Learning objectives:
A. Discuss the definition of Internal Auditing according to the Institute of Internal Auditing (IIA)
B. Present the risk management-related profession, covering trends, career opportunities, and
global certifications (e.g., CIA, CRMA) – refer to the PowerPoint Presentation
C. Illustrate Governance, Risk Management, and Controls
D. Explain the different definitions of Risk and Risk Management
E. Discuss globally accepted frameworks on Risk Management (e.g., COSO ERM, ISO 31000, GAIT,
NIST, CoCo, COBIT)
F. Discuss the Risk Management Process according to COSO.
According to the Definition of Internal Auditing in The IIA's International Professional Practices
Framework (IPPF), internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness
of risk management, control, and governance processes.
At its simplest, internal auditing involves identifying the risks that could keep an organization from
achieving its goals, making sure the organization’s leaders know about these risks, and proactively
recommending improvements to help reduce them.
For internal auditing to be effective, the organization’s leaders must be open to discussing tough issues
and seizing opportunities to make necessary changes for improvement. The internal auditors must also
have an independent reporting line to the highest governing body (e.g., the audit committee of the
board of directors), ensuring that they have the requisite authority to access all areas of the organization
and know that they will be supported when their views differ from those of management.
Internal auditors’ independence and broad perspective of the organization make them a valuable
resource to executive management and the board of directors. They ensure that the organization is held
accountable to its stakeholders, whether those stakeholders are investors (as in the case of a publicly
traded company) or the public served by a government organization.
Ultimately, internal auditors add value to their organizations by providing assurance, insight, and
objectivity.
Internal auditors are explorers, analysts, problem-solvers, reporters, and trusted advisors. They bring
objectivity and a variety of skills and expertise to the organization. They come from diverse areas such
as finance, operations, IT, and engineering. Today’s internal audit professionals are revered for their
critical thinking and communication skills, as well as their general IT and industry-specific business
knowledge. Still, people often confuse internal auditors with accountants or external auditors (entities
the organization engages to provide an annual review of the financial statements). The differences are
significant:
Depending on the structure, maturity, and resources of the function, internal auditors may perform
some or all of the following tasks.
OFFER INSIGHT AND ADVICE – There are times when internal auditors’ expertise, knowledge of
controls, and broad perspective of the organization make them ideal candidates for consulting on a
project to ensure that risks are considered and controls are built into a process on the front end (e.g.,
mergers and acquisitions, new technology implementation). Internal auditors may offer insight
regarding strategic risks and advice, though management must maintain ultimate responsibility for the
processes in their area.
EVALUATE RISKS – Risks are everywhere (natural disasters, loss of key suppliers, reputation
damage, inefficient operations, fraud, lawsuits, policy violations, regulatory compliance, theft, etc.). It’s
the internal auditor’s job to assess the significance of the organization’s many risks and the effectiveness
of risk management efforts, communicate these to management and the board, and develop
recommendations to improve risk management.
ASSESS CONTROLS – Internal auditors evaluate control efficiency and effectiveness and provide
management and the board assurance that the controls in place are adequate to respond to the risks
that threaten the organization.
ENSURE ACCURACY – Internal auditors ensure financial statement accuracy. They examine the
reliability and integrity of financial and operational information.
PROMOTE ETHICS – Professional internal auditors agree to abide by a Code of Ethics that upholds
the principles of integrity, objectivity, confidentiality, and competency. They raise red flags when they
discover improper conduct.
REVIEW PROCESSES AND PROCEDURES – Internal auditors review operations closely and assess
whether existing processes are well designed to help the organization achieve its goals.
MONITOR COMPLIANCE – Internal auditors assess the organization’s compliance with applicable
laws, regulations, and contracts to ensure that management is addressing these requirements
adequately. They also offer insight into the impact that non-compliance would have on an organization
and inform senior management and the board of noncompliance.
ASSURE SAFEGUARDS – The organization’s tangible property, human resources, and intellectual
property are valuable and must be guarded against potential damage. Internal auditors evaluate the
procedures used to safeguard assets from theft, fire, illegal activities, or other types of loss. They bring
deficiencies to light and make recommendations for enhanced protection.
INVESTIGATE FRAUD – Because fraud can affect any level of the organization, it’s important that
the board of directors grants the internal audit function access to all records and authority to conduct
audits and investigate possible fraudulent behavior throughout the organization.
COMMUNICATE RESULTS – After auditing a particular area, internal auditors report their findings
and recommend appropriate courses of action.
The internal audit activity’s unique and valuable perspective derives from its independence from
senior management and from the decisions and responsibilities of senior management. Its work must
be free from interference and bias. It cannot take managerial decisions or “own” risk. If it does, it
is unable to provide credible, authoritative, and objective assurance and advice over the activity. At the
same time, independence should not be mistaken for isolation and aloofness.
Understanding independence, its nature, and its importance are critical to determining an appropriate
balance of assurance and advisory services.
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out
internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to
effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and
unrestricted access to senior management and the board. This can be achieved through a dual-reporting
relationship.
That “direct and unrestricted access” both to senior management and the board is one of the core
requirements for independence.
The internal audit activity provides reports to both senior management and the board, but the primary
(functional) reporting line of the CAE is the board. A secondary (administrative) reporting line may be
to an appropriate member of senior management.
Being “free from interference” is a further integral component of internal audit independence. The key
requirements can be summarized as follows:
• The presence of a formally defined charter (i.e., a mandate) establishing the internal audit activity’s
purpose, authority, and responsibilities.
• Unfettered access to the people, resources, and information needed to carry out its work as well as
the requisite resources to deliver the scope and level of assurance required by the board.
• The absence of interference from senior management in determining and carrying out its work.
• Accountability (i.e., “functional reporting”) to the board, either directly or through an independent
audit committee, including time without senior management being present.
• Access (including the freedom to report) to the board and senior management, which usually
includes “administrative reporting” at a level in the organization that enables the completion of its
work without interference.
Moving beyond the provision of “pure” assurance to provide consulting (or advisory) services is
sometimes regarded as “stepping over the line” beyond the “proper limits” of internal audit. However,
there is significant value the internal audit activity can deliver through consulting, and this can be
achieved without compromising independence provided the activity does not assume decision-making
or risk-taking responsibility.
Independence is closely related to, but not the same as, objectivity. It may reasonably be claimed that
independence is not valuable for its own sake but only as a means of establishing credibility, authority,
and objectivity.
…an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they
believe in their work product and that no quality compromises are made. Objectivity requires that internal
auditors do not subordinate their judgment on audit matters to others.
There are clear links to independence – and the appearance of independence – but there is also more to
achieving objectivity. The requirements include the “systematic, disciplined approach” referred to in
the definition of internal auditing; following professional standards; being subject to performance
review and monitoring.
Threats to the Independence of the Internal Audit Activity
• No clear mandate
• Restricted access to people, data, and resources
• Insufficient resources
• Restricted access and reporting to the board
• Restricted access and reporting to senior management
• Inappropriate level of reporting
• Conflicting roles beyond internal auditing
Threats to the Objectivity of the Internal Auditor
• Self-interest
• Self-review
• Advocacy
• Familiarity
• Intimidation
• Lack of proficiency
• Lack of due professional care
Safeguards for Threats to Independence of the Internal Audit Activity and Objectivity of Internal
Auditors
• Conformance with the requirements of the IPPF
• Alignment of activity with the internal audit charter
• “Cooling off” periods, such that internal auditors do not provide assurance on areas of the
organization where they have recently had responsibility or provided consultation.
• Adherence to the requirements for internal auditor competence
• Clearly defined and time-limited consulting engagements
• Consultation with the board on impairments
• Continuous professional development
• Appropriate policies and procedures, as reflected in the audit manual.
• Audit supervision and performance management.
As required by Standard 2130 – Control, “Internal auditors must incorporate knowledge of controls gained
from consulting engagements into the evaluation of the organization’s control processes.”
It sometimes works the other way around, when a consulting engagement identifies the need for some
assurance work.
Risk Management is an essential ingredient of organizational success. Whenever we act with a goal in mind,
there is uncertainty. It is in focusing on desirable outcomes and acting (or sometimes choosing not to act) to
achieve them that we are taking (accepting) risks. As risk exists at every level of activity and objective, failure
to manage it effectively (which includes measures to reduce or exploit risk) can result in failure to maximize
performance and to guard against failure. Risk management is an attempt to understand risk and deal with
it in such a way as to optimize outcomes. Risk management enables successful risk-taking rather than
trying to prevent it, and does so through a process of identification, analysis, and evaluation, followed by
selection, implementation, and monitoring of responses, together with continuous attentiveness.
Risk management assurance through internal audit provides an independent and objective review and
assessment of the adequacy and effectiveness of risk management, either to give confidence to senior
management and the board that everything is operating as it should, or to alert them to significant issues
that can and should be addressed.
As senior management is responsible for achieving organizational objectives, it is also responsible for
managing risk. Senior management benefits considerably from looking to the internal audit activity for an
independent perspective on opportunities for greater effectiveness and efficiency.
The board values assurance from senior management and from other internal and external providers, but
assurance from internal audit provides the highest level of confidence and can validate information
received from other sources.
A. What is Risk?
SOURCE – DEFINITION
IIA – The possibility of an event occurring that will have an impact on the achievement of
objectives. Risk is measured in terms of impact and likelihood. (IPPF Glossary, 2016)
COSO – The possibility that events will occur and affect the achievement of objectives.
(Enterprise Risk Management – Integrating with Strategy and Performance, COSO, 2017)
Concept of Risk
Enterprise risk may be individual risks with very high impact or a combination of risks that together are
more significant. Often, when discussing enterprise-wide risk, we are considering new and emerging risks
that are not yet well understood due to limited prior experience of such circumstances, as well as broader
potential sources of risk, such as technology, climate, and demographics.
ERM represents a concerted effort to focus on significant risk in a systematic, coordinated fashion. There
are different approaches to achieving this, but they have common characteristics.
ERM Responsibilities