
2/7/2023

Fundamentals of Auditing

Chapter 3:
Internal control

PhD. Thao Bui


2023

Learning objectives
Understand what internal control is and its importance.

Identify the components of internal control.

Learn how to develop an understanding of an entity’s internal control.

Learn the types of tests of controls.

Know how to assess and document the level of control risk.

Understand the limitations of internal control.

Understand the considerations for the timing of audit procedures.


Content

3.1. Internal Control – An Overview
3.1.1. Defined
3.1.2. The components of internal control

3.2. Internal control in a financial statement audit
3.2.1. Obtaining an understanding of internal control (Phase 1)
3.2.2. Assessing control risk (Phase 2,3,4)
3.2.3. Substantive procedures (Phase 4)

References
Document reference
• COSO, Internal Control – Integrated Framework (New York: AICPA, 1992).
• ISA/VSA 315, “Identifying and assessing the risks of material misstatement through understanding the entity and its environment”.
• ISA/VSA 330, “The auditor’s responses to assessed risks”.


3.1.1. Internal Control – Defined


Internal control (VSA 315)
A process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to
- reliability of financial reporting,
- effectiveness and efficiency of operations, and
- compliance with applicable laws and regulations.

Internal control (COSO, 1992)
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effectiveness and efficiency of operations.
- reliability of reporting.
- compliance with applicable laws and regulations


3.1.1. Internal Control – Defined


The definition of Internal control reflects four fundamental concepts:

Process
• A process consisting of ongoing tasks and activities, being pervasive and inherent in the way management runs the business

People
• People establish the entity’s objectives and put control mechanisms in place
• People at every level of an organization can impact internal control

Reasonable assurance
• Reasonable assurance that the company’s objectives are achieved
• Limitations exist in all systems of internal control, uncertainties and risks may exist, cost vs benefits

Objectives
• Operation objectives – effectiveness and efficiency of the entity’s operations, including operations and financial performance goals and safeguarding assets against loss.
• Reporting objectives – reliability of reporting, including internal and external financial and non-financial reporting.
• Compliance objectives – adherence to laws and regulations to which the entity is subject.



3.1.1. Internal Control – Defined


The importance of internal control

Management’s perspective
- Provide a way to meet its stewardship or agency responsibilities

Auditor’s perspective
- Plan the audit
- Determine the nature, timing, extent of tests to be performed


Questions

What best describes the purpose of the independent auditors’ consideration of internal control in a
financial statement audit for a public company?
A. To determine the nature, timing, and extent of audit testing.
B. To make recommendations to the client regarding improvements in internal control.
C. To train new auditors on accounting and control systems.
D. To identify opportunities for fraud within the client’s operations

3.1.2. The Components of Internal Control

Internal control
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities


3.1.2. The Components of Internal Control


(I) Control environment
Actions, policies and procedures that reflect the overall attitude of top management, directors, and owners of an entity about controls and its importance

1) Integrity and ethical values
2) Commitment to competence
3) Participation of the BOD or audit committee
4) Management’s philosophy and operating style
5) Organizational structure
6) Assignment of authority and responsibility
7) Human resource policies and practices


3.1.2. The Components of Internal Control


(I) Control environment
• 1) Integrity and ethical values: establish ethical and behavioral standards that are communicated to employees and are reinforced by day-to-day practice (policy statements and codes of conduct)
• 2) Commitment to competence: specify the competence level for a particular job and translate it into the required level of knowledge and skills
• 3) Participation of BODs or audit committee: take their responsibilities seriously and actively oversee the entity’s accounting and reporting policies and procedures


3.1.2. The Components of Internal Control


(I) Control environment
• 4) Management’s philosophy and operating style: significantly affect the quality of internal control, including
  - Management’s approach to taking and monitoring business risks.
  - Management’s attitudes and actions toward financial reporting
  - Management’s attitudes toward information processing and accounting functions and personnel
• 5) Organizational structure: depends on its size and the nature of its business (e.g. level of technology, regulations, etc.)


3.1.2. The Components of Internal Control


(I) Control environment
• 6) Assignment of authority and responsibility: assignment of authority and responsibility for operating activities and establishment of reporting relationships and authorization hierarchies (policies regarding acceptable business practices, the knowledge and experience of key personnel, and the resources provided for carrying out duties)
• 7) Human resource policies and practices: sound personnel policies for hiring, training, evaluating, counseling, promoting, compensating, and taking remedial action


3.1.2. The Components of Internal Control

(II) Risk assessment
A dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed.

1) Determine goals and objectives
2) Risk identification
3) Risk analysis
4) Risk response

3.1.2. The Components of Internal Control


(II) Risk assessment
• 1) Determine goals and objectives: setting goals and objectives is a precondition to internal controls, including
  - At the highest levels, goals and objectives – a strategic plan including a mission statement and broadly defined strategic initiatives.
  - At the department level: objectives supporting the organization’s strategic plan


3.1.2. The Components of Internal Control


(II) Risk assessment
• 2) Risk identification:
  - Entity-Level Risks: arise from external or internal factors.
    + External factors: technological developments, changing customer needs, new legislation and regulation, economic changes…
    + Internal factors: a disruption of information systems processing, the quality of personnel and training, changes in management responsibilities, …
  - Transaction-Level Risks: risks are identified at the transaction level within subsidiaries, divisions, operating units, or functions.


3.1.2. The Components of Internal Control


(II) Risk assessment
• 3) Risk analysis: Management should conduct a risk analysis to:
  - Assess the likelihood of their occurrence;
  - Estimate the significance of the risks; and
  - Decide about actions to address those risks
• 4) Risk response:
  - Acceptance: no action is taken to affect risk likelihood or impact.
  - Avoidance: exiting the activities giving rise to risk (e.g., exiting a product line, declining expansion to a new market, or selling a division).
  - Reduction: action is taken to reduce risk likelihood or impact, or both (typically involves any of everyday business decisions).
  - Sharing: reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk.


3.1.2. The Components of Internal Control


(III) Control activities
Actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out

Function
1) Top level reviews
2) Activity controls
3) Segregation of Duties
4) Information Processing
5) Physical Controls
6) Analytical Review

Purpose
- Preventive control: designed to avoid an unintended event or result at the time of initial occurrence
- Detective control: designed to discover an unintended event or result after the initial processing has occurred but before the ultimate objective has concluded
- Corrective controls: designed to take corrective action on discovered mistakes.

3.1.2. The Components of Internal Control


(III) Control activities
• 1) Top level reviews: BODs or senior management conducts reviews of actual performance versus budgets, forecasts, prior periods, and competitor results
• 2) Activity controls:
  - Department or division level management receives and reviews standard performance and exception reports on a daily, weekly or monthly basis.
  - Functional reviews occur more frequently than top level reviews and usually are more detailed.


3.1.2. The Components of Internal Control


(III) Control activities
• 3) Segregation of Duties: Duties are divided, or segregated, among different people to reduce the risks of error or inappropriate actions.
A separation of these three functions is an essential element of control:
  - Authorization and custody
  - Custody and recording
  - Authorization and recording


3.1.2. The Components of Internal Control


(III) Control activities
• 4) Information Processing: Information processing control procedures are primarily of two types:
  - General controls: operation and data controls, systems software controls, security and access controls.
  - Application controls
• 5) Physical controls: procedures to ensure the physical security of assets (authorization for access, physical security of assets, periodic counting and comparison)
• 6) Analytical review: reviewing reports, statements, reconciliations, and other information by management is an important control activity


3.1.2. The Components of Internal Control

(IV) Information and communication
Methods used to identify, assemble, classify, record, and report an entity’s transactions and to maintain accountability for related assets
- Information
- Communication


3.1.2. The Components of Internal Control


(IV) Information and communication
Information and communication support the achievement of the entity’s objectives:
- Information: necessary to carry out internal control responsibilities in support of the achievement of its objectives.
  • Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control.
- Communication is the continual, iterative process of providing, sharing, and obtaining necessary information.
  • Internal communication: enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously.
  • External communication: enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.


3.1.2. The Components of Internal Control

(V) Monitoring
Management’s ongoing and periodic assessment of the effectiveness of the design and operation of an internal control structure to determine if it is operating as intended and modified when needed
- Ongoing evaluations
- Separate evaluation


3.1.2. The Components of Internal Control


(V) Monitoring
• Monitoring provides reasonable assurance that an entity’s objectives will be achieved.
• Monitoring involves assessing the design of controls and their operation on a timely basis and taking necessary corrective actions.
  - Ongoing evaluations: includes regular management and supervisory activities, and other actions personnel take in performing their duties
  - Separate evaluations: conducted periodically by objective management personnel, internal audit, and/or external parties, among others


3.1.2. Limitations of Internal Control


Internal control only provides management and the BOD with reasonable assurance in achievement of the entity’s objectives because internal control has inherent limitations.

Costs of control outweigh the benefit

Potential for human error

Possibility of collusion in fraud between employees

Controls could be bypassed/ overridden by management

Controls are designed to cope with routine transactions not non-routine ones


Questions

Which of the following is not a component of an entity’s internal control?

A. Control risk
B. Control activities
C. Control environment
D. Monitoring


Questions

The overall attitude and awareness of an entity’s board of directors concerning the importance of
internal control usually is reflected in its:

A. Computer-based controls.
B. System of segregation of duties.
C. Control environment.
D. Safeguards over access to assets.


Questions

The philosophy and operating style of management would most likely have a significant influence
on an entity’s control environment when:

A. The duties of all management are specifically designated.
B. The audit committee is active in overseeing the financial reporting process.
C. Management is dominated by one individual.
D. The internal auditors report directly to management.


Questions

Proper segregation of functional responsibilities calls for separation of the functions of:

A. Authorization, execution, and payment.
B. Authorization, recording, and custody.
C. Custody, execution, and reporting.
D. Authorization, payment, and recording.


Questions

When considering internal control, an auditor should be aware of the concept of “reasonable
assurance”, which recognizes that:
A. Internal control may be ineffective due to mistakes in judgment and personal carelessness.
B. Adequate safeguards over access to assets and records should permit an entity to maintain proper accountability.
C. Establishing and maintaining internal control is an important responsibility of management.
D. The cost of an entity’s internal control should not exceed the benefits expected to be derived.


Group discussion
For each case, discuss (i) which components of internal control the case is relevant to and (ii) which items in the FSs may be involved.
1. The company should issue an internal code of conduct for employees in the Purchase Department in dealing with suppliers.
2. Invoices from suppliers must be approved by an authorized person based on a review and comparison of the calculation on the invoices, the amounts in the inventory delivery note and the relevant orders.
3. The Internal Auditors should report directly to the BOD, not to the CFO.
4. Periodically count the inventory and adjust the information in the accounting books according to the actual count.
5. All payment vouchers must be stamped with “Paid” when they have been paid.
6. All inventory received notes must be pre-printed with sequential numbers before use.
7. The Management, on a monthly basis, reviews the reports on revenue and expenses in comparison to the plan, and analyzes the reasons for the fluctuation (if any) in revenue and expenses.


3.2. Internal control in a financial statement audit


Auditor to obtain an understanding of internal control relevant to the audit (VSA 15)
Evaluate the design and implementation of the internal control

Phase 1: Obtain an understanding of internal control
Phase 2: Assess the control risk (preliminary)
Phase 3: Perform test of controls audit procedures
Phase 4: Assess the control risk and perform substantive procedures

3.2.1. Obtaining an understanding of Internal control (Phase 1)

- Understanding of internal control assists the auditor in
  • identifying types of potential misstatements and factors that affect the risks of material misstatement, and
  • designing the nature, timing and extent of further audit procedures.

- Understanding of the Control Environment
- Understanding of the Risk Assessment
- Understanding of the Information and Communication System
- Understanding of the Control Activities
- Understanding of the Monitoring


3.2.1. Obtaining an understanding of Internal control (Phase 1)


(1) Understanding of the Control Environment
- Communication and enforcement of integrity and ethical values
- Commitment to competence
- Participation by those charged with governance
- Management’s philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices

Auditors evaluate whether:
- Management has created and maintained a culture of honesty and ethical behavior
- The control environment elements provide an appropriate foundation for the other components of internal control,
- Other components are not undermined by deficiencies in the control environment.

3.2.1. Obtaining an understanding of Internal control (Phase 1)


(2) Understanding of the Risk Assessment

Entity’s risk assessment process:
- Identifying business risks relevant to financial reporting objectives
- Estimating the significance of the risks
- Assessing the likelihood of their occurrence
- Deciding about actions to address those risks

Entity’s risk assessment process: Yes
• Obtain an understanding of its process and results:
  - Evaluate whether there was an underlying risk
  - Evaluate whether there is a significant deficiency in internal control with regard to the entity’s risk assessment process

Entity’s risk assessment process: No
• Discuss with management whether business risks relevant to financial reporting objectives have been identified and how they have been addressed.
• Evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances, or determine whether it represents a significant deficiency in internal control.

3.2.1. Obtaining an understanding of Internal control (Phase 1)

(3) Understanding of Information and communication system
- Information system
  • Accounting system
  • Business processes
- Communication system
  • Roles and responsibilities over financial reporting


3.2.1. Obtaining an understanding of Internal control (Phase 1)

(4) Understanding of the control activities

Control activities relevant to the audit
To assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks

Entity’s responses to IT risks
Controls over IT systems are effective when they maintain the integrity of information and the security of the data such systems process, and include effective general IT controls and application controls


3.2.1. Obtaining an understanding of Internal control (Phase 1)


(5) Understanding of the Monitoring

Activities used to monitor internal control over financial reporting

Internal audit (if available)
• The nature of the internal audit function’s responsibilities and how the internal audit function fits in the entity’s organizational structure; and
• The activities performed, or to be performed, by the internal audit function.


3.2.1. Obtaining an understanding of Internal control (Phase 1)

- Methods to Obtain Understanding of Internal Control

Auditors obtain an understanding of the internal control through several sources of information, including:
• Previous experience with the company as found in last year’s audit;
• Inquiry of appropriate management, supervisory, and staff personnel;
• Inspection of documents and records;
• Observation of activities and operations made in a “walk-through” of one or a few transactions;
• Review of the client’s policy and procedure manuals.


3.2.1. Obtaining an understanding of Internal control (Phase 1)

- Document Understanding of Internal Control

Audit processes require documentation of the understanding obtained regarding each of the five internal control components.

• Narrative descriptions: a written description of a client’s internal control structure
• Questionnaires: series of questions about the controls in each audit area as a means of indicating to the auditor aspects of the internal control structure that may be inadequate. In most instances, it is designed to require a “yes” or “no” response, with “no” responses indicating potential internal control difficulties
• Checklist: a list of considerations or procedures that are followed by the auditor. In the case of internal controls, it is a list of controls that should normally be in place
• Flow chart: a symbolic, diagrammatic representation of the client’s documents and their sequential flow in the organization


3.2.2. Assessing control risk (Phase 2,3,4)


a) Assess the control risk (preliminary)
• The preliminary assessment of control risk is the process of evaluating the effectiveness of an entity's internal control system in preventing or detecting and correcting material misstatements.
• A preliminary assessment of control risk is made:
  - At assertion level for each material account balance or class of transactions
  - At a high level for some or all assertions when the entity's internal control system is not effective or evaluating the effectiveness of the entity's internal control system would not be efficient.


3.2.2. Assessing control risk (Phase 2,3,4)


b) Perform test of controls audit procedures
• Test of controls – An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.
• The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls if:
  - The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively; or
  - Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.


3.2.2. Assessing control risk (Phase 2,3,4)

• Tests of controls generally consist of one (or a combination) of four types of evidence-gathering techniques:
  - Inquiry of client personnel: seeking information of knowledgeable persons inside or outside the entity. Inquiry evidence is based on interviews concerning the effectiveness of controls.
  - Observation: looking at a process or procedure being performed by others
  - Inspection (examination of documents): examining records, documents, or tangible assets.
  - Reperformance (or recalculation): performing the task done by an employee to verify the result of the transaction.


3.2.2. Assessing control risk (Phase 2,3,4)


c) Final Assessment of Control Risk
• Based on the results of the tests of control, the auditor should
  - evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk, and
  - conclude whether sufficient appropriate audit evidence has been obtained to reduce risk of material misstatement in the financial statements.
• If the evidence from tests of controls does not support the planned assessed level of control risk, the auditor should assess control risk higher and revise the audit strategy to increase substantive tests.


3.2.3. Substantive procedures (Phase 4)

- Substantive procedures are tests performed to obtain audit evidence to detect material misstatements in the financial statements, including two types:
  • Substantive analytical procedures; and
  • Tests of details (of classes of transactions, account balances, and disclosures).


3.2.3. Substantive procedures (Phase 4)

- Substantive analytical procedures
• Purposes: to ensure that overall audit results, account balances or other data presented in the financial statements are stated reasonably.
• Generally most accepted technique:
  - Develop the expectation of each account balance and the acceptable variation or threshold.
  - Compare the threshold with the actual figure.
  - Further investigation is required only when the difference between actual and expectation balances falls out of the acceptable variation range prescribed (extending analytical procedures, detail examination of supporting documents, conducting additional inquiries and performing other substantive tests).


3.2.3. Substantive procedures (Phase 4)

- Tests of details of transactions
• To ensure that the transaction-related audit objectives are met in each accounting transaction – the confidence on transactions will lead to the confidence on the account total in the general ledger.
• Testing techniques: examination of relevant documents and re-performance.
• The extent of tests remains a matter of professional judgement – varied from a sufficient amount of samples to all transactions depending on the level of assurance that auditors want to obtain.

- Tests of details of balances
• Focus on the ending balances of each general ledger account.
• Testing techniques: account reconciliation, third party confirmation, observation of the items comprising an account balance and agreement of account details to supporting documents.
• The extent of tests depends on the results of tests of control, analytical procedures and detailed tests of transactions relating to each account.
• The sample size can be varied and remains a matter of professional judgement.


3.2.4. Timing of Audit Procedures


• The auditor may perform tests at an interim date or at period end.
• Certain audit procedures can be performed only at or after the period end:
  - Agreeing the FSs to the accounting records;
  - Examining adjustments made during the course of preparing the FSs; and
  - Procedures to respond to a risk that, at the period end, the entity may have entered into improper sales contracts, or transactions may not have been finalized.
• Further relevant factors influencing the auditor’s consideration of when to perform audit procedures:
  - The control environment.
  - Available time of information
  - Nature of the risk
  - Period or date to which the audit evidence relates.


3.2.4. Timing of Audit Procedures

- Timing of Test Controls
• According to VSA 330, the auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those controls in order to provide an appropriate basis for the auditor’s intended reliance.

- Timing of Substantive Procedures
• Conducting substantive tests at an interim date may increase the risk that material misstatements are present in the financial statements.
• The auditor can control for this potential problem by considering when it is appropriate to examine an account at an interim date and by performing selected audit procedures for the period between the interim date and year-end.


Questions

A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with:

A. Audit evidence to use in reducing detection risk.
B. An evaluation of the control risk
C. A basis for modifying tests of controls.
D. An evaluation of the consistency of application of management policies


3.1. Internal Control in a FS audit – Questions

Controls over financial reporting are often classified as preventative, detective, or corrective.
Which of the following is an example of a detective control?

A. Segregation of duties over cash disbursements.
B. Requiring approval of purchase transactions.
C. Preparing bank reconciliations.
D. Maintaining backup copies of key transactions.


3.1. Internal Control in a FS audit – Questions

Controls over financial reporting are often classified as preventative, detective, or corrective.
Which of the following is an example of a preventative control?

A. Segregation of duties over cash disbursements.
B. Requiring approval of purchase transactions.
C. Maintaining backup copies of key transactions.
D. A, B and C are correct


3.1. Internal Control in a FS audit – Questions

When a CPA decides that the work performed by internal auditors may have an effect on the nature,
timing, and extent of the CPA’s procedures, the CPA should consider the competence and
objectivity of the internal auditors. Relative to objectivity, the CPA should:

A. Consider the organizational level to which the internal auditors report the results of their work.
B. Review the internal auditors’ work.
C. Consider the qualifications of the internal audit staff.
D. Review the training program in effect for the internal audit staff.
