is documented in the audit workpapers.
4. Auditor’s preliminary recommendations.
Audit report space should be used to document the nature of the potential audit finding and what was wrong.
5. Results of discussing the findings with management.
The in-charge auditor should discuss all potential findings on an informal basis with the manager directly responsible for the matter.
6. Recommended Disposition of the matter.
On the basis of the conversation with management, the in-charge auditor should include comments on the recommended disposition of the findings.
Audit Program and Schedule Modifications

The audit program is the overall guide for conducting an internal audit.

[Diagram: New Evidence, Changes in supporting systems, and Other Changes in conditions lead to Adjustment]
Reporting Preliminary Audit Findings to Management

The identification of areas where the unit reviewed is not in compliance with good internal control procedures and where improvements are needed.

[Diagram: Preliminary Findings that are factual and appear to be significant are discussed with the unit supervisors directly responsible and with Unit Management]
Internal Auditing in A Big Data Environment

[Diagram labels: Issue Surrounding the Big Data: Velocity, Volume, Variety & Veracity; Risk; Reviewing Systems and Processes; Big Data in Internal Control Issues; IT Applications]
Enterprise Content Management (ECM)

ECM: the strategies, methods, and tools used to capture, manage, store, preserve, and deliver content and documents
related to enterprise processes (in the form of a paper document, an electronic file, a database print stream, bar code images,
even an e-mail).

ECM is an umbrella term covering document management, web content management, search, collaboration, records management, digital asset and workflow management, documents capture and scanning processes, etc.

- Improved Efficiency
- Better Internal Controls
- Reduce costs
ECM Overview
[Diagram: Enterprise Content Management with related components, including Business Process Management, Record Management, Document Management, Web Content Management, Digital Asset Management, Imaging, Archiving, Collaboration, Cloud, Mobility, and Online Video]
Auditing Big Data Internal Controls
I. Big Data Application Selection Criteria.
a. Review data volume, transaction activity statistics, and other factors to identify enterprise big data applications.
b. Document scope of identified big data applications, including other system feeds and internet connections.
c. Use internal audit planning risk assessment tools to evaluate big data applications risks and appropriateness for reviews.

II. Big Data Enterprise Environment Factors
a. Document special software used for big data applications and determine that versions are regularly updated.
b. Determine that general IT controls from other reviews are in place and operative for identified big data applications.
Auditing Big Data Internal Controls
III. Applicability and Relevance of Big Data Sources.
a. Review and document the types and sources of processes that supply data to identified big data applications.
b. Review controls in place to accept only data from relevant sources.
c. Determine that data governance rules have been established and have been appropriately communicated to application users.

IV. Collect Information from Appropriate Sources.
a. Determine that security controls have been installed to only accept valid, authorized input transactions.
b. Review procedures for authorizing and validating input transactions to determine that transactions appear to come from only valid sources.
Auditing Big Data Internal Controls
V. Integration and Verification of Collected Information
a. Review logging and cut-off procedures to determine that the timing of input transactions is tracked.
b. Review error logging procedures for selected application and determine that appropriate accept/reject processes are in place.
c. Review customer service processes to assess controls to adjust errors and correct system input problems.

VI. Information Storage and Retrieval Processes.
a. Determine that transaction and process activity is sufficiently retained and is consistent with enterprise continuity management controls.
b. Assess whether clear audit trails are part of the selected big data application.
Auditing Big Data Internal Controls
VII. Information Classification and Analysis
a. Assess and review analytical review processes in place.
b. Determine that the big data system reviewed
c. Determine the data quality rules have been implemented that appear appropriate for the application reviewed.
d. Interview several big data application users to assess whether they have a good understanding of the application reviewed and its controls and error review techniques.

VIII. Identification of big data user controls.
a. Review controls to allow various classifications of users to access the big data application reviewed.
b. Select a sample of several recently recorded application transactions and determine that they were performed by authorized persons.
c. Determine that input and application controls have been documented and communicated to the user community as appropriate.
Auditing Big Data Internal Controls
IX. Linkages with other related applications.
a. Through discussions with the IT database administration function and other users, identify other applications that interface with this big data application and assess whether linkages appear appropriate.
b. Determine that adequate traffic reports are available to monitor activities with other applications.

X. Cut-off and Balancing Controls.
a. Determine that automated balancing procedures are in place to determine that balancing controls are adequate.
b. Assess the appropriateness and relevance of the big data application reviewed as an element of the enterprise’s IT assets.
ECM Internal Audit Review Procedures
1. Organization ECM status.
a. Meet with enterprise IT management to review the current software installed and the status of current ECM plans and
activities.
b. Review and assess the adequacy of current and long-range plans for enterprise ECM activities.
c. Review and document features of the current ECM application and the number of personnel with rights.
d. Determine that procedures and other policies have been established to manage ECM processes.

2. ECM software status


a. Document and obtain understanding of the software installed to manage ECM operations.
b. Determine that procedures and controls have been established for ECM software and appropriate personnel were trained
to manage it.
c. Assess whether adequate error handling and revision control procedures have been established for ECM software.

3. ECM strategic planning


a. Meet with members of the CEO’s office to determine that there is an effective long-range plan in place for implementing
ECM in the enterprise and assess progress toward any plan goals.
b. Meet with key members of other enterprise functional groups, such as sales or quality management, to determine their
activities are consistent with ECM goals.
c. Assess whether effective project management techniques are being used to build and develop ECM processes.
ECM Internal Audit Review Procedures
4. ECM compliance issues
a. Determine that the ECM process supports major enterprise compliance issues.
b. On a test basis, determine that the ECM process provides significant support for Sarbanes-Oxley Act
compliance issues.

5. ECM cost issues


a. Review enterprise processes to monitor the hourly human resources, and software and equipment costs of
building and maintaining ECM facilities.
b. Determine that return on investment or similar techniques are used to evaluate installed ECM components.

6. ECM collaboration
a. Assess whether the installed ECM allows collaboration across multiple technologies, such as instant
messaging, whiteboards, social media, and others.
b. Assess whether goals have been established for implementing collaboration techniques, such as better records
management, knowledge capture, and improved compliance.
ECM Internal Audit Review Procedures
7. ECM continuity issues
a. Determine that ECM processes have been closely integrated with enterprise continuity planning processes.
b. Determine that ECM continuity processes are tested at least annually and that processes are updated to the
plan with application changes.

8. ECM internal controls


a. Assess whether the ECM is consistent with the COSO internal control framework.
b. Determine that all processes tied to the enterprise ECM process have been mapped, with an ongoing objective
of streamlining them for minimum results.