
Nature of Internal Audit Work

Material: Chapter 5 in Coetzee et al

1
Nature of Internal Audit Work
Introduction

• This chapter discusses the nature of an internal auditor’s work
• Before starting with an internal audit engagement, it is important to understand management’s strategic plan for the organisation
• A clear set of strategic objectives and strategies, supported by sub-objectives, is fundamental to success
• It gives focus to the organisation’s operational activities and the use of resources
• See pp. 84 and 85 for more info

2
Nature of Internal Audit Work
Introduction

• Per the definition of internal auditing, internal auditors’ three focus areas are governance, risk management and control (“GRC”)
• It is management’s responsibility to ensure that these three areas are established within the organisation
• Various best practice frameworks exist to guide them in that regard – see Table 5.2 on p. 86

3
Nature of Internal Audit Work
Professional guidance re GRC

• Performance Standard 2100 and related implementation guidance
  • 2100 Nature of work
    • The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach
  • Old news

4
Nature of Internal Audit Work
Professional guidance re GRC

• 2110 Governance
  • The internal audit activity must assess and make appropriate recommendations to improve the organisation’s governance process for…
    • See p. 87
  • 2110.A1
    • The internal audit activity must evaluate the design, implementation and effectiveness of the organisation’s ethics-related objectives, programmes and activities
  • 2210.A2
    • The internal audit activity must assess whether the IT governance of the organisation sustains and supports the organisation’s strategies and objectives
    • Why is IT governance important?

5
Nature of Internal Audit Work
Professional guidance re GRC

• 2120 Risk management
  • The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes
  • Interpretation/explanation
    • The evaluation involves an assessment of whether:
      • Significant risks are identified and assessed
      • Appropriate risk responses are selected, given the organisation’s risk appetite
      • Relevant risk information is captured and communicated in a timely manner across the organisation, to enable staff and board members to carry out their responsibilities

6
Nature of Internal Audit Work
Professional guidance re GRC

• 2120.A1
  • The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organisation’s governance, operations, and information systems, regarding the:
    • Achievement of the organisation’s strategic objectives
    • Reliability and integrity of financial and operational information
    • Effectiveness and efficiency of operations and programs
    • Safeguarding of assets
    • Compliance with laws, regulations, policies, procedures and contracts

So controls are supposed to mitigate threats to the…

7
Recap

Internal auditor must know department’s/unit’s objectives → Risk assessment (Risk = ?) → Assess controls put in place by management

8
Nature of Internal Audit Work
Professional guidance re GRC

• 2120.A2
  • The internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk
• 2120.C1
  • During consulting engagements internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks
• 2120.C2
  • Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organisation’s risk management processes

9
Nature of Internal Audit Work
Professional guidance re GRC

• 2120.C3
  • When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming management responsibility by actually managing risks
    • Threat to objectivity

10
Nature of Internal Audit Work
Professional guidance re GRC

• 2130 Control
  • The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement
  • Interpretation/explanation
    • The CAE should form an overall opinion on the adequacy and effectiveness of the control processes by considering if significant discrepancies or weaknesses were discovered, and corrections or improvements were made afterwards
    • The internal audit plan should make provision for the evaluation of the adequacy and effectiveness of the organisation’s control processes

11
Nature of Internal Audit Work
Professional guidance re GRC

• 2130 Control
  • Interpretation/explanation
    • The CAE should report to senior management and to the board, at least once a year, on the organisation’s control processes
  • 2130.A1
    • Same text as 2120.A1
  • 2130.C1
    • Internal auditors must incorporate knowledge of controls gained from consulting engagements into the evaluation of the organisation’s control processes
  • See pp. 89 and 90 for more on this

12
Nature of Internal Audit Work
The importance of internal control

• Introduction
  • Per the internal audit definition one of the main areas that internal auditors should focus their efforts on is (internal) control
  • Involves attempts to manage risk in the business environment
  • We all try to manage risk in our daily lives, sometimes by applying the same methods as businesses
  • See p. 90 for more detail
• What is internal control?
  • Refer to the three definitions on pp. 90 and 91, and note the second one:
    • “Control is any action taken by management, the board and other parties to manage risks and increase the likelihood that established objectives and goals will be achieved”

13
Nature of Internal Audit Work
The importance of internal control

• What is internal control?
  • A few points to be noted:
    • Control involves a process or an action taken
    • Management is responsible for implementing internal control, but other parties may also be involved
    • Controls are implemented to minimise risks, so ensuring that the organisation’s objectives are attained
      • But can only provide reasonable assurance, at best, due to the limitations of controls – see slide 34

14
Nature of Internal Audit Work
The importance of internal control

• The objectives of internal control
  • The primary purpose of internal controls is to ensure that organisational objectives are met, which include:

Operational objectives:
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations
• Safeguarding of assets

Reporting objectives:
• Reliability, timeliness and transparency of:
  • Internal and external reporting
  • Financial and non-financial reporting

Compliance objectives:
• Compliance with:
  • Laws
  • Regulations
  • Contracts
Nature of Internal Audit Work
The importance of internal control

• The objectives of internal control
  • On p. 91: “Internal control forms the backbone of any organisation, as weaknesses and the total absence of internal control activities may result in chaos and the eventual demise of the organisation.”
  • The textbook chapter is based on the COSO framework of 2013

16
Nature of Internal Audit Work
The COSO framework

• The five internal control components/elements per the COSO framework:
  1. The control environment – see slide 18
  2. Risk assessment – see slide 22
  3. Control activities – see slide 23
  4. Information and communication – see slide 27
  5. Monitoring – see slide 27

Important!

17
Nature of Internal Audit Work
The COSO framework

1. The control environment
• Introduction
  • The control environment forms the foundation of the COSO control framework
  • It provides the atmosphere within which staff members conduct their activities and carry out their control responsibilities
  • Does senior management regard the proper functioning of the internal control structure as important?
    • The “tone at the top”
  • See p. 93 for more detail

18
Nature of Internal Audit Work
The COSO framework

1. The control environment
• Some aspects of the control environment of importance to the internal audit activity
  • The philosophy and style of senior management
    • See p. 94 for factors that increase the risk in this regard
    • Management should set an example
  • The organisation’s values and behavioural standards should be communicated to staff
    • A code of conduct is important in this regard

19
Nature of Internal Audit Work
The COSO framework

1. The control environment
• Some aspects of the control environment of importance to the internal audit activity
  • The organisational structure (hierarchy)
    • It should be suitable for the type of organisation
    • The grouping of activities affects information flow
  • Methods used to communicate tasks and responsibilities to staff
    • Code of conduct, memoranda, organisational and operational plans, job descriptions, etc.

20
Nature of Internal Audit Work
The COSO framework

1. The control environment
• Some aspects of the control environment of importance to the internal audit activity
  • HR management
    • See p. 96

21
Nature of Internal Audit Work
The COSO framework

2. Risk assessment
• The risk assessment done to identify where controls are needed
  • Management’s responsibility
  • Not to be confused with the risk assessment that the internal auditors do during an audit engagement
  • Need to consider:
    • Likelihood of the bad thing happening
    • Impact if it does

22
Nature of Internal Audit Work
The COSO framework

3. Control activities (techniques)
• Introduction
  • Don’t get mixed up here – not the same thing as the internal control components/elements
• Classification of control activities
  • Preventive: they prevent errors
    • Most cost-effective type
    • Works like a filter
  • Detective: they find errors
  • Corrective: they fix the problem that has been detected

A detective control also becomes a preventive one, once staff members know about its existence

23
Nature of Internal Audit Work
The COSO framework

3. Control activities
• Some types of control activities
  • Segregation of duties
    • Assigning the tasks that make up a transaction to different people
    • Particularly important that recording and custody should be segregated
    • See p. 100
    • Logic: you force the wannabe-fraudster to rope in at least one other staff member to help him
      • Note that it doesn’t prevent collusion
  • Proper authorisation (approval) of activities and transactions
    • Authorisation can be general or specific
    • Normally evidenced by sign-off

24
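Segregation of duties as the slide describes it can be enforced and checked in an application's audit trail. The following is an added example, not code from the textbook or the lecturer: it assumes a transaction goes through three duties (record, approve, pay), treats recording/custody and maker/checker pairings as incompatible, and shows both the preventive check applied when a step is attempted and the detective check an auditor would run over the log afterwards. The log, user names and transaction ids are constructed for the example.

```python
"""Segregation-of-duties (SoD) checks over a constructed transaction log.

Two flavours of the control are shown:
  * a preventive check applied when a user attempts a step, and
  * a detective check run afterwards over the whole log to find
    transactions in which one person performed duties that should be
    separated.
All data below is constructed for the example; it is not from a real system.
"""
from collections import defaultdict

# Pairs of duties that must not be performed by the same person on one
# transaction. Recording vs custody ("pay") is the pairing the lecture
# singles out; recording vs approval is the usual maker/checker rule.
INCOMPATIBLE_DUTIES = {
    frozenset({"record", "pay"}),
    frozenset({"record", "approve"}),
    frozenset({"approve", "pay"}),
}

# Constructed audit trail: (transaction id, user, duty performed).
LOG = [
    ("T1001", "alice", "record"),
    ("T1001", "bob", "approve"),
    ("T1001", "carol", "pay"),
    ("T1002", "dave", "record"),
    ("T1002", "dave", "approve"),   # same person records and approves
    ("T1002", "erin", "pay"),
    ("T1003", "frank", "record"),
    ("T1003", "grace", "approve"),
    ("T1003", "frank", "pay"),      # recording and custody not segregated
]


def preventive_check(log, txn_id, user, duty):
    """Return True if `user` may perform `duty` on `txn_id`, given the
    duties the same user has already performed on that transaction."""
    already_done = {d for t, u, d in log if t == txn_id and u == user}
    return not any(frozenset({duty, prior}) in INCOMPATIBLE_DUTIES
                   for prior in already_done)


def detect_sod_violations(log):
    """Detective check: return {txn_id: [(user, duty_a, duty_b), ...]} for
    every transaction in which one user performed incompatible duties.

    Two different users colluding (one records, the other pays) pass this
    check: as the slide notes, segregation limits but does not remove
    that risk.
    """
    duties_by_txn_user = defaultdict(lambda: defaultdict(set))
    for txn_id, user, duty in log:
        duties_by_txn_user[txn_id][user].add(duty)

    violations = {}
    for txn_id, users in duties_by_txn_user.items():
        for user, duties in users.items():
            for pair in INCOMPATIBLE_DUTIES:
                if pair <= duties:            # both duties of the pair done
                    duty_a, duty_b = sorted(pair)
                    violations.setdefault(txn_id, []).append(
                        (user, duty_a, duty_b))
    return violations


if __name__ == "__main__":
    for txn, items in sorted(detect_sod_violations(LOG).items()):
        for user, duty_a, duty_b in items:
            print(f"{txn}: {user} performed both '{duty_a}' and '{duty_b}'")
    print("dave may pay T1002?", preventive_check(LOG, "T1002", "dave", "pay"))
```

The detective check is the one an internal auditor would run against an extract of the audit trail; the preventive check is what the application itself should apply, which is why the two share the same table of incompatible duties.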
Nature of Internal Audit Work
The COSO framework

3. Control activities
• Some types of control activities
  • Adequate documents and records
    • Includes good source document design
    • See p. 101 for more on this
  • Safeguarding of assets (including information)

25
Nature of Internal Audit Work
The COSO framework

3. Control activities
• Some types of control activities
  • Independent checks
    • By management and internal auditors
    • Or a staff member at the same level
  • Comparisons and reconciliations (not mentioned in the textbook)
    • Between records and records (e.g. a bank reconciliation)
    • Between records and tangible items (e.g. a stocktake)
    • Must be proper follow-up to make it a proper control!

26
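The records-to-records comparison on this slide (a bank reconciliation) is mechanical enough to script, and the point about follow-up can be built in. This is an added example, not from the textbook or the lecturer: it assumes a cash-book extract and a bank-statement extract that share a document reference per item, with amounts in cents, and turns every difference into a follow-up item rather than silently ignoring it. All entries and references are constructed.

```python
"""Records-to-records reconciliation with a follow-up list.

Constructed example: a cash-book (ledger) extract is compared with a
bank-statement extract by document reference. Every difference is
classified and becomes a follow-up item, since an unmatched item that
nobody chases is not a control at all.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    ref: str        # document reference used to match the two record sets
    amount: int     # cents, so that equality is exact


# Constructed data; references are assumed unique within each record set.
LEDGER = [
    Entry("CHQ-101", -12500),
    Entry("CHQ-102", -8000),
    Entry("DEP-55", 40000),
    Entry("CHQ-103", -1500),   # issued but not yet presented to the bank
]
BANK = [
    Entry("CHQ-101", -12500),
    Entry("CHQ-102", -8800),   # bank cleared a different amount
    Entry("DEP-55", 40000),
    Entry("FEE-7", -250),      # bank charge not yet recorded in the ledger
]


def reconcile(ledger, bank):
    """Compare two record sets by reference.

    Returns {"matched": [refs], "follow_up": [(ref, category,
    ledger_amount, bank_amount)]}; a None amount means the item is absent
    from that record set.
    """
    ledger_by_ref = {e.ref: e.amount for e in ledger}
    bank_by_ref = {e.ref: e.amount for e in bank}
    matched, follow_up = [], []
    for ref in sorted(set(ledger_by_ref) | set(bank_by_ref)):
        in_ledger = ledger_by_ref.get(ref)
        in_bank = bank_by_ref.get(ref)
        if in_ledger is not None and in_bank is not None:
            if in_ledger == in_bank:
                matched.append(ref)
            else:
                follow_up.append((ref, "amount differs", in_ledger, in_bank))
        elif in_ledger is not None:
            follow_up.append((ref, "in ledger only", in_ledger, None))
        else:
            follow_up.append((ref, "in bank only", None, in_bank))
    return {"matched": matched, "follow_up": follow_up}


def balance_difference(ledger, bank):
    """Ledger total minus bank total, in cents."""
    return sum(e.amount for e in ledger) - sum(e.amount for e in bank)


def follow_up_net(result):
    """Net effect of the follow-up items (ledger side minus bank side).

    This must equal balance_difference(); if it does not, the follow-up
    list is incomplete and the reconciliation does not prove anything.
    """
    return sum((l or 0) - (b or 0) for _, _, l, b in result["follow_up"])


if __name__ == "__main__":
    result = reconcile(LEDGER, BANK)
    for ref, category, l, b in result["follow_up"]:
        print(f"{ref:8} {category:16} ledger={l} bank={b}")
    print("difference explained:",
          follow_up_net(result) == balance_difference(LEDGER, BANK))
```

The equality between the two totals is what makes this a complete reconciliation rather than a list of oddities: the reviewer signs off only when every cent of the difference is accounted for by an item on the follow-up list.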
Nature of Internal Audit Work
The COSO framework

4. Information and communication
• On p. 102: “[There is a] need for pertinent information to be identified, captured and communicated in a form and time-frame that enables people to carry out their responsibilities.”
• See p. 102 for more on this
5. Monitoring
• This is needed because organisations function in a changing environment
• Risks must be re-assessed, controls must be revised and compliance must be assessed

27
Nature of Internal Audit Work
Responsibility for internal control

• The responsibility of management
  • The overall responsibility resides with the board of directors
  • The board then delegates this responsibility to management
  • Management designs and implements control activities; accountable to the board in this regard
    • Not the internal audit activity!
  • Controls must be adequate
    • This means that “management has planned and designed controls in such a manner that reasonable assurance is provided that risks are managed effectively and organisational objectives will be achieved” (p. 103)

28
Nature of Internal Audit Work
Responsibility for internal control

• The external auditor
  • What is the external auditor’s task again?
  • During their audit they test the client entity’s controls insofar as useful to their work
  • And give management a report of control weaknesses detected during the audit, with recommendations

29
Nature of Internal Audit Work
Responsibility for internal control

• The function of the internal auditor
  • Control is one of the three major elements on which an internal audit activity should focus
  • Per Performance Standard 2130 the internal audit activity should assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement
  • Should follow a risk-based approach, rather than a compliance-based approach
    • Important that you understand the difference
    • See the next slide

30
Nature of Internal Audit Work
Responsibility for internal control

• The function of the internal auditor
  • The risk-based approach (essentially the diagram on p. 104):

Are control activities sufficient to prevent risks from occurring?
  • Yes: Test for compliance
    • Compliance: No further action required
    • Non-compliance: Report
  • No: Report

31
Nature of Internal Audit Work
Responsibility for internal control

• The function of the internal auditor
  • See p. 105 for more on this
  • P. 106:
    • If management does not implement adequate controls the residual (remaining) risk goes up, and management must accept the higher risk
    • If the CAE believes that senior management has accepted a level of residual risk that is unacceptable to the organisation, he should discuss it with senior management
      • And if the issue is not resolved it should be reported to the board of directors

32
Nature of Internal Audit Work
Advantages and limitations of internal control

• Advantages
  • Internal control can assist an organisation to:
    • Achieve its goal for profitability and outputs
    • Prevent resource losses
    • Promote reliable financial reporting
    • Ensure compliance with legislation and regulations
    • Prevent the reputation of the organisation becoming tarnished and the related results

On p. 107: “In summary, internal control can assist the organisation to attain its goals…”

33
Nature of Internal Audit Work
Advantages and limitations of internal control

• Limitations
  • But internal control cannot do either of the following:
    • Ensure an organisation’s success
      • See p. 107
    • Ensure the reliability of financial reporting and compliance with legislation and regulations
  • Limitations that are inherent to all structures of internal control:
    • Faulty judgements being applied in the decision-making process
    • Ordinary errors being made
    • Collusion (which can “beat” segregation)
    • Management overriding the structure
    • Cost/benefit considerations

To a large extent it has to do with the weaknesses of people: they make mistakes or are dishonest

34
Nature of Internal Audit Work
Control in an IT environment

• Introduction
  • Per the textbook most organisations use IT in the processing of financial, operational and other information
    • That’s euphemistic: most organisations are dependent on their IT systems
  • On p. 108: “Internal control objectives and principles do not change from a manual environment to an IT environment, they merely take on different forms.”
    • E.g. custody controls and segregation
  • IT controls are divided into general controls (see next slide) and application controls (see slides 36 and 37)

35
Nature of Internal Audit Work
Control in an IT environment

• General controls
  • Relate to the IT environment as a whole; not application-specific
  • So very important to the IT system, and the internal auditor
  • Examples of general controls:
    • Organisational controls related to IT personnel
    • Standard operating procedures for systems
    • System documentation controls
    • System development and program change controls
    • Hardware and software controls
    • Security controls relating to IT

36
Nature of Internal Audit Work
Control in an IT environment

• Application controls
  • Application-specific
  • Designed to ensure completeness, accuracy, authorisation and validity of data captured and processed
  • Edit checks are one of the most important types of controls
    • Used to ensure that errors in data input will be detected and prevented
    • Examples:
      • Check digits
      • Reasonableness tests
      • Limit tests
      • Value tests
      • Alphanumeric tests

37
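The five edit-check types listed on this slide are each a few lines of code, and seeing them applied to records makes the difference between them concrete. The following is an added example, not from the textbook or the lecturer: it assumes a payroll input record with an employee number, surname, department code, weekly hours and hourly rate, uses the Luhn (mod 10) algorithm as the assumed check-digit scheme, and treats the hours ceiling, rate limit and valid department codes as assumed reference data. Records and values are constructed; the second employee number deliberately carries a wrong check digit.

```python
"""Input edit checks (application controls) over constructed payroll records.

Each of the five edit-check types named in the lecture is a small function;
validate() runs all of them over one record and returns the failures, which
is what an input control would log and reject. Reference data and records
are constructed for the example.
"""
import re

VALID_DEPTS = {"FIN", "OPS", "HR"}     # value test: permitted department codes
MAX_HOURS_PER_WEEK = 80                # reasonableness ceiling (assumed)
PAY_RATE_LIMIT_CENTS = 50000           # limit test: maximum hourly rate (assumed)


def luhn_check_digit_valid(number) -> bool:
    """Check-digit test using the Luhn (mod 10) algorithm, assumed here as
    the scheme used for employee numbers. The last digit is the check digit."""
    if not isinstance(number, str) or not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def reasonableness_test(hours) -> bool:
    """Hours worked in a week must fall in a plausible range."""
    return isinstance(hours, int) and 0 <= hours <= MAX_HOURS_PER_WEEK


def limit_test(rate_cents) -> bool:
    """Hourly rate must not exceed the configured limit."""
    return isinstance(rate_cents, int) and 0 < rate_cents <= PAY_RATE_LIMIT_CENTS


def value_test(dept) -> bool:
    """Department code must be one of the permitted values."""
    return dept in VALID_DEPTS


def alphanumeric_test(surname) -> bool:
    """Surname must contain letters (and hyphens) only, no digits."""
    return isinstance(surname, str) and \
        re.fullmatch(r"[A-Za-z][A-Za-z-]*", surname) is not None


# (field, check name, check function), applied in this order
EDIT_CHECKS = [
    ("employee_no", "check digit", luhn_check_digit_valid),
    ("hours", "reasonableness", reasonableness_test),
    ("rate_cents", "limit", limit_test),
    ("dept", "value", value_test),
    ("surname", "alphanumeric", alphanumeric_test),
]


def validate(record: dict) -> list:
    """Return [(field, check_name)] for every failed edit check; a missing
    field counts as a failure of its check. An empty list means the record
    passes input validation."""
    return [(field, name) for field, name, check in EDIT_CHECKS
            if field not in record or not check(record[field])]


# Constructed input records; 79927398713 is a valid Luhn number.
RECORDS = [
    {"employee_no": "79927398713", "surname": "Naidoo", "dept": "FIN",
     "hours": 40, "rate_cents": 25000},                           # clean
    {"employee_no": "79927398710", "surname": "Smith", "dept": "FIN",
     "hours": 40, "rate_cents": 25000},                           # bad check digit
    {"employee_no": "79927398713", "surname": "Van-Wyk", "dept": "OPS",
     "hours": 95, "rate_cents": 25000},                           # hours not reasonable
    {"employee_no": "79927398713", "surname": "Sm1th", "dept": "XYZ",
     "hours": 38, "rate_cents": 99999},                           # three failures
]


def exceptions(records) -> list:
    """Run validate() over a batch; return [(index, field, check_name)]."""
    return [(i, field, name)
            for i, rec in enumerate(records) for field, name in validate(rec)]


if __name__ == "__main__":
    for i, field, name in exceptions(RECORDS):
        print(f"record {i}: {field} failed the {name} test")
```

A check digit catches transposed or mistyped digits in an identifier, whereas the reasonableness and limit tests catch values that are well-formed but implausible; the value and alphanumeric tests catch data of the wrong kind. Running all of them at input time is what keeps a bad record from ever reaching processing.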
Nature of Internal Audit Work
Control in an IT environment

• Application controls
  • Can be categorised as:
    • Input controls – to prevent bad input
    • Processing controls – to prevent inaccurate processing
    • Output controls – to prevent the output from going to the wrong persons

38
