CH01: OVERVIEW OF INTERNAL AUDITING

1. Definition of Internal Auditing (IA) – as adopted by the Institute of Internal Auditors (IIA)’s Board
- An independent, objective assurance and consulting activity designed to add value and improve an organisation’s
operations.
- Helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control and governance processes
2. Key terms:
- Independence & objectivity:
 Independence – the organisational status of the internal audit function.
IA must be independent; IA should have direct access to, report directly to and be accountable to the Audit Committee
 Objectivity – the mental attitude of the individual internal auditors
IA should be free from influence/interference so that they can render impartial/unbiased opinions in their
audit engagements
(should not be involved in day-to-day operations, make management decisions, or be put in any situation that could
lead to a conflict of interest)
- Assurance & consulting activity:
 Assurance activity – the primary purpose; to assess evidence related to the subject matter of interest & provide a
conclusion
 Consulting activity – provides advice and other assistance (should provide recommendations for improvements
to add value & improve an organisation’s risk management, control & governance processes)
- Systematic & disciplined approach:
 The IA function should establish its own policies & procedures to guide every internal audit activity and ensure the
audit services provided are of good quality
- Add value:
 Assurance & consulting activity allows improvements in an organisation’s operational activities to achieve its
objectives and to ensure effective risk management, control and governance processes
- Risk Management:
 Process conducted by the management of an organisation; to understand and deal with risks (uncertainties) that
could negatively affect the organisation’s ability to achieve its objectives
- Control:
 Organisations need effective controls that reasonably assure the safeguarding of the organisation’s assets
against loss – IA is responsible for ensuring that such controls are well established by management
- Governance:
 The act of directing and managing an organisation – IA should assess the corporate governance process and provide
recommendations to achieve effective governance
3. Differences between Internal Auditor & External Auditor:
- Reporting responsibility:
 Internal Auditor – reports to the Audit Committee/Board of Directors
 External Auditor – reports to shareholders
- Status:
 Internal Auditor – part of the organisation’s employees
 External Auditor – a third party
- Independent status:
 Internal Auditor – independent of the activities audited, but ready to respond to the needs & desires of
management
 External Auditor – independent of management and the BoD, in both status and mental attitude
- Responsibility towards fraud:
 Internal Auditor – directly involved with the prevention and detection of fraud
 External Auditor – indirectly concerned with the prevention and detection of fraud, but concerned when the FS
may be materially affected
- Scope of work:
 Internal Auditor – evaluates governance, control & risk management processes to assure the accomplishment of
the entity’s goals and objectives
 External Auditor – reviews the FS to ensure that they are free from material misstatements and expresses an
opinion on whether the FS present a true and fair view
- Timing & frequency of audit:
 Internal Auditor – reviews activities continually, focusing on future events
 External Auditor – reviews the records supporting the FS periodically, focusing on the accuracy and
understandability of historical events as expressed in the FS
- Professional qualifications:
 Internal Auditor – not necessary, but may acquire the Certified Internal Auditor (CIA) qualification
 External Auditor – must be a member of MIA & be granted an audit licence by the MoF before being recognised as a
Chartered Accountant
4. Roles & responsibilities of IA – risk management, control & governance
- Risk management:
 Test-check the adequacy of risk management processes, models and systems
 Educate and create awareness among management and staff concerning risk issues
 Provide feedback on the appropriateness of the risk management infrastructure
- Control:
 Assess the effectiveness of the organisation’s internal control system, incl. the adequacy of the control model/design
 Monitor management’s compliance with the organisation’s code of conduct & ethical policies
 Review corporate policies relating to compliance with laws and regulations, conflict of interests
 Analyse the controls for critical accounting and management functions
 Provide feedback and reporting of control deficiencies
- Governance:
 Advise on the adequacy and appropriateness of the composition of the BoD
 Assess the effectiveness of the BoD in discharging its duties
 Ensure that the internal audit charter, role and activities are clearly understood and responsive to the needs of the
Audit Committee and BoD
 Help to keep the BoD informed on any matters related to the company’s interests
5. Lines of Defence – providing risk assurance (understanding the organisation’s system of internal control & risk
management)
- First line of defence; functions that own & manage risks
 Delivered by business operations to provide an adequate level of assurance – identifying risks, implementing
controls and reporting on progress within their functional areas
 Formed by managers & staff (responsible for identifying and managing the risks)
 Ensure cautious control when absorbing risk into the organisation
- Second line of defence; functions that oversee risks/specialise in compliance/management of risk
 Activities (IC): compliance, risk management, quality, IT and other control departments
 Provides the policies, frameworks, tools, techniques and support to enable risk and compliance to be managed in
the first line of defence
 Monitors and facilitates the implementation of effective risk management practices by operational management
- Third line of defence; functions that provide independent assurance
 Offer an independent approach to audit and assurance in order to monitor
 Ensure that the first two lines of defence are operating effectively and advise how they could be improved
 IA plays a crucial role in assuring robust risk management within an organisation
6. Overview relationship between IA and other stakeholders:
- Board of Directors; in discharging its governance duty in an organisation, it has to ensure that IA is not alienated in
terms of existence and function (must allow IA to carry out its duties independently & ensure that IA can perform
its work free from interference)
- Audit Committee; has a direct role in ensuring IA performs its work independently and meets organisational
expectations – shall safeguard the interests of IA & ensure the IA charter, activities and processes are appropriate
(ensure that the IA charter, role and activities are clearly understood and responsive to the needs of management and
the BoD)
- Senior Management; shall not interfere with the IA activity, & IA shall have no influence on operational conduct –
both must co-exist and should clearly understand the demarcation of their functions (if demarcation fails, IA
independence is not achievable)
- External Auditors; both have to clearly understand their roles and responsibilities and co-exist to complement each
other
7. Types of Audits:
- Financial Audit; attests to the fairness, accuracy & reliability of financial data
- Operational Audit; assesses the adequacy, efficiency & effectiveness of control procedures in meeting the objectives of
the organisation
- Management Audit; evaluates management’s effectiveness, especially with regard to the formulation and
implementation of the strategic objectives, policies and procedures of the business
- Compliance Audit; assesses the extent of compliance with internal policies, regulatory rules and requirements and
applicable laws
- Information System/Information Technology Audit; appraisal and testing of computer systems through the various
stages of system development – plan, analyse, design and implement
- Fraud/Forensic Audit; determines the modus operandi and collects evidence to support a case that may
eventually lead to legal consequences
8. International Professional Practices Framework (IPPF) - a structural blueprint that facilitates consistent development,
interpretation and application of concepts, methodologies and techniques useful to the internal audit profession
Core principles of the IPPF:
- Demonstrates integrity
- Demonstrates competence and due professional care
- Is objective and free from undue influence (independent)
- Aligns with the strategies, objectives, and risks of the organisation
- Is appropriately positioned and adequately resourced
- Demonstrates quality and continuous improvement
- Communicates effectively
- Provides risk-based assurance
- Is insightful, proactive, and future-focused
- Promotes organisational improvement
The IPPF also sets out the Code of Ethics for IA, which states the principles & expectations governing the behaviour of
individuals & organisations in the conduct of internal auditing
9. IIA Code of Ethics:
- Integrity; establishes trust and thus provides the basis for reliance on the auditor’s judgement (honesty,
straightforwardness, trustworthiness)
- Objectivity; rendering unbiased judgement + exhibiting the highest level of professional objectivity in gathering,
evaluating and communicating information about the activity or process being examined
- Confidentiality; respecting the value and ownership of information received, and not disclosing information without
appropriate authority unless there is a legal or professional obligation to do so
- Competency; applying the knowledge, skills and experience needed in the performance of internal audit services
CH03: CORPORATE GOVERNANCE MECHANISM
1. Definition of Corporate Governance:
Process & structure used to direct and manage the business and affairs of the company towards enhancing business
prosperity and corporate accountability with the ultimate objective of realising long-term shareholder value, whilst
taking into account the interest of stakeholders
- CG emphasises transparency in the decision-making process, and fairness and trustworthiness in managing a
company.
- An effective IA function plays a key role in assisting the BoD to discharge its governance responsibilities
2. Function of the Audit Committee (with regard to the MCCG):
Audit Committee is required to ensure that the internal audit function is effective and able to function independently
from the management
- Internal audit personnel are free from any relationship or conflict of interest, which could impair their objectivity
and independence
- The resources of the internal audit dept. shall be adequate and competent to carry out the function
- The internal audit function is carried out in accordance with a recognised framework
- The person responsible for the internal audit must report directly to Audit Committee
- Appointment and removal, scope of work, performance evaluation and budget for the internal audit function must be
determined by Audit Committee
3. Corporate Governance Mechanism:
- Board of Directors; oversees that the organisation is well-governed and that the financial reporting and other
information delivered to the BoD and communicated to other stakeholders are accurate and trustworthy – in part by
establishing an audit committee
- Audits; an independent assessment of a company’s business and financial operations
- Balance of Power; ensures that no one individual has the ability to overextend resources
- Role of the BoD in CG:
 Should set the company’s strategic aims, ensure that the necessary resources are in place for the company to
meet its objective and review management performance
 Should set the company’s values and standards, and ensure that its obligations to its shareholders and other
stakeholders are understood and met
 Should collectively with senior management, promote good practices of corporate governance culture within
the organisation to reinforce ethical, prudent and professional behaviour
 Should review, challenge and decide on management’s proposals for the company and monitor their
implementation with the involvement of management
 Should ensure that the strategic planning of the organisation will add value to long-term wealth and include
strategies on the economic, environmental and social considerations underpinning sustainability
 Should supervise and evaluate management’s performance to ensure that the wealth of the organisation
is properly managed
 Should ensure that there is a sound framework for internal controls and risk management
 Should understand the major risks of the company’s business and recognise that some of the organisation’s
decisions may involve risk-taking
 Should set the risk level within which the BoD expects management to operate and make certain that there is
a sound risk management framework to identify, analyse, evaluate, control and monitor both financial
and non-financial risks
 Ensure that senior management has the necessary skills and experience, and that there is succession planning
for the BoD and senior management
 Ensure that the organisation has strategies to enable effective communication with stakeholders
- Key responsibilities of the Chairman:
 providing leadership to the Board of Directors so that the Board of Directors can perform its obligations
effectively
 setting the agenda and ensuring that the members of the Board of Directors receive complete and
correct records in a timely manner
 chairing the Board of Directors meetings and discussions
 encouraging participation and allowing dissenting views to be freely expressed
 managing the interface between the Board of Directors and management
 ensuring strategic steps are taken to ensure effective communication with stakeholders and that their views
are communicated to the Board of Directors as a whole
 leading the Board of Directors in establishing and monitoring good corporate governance practices in the
company
 ensuring the Board of Directors is effective in its task of setting and implementing the company’s direction
and strategy
- Role of the Audit Committee in CG
 The Chairman of the Audit Committee is responsible for ensuring the overall effectiveness and independence of the
Committee
 Ensure the Audit Committee is fully informed about significant matters related to the company’s audit and
its financial statements, and addresses these matters
 Ensure the Audit Committee appropriately communicates its insights, views and concerns about relevant
transactions and events to the internal and external auditors
 The Audit Committee’s concerns on matters that may have an effect on the financials or audit of the company are
communicated to the external auditor
 There is co-ordination between the internal and external auditors
 In assessing the suitability, objectivity and independence of the external auditor, the Audit Committee
establishes policies and procedures that consider, among others:
 The competence, audit quality and resource capacity of the external auditor in relation to the audit
 The nature and extent of the non-audit services rendered and the appropriateness of the level of fees
 Obtaining written assurance from the external auditors confirming that they are, and have been, independent
throughout the conduct of the audit engagement in accordance with the terms of all relevant professional and
regulatory requirements
- Audit Committee; to provide assurance that the corporation is in reasonable compliance with pertinent laws and
regulations, conducting its affairs ethically & maintaining effective controls against employee conflicts of interest and
fraud.
Steps involved in carrying out this responsibility:
 Reviewing corporate policies relating to compliance with laws and regulations, ethics, conflicts of interest,
and the investigation of misconduct and fraud
 Reviewing current/pending litigation or regulatory proceedings bearing on corporate governance in which
the corporation is a party
 Reviewing significant cases of employee conflict of interest, misconduct or fraud
 Requiring the internal auditor to report in writing annually on the scope of the reviews of corporate governance
and any significant findings
- Role of senior management in CG; must have the expertise necessary to manage the day-to-day operations of the
regulated entity in carrying out the strategic objectives set by the BoD + effective senior management must also possess
and demonstrate the leadership qualities necessary to coordinate and organise resources and to guide and motivate
personnel to achieve the organisational objectives
 Develop strategic and operational plans and risk management policies for approval by the BoD
 Implement strategic and operational plans and risk management policies following approval by the BoD
 Assess and implement an effective internal control framework and risk management process to address and
monitor critical processes and mission activities of the regulated entity
 Establish procedures and controls to address compliance with key laws and regulations applicable to the
regulated entity
 Develop and implement management information systems that adequately address the regulated entity’s
business environment and risk profile
 Develop written policies, procedures, and standards to address critical processes and mission activities and
controls of the regulated entity
 Establish procedures to identify, report, assess, and correct deviations from key standards, risk tolerances,
and controls in a timely manner
 Implement timely corrective action on significant control deficiencies and issues reported by the
external or internal auditors and governmental authorities
 Implement timely corrective action on examination and audit findings
 Senior management must ensure that all functions are carried out in accordance with the policies established by
the Board of Directors and that the regulated entity has adequate systems in place to effectively monitor and
manage risks