POST-TEST L1 INTRODUCTION TO INTERNAL AUDITING

1. Why do you think an Internal Auditor shall comply with the International Standards for the
Professional Practice of Internal Auditing in conducting an internal audit engagement?

The International Standards for the Professional Practice of Internal Auditing as part of The
IIA’s Professional Practices Framework outlines the tenets of the internal audit profession.
Other applicable guidance, pronouncements, and regulations may have an impact on how
internal auditing is performed; and may provide clarification and delineation of acceptable and
recommended processes.

The Institute of Internal Auditors (IIA) is the internal audit profession's acknowledged leader, recognized
authority, and principal educator. Although the practice of internal auditing is not regulated, The IIA
provides comprehensive guidance for the profession through its Professional Practices Framework (PPF).
The PPF comprises the official definition of internal auditing, the International Standards for the
Professional Practice of Internal Auditing (the Standards), the Code of Ethics, Practice Advisories, and
development and practice aids. Compliance with the Standards and the Code of Ethics is mandatory for
all members of The IIA and Certified Internal Auditors (CIAs). The IIA also provides guidance on
assessing, maintaining, and improving quality within the internal audit activity.

Public sector auditors are required to comply with specific governmental guidelines. For example, in the
U.S., government audits are performed in accordance with the General Accounting Office s Government
Auditing Standards (the Yellow Book); government auditors in the United Kingdom comply with the HM
Treasury’s Government Internal Audit Standards; and in Canada, government auditors perform in
accordance with the Office of the Auditor General’s Comprehensive Auditing Manual. In addition, many
public sector audit groups are members of the International Organization of Supreme Audit Institutions
(INTOSAI), and thus adhere to the auditing standards promulgated by INTOSAI.

Several professional organizations offer certification programs. The IIA’s Certified Internal Auditor®
(CIA) is the only globally accepted certification for internal auditors and remains the standard by which
individuals demonstrate their competence and professionalism in the internal audit field. The IIA also
offers several specialty certification programs, including the Certification in Control Self-Assessment
(CCSA); the Certified Government Auditing Professional (CGAP); and the Certified Financial Services
Auditor (CFSA). ISACA offers the Certified Information Systems Auditor (CISA) certification; the
Association of Certified Fraud Examiners offers the Certified Fraud Examiner (CFE) certification; and
the Board of Environmental, Health and Safety Auditor Certifications (BEAC) offer the Certified
Professional Environmental Auditor (CPEA). - FAQs on Internal Audit by IIA (2004).

2. Is the Internal Audit function important in a business organization? Why?

Yes. A cornerstone of strong governance, internal auditing bridges the gap between management and the
board, assesses the ethical climate and the effectiveness and efficiency of operations, and serves as an
organization’s safety net for compliance with rules, regulations, and overall best business practices.

The purpose of auditing internally is to provide insight into an organization’s culture, policies,
procedures, and aids board and management oversight by verifying internal controls such as operating
effectiveness, risk mitigation controls, and compliance with any relevant laws or regulations.
Internal auditing programs are critical for monitoring and assuring that all of your business assets have
been properly secured and safeguarded from threats. It is also important for verifying that your business
processes reflect your documented policies and procedures. As per Morris (2017) the following are the “5
Reasons Why an Internal Audit is Important”:

● Provides objective insight - You can’t audit your own work without having a definite conflict of
interest. Your internal auditor, or internal audit team, cannot have any operational responsibility
to achieve this objective insight. In situations where smaller companies don’t have extra
resources to devote to this, it’s acceptable to cross-train employees in different departments to be
able to audit another department. By providing an independent and unbiased view, the internal
audit function adds value to your organization.
● Improves efficiency of operations - By objectively reviewing your organization’s policies and
procedures, you can receive assurance that you are doing what your policies and procedures say
you are doing, and that these processes are adequate in mitigating your unique risks. By
continuously monitoring and reviewing your processes, you can identify control
recommendations to improve the efficiency and effectiveness of these processes. In turn,
allowing your organization to be dependent on processes, rather than people.
● Evaluates risks and protects assets - An internal audit program assists management and
stakeholders by identifying and prioritizing risks through a systematic risk assessment. A risk
assessment can help to identify any gaps in the environment and allow for a remediation plan to
take place. Your internal audit program will help you to track and document any changes that
have been made to your environment and ensure the mitigation of any found risks.
● Assesses organizational controls - Internal auditing is beneficial because it improves the control
environment of the organization by assessing efficiency and operating effectiveness. Are your
controls fulfilling their purpose? Are they adequate in mitigating risk?
● Ensures legal compliance - By regularly performing an internal audit, you can ensure
compliance with any and all relevant laws and regulations. It can also help provide you with
peace of mind that you are prepared for your next external audit. Gaining client trust and avoiding
costly fines associated with non-compliance makes internal auditing an important and worthwhile
activity for your organization.

3. What are the differences of external audit (financial audit) and internal audit (operational audit)?

Although they are independent of the activities they audit, internal auditors are integral to the
organization and provide ongoing monitoring and assessment of all activities. On the contrary,
external auditors are independent of the organization, and provide an annual opinion on the
financial statements. The work of the internal and external auditors should be coordinated for
optimal effectiveness and efficiency.

Internal and external auditors have mutual interests regarding the effectiveness of internal financial
controls. Both professions adhere to codes of ethics and professional standards set by their respective
professional associations. There are, however, major differences with regard to their relationships to the
organization, and to their scope of work and objectives.

The internal auditors are part of the organization. Their objectives are determined by professional
standards, the board, and management. Their primary clients are management and the board. External
auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by
statute and their primary client the board of directors.
The internal auditors scope of work is comprehensive. It serves the organization by helping it accomplish
its objectives, and improving operations, risk management, internal controls, and governance processes.
Concerned with all aspects of the organization both financial and non-financial the internal auditors focus
on future events as a result of their continuous review and evaluation of controls and processes. They also
are concerned with the prevention of fraud in any form.

The primary mission of the external auditors is to provide an independent opinion on the organisation's
financial statements, annually. Their approach is historical in nature, as they assess whether the
statements conform with generally accepted accounting principles, whether they fairly present the
financial position of the organization, whether the results of operations for a given period of time are
accurately represented, and whether the financial statements have been materially affected.

The internal and external auditors should meet periodically to discuss common interests; benefit from
their complementary skills, areas of expertise, and perspectives; gain understanding of each other s scope
of work and methods; discuss audit coverage and scheduling to minimize redundancies; provide access to
reports, programs and working papers; and jointly assess areas of risk. In fulfilling its oversight
responsibilities for assurance, the board should require coordination of internal and external audit work to
increase economy, efficiency, and effectiveness of the overall audit process (FAQs on Internal Audit by
IIA, 2004).

In addition, as stated by Braggs (2019), there are multiple differences between the internal audit and
external audit functions, which are as follows:

● Internal auditors are company employees, while external auditors work for an outside audit firm.
● Internal auditors are hired by the company, while external auditors are appointed by a shareholder
vote.
● Internal auditors do not have to be CPAs, while a CPA must direct the activities of the external
auditors.
● Internal auditors are responsible to management, while external auditors are responsible to the
shareholders.
● Internal auditors can issue their findings in any type of report format, while external auditors
must use specific formats for their audit opinions and management letters.
● Internal audit reports are used by management, while external audit reports are used by
stakeholders, such as investors, creditors, and lenders.
● Internal auditors can be used to provide advice and other consulting assistance to employees,
while external auditors are constrained from supporting an audit client too closely.
● Internal auditors will examine issues related to company business practices and risks, while
external auditors examine the financial records and issue an opinion regarding the financial
statements of the company.
● Internal audits are conducted throughout the year, while external auditors conduct a single annual
audit. If a client is publicly-held, external auditors will also provide review services three times
per year.

4. What are the reasons why the internal auditor function needs to be independent?

To comply with the standard, internal auditors must understand what independence and objectivity are
and what is required in practice. In short, independence and objectivity means that internal auditors and
the internal audit activity have, and maintain, the ability to make unbiased judgement and decisions based
on the audit activities and facts and that they are free from any internal or external interference or
obstruction with functional accountability being to the board, either directly or through an audit
committee (CIIA, 2019).

In accordance with The Institute of Internal Auditors (2014), independence and objectivity are two critical
components of an effective internal audit activity.

Independence & Objectivity

“The internal auditor occupies a unique position he or she is employed by the management but is
also expected to review the conduct of management which can create significant tension since the
internal auditor's independence from management is necessary for the auditor to objectively
assess the management s action, but the internal auditor s dependence on the management for
employment is very clear.”

Therefore, the internal audit activity should have a mandate through a written audit charter that
establishes its purpose, authority, and responsibility to support its independence and objectivity within an
organization.

Internal auditors are independent when they render impartial and unbiased judgment in the conduct of
their engagement. To ensure this independence, best practices suggest the CAE should report directly to
the audit committee or its equivalent. For day to day administrative purposes, the CAE should report to
the most senior executive (i.e., the chief executive officer [CEO]) of the organization. The CAE should
have direct communication with the audit committee which reinforces the organizational status of internal
auditing, enables full support and unrestricted access to organizational resources, and ensures that there is
no impairment to independence. This provides sufficient authority to ensure broad audit coverage,
adequate consideration of engagement communications, and appropriate action on recommendations.
Independence is further enhanced if the CAE reports to the board through its audit committee on the
planning, execution, and results of audit activities. The audit committee is also responsible for the
appointment, removal, and fixation of compensation of the CAE. The committee should safeguard the
independence by approving the internal audit charter and mandate periodically.

5. What is the connection of business controls and the internal audit function? How will it affect the
decision of the Internal Auditor?

Internal (business) Control is made up of procedures, policies and measures designed to make sure that
an organization meets its objectives, and that risks that can prevent an organization from meeting its
objectives are mitigated. While the Internal Audit function is performed by internal auditors. Internal
Control is the responsibility of operational management functions. Another point of contrast is frequency
- an internal audit is a check that is conducted at specific times, whereas internal control is responsible for
checks that are on-going to make sure operational efficiency and effectiveness are achieved through the
control of risks. Some risk experts even say that Internal Control is a part of a company’s day-to-day
management and administration (Manoukian, 2016).

Internal Control is part of the first line of defense because it is the responsibility of Operational
Management, which itself is accountable to Senior Management. Internal Audit is part of the third line of
defense. It even assesses the effectiveness of the first (Operational Management functions) and second
(Risk and Compliance Management functions) lines of defense. Moreover, unlike Internal Control,
Internal Audit may report directly to the Board of Directors and specifically the Audit Committee, in
order to maintain a certain independence and objectivity when assessing other functions in the company
that operate at the first two lines of defense.
Internal Control and
Internal Audit are not
necessarily mutually
exclusive because some of
the procedures and records
comprehended in
accounting control may
also be involved in
administrative control. For
example, sales and cost
records classified by
products may be used for
accounting control
purposes and also in
making management
decisions concerning unit
prices or other aspects of operations. Examples of records used solely for administrative control are those
pertaining to customers contacted by salesmen and to defective work by production employees
maintained only for evaluation personnel per performance.

Effective internal control reduces the risk of asset loss, and helps ensure that plan information is complete
and accurate, financial statements are reliable, and the plan's operations are conducted in accordance with
the provisions of applicable laws and regulations (AICPA, 2014).

In light of the above highlights of internal control and internal audit, it is clear that there is a
complementary relationship where the internal control establishes the controls based on which a business
entity should be managed while the internal audit represents a detective activity, which verifies the
implementation of internal controls. This complementary relationship is further confirmed by the
matching objectives of internal control and internal audit as both disciplines are ultimately intended to
protect the shareholders – the entity’s owners (Baker Tilly Kuwait, 2018).
References:

American Institute of CPAs. (2014). The importance of internal control in financial reporting and
safeguarding plan assets. Retrieved October 24, 2020, from
https://www.aicpa.org/content/dam/aicpa/interestareas/employeebenefitplanauditquality/resources/pl
anadvisories/downloadabledocuments/plan-advisoryinternalcontrol-hires.pdf

Baker Tilly Kuwait. (2018, February 28). Relationship between Internal Control and Internal Audit.
Retrieved October 24, 2020, from https://www.bakertilly.com.kw/en/relationship-internal-control-
internal-audit/

Bragg, S. (2019, July 09). The difference between internal and external audits. Retrieved October 24,
2020, from shorturl.at/jkIV7

Chartered Institute of Internal Auditors. (2019, September). Position paper: Independence and objectivity.
Retrieved from https://www.iia.org.uk/resources/delivering-internal-audit/position-paper-
independence-and-objectivity/#:~:text=In short, independence and objectivity,interference or
obstruction with functional

Manoukian, J. (2016, May 05). What’s the Difference Between Internal Audit & Internal Control? [Web
log post]. Retrieved October 24, 2020, from https://enablon.com/blog/whats-the-difference-between-
internal-audit-internal-control/#:~:text=An internal audit is a,through the control of risks.

Morris, S. (2017, May 11). 5 Reasons Why Internal Audit are Important [Web log post]. Retrieved
October 24, 2020, from https://kirkpatrickprice.com/blog/5-reasons-why-internal-audit-is-
important/#:~:text=The purpose of auditing internally,any relevant laws or regulations.

The Professional Practices Framework, The IIA Research Foundation, January 2004. Retrieved from
https://louisvilleky.gov/sites/default/files/internal_audit/brochures/frequently_asked_questions.pdf