1. Definition of Internal Auditing (IA) – based on the Institute of Internal Auditors (IIA)'s BoD
- An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations.
- Helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
2. Key terms:
- Independence & objectivity:
Independence – the organisational status of the internal audit function.
IA is to be independent; IA should have direct access, report directly and be accountable to the Audit Committee.
Objectivity – the mental attitude of the individual internal auditors.
IA should be free from influence/interference so that they can render impartial/unbiased opinions in audit engagements
(should not be involved in day-to-day operations, make management decisions or be put in any situation that could lead to a conflict of interest).
- Assurance & consulting activity:
Assurance activity – the primary purpose; to assess evidence related to the subject matter of interest & provide a conclusion.
Consulting activity – provides advice and other assistance (should provide recommendations for improvements to add value & improve an organisation's risk management, control & governance processes).
- Systematic & disciplined approach:
The IA function should establish its own policies & procedures to guide any internal audit activity and to ensure that the audit services provided are of good quality.
- Add value:
Assurance & consulting activities allow improvements in an organisation's operational activities so that it achieves its objectives and ensures effective risk management, control and governance processes.
- Risk Management:
A process conducted by the management of an organisation to understand and deal with risks (uncertainties) that could negatively affect the organisation's ability to achieve its objectives.
- Control:
An organisation needs to have effective controls that reasonably assure the safeguarding of the organisation's assets against loss – IA is responsible for ensuring that such controls are well established by management.
- Governance:
The act of managing an organisation – IA should assess the corporate governance process and provide recommendations to achieve effective governance.
3. Differences between Internal Auditor & External Auditor:
- Reporting responsibility:
Internal Auditor – Reports to the Audit Committee/Board of Directors
External Auditor – Reports to shareholders
- Status:
Internal Auditor – Part of an organisation's employees
External Auditor – A third party
- Independent status:
Internal Auditor – Independent of the activities audited, but ready to respond to the needs & desires of management
External Auditor – Independent of management and the BoD, and in mental attitude
- Responsibility towards fraud:
Internal Auditor – Directly involved with the prevention and detection of fraud
External Auditor – Indirectly concerned with the prevention and detection of fraud, but concerned when the FS may be materially affected
- Scope of work:
Internal Auditor – Evaluates the governance, control & risk management process – to assure the accomplishment of the entity's goals and objectives
External Auditor – Reviews the FS – to ensure that they are free from material misstatements and to express an opinion on whether the FS present a true and fair view
- Timing & frequency of audit:
Internal Auditor – Reviews activities continually, focusing on future events
External Auditor – Reviews the records supporting the FS periodically & focuses on the accuracy and understandability of historical events as expressed in the FS
- Professional qualifications:
Internal Auditor – Not necessary, but may acquire the Certified Internal Auditor (CIA) qualification
External Auditor – Must be a member of MIA & be granted an audit licence by the MoF before being recognised as a Chartered Accountant
4. Roles & responsibilities of IA – risk management, control & governance
- Risk management:
Test-check the adequacy of risk management processes, models and systems
Educate and create awareness among management and staff concerning risk issues
Provide feedback on the appropriateness of the risk management infrastructure
- Control:
Assess the effectiveness of the organisation's internal control system, incl. the adequacy of the control model/design
Monitor management's compliance with the organisation's code of conduct & ethical policies
Review corporate policies relating to compliance with laws and regulations and to conflicts of interest
Analyse the controls for critical accounting and management functions
Provide feedback and reporting on control deficiencies
- Governance:
Advise on the adequacy and appropriateness of the composition of the BoD
Assess the effectiveness of the BoD in discharging their duties
Ensure that the internal audit charter, role and activities are clearly understood and responsive to the needs of the Audit Committee and BoD
Help to keep the BoD informed on any matters related to the company's interest
5. Lines of Defence – providing risk assurance (understanding the organisation's system of internal control & risk management)
- First line of defence; functions that own & manage risks
Delivered by business operations to provide an adequate level of assurance – identifying risks, implementing controls and reporting on progress within their functional areas
Formed by managers & staff (responsible for identifying and managing the risks)
Ensure cautious control when absorbing risk into the organisation
- Second line of defence; functions that oversee risks/specialise in compliance and the management of risk
Activities (IC): compliance, risk management, quality, IT and other control departments
Provides the policies, frameworks, tools, techniques and support to enable risk and compliance to be managed in the first line of defence
Monitors and facilitates the implementation of effective risk management practices by operational management
- Third line of defence; functions that provide independent assurance
Offers an independent approach to audit and assurance in order to monitor and ensure that the first two lines of defence are operating effectively, and advises how they could be improved
IA plays a crucial role in assuring robust risk management within an organisation
6. Overview of the relationship between IA and other stakeholders:
- Board of Directors; discharging its governance duty in an organisation – has to ensure that IA is not alienated in terms of existence and function (must allow IA to carry out their duties independently & ensure that IA can perform their work free from interference)
- Audit Committee; has a direct role in ensuring IA perform their work independently and meet the organisational expectations – shall safeguard the interest of IA & ensure the IA charter, activities and processes are appropriate (ensure that the IA charter, role and activities are clearly understood and responsive to the needs of management and the BoD)
- Senior Management; shall not interfere with the IA activity & IA shall have no influence on the operational conduct – both must co-exist and should clearly understand the demarcation of their functions (if the demarcation fails, IA independence is not achievable)
- External Auditors; both have to clearly understand their roles and responsibilities and co-exist to complement each other
7. Types of Audits:
- Financial Audit; attests the fairness, accuracy & reliability of financial data
- Operational Audit; assesses the adequacy, efficiency & effectiveness of control procedures to meet the objectives of the organisation
- Management Audit; evaluates the effectiveness of management, especially with regard to the formulation and implementation of the strategic objectives, policies and procedures of the business
- Compliance Audit; assesses the extent of compliance with internal policies, regulatory rules and requirements and applicable laws
- Information System/Information Technology Audit; appraisal and testing of computer systems through the various stages of system development – plan, analyse, design and implement
- Fraud/Forensic Audit; determines the modus operandi and collects evidence to support the case that would eventually lead to legal consequences
8. International Professional Practices Framework (IPPF) – a structural blueprint that facilitates the consistent development, interpretation and application of concepts, methodologies and techniques useful to the internal audit profession
Core principles of the IPPF:
- Demonstrates integrity
- Demonstrates competence and due professional care
- Is objective and free from undue influence (independent)
- Aligns with the strategies, objectives, and risks of the organisation
- Is appropriately positioned and adequately resourced
- Demonstrates quality and continuous improvement
- Communicates effectively
- Provides risk-based assurance
- Is insightful, proactive, and future-focused
- Promotes organisational improvement
IPPF – outlines the Code of Ethics for IA, which states the principles & expectations governing the behaviour of individuals & organisations in the conduct of internal auditing
9. IIA Code of Ethics:
- Integrity; establishes trust and thus provides the basis for reliance on their judgement (honesty, straightforwardness, trustworthiness)
- Objectivity; rendering unbiased judgement + exhibiting the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined
- Confidentiality; respect the value and ownership of the information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so
- Competency; apply the knowledge, skills and experience needed in the performance of internal audit services
CH03: CORPORATE GOVERNANCE MECHANISM
1. Definition of Corporate Governance:
The process & structure used to direct and manage the business and affairs of the company towards enhancing business prosperity and corporate accountability, with the ultimate objective of realising long-term shareholder value whilst taking into account the interests of stakeholders
- CG emphasises transparency in the decision-making process, and fairness and trustworthiness in managing a company.
- An effective IA function plays a key role in assisting the BoD to discharge its governance responsibilities
2. Functions of the Audit Committee (with regard to the MCCG):
The Audit Committee is required to ensure that the internal audit function is effective and able to function independently from management:
- Internal audit personnel are free from any relationship or conflict of interest which could impair their objectivity and independence
- The resources in the internal audit dept. shall be adequate in number and competent in carrying out the function
- The internal audit function is carried out in accordance with a recognised framework
- The person responsible for internal audit must report directly to the Audit Committee
- The appointment and removal, scope of work, performance evaluation and budget for the internal audit function must be determined by the Audit Committee
3. Corporate Governance Mechanisms:
- Board of Directors; oversees that the organisation is well governed and that the financial reporting and other information delivered to the BoD and communicated to other stakeholders are accurate and trustworthy – including by establishing an audit committee
- Audits; an independent assessment of a company's business and financial operations
- Balance of Power; ensures that no one individual has the ability to overextend resources
4.