
Internal Auditing

Module 1
Prepared by MCM Romero
What is Audit?
An examination/review of an individual's or organization's accounts, typically by an independent body.

Auditor - a person authorized to review and verify the accuracy of financial records and ensure that companies comply with regulatory bodies and business laws.

Auditee - an individual, organization, or entity that is subject to an audit conducted by an independent party.

Internal Audit vs External Audit

Objective
Internal Audit: Enhances the efficiency of a business by identifying loopholes and advising means to improve accordingly
External Audit: Makes financial reports reliable

Reports to
Internal Audit: Board of Directors or higher officials of the organization
External Audit: Stakeholders or external members

Covers
Internal Audit: Detects all kinds of risks an organization is likely to face
External Audit: Identifies finance-related risks and issues

Consultancy services
Internal Audit: Guides organizations to improve their processes and functions in accordance with the issues and risks identified
External Audit: Not responsible for giving any improvement advice.

Source:
Audit vs. Assurance Difference

Definition
Audit: The audit is the process of evaluating the accounting entries present in the financial statement of the company. The audit checks the accuracy of the financial reports.
Assurance: Assurance is a process of analysis used in the assessment of accounting entries and financial records. Assurance is a process of verifying the records available in the company's accounting record as per accounting standard and principle, and it also verifies whether the accounting record is accurate or not.

Step
Audit: The audit is the first step.
Assurance: Assurance is followed by the audit.

Done by
Audit: An internal auditor or external auditor does the audit.
Assurance: An audit firm does assurance.

Aim
Audit: The audit tells about any misrepresentation done in financial records, any misuse of funds, any fraud, and any fraudulent activities done in a company or done by the company.
Assurance: Assurance specializes in assessing and improving the quality of the information in a company. It helps in decision making in an organization.

Uses
Audit: Auditing includes making sure financial reports are ethically presented, fairly presented, and accurate; it also checks whether financial reports are as per accounting standard and accounting principle.
Assurance: The use of Assurance is to check the accuracy of financial reports. It also assures all the stakeholders that there is no misrepresentation done in financial records, no misuse of funds, no fraud, and no fraudulent activities done in a company or done by the company.

What is Internal Audit?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
- According to the Definition of Internal Auditing in The IIA's International Professional Practices Framework (IPPF)

Internal Audit Functions
These audits can be conducted daily, monthly, quarterly, or annually, given how frequently the directors want the companies to be inspected and supervised.

The main motives behind conducting the audits internally are:
• Through this audit, auditors monitor internal controls to ensure that the accounting processes are effectively conducted and the accuracy is maintained in the released financial reports.
• The internal audit manager checks governance to ensure companies do not compromise their ethical values. They see if the firms in question adopt fair practices for a growing business.
• Risk management is easier as the audits conducted internally also involve auditors' consultancy services whereby they identify the loopholes and let the businesses improve their standards and become more efficient.

Auditors review the activities, be it human resources procedures or operating activities, or compliance with laws and regulations. They examine the means used to measure the financial and other information. The auditor may make inquiries about transaction balances and other specific matters.

The International Professional Practices Framework (IPPF)
The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The IIA. A trustworthy, global, guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and recommended guidance.
• An updated edition of the International Professional Practices Framework (IPPF) guide, more commonly known as the Red Book, is available. Visit the IIA Bookstore for more information.

Mandatory Guidance
• The International Professional Practices Framework (IPPF)® is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. A trustworthy, global, guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and recommended guidance.
• Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing. Mandatory guidance is developed following an established due diligence process, which includes a period of public exposure for stakeholder input. The mandatory elements of the IPPF are:

Core Principles for the Profession of Internal Auditing
• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.

Code of Ethics — Principles
Internal auditors are expected to apply and uphold the following principles:
• Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
• Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
• Confidentiality
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
• Competency
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

International Standards for the Professional Practice of Internal Auditing
• Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:
  • Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.
  • Interpretations, which clarify terms or concepts within the statements.
  • Glossary terms.
• It is necessary to consider both the statements and their interpretations to understand and apply the Standards correctly. The Standards employ terms that have been given specific meanings as noted in the Glossary, which is also part of the Standards.

Types of Internal Audit
Audits conducted internally assess firms based on a wide range of parameters. Depending on these determinants, such audits are classified into different categories. These include:
• Compliance Audits
• IT Audits
• Performance Audits
• Operational Audits
• Environmental Audits

COSO Internal Control
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• Private sector initiative led by the American Institute of Certified Public Accountants (AICPA), Institute of Management Accountants (IMA), American Accounting Association (AAA), Institute of Internal Auditors (IIA), and Financial Executives International (FEI).
• Formed to investigate the fraud scandals of the 1970s and 1980s, releasing an internal controls framework in 1992.
• Provided guidance for how organizations can implement controls to prevent, detect, and manage fraud risk related to external financial reporting.

Overview of the COSO Framework
• Sarbanes-Oxley Act (SOX) requires public companies to implement and maintain effective internal controls across the organization related to financial statements.
• Companies subject to SOX regulations adopted COSO as one of the primary frameworks to satisfy these requirements.
• The COSO Internal Control - Integrated Framework (ICIF) was revised and reissued in 2013 with updated guidance, and periodic updates are issued by the Committee.
• COSO also provides guidance for establishing an Enterprise Risk Management (ERM) program, which oftentimes works hand in hand with a Company's control environment.
• In March of 2023, COSO released a study and guidance regarding internal controls over sustainability reporting (ICSR) by leveraging the COSO internal controls framework.

Five Pillars of the COSO Framework?

Control Environment
1. The company commits to integrity and ethical values.
2. The Board of Directors maintains independence from management and oversees internal controls programs.
3. Management defines organizational structure, authority, reporting lines, and responsibilities to execute on the company's operational, reporting, compliance, and business objectives.
4. The company prioritizes the recruitment, development, and retention of capable, competent individuals aligned to internal controls objectives.
5. The company establishes accountability for control responsibilities.

Risk Assessment
6. The company establishes objectives with enough specificity to enable the identification and assessment of risks to the objectives.
7. The company identifies risks to objectives and scrutinizes identified risks to develop an action plan for risk treatment.
8. When evaluating risks, fraud is explicitly considered as part of the assessment.
9. The organization anticipates and assesses any changes that may affect internal controls.

Control Activities
10. Control activities address and mitigate risks to the company's objectives.
11. The company establishes control activities over technology in line with the company's objectives.
12. Policies and procedures define the control activities that should be taking place at the company as part of the internal controls program.

Information and Communication
13. The company uses quality data and information to support control objectives.
14. The company communicates relevant information, objectives, assignments, accountability, and responsibilities for internal control activities.
15. When necessary, the company communicates with external entities regarding internal controls.

Monitoring Activities
16. Regular or ongoing evaluations occur to determine if the internal controls program is operating effectively.
17. Any internal control deficiencies are reported timely to the accountable parties, including the Board of Directors and upper management when necessary.
