
MODULE: INTERNAL AUDITING

Updated by: Muthyaah Mohd Jamil
Reviewed by: Sharifah Nazatul Faiza Syed Mustapha Nazri
MODULE: INTERNAL AUDITING
© 2024. Updated by: Muthyaah Mohd Jamil
Reviewed by: Sharifah Nazatul Faiza Syed Mustapha Nazri

ALL RIGHTS RESERVED

No part of this book may be reproduced, distributed, or transmitted in any form or by any means without the
publisher's prior written permission, except in the case of brief quotations embodied in critical reviews and
certain other noncommercial uses permitted by copyright law.

This textbook is dedicated to the previous author. Your unwavering commitment to understanding, exploring, and pushing the boundaries of human understanding inspires us every day. May this book serve as a guiding light on your educational journey, empowering you to grasp complex concepts, solve intricate problems, and embark on new intellectual adventures.

In the pursuit of wisdom, let us forge ahead together, embracing the challenges, celebrating the discoveries, and never ceasing to marvel at the wonders of the universe.

Table of Contents
Introduction 9

Chapter 1: Overview of Internal Auditing 10

Introduction 10
Definition of Internal Auditing 11
Development of Internal Auditing Practices 12
Differences between Internal Auditor and External Auditor 13
Roles and Responsibilities of Internal Auditors 15
Organisational Status of Internal Audit Function 16
Line of Defence 17
Overview of the Relationship between Internal Auditor and Various Stakeholders 19
Types of Internal Audit Engagements 20
Summary 22
Review Questions 22
References 22

Chapter 2: Ethics and Professionalism 24

Introduction 24
Ethics 24
The International Professional Practices Framework (IPPF) 28
The Institute of Internal Auditors of Malaysia (IIAM) 28
Summary 29
Review Questions 29
References 29

Chapter 3: Corporate Governance Mechanism 31

Introduction 31
Definition of Corporate Governance 32
Malaysian Code on Corporate Governance 32
Corporate Governance Mechanism 34
Role of Board of Directors in Corporate Governance 35
Role of Audit Committee in Corporate Governance 36
Roles of Senior Management in Corporate Governance 38
Roles of Internal Auditors towards the Board of Directors, Audit Committee and Senior Management 39

Summary 40
Review Questions 41
References 41

Chapter 4: Risk Management and Control 43

Introduction 43
Risk and Risk Management 44
Enterprise Risk Management 45
Roles of the Board of Directors, Management and Risk Officers in Risk Management 45
Role of Internal Auditor in Risk Management 46
Division of Roles on Risk Management Between Management and Internal Auditor 47
Evaluation of Risk Management Process by Internal Auditor 47
Alternative Risk Management Frameworks 50
Controls 56
Division of Roles on Controls between Management and Internal Auditor 57
Evaluating Controls by Internal Auditor 57
Reporting and Communication by Internal Auditor 58
Alternative Control Frameworks 60
COSO Integrated Internal Control Framework 61
Categories of Control Objectives 63
Components of Internal Controls 63
Limitations of Controls 69
Summary 70
Self-Review Questions 70
References 70

Chapter 5: Managing the Internal Audit Function 72

Introduction 72
Internal Audit Charter 72
Staffing in Internal Audit Department 72
Responsibilities of Those Charged with Governance to the Internal Audit Function 76
Attributes of an Effective Internal Audit Function 78
Conflict Management 79
Outsourcing the Internal Audit Function 82
Quality Assurance and Improvement Program 87
Purposes of a QAIP 88
Quality Assurance Methodologies 88
Reporting on the Quality Program 96
Advantages of a QAIP 97
Best Approach for a QAIP 98
Common Issues in Quality Assurance Assessment 98
Summary 99
Self-Review Questions 99
References 99

Chapter 6: Internal Audit Process 101

Introduction 101
Framework of Internal Audit Process 102
Strategic Audit Planning 103
Risk-Based Internal Auditing 106
Risk-Based Audit Planning 108
Engagement Planning 110
Performing the Engagement 117
Evaluation and Conclusion 119
Communication 121
Follow Up 123
Summary 124
Self-Review Questions 124
References 125

Chapter 7: Internal Audit Reporting and Monitoring 126

Introduction 126
Purpose of Internal Audit Report 127
Process of Report Writing 128
Structure of the Report 130
Opinions and Ratings of the Internal Audit Report 134
Quality of the Report Writing 135
Strategies in Preparing Internal Audit Report 137
Communicating Results 138
Dissemination of the Audit Report 138
Monitoring the Progress and Follow-up Audit 139
Summary 141
Self-Review Questions 141
References 141

Chapter 8: IT in Internal Audit Practices 143

Introduction 143
Definition of IT Audit 145
Elements of IT Audit 145
Guide To Conduct an IT Audit 147
Scope and Objectives of an IT Audit 148
Steps in IT Audit 152
Evaluation of General and Application Controls 153
Auditing of System Development Life Cycle 154
Internal Auditors Involvement in the SDLC 157
Auditing of E-Commerce 158
Computer-Assisted Audit Techniques (CAATs) 160
Internal Auditing and The Fourth Industrial Revolution 162
Summary 164
Self-Review Questions 164
References 164

Chapter 9: Investigation of Fraud 166

Introduction 166
Definition of Fraud 167
Fraud Triangle and Fraud Diamond 167
Types of Fraud 170
Red Flags of Fraud 172
Internal Audit’s Role in Fighting Fraud 174
Other Responsibilities of Fraud Prevention and Detection 175
Internal Audit’s Role in Anti-Bribery and Anti-Corruption Programs 177
Fraud Risk Assessment 179
Fraud Prevention and Detection 181
Forensic Audit 183
Fraud Investigation 186
Summary 188
Self-Review Questions 188
References 189

Chapter 10: Current Issues in Internal Auditing 190

Introduction 190
Whistleblowing 191
Definition of Whistleblowing 192
Forms of Whistleblowing 192
Internal Auditor as a Whistleblower 193
Advantages and Disadvantages of Whistleblowing 193
Whistleblower Protection Act 2010 194
Code of Conduct in Relation to Whistleblowing 195
Definition of Environmental Auditing 197
Objectives of Environmental Auditing 197
Advantages of Environmental Audit 198
Examples of Environmental Audit in a Manufacturing Company 199
Environmental Audit Report 200
Environmental Management Systems (EMS) 200
Four Pillars of EMS Adoption 201
Commitments for a Successful EMS Adoption 205
Summary 206
Self-Review Questions 206
References 206

Appendix 1 : Sample of Audit Program 208

Introduction

Special thanks to the previous authors who completed this module: Mary Lee Siew Cheng, Yusarina Mat Isa, Azleen Ilias, Sharifah Nazatul Faiza Syed Mustapha Nazri, Nadzira Yahaya, Amizahanum Adam, Mohd Amran Mahat, Aida Hazlin Ismail, Azharudin Ali, Tay Boon Hock, Grace Mui, Sanjeev Ghatani and Fairuz Fauzee.

This module is an upgraded version of the previous module and incorporates the latest amendments to internal audit practices. Ten chapters cover the discussion from an overview of internal audit practices to current issues in internal auditing. The module improves on the previous version in several ways. In Chapter 1, the updating process takes into account the new definitions of terms in internal auditing.

Chapter 2 is a new chapter that discusses ethics and professionalism. In the previous module, this material was embedded in Chapter 1. The new module discusses five elements of ethics: integrity, objectivity, confidentiality, due professional care, and competency. Moreover, several chapters have been combined; for example, the quality assurance and improvement programme now falls under managing the internal audit function.

Whistleblowing and environmental auditing have been merged into a chapter on current issues in internal auditing practices. This version has also been improved by adding graphics to some discussions to make them easier for students to understand.

Updated by: Muthyaah Mohd Jamil
Reviewed by: Sharifah Nazatul Faiza Syed Mustapha Nazri
05 October, 2024

Chapter 1: Overview of Internal Auditing

After going through this chapter, you should be able to:

• Provide a professional overview of internal auditing
• Differentiate internal auditors from external auditors
• Identify the different types of internal audit engagements
• Describe the evolution and development of internal audit practices
• Understand the roles of the Institute of Internal Auditors of Malaysia (IIAM)
• Describe factors that enhance the image of the internal audit profession

Introduction
Previously, internal auditing was accounting-oriented and focused more on the accuracy and
reliability of financial statements and historical performance reporting. Now, an internal auditor
has an enhanced and complex role with a wider scope and greater stakeholder expectations.
Modern internal auditors provide services that include examination and appraisal of controls,
performance, risk, and governance for public and private entities. The new roles also include
suggestions to improve performance and generate new ideas or proposals for new corporate
direction to achieve organisational objectives.

An internal auditor acts as a management control and performs independent checks on an organisation's control systems. The recent global financial crisis demands more competent internal auditors to deal with dynamic yet complicated industry changes. Several guidelines are provided to help internal auditors fulfil their responsibilities. Primarily, internal auditors are required to adhere to the Institute of Internal Auditors' (IIA) International Professional Practices Framework (refer to https://global.theiia.org).

Currently, public-listed companies must have an internal audit function. This requirement has also been extended to regulatory bodies and government agencies. An internal audit function has become an expected feature of organisations; by having one, stakeholders can be assured that an independent mechanism is in place to control and monitor how the organisation operates.

Definition of Internal Auditing

"Internal auditing is an independent, objective assurance and advisory service designed to enhance the organisation's ability to serve the public interest."

Internal auditing is an independent, objective assurance and consulting service designed to enhance an organisation's ability to serve the public interest. Its primary objective is to strengthen the governance, risk management and control processes. The role of internal auditors extends beyond the organisation by fostering public trust and confidence in the organisation. Internal auditing helps an organisation accomplish its objectives by taking a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. It is an independent appraisal function established within an organisation to examine and evaluate its activities as a service to the organisation.

The objective of internal auditing is to assist members of the organisation in effectively discharging their responsibilities. Internal auditing furnishes them with analyses, appraisals, recommendations, counsel and information concerning the activities reviewed. The audit objective includes promoting effective control at a reasonable cost.

The key terms in the definition of internal auditing are:

Independence
The freedom from conditions that impair the ability of the internal auditor function to carry out
internal audit responsibilities in an unbiased manner.

Objectivity
An unbiased mental attitude that allows internal auditors to make professional judgements, fulfil their responsibilities and achieve the purpose of internal auditing without compromise.

Assurance services
Provide confidence about governance, risk management, and control processes to the
organization’s stakeholders, especially the board, senior management, and the management of
the activity under review
Advisory services
Provides advice and other assistance relating to the subject matter of interest in the capacity of
internal auditors' work. This includes designing and implementing new policies, processes,
systems, and products.

Risk Management
The process conducted by an organisation's management to understand and deal with risks
(uncertainties) that could negatively affect the organisation’s ability to achieve its objectives. At
the same time, risk could also lead to opportunities when an event occurs and positively affect
the achievement of an organisation’s objectives.

Control
An organisation needs effective internal controls that reasonably assure the safeguarding of its
assets against loss. Hence, internal auditors are responsible for ensuring that such controls are
well established by the organisation's management.

Governance
Governance is the system by which an organisation is directed and controlled. It relates to decisions that define expectations, grant power or verify performance, and it may be a separate process or part of the management or leadership processes. Hence, internal auditors should assess the corporate governance process and provide recommendations for effective governance.

Development of Internal Auditing Practices

The internal audit function is not a profession that arose overnight. It has existed since 3500 BC, when tick marks were used as a form of verification in the Mesopotamian civilisation. At the global level, the establishment and evolution of internal audit as a profession is closely linked to the history of the IIA, a body founded in the United States in 1941.

Nevertheless, in the early days of the profession, internal auditing was perceived as a function closely related to the work of external auditors, with both involved in checking the financial affairs of organisations. Over the years, internal auditors have gained recognition as a function distinct from external auditors. Table 1.1 illustrates the evolution of the internal audit profession from its early years until now.

Table 1.1: Evolution of Internal Audit Profession

THEN: Concentrated on attesting to the accuracy of financial matters.
NOW: Provides services that include examination and appraisal of the control and performance of an organisation.

THEN: Functioned as a junior sibling of the independent accounting profession.
NOW: Set up as a separate, distinct department within the organisation.

THEN: Acted as the auditee's adversary.
NOW: Guides improvement of operations, seeking to maintain a cooperative working relationship with clients and auditees.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has elevated
the importance of internal auditing by recommending the need to establish an effective and
objective internal audit function and coordinate internal auditing with external auditing.
Furthermore, COSO has also emphasised the importance of internal control in organisations,
making internal audit a significant function.

In Malaysia, the evolution of the internal audit function started in the 1970s with the establishment of an internal audit unit in the Ministry of Defence. In 1979, the Federal Government issued a circular extending the establishment of internal audit functions to other government ministries, with a broader role that included operational audit. In 1993, the Ministry of Finance requested all government-owned organisations to set up an Audit Committee to protect the government's interests as a shareholder and to oversee the internal audit function in these organisations. Since 1993, it has also been mandatory for all publicly listed organisations to establish an Audit Committee to monitor their internal audit department's accountability, governance, independence and objectivity. The internal audit function has gained significance through the establishment of Audit Committees.

In the private sector, internal auditing was first established to focus mainly on evaluating the efficiency and effectiveness of internal control systems and compliance. In 2008, the Bursa Malaysia Listing Requirements made it mandatory for public-listed organisations to set up an internal audit function. For private companies, setting up an internal audit function remains voluntary, as there is no mandatory requirement.

Differences between Internal Auditor and External Auditor

Internal auditors may sometimes be perceived as redundant alongside external auditors. Their functions are, in fact, different in several respects, as summarised in Table 1.2.

Table 1.2: Differences between Internal and External Auditor

Reporting responsibility
Internal auditor: Reports to the Audit Committee/Board of Directors.
External auditor: Reports to shareholders.

Status
Internal auditor: In general, an employee of the organisation.
External auditor: An independent contractor, a third party.

Stakeholder
Internal auditor: Serves the public interest.
External auditor: Serves third parties needing a reliable financial performance report.

Independent status
Internal auditor: Independent of the audited activities but ready to respond to the needs and desires of all elements of management.
External auditor: Independent of management and the Board of Directors, both in fact and in mental attitude.

Responsibility towards fraud
Internal auditor: Directly involved in preventing and detecting fraud of any form or extent in any activity reviewed.
External auditor: Indirectly concerned with preventing and detecting fraud in general, but directly concerned when the financial statements may be materially affected.

Scope of work
Internal auditor: Evaluates governance, control and risk management processes to ensure the accomplishment of the entity's goals and objectives.
External auditor: Reviews the financial statements to ensure that they are free from material misstatement and expresses an opinion on whether they present a true and fair view.

Timing and frequency of audit
Internal auditor: Reviews activities continually, focusing on future events.
External auditor: Reviews the records supporting the financial statements periodically (usually once a year), focusing on the accuracy and understandability of historical events as expressed in the financial statements.

Professional qualification
Internal auditor: Not required, but may obtain the Certified Internal Auditor (CIA) designation.
External auditor: Must be a member of the Malaysian Institute of Accountants (MIA), i.e. a Chartered Accountant (CA), and be granted an audit licence by the Ministry of Finance (MoF).

Roles and Responsibilities of Internal Auditors

Internal auditors' roles and responsibilities cover three broad areas in an organisation: risk management, control and governance. Internal auditors shall not assume management's responsibilities but support management in ensuring the efficiency and effectiveness of operations, the reliability of financial and management reporting, and compliance with laws and regulations. Internal auditors may also be involved in fraud audits to identify potentially fraudulent acts. They may participate in fraud investigations under the direction of fraud investigation professionals and conduct post-investigation fraud audits to identify control breakdowns and establish financial loss. Internal auditors are not responsible for executing company activities; however, they may advise management and the Board of Directors on how to execute their responsibilities better. To do so, internal auditors must have access to every part of the organisation's operations and unrestricted access to the company's personnel, records and physical property.

The internal auditors' roles and responsibilities for risk management, control and governance include:

Risk management
• Test the adequacy of risk management processes, models and systems
• Educate and create awareness among management and staff concerning risk issues
• Assist management in developing the risk management framework and its implementation
• Provide feedback on the appropriateness of the risk management infrastructure

Control
• Assess the effectiveness of the organisation's internal control system, including the adequacy of the control model or design
• Monitor management's compliance with the organisation's code of conduct and ethical policies
• Review corporate policies relating to compliance with laws and regulations and to conflicts of interest
• Analyse the controls over critical accounting and management functions
• Provide feedback and report control deficiencies

Governance
• Advise on the adequacy and appropriateness of the composition of the Board of Directors
• Assess the effectiveness of the Board of Directors in discharging its duties
• Ensure that the internal audit charter, role and activities are clearly understood and responsive to the needs of the Audit Committee and Board of Directors
• Help keep the Board of Directors informed of any matters related to the company's interests

Organisational Status of Internal Audit Function

To achieve the objectives of having an internal audit function within an organisation, the function must have adequate authority and freedom to carry out its audit activities. It is important to establish that internal audit is an essential function in the organisation and that cooperation from organisational members is necessary. If this is not established, the effectiveness of the internal audit function will be diminished.

To have the necessary status, the internal audit function must report functionally to the Audit Committee and administratively to top management (i.e. the CEO). As shown in Figure 1.1, the chief audit executive (CAE) needs a direct reporting line to the Audit Committee on matters concerning the internal audit work itself. For administrative purposes, for instance matters concerning the operating budget and the day-to-day operations of the internal audit activity, the CAE has an indirect reporting line to the CEO, shown by the dotted line.

Figure 1.1: Reporting Line of Internal Auditors (Board of Directors; Audit Committee; Chief Audit Executive; Internal Auditors; Chief Executive Officer (CEO))

The internal auditors need to be supported by both the Audit Committee and the Board
of Directors to ensure that those who are audited cooperate with them. The support of
the board and Audit Committee will demonstrate that the work is viewed as important
for the organisation. If the board and Audit Committee do not support the work of the
internal auditors, others in the organisation will not support their efforts either.

The correct level of organisational status will provide the internal audit department with organisational independence. This means the internal audit function must not be subordinate to the departments it will be auditing. Reporting directly to the Audit Committee, and having policies that restrict the assignment of internal auditors to engagements in departments where they previously worked, strengthen internal auditors' independence.

Line of Defence
The three lines of defence model defines an approach to providing risk assurance. Understanding the organisation's internal control and risk management system is a good starting point for ensuring effective risk management and control. The three lines of defence explain the relationships between the organisation's functions and act as a guide to how responsibilities should be assigned, as shown in Figure 1.2.

Figure 1.2: Three Lines Model

Source: The IIA’S Three Line Model

First Line (Roles/Defence)

Business operations deliver the first line of defence, providing an adequate level of assurance by identifying risks, implementing controls, and reporting on progress within their functional areas. This line is formed by the managers and staff who are responsible for identifying and managing risks in the organisation. They should have the necessary knowledge, skills, information, and authority to operate the relevant risk control policies and procedures. As the first point of contact where risk is concerned, they should exercise careful control over the risks the organisation takes on.

Second Line (Roles/Defence)

The functions that oversee risk management and compliance processes provide the second line of defence. It consists of activities covered by several components of internal governance, such as compliance, risk management, quality, IT, and other control departments. This line provides the policies, frameworks, tools, techniques, and support that enable risk and compliance to be managed in the first line of defence, and it monitors and facilitates operational management's implementation of effective risk management practices.

Third Line (Roles/Defence)
The third line of defence is provided by functions that offer independent audit and assurance. Commonly, this is the internal audit function. The main role of the third line is to ensure that the first two lines are operating effectively and to advise how they could be improved. The internal audit function is positioned within the organisation to assure the Audit Committee and senior management of the effectiveness of risk management, control and governance processes. As the third line of defence, the internal auditor plays a crucial role in assuring robust risk management within the organisation.

Overview of the Relationship between Internal Auditor and Various Stakeholders

Internal auditors coexist with other stakeholders and maintain harmonious working relationships with them, including the Board of Directors, the Audit Committee, senior management, and external auditors. As shown in Figure 1.3, the internal auditor plays a significant role in various capacities.

Figure 1.3: Relationship with Various Stakeholders (Internal Auditors at the centre, linked to the Audit Committee, External Auditors, Board of Directors and Senior Management/Management Team)
Board of Directors
The Board of Directors is critical in discharging its governance duty in an organisation. Among its responsibilities are driving and supporting the internal audit process. The internal audit function requires strategic direction and an adequate mandate to exercise its duties, and in this regard, the Board of Directors has to ensure that the internal auditors are not alienated in terms of either existence or function. The Board of Directors must allow internal auditors to carry out their duties independently and ensure that they can perform their work free from interference.

Audit Committee
The Audit Committee forms part of the board committee and has a direct role in ensuring that
internal auditors perform their work independently and meet organisational expectations. The
Audit Committee shall safeguard the interests of the internal auditors and ensure that the
internal audit charter, activities, and processes are appropriate. The Audit Committee must also
ensure that the internal audit charter, role, and activities are clearly understood and responsive
to the needs of the management and Board of Directors.

Senior Management
Senior management shall not interfere in the internal audit activity, and similarly, internal
auditors shall not influence an organisation's operational conduct. Internal auditors and senior
management must coexist and clearly understand the demarcation of their functions. If this
demarcation fails to be observed, the function of internal auditors to work independently will not
be achievable.

External Auditors
Internal auditors and external auditors have distinct functions (Refer Table 1.2); however, their
paths do cross in certain areas. Both parties must clearly understand their roles and
responsibilities and co-exist to complement each other.

Types of Internal Audit Engagements

Internal auditors can conduct many types of internal audit engagements, but they are broadly classified into assurance and consulting. The different types of internal audits have different purposes and characteristics, and each is applied only where the circumstances and risk assessment make it appropriate. The following provides six examples (as in Figure 1.4) of internal audit engagements:

Figure 1.4: Types of Internal Audit Engagements (Financial Audit; Operational Audit; Management Audit; Compliance Audit; Information Technology Audit; Fraud/Forensic Audit)

Financial Audit
An independent evaluation that attests to the fairness, accuracy and reliability of financial data. Internal auditors conduct such audits by focusing on the financial system's controls to ensure that they are adequate and effective in safeguarding the accuracy and reliability of the financial statements. This audit has a different focus from the financial audit performed by external auditors.

Operational Audit
A future-oriented, systematic, and independent evaluation of organisational activities. It assesses operating methods and evaluates how to improve the performance of an area, department, or functional operation. This process assesses the adequacy, efficiency, and effectiveness of control procedures in meeting organisational objectives.

Management Audit
An assessment of the competencies and capabilities of an organisation's management to evaluate their effectiveness, especially in formulating and implementing the strategic objectives, policies and procedures of the business. The objective of a management audit is not to appraise the performance of individual executives but to evaluate the management team of a unit or of the entire organisation.

Compliance Audit
An assessment of an organisation's adherence to applicable rules and laws, which may originate internally or externally. The audit process may assess the extent of compliance with internal policies, regulatory rules and requirements, and applicable laws.

Information System/Information Technology Audit
An assessment of computer systems and the management of information, including the integrity of information. It involves the appraisal and testing of computer systems through the various stages of system development: plan, analyse, design and implement.

Fraud/Forensic Audit
An in-depth investigation into any irregularities, such as reported fraud or allegations. Its scope is the area specified, with the aim of determining the modus operandi and collecting evidence to support a case that may eventually lead to legal consequences.

Summary
Relevant authorities worldwide, including in Malaysia, recognise the significance of an internal
audit function. Internal auditors have a greater role nowadays than before. Although their
function and focus are different from those of external auditors, they complement each other,
particularly within the scope of governance, risk management, and control.

Review Questions
1. Briefly explain the role of an internal auditor today.
2. List four reasons an internal auditor should ensure the effectiveness of an organisation's
risk management, control and governance processes.
3. What is the purpose of an operational audit?
4. Discuss five types of internal audit activities.
5. Explain the differences between internal auditors and external auditors.
6. Elaborate on the evolution of internal auditing as a profession.
7. Discuss five critical successful factors to be considered in establishing the internal audit
function as a reputable profession.

References
Mohd Johari Alwi (2017). Study Guide for Internal Auditing Course. Universiti Teknologi MARA.

Mary Lee et al. (2009). Principles and Contemporary Issues in Internal Auditing, Second Edition. Kuala Lumpur: McGraw-Hill (Malaysia) Sdn Bhd.

Reding, K. F. et al. (2009). Internal Auditing: Assurance and Consulting Services, 2nd Edition. The Institute of Internal Auditors Research Foundation, USA.

The Institute of Internal Auditors (2016). International Professional Practices Framework. Altamonte Springs, FL: The IIA Research Foundation. http://www.iiam.com.my

The Institute of Internal Auditors (2024). Two-way Mapping: 2017 IPPF Mandatory Elements to 2024 Global Internal Audit Standards (and Back). The Institute of Internal Auditors.

The Institute of Internal Auditors (2024). Condensed Version of the Global Internal Audit Standards. The Institute of Internal Auditors.

Chapter 2: Ethics and Professionalism

After going through this chapter, you should be able to:

• Understand the Code of Ethics and International Standards for the Professional Practice
of Internal Auditing
• Integrate the Code of Ethics and International Standards for the Professional Practice of
Internal Auditing into the roles of internal auditors

Introduction
Ethical issues are paramount for any professional. Ethics are the core principles that bind
internal auditors in performing audit engagements. These principles are derived from the IIA’s
International Standards for the Professional Practice of Internal Auditing. The internal auditor
may rely on these principles to maintain sound audit judgement.

Ethics
The IIA Global Internal Audit Standards publish the code of ethics to guide professionals
providing internal audit services, including internal auditors and chief audit executives.
Conformance with ethics instils trust in the profession. The Chief Audit Executive is expected
to support and promote compliance with the code. Internal auditors must conform to
the code, which has five elements: integrity, objectivity, competency, the exercise of due
professional care (including professional scepticism) and confidentiality.

Figure: The elements of ethics: integrity, objectivity, competency, exercise of due professional
care and confidentiality.

Integrity
Integrity is related to how internal auditors perform their work with honesty and professional
courage. Internal auditors must not make false, misleading, or deceptive statements or conceal
findings that affect the organisation’s decision-making ability. They must also encourage an
ethics-based culture and refrain from engaging in illegal and discreditable activities that may
harm the organisation and profession. In promoting this ethical behaviour, internal auditors
must have professional courage by communicating truthfully and taking appropriate action when
confronted with dilemmas and difficult situations. Therefore, the Chief Audit Executive must
support the internal auditors during those situations through continuous education and training.

Objectivity
Objectivity is an unbiased mental attitude that allows internal auditors to make professional
judgements. The internal auditors must apply an impartial and unbiased judgement to ensure
balanced assessments of events within the organisation. The internal audit function has the
freedom to carry out its responsibilities in an unbiased manner; this is the concept of
independence.

Internal auditors must mitigate or avoid receiving any gifts, whether tangible or intangible, that
impair objectivity. During the audit engagement, the internal auditors must refrain from
assessing activities for which they were previously responsible. If the internal auditors are
required to provide assurance services over activities for which they previously provided
advisory services, the Chief Audit Executive must confirm that the advisory services are
consistent with the internal auditors' objectivity.

Objectivity can be impaired in two ways: in fact and in appearance. Impairment compromises
objectivity in delivering audit judgements. To minimise the risk of impairment in fact, the Chief
Audit Executive can exclude internal auditors with impaired objectivity from the engagement,
reschedule the work engagement, adjust the scope of the engagement, or outsource the
supervision of the engagement.

The impairment in appearance is defined as the concern arising from the other party about the
ability of the internal auditor to fulfil their responsibilities. The Chief Audit Executive must
discuss the concern with the Board and/or senior management and determine the appropriate
action to be taken. Internal auditors must discuss impairments and take appropriate actions
according to relevant methodologies. If objectivity is impaired in fact or appearance, the details
of the impairment must be disclosed promptly to the appropriate parties.

Competency
Competency is the knowledge, skills and abilities of the internal auditors to perform their
responsibilities. Internal auditors must ensure they have the professional skills relevant to the
audit engagements. They should also develop competencies related to communication,
governance, risk management and control processes, business functions, auditing techniques,
supervision, and leadership.

Internal auditors must maintain continuous professional development, including education and
training. The Chief Audit Executive must implement a specific plan to increase their competency.
The plan includes identifying areas where competencies can be improved (e.g., introducing new
technology and changes in audit practices), approving the budget, and implementing quality
assurance and improvement programs.

Exercise Due Professional Care
The internal auditors must apply due professional care in performing the audit engagements.
The internal auditors must plan and perform their work in detail. This includes assessing the
audit engagement in accordance with relevant regulations and internal audit standards and
communicating with the related parties. The internal auditors must thoroughly plan the
techniques, tools, technology, and the extent of the work for the audit engagement. Several
considerations are needed while determining a thorough audit plan, such as the organisation’s
goals, the stakeholders' interests, and the program's costs and benefits.

Internal auditors must exercise professional skepticism. This means questioning and critically
assessing the reliability of information. In exercising professional skepticism, internal auditors
must assess whether the information is relevant, reliable, and sufficient. Internal auditors need
to maintain an inquisitive mind, critically assess the reliability of the information, be
straightforward and honest about inconsistent information, and seek additional evidence for
incomplete, inconsistent, false, or misleading information.

Confidentiality
Internal auditors can access any information needed to fulfil the internal audit mandate. Some
information is confidential and not available to the public. The internal auditors must be aware
of and comply with any policies and procedures for handling the secrecy of the information. This
applies to any information, whether physical or digital. Internal auditors must not disclose
confidential information to unauthorised parties unless there is a legal requirement. The Chief
Audit Executive should consult with legal counsel to understand the legal impact if the internal
auditors withhold information.

The International Professional Practices Framework (IPPF)

For the internal audit profession, the IPPF has also prescribed that conformance with the IIA’s
International Standards for the Professional Practice of Internal Auditing (the Standards) is
essential in meeting the responsibilities of internal auditors and the internal audit activity. If
internal auditors or the internal audit activity are prohibited by law or regulation from
conforming to certain parts of the Standards, conformance with all other parts of the Standards
and appropriate disclosures are needed.

If the Standards are used in conjunction with standards issued by other authoritative bodies,
internal audit communications may also cite the use of other standards as appropriate. If
inconsistencies exist between the Standards and other standards, internal auditors and the
internal audit activity must conform to the Standards and may conform to the other standards if
they are more restrictive.

The purpose of the Standards is to:

1. Delineate basic principles that represent the practice of internal auditing.
2. Provide a framework for performing and promoting a broad range of value-added
internal auditing.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organisational processes and operations.

The Institute of Internal Auditors of Malaysia (IIAM)

The Institute of Internal Auditors Malaysia (IIAM) is a non-profit organisation dedicated to
advancing and developing the internal audit profession in Malaysia. The IIAM was established
in 1977 as a chapter of the Institute of Internal Auditors Inc. (IIA Global) and was elevated to a
national institute in 1988. In July 1994, the IIAM was incorporated as a company limited by
guarantee and became an affiliate of IIA Global. The IIAM maintains its motto “Progress through
sharing” and shares with its members information on new trends, the latest internal audit
techniques, regulatory and statutory requirements and the emerging issues affecting the internal
audit profession.

The IIAM provides various services for both members and non-members:

• Certification — offering certification for Certified Internal Auditor (CIA), Certified
Financial Services Auditor (CFSA), Certified Government Auditing Professional (CGAP),
Certification in Control Self-Assessment (CCSA), Certification in Risk Management Assurance
(CRMA) and Qualification in Internal Audit Leadership (QIAL).
• Professional development — providing quality and ‘value for money’ internal audit
training.
• Guidance and advice — providing research, technical advice and responding to
technical enquiries.
• Surveys — conducting surveys on various topics in collaboration with, among others,
Bursa Malaysia, MICG, KPMG and Ernst & Young.
• Quality assurance services — providing assistance and expertise for the Quality
Assurance and Improvement Program (QAIP).

Summary
There are five basic principles for ethical elements: integrity, objectivity, competency, the
exercise of due professional care (including professional skepticism), and confidentiality. These
elements have been widely discussed in the IIA’s International Standards for the Professional
Practice of Internal Auditing, which is the main basis for internal auditors to evaluate ethical
issues. The IIA's standards are the basis for developing the internal audit profession in Malaysia.

Review Questions
1. Briefly explain the ethical values of an internal auditor today.
2. Explain the role of the International Professional Practice Framework.
3. Elaborate on the role of The Institute of Internal Auditors of Malaysia.

References
Mohd Johari Alwi (2017). Study Guide for Internal Auditing Course, Universiti Teknologi MARA.

Puan Sri Datin Dr. Mary Lee et al. (2009). Principles and Contemporary Issues in Internal
Auditing, Second Edition, Kuala Lumpur: McGraw-Hill (Malaysia) Sdn Bhd.

Reding F. Kurt et al. (2009). Internal Auditing: Assurance and Consulting Services, 2nd Edition,
The Institute of Internal Auditors Research Foundation, USA.

The Institute of Internal Auditors (2016). International Professional Practices Framework,
Altamonte Springs, FL: The IIA Research Foundation. http://www.iiam.com.my

The Institute of Internal Auditors (2024). Two-way Mapping: 2017 IPPF Mandatory Elements
to 2024 Global Internal Audit Standards (and Back). The Institute of Internal Auditors.

The Institute of Internal Auditors (2024). Condensed Version of the Global Internal Audit
Standards. The Institute of Internal Auditors.

Chapter 3: Corporate Governance Mechanism

After going through this chapter, you should be able to:

• Define corporate governance
• Understand the Malaysian Code of Corporate Governance
• Understand the roles of the Board of Directors, Audit Committee, senior management
and internal audit functions in corporate governance.

Introduction

Corporate governance provides a framework of control mechanisms that support the company
in achieving its goals while preventing unwanted conflicts. The pillars of corporate governance,
such as ethical behaviour, accountability, transparency, and sustainability, are important to the
governance of companies and the stewardship of investors’ capital. Companies that embrace
these principles are more likely to produce long-term value than those lacking in one or all.

Proper governance identifies the distribution of rights and responsibilities among different
company participants and outlines, among other things, the rules and procedures for decision-
making, internal control, and risk management. Corporate governance is not only concerned
with shareholder interests but also requires balancing the needs of other stakeholders such as
employees, customers, suppliers, society, and the communities in which the companies conduct
their business.

Definition of Corporate Governance
Corporate governance is defined as:

The process and structure used to direct and manage the business and affairs of the
company, with the aim of enhancing business prosperity and corporate accountability.
The ultimate objective is to realise long-term shareholder value while considering the
interests of other stakeholders.

From the definition, corporate governance focuses mainly on the process used to direct and
control the business and affairs of the company, which specifies the distribution of rights and
responsibilities among the different parties in the organisation, including the Board of
Directors, managers, shareholders and other stakeholders. Thus, corporate governance can be
described as the proper procedure by which the ‘government’ of a company (the managers and
Board of Directors) is made responsible to its ‘voters’ (the shareholders, creditors and
investors).

Corporate governance emphasizes transparency in decision-making processes, fairness, and
trustworthiness in managing a company. An effective internal audit function plays a key role in
assisting the Board of Directors in discharging its governance responsibilities.

Malaysian Code on Corporate Governance

The Malaysian Code on Corporate Governance (MCCG), first introduced in 2000, has since been
a significant tool for corporate governance reform in Malaysia. The MCCG reflects accepted
principles and internationally recognized corporate governance practices that apply to all
organizations, particularly publicly listed companies.

The MCCG was reviewed and updated in 2007, 2012, 2017 and 2021 to ensure it remains relevant
and is aligned with globally recognized best practices and standards. In 2017, the MCCG, which
supersedes its earlier edition, took on a new approach, as shown in Figure 2.1, to promote greater
internalization of corporate governance culture. Known as CARE or Comprehend, Apply and
Report, this approach encourages companies to identify the thought processes involved in
practising good corporate governance, including providing a fair and meaningful explanation of
how the company has applied the practices.

Figure 2.1 Key Features of the New Approach (CARE)

(Source: MCCG 2021)

Comprehend
Understand and internalize the spirit and intention behind the principles and practices and their
intended outcomes.

Apply
Implement the practices in substance to achieve the intended outcomes of building and
supporting a strong corporate governance culture throughout the company. The company is
strongly encouraged to demonstrate a higher commitment to corporate governance practices.

Report
Provide a fair and meaningful disclosure of the company’s corporate governance practices.

The latest amendment of the MCCG in 2021 emphasises the roles of the Board of Directors, Audit
Committee, and senior management in strengthening the corporate governance culture by adopting
new best practices and supplementary guidance for good governance. The MCCG 2021 focuses
on improving board policies and processes for director selection, nomination and appointment.
This code strengthens board oversight and integrates sustainability into the strategy and
operations of companies.

Please refer to https://www.sc.com.my/regulation/corporate-governance for further
information on MCCG 2021. In the MCCG, the roles of internal auditors are emphasised through
the function of the Audit Committee. The Audit Committee is required to ensure that the internal
audit function is effective and can function independently from the management.

MCCG prescribes that the Audit Committee should ensure that:

• internal audit personnel are free from relationships or conflicts of interest that could
impair their objectivity and independence;
• the internal audit function has adequate and competent resources to carry out its work;
• the internal audit function is carried out in accordance with a recognised framework;
• the person responsible for the internal audit reports directly to the Audit Committee; and
• the appointment and removal, scope of work, performance evaluation, and budget of the
internal audit function are determined by the Audit Committee.

Corporate Governance Mechanism

Corporate governance refers to the policies and procedures a company implements to control
and protect the interests of internal and external business stakeholders. It often represents the
framework of policies and guidelines for each individual in the business. Because of their size
and complexity, larger organisations often use corporate governance mechanisms to manage
their businesses. Publicly held corporations are also primary users of corporate governance
mechanisms.

Board of Directors
The Board of Directors is ultimately responsible for the governance of the organisation.
Establishing an effective Audit Committee is the key tool available to the Board of Directors to
oversee that the organisation is well governed and that the financial reporting and other
information delivered to the Board of Directors and communicated to other stakeholders are
accurate and trustworthy. The Board of Directors is accountable for reviewing the corporation’s
administration. The Board of Directors should also establish formal and transparent arrangements
for considering how it should apply the corporate reporting, risk management and internal
control principles and maintain an appropriate relationship with the company’s auditors.

Audits
Audits are an independent assessment of a company’s business and financial operations. These
corporate governance mechanisms ensure that businesses or groups observe international
accounting standards, regulations or other guidelines. Shareowners, on the other hand, expect
that their money and interests are well protected and that the various systems within their
companies are sufficient and functioning the way they should. Therefore, the external auditor is
appointed to evaluate such systems and provide recommendations or assurances to the owners.

Balance of Power
Balancing power in an organisation ensures that no one individual can overextend resources.
Segregating duties between the members of the Board of Directors, directors, managers, and
other individuals ensures that each individual’s responsibility is well within reason for the
organisation. Corporate governance can also separate the number of functions one division or
department completes. Creating well-defined roles also keeps the organisation flexible, ensuring
that operational changes or new hires can be made without interrupting current operations. The
key players of corporate governance are depicted in Figure 2.2.

Figure 2.2 Key Players of Corporate Governance: a system composed of key players (Board,
Audit, External auditors) (Source: Alain Laurin, 2002)

Role of Board of Directors in Corporate Governance

The Board of Directors should set the company’s strategic aims, ensure the necessary resources
are in place to meet its objectives and review management performance. The Board should also
set the company’s values and standards and ensure that its obligations to its shareholders and
other stakeholders are understood and met.

A board of directors chairman is appointed and responsible for instilling good corporate
governance practices, leadership, and effectiveness in the board. Different individuals hold the
positions of Chairman and CEO.

To enable the Board of Directors to discharge its responsibilities in meeting the goals and
objectives of the company, the Board of Directors should, among others:

• collectively with senior management, promote good practices of corporate
governance culture within the organisation to reinforce ethical, prudent and
professional behaviour;
• review, challenge and decide on management’s proposals for the company and
monitor their implementation with management involvement;
• ensure that the organisation's strategic planning will add value to long-term wealth
and include strategies on economic, environmental, and social considerations
underpinning sustainability;
• supervise and assess management performance to ensure that the wealth of
the organisation is properly managed;
• ensure there is a sound framework for internal controls and risk management;
• understand the major risks of the company’s business and recognise that some of the
organisation’s decisions may involve some risk-taking;
• set the risk level within which the Board of Directors expects management to operate and
make certain that there is a good structure of risk management framework to identify,
analyse, evaluate, control and monitor financial and non-financial risks;
• ensure that senior management has the necessary skills and experience and that there is
orderly succession planning for the Board of Directors and senior management; and
• ensure that the organisation has strategies to enable effective communication with
stakeholders.

Key responsibilities of the Chairman include:

• imparting leadership to the Board of Directors so that the Board of Directors can
perform its obligations effectively;
• laying down the agenda and ensuring that the members of the Board of Directors
receive complete and correct records on time;
• chairing the Board of Directors meetings and discussions;
• encouraging participation and allowing dissenting views to be freely expressed;
• managing the relationship between the Board of Directors and management;
• ensuring strategic steps are taken to ensure effective communication with
stakeholders and that their views are communicated to the Board of Directors;
• leading the Board of Directors in establishing and monitoring good corporate governance
practices in the company; and
• ensuring the Board of Directors is effective in its task of setting and implementing the
company’s direction and strategy.

Role of Audit Committee in Corporate Governance

An effective Audit Committee can bring transparency, focus and independent judgment needed
to oversee the financial reporting process. However, the ultimate responsibility for a company’s
financial reporting process rests fully with the Board of Directors.

The Audit Committee plays a key role in a company’s governance structure. An independent
Audit Committee is better positioned to rigorously challenge and ask probing questions on the
company’s financial reporting process, internal controls, risk management and governance.

The appropriate level of knowledge, skills, experience and commitment of its members is critical
to the Audit Committee’s ability to discharge its responsibilities effectively. A strong
understanding of financial reporting process complemented with a wide range of diverse
perspectives can significantly strengthen the quality of Audit Committee deliberations.

Collectively, the Audit Committee should possess a wide range of necessary skills to discharge its
duties. All members should be financially literate and able to understand matters under the
purview of the Audit Committee including the financial reporting process.

All members of the Audit Committee should undertake continuous professional development to
stay abreast of relevant developments in accounting and auditing standards, practices, and rules.

The Chairman of the Audit Committee is responsible for ensuring the committee's overall
effectiveness and independence. Having the positions of Chairman of the Board of Directors and
Chairman of the Audit Committee assumed by the same person may impair the objectivity of the
board’s review of the Audit Committee’s findings and recommendations.

The Chairman of the Audit Committee, together with other members of the Audit Committee,
should ensure, among others, that:

• the Audit Committee is fully informed about significant matters related to the
company’s audit and financial statements and addresses them;
• the Audit Committee appropriately communicates its insights, views and concerns
about relevant transactions and events to internal and external auditors;
• the Audit Committee’s concerns on matters that may have an effect on the financial
statements or audit of the company are communicated to the external auditor; and
• there is coordination between internal and external auditors.

In assessing the suitability, objectivity and independence of the external auditor, the Audit
Committee establishes policies and procedures that consider, among others:

• the competence, audit quality and resource capacity of the external auditor in relation to
the audit;
• the nature and extent of the non-audit services rendered and the appropriateness of
the level of fees; and
• obtaining written assurance from the external auditors confirming that they are, and
have been, independent throughout the audit engagement under the terms of all
relevant professional and regulatory requirements.

The responsibility of the Audit Committee in the area of corporate governance is to assure that
the corporation is in reasonable compliance with pertinent laws and regulations, conducts its
affairs ethically, and maintains effective controls against employee conflict of interest and fraud.
The specific steps involved in carrying out this responsibility include:

• reviewing corporate policies relating to compliance with laws and regulations, ethics,
conflict of interest, and the investigation of misconduct and fraud;
• reviewing current or pending litigation or regulatory proceedings bearing on corporate
governance in which the corporation is a party;
• reviewing significant cases of employee conflict of interest, misconduct or fraud; and
• requiring the internal auditor to report in writing annually on the scope of the reviews
of corporate governance and any significant findings.

Roles of Senior Management in Corporate Governance

Senior management must have the expertise necessary to manage the regulated entity's day-to-
day operations and carry out the strategic objectives of the Board of Directors. Senior
management team members, including the CEO, should possess certain fundamental qualities
and qualifications: integrity, financial and management experience, technical competence, and
good character.

Effective senior management must also possess and demonstrate the leadership qualities
necessary to coordinate and organise resources and guide and motivate personnel to achieve the
organisational objectives. As part of its responsibilities, senior management advises the Board of
Directors about the regulated entity’s activities and corresponding risks to ensure that directors
are fully informed. Senior management is also responsible for implementing corrective actions
specified by the Board of Directors. This includes management’s willingness and ability to take
timely corrective action in response to audit, review, and examination findings and
recommendations.

Examples of specific senior management responsibilities include, but are not limited to, the
following:

• Develop strategic and operational plans and risk management policies for approval by
the Board of Directors.
• Implement strategic and operational plans and risk management policies following
approval by the Board of Directors.
• Assess and implement an effective internal control framework and risk management
process to address and monitor the regulated entity's critical processes and mission
activities.
• Establish procedures and controls to address compliance with key laws and regulations
applicable to the regulated entity.
• Develop and implement management information systems that adequately address the
regulated entity’s business environment and risk profile.
• Develop written policies, procedures, and standards to address the regulated entity's
critical processes, mission activities, and controls.
• Establish procedures to identify, report, assess, and correct deviations from key
standards, risk tolerances, and controls promptly.
• Implement timely corrective action on significant control deficiencies and issues reported
by the external or internal auditors and by governmental authorities.
• Implement timely corrective action on examination and audit findings.

Senior management must ensure that all functions are carried out under policies established by
the Board of Directors and that the regulated entity has adequate systems to monitor and manage
risks effectively.

In addition, senior management must ensure that the regulated entity maintains internal risk
controls appropriate for its size, activities, and business and that information and reporting
systems produce timely, accurate, and complete information.

Roles of Internal Auditors towards the Board of Directors, Audit Committee and Senior Management
Internal audit provides assurance by assessing and reporting on the effectiveness of governance,
risk management, and control processes designed to help the organisation achieve strategic,
operational, financial, and compliance objectives.

Internal audit is best positioned to provide assurance when its resource level, competence,
and structure are aligned with organisational strategies and when it follows IIA standards. It can
do this best when it is free from undue influence. By maintaining its independence, internal audit
can perform its assessments objectively, providing management and the Board of Directors with an
informed and unbiased critique of governance processes, risk management, and internal control.

Based on its findings, internal audit recommends changes to improve processes and follows up
on their implementation. Functioning independently within the organisation, an internal audit
is performed by professionals who have a deep appreciation of the importance of strong
governance, an in-depth understanding of business systems and processes, and a fundamental
drive to help their organisations succeed.

Internal audit provides insight by acting as a catalyst for management and the Board of Directors
to better understand governance processes and structures. The IIA believes internal audit
insights on governance, risk, and control provoke positive changes and innovation within the
organisation. They inspire organisational confidence and enable competent and informed
decision-making. Moreover, successful internal auditing can mature to provide foresight to the
organisation by identifying trends and bringing attention to emerging challenges before they
become crises.

Internal audit can add value by providing advisory and consulting services intended to improve
governance, risk management, and control processes, so long as it assumes no management
responsibility. This is vital to maintaining internal audit objectivity and avoiding conflicts of
interest. The type of audits or services to be performed should be selected based on the audit
activity’s authority, maturity, purpose, and the organisation’s needs and issues.

Recent events have highlighted the critical role of directors in promoting good corporate
governance. In particular, the Board of Directors is charged with the ultimate responsibility for
the effectiveness of their organisation’s internal control systems. These events have highlighted
the key role that internal audit can play in supporting the Board in ensuring adequate oversight
of internal controls and the effectiveness of corporate governance.

The definition of internal auditing and the International Standards identify that internal audit has
a role in evaluating and improving governance processes.

The key role of an internal audit is to assist the Board of Directors / Audit Committee in
discharging its corporate governance responsibilities by delivering:

• An objective evaluation of the existing risk and internal control framework.
• Systematic analysis of business processes and associated controls.
• Reviews of the existence and value of assets.
• A source of information on major frauds and irregularities.
• Ad hoc reviews of other areas of concern, including unacceptable levels of risk.
• Reviews of the compliance framework and specific compliance issues.
• Reviews of operational and financial performance.
• Recommendations for more effective and efficient use of resources.
• Assessments of the accomplishment of corporate goals and objectives.
• Feedback on adherence to the organisation’s values and code of conduct/code of ethics.

Summary
The chapter covers the framework of the Malaysian Code of Corporate Governance,
recently revised in 2021. It further explains the role of the Board of Directors, Audit
Committee, senior management, and internal audit function to assist the Board of
Directors in discharging their corporate governance function.

Review Questions
1. List two duties of the Board of Directors by the Malaysian Code of Corporate
Governance.
2. Define corporate governance.
3. How does an internal audit assist the Board of Directors / Audit Committee in
discharging its corporate governance responsibilities?
4. Identify whether the following statements are TRUE or FALSE.
a. The same individual should hold the positions of chairman and CEO.
b. The tenure of independent directors is capped to a cumulative period of
nine years.
c. The Board of Directors should form a remuneration committee to
establish formal and transparent remuneration policies and procedures to
attract and retain directors.
5. Which of the following are the roles of internal auditing in risk management?
a. Participates as part of a formal risk management program
b. Reviews operational and financial performance
c. Provides independent assurance on risk management
d. Assists and advises a new, separate risk management function

References
Ahlawat, S.S., and Lowe, D.J. (2004). An Examination of Internal Auditor Objectivity: In-House
versus Outsourcing Auditing. Auditing: A Journal of Practice & Theory, 23(2), pp. 147–158.

Aldhizer, G.R., Cashell, J.D., and Martin, D.R. (2003). Internal Audit Outsourcing. CPA Journal,
pp. 38–42.

Badawi, I.M., Elifoglu, I.H., Latshaw, C.A., and Zollo, R.A. (2003). New Interagency
Guidance on the Internal Audit Function. Bank Accounting & Finance, 16, pp. 32–42.

Bai, C., Liu, Q., Lu, J., Song, F., and Zhang, J. (2003). Corporate Governance and Market
Valuation in China. Working Paper, University of Hong Kong.

Chaithanakij, S. (2005). Theory of Corporate Governance: Trimiti Analysis. Setthasat Thammasat
Journal, 23, pp. 1–89 (in Thai).

Chaithanakij, S. (2006). The Determinants for Success and Failure of Corporate Governance
System: The Analysis of Thai Corporate Governance Through the Lens of Three-Pillared
Framework. Doctor of Philosophy Dissertation, Thammasat University, Bangkok, Thailand (in
Thai).

Denis, D.K., and McConnell, J.J. (2003). International Corporate Governance. Journal of
Financial and Quantitative Analysis, 38, pp. 1–36.

ECGI. http://www.ecgi.org/codes/documents/ (accessed September 30, 2006).

Fiss, P.C. (2004). Corporate Governance and the Symbolic Management of Stakeholders: The
Emergence of Shareholder Value Orientation in Germany.

Glass, A.J. (2004). Outsourcing under Imperfect Protection of Intellectual Property. Review of
International Economics, 12, pp. 867–884.

Gordon, E.A., Henry, E., and Palia, D. (2004). Related Party Transactions: Association with
Corporate Governance and Firm Value. (http://papers.ssrn.com).

Haniffa, R.M., and Cooke, T.E. (2002). Culture, Corporate Governance and Disclosure in
Malaysian Corporations. Abacus, 38(3), pp. 317–349.

Malaysian Code on Corporate Governance (2017).

Roe, M. (2004). The Institutions of Corporate Governance. Harvard Law and Economics
Discussion Paper No. 488.

Chapter 4: Risk Management and Control

After going through this chapter, you should be able to:

• Understand the internal auditor’s roles in risk management
• Understand the various risks faced by the organisation
• Know the various risk management frameworks, in particular Enterprise Risk
Management (ERM)
• Know the different risk management frameworks developed across the world
• Understand the internal auditor’s roles concerning control
• Understand the basic internal control principles
• Learn the basic elements of the COSO control framework
• Understand the relationship between risk and controls

Introduction
An organisation, whether for profit or non-profit, is set up to achieve certain objectives. Similar
to achieving our personal objectives and goals, along the journey, there will be uncertain events
or risks that may impact our chances of achieving them.

The organisation’s management must be prepared to effectively manage its risks to provide
reasonable assurance that the objectives and goals set can be achieved. It is important to
acknowledge the relationship between objectives, risks and controls. Risks and controls should
be considered in the context of the organisation’s objectives.

The internal audit activity must evaluate and contribute to improving the organisation’s
governance, risk management, and control processes using a systematic, disciplined, and risk-
based approach. Internal audit credibility and value are enhanced when auditors are proactive,
and their evaluations offer new insights and consider future impact. Therefore, one main focus
of an internal audit activity is to evaluate the effectiveness of an organisation's risk management
and control aspects.
Risk and Risk Management

Definition of Risk
Risk is the possibility of an event that will impact the achievement of objectives. It is measured
in terms of impact and likelihood. Generally, organisational objectives can be classified into four
main categories: strategic, financial, operations, and compliance. Whenever there are objectives,
there will be risks attached to them, as shown in Figure 4.1:

Figure 4.1 The four categories of risk: Strategic Risk, Financial Risk, Operational Risk and Compliance Risk

a) Strategic risk is the exposure to damage or loss arising from an inappropriate high-level
strategic or business plan, such as expanding into an emerging market, diversifying to a new
market segment, making an acquisition or joint-venture decision, or developing a new
product or brand.
b) Financial risk refers to the exposure to damage or loss incurred, mainly in monetary terms,
as a result of uncertainties or risk such as changes in domestic or world economy, volatility
of exchange rates, liquidity risk and credit risk, inadequate resource allocation or failure to
respond to changes in the business environment.
c) Operational risk is the possibility of damage or loss arising from internal inadequacies or
breakdown in its systems, controls, procedures, machines or equipment. Some examples
are outdated or obsolete information technology and systems, which lead to wrong decision-
making, engagement of incompetent staff or third-party contractors, and internal fraud due
to poor control activities and management.
d) Compliance risk is the possibility of damage or loss arising from non-compliance with the
laws, rules and regulations or terms of contracts or agreements entered into by the
organisation with its vendors, partners or employees.

Definition of Risk Management

Risk management is a process to identify, assess, manage, and control potential events or
situations to provide reasonable assurance regarding achieving the organisation’s objectives.
Risk management is management’s responsibility. The management should establish a sound
risk management and ensure the system functions effectively. Risk management requires
strategic and tactical decisions to ensure that organisations can minimise losses. The Board of
Directors or governors of an organisation must oversee the organisation’s risk management
function. The Board of Directors can receive assistance from internal auditors to facilitate their
oversight role.

Enterprise Risk Management

Enterprise risk management (ERM) is a structured, consistent, and continuous process across
the whole organisation to identify, assess, decide on responses to, and report on opportunities
and threats that affect the achievement of objectives. ERM is a more comprehensive approach to
managing risk in organisations. It requires constant evaluation of internal and external risks and
their potential impact on the organisation’s business activities, separately and collectively.

Roles of the Board of Directors, Management and Risk Officers in Risk Management
An effective ERM requires the participation of various parties within the organisation,
particularly the Board of Directors, management, risk officers, and internal auditors. The
responsibilities of these various parties are explained below.

Board of Directors
The Board of Directors sets directions and oversees the organisation's management. A Board of
Directors is involved in formulating its company’s strategies and objectives and in determining
the resource allocation and the ethical environment. As part of the internal environment for ERM,
a Board of Directors’ role is vital to the effective functioning of the ERM in an organisation. To
be effective, a

The Board of Directors will delegate its function to the various committees, i.e. Audit Committee,
nomination committee and governance committee. Based on the Committee of Sponsoring
Organizations of Treadway Commission (COSO), a Board of Directors can perform its oversight
roles by:

• Knowing the extent to which management has established effective ERM in the organisation.
• Being aware of the organisation’s risk appetite.
• Reviewing the organisation’s risk portfolio to match its risk appetite.
• Being apprised of the most significant risks and management’s response to them.

Management
An organisation's management team comprises the chief executive officer (CEO) and senior
managers. General management is responsible for managing the organisation's overall activities.
The CEO sets the tone at the top and must ensure that activities conducted are within the
organisation’s risk appetite through proper risk management procedures. Senior managers must
provide necessary information to risk officers to enable them to effectively identify and assess
the significant risks faced by the organisation.

Risk Officers
A risk officer is a senior member of management who coordinates and facilitates risk management.
The risk officer works with other managers to establish a risk management plan in their
respective areas of responsibility. A risk officer has the following responsibilities as outlined by
COSO:

• Establishing risk management policies
• Framing authority and accountability
• Promoting competency in risk

Role of Internal Auditor in Risk Management

The internal auditor is responsible for evaluating the effectiveness of risk management processes
and contributing to their improvement. The internal audit activity may gather information to
support this assessment during multiple engagements. When viewed together, the results of
these engagements provide an understanding of the organisation’s risk management processes
and their effectiveness. Risk management processes are monitored through ongoing
management activities, separate evaluations, or both.

The internal audit activity must evaluate risk exposures relating to the organisation’s governance,
operations, and information systems regarding the:

• Achievement of the organisation’s strategic objectives
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations and programs
• Safeguarding of assets
• Compliance with laws, regulations, policies, procedures, and contracts

Roles of internal auditors concerning risk management include:

• Giving assurance on risk management processes
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks
• Facilitating identification and evaluation of risks

However, the internal auditor is prohibited from exercising their roles in the following scope:

• Setting the risk appetite
• Imposing risk management processes
• Managing assurance on risks
• Taking decisions on risk responses
• Implementing risk responses on management’s behalf
• Being accountable for risk management

In essence, it is argued that internal auditors should not assume management’s role in risk
management. They should not make decisions on any aspect of risk management, including
setting the risk appetite, choosing the risk response measures, implementing the measures, or
being accountable for the process.

Division of Roles on Risk Management Between Management and Internal Auditor
Organisations must have a proper plan to anticipate and manage risk to meet objectives. Risk
management requires strategic and tactical decisions to ensure that organisations can minimise
the severity of risk events and ultimately enable the organisation to achieve its objectives. Risk
management is management’s responsibility. The Board of Directors or governors of an
organisation must oversee the establishment and execution of the organisation’s risk
management function. Management should establish a sound risk management process and
ensure the system functions effectively.

To facilitate the Board of Directors' oversight role, the internal audit assists the Board of
Directors in evaluating the effectiveness and contributing to the overall improvement of the risk
management processes established and executed by management. An organization can manage
risk in many different ways. The most widely known risk management strategy is Enterprise Risk
Management (ERM).

Evaluation of Risk Management Process by Internal Auditor

The evaluation of the risk management process involves understanding the overall maturity of
risk management practices, the established organisation’s objectives, and the risk assessment
processes, including identifying, analysing, and evaluating risks, as well as how risks are treated,
reported, and monitored in the organisation.
Figure: Steps in the internal auditor’s evaluation of the risk management process: Understanding the Current Risk Management Process; Risk Assessment Process; Risk Responses; Reporting Risk Management.

Understanding the Current Risk Management Process

In evaluating the effectiveness of the risk management processes, the internal auditors:

• must first understand the mission, vision and objectives of the organisation,
• must examine and understand the current risk management processes, in which risks
are identified, assessed, monitored, treated and reported in the organisation,
• must know the risk appetite and risk culture of the organisation,
• must consider the risk management frameworks adopted and put into practice by the
organisation, if any.

Risk Assessment Process

The risk assessment process includes identifying and analysing risks and evaluating their severity.
The severity is determined by the likelihood and impact (or consequence) of the risk.
Risk assessment should be carried out from the whole-entity perspective down to the functional and
specific transaction levels. Risk events can be either internal or external. Management must identify and
evaluate negative events and devise an action plan to eliminate or mitigate these risks.

(a) Risk identification

The internal auditors may discuss with the Board of Directors and senior management, review the
recently completed risk management assessment and related reports, or perform their own
assessment to determine whether all significant risks are being identified by management.
The auditors consider both the internal factors (organisation mission, vision, objectives, structure and
culture, infrastructure, policies and procedures, systems and processes, people and level of
competencies, etc.) and external factors (political, social, economic, cultural, environmental, legal
framework, competition, relevant trends and technological changes, etc.) or uncertainties
affecting the organisation, particularly in the context of its strategic objectives.

(b) Risk analysis and evaluation

The auditors review management’s evaluation of the extent of the identified risks that
pose threats to the organisation. The evaluations are made on two dimensions: the
likelihood (the probability of the risk) and the impact (the consequence of the risk should the event
occur). The results allow management to know the severity of the risks to their
operational, financial or compliance objectives and to consider their action
plans. One way to assess risk is to prepare a risk map. An example of a risk map is given in Figure
4.2.

Risk evaluation, which considers the cumulative effect of likelihood and impact of risks, helps
management prioritise resource allocation.
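As an added worked example (not taken from this textbook, nor from ISO 31000 or COSO), the following Python script builds the kind of risk map that Figure 4.2 refers to from a small, constructed risk register. Each risk is scored on an assumed 1 to 5 likelihood scale and 1 to 5 impact scale, severity is taken as likelihood x impact, the risks are banded and prioritised for resource allocation, and the "acceptance" (tolerate) response is flagged as permissible only when both likelihood and impact are low. The scale, the band thresholds, the `Risk` class and the sample risks are all assumptions made for the illustration.

```python
"""Risk map and prioritisation example (added illustration, not textbook code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Likelihood and impact are scored on an assumed 1-5 ordinal scale (1 = lowest).
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    ref: str          # short identifier shown on the map
    description: str
    likelihood: int   # 1..5
    impact: int       # 1..5

    def severity(self) -> int:
        # Severity combines the two dimensions; likelihood x impact is the usual
        # choice for a 5x5 heat map (an assumption here, not prescribed by ISO/COSO).
        return self.likelihood * self.impact


def band(severity: int) -> str:
    """Map a severity score to a rating band (thresholds are an assumption)."""
    if severity >= 15:
        return "High"
    if severity >= 6:
        return "Medium"
    return "Low"


def acceptance_permissible(risk: Risk) -> bool:
    """'Acceptance' is only permissible when BOTH likelihood and impact are low.
    Checking each dimension separately matters: a rare but severe event can
    score a low product and still must not simply be tolerated."""
    return risk.likelihood <= 2 and risk.impact <= 2


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest severity first; ties broken by impact, so a consequence-heavy
    risk outranks an equally scored likelihood-heavy one."""
    return sorted(register, key=lambda r: (r.severity(), r.impact), reverse=True)


def risk_map(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Place each risk on the (likelihood, impact) grid; returns cell -> refs."""
    grid: Dict[Tuple[int, int], List[str]] = {(l, i): [] for l in SCALE for i in SCALE}
    for r in register:
        if r.likelihood not in SCALE or r.impact not in SCALE:
            raise ValueError(f"{r.ref}: scores must be within {SCALE.start}-{SCALE.stop - 1}")
        grid[(r.likelihood, r.impact)].append(r.ref)
    return grid


def render_map(grid: Dict[Tuple[int, int], List[str]]) -> str:
    """Text rendering: impact on the vertical axis (top = 5), likelihood across."""
    lines = []
    for impact in reversed(SCALE):
        cells = [",".join(grid[(l, impact)]) or "." for l in SCALE]
        lines.append(f"I{impact} | " + " | ".join(f"{c:>6}" for c in cells))
    lines.append("     " + "   ".join(f"L{l:>5}" for l in SCALE))
    return "\n".join(lines)


# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("R1", "Obsolete ERP version no longer receiving vendor patches", 4, 4),
    Risk("R2", "Theft of stock by warehouse staff", 3, 2),
    Risk("R3", "Contract penalty for late delivery", 2, 5),
    Risk("R4", "Minor exchange-rate movement on a small FX exposure", 2, 1),
    Risk("R5", "Loss of a sole-source key supplier", 1, 5),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.ref} severity={r.severity():>2} band={band(r.severity()):6} "
              f"accept_ok={acceptance_permissible(r)}  {r.description}")
    print(render_map(risk_map(REGISTER)))
```

Note what happens to R5: a low-likelihood, high-impact risk lands in the Low band by its score alone, yet `acceptance_permissible` rejects it because the impact dimension is high. That is the point the acceptance rule makes: the product of the two dimensions is useful for ranking, but the decision to tolerate a risk must look at each dimension.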

Risk Response
The internal audit activity assesses management’s responses, actions, or plans for addressing the
risks assessed to ensure all identified risks have been adequately mitigated. The auditor should
alert management to new risks that have not been identified or have been neglected.

Generally, there are four types of responses: avoidance (terminate), reduction (treat), sharing
(transfer), and acceptance (tolerate), which are also known as the 4Ts in risk management
literature.

• Avoidance—an organisation withdraws from events or activities that give rise to risk.
For example, an organisation will terminate its operation in a region that has recently
been involved in war or has new entries of strong competition, or stop producing
products that are found to have contaminated ingredients, which may be subject to
legal implications or penalties.
• Reduction—An organisation will engage in activities that can reduce the impact or
likelihood of risk. For example, the organisation may introduce new control measures,
such as tightening the approval procedures or installing CCTV, to reduce the risk of
internal theft in its warehouse.
• Sharing—An organisation shares its burden of risk with another party. Common risk-
sharing methods include purchasing insurance coverage, hedging future transactions,
or investing via partnering or joint venture.
• Acceptance—An organisation may choose to do nothing about a risk. This is only
permissible when the risk's impact and likelihood are low. In this case, the
organisation must bear the risk's impact should the event actually happen.

Reporting of Risk Management

The audit activity must assess the effectiveness of management processes in recording and
reporting risks and actions to ensure that relevant risk information, responses, and plans are
captured and communicated timely across the whole entity and that adequate controls are
executed to manage the risks.

The audit activity will communicate the results of the assurance audit on risk management
processes to the management, highlighting the gaps or weaknesses of the processes for
improvement purposes. In addition, the Chief Internal Auditor will discuss with the management
any inadequacy of risk responses that, in the opinion of the auditor, are not acceptable or not
aligned with the organisation's risk appetite.

Alternative Risk Management Frameworks

In assessing the effectiveness of risk management processes, internal auditors consider the risk
management frameworks that are available and accepted globally and use them to benchmark
and assess the maturity of risk management practices in the organisation, contributing to their
improvement.

Several risk management frameworks are available from different countries. This book will
discuss the following two frameworks.

• ISO 31000 (2018) Risk Management Guidelines
• COSO Enterprise Risk Management (ERM) Framework 2017

ISO 31000 Risk Management Guidelines (2018)

ISO 31000:2009 on Risk Management was first issued in 2009. A second edition, ISO
31000:2018(E), was issued in February 2018 to replace the first edition. The new version puts
great emphasis on value creation and protection for the organisation. It positions risk
management as a fundamental part of governance and leadership and as part of all activities
across all levels of the organisation. ISO 31000:2018 illustrates risk management as three
components: principles, framework, and processes. The standard clearly explains that the
principles of risk management must be considered when establishing the organisation’s risk
management framework and processes. The ISO model is reproduced in Figure 4.3.

(a) Principles

The main purpose of risk management is to create and protect the organisation’s value. It
improves performance, encourages innovation and supports the achievement of objectives.

Figure 4.3 ISO 31000:2018(E) Risk Management Guidelines

(i) Integrated - Risk management is an integral part of organisational activity. In other
words, it should not be treated as an isolated or stand-alone activity. It should be
embedded at all levels of the organisation, including strategy setting, planning for
execution, operations, and unit and functional processes.
(ii) Structured and comprehensive - A structured and comprehensive approach to risk
management contributes to consistent and comparable results. The risk management
processes should be planned and organised considering all perspectives, including the
placement of risk management, its reporting structure, its duties and
responsibilities, and the allocation of resources, to ensure a systematic, timely and
structured approach that leads to effective and efficient risk management activities.
(iii) Customised - The risk management framework and process are customised and
proportionate to the organisation’s external and internal context and to its objectives. There
is no one-size-fits-all scenario; risk management must be organised and planned in
accordance with the nature of the business, its size, the competency and culture of its stakeholders,
the organisation structure, the maturity of the existing risk management process, and
the environment and conditions in which the organisation operates.
(iv) Inclusive - Appropriate and timely involvement of stakeholders enables their knowledge,
views and perceptions to be considered. This results in improved awareness and
informed risk management. It should embrace the notion that every stakeholder’s
perspective counts. It considers the internal and external environment and changes as
well as the views of all its people and stakeholders.
(v) Dynamic - Risks are not static; they can emerge, evolve, change, reduce or disappear as
an organisation’s internal and external context changes. Risk management needs to
detect, analyse, monitor, reassess, acknowledge and respond to those changes and
events in a timely and appropriate manner. Depending on the nature of the business,
the speed of change in the risks affecting the organisation can vary in likelihood and
impact.
(vi) Best available information - Risk management relies on various information sources
such as current and historical data and information, including experience, stakeholder
feedback, observation, forecasts and expert judgement. Therefore, it should also take
into account any limitations of the data or modelling used and the possibility of
divergence among experts.
(vii) Human and cultural factors - The risk management process considers the behaviour and
culture of its people at all levels, including their attitudes, character, knowledge and
perception of risks.
(viii) Continual improvement - Risk management is a progressive process which builds on
the existing processes, seeking to achieve incremental improvement over an adequate
period depending on the maturity level and resources of the organisation.

(b) Framework

Leadership and commitment are fundamental in determining the success of any risk framework.
Risk management should be integrated into the governance of the organisation and must gain
support from all stakeholders, particularly the Board of Directors and top management.

(i) Integration—Risk management must be inclusive, comprehensive, integrated, and
customised. It is important to understand the organisation’s mission, vision,
objectives, and goals, as well as its organisational structure. The risk management
activities must be tailored to ensure they operate effectively at all levels of the
organisation to achieve its objectives and ultimate purposes.
(ii) Design – When designing (or adopting with modification) the risk framework, the
organisation must consider the internal and external factors (as described in section
4.4.2 (a)), taking into account the perception and tone from the top (Board of Directors
and top management), the organisational structure including authority, duties and
accountabilities and responsibilities of the respective roles on risk management. This
would include how risks are being identified, managed, reported and monitored.
(iii) Implementation – To ensure successful implementation, the following requirements
are necessary: awareness, participation and engagement from all stakeholders
particularly the tone and involvement of the top management to allow adequate time
and resources to be allocated. Considering the four Ws (Why, What, When and Who)
and one H (How) should be constantly applied and embedded into the decision-
making processes at all levels to ensure everyone understands their roles and
accountability in identifying and managing risks relevant to the work.
(iv) Evaluation—To evaluate the effectiveness of its risk framework in accommodating the
dynamic nature of risks, the organisation must ensure that information is available to
measure the framework's performance.
(v) Improvement – The organisation must continually adapt and adjust to improve and
enhance the effectiveness of its risk framework.

(c) Process

Several processes are involved in managing risk:

(i) Communication and consultation - Communication promotes awareness,
understanding, and participation towards risk management at all levels. Consultation
involves obtaining feedback and information to facilitate decision making which
considers all relevant risks.
(ii) Scope, context, and criteria—Risk management should be customized to ensure it is
adequately and objectively driven. It must consider the organisation’s structure, size,
and nature of business, the current risk management process in place, and the
resources available and define a specific scope as well as the amount and type of risks
it may or may not take relative to the objectives.
(iii) Risk assessment – The process includes risk identification, analysis and evaluation,
which must be organised and conducted systematically, iteratively and collaboratively.
(iv) Risk treatment—The purpose of risk treatment is to select and implement options for
addressing risks. It is an iterative process of formulating, selecting, planning, and
implementing the options for treating the risks, monitoring the results, and adjusting
to ensure adequate risk treatment.

(v) Monitoring and review—Monitoring and review are part of the continual improvement
program to ensure the effectiveness of risk management processes at all levels. The
results should be incorporated into the organisation’s performance management,
measurement, and reporting activities.
(vi) Recording and reporting—The risk management process and its outcome should be
documented and reported through appropriate mechanisms to support the risk
management and decision-making processes of all levels and enhance communication
and dialogue with stakeholders.

The COSO Risk Management Framework

COSO is a well-known body that develops, updates, and publishes comprehensive frameworks.
Its mission is to improve organisations' performance and governance. Two frameworks relating
to risk management are COSO ERM 2004—Integrated Framework and the updated document
COSO ERM 2017—Integrating Strategy and Performance Framework.

The focus of COSO ERM 2014 was to help organisations protect and enhance their value. Many
organisations use it as guidance to enhance risk management processes. However, significant
new risks have emerged, and thus, the new update introduced components and supporting
principles that drive better thinking processes and practices of risk management to reflect the
importance of aligning risks to strategy and performance.

Figure 4.4 COSO 2004 ERM Framework

(a) COSO ERM 2004 – Integrated Framework

COSO illustrates ERM using a three-dimensional cube linking business objectives (at the top of
the cube) with the eight components of risk management (at the front of the cube). The cube
emphasises that risk management should be implemented on an entity-wide basis across all
business units, subsidiaries, divisions, functions, locations, and all activities within the
organisation, as shown in Figure 3.3.

(b) COSO ERM 2017 – Integrating with Strategy and Performance

COSO ERM 2017 is referred to as an updated document, and its adoption is not mandatory.
Therefore, an organisation’s management may continue utilising the original framework 2004.
However, COSO stated that it reserves the right to supersede or retire the 2004 version in future.

COSO ERM 2017 introduces a new graphic to illustrate the focus on aligning risk with strategy
and performance across all activities of the entire organisation. It also emphasises the
importance of aligning the strategy to the organisation's mission, vision and core values. With
these comprehensive considerations, organisations will improve their approach in managing
risks, whether existing or emerging risks, internal and external, to help create, preserve, sustain
and realise value of the organisation. The COSO 2017 framework is reproduced in Figure 4.5.

(Source: Reproduced with kind permission of the Association of International Certified
Professional Accountants)

Figure 4.5 COSO 2017 ERM Framework

The framework consists of five interrelated components of ERM. It illustrates their
relationship with the entity’s mission, vision, and core values and shows how these interrelated
components flow through all of the entity’s activities and processes and ultimately help to enhance the
organisation’s value.

The first and the last components (depicted by the two banded ribbons), Governance and Culture,
and Information, Communication & Reporting, are the foundation and supporting
aspects of an effective ERM. The three components in between (depicted by the three banded
ribbons), namely Strategy and Objective-Setting, Performance, and Review and Revision, represent
the common activities and processes that flow through an entity. The diagram clearly shows that
ERM is not a static but a dynamic process, and not an isolated process but one which
should be integrated with the day-to-day decision-making process from strategy
development, through business objective formulation, to implementation and performance.

Each of the components is supported by three to five principles that are important for
effective risk management. The diagram is reproduced in Figure 4.6, and the detailed
descriptions can be found in the COSO guidance on its website (www.coso.org).

Figure 4.6 Principles for COSO ERM Framework

Controls

Definition of Controls
Controls are any actions taken by management, the Board of Directors, and other parties to
manage risk and increase the likelihood that established objectives and goals will be achieved.
Management plans, organises, and directs the performance of sufficient actions to provide
reasonable assurance that objectives and goals will be achieved.

The Role of Internal Auditor in Controls

The internal audit activity must assist the organisation in maintaining effective controls by
evaluating their effectiveness and efficiency and by promoting continuous improvement. The
internal audit activity must incorporate knowledge of controls gained from consulting
engagements into its evaluation of the organisation's control processes. It must evaluate the
adequacy and effectiveness of controls in responding to risks within the organisation's
governance, operations, and information systems regarding the:

• Achievement of organisation's strategic objectives
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations and programs
• Safeguarding of assets
• Compliance to law, regulations, policies and contracts

Division of Roles on Controls between Management and Internal Auditor

It is important to understand the division of responsibilities for control between senior
management, management and the internal auditor. Senior management oversees the establishment
and execution of the control system, while management holds the responsibility for establishing,
implementing, maintaining and monitoring the systems of control within the organisation. The
internal auditor evaluates the system of controls to provide assurance on the effectiveness of the
controls set out by management. The internal auditor's evaluations do not in any way relieve
management of the responsibilities assigned to them.

Evaluating Controls by Internal Auditor

In evaluating the effectiveness and efficiency of controls, the auditor must first identify and
understand the organisation's existing key control processes used to manage the organisation's
risks. Controls are considered effective when they help to mitigate the risks and ultimately
improve the chances of achieving the organisation's objectives and goals. Controls are considered
efficient when the benefits derived exceed the costs of implementing the controls.

A common tool used by an internal auditor to evaluate controls is the risk and control matrix. An
example is given in Figure 4.7.

RISK AND CONTROL MATRIX

Columns: Task/Activity; Risks; Risk Assessment (Likelihood, Impact); Risk Rating; Control
Measures; Result of Test; Adequacy of Control (Y/N)

Task/Activity: Procurement for renovation project
Risks: Not obtaining the right price and/or quality, or price rigging
Risk assessment: Likelihood – Possible; Impact – Moderate
Risk rating: Medium
Control measures:
• Three quotations to be obtained for comparison
Result of test:
• Final price substantially higher than market price
• Common shareholders noted among vendors submitted for quotations
Adequacy of control (Y/N): N – new control procedures required, e.g. tender committee and
procedures to be set up

Task/Activity: Payment to vendors <RM20,000
Risks: Unauthorised/favouritism advance payment
Risk assessment: Likelihood – Likely; Impact – Moderate
Risk rating: High
Control measures:
• Payment according to terms given by suppliers
• Accounts payable reconciliation done
• All payments submitted with supporting documents attached
• Approval with accountant's signature
Result of test:
• Five out of 20 deviations noted: early payment to certain suppliers
• No deviation: all come with supporting documents
• Accounts payable not reconciled but payment made
Adequacy of control (Y/N): N
• Payment based on terms to be set in system
• Exceptions to be approved by Chief Operating Officer

Task/Activity: Payment to vendors >RM100,000
Risks: Payment to unauthorised party
Risk assessment: Likelihood – Unlikely; Impact – Major
Risk rating: High
Control measures:
• Payment requires three signatories (Procurement Manager, Accountant & Chief Operating Officer)
• All payments submitted with supporting documents attached
• Reconciliation to monthly statement
Result of test: No deviation noted
Adequacy of control (Y/N): Y

Task/Activity: Petty cash handling
Risks: Loss due to theft / double / fictitious claims
Risk assessment: Likelihood – Possible; Impact – Minor
Risk rating: Low
Control measures:
• Maximum claim amount RM100
• Recording of transaction in petty cash book
• All payments are supported with receipts and invoices
Result of test: No deviation noted
Adequacy of control (Y/N): Y

Figure 4.7 Risk and Control Matrix

Reporting and Communication by Internal Auditor

The internal auditor communicates and disseminates the results of its evaluation of controls
to the parties at the appropriate management level. The evaluation results include whether
controls are operating as intended, the significance and pervasiveness of the weaknesses, and the
root causes. In addition, internal auditors discuss and provide recommendations for
corrective actions, improvements to current procedures, or new procedures that are required.

Management will be responsible for ensuring that corrective actions are taken on time to improve
the control weaknesses identified in the internal audit report.

Types of Controls
Controls can be classified as soft or hard. Hard controls are formal and tangible and can be
measured and evaluated easily. Examples of hard controls include budgets, written approval, and
segregation of duties. Soft controls, on the other hand, are informal, intangible, and subjective,
such as an organisation’s ethical climate, integrity, and corporate culture. Both are important in
an effective internal control system.

Generally, controls can be either reactive or proactive. Proactive control focuses on avoiding or
preventing an unwanted event, while reactive control is a measure or response after an unwanted
event.

The four main types of controls are:

a) Detective controls (reactive) are designed to detect undesirable events such as errors,
irregularities or fraudulent activities when they occur. Detective controls include a smoke
detector, which detects if fire incidents occur, a review of a computer-generated exception
report, a review of budget versus actual performance, etc.
b) Corrective controls (reactive) are designed to correct undesirable events such as errors,
irregularities or fraudulent activities once detected. It is, therefore, an after-event control
activity and thus not ideal nor economical. However, it is important to help improve the
situation or to prevent the future occurrence of undesirable events. Examples of
corrective controls are system recovery after a server has crashed, a remote site disaster
recovery of data after a fire incident which burnt down the main server at the head office,
etc.
c) Preventive controls (proactive) are the ideal control activities designed to prevent
undesirable events such as unnecessary errors, irregularities, or fraud. Good examples of
preventive controls are the installation of an alarm system, centralised video surveillance
and monitoring, automatic or system-built-in authorisation or dual authorisation to
approve a high-value transaction, etc.
d) Directive controls (proactive) are controls that encourage a desirable event to occur. They
can be classified as part of preventive controls. Examples of directive controls are training,
guidelines and incentives.

Other types of controls include:

a) Compensating controls (reactive) are controls that work as an additional control mechanism
should an expected control fail. They may be grouped under detective controls. An example
of a compensating control is a supervisory review.
b) Mitigating controls (reactive) are designed or set up to reduce any potential negative
impact if an undesirable event occurs. They may be classified under corrective controls.
An example of a mitigating control is insurance.

Alternative Control Frameworks

Several control frameworks have been established around the world, which include:

1) the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which
is widely used in the United States and across the world,
2) the Guidance on Control (CoCo) in Canada,
3) the Control Self Assessment (CSA) in the United States,
4) the Cadbury Report of the Committee on the Financial Aspects of Corporate Governance
in the United Kingdom,
5) the Turnbull Model in the United Kingdom,
6) the King Model in South Africa and
7) the KonTraG Model in Germany.

Globally, only three internal control frameworks are recognised: the COSO Internal
Control – Integrated Framework, the CoCo Framework (Guidance on Control) and the Turnbull
Report (Internal Control: Revised Guide for Directors on the Combined Code). In general, these
three frameworks have similar objectives for internal control, such as effectiveness and
efficiency of operations, reliability of reporting and compliance, and similar components of
internal control. Table 3.1 delineates the three frameworks based on the specific terms used in
each one.

Table 3.1 Recognised Internal Control Frameworks

COSO Integrated Internal Control Framework

COSO stands for the 'Committee of Sponsoring Organizations of the Treadway Commission', a
private commission chartered to research and report on improving the quality of financial
reporting through business ethics, effective internal controls and corporate governance. The
sponsoring organisations of COSO are the American Institute of Certified Public Accountants, the
Institute of Internal Auditors, Financial Executives International, the Institute of Management
Accountants and the American Accounting Association. The initial COSO framework (often
called COSO I) was described in a document from 1992: Internal Control – An Integrated
Framework. In 1994 it was republished with minor amendments. This report presented a
common definition of internal control and provided a unified approach for the evaluation of
internal control systems. Since the SEC (U.S. Securities and Exchange Commission) later
specifically mentioned the COSO Internal Control – Integrated Framework as an appropriate
framework for the management of internal controls, many companies across the world have
chosen to employ this framework.

In 2006, COSO published the Internal Control Over Financial Reporting Guidance for Smaller
Public Companies (COSO’s 2006 Guidance), which further developed the understanding of how
all five internal control components work cohesively to form an effective internal control system.
Although targeted at smaller public companies’ reporting on internal control over financial
reporting, COSO’s 2006 Guidance contains information that should be helpful to all
organisations, regardless of size.

In 2013, COSO updated its original 1992 Internal Control – Integrated Framework. The update
took into consideration changes in the business and operating environment. Based on
the COSO (2013) framework, internal control is defined as a process, effected by an entity's
Board of Directors, management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations, reporting and compliance. It is
achieved by applying the 17 principles associated with the five components, namely control
environment, risk assessment, control activities, information and communication, and
monitoring activities, across the entire organisation (i.e. entity, division, operating unit and
functional level). These three dimensions (objectives, components and organisational structure)
are depicted in a cube format as shown in Figure 3.7.

Figure 3.7 COSO Integrated Internal Control Framework (2013)

Categories of Control Objectives

Operations: Effectiveness and efficiency of operations. Operational objectives are directly related
to the basic mission and vision of an organisation. The focus of operational objectives is to
improve financial performance, productivity, quality, employee and customer satisfaction, as well
as the business processes.

Reporting: Reliability of financial reporting. The reporting objectives relate to the
generation of reports for internal and external consumption. External reports are generated to
fulfil the needs of various stakeholders and are generally driven by regulation and standards set
by regulators and standard-setting bodies. Internal reports are produced by organisations to
facilitate decision-making by various parties within the organisation. These reports,
which can be financial or non-financial, need to be reliable for them to be useful to the parties
involved.

Compliance: Compliance with applicable laws and regulations. An organisation operates not in
isolation but within a society with specified laws and regulations. As such, an organisation must
make sure that every aspect of its operations complies with these laws and regulations.

Components of Internal Controls

Based on the COSO internal control framework, there are five components of internal control,
which are:

• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

(Figure: the five components of internal control arranged in a cycle)

Control Environment
Control environment is the structure, culture and processes that surround the internal control
implementation in the organisation. Control environment encompasses the Board of Directors
and management’s attitude and action on the importance of control in the organisation. Control
environment ensures that the internal control system is working as intended. The five principles
articulated under control environment are:

Principles underlying control environment

1. A commitment to integrity and ethical values
2. The Board of Directors has an oversight function and is independent of management
3. Management establishes structures, clear assignment of authority and responsibility
4. The organisation is committed to hiring competent individuals
5. Every individual is held accountable for the internal control assigned

Integrity and ethical values set by the Board of Directors and senior management can create
control consciousness among employees. The ‘tone at the top’ with respect to adherence to
control is an important element in ensuring that everyone else in the organisation complies with
control policies and procedures. The control environment helps create a conducive climate for
effective controls in the organisation and serves as a foundation for all the other components of
internal control.

Sound integrity and ethical values are critical to internal control effectiveness. These are achieved
by establishing a clear code of conduct for the whole organisation. The Board of Directors and
Audit Committee play a vital role in ensuring all employees abide by the organisation's code of
conduct. All employees must have the needed competencies to carry out their respective
functions, with the level of authority and accountability being clearly delineated among them.
The human resource function must demonstrate consistent commitment towards upholding
integrity and ethical behaviour among employees. A clear organisational structure can
strengthen internal control by defining the reporting and accountability lines for employees.

Risk Assessment
Risk assessment is the process of identifying and analysing risks to allow the entity to consider
how risk events, if they occur, will affect the achievement of its objectives. Risk assessment
should be done across the whole entity, from the entity level down to the function level and to
the level of specific transactions. Risks are assessed based on the likelihood of them occurring
and the impact they will have on the achievement of objectives. The results of the assessment
allow management to know the severity of the risks to their operational, financial or compliance
objectives. The four principles articulated under risk assessment are:

Principles underlying risk assessment

1. The organisation has clear objectives to identify and assess risk
2. The organisation identifies risk across the entity and analyses risk as a basis to determine
how the risk should be managed
3. The organisation considers the potential for fraud when assessing risk
4. The organisation identifies and assesses changes that could significantly impact the
system of internal control

Control Activities
Control is defined as actions taken by management, the Board of Directors, and other parties to
manage risk and increase the likelihood that established objectives and goals will be achieved.
Management plans, organises, and directs the performance of sufficient actions to provide
reasonable assurance that objectives and goals will be achieved. Control activities occur at all
levels across the organisation: entity-wide, business unit, functional process level, and
specific transactions. The three principles articulated under control activities are:

Principles underlying control activities

1. The organisation has selected and developed the control activities addressing the risks
identified
2. The organisation has selected and developed the general controls over technology
3. The organisation has deployed the control activities via policies and procedures

Examples of general types of controls are as follows:

o Any policies and procedures that ensure management's plans are carried out as
intended across all levels, functions and transactions within the organisation
o Control activities include approvals, authorisations, verifications, reconciliations,
reviews of operating performance, security of assets and segregation of duties
o Control activities cover controls over IT infrastructure, system access and software
security
o Controls cover physical controls such as access to buildings or premises, e.g. door
access systems, alarms, CCTV surveillance systems, fire alarms, etc.
o Controls also include legal advice, contracts and agreements, and terms and conditions
protecting the interests of the organisation

Control Deficiency
COSO defines internal control deficiency as “a condition within an internal control system
worthy of attention”. A control measure is considered deficient if it does not serve its purpose,
which is to eliminate or mitigate risk. For example, a fire exit is not a good control measure if the
exit is blocked with unused furniture, which will prevent employees from using it during a fire.

(Source: Reproduced with kind permission of the Association of International Certified Professional Accountants)

Figure 3.8 Effects of Control Activities on Risk

Entity-wide controls
Entity-wide controls are controls that apply across units, functions, and locations within an
organisation. These controls can be grouped into two types: governance and management
oversight. Governance controls include the ‘tone at the top’, the organisational climate, and
management philosophy that support an organisation’s strategic objectives. Management
oversight controls are important to ensure that business risks faced by different business units
within an organisation are properly managed.

Business process controls
Organisations rely on different functions to achieve their objectives. These functions carry
operational risks which, if unattended, could ultimately prevent the organisation from
achieving its objectives. So, controls are established to eliminate or mitigate these risks. These
controls comprise formal policies and procedures. Policies are broad statements
setting out principles, rules and guidelines, while procedures are specific activities to be carried
out. Each function of the organisation must have specific policies and procedures that enable
the function to serve the organisation effectively. Process-level controls include performance
evaluation, reconciliation of accounts and physical inventory counts.

Transaction level controls

Transaction controls relate to each business activity that is carried out within the organisation.
Examples of these activities include making cheque payments to suppliers or receiving goods from
suppliers. Categories of transaction control activities include the following:

1. Adequate separation of duties
2. Proper authorisation of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

Information and Communication

Information allows businesses to make informed decisions. With modern information technology,
information can come from internal or external sources and in many forms. In terms of risk
management controls, the organisation must generate useful, relevant and quality information
to support the functions of internal control, including identifying, assessing and responding to
risks.

Communication enables the dissemination of information both internally and externally, so that
everyone in the organisation knows what is expected of them with regard to internal control
activities. The three principles related to information and communication are:

Principles underlying information and communication

1. Information to support the functioning of internal control must be relevant and of high
quality.
2. All relevant information including objectives and responsibilities of internal controls are
communicated internally to enable the functioning of internal control.
3. The organisation should also communicate with external parties regarding matters related
to internal control.

The quality of system-generated information affects management’s decision. The quality of
information includes aspects of appropriateness, timing, accuracy and accessibility of
information. Communication must also take place in order for individuals within the
organisation to know what is expected of them so that control can be implemented correctly.

In summary, the process of information and communication is as follows:

• All employees must receive a clear message from top management to take control
activities seriously.
• The information employees need to carry out their functions effectively must be
identified, captured, and communicated to them in a timely manner.
• Access to internal (operational, financial and compliance) reports must be provided
to employees to perform their tasks.
• External communication with customers, suppliers, regulators, investors and
shareholders must be part of the framework.
• Effective channels for employees to communicate their findings to management and the
Board of Directors must be established.

Monitoring Activities
Monitoring is a process that assesses the presence and function of controls over time. It can be
done on an ongoing basis, on a separate evaluation basis, or a combination of the two. Ongoing
monitoring occurs during the normal course of operation, while a separate evaluation occurs
based on management’s evaluation of the current state of controls.

An organisation should establish a sound system to ascertain the presence and effectiveness of
the five components (control environment, risk assessment, control activities, information and
communication and monitoring activities) of internal controls, including controls over the
principles of each component. Any deficiencies should be communicated in a timely manner that
warrants immediate action by management. Senior management and the Board of Directors
should be informed of any serious matter discovered during the process. Monitoring could be
done on an ongoing basis, separately or as a combination of ongoing and separate exercises to
capture the essence of internal controls comprehensively. The two principles relating to
monitoring activities are:

Principles underlying monitoring activities

1. The monitoring process is carried out to ascertain whether the components of internal
control are present and functioning.
2. The organisation evaluates and reports on internal controls deficiencies in a timely
manner to those responsible to take corrective actions, including senior management and
the Board of Directors for serious matters.

According to the COSO report, the effectiveness of an internal control system changes over time.
Once-effective procedures can become less effective in later years. Monitoring ensures that the
internal control continues to operate effectively. Monitoring can be done in two ways: through
ongoing activities or separate evaluations. An internal control system is usually structured to
self-monitor on an ongoing basis. The greater the effectiveness of ongoing monitoring
activities, the lesser the need for separate evaluation.

Ongoing Monitoring
The purpose of ongoing monitoring is to identify any weaknesses, flaws, or deficiencies in an
internal control system immediately and carry out rectifying procedures without delay. Some
monitoring is built into operations through automation. The focus of these monitoring
procedures is on identifying deviations or exceptions from the norm. Ongoing monitoring should
also provide continual feedback on controls that can trigger investigations.

Separate Evaluations
Separate evaluations are normally carried out periodically to identify weaknesses in the internal
control system. A separate monitoring exercise normally relies on human intervention that can
provide a fresh look at all the other components of internal control. An example of monitoring
that is classified as a separate evaluation is the internal audit activity. The evaluations rely on
observations, inquiries, reviews and other examination techniques. Separate evaluation
monitoring may also be needed to cater to specific needs of an organisation in case of business
expansion or in a high priority risk area.

In summary, monitoring consists of the following points:

• Internal control systems need to be monitored over time
• Combination of ongoing and separate evaluations of the internal control systems
must be conducted by management
• Management and supervisory activities are required to be evaluated and monitored
on an ongoing basis
• Auditing the internal control systems needs to be done by management to ensure that
the internal controls are functioning as expected

Limitations of Controls
Controls bring many benefits, but they provide reasonable, not absolute, assurance that the
organisation will achieve its objectives. External factors beyond the organisation's control, such
as geopolitical risks, natural disasters, or epidemic diseases, can affect the organisation's results.
The factors that limit the benefits of controls are:

• Judgement errors and management overrides could result in a well-designed control
system not functioning as intended
• Collusion between two or more parties may circumvent the basic controls set out
under the segregation of duties
• Excessive reliance on controls may deter people's creativity or flexibility
• Some controls may be obsolete or become redundant due to changes in business
objectives, structures, technologies or environment, which could lead to employee
demoralisation
• Lack of understanding of risk priorities causing inefficiency, or the cost of implementing
controls outweighing the benefits


Self-Review Questions
1. Explain the components of the COSO Enterprise Risk Management 2017 framework and
compare them to the ISO 31000:2018 risk management — Principles and Guidelines.
2. How does an organisation assess risk? Give specific examples based on an organisation
which operates in the retail industry.
3. Describe the importance of internal controls to an organisation.
4. Explain how a control environment can affect an internal auditor’s work.

References
International Professional Practices Framework (IPPF) and the Standards of the Institute of
Internal Auditors.

The International Organisation for Standardisation – ISO 31000:2018(E).

Committee of Sponsoring Organisations of the Treadway Commission. USA.
(a) COSO Enterprise Risk Management (2017) – Integrating Risk with Strategy and
Performance.
(b) COSO Enterprise Risk Management (2004) – Integrated Framework.
(c) COSO (2013). Internal Control – Integrated Framework.

Epstein, M. J., & Rejc, A. (2005). Evaluating performance in information technology.
Management accounting guideline. Hamilton: The Society of Management Accountants of
Canada.

Reding, K. F., Sobel, P. J., Anderson, U. L., Head, M. J., Ramamoorti, S., Salamasick, M. and
Riddle, C. (2013). Internal Auditing – Assurance and Advisory Services. 3rd Edition. The
Institute of Internal Auditors Research Foundation, Florida, USA.

Chapter 5: Managing the Internal Audit Function

After going through this chapter, you should be able to:

• Understand the importance of managing the internal audit function
• Identify areas that affect the internal audit function
• Comprehend the issues in managing internal audit conflicts
• Understand the different ways of outsourcing the internal audit function

Introduction
This chapter discusses the importance of managing the internal audit function as a component of
the organisation. It is divided into three main topics: staffing, managing internal audit
conflicts, and outsourcing. These are important and necessary for ensuring that the internal
audit function operates effectively and efficiently and adds value to the organisation. Failure to
manage this function properly will significantly affect the organisation's operations.

Internal Audit Charter

A competent and skilled department is adequately staffed. It is not easy to determine the ideal
number of staff required as the right size involves considering a wide range of elements. These
elements include staffing strategies, understanding customer needs, adding value, addressing
risks, and using audit tools. It is important that a chief audit executive (CAE) review staffing
needs regularly to ensure that adequate staff members are available to discharge the internal
audit function effectively, both in terms of numbers and expertise. Inadequate staffing can lead
to a failure to provide high-quality internal auditing.

Staffing in Internal Audit Department

The CAE is responsible for ensuring the department is efficiently and effectively managed.
Internal audit staff must ensure that they conform to the definition of internal auditing and the
Standards. Any problems relating to staff should be dealt with professionally. The CAE is also
responsible for ensuring that the internal audit staff assigned to a particular audit activity
optimise the achievement of the approved plan. When deciding on the appropriate staffing of the
internal audit department, the CAE must justify the decision to the Audit Committee and the
Board of Directors.

An internal audit department should comprise professional individuals with knowledge, skills,
and other competencies. These attributes will enable internal auditors to perform their
professional responsibilities effectively. Hence, the CAE must consider the necessary attributes
of knowledge, ability, and character when deciding who is to be assigned to the internal audit
team. Another important attribute that has to be considered is the value-added attribute to the
organisation.

Internal auditors' proficiency can be demonstrated through their professional certifications and
qualifications. They should strive for improvement and enhancement so that they can keep
abreast of the demands of the organisation and the profession. Continuing professional
education and development should be on the internal audit department’s agenda.

Body of Knowledge and Character

It is ideal when the CAE can employ experienced staff, as this can eliminate much of the overhead
cost incurred in supervision, training, and working paper reviews. This is based on the view that
internal audit must operate as a business that adds value and is responsive, rather than being an
expensive cost to the customer or becoming an outsourcing target.

The knowledge and skills that internal auditors should possess include:

• Proficiency in applying internal auditing standards, procedures and techniques to
perform effective and efficient internal audits. This is where internal auditors should be
able to apply their knowledge to the audit situations and deal with them without having
to resort to detailed research and assistance.
• Adequate knowledge of accounting principles and techniques, management principles,
as well as fundamentals of law, economics, taxation, finance and other related subject
matters.

Nowadays, internal auditors face numerous demands and challenges when performing their
activities. The ever-changing environment they encounter during assignments calls for the ability
to react quickly to problems, new organizational objectives, and management viewpoints. They
should also be diligent and persevering when dealing with difficult problems.

Another critical trait of internal auditors is the ability to communicate effectively, both orally and
in writing, such as expressing their professional opinions on factual needs.

The IIA Common Body of Knowledge (CBOK) suggests the following guidelines to assist the CAE:

• Consider the overall current and anticipated workload, evaluate audit projects, and base
strategies according to risk priority rather than available resources. Internal auditors
should focus on risk areas that pose the greatest threat to the organisation.
• Maintain good relationships with governance parties, especially the Audit Committee and
executive management, by informing them about the internal auditors’ capabilities and
the emerging trends affecting the profession. The internal auditors’ audit plan should
address the governance parties’ concerns so that their perceptions on the internal
auditors will change from assuring financial and compliance controls to other challenging
issues, namely, risk assessment, e-commerce and environmental assessment.
• Evaluate the internal audit processes and continuously improve performance. The CAEs
should assess the audit teams’ recent workflow trends and update the staffing strategy
accordingly. Delays in responding to staffing needs might negatively affect the internal
audit activity and the organisation.

Internal auditors need to acquire the appropriate skills, have the right aptitude, relevant
experience, and be passionate about the profession to ensure the effectiveness of the function.
The benefit element should always be considered when developing the staffing strategies. Proper
training and evaluation will boost the performance of the internal auditors and thus fulfil the
expectations of the Audit Committee and executive management.

Selecting Internal Auditors

The CAE should design an appropriate process for hiring, normally through testing and
interviewing, to ensure that only candidates with the appropriate qualifications and experience
are selected. Screening the prospective candidates’ backgrounds and references should be
undertaken. Potential candidates must sit for a test, and the test results will be used to shortlist
the candidates to be interviewed. The interview session should be conducted positively to ensure
that information about the candidates can be obtained, and candidates can respond comfortably.
Successful candidates must then attend some form of orientation and basic training conducted
by the internal audit department or the human resource department.

Internal Audit Hierarchy

The internal audit department should comprise professionals with relevant and related
qualifications (e.g., possessing the Certified Internal Auditing (CIA) qualification and being a
member of a professional body), experience, and skills. Years of experience in the internal audit
profession would promote an internal auditor to the appropriate senior level. Figure 4.1 depicts
the normal hierarchy of an internal audit department. Figure 4.2 shows the responsibilities of
the internal audit staff.

Figure 4.1 Internal Audit Hierarchy

Position: Chief audit executive (CAE)
Responsibilities: The CAE is fully responsible for the internal audit function, including
examining and evaluating the adequacy and effectiveness of the organisation's risk
management, internal controls, and corporate governance process.

Position: Audit manager (AM)
Responsibilities: The AM is responsible for planning and coordinating the audit assignments.
He reports directly to the CAE on matters pertaining to the audit assignments, such as
information technology, special projects, delivery networks, and other assignments for a large
multinational organisation.

Position: Audit supervisor (AS)
Responsibilities: The AS is responsible for ensuring that designated audit teams conduct audits
according to planned schedules and man-hours. Duties involve reviewing working papers,
coordinating, and preparing reports. The AS may come from diverse backgrounds, such as
accounting, systems and information technology, valuation, engineering, and others; they can
be assigned to various financial and operational activities.

Position: Team leader (TL)
Responsibilities: The TL is responsible for field audits under the direction of the AS. Duties
include closely supervising the audits and implementing changes in the audit programmes
accordingly.

Position: Auditor
Responsibilities: The auditor is responsible for detailing the audit work of each assignment and
is supervised by the TL. This is normally the entry level into the internal audit department.

Figure 4.2 Responsibility of Internal Audit Staff

Training and Promotions

Internal auditors should undergo the necessary training to ensure continuous improvement in
internal audit performance. The purpose of the training is to enhance and upgrade internal
auditors' knowledge, skills, and competencies and keep them abreast of developments in internal
auditing.

The CAE should plan the different combinations of orientation from basic audit skills and
techniques training to more specialised training in staffing strategies. Internal auditors should
be exposed to hard skills (such as basic internal auditing skills, audit sampling, risk management,
risk analysis and control) and soft skills (such as business communication, analytical thinking,
persuasive skills, problem-solving, and managing performance).

Staff evaluation is a prerequisite and should be carried out without any bias. An evaluation
can be conducted bi-annually or annually, depending on the organisation’s staff appraisal
policies. The purpose of the evaluation is manifold, namely for promotion, salary increments
and bonus awards, and assignment allocations. The use of key performance indicators (KPIs) is
one of the evaluation procedures, where a balanced scorecard is used and can be of benefit to both
the management and internal auditors.

Responsibilities of Those Charged with Governance to the Internal Audit Function

The Board of Directors


The Board of Directors holds the ultimate responsibility for the company’s governance, risk
management, and internal controls. Besides that, the Board of Directors should set appropriate
policies for the company and seek assurance that the supporting processes and activities are
functioning effectively by establishing an Audit Committee. The Audit Committee is also
involved in overseeing the performance of the internal audit function, in addition to other
oversight activities, such as the performance of the external auditors and the integrity of the
company’s financial statements.

However, the Board of Directors continues to be responsible, among others, for ensuring that:

• There is a sound framework for governance, risk management, and internal controls.
• An internal audit function is established and appropriately positioned within the
company.
• The CAE reports directly and functionally to the Audit Committee.
• The internal audit function is independent of management and the functions which
it audits.
• A corporate disclosure policy and process are implemented to ensure that all
information disclosed to the public, including reports relating to the internal audit
function, is timely, comprehensive, and reliable.
• There are effective internal audit activities during the year. The Board of Directors
must take cognizance that the mere appointment of an internal auditor is not
sufficient to be considered as having an internal audit function.

The Audit Committee

The Audit Committee’s responsibilities in respect of the internal audit function include:

• Approving the appointment and removal of the CAE or service provider, if the internal
audit function is outsourced.
• Assessing the performance and approving the remuneration of the CAE.
• Reviewing and approving the internal audit charter. The internal audit charter may
also be presented to the Board of Directors for approval.
• Reviewing and approving the risk-based internal audit plan, internal audit budget
and resource plan.
• Reviewing the progress of the audit plan.
• Ensuring the adequacy of the scope of the audit and addressing resource and scope
limitations.
• Deliberating on internal audit reports and recommendations raised, and ensuring
that management implements the recommendations.
• Communicating reports of investigations to the Board of Directors, where
appropriate.
• Ensuring that a quality assurance and improvement programme is conducted
continuously and an independent Quality Assessment Review is conducted once
every five years.

To enable the achievement of the audit plan, the Audit Committee must be satisfied that the
internal audit function:

• Is sufficiently resourced with qualified, competent, and experienced internal auditors
and adequate infrastructure such as auditing tools, knowledge repositories and
databases.
• Has direct and unrestricted access to information, records, physical properties, and
personnel, enabling it to carry out its role and responsibilities effectively.

The Audit Committee must conduct a separate meeting with the CAE without the presence of
management at least once a year.

Management

Management’s role is to establish and maintain governance, risk management, and internal
control processes. The internal audit function evaluates the adequacy and effectiveness of these
processes and recommends improvements.

The management supports the internal audit function by:

• Inviting the CAE as an observer to management meetings and deliberations on
governance, risk management, and internal control processes.
• Providing unrestricted access to information, records, physical properties, and
personnel, including management, which are relevant to internal audit work.
• Providing input and feedback to the internal audit planning process.
• Implementing internal audit recommendations to improve the effectiveness of
governance, risk management, and internal control processes.

Attributes of an Effective Internal Audit Function

Table 4.1 lists ten attributes of an effective internal audit function. These attributes may assist
the company in accomplishing its objectives by introducing a systematic and disciplined
approach to evaluating and improving the effectiveness of governance, risk management, and
internal control processes.

Table 4.1 Attributes of an Effective Internal Audit Function

Principle 1: Demonstrates integrity
An internal auditor demonstrates integrity when:
• performing tasks honestly, diligently, and responsibly
• making appropriate disclosures when communicating with the Audit Committee,
management, and regulatory authorities, where applicable
• supporting ethical conduct of the organisation and reporting illegal or discreditable acts
• maintaining confidentiality of information acquired in the course of their work

Principle 2: Demonstrates competence and due professional care
The internal auditors should exercise due professional care by applying the care and skill
expected of a reasonably prudent and competent internal auditor.

Principle 3: Objective and free from undue influence (independent)
The Audit Committee must ensure that:
• the reporting relationships of the Head of Internal Audit and Internal Auditors do not
hinder independent judgment
• a mechanism is established to address and manage situations where there is a threat to
the independence of the Internal Auditor
• the Internal Audit Charter addresses the independence and objectivity of the Internal
Audit Function
• lastly, the Head of Internal Audit confirms the organisational independence of the
Internal Audit Function at least once a year

Principle 4: Aligns with the strategies, objectives, and risks of the organisation
The Audit Committee must ensure that the risk-based audit plan is aligned with the
organisation’s strategies, objectives, and risks, and is developed in consultation with
management.

Principle 5: Appropriately positioned and adequately resourced
The Head of Internal Audit must be positioned at a level of sufficient seniority in the
organisation to be recognised as an authoritative voice.

The Internal Audit Charter must specify the level of authority, including unrestricted access to
information, records, physical properties, and personnel, required for the Internal Audit
Function to perform engagements and to fulfil its agreed-upon objectives and responsibilities.

The Head of Internal Audit must ensure that the Internal Auditors have the mix of knowledge,
skills, and other competencies needed to perform the audit plan. The quantity of resources
needed to perform the planned audits, such as manpower, equipment, technology, and time,
must be taken into consideration.

Principle 6: Demonstrates quality and continuous improvement
The Audit Committee must ensure that the Internal Audit Function has a continuous quality
assurance and improvement programme that covers all aspects of an Internal Audit Function
and includes both internal and external assessments.

Principle 7: Communicates effectively
Communicating effectively with the Audit Committee and management is an essential
responsibility of the Head of Internal Audit. Communications must be accurate, objective,
clear, concise, constructive, complete, and timely.

Principle 8: Provides risk-based assurance
The Audit Committee must ensure that the Internal Audit Function uses a risk-based approach
to conduct assurance work. The Audit Committee must enquire if there were any areas where
management has accepted a level of risk that may be unacceptable to the organisation. The
Audit Committee must deliberate on the risk and consider further action, where warranted.

Principle 9: Insightful, proactive, and future-focused
Internal auditors should be proactive, and their evaluations should identify root causes of
issues and exceptions, offer new insights, and consider future impact.

Principle 10: Promotes organisational improvement
The Audit Committee must ensure that the Internal Audit Function assesses and makes
appropriate recommendations to improve the independent, objective assurance and consulting
function of the Internal Audit.

Conflict Management

In the internal auditor’s working environment, conflicts may arise either between internal
auditors or between internal auditors and other staff within the organisation (auditees). These
conflicts are inherent and should be dealt with professionally, as internal auditors routinely
deal with organisational conflicts that affect the internal auditors’ reputation and the efficacy of
the profession.

These conflicts can arise from anything from the simple wording of an audit report to
disagreements during negotiations with management or over the implementation of internal
auditors’ recommendations. Effective communication throughout the organisation can reduce
conflict and enhance the relationship and co-operation between internal auditors and auditees.

Conflicts within the internal audit department normally exist when:

• Internal auditors do not understand the internal audit process due to ambiguity and
uncertainty.
• Internal auditors fail to think strategically and systematically.
• There is a lack of understanding on the importance of the internal audit and the
trends and challenges facing the profession.

Not all conflicts can be resolved, as the financial costs associated with audit conflicts can be very
high. Conflicts can also have significant effects on staff morale and increase staff turnover, thus
adversely affecting the entire audit process.

Effective communication has been accepted as one way to minimise or eliminate internal audit
conflicts that are due to ambiguity. People are more receptive to situations when they are given
the relevant information rather than being kept in the dark. The CAE must communicate the
internal audit activity’s plans and resource requirements, including significant interim changes,
to senior management and to the Board of Directors for review and approval. The CAE should
also communicate the impact of resource limitations.

The CAE must establish policies and procedures to guide the internal audit activity. Well-
established and well-designed policies and procedures, together with effective communication
channels within an organisation, can help minimise or avoid conflicts. Less or no conflicts can
increase the efficiency of the internal audit function.

The CAE must periodically report to the Board of Directors and senior management on the
internal audit activity’s purpose, authority, responsibility, and performance relative to its plan.
Reporting should also include significant risk exposures and control issues, corporate
governance issues, and other matters needed or requested by senior management and the Board
of Directors. Prompt communication with those charged with governance will enhance the
internal auditors’ trust and relationship within the organisation.

Types of Conflicts
Internal auditors might encounter two types of conflict when performing their tasks: inherent
conflicts and avoidable conflicts.

Inherent Conflicts
Inherent conflicts are inherent within an organisation, such as the lack of communication in the
organisation, the Audit Committee and management's misconceptions of the audit function, and
a lack of cooperation from auditees. This type of conflict is difficult to overcome but can be
minimised through proper action by management and the organisation. These actions should be
developed and reviewed continuously by management.

Avoidable Conflicts
Avoidable conflicts exist within the internal audit department and process, for example, the
absence or lack of guidance or reference material, unclear instructions for assignments,
incomplete review of working papers, and favouritism relating to assignments. Internal auditors
can avoid these conflicts by establishing proper audit guidance and manuals, clear instructions,
directions and supervision, and less bias.

How to Deal with Conflicts?

The ability to deal with conflicts would increase internal auditors’ confidence and morale. It
improves the relationship between the internal auditors and auditees. These recommended
practices could help internal auditors reduce the likelihood of conflicts:

• Internal auditors need to develop trust. This can be done by showing a genuine intention
to assist in improving the organisation, thus ensuring co-operation. For example, internal
auditors may liaise with the production department when reviewing the high wastage of
raw materials used in production. The internal auditors will then forward recommendations
to the production manager with a view to reducing the percentage of wastage and
subsequently improving the efficiency and economics of the production department.
• Internal auditors have to be salespersons. This is true when they want to sell their “product”,
that is, recommendations for audit findings. They cannot assume that everyone will
immediately react positively to the submission of their recommendations. Internal
auditors should be able to explain the problems or issues to auditees, instead of merely
identifying problems and telling the auditees how to fix them.
• Help the auditees to understand the audit objectives. When the auditees know the
objectives and the information needed, conflict can be avoided.
• Internal auditors should be objective and factual about their findings. Different words or
phrases can affect the auditees’ value judgment. Hence, allowing the auditees to review the
findings and suggesting changes, before submission to the Board of Directors or
management, can reduce the possibility of conflicts.
• Consider the positive aspects of the conflict, because some conflicts may help an
organisation move towards its objectives. Some negative conflicts could have positive
effects on the audit process; for example, conducting a formal interview with top
management might be resented but could be considered a valuable information-gathering
technique for internal auditors.
• Compromise in situations where the auditees are more responsive to important findings
than to less important findings. Internal auditors should be firm but at the same time
fair in taking a stance over their findings.
• Internal auditors should try to appreciate and anticipate all potential sources of conflict
and consider all possible solutions to the conflicts prior to any negotiation with auditees.
Listening to what the auditees have to say is a crucial part of the whole process of
negotiations.
• Seek support from high-level management especially the Audit Committee. Internal
auditors should be able to segregate personal differences in opinion from critical control
issues or ethical questions that the Audit Committee should be informed about. This is to
ensure effective operation of the audit function.
• Internal auditors should not feel guilty or be made responsible for situations having
negative consequences as a result of the audit findings, such as auditees’ termination,
relocation or mental ailments or conditions.

Managing conflicts accordingly can move the organisation forward or make auditees miserable.
It is up to internal auditors to negotiate effectively with auditees in a harmonious manner, which
will then increase the chances that their recommended changes will be implemented timely by
the organisation. Conflicts can help internal auditors to be more receptive of the auditees and
their expectations on the value internal auditors can add to the organisation. It is thus important
for internal auditors to be proactive when dealing with conflicts instead of reactive, as this will
assist them in minimising or in fact avoiding the conflicts.

Outsourcing the Internal Audit Function

Developments in outsourcing have made a great impact on the business arena, and millions have
been spent on and budgeted for outsourced services. Irrespective of the services being outsourced,
good things have resulted from adopting this alternative. On a negative note, an uncontrolled
resort to outsourcing has caused the downfall of many large corporations, the famous Enron and
WorldCom, to name a couple. Hence, before opting for any outsourced services, careful
consideration should be made by the strategic planners (management) to ensure that the benefits
actually outweigh the costs.

Outsourcing involves the use or employment of independent parties to perform a function within
an organisation’s business activities. An external provider can be an individual or a firm
independent of an organisation and must be one who has special knowledge, skill and experience
in a particular discipline. An external provider includes, among others, accountants, actuaries,
engineers, lawyers, environmental specialists, fraud investigators and security specialists. The
internal audit activities that are outsourced usually relate to:

• areas where specialised skills and knowledge are required
• valuations of assets
• determining work-in-progress
• fraud and security investigations
• mergers and acquisitions
• risk management consultancy

It has become a new way of obtaining services without the need to invest in a large capital
investment of setting up a department to undertake those activities. Establishing and
maintaining a department can be a challenging and daunting task for a company. Effective
internal audit functions require diverse skills that many organisations find difficult to source and
retain. Significant investment is required in recruiting, training, and developing professional
internal auditors who are equipped with the latest methodology, technology, and time and
resource management. By opting to outsource, management can hire fully dedicated internal
audit professionals without the day-to-day managerial requirements that an in-house internal
audit department would require. The outsourcing arrangements take many forms, from limited
assistance to internal auditors who lack expertise to providing the entire internal audit function.

Reasons for Outsourcing

Many organisations, particularly small organisations, consider the outsourcing alternative as an
appropriate measure where internal audit resources are unavailable. A temporary or permanent
outsourcing solution may be necessary to acquire timely, professional internal audit services and
competent staff. Temporary staff shortages, the need for special skills, especially on special
projects, remote geographical business locations and additional staff to meet deadlines will
demand management to resort to outsourcing alternatives. The external provider will indirectly
perform operational and financial reviews as part of the engagement activities, thus reducing
costs for a company in terms of time and expert skills. With these reasons in mind, organisations
can make better decisions on outsourcing alternatives that would enhance and add value to the
business and internal audit function.

Outsourcing internal audit activities has several problems and risks, the major being a possible
impairment of independence. This impairment arises from the external provider’s continuous
involvement in the management functions and may eventually become an integral part of an
organisation’s internal controls.

Roles of CAE in Outsourcing

The CAE should assess the relationship of an external provider, whether financial, organisational
or personal, to ensure that independence and objectivity are maintained throughout the
engagement (Enron is a classic case of independence impairment). There are situations where
the external auditor is the external provider, and this can lead to ethical issues. A thorough
understanding of an external provider’s objectives and scope of service must be obtained to
ensure that it is adequate for an internal audit activity. All these matters need to be documented
in an engagement letter or contract. The letter or contract should also specify compliance with
the related standard.

The CAE must review the work the external provider performs and report accordingly to those
charged with governance. Any external communications of the engagement findings to third
parties should only be made with the Board of Directors’ approval. The code of confidentiality
prohibits any internal auditor from disseminating the organisation’s information to external
parties except in certain circumstances, such as by court order or public interest (whistleblowing).

Outsourcing Arrangements
There are four types of outsourcing arrangements:

Figure: Outsourcing Arrangements (full outsourcing, partial outsourcing, co-sourcing and
sub-contracting)
Full Outsourcing
Execution of a full-scope and risk-focused internal audit plan is contracted to an external
provider, usually from a professional accounting firm. An in-house contact with reporting
responsibility to the Board of Directors and Audit Committee will be appointed as a liaison with
the selected accounting firm. The oversight of and responsibility for the internal audit activity
cannot be outsourced. Full outsourcing should require the approval of the Audit Committee and
reporting to the Board of Directors or other governing body.

Partial Outsourcing
An external provider partly executes the internal audit plan on an ongoing basis. The external
provider reports to the head of the internal audit department.

Co-Sourcing
The execution of an internal audit plan is shared between an accounting firm and the
organisation. In most cases, the outsourced party handles specialised areas (e.g., computer
security auditing, special investigations, financial or operational auditing) or those that are more
cost-effective to co-source. Reporting should be made to management and the Board of Directors.

Sub-Contracting
It involves engaging an external party for a limited period to undertake a specific engagement or
a portion of an engagement. The in-house internal audit department will normally provide the
management and oversight functions.

Advantages of Outsourcing
When choosing the external provider for the outsourced internal audit activity, the CAE should
consider the merits and the limitations or risks inherent in the engagement. A careful assessment
and review of the in-house internal audit capabilities and work performed can act as a benchmark
in deciding whether outsourcing is required. In order to ensure a high return from the outsourced
activity, management must assess the long-range planning of the organisation before opting for
outsourcing as an alternative action. The final decision is normally based on cost and
performance effects. The following are some of the merits of outsourcing.

• Focus on core competencies
Outsourcing allows management to focus on core competencies instead of the day-to-day
low-payback activities that are time-consuming. The resulting improvements in staff
allocation allow businesses to afford the luxury of having access to global expertise and
cutting-edge technology. It will increase business returns and the effective management of
existing resources.

• Costs
Internal audit outsourcing helps a business to reduce its costs by converting fixed costs
of an internal audit function to variable costs. The costs of overlapping positions and
audit effort can also be reduced, thus creating more flexibility in increasing and
decreasing workload demands.

• Efficiency of the business
An external provider can also perform quality checks 24/7 while executing internal audit
activities. This continuous review enables a business process or function to be performed
without any flaws and in tune with the latest technologies.

• External audit
The knowledge obtained during an internal audit engagement can increase the efficiency
of the annual independent statutory audit in situations where the external auditor is also
the external provider; for example, knowledge of the internal control systems should reduce
the work needed to document the internal controls, assess the control risks and design tests
of controls.

• Business geographical locations
Businesses with numerous and remote locations will benefit from outsourcing as more
locations can be reviewed and improved. The coverage undertaken by an external
provider is more extensive, and the co-ordination with in-house internal audit staff will
increase accessibility to best practices or insight into alternative approaches.

• Future expectations
The existence of an external provider can be used as a training ground for future in-house
internal audit staff to gain specialised skills, especially with partial outsourcing. The
retention of knowledge for future assignments through the working papers and
information available can assist the internal audit staff in planning their assignments.

• Credibility
An external provider with a good reputation may be seen by stakeholders as carrying greater credibility than the work of in-house internal audit staff.

Limitations of Outsourcing
While the merits or benefits of outsourcing are apparent, there are a number of constraints or
limitations that reduce its effectiveness to the organisation, namely:

• The allegiance of in-house staff differs from that of an external service provider, whose motivation and loyalty to the organisation may be questioned.
• The culture of an organisation towards an external provider might limit or hinder the outsource provider from performing its assignments; it may find it difficult to access information, whether verbal or written. To overcome this, the Board of Directors must ensure that the external provider is given the required authority and assistance.

• Section 201 of the Sarbanes-Oxley Act 2002 prohibits a registered public accounting firm from providing internal audit outsourcing services to the public companies it audits, because doing so would impair the external auditor's independence. An external audit firm engaged as outsource provider therefore cannot also be the organisation's statutory auditor where this rule applies.
• Outsourcing internal audit activities requires the business to spend significant resources in the form of fees and of management time assisting the external provider. In the long term, these costs tend to become a fixed cost to the organisation.
• Lack of knowledge about the organisation will affect the performance of the outsourced
activity, as an external provider might not be well informed about the organisation’s
objectives and operations. On the other hand, the in-house internal audit staff is normally
well-informed and the competencies possessed represent a unique perspective of the
organisation.
• Internal audit department provides a training ground for future managers as they are
involved in organisation risk control and governance processes. The absence of such
department may affect management succession plans.
• The outsourcing alternative lacks long-range development that an in-house department
provides and this may limit the appreciation of internal auditing by the Board of Directors
and Audit Committee.

Quality Assurance and Improvement Program


Quality can be defined as conformance to requirements, and requirements are what the customers say they need. Quality helps to ensure customer satisfaction, investor confidence, efficient use of resources and effective corporate governance. A quality assessment therefore measures effectiveness, efficiency and any non-conformance, and looks for areas of improvement. Quality can also come from prevention, and prevention is normally the result of finding and correcting problems within the system. Opportunities for improvement can be found in any operation, process or method. It is therefore essential to gain management's attention so that non-conformance problems are prioritised and corrected and progress in the operation or system is monitored.

Quality assurance is the part of quality management focused on providing confidence that quality requirements will be fulfilled. Both customers and managers need quality assurance because they cannot oversee operations themselves. To maintain and improve the required quality, an organisation therefore needs to establish a quality assurance and improvement program (QAIP). This program must be documented and must include activities that provide the evidence needed to show that quality procedures are being followed and quality requirements are being met.

The CAE must develop and maintain a QAIP that covers all aspects of internal audit activities.
This program must be designed to enable an evaluation of internal audit activities, including
operations, processes, and methods, in conformance with the definition of internal auditing, the
Standards, and the Code of Ethics. The program should assess the efficiency and effectiveness of
an internal audit activity and identify opportunities for improvement.

Each part of the program should be designed to help the internal audit activity add value, improve the organisation's operations and provide assurance that the internal audit activity conforms to the Standards and the Code of Ethics. In addition, the program may include implementation of new internal audit policies, updates to the system for evaluating audit risk, internal audit staff training, and improvements in the administrative and monitoring systems of the internal audit function.

Purposes of a QAIP
The primary purpose of a QAIP is to provide assurance that the internal audit activity's work is performed in conformance with the Standards and that internal auditors apply the Code of Ethics. The secondary purpose of the QAIP is to provide reasonable assurance to the various stakeholders that the internal audit activity:

• is performed in accordance with its charter, which should be consistent with the Standards and the Code of Ethics;
• is carried out in an effective and efficient manner; and
• helps to identify opportunities for improvement to the organisation's operations.

Quality Assurance Methodologies

Figure: Quality Assurance Methodologies
• Internal Assessments: Ongoing Monitoring; Periodic Self-Assessments
• External Assessments: Full External Assessment; Self-Assessment with Independent External Validation

The program must include the following two methods:

1) Internal Assessments
2) External Assessments

Internal assessments are composed of rigorous, comprehensive processes, continuous supervision and testing of internal audit and consulting work, and periodic validation of conformance with the Standards and of whether internal auditors apply The IIA's Code of Ethics. External assessments, on the other hand, provide an opportunity for an independent assessor or assessment team to conclude on the internal audit activity's conformance with the Standards and on whether internal auditors apply the Code of Ethics, and to identify areas for improvement.

The difference between the two is that an external assessment requires the involvement of a qualified, independent assessor or assessment team from outside the organisation. The QAIP also includes ongoing measurement and analysis of performance metrics such as completion of the internal audit plan, cycle time, accepted recommendations and customer satisfaction.

Internal Assessments
Internal assessments consist of:

a. Ongoing monitoring:
Ongoing monitoring is conducted routinely throughout the audit process. It is an integral part of the day-to-day supervision, review and measurement of the internal audit activity. The monitoring process is incorporated into the routine policies and practices used to manage the internal audit activity and should include the processes, tools and information considered necessary to evaluate conformance with the Code of Ethics and the Standards.

The mechanisms used for ongoing monitoring include:

• Adequate engagement supervision.
• Checklists or procedures manuals.
• Feedback from audit customers and other stakeholders regarding the efficiency and
effectiveness of the internal audit team.
• Staff and engagement key performance indicators (KPIs) such as the number of certified
internal auditors and their years of experience in internal auditing.
• Other measurements that may be valuable in determining the efficiency and effectiveness
of the internal audit activity such as project budgets, timekeeping systems, audit plan
completion and budget-to-actual variance.

Assessment findings and reports should be developed to measure the quality of ongoing
performance; follow-up action should be taken to ensure appropriate improvements are
implemented.

b. Periodic self-assessments or assessments by other persons within the organisation with sufficient knowledge of internal audit practices:
This assessment is not routine; it is performed through self-assessment or by other persons within the organisation who have sufficient knowledge of internal audit practices. It can be conducted through special-purpose reviews and usually involves compliance testing.

The internal audit activity conducts periodic self-assessments to validate its continued
conformance with the Standards and Code of Ethics and to evaluate:

• The quality and supervision of work performed.
• The adequacy and appropriateness of internal audit policies and procedures.
• How the internal audit activity adds value.
• The achievement of key performance indicators.
• The degree to which stakeholder expectations are met.

To accomplish this, the individual or team conducting the self-assessment typically assesses each
standard to determine whether the internal audit activity is operating in conformance. This may
include in-depth interviews and surveys of stakeholders. The internal audit activity may perform
additional steps to support the self-assessment, such as conducting post-engagement reviews or
analysing KPIs.

The results of internal assessments and necessary action plans should be shared with appropriate
persons outside the activity, such as the Board of Directors, senior management and external
auditors.
Establishing the Performance Measurement Process
To establish effective performance measurements, the CAE should establish a measurement process that:

I. Identifies critical performance categories. Under the balanced scorecard approach, there are three main performance categories:
a. Stakeholder satisfaction: internal stakeholders (the Board of Directors/Audit Committee, top management) and external stakeholders (government bodies, regulators and external auditors).
b. Innovation and capabilities: effective use of technology, training and industry knowledge.
c. Internal audit processes: risk assessment/audit planning, planning and performing the audit engagement, and audit reporting.
II. Identifies performance strategies and measurements, based on methods that comply with the Standards or on stakeholder expectations.
III. Provides an effective ongoing performance measurement and reporting process.
IV. Establishes links to strategies and includes specific baseline and target measurements to monitor progress.

Finally, the CAE should ensure that the measures used are specific to the organisation and
appropriate for the size of its activity as well as applicable to its industry, country, national laws
and regulations and operating environment.

External Assessments
External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. The CAE must discuss with the Board of Directors:

• The form and frequency of external assessments; and
• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

Two approaches to an external quality assessment approved by the IIA for all organisations are
as follows:

a. Full external assessment
A qualified, independent external assessor or assessment team conducts the full external assessment. The team should comprise competent professionals and be led by an experienced and professional project team leader.

The scope of a full external assessment includes the following three core components:

• The level of conformance with the Standards and Code of Ethics.
• The efficiency and effectiveness of the internal audit activity.
• The extent to which the internal audit activity meets the expectations of the Board of Directors, senior management and operations management, and adds value to the organisation.

b. Self-assessment with independent external validation (SAIV)
This form of external assessment is conducted by the internal audit activity itself and then validated by a qualified, independent external assessor.

According to Standard 1312, the scope of a SAIV consists of:

• A comprehensive and fully documented self-assessment process that emulates the full
external assessment process, at least concerning evaluating the internal audit
activity’s conformance with the Standards and Code of Ethics.
• Onsite validation by a qualified, independent external assessor.
• Limited attention to other areas such as benchmarking; review, consultation, and
employment of leading practices; and interviews with senior and operation
management.

Approval from the senior management and the Board of Directors is needed in selecting the
approach to be followed by the department. Regardless of which approach is selected for the
external assessment, a qualified independent external assessor or assessment team must be
retained to complete the assessment. The CAE will consult with senior management and the
Board of Directors to select the assessor or assessment team. They must be competent in two
main areas: the professional practice of internal auditing (including current in-depth knowledge
of the IPPF), and the external quality assessment process.

Their qualifications and competencies should include:

• Certification as an internal audit professional (Certified Internal Auditor).
• Knowledge of leading internal auditing practices.
• Sufficient recent experience in internal auditing at a management level, demonstrating a working knowledge and application of the IPPF.
• Completion of the IIA's external quality assessment training.

The organisations may seek additional qualifications and competencies for assessment team
leaders and independent validators which include:

• An additional level of competence and experience gained from previous external assessment work.
• Completion of the IIA's quality assessment training course or similar training.
• CAE (or comparable senior internal audit management) experience.
• Relevant technical expertise and industry experience.

Another important consideration for external assessors that should be discussed by the CAE,
senior management, and the Board of Directors is factors related to independence and objectivity.
All team members should be free from actual, potential, or perceived conflicts of interest that
could impair objectivity.

The factors to consider regarding the independence of external assessors are:

• Individuals who perform the assessment must have no real or apparent conflict of interest arising from present or previous relationships with the organisation or its internal audit activity.
• Individuals in another department of the organisation, or in a related organisation, are not considered independent even though they are organisationally separate from the internal audit activity. A related organisation may be a parent organisation, an affiliate in the same group of entities, or an entity with regular oversight, supervision or quality assurance responsibilities over the organisation whose internal audit activity is the subject of the external assessment.
• Reciprocal peer review arrangements among three or more organisations may be structured to alleviate independence concerns; a reciprocal review between only two organisations does not pass the independence test.
• One or more independent individuals may be part of the external assessment team, or may be scheduled to participate subsequently to independently validate the work of that external assessment team.

Scope for External Quality Assessment
An external assessment should have a broad scope of coverage that includes the following elements:

• Conformance with the Code of Ethics and the Standards, plus the internal audit activity's charter, plans, policies, procedures, practices, and applicable legislative and regulatory requirements;
• Expectations of the internal audit activity expressed by the Board of Directors, senior management and operational managers;
• Integration of the internal audit activity into the organisation's governance process, including the relationships between and among the key groups involved in the process;
• Tools and techniques employed by the internal audit activity;
• The combination of knowledge, experience and discipline within the staff, including staff focus on process improvement; and
• Determination of whether the internal audit activity adds value and improves the organisation's operations.
Procedures for External Quality Assessment
Before the commencement of fieldwork, the quality review team leader should ensure that all
team members are aware of the following information:

I. Objectives of the external quality assessment:
a. Purpose of the external quality assessment;
b. Compliance with organisation policies; and
c. Suggestions for more efficient internal audit procedures.
II. Team members’ ethics and behaviour:
a. IIA’s Code of Ethics;
b. Constructive approach during the assessment process;
c. Important communications with internal audit department staff; and
d. Confidentiality statement signed by team members.
III. Initial arrangements:
a. Fieldwork and reporting schedule;
b. A questionnaire for the CAE;
c. List of documents and materials to be requested;
d. Identify personnel to be interviewed and
e. Format and structure of working papers for assessment.
IV. Distribution of work and time schedules need to include:
a. The operations of the internal audit department;
b. The purpose, the expected amount of details and how information is used to
evaluate the internal audit department;
c. A questionnaire to be answered by the CAE;
d. Tentative fieldwork schedule;
e. Tentative members in the external quality assessment team;
f. Selected internal audit clients and internal audit staff to be interviewed and
g. Workplace and computer facility for external quality assessment of team
members during the field visit.

An example of steps for the External Quality Assessment:

Table 5.1 lists some examples of questions for interviews of the internal audit staff, the CAE and
the Audit Committee/Board of Directors:

Table 5.1 Sample Questions for Interview: Internal Audit Staff Survey
(Each criterion is rated Excellent / Good / Fair / Poor / N/A)

Knowledge/Skills to perform work
1 Audit Committee's expectations
2 Senior Management's expectations
3 Understanding governance, risk management and control processes
4 Understanding the activity's mission and goals
5 Audit activity's policies and procedures
6 Overall relationship with audit clients
7 Understanding internal auditing standards
8 Knowledge of the agency's operations and processes
9 Documentation and review of systems or processes
10 Significant risk exposures and control weaknesses
11 Disclosure of conflicts and lack of independence
12 Audits conducted using a risk-based audit approach
13 Use of CAATs, analytical and trend analysis
14 Availability of audit resources to complete audit assignments
15 Overall information technology governance
16 Availability of information and access to records
17 Audit focus on improving effectiveness and efficiency of control processes
18 Quality of audit reports

Training/Experience Alternatives
19 Availability of sufficient professional training to satisfy continuing professional education requirements
20 Quality of training obtained in relation to directly enhancing professional proficiency to perform audit engagements
21 Ability to obtain professional certifications and/or participate in professional organisations
22 Encouragement for career growth

Internal Audit Organisation Practices
23 Free from operational duties that would impair independence
24 Ability to participate in audit planning and scope
25 Quality of communication and supervision

Chief Executive Officer and Audit Committee Questionnaire
(Each question is answered Yes / No, with Comments)

FCIAA/IIA Requirements
1 Does the Chief Internal Auditor report directly to you on all matters? If "No", to whom do they report and on what matters?
2 Does the Chief Internal Auditor have direct access to you whenever necessary? If not, why?
3 Do you receive copies of all Internal Audit reports and respond to them?
4 Does the Chief Internal Auditor or any of his/her staff perform any operational duties besides internal auditing?
5 Are you familiar with the general provisions of the Fiscal Control and Internal Auditing Act (FCIAA)?
6 To your knowledge, does the Internal Audit coverage comply with the FCIAA provisions?
7 Did the Auditor General's last agency compliance audit find any discrepancies in the Internal Audit program? If "Yes", describe them and state what corrective actions were taken.
8 Did the Chief Internal Auditor include your requested special areas of concern within the two-year audit plan?
9 Does the Chief Internal Auditor have access to all agency information and freedom to include all functional areas in the biennial audit plan?
10 Does the Chief Internal Auditor have the freedom to consult with outside agencies specified in the FCIAA?
11 Does the Chief Internal Auditor periodically review the internal audit charter and present it to you and the Audit Committee/Board of Directors, if applicable, for approval?
12 Does the Chief Internal Auditor periodically discuss or provide the IIA's Definition of Internal Auditing, Code of Ethics and Standards to you and the Audit Committee/Board of Directors, if applicable?
13 Does the Chief Internal Auditor confirm annually with you, and the Audit Committee/Board of Directors, if applicable, the Internal Audit Organisation's independence?

Source: State Internal Audit Advisory Board, State of Illinois (http://siaab.audits.uillinois.edu/)

Reporting on the Quality Program

A CAE must communicate the results of the quality assurance and improvement program to
senior management and the Board of Directors. The disclosure should include:

• The scope and frequency of both the internal and external assessments.
• The qualifications and independence of the assessor(s) or assessment team, including
potential conflicts of interest.
• Conclusions of assessors.
• Corrective action plans.

The form, content, and frequency of communicating the results will be determined by discussions
with senior management and the Board of Directors, taking into consideration the
responsibilities of the internal audit activity and the CAE as contained in the audit charter.
Normally, the results are communicated upon completion of each assessment, and the results of ongoing monitoring are communicated at least annually. The results normally include the assessor's or assessment team's evaluation of the degree of conformance.

The IIA provides three categories of rating on the level of conformance (Table 5.2):

• Generally conforms
• Partially conforms
• Does not conform

Table 5.2 IIA Conformity Rating

Generally conforms: The top rating, meaning that the internal audit activity has a charter, policies and processes, and that their execution and results are judged to be in conformance with the Standards.

Partially conforms: Deficiencies in practice are noted and judged to deviate from the Standards, but these deficiencies do not preclude the internal audit activity from performing its responsibilities in an acceptable manner.

Does not conform: Deficiencies in practice are judged to be so significant as to seriously impair or preclude the internal audit activity from performing adequately in all or in significant areas of its responsibilities.

Where there is non-conformance with the Standards or the Code of Ethics, the team must recommend what the internal audit activity needs to do to achieve conformance. Where the non-conformance relates only to the Implementation Guides, the team recommends improvements in the areas concerned; this type of non-conformance is considered less serious than non-conformance with the Standards or the Code of Ethics.

Advantages of a QAIP
A QAIP can be one of the most significant methodologies for improving the internal audit department, in several ways:

• Increase the quality of audit performance in meeting the expectations of various stakeholders, thus creating better recognition for internal audit activities.
• Improve the reliability of the internal audit activity as a source of information on risk, internal control and corporate governance.
• Assist the internal audit department in benchmarking its operations, activities and policies against best practices from other industries.
• Provide assurance that the internal audit department has the right reporting structure and competent staff to cope with critical issues in the organisation.
• Improve the quality of the audit activities to meet stakeholders' expectations.
• Explore possibilities for improving the operation of the internal audit department.
• Improve efficiency, resulting in cost savings for internal audit activities.
• Allow internal auditors to state in their reports that the internal audit activity "conforms with the International Standards for the Professional Practice of Internal Auditing" (ISPPIA), a statement the Standards permit only when it is supported by the results of the QAIP.
• Build stakeholders' confidence by documenting management's commitment to quality and leading practices, and gear up the internal auditors' mindset for professionalism.
• Provide evidence to the Board of Directors, management and staff that the Audit Committee and the internal audit activity are concerned with the organisation's internal controls, ethics, governance and risk management processes.

Best Approach for a QAIP
To obtain better results from a QAIP, greater commitment from management is needed, and management must demonstrate that commitment to ensure the program's success. All activities performed must be consistent with the IIA's quality standards and the Code of Ethics. An organisation should also develop policies, procedures and controls for its QAIP. As required by the Standards, a QAIP must implement both internal and external methods of assessment, and the organisation should implement the corrective actions recommended by both assessments.

Common Issues in Quality Assurance Assessment
Even though a QAIP is beneficial, the internal audit department may face an outdated charter that limits its quality assurance assessment planning and program. The CAE might also report inappropriately to the Board of Directors and Audit Committee, resulting in misinterpretation by them. Sometimes they may perceive audit staff knowledge to be inadequate, which reduces their confidence in relying on the reporting.
However, a successfully implemented QAIP can lead to the following areas of strength or "leading practices":

1. Enhanced risk assessment and audit planning, which can include management input, the introduction of a new auditing process, and internal audit brainstorming sessions.
2. Improved governance, by ensuring management's awareness of governance, risk assessment, internal audit and the value of a strong control environment, and by incorporating Enterprise Risk Management (ERM).
3. Reporting on performance to the Audit Committee, supported by the QAIP's performance measurement tools (e.g. the balanced scorecard).
4. Professional development: regular participation in professional organisations related to internal audit, including leadership positions, and employment policies concerning competencies.
5. Improved audit efficiency through an automated audit management information system, software tools and a database of audit findings.

Summary
Explain the components of the COSO Enterprise Risk Management 2017 framework and
compare them to the ISO 31000:2018 risk management — Principles and Guidelines. How does
an organisation assess risk? Give specific examples based on an organisation which operates in
the retail industry.

Self-Review Questions
1. Discuss the two types of quality assessments found in the internal audit activity that the CAE
can adopt to comply with the requirement of the Standards.
2. The external quality review team should include individuals who possess certain attributes.
List and explain the qualities required for the external reviewers.
3. Discuss the matters to be considered by all the members of the quality reviewer team before
the commencement of external quality assessment fieldwork.
4. Briefly explain the steps in the implementation of external quality assessment.
5. Discuss the benefits of a QAIP.

References
Mary Lee et al. (2004). Internal Audit Practices in Malaysia, 1st edition, Pearson Prentice Hall.

Mary Lee et al. (2008). Principles and Contemporary Issues in Internal Auditing.

The Institute of Internal Auditors (June 2005). IIA Position Paper on Resourcing Alternatives for the Internal Audit Function.

Sawyer, L. B. and Dittenhofer, M. A. The Practice of Modern Internal Auditing, 4th edition.

Johnson, G. H., Means, T. and Pullis, J. (December 1998). Managing Conflict, Internal Auditor.

Aldhizer III, G. R. and Cashell, J. D. (1996). Internal Audit Outsourcing, The CPA Journal.

Marks, N. (February 2000). How Much Is Enough? Internal Auditor.

Allen, R. D. (August 1996). Managing Internal Audit Conflicts, Internal Auditor.

Kralovetz, R. G. (October 1996). A Guide to Successful Outsourcing, Management Accounting.

IIA Research Foundation (May 2008). Staffing, CBOK of the Month.

Ahlawat, S. S. and Lowe, J. (September 2004). An Examination of Internal Auditor Objectivity: In-House versus Outsourcing, Auditing: A Journal of Practice & Theory.

Chapter 6: Internal Audit Process

After going through this chapter, you should be able to:

• Describe the overall framework for the internal auditing process
• Explain the importance of, and relationship between, strategic planning and engagement planning
• Define and explain risk-based internal audit (RBIA)
• Describe the internal audit planning process using RBIA
• Explain the step-by-step implementation of RBIA for assurance and consulting engagements

Introduction
This chapter describes the various steps necessary to conduct an internal audit engagement. The overall framework of the internal audit process is generic: it suits any type of internal audit engagement (e.g. an information technology audit, fraud audit, strategic audit, performance audit, compliance audit or financial audit) and applies across all internal audit services (assurance or consulting) provided by internal auditors or the internal audit function. The internal audit process consists of all activities related to (1) planning, (2) performing (fieldwork), (3) communicating, (4) monitoring, and (5) quality assurance.

These five interrelated processes are illustrated in the two audit models shown in Figures 6.1(a) and 6.1(b). The model adopts the risk-based internal audit (RBIA) approach throughout the whole internal audit process. Generally, the internal audit process commences with the planning stage, followed by the performing stage, the communicating (reporting) stage, the monitoring (follow-up) stage, and ends with the quality assurance stage. This chapter does not cover the quality assurance stage, which is addressed in Chapter 5. It is important to have a good overview of the overall process before looking into the detail of each stage, so that the relationship between one stage and the next is understood.
Figure 6.1(a) An Audit Model
Figure 6.1(b) An Audit Model

Framework of Internal Audit Process
Figure 6.2 depicts the overall framework of an internal audit process based on the IPPF Standards.

Figure 6.2 Overall Framework of Internal Audit Process
Strategic Audit Planning → Engagement Planning → Performing the Engagement → Evaluation and Conclusion → Communication (Reporting) → Follow-Up

Each stage shown in Figure 6.2 is discussed in detail in the subsequent sections.

Strategic Audit Planning
An internal audit function can improve an organisation's operations, add value and become a trusted advisor that assists the Board of Directors and executive management in achieving the organisation's goals and objectives. It also helps evaluate and improve the effectiveness of governance, risk management and control processes. This is achievable only if the internal audit function plans its work and activities effectively and carefully, in line with the organisation's objectives and the needs of its key stakeholders.

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation's goals. The cornerstone of successful auditing is effective planning; poor planning leads to audit failure and to the organisation's objectives not being met. The internal auditor should therefore plan the audit so that it can be performed effectively, efficiently and on time. The plan should set out the expected nature, timing and extent of the audit, and the strategies by which the internal audit function will deliver value through the assurance and consulting services that help the organisation meet its vision, mission and objectives. To ensure that all audits are performed effectively, efficiently and on time, there must be clear direction before any audit work begins, at three levels: strategic audit planning, annual audit planning and detailed planning of the individual engagement. The strategic plan is drawn up after considering factors such as the organisation's strategic plan, the internal audit function's charter, the needs of the Board of Directors and management, risks and controls, the budget, resources and the IIA Standards.

IIA issued a practical guide in July 2012, outlining the necessary steps to develop an internal
audit strategic plan. Its purpose is to provide a systematic and structured process that internal
audit functions and Audit Committees can use to ensure that audit plans remain relevant and
value-added, maintain alignment with the organisation’s objectives and make meaningful
contributions to the organisation’s overall governance, risk management and control processes.
The steps for developing the internal audit strategic plan are listed as follows:

i. Understand the Relevant Industry and the Organisation’s Objectives


First and foremost, the CAE should thoroughly understand the organisation’s objectives and its
industry (or industries). For the internal audit activity to deliver any value, it should contribute
to achieving the organisation’s strategic and operational objectives and the financial and
compliance objectives while assuring that the organisation maintains a sound ethical
environment and a sensible culture of accountability. Therefore, the internal audit activity and
function must have a rigorous knowledge and an in-depth understanding of the pertinent
industries (including the applicable regulations and laws), the changes in the external and
internal business environment, and the organisation’s objectives. To achieve this, the CAE should
refer to the organisation’s strategy formulation, goals and objectives setting and strategic
planning documents as a beginning step for achieving effective internal audit strategic planning.

As the organisation goes through change, most internal audit functions have an established
mission and vision that has developed over time and is revisited periodically. Organisational
goals, objectives and risks change rapidly, so the internal audit function must react proactively,
continuously and appropriately with planning that focuses on protecting and enhancing current
value and delivering future value to the organisation. The internal audit function’s current and
future mandate must always be aligned with the internal audit’s mission and vision so that it can
provide value-added services and proactive contributions on strategic risk for the organisation,
beyond simple and ordinary execution of the audit plan and beyond the expectations of the Board
of Directors and management.

ii. Consider the International Professional Practices Framework (IPPF)


The professionalism of internal auditors and the internal audit function is largely reflected in
their capability and rigour in implementing the IPPF. The CAE should be well versed in the IPPF
and consider its requirements and guidance when developing the internal audit strategic plan.
The values that the personnel in charge of all internal audit activities should adopt are contained
within the IPPF’s Standards and Code of Ethics (along with their organisation’s values).

iii. Understand Stakeholder Expectations


Understanding stakeholders’ expectations and needs is critical in developing the internal audit
strategic plan. Including key internal and external stakeholders (e.g., board members, senior
management, external auditors and regulators) is important. Normally, the CAE will engage
senior management, such as the chief executive officer (CEO) and the Audit Committee, when
identifying the organisation’s needs. The internal audit function must understand how, where,
and what stakeholders expect or seek to perform. The CAE should communicate directly with
each key stakeholder to understand his or her expectations for the internal audit activity, hence
enabling the internal audit function to add value to the organisation.

iv. Update the Internal Audit Vision and Mission


The strategic plan is a means by which the internal audit activity’s vision and mission are being
pursued. The CAE should develop and update the vision and mission statements based on
stakeholders’ expectations and IIA guidance. In writing these statements, it is important to
recognise that internal audit cannot be all things to all people. Therefore, it is necessary for the
CAE to make tough choices — recommending to the Board of Directors what should be pursued
and what not to pursue.

v. Define the Critical Success Factors

Identifying the critical success factors (CSFs) allows the internal audit function to select the
limited number of elements required to achieve its vision and mission. These factors provide the
internal audit function with the essential elements that all major initiatives should be vetted
against to ensure that resources are directed to the most important activities. Three questions
that may be helpful in identifying the CSFs are:

• Positioning — Is the internal audit status and activity strategically positioned in an
organisation (e.g. respected, appreciated) and supported?
• Processes — Does the internal audit activity enable an ingenious, innovative, dynamic,
efficient, and effective process for meeting the organisation’s objectives?
• People — Does the internal audit activity have the capability and right people to deliver
its mission?

The CSFs need to be carefully monitored to ensure that management gives them continuous
attention.

vi. Perform a Strengths, Weaknesses, Opportunities and Threats (SWOT) Analysis

Performing an assessment on the current and future state of the internal audit activity will help
identify what should be incorporated into a strategic plan. One technique is to perform a
strengths, weaknesses, opportunities and threats (SWOT) analysis against the vision, mission,
and critical success factors. The aim of any SWOT analysis is to identify the key internal and
external factors that are important in achieving the strategy.

vii. Identify Key Initiatives

Based on the results of the SWOT analysis, it is possible to identify and prioritise the key
initiatives that have a significant impact in achieving the internal audit activity’s critical success
factors and therefore, its vision and mission statements. For each initiative, it is valuable to
identify a timeline for implementation, the desired objectives, the performance measurements
(qualitative and quantitative), and the associated SWOT elements.

Apart from the above steps, further activities should be carried out as per Figure 6.3 below in
producing the internal audit strategic plan. The plan can be formulated for five years, three years
or any period depending on the internal audit function needs.

Figure 6.3 An Internal Audit Strategic Planning Process

Risk-Based Internal Auditing


The IIA defines RBIA as a methodology which the internal audit function uses to link internal
audit to an organisation’s overall risk management framework and processes. It also aims to
provide assurance to the Board of Directors that risks are being managed effectively, in line with
the organisation’s risk appetite. This means that the risk management processes an organisation
develops and embeds to manage risks are working effectively and efficiently and have reached a
level considered acceptable by the Board of Directors.

RBIA is a new approach at the cutting edge of internal audit practice that emphasises the
contemporary shift of internal audit from addressing past activities to managing the future. It is
an approach that is evolving rapidly, and the best way to implement it is still being refined. In
general, not all organisations are ready for RBIA, considering that each organisation is different,
with a different risk appetite, attitude to risk, risk structure, risk processes, risk framework, risk
model and risk system. Proficient internal auditors need to adapt to these differences, which are
the different levels of maturity (see Figure 6.4), practice, culture and effectiveness of their
organisational risk management process, in order to implement RBIA. If the risk management
process and framework is naive, poor or does not exist, the organisation is not ready for RBIA.
Therefore, internal auditors in such an organisation should promote good risk management
practice to improve the maturity level and effectiveness of risk management and the internal
control process. Practically, organisations that have achieved risk defined status (3rd level)
enable their internal audit function to use the RBIA approach in their internal audit process. If
RBIA is relatively new to an organisation, the CAE needs to promote the concept to the Board of
Directors and management and win their support for building effective risk management
practice.

Risk Maturity: Risk Naive
Key Characteristics: No formal approach developed for risk management
Internal Audit Approach: Promote risk management and rely on audit risk assessment

Risk Maturity: Risk Aware
Key Characteristics: Scattered silo-based approach to risk management
Internal Audit Approach: Promote enterprise-wide approach to risk management and rely on
audit risk assessment

Risk Maturity: Risk Defined
Key Characteristics: Strategy and policies in place and communicated. Risk appetite defined
Internal Audit Approach: Facilitate risk management/liaise with risk management and use
management assessment of risk where appropriate

Risk Maturity: Risk Managed
Key Characteristics: Enterprise-wide approach to risk management developed and communicated
Internal Audit Approach: Audit risk management processes and use management assessment of
risk as appropriate

Risk Maturity: Risk Enabled
Key Characteristics: Risk management and internal control fully embedded into the operations
Internal Audit Approach: Audit risk management processes and use management assessment of
risks as appropriate

(Source: Position Statement on Risk-Based Internal Audit, The Institute of Internal Auditors,
UK and Ireland)

Figure 6.4 Levels of Risk Management Maturity and the Internal Audit Approach

The implementation of RBIA is based on the assumptions that (a) audit resources are limited, (b)
auditable units are subject to different risks, and (c) auditable units have relatively different
degrees of importance. By effectively implementing RBIA, the internal audit function and the
organisation should be able to experience the following advantages:

• RBIA links the internal audit plan with the enterprise risk assessment, strategic objectives,
the Board of Directors and management expectations and management’s performance
measures and reward systems
• RBIA is a simple concept, yet it provides integration and unity, where the
recommendations made can be traced
• The organisation buys in to the audit process as it suits what the Board of Directors and
management have in mind. Auditors and managers are now speaking the same
language
• Resources needed can be justified
• The work is more challenging and interesting to internal auditors
• RBIA is more efficient, as it directs audits at the high-risk areas
• RBIA can rank recommendations to provide the greatest value added in terms of the risks
mitigated
• RBIA highlights risks which are over-controlled, to improve efficiency
• The responses to risks are effective but not excessive in managing inherent risks within
the risk appetite
• Where residual risks are not in line with the risk appetite, action is being taken to remedy
that
• Risk management processes, including the effectiveness of responses and the completion
of actions, are being monitored by management to ensure they continue to operate
effectively
• Risks, responses and actions are being properly classified and reported

Risk-Based Audit Planning


An effective internal audit function can be achieved through a well-developed audit planning
using RBIA methodology. RBIA refers to a methodology that links the overall audit process such
as planning, performing and reporting to the risk management framework of the organisation.
This methodology enables the internal audit function to address prioritised areas of the
organisation, which are aligned to its strategic objectives. Planning is the process where risk
management techniques should be embedded.

The internal audit activity’s plan of engagements must be based on a documented risk
assessment, undertaken at least annually. The input of senior management and the Board of
Directors must be considered in this process. As depicted in Figure 6.3, the CAE and the internal
audit function teams need to identify organisational objectives and assess the risk priorities
based on risk registers maintained by the management. In the absence of a risk management
function in the organisation, internal audit function may need to identify the risks with the input
from senior management and the Board of Directors. The link between risk assessment and
strategic objectives processes are described schematically in Figure 6.5.

Audit planning at the macro level (annual audit plan for the entire organisation) shows the
important links among strategic processes, risk universe processes and audit universe processes.
The risk universe is derived from risk management techniques, which use the strategic plan to
derive the elements of the audit universe. The most important of these insights is that the audit
universe contains the essential elements to support the overall business plan. Parallelism is the
key: the organisation is run through annual business plans and the internal audit function
through annual audit plans. The use of RBIA enables risk factors to derive directly from the
business process instead of the audit process. This means RBIA provides linkages between the
annual plans (audit and business plan) to ensure that the current (not past) risks are addressed
and the utmost current and future value is extracted from the internal audit process.

Figure 6.5 underscores the essential communication between strategic plans and audit universe
plans as well as operational business plans and annual audit plans. The significant outcome is
the direction of interaction and the content of that communication. The strategic planning
process drives the audit universe, and the audit universe contains the strategic elements of the
organisation.

RBIA utilises risk scenarios in developing the macro risk assessment and annual audit plans; this
process is vital in creating the ability to combine both qualitative and quantitative data in
imaginative ways. Traditionally, most audit schedules have been cyclical, including those that
claim to be risk based. This is illogical. Fortunately, RBIA offers creative ways to deal with this
problem.

Figure 6.5 Risk Assessment and Strategic Objectives

(Source: Position Statement on Risk-Based Internal Audit, The Institute of Internal Auditors,
UK and Ireland)

Engagement Planning
At the individual engagement level, the internal auditor must establish what is going to be
audited (planning), carry out the approved plan (performing), and communicate the results
accomplished (reporting). Before starting an audit engagement, planning documents must be
prepared which state the engagement objective of the audit. The planning document should
contain:

• Relevant information relating to the individual audit engagement.
• The timing and quantity of resources required for each engagement.
• Results of the reviews.
• Details of transaction testing performed; and
• Conclusions reached regarding the stated objectives of the audit engagement.

Figure 6.6 Flow Chart of Internal Auditing Planning Process Using RBIA

Internal auditors must develop and document a plan for each engagement, including the
engagement’s objectives, scope, timing, and resource allocations.

An audit engagement refers to an individual audit assignment for each of the activities included
in the annual audit plan. The activities could comprise an audit, review, fraud investigation or
consultancy, each of which requires the drawing up of an engagement plan. There are four aspects
that need to be considered when preparing a plan for the engagement:
that need to be considered when preparing a plan for the engagement:

• The objectives of the activity being reviewed and the means by which the activity controls
its performance.
• The significant risks to the activity, its objectives, resources, and operations and the
means by which the potential impact of risk is kept to an acceptable level;
• The adequacy and effectiveness of the activity’s governance, risk management, and
control processes compared to a relevant framework or model; and
• The opportunities for making significant improvements to the activity’s governance,
risk management, and control processes.

The engagement plan must also outline the timing and resource allocation for the entire audit.

Engagement Objectives and Scope


Each engagement requires clear objectives to ensure effectiveness and efficiency. The objectives
define what the engagement needs to achieve and its deliverables. Other than objectives, the
engagement plan also needs to define the scope, that is, what the engagement should or should
not cover.

In setting up the objectives, the following factors need to be taken into consideration:

• Understanding of the auditee to ensure that the engagement objectives can capture
meaningful area that can add value to auditee’s operation and ultimately enhance the
governance, risk and control of the organisation. To do so, the auditor would have to
conduct a preliminary survey in order to obtain information regarding the auditee.
Information that is gathered should include the organisational chart, policy and
procedures, process mapping and so on.
• Preliminary assessment of the risks relevant to the activity under review.
• The assessment should be aligned to the engagement objectives.
• Probability of significant errors, fraud, non-compliance and other exposures when
developing the engagement objectives.
• Criteria that can adequately evaluate governance, risk management and controls.
Internal auditors must ascertain the extent to which management and/or the Board of
Directors has established adequate criteria to determine whether objectives and goals
have been accomplished. If the criteria are adequate, internal auditors must use them in
their evaluation. If otherwise, internal auditors must work with management and/or the
Board of Directors to develop appropriate evaluation criteria.
• For consulting engagements, the objectives must address governance, risk management,
and control processes to the extent agreed upon with the client. Furthermore, consulting
engagement objectives must be consistent with the organisation’s values, strategies and
objectives.

In determining the scope, auditors must take into consideration the relevant systems, records,
personnel and physical properties, including those under the control of third parties to ensure
that the scope can adequately address the engagement objectives.

In performing consulting engagements, internal auditors must ensure that the scope of the
engagement is sufficient to address the agreed-upon objectives. If internal auditors develop
reservations about the scope during the engagement, these reservations must be discussed with
the client to determine whether to continue with the engagement. In addition, during consulting
engagements, internal auditors must address controls consistent with the engagement’s
objectives and be alert to significant control issues.

Risks and Control Assessments


Risk assessment has become an important method to guide audits, in order to develop effective
audit planning and provide strategic direction for limited resources. The internal audit activity
should assist the organisation by identifying and evaluating significant exposures to risk and
contributing to the improvement of risk management and control systems.

The auditor must perform preliminary risk assessment as well as consider and identify
probability of significant errors, fraud, non-compliance, and other exposures during the audit
planning process. The result of the assessment will influence the objectives set for the
engagement as well as the audit plan. Risks that auditors should be concerned with are those that
threaten the achievement of an auditee’s objective as a whole.

Auditors may find it very useful if auditees have their own risk management information which
auditors can use as a reference. Such information includes:

• The reliability of the management’s assessment of risk.
• The management’s process for monitoring, reporting and resolving risk and control
issues.
• The management’s reporting of events that exceeded the limits of the organisation’s
risk appetite and responses to those reports.
• Risks in related activities relevant to the activity under review.

Risk assessment involves gauging two dimensions of risks which are the likelihood of risk
occurring and the impact on the objectives if the risks occur. The level of likelihood and impact
can be set based on five or seven criteria depending on the management’s judgement. Table 6.1
illustrates the example of criteria to assess level of likelihood and impact.

Assessing risks by identifying likelihood and consequences helps internal audit to draw up the
risk scoring matrix, which combines both factors and identifies whether the risk is low, medium
or high (see Table 6.2). Further, internal audit needs to evaluate management’s plan to respond
to the risks identified. Risks need to be mitigated with an adequate control mechanism to
prevent them from occurring. However, there are certain risks that management can take and
accept at their assessed levels (tolerated risks). Risks that exceed management’s risk tolerance
threshold must be mitigated to an acceptably low level, for example by avoiding risks
(disbanding the activities that give rise to them), sharing risks (transferring some to an
insurance company) or reducing risks (implementing control activities designed to lower their
impact, likelihood or both).

Subsequent to risks assessments, internal audit needs to assess the existence and adequacy of
controls to determine whether controls can mitigate (stop) risks from occurring as shown in
Table 6.3.

Table 6.1 Example of Criteria to Assess Level of Likelihood and Impact

Table 6.2 Example of Risk Scoring Matrix

Table 6.3 Individual Controls Effectiveness Measures

RCE: Good
Guide: Nothing more to be done except review and monitor the existing controls. Controls are
well designed for the risk to address the root causes and management believes that they are
effective and reliable at all times.

RCE: Satisfactory
Guide: Most controls are designed correctly and are in place and effective. Some work needs to
be done to improve operating effectiveness, or management has doubts about operational
effectiveness and reliability.

RCE: Poor
Guide: While the design of controls may be largely correct in that they treat most of the root
causes of the risk, they are not currently very effective. Or: some of the controls do not seem to
be correctly designed in that they do not treat root causes; those that are correctly designed are
operating effectively.

RCE: Very poor
Guide: Significant control gaps. Either controls do not treat root causes or they do not operate
effectively at all.

RCE: Uncontrolled
Guide: Virtually no credible control. Management has no confidence that any degree of control is
being achieved due to poor control design and/or very limited operational effectiveness.
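The risk scoring and control assessment described above (Tables 6.1 to 6.3) can be carried through as a small model. The following is an added example written for this section, not material from the textbook or from the IIA: the five-point likelihood and impact scales, the low/medium/high banding thresholds, the residual-risk factors attached to the Table 6.3 control ratings, and the sample audit universe are all constructed assumptions, and a real internal audit function would substitute its own criteria. It scores each auditable unit (likelihood x impact), adjusts for the assessed control effectiveness to obtain a residual score, ranks the units, fills a limited annual audit budget top-down, and flags low-inherent-risk units carrying "good" controls as candidates for the over-control review that RBIA is meant to surface.

```python
"""Risk scoring and risk-based prioritisation of an audit universe (added example)."""
from dataclasses import dataclass

# Constructed five-point scales (the text allows five or seven criteria);
# they stand in for Table 6.1, whose criteria are not reproduced on the page.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed assumption: share of the inherent score left untreated for each
# Table 6.3 control effectiveness rating ("good" leaves 20%, "uncontrolled" leaves all).
RESIDUAL_FACTOR = {"good": 0.2, "satisfactory": 0.4, "poor": 0.6,
                   "very poor": 0.8, "uncontrolled": 1.0}


def inherent_score(likelihood: str, impact: str) -> int:
    """Inherent risk score = likelihood x impact on a 1..25 matrix."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band(score: float) -> str:
    """Constructed banding of a 1..25 score into the low/medium/high of Table 6.2."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class AuditableUnit:
    name: str
    likelihood: str
    impact: str
    control_rating: str   # one of the Table 6.3 ratings
    audit_days: int       # estimated effort to audit this unit

    def inherent(self) -> int:
        return inherent_score(self.likelihood, self.impact)

    def residual(self) -> float:
        # Residual risk after allowing for the assessed control effectiveness.
        return round(self.inherent() * RESIDUAL_FACTOR[self.control_rating], 2)


def prioritise(units, available_days: int) -> dict:
    """Rank units by residual risk and fill the limited audit budget top-down.

    Units whose residual risk bands "low" are deferred to cyclical coverage;
    medium/high units that do not fit the budget are reported as unscheduled.
    """
    ranked = sorted(units, key=lambda u: (u.residual(), u.inherent()), reverse=True)
    scheduled, unscheduled, deferred, remaining = [], [], [], available_days
    for u in ranked:
        if band(u.residual()) == "low":
            deferred.append(u.name)
        elif u.audit_days <= remaining:
            scheduled.append(u.name)
            remaining -= u.audit_days
        else:
            unscheduled.append(u.name)
    return {"scheduled": scheduled, "unscheduled": unscheduled, "deferred": deferred}


def over_controlled(units) -> list:
    """Units with low inherent risk but 'good' controls: candidates for streamlining."""
    return [u.name for u in units
            if band(u.inherent()) == "low" and u.control_rating == "good"]


# Constructed sample audit universe (names and ratings are illustrative only).
SAMPLE_UNITS = [
    AuditableUnit("Payroll", "likely", "major", "good", 6),
    AuditableUnit("Vendor onboarding", "possible", "major", "very poor", 8),
    AuditableUnit("Privileged access management", "likely", "severe", "poor", 15),
    AuditableUnit("Petty cash", "unlikely", "insignificant", "good", 3),
    AuditableUnit("Data backup and restore", "possible", "severe", "uncontrolled", 10),
]

if __name__ == "__main__":
    for u in sorted(SAMPLE_UNITS, key=lambda u: u.residual(), reverse=True):
        print(f"{u.name:30} inherent={u.inherent():2} ({band(u.inherent())}) "
              f"residual={u.residual():5} ({band(u.residual())})")
    print(prioritise(SAMPLE_UNITS, available_days=30))
    print("over-controlled candidates:", over_controlled(SAMPLE_UNITS))
```

With the constructed data, Payroll scores high on inherent risk (16) but drops to low residual risk because its controls are rated good, so it is deferred, while the uncontrolled backup process and the poorly controlled privileged access area consume the 30-day budget; Vendor onboarding remains a medium residual risk the plan could not fit, which is exactly the kind of gap the CAE should report to the Audit Committee rather than silently drop.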

When carrying out risk and control assessments, there are few types of audit tests that are
normally carried out by auditors (subject to the respective audit environment) such as:

• Walk through test

As the name suggests, this test aims to explore, step by step, the process carried out by the
auditee for a specific operational task. It gives first-hand, experiential and comprehensive
knowledge of how a particular task is performed as well as who the persons in charge are. This
process enables the auditor to draw up a flowchart of the process if the auditee has not developed
their own process flowchart. In some cases, the auditee may already have a flowchart, which the
auditor can use to review the control implementation during the walk-through test.

• Internal Control Questionnaires (ICQ)

An ICQ comprises questions that test the adequacy of controls within the process or tasks under
review. The questions should, where possible, be phrased in such a way that only a ‘yes’ or ‘no’
answer is required, so as to promote consistency in the answers received. The advantage of using
a questionnaire is that it acts as a checklist to cover all aspects of a normal internal control
structure. However, auditors also need to be careful when using an ICQ to form a judgement on
controls, because the questionnaire approach can omit highly unusual areas that are not
included in standard internal control structures.

Creating a Test Plan and a Work Program


Based on the risk and control assessment that is performed, the next step is to create a test plan
to enable specific focus in addressing the scope and objectives. The test plan will be translated
into a work program, which will provide further details on objectives and audit procedures. A
test plan represents the strategy to collect evidence for a particular engagement. It includes
nature and timing of the audit work to be carried out for the related audit/control objectives. It
may also indicate the required time to be spent for the engagement.

The test plan that is prepared will be used as a basis for developing a work program. The internal
auditors must develop and document work programs that achieve the engagement objectives.
The work program includes methodologies to be used, such as technology-based audit and
sampling techniques.

Generally, a work program includes the following details:

• Objectives
• Reference documents if any (for example COSO, SOP)
• Date of work being performed
• Allocation of the task to individual auditors
• The person performing the work
• Detail audit procedures and evidence collected
• Quantifying how long a task should take to execute
• Additional notes

It is important to note that in an RBIA methodology, an audit work program would be developed
for a particular audit engagement based on risk and controls assessment, unlike a compliance
based or a procedural based audit where programmes may be standardised.

Resource Allocation
Resource allocation is a process of determining what should be done, how, where and when it
should be done as well as who should do it. Therefore, managing and allocating resources for
internal audit activity with regards to timing, staff and priorities of work procedures is very
important for achieving effective audit. In this respect, internal audit function must assure an
efficient and effective management of internal audit resources such as time, finance, people,
capacity, intellectual property, skills, talents, tools and techniques. This is crucial to ensure that
all planned work is of high priority and that audit resources are used in the best possible way.

Internal auditors must determine appropriate and sufficient resources to achieve engagement
objectives based on an evaluation of the nature and complexity of each engagement, time
constraints and available resources. At the individual engagement level, resource allocation
refers to activities such as allocating the number of staff to each assignment, the time allocated to
each staff member, determining the knowledge, skills and experience of the staff, training
requirements (if needed) and any other external resources that need to be obtained.

In determining the number of staff and the time allocated, it is important to evaluate the nature
and complexity of the engagement as well as the availability of resources. It is also important to
consider staff competency when allocating resources to the engagement. Competency includes
the experience as well as knowledge and expertise to perform the planned audit tests in order to
achieve the audit objective. For example, if the engagement is related to an information
technology (IT) audit, the staff assigned must possess knowledge in the area of IT. If required
competency is not currently available, training should be considered to supplement the current
knowledge and skills of the staff.

Documentation and Communication


The engagement plan needs to be clearly documented and approved at the appropriate levels.
Documentation is in fact required throughout the overall audit process. The well-documented
plan should be made available to the staff involved in the engagement to ensure that everyone
understands the objectives, scope, test plan, resource allocation and the expected output.

In summary, the engagement plan is the document that sets the direction for a specific
engagement. It includes key elements such as the following:

• Planned engagement objectives and scope of work
• Preliminary assessment of risks and controls
• The timing of the engagement work
• Internal auditors assigned to the engagement
• The process of communicating throughout the engagement, including the methods, time
frames and the person in charge
• Business conditions and operations of the activity being reviewed, including recent
changes in management or major systems
• Concerns or any request by the Audit Committee/management
• Audit strategy and test plan

Performing the Engagement


Performing the engagement involves the internal auditors carrying out the engagement tests
outlined in the planning phase and evaluating and documenting the results. Internal audit
customers are kept informed of the engagement’s progress through regular status meetings.
Internal auditors normally discuss audit observations, potential findings and recommendations
with the internal audit customers as they are identified. The type of information required and
the analysis applied may depend on whether the engagement is designed to provide assurance
services or consulting and advisory services.

The performance of an internal audit engagement consists of collecting data and information for
the purpose of meeting the engagement objectives; in doing so, internal auditors should consider
the expectations of the Board of Directors and senior management. It also involves substantial
field work. Internal auditors must identify, analyse, evaluate and document sufficient
information to achieve the engagement’s objectives. The process is guided by the audit strategy
and the test plan documented during engagement planning and is executed by the assigned audit
team.

Identifying and Collecting Information


Identifying information explains that internal auditors must identify sufficient, reliable, relevant
and useful information to achieve the engagement’s objectives. Sufficient information is factual,
adequate, and convincing so that a prudent, informed person would reach the same conclusions
as the auditor. Reliable information is the best attainable information through the use of
appropriate engagement techniques. Relevant information supports engagement observations
and recommendations and is consistent with the objectives of the engagement. Useful
information helps the organisation to meet its goals. Thus, engagement information should be
collected and documented in such a way that a prudent, informed person, such as another
internal auditor or an external assessor, could repeat the engagement and achieve an outcome
that confirms the internal auditor’s results and logically leads to the same conclusions.

Information or evidence collection activity is also known as audit procedures. Details of the
procedures that need to be carried out are documented in the audit work program. The
information gathering process generally involves the activities listed in Table 6.4, where
examples are also given.

The applicability and usage of the methods in Table 6.4 depend on the type of engagement to be
carried out. For example, if the engagement relates to assessing IT controls, Computer-Assisted
Audit Techniques (CAATs) will most likely be used as the primary information collection
procedure.

Analysing and Evaluating Information


Internal auditors’ approach to analysis and evaluation of information often includes a
combination of manual audit procedures and CAATs. During this process, one very important
consideration is to ensure the sufficiency, relevancy and reliability of information collected.
Sufficiency refers to the adequacy of information to enable auditors to make assessment and
judgement on achievement of the scope and objectives of the audit. Relevance refers to the
applicability of the information in context to the particular engagement while reliability refers to
the accuracy and objectivity of the information. In addition, reliability of information depends
on the information provider. Information from external independent third party (such as
confirmation) is more reliable than information generated and provided by the auditee.

Table 6.4 Activities of the Information Gathering Process

Activity: detailed example
Interviewing or conducting inquiry: Discuss with the payroll manager how payroll is calculated.
Verifying or vouching: Review the payroll payment instruction letter sent to the bank.
Observation: Observe employees clocking in for attendance.
Re-performance/Recalculation: Recalculate the amount of tax deduction.
Questionnaires: Issue a survey on employee satisfaction.
Analytical procedures: Calculate the ratio of total monthly tax deductions over 12 months.
Computer-assisted audit techniques (CAATs): Use audit software to reconcile the payroll file with the employee master file.
Physical inspection: Test drive the company car used by the chief executive officer to ensure that it is in good condition.
Review of published reports or minutes: Review minutes of meetings to identify the decision on bonuses for the year.
Confirmation: Send letters to employees who took a company car loan to confirm the loan balance due.
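To make the CAAT, re-performance and analytical rows of Table 6.4 concrete, the following script is an added example that is not from the textbook: it reconciles a constructed payroll extract against a constructed employee master file, flags payees absent from the master file, payments after termination and bank account differences, and re-performs the tax deduction at an assumed flat rate of 10%. The employee ids, names, accounts and the tax rate are invented for the illustration.

```python
# Added example (not from the textbook): a small CAAT in the sense of Table 6.4,
# reconciling a payroll extract against the employee master file and
# re-performing the tax deduction. All data is constructed inline and the
# 10% flat tax rate is an assumption made for the illustration.
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample extracts; ids, names and bank accounts are invented.
EMPLOYEE_MASTER_CSV = """emp_id,name,status,termination_date,bank_account
E001,Aisha Rahman,ACTIVE,,1111-01
E002,Ben Lim,ACTIVE,,2222-02
E003,Chong Wei,TERMINATED,2012-01-31,3333-03
E004,Devi Nair,ACTIVE,,4444-04
"""

PAYROLL_CSV = """emp_id,period,gross_pay,tax_deduction,bank_account
E001,2012-02,5000.00,500.00,1111-01
E002,2012-02,4200.00,420.00,2222-09
E003,2012-02,3800.00,380.00,3333-03
E004,2012-02,6100.00,590.00,4444-04
E999,2012-02,4500.00,450.00,9999-99
"""

TAX_RATE = Decimal("0.10")  # assumed flat rate used for re-performance


def load_csv(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def expected_tax(gross_pay):
    """Re-perform the tax deduction (Table 6.4: re-performance/recalculation)."""
    return (Decimal(gross_pay) * TAX_RATE).quantize(Decimal("0.01"),
                                                    rounding=ROUND_HALF_UP)


def reconcile_payroll(master_rows, payroll_rows):
    """Compare each payroll line (the condition) with the master file (the
    criteria) and return one finding per exception. The cause is left for the
    auditor to establish through inquiry; the script only records the difference."""
    master = {row["emp_id"]: row for row in master_rows}
    findings = []
    for pay in payroll_rows:
        emp = master.get(pay["emp_id"])
        if emp is None:
            findings.append({"emp_id": pay["emp_id"], "test": "ghost_employee",
                             "detail": "paid but not in employee master file"})
            continue  # no master record to compare the remaining fields against
        term = emp["termination_date"]
        if term and pay["period"] > term[:7]:  # YYYY-MM strings compare in order
            findings.append({"emp_id": pay["emp_id"], "test": "paid_after_termination",
                             "detail": f"terminated {term}, paid for {pay['period']}"})
        if emp["bank_account"] != pay["bank_account"]:
            findings.append({"emp_id": pay["emp_id"], "test": "bank_account_mismatch",
                             "detail": f"master {emp['bank_account']} vs payroll {pay['bank_account']}"})
        recalculated = expected_tax(pay["gross_pay"])
        if recalculated != Decimal(pay["tax_deduction"]):
            findings.append({"emp_id": pay["emp_id"], "test": "tax_recalculation_variance",
                             "detail": f"deducted {pay['tax_deduction']}, recalculated {recalculated}"})
    return findings


def findings_by_test(findings):
    """Count exceptions per test: a simple analytical summary for the workpaper."""
    counts = {}
    for finding in findings:
        counts[finding["test"]] = counts.get(finding["test"], 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile_payroll(load_csv(EMPLOYEE_MASTER_CSV), load_csv(PAYROLL_CSV))
    for finding in results:
        print(f"{finding['emp_id']}: {finding['test']} ({finding['detail']})")
    print(findings_by_test(results))
```

Each finding is a condition that differs from the master-file criteria; the auditor still has to establish the cause (for example a late HR update versus an unauthorised change) before it becomes a reportable observation.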

Documenting the Information Collected


All the information collected needs to be properly documented to ensure compliance with IPPF
standards and for the benefit of future reference and knowledge management. The CAE usually
establishes a common approach to workpaper documentation in the internal audit activity's
policies and procedures guide. Internal auditors must document relevant information to support
the conclusions and engagement results.

The documentation is commonly termed audit working papers and is kept either manually or in
electronic form. An important aspect of audit evidence is the use of the working papers by the
auditors to record the procedures applied, tests performed, information obtained and
conclusions reached during the course of the audit. Working papers, which are the property of
the auditors, assist them in the planning, design and performance of the audit work. Working
papers also facilitate the supervision of assistants and the review of work carried out. The fact
that working papers provide evidence that the work has been carried out with due care and skill
has legal significance. All matters that require judgment, such as the evaluation of internal
control and any conclusions drawn about its "quality", should be explained and included in the
working papers.

The form and content of the working papers depend on the requirements, nature and conditions
of the audit engagement. More detailed working papers may be required for a large complex audit
where several audit assistants are employed.

The contents of working papers used by the auditor vary depending on the type of audit
engagement, the nature and complexity of the entity environment, and the form of the auditor’s
report. Generally, the audit work papers would contain the following elements.

• Audit Plan
Working papers should contain evidence that the auditor has developed a plan for the
whole audit engagement. This includes information on any special audit procedures, any
unusual circumstances and the nature of any special reports to be rendered. An audit
programme should also be included showing the audit procedures and other
supplementary information, such as flowcharts and organisation charts that have helped
shape the course of the examination.
• Narrative Summaries
All information gathered through inquiry, confirmation, inspection and any other
methods of enquiry, along with the conclusions reached, are recorded in narrative
summaries. These summaries are normally prepared by the supervisor in charge of the
audit engagement and are reviewed by the Chief Audit Executive (CAE) or the head of
internal audit.
• Supporting Documents
Auditors prepare various types of schedules or summary in support of specific work
performed. Risk and control assessments, documents and analysis using generalised
audit software are a couple of examples.

Evaluation and Conclusion


In an RBIA, all collected information that constitutes evidence is corroborated and evaluated
based on risks towards achieving the audit objectives. Corroborating means bringing together
facts from various types of evidence that support each other to form one solid conclusion. In
short, it is like putting together a jigsaw puzzle.

Internal auditors must base conclusions and engagement results on appropriate analyses and
evaluations. The standard does not elaborate further on methods and considerations during the
evaluation and conclusion process. One useful guide is to identify the requirements of the
communication process, which enable a structured way of evaluating findings.

The engagement observations and recommendations emerge from a process of comparing
criteria (the correct state) with condition (the current state). Whether or not there is any
difference, the internal auditor would have a foundation on which to build the report. The
internal audit final report is a principal outcome in which internal auditors express their opinions,
present the audit findings, and discuss improvement recommendations. To facilitate
communication and ensure that the recommendations presented in the final report are practical,
Internal Audit discusses the rough draft with the client prior to issuing the final report.

When conditions meet the criteria, it is then appropriate for internal auditors to reach an opinion
that performance of a particular task is satisfactory. Opinions and recommendations are based
on the following attributes:

• Criteria: The standards, measures, or expectations used in making an evaluation and/or
verification (the correct state).
• Condition: The factual evidence that the internal auditor finds in the course of the
examination (the current state).
• Cause: The reason for the difference between expected and actual conditions.
• Effect: The risk or exposure the organisation and/or others encounter because the
condition is not consistent with the criteria (the impact of the difference). In determining
the degree of risk or exposure, internal auditors must consider the effect their
engagement.

Further, when arriving at the conclusion, auditors should consider the following:

• whether the conclusion encompasses the entire scope or specific aspects of an
engagement
• program objectives and goals
• to review alignment to organisational goals; whether the organisation's objectives and
goals are being met
• whether the activity under review is functioning as intended
• an overall assessment of controls or area under review
• whether the scope is limited to specific controls or aspects of the engagement

In order to achieve the purpose of internal audit, which is to improve and add value to the
organisation's governance, risk management and control processes, internal auditors need to
develop recommendations once the conclusion is decided. The following are factors to consider
when developing recommendations:

• Should be specific to the problem and offer some alternatives or advice to solve the
problem
• Avoid dictatorial connotations by using 'should', 'ought' or 'must'
• Findings must be taken seriously by the management/auditee, who are not always obligated
to accept the audit recommendations
• Should be suited to the auditee's needs and considerations

A few pertinent questions should be answered in order to ensure that the recommendations being
developed can enhance the effectiveness of the audit.

• Does the recommendation solve the problem, i.e. resolve the risk?
• Is the auditee capable of implementing the recommendation? Does the auditor have the
necessary expertise and technology?
• Is the recommendation compatible with the operations?
• Is the recommendation cost effective? Benefits versus costs.
• Does the recommendation represent a long term, short term or stopgap solution to the
problem?

The illustration on how the above are applied during the evaluation is presented in Appendix 6.1
Performing an Audit on Payroll.

Communication
Internal auditors need to communicate the engagement results of the audit. It is interesting to
note that the standard does not explicitly use the word reporting but instead looks to a larger
context, which is communicating. Therefore, the communication of audit results may take several
phases and use several means, including a written report. Communication between the auditors
and the auditee may start as early as when preliminary or interim results are obtained and
continue until the final conclusion is achieved and communicated to the auditee. It is also normal
practice to issue an interim written report before the final written report is presented, which in
most cases is supplemented by a slide presentation. Figure 6.7 illustrates the process of preparing
an audit communication.

Figure 6.7 Process of Preparing an Audit Communication (flowchart rendered as a sequence of steps)
1. Preparation of the initial draft of the report; review and edit by a member of the audit team.
2. Preparation of the revised audit report; review and edit by the manager of the audit assignment.
3. Preparation of the second revision of the report; review and edit by the head of
4. Preparation of the third revision of the report; combined review and edit by the audit team leader, manager and director.
5. Review by management and response provided on audit findings.
6. Preparation of the final draft of the audit report for distribution.

The quality of communication is also very important in order to achieve an efficient outcome
from the audit. Clear presentation of audit objectives, findings and recommendations will enable
positive understanding and response from the auditee and the management. Figure 6.8 shows the
important factors that influence the quality of communication.

Figure 6.8 Criteria of Quality Communication (figure not reproduced; only the labels "Quality" and "Timely" survived extraction)

The format of communication may vary from one engagement to another and may also depend
on whether a written report is prepared. In general, the following aspects must be included to
ensure that the above factors, which determine quality, are taken into consideration.

• Executive summary or overview of the whole engagement
• The engagement's objectives and scope
• Condition, criteria, effect, cause, observations
• Applicable conclusions
• Recommendations
• Action plans

Follow Up
A follow-up procedure is part of the monitoring process in which the CAE should establish and
maintain a system to monitor the disposition of results communicated to management. The CAE
should establish a follow-up process to monitor and ensure that management actions have been
effectively implemented or that senior management has accepted the risk of not taking action.

Internal auditors will perform a follow-up review to verify the resolution of the report findings,
reviewing and testing the client's response letter and the actions taken to resolve the audit
engagement report findings in order to confirm that the desired results were achieved. All
unanswered and unresolved findings will be discussed in the follow-up report. Basically, in the
follow-up report the internal auditors review, compare and conclude on the list of actions taken
by the respective internal audit customers to resolve the original report findings. The report also
comprises a brief description of each finding, the unresolved findings, the original audit
recommendation, the internal audit customers' response, the current condition, and the
continued risk exposure to the organisation. The outcome of the follow-up review takes the form
of a discussion draft of each report with unresolved findings. The draft is communicated to the
audit customers before the final report of the follow-up process is issued. Finally, the follow-up
review results are communicated to the respective internal audit customers and to other parties
that are considered appropriate to resolve the matter, such as executives, senior management or
the Board of Directors.

A follow-up process is very important in order to ensure effectiveness of the internal audit
function. It is very crucial that all parties involved, namely the auditees, the internal auditors and
the management play their roles respectively as shown in Table 6.5.

Table 6.5 Roles of Internal Auditors, Management and Auditees in a Follow-Up Process

Summary
Explain the components of the COSO Enterprise Risk Management 2017 framework and
compare them to the ISO 31000:2018 risk management — Principles and Guidelines. How does
an organisation assess risk? Give specific examples based on an organisation which operates in
the retail industry.

Self-Review Questions
1. Discuss the benefits of strategic audit plan to the internal audit function.
2. Describe the internal audit planning process.
3. Explain the importance of risk-based internal auditing (RBIA).
4. Outline the process of risk assessment and explain the part it plays in the strategic
planning of the work of an internal audit function.
5. Describe briefly how changes to the corporate objectives should be accommodated in the
internal audit strategic plan (annual internal audit plan).
6. Describe the steps in planning an internal audit assignment.
7. Describe the steps that you would take to identify the “significant issues” which you will
need to include in this initial work plan (consider the implications of audit resourcing).
8. List four important criteria for effective communication of audit results.
9. Give your opinion whether or not all internal audit reports should be lodged on the
company's website.
10. Describe the different methods of communicating audit findings and recommendations
to management.
11. Compare and contrast the factors that internal auditors should take into account when
communicating findings and recommendations to different levels of management.
12. Discuss how follow-up contributes to internal audit effectiveness.

References
Gleim, I. N. (2013). CIA Review Part II: Conducting the Internal Audit Engagement (14th ed.).
Gleim Publications.

IIA (2017). The Professional Practices Framework. The Institute of Internal Auditors Research
Foundation.

Institute of Internal Auditors (IIA) UK and Ireland (2014). Risk based internal auditing.
Retrieved from https://global.theiia.org/standards-guidance/topics/Documents/201501GuidetoRBIA.pdf
[Accessed 22 January 2019].

Pickett, K. H. S. (2012). The essential handbook of internal auditing. Wiley.

Vallabhaneni, S. R. Wiley CIA Exam Review, Volume 2: Conducting the Internal Audit Engagement
(4th ed.). Wiley.

Chapter 7: Internal Audit Reporting and Monitoring

After going through this chapter, you should be able to:

• Understand the purpose of providing an internal audit report
• Describe the report writing process
• Describe the format and content of an internal audit report
• Define the criteria for a good-quality internal audit report
• Describe the distribution of an internal audit report
• Describe the report monitoring and follow-up process

Introduction
The final stage in an internal audit engagement is to communicate the results and disclose
important matters during the process to the auditee. In this study, the process of preparing and
communicating the internal audit report refers mainly to the International Standards for the
Professional Practice of Internal Auditing (ISPPIA). An internal audit report is fundamentally
the final product of an audit engagement that is considered important to the management.
Internal auditors communicate results based on evidence, analytical judgements and later
determine whether the auditee has taken any appropriate corrective action.

The internal audit report is the auditor's opportunity to draw the management's undivided
attention to the issues faced by the organisation. That is how auditors should regard reporting:
as an opportunity to inform the management that some corrective actions are required. Internal
audit reports instil confidence in investors by indicating that the reported financial information
is free from errors and intentional misstatements. The internal audit report is perceived to be as
useful as the Audit Committee report, management's discussion and analysis, and the
management's report on internal control. The Chief Audit Executive (CAE) is responsible for
communicating results that reflect the CAE's due consideration, opinions and conclusions (The
Institute of Internal Auditors, 2017). Furthermore, the internal audit report provides a disclosure
that is perceived as highly credible through the CAE's report to the Audit Committee, Chief
Executive Officer (CEO) and Chief Finance Officer (CFO).

Purpose of Internal Audit Report


Preparation of the internal audit report is compulsory: internal auditors must communicate the
results of audit engagements. The purposes of communicating the results of audit engagements
are as follows:

1. Developing Recommendation
The report should disclose the current internal control situation highlighting the problems
discovered during the engagement so that the management can take notice and overcome the
problems. These problems could either be low or high risk and have implications on overall
organisational achievements. Thus, the role of an audit report is to change or improve internal
controls.

2. Present the Management with Control and Risk Issues


The internal audit report should highlight the importance of control and risks related to
achieving the business objectives. Management itself needs to address the potential risk that is
due to the element of controls not being properly addressed and managed according to the
business objectives. The potential risk from environmental factors has a great effect on business
operations. Thus, the management needs to initiate high priority control, appropriate solutions
and improvement tools in order to focus on future achievement.

3. Developing an Action Plan


Internal auditors recommend and develop an action plan for the current actual event arising
from the internal audit process. The action plan is one step ahead of recommendations, as it
requires the management to make the required changes.

4. To Promote Problems to Management


The report is structured for the purpose of promoting problems related to the risk area and their
implication for business objectives. The audit report highlights the results of compliance and
non-compliance with rules and regulations, the level of errors and irregularities in control.
Highlighting and promoting problems to the management creates greater concern for problems
in the risk areas and prompts the management to plan remedial action.

5. To Document the Results


The results prepared from an internal audit process are intended to convey internal
documentation to the management. The results are reported as a formal document that records
the audit program and findings from the audit process. The internal audit report acts as a formal
tool to convey audit findings to the management to highlight the risk areas and provide opinions
and recommendations.

6. To Provide Assurance to Management Operations


This is a crucial role: the internal audit report gives assurance and confirmation based on the
auditors' review of controls. The audit process confirms that risk management and controls are
applied and practised where no adverse findings arise. Besides that, the internal audit report
assures and confirms that problems faced by the organisation might have no major consequences
for the effectiveness of the operation.

Process of Report Writing


Internal auditors play an important role in achieving business objectives to ensure and improve
the effectiveness of risk management, control and governance processes. The reporting itself
ensures the reliability and integrity of financial and operational information, the effectiveness
and efficiency of operations, safeguarding of assets as well as compliance with laws, regulations
and contracts.

In order to communicate the results, the following process should be carried out, prepared and
executed as in Figure 7.1:

Figure 7.1 Process of Report Writing (flowchart rendered as a sequence): Field Audit Exit Meeting → Draft Audit Report → Responses from Department → Final Audit Report → Post Audit Survey → Follow Up Audit

1. Field Audit Exit Meeting


This is when an internal audit team meets with an auditee or management to discuss the results
of an audit process. The purpose of an exit meeting is to enable the auditors to discuss matters
regarding the system’s weaknesses and the risk areas discovered during the audit. More
corrective actions regarding the lack of control and protection need to be provided in the risk
area system. Auditors must discuss and ask auditees or management questions in the meeting on
significant and material issues. Auditors themselves need to gauge auditees’ feedback and
reactions in order to draft the final audit report. In the next stage, the CAE confirms the contents
of the draft report.

2. Draft Audit Report


Internal Auditors prepare the draft audit report after the management has agreed with the entire
content and facts. The draft audit includes audit observations, audit recommendations and an
audit plan. The audit plan highlights specific recommendations and states who is in charge of
improving the risk areas. The draft is prepared by the CAE and submitted to the CEO or senior
management. The CEO or senior management then makes decisions based on recommendations
given in the report.

3. Response from Various Departments

Auditees will receive a copy of the draft audit report from the CEO. The department itself must
take into consideration each recommendation provided by the internal auditors for the purpose
of improving business operations and ensuring the effectiveness of the system.

4. Final Audit Report


The final audit report is prepared by the CAE after receiving feedback from auditees. The final
report includes significant issues, action plans, recommendations, departments’ responses and
auditors’ conclusions. The internal audit report is published together with the management’s
responses.

5. Post Audit Survey


The internal auditors require auditees and the management to fill in a post audit survey. This is
to evaluate the effectiveness of the audit process, audit planning, audit performance,
professionalism and knowledge of the audit team.

6. Follow-Up Audit
Auditors will perform a follow-up audit on significant issues that were identified in the final
engagement report. They will request for follow up information to review and report on
corrective actions taken when addressing all previous significant issues.

Structure of the Report


The structure of an internal audit report differs due to the internal audit process and a variation
in the information gathered from the auditee. The report must include the title, details of auditee,
location, date of the report, report number, status, list of distributed reports, appropriate release
and confidentiality notifications as well as list of internal auditors involved. The contents should
consist of an executive summary, background, action plan, recommendations and management’s
responses. The executive summary should also include the objectives and scope of the report,
methods used, opinions, standards, conformance statements and observation summary.

Firstly, the objectives in the report should be able to tailor the engagement of the audit process.
Secondly, the scope that is covered in the report should be accurate and only those necessary
need to be included in the report. Thirdly, the report needs to describe broadly the methods
employed in the audit process with the specialised methods used. Fourthly, the report should
include related matters on the opinion that aligns the ratings with the observations covered in
the report. In preparing the opinion, there is a need to focus on the causes and effects for the
observation by using precise words and reducing the exaggeration on the effects of observations.

Fifthly, there is a need to mention the standards applied in conducting the internal audit process,
which are the standards related to the ISPPIA.

Sixth, an observation summary should be included in the report to allow readers to understand
each condition. Each condition represents a level of risk, and the cause of the observation can be
determined by using a few techniques drawn from the field of management, such as the Five Why
Analysis, Change Analysis and the Ishikawa Diagram. The Five Why Analysis traces a problem
back to its root cause in order to identify the solution. Change analysis may be used to identify
the potential impact of a change and the solution needed to accomplish it. The Ishikawa Diagram,
also known as a fishbone diagram, is used to identify the potential factors that cause a specific
effect. Internal auditors can use these techniques when observing conditions and identifying the
action plan. This is in line with the Practice Guide for Audit Reports (The Institute of Internal
Auditors, 2016), which suggests that an observation must include elements such as condition,
criteria, cause, effect and rating, as shown in Table 7.1. After determining the causes, and once
management has considered all recommendations and taken appropriate action, the internal
auditors should assess the residual risks. They should then investigate the effects of each risk on
meeting the organisation's objectives.

Table 7.1 Elements of Observation

Element: description
Condition: Factual evidence identified during the course of the engagement.
Criteria: Standards, measures, or expectations used in making an evaluation and/or verification of an observation.
Cause: Underlying reason for the difference between the criteria and the condition.
Effect: Risk or exposure encountered because the condition is not consistent with the criteria.
Rating: An effective communication tool for conveying the significance of each observation; it can assist management with prioritising their action plans and internal auditors with prioritising follow-up.

Next, the internal auditors should focus on recommendations that prevent future occurrences
and correct the existing conditions; these are known as cause-focused recommendations. The
internal auditors should also decide whether to use condition-focused and/or recovery-focused
recommendations. There are two writing styles for recommendations: imperative verbs and
modal verbs. Imperative verbs express actions, instructions and commands, while modal verbs
such as should or must express obligation. For example, 'please monitor the authorisation in the
cheque preparation process' is the imperative verb version, while 'monitoring the authorisation
of cheque preparation must be assigned' is the modal verb version.
The action plan is the next process in reporting, where auditees/clients present their plan in
order to address the cause and impact of either the recovery or correction for each condition.
Formulating an opinion is the conclusion of an engagement. The opinion should be
communicated to stakeholders for them to understand the overall internal audit process.
Opinions and conclusions on the overall assessment of specific controls can be formed based on
professional judgments after observations have been carried out; however, internal auditors
must evaluate the effects based on overall observations in order to suggest recommendations for
each of the conditions. Internal auditors examine the operation to ensure that it conforms with
objectives aimed at achieving organisational goals.

The internal auditor's opinion should be in line with the level of professional expertise and
judgment pertaining to governance, risk management and compliance throughout the overall
organisation. Moreover, internal auditors must understand the judgmental nature of the report
from the internal auditing perspective. Opinions must also be consistent with the views of
primary stakeholders and the overall implications for achieving organisational goals.

The final communication of engagement results must include applicable or feasible conclusions,
as well as applicable recommendations and/or action plans. Where appropriate, the internal
auditor should provide an opinion which considers the expectations of senior management, the
Board of Directors, and other stakeholders and must be supported by sufficient, reliable, relevant,
accurate and useful information.

In relation to the observation elements, below is the example of the internal control review on
payrolls. The observation is based on the time and attendance records, as shown in Table 7.2.

Table 7.2 Example of Internal Audit Report: The Structure of Report, Time and Attendance
Record, Payroll Internal Control Review, AAA Berhad

Structure and content

Title Page
Payroll Internal Control Review: Time and Attendance Record, March 1, 2012. Issued by Group
of Internal Audit, AAA Berhad.

Header and Footer

Executive Summary

Objective
• To determine the efficiency and effectiveness of the time and attendance system.
• To ensure that the system has followed proper internal controls.
• To ensure the time and attendance records have been properly completed, reviewed,
approved and processed.
• To ensure the adequacy of separation of duties, security controls and monitoring
procedures.

Scope
• The purpose of this audit is to identify the effectiveness of existing systems and
controls in detecting errors and fraud.
• The audit analysed five weeks of time and attendance records in the manual payroll
system.
• The audit team interviewed the person-in-charge in order to understand the manual
payroll system.

Methods
The methods used in this audit engagement are:
• The auditors inspected the time and attendance records from the manual payroll
system in order to verify the accuracy and completeness of data written in
timesheets.
• The auditors also vouched data on authorised timesheet records (source documents)
that had been verified, and compared them with the information entered in the payroll
and accounting system, which produced the computer report.
• The auditors interviewed the person in charge in order to understand the overall
procedure of the manual payroll system and the accounting and payroll system.

Opinion
1. The internal audit has suggested that the critical procedures for time and attendance
sheets be performed on a timely basis to maintain the level of accuracy and timeliness.
Any problems such as entering erroneous data and documenting incorrect information
while preparing timesheets would affect the payroll and accounting system.
2. The responsibility of each employee and payroll supervisor is very important and
needs to be emphasised in ensuring that all hours worked are accurately and correctly
reported, calculated and paid. Mistakes in approving hours worked would result in
inappropriate payments.
3. The payroll supervisor is responsible and accountable for checking and reviewing the
accuracy of the time and attendance sheets. The head of the payroll unit is responsible
for signing the time and attendance sheets.
Overall, errors or mistakes do happen in the payroll and accounting system; hence, this
would cause information errors and a lack of productivity.

Standards Conformance Statement
This audit was conducted in conformance with the International Standards for the
Professional Practice of Internal Auditing (IPPF).

Observation Summary

Background
The manual payroll system was reorganised to provide better efficiency in time and
attendance processing. The process includes two key process objectives:
1. Making accurate timesheets
2. Ensuring proper authorisation

Criteria
1. The policies of the organisation require employees to record time and attendance
through punch-in cards and manual timesheets.
2. Every timesheet requires checking and review by the payroll supervisor.
3. The head of the payroll unit is required to sign every timesheet based on the
authorisation of hours worked.

Conditions of the observation
1. The time and attendance sheets are not properly completed and approved.
2. The time and attendance sheets are not properly reviewed by payroll supervisors.
3. The timesheets have been approved and signed without proper checking by the
head of payroll.

Cause
The manual payroll system is a highly labour-intensive process, as handwritten timesheets
are then keyed in and entered in the payroll and accounting system.

Effects of the observation
1. There is a possibility of keying erroneous data into the payroll and accounting
system.
2. The report produced through the payroll and accounting system would document
erroneous information.
3. Inappropriate payments may have been made when the time and attendance sheets
were inadequately reviewed and authorised.

Rating the Observation
Low risk

Action Plan Recommendations and Management Responses

Recommendations
1. The payroll supervisor should ensure that all time and attendance records are
reviewed for completeness and checked for errors before they are entered into the
payroll and accounting system.
2. Backup reviewers must review the individual inputting timesheet information from
the source document in order to avoid any process errors.
3. The Human Resource Department should implement training in payroll recording
procedures for supervisors, backup reviewers and employees so that they understand
their function in the time and attendance process.
4. The head of the payroll unit and the payroll supervisor must perform proper and timely
review for signature approval and error checking.

Action Plan
1. Training for new hires and current employees to emphasise their responsibility and
function to record time and attendance accurately.
2. Training on proper timekeeping practices for employees who were found to be not
complying with proper procedures and rules.
3. Training for payroll and management on supervising timesheet records and reviewing
the overall manual payroll system.

Management Responses
The director of the Human Resource Department has agreed to all recommendations made in
this report. The policy on time and attendance will be addressed. All recommendations
should be implemented in June 2012.

Report Distribution in Title Page (separate internal and external readers)
Internal readers: Human Resource Director; Director of Finance.
External readers: Registrar of Companies; Bursa Malaysia.

Report Team
AAA Bhd Group of Internal Audit

Appendices
–

(Source: Adapted and Modified from Henderson, 2012)
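The Methods and Conditions sections of Table 7.2 describe inspection and vouching done by hand. The script below, an added example that is not part of the textbook's report or of AAA Berhad's procedures, shows how the same tests can be run as a computer-assisted audit procedure over constructed timesheet and payroll records; every field name and sample value is an assumption.

```python
"""Added example (not from the textbook or AAA Berhad): automated exception test
for the Table 7.2 time-and-attendance review over constructed sample records."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Timesheet:
    """One manual timesheet. Field names are assumptions, not a real payroll layout."""
    employee_id: str
    week: str
    hours_worked: Optional[float]      # None = hours left blank (not completed)
    punch_card_hours: Optional[float]  # hours from the punch-in card (criterion 1)
    reviewed_by: Optional[str]         # payroll supervisor who reviewed (criterion 2)
    signed_by: Optional[str]           # head of payroll unit who signed (criterion 3)


@dataclass
class PayrollEntry:
    """Hours keyed into the payroll and accounting system for one employee-week."""
    employee_id: str
    week: str
    hours_paid: float


Finding = Tuple[str, str, str]  # (employee_id, week, detail)


def run_exception_test(timesheets: List[Timesheet], payroll: List[PayrollEntry],
                       tolerance: float = 0.0) -> Dict[str, List[Finding]]:
    """Apply the report's criteria and the vouching step; return findings by condition."""
    paid = {(p.employee_id, p.week): p.hours_paid for p in payroll}
    findings: Dict[str, List[Finding]] = {name: [] for name in (
        "not_completed_or_approved",  # condition 1
        "not_reviewed",               # condition 2
        "signed_without_checking",    # condition 3
        "punch_card_mismatch",        # criterion 1: card vs manual sheet
        "payroll_hours_mismatch",     # vouching: sheet vs payroll system
        "missing_from_payroll",       # sheet never keyed in
    )}
    for ts in timesheets:
        key = (ts.employee_id, ts.week)
        complete = ts.hours_worked is not None
        card_ok = (complete and ts.punch_card_hours is not None
                   and abs(ts.hours_worked - ts.punch_card_hours) <= tolerance)
        if not complete or ts.signed_by is None:
            findings["not_completed_or_approved"].append(key + ("blank hours or no approval",))
        if ts.reviewed_by is None:
            findings["not_reviewed"].append(key + ("no payroll supervisor review",))
        if complete and ts.punch_card_hours is not None and not card_ok:
            findings["punch_card_mismatch"].append(
                key + (f"sheet {ts.hours_worked} vs card {ts.punch_card_hours}",))
        # A signature only evidences checking if the sheet was complete, reviewed
        # and agreed to the punch card; otherwise it was signed blind.
        if ts.signed_by is not None and (not complete or ts.reviewed_by is None or not card_ok):
            findings["signed_without_checking"].append(key + ("signed despite an unresolved defect",))
        if key not in paid:
            findings["missing_from_payroll"].append(key + ("no payroll system entry",))
        elif complete and abs(ts.hours_worked - paid[key]) > tolerance:
            findings["payroll_hours_mismatch"].append(
                key + (f"sheet {ts.hours_worked} vs paid {paid[key]}",))
    return findings


def exception_rates(findings: Dict[str, List[Finding]],
                    population: int) -> Dict[str, Tuple[int, float]]:
    """Count and rate per condition, the figures quoted in a Conditions section."""
    return {name: (len(items), round(len(items) / population, 3))
            for name, items in findings.items()}


# Constructed sample data for one week (not real AAA Berhad records).
SAMPLE_TIMESHEETS = [
    Timesheet("E001", "2012-W09", 40.0, 40.0, "S. Lim", "H. Tan"),  # clean
    Timesheet("E002", "2012-W09", None, 38.0, "S. Lim", "H. Tan"),  # hours blank, yet signed
    Timesheet("E003", "2012-W09", 42.0, 42.0, None,     "H. Tan"),  # signed without review
    Timesheet("E004", "2012-W09", 45.0, 40.0, "S. Lim", "H. Tan"),  # sheet disagrees with card
    Timesheet("E005", "2012-W09", 40.0, 40.0, "S. Lim", None),      # never approved
    Timesheet("E006", "2012-W09", 36.0, 36.0, "S. Lim", "H. Tan"),  # not keyed into payroll
]
SAMPLE_PAYROLL = [
    PayrollEntry("E001", "2012-W09", 40.0),
    PayrollEntry("E002", "2012-W09", 38.0),
    PayrollEntry("E003", "2012-W09", 42.0),
    PayrollEntry("E004", "2012-W09", 45.0),  # paid the sheet's hours, not the card's
    PayrollEntry("E005", "2012-W09", 44.0),  # keying error: the sheet says 40
]


def run_sample() -> Dict[str, List[Finding]]:
    return run_exception_test(SAMPLE_TIMESHEETS, SAMPLE_PAYROLL)


if __name__ == "__main__":
    result = run_sample()
    for name, (count, rate) in exception_rates(result, len(SAMPLE_TIMESHEETS)).items():
        print(f"{name:28s} {count:2d} ({rate:.1%})")
    for name, items in result.items():
        for emp, week, detail in items:
            print(f"  {name}: {emp} {week}: {detail}")
```

Each finding list maps to one criterion or condition of the observation, so the counts and rates can be quoted directly when the conditions are written up.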

Opinions and Ratings of the Internal Audit Report


The opinions and ratings of the internal audit report are also important in structuring the report
to highlight the results based on the internal auditor’s observation. For example, Table 7.2
presents the rating and opinion for the time and attendance record-payroll internal control
review. These ratings and opinions are developed based on the conditions of observation done
by the internal auditors.

Opinions of the Internal Audit Report


The overall opinion will be issued based on the organisation's strategies, objectives, and risks to
meet the expectations of senior management, the Board of Directors, and other stakeholders. It
must be supported by sufficient, reliable, relevant, accurate, and useful information.

In addition, internal auditors must communicate the internal audit report after they have
identified the risk for each observation, along with the evaluation and assessment, which is
related to the development of the opinion. The opinion developed by the CAE should address
matters such as:

1. The strategies, objectives, and risks faced by the organisation.
2. Whether the opinion can solve a problem, add value and provide management with confidence
in the condition of the organisation.
3. The understanding of expectations for the scope of the overall opinion, based on
discussions with management and other stakeholders.
4. The scope of the overall opinion, which should include the specific period to which the
opinion relates and consider whether there are any limitations to the scope.
5. The conclusions and other communicated results, which should be supported by sufficient,
reliable, relevant, accurate and useful information.
6. A summary of the information on the overall opinion, identifying the relevant risk or
control framework used as the criteria for the overall opinion.

Ratings of the Internal Audit Report


In developing the ratings in the internal audit report, there is no single prescribed way of
expressing engagement outcomes on the effectiveness and efficiency of the controls reviewed.
The final engagement communication can give either positive or negative assurance. Positive
assurance, known as reasonable assurance, is given when internal auditors conclude that the
controls are designed adequately and operating effectively. Negative assurance, known as
limited assurance, is given when internal auditors have been led to believe that controls are
not designed adequately and are operating ineffectively. The opinion is developed based on
observations on the overall internal control for each process.

The rating system is developed to rate each observation for its operational area and risk. The
rating in a report is a subjective professional judgment based on the business complexity, the
potential effects of the observations, the responsiveness of management action plans, and the
repeat nature of the observations. Commonly, internal audit activities use a three-point rating
system: unsatisfactory, marginal and satisfactory. The rating system for observations is also
a three-point system: high risk, medium risk or low risk. This rating system has advantages in
that it makes it easier to summarise results for senior management and contributes to internal
audit activity planning. Furthermore, it focuses stakeholders’ attention by alerting them to
the areas that need more attention and have greater impact.

Quality of the Report Writing


The quality of a report is important, and it should conform to the Standards. This ensures that
each internal audit process has been carried out according to the principles or rules of conduct
stipulated in the Code of Ethics and the Standards. Communications must be accurate, objective,
clear, concise, constructive, complete, and timely. The descriptions of these criteria are
presented in Table 7.3.

Table 7.3 Criteria of Good Quality Report Writing

Quality and description
Accurate: Free from errors and distortions and faithful to the underlying facts.
Objective: Fair, impartial and unbiased; the result of a fair-minded and balanced assessment of
all relevant facts and circumstances.
Clear: Easily understood and logical, avoiding unnecessary technical language and providing all
significant and relevant information.
Concise: To the point, avoiding unnecessary elaboration, superfluous details, redundancy and
wordiness.
Constructive: Helpful to the engagement client and organisation, leading to improvements where
needed.
Complete: Lacking nothing that is essential to the target audience; includes all significant and
relevant information and observations to support recommendations and conclusions.
Timely: Opportune and expedient, depending on the significance of the issue, allowing
management to take appropriate corrective action.
(Source: The Institute of Internal Auditors, 2017)

The quality of the report can be further enhanced by five factors drawn from practice:
readability, clarity, objective wording, tone and the conventions of written language.

First is readability. Message placement, coherence, conciseness and the use of graphics can help
enhance the readability of a report. Message placement refers to the structure of the report, in
which each observation is delivered in a structured manner in the executive summary and the body
of the report. Second, the report should be written coherently using appropriate words, phrases
and terms. Conciseness is the third factor that improves the level of readability: the report
should contain the right information and avoid redundant words. Concise information will assist
management in understanding the main conditions, causes, effects and recommendation(s) for each
observation. The last factor that affects readability is how well graphics are presented to
highlight information from the audit process. Graphic presentations using pie charts, bubble
charts and bars; line graphs for trends; dashboards for status against goals; and iconic images
and colour for categorisation are the best formats for comparing information.

Second, clarity of information is also important. To ensure clarity, definitions must be used
appropriately. Definitions are crucial for understanding the concepts used in each observation
and in the audit process, as each observation might carry different concepts and terms. Confusion
can be avoided by providing a glossary and, when electronic reports are used, hyperlinks. The
report should be written in simple and clearly structured sentences. Thirdly, internal auditors
must avoid biased wording. The report must be prepared objectively when describing the
engagement; hence, the wording used must be fair, impartial and unbiased. The written report must
state any weakness in the process and in internal control. Fourth, the tone of the writing should
reflect the level of severity and risk of each observation.

Finally, the language used in the report should be appropriate to the culture of the location.
The level of understanding of the report depends on good grammar, punctuation and mechanics.
Thus, internal auditors must improve their writing skills in order to improve the reputation of
internal audit and the level of readers’ comprehension. Readers’ comprehension is improved by
good quality reports and the complete information provided by the internal auditor.

Overall, all criteria should be taken into consideration in writing the internal audit report. An
excellent report portrays the auditor’s competency and capability in writing a high-level quality
report and hence, facilitates the reader’s comprehension. Together with the quality criteria, there
is a need to understand the strategies in preparing an internal audit report. This would ensure
the management, particularly Audit Committee and senior management to easily understand
and be concerned about the highlighted matters.

Strategies in Preparing Internal Audit Report


When preparing an internal audit report, the best practice is to attract readers, especially
senior line management, to understand the contents of the report. The right technique ensures
direct, objective and convincing reports that deliver the intended message with clarity. The
report can be prepared according to guidelines that ensure the completeness of an internal audit
report. The main contents of the internal audit report must be stated immediately, because
auditees, senior executives and Audit Committee members want a succinct description of the
issue, its level of risk and the recommended mitigation or corrective measures. In addition,
auditors need to communicate the severity of risks and explain the risks in meaningful ways so
that management can focus more on the recommendations. The report should be written and
communicated so that the pertinent ideas that were the focus of the audit findings are understood
by the auditees.

The writing style of the audit report requires auditors to construct sentences built around a
noun that readers can easily understand and visualise. Each sentence should generally be short
and contain no more than 24 words to ensure readability. Meanwhile, ideas in the report can be
made clearer by simplifying them into lists, which helps the auditee to digest and process the
information in a short time. However, auditors need to avoid using technical terms, because not
every auditee understands or is familiar with accounting and auditing terminology. Thus, auditors
need to use the correct words as well as the accepted practices and norms required for business
documents in order to highlight potential improvements for each of the controls which, if not
implemented, could lead to possible failure. When pointing out issues, auditors must avoid using
negative words, because such words have a high tendency to provoke rather than convince auditees.
These strategies help to achieve the purpose of internal audit reports, which is to document and
communicate the results to auditees as well as to senior management and the Audit Committee.

Communicating Results
Communicating results is an important task for internal auditors. Internal auditors must work
on the challenges involved in communicating results, not only when delivering positive news but
also negative news. Archambeault and Rose (2011) suggested five key steps to effective
communication.

Firstly, internal auditors must make advance preparations when communicating negative news.
This includes a review of the findings, auditors’ understanding of critical issues, gathering
information about readers and considering visualising the point of view they expect from the
audience regarding the negative news. Secondly, internal auditors must focus on coordinating a
meeting so that they can maintain control over the direction of the meeting. They must try to
schedule a time and place where they can have the participants’ undivided attention.

Thirdly, internal auditors must be straightforward and honest in their delivery. They must be
aware that certain words are emotionally charged and thus could produce negative reactions from
clients. Nonverbal cues in communication, such as body language, facial expressions, eye contact
and tone of voice, should also be taken into consideration, as they can help auditors in their
presentation. Fourth, internal auditors must anticipate responses or feedback from clients that
counter the audit findings.

They need to respond to and discuss every finding with clients in a proper and positive manner
instead of reacting defensively. Finally, the last step to ensure effective reporting is
determining corrective measures. Here internal auditors can make their biggest contribution
through encouragement and constructive suggestions. All corrective actions and recommendations to
mitigate problems and risk areas will assist clients in the long term to achieve organisational
objectives and goals.

Dissemination of the Audit Report


Control over the distribution of the final engagement report rests with the CAE. The CAE is
responsible for communicating the results to parties who can ensure that the results are given
due consideration. The purpose of distributing the report is to assist clients or auditees to
achieve the desired action. The following factors should be taken into consideration in
disseminating the internal audit report:

1. Through discussions with the Board of Directors and a review of any organisational
communication protocol, the CAE determines who will receive the results of the engagement and
the form of communication that will ensue.
2. When determining the recipients of the report, the CAE takes into consideration whether the
party or parties have a genuine business interest in receiving the results, as well as whether
they have the responsibility to initiate management action plans.
3. To ensure consistency, internal audit activities could develop a standard distribution list of
parties who are designated to receive all types of communication, as well as the management
levels that should be included in the distribution list for engagement results pertaining to
their area of responsibility.
4. The CAE can expand the distribution list if necessary, which often includes the organisation’s
senior management.
5. To ensure compliance with legal obligations and organisational protocols, it is important for
the CAE to exercise caution and consideration when disseminating results outside the
organisation. The CAE should consider the ramifications of communicating sensitive
information, as such information might affect the organisation’s market value, reputation,
earnings, or competitiveness. The CAE might find it helpful to consult with legal counsel and
the compliance function within the organisation.

Responsibility for disseminating the internal audit report matters to the CAE for validation and
approval, because it ensures the report is directed to the appropriate recipients, that is, to
those who are able to give it reasonable consideration. After dissemination, if further
monitoring is needed, the respective recipients or auditees should take action and follow up.

Monitoring the Progress and Follow-up Audit


Monitoring and follow-up on progress are two stages that occur after the CAE has disseminated
and communicated an internal audit report in accordance with the relevant standards. For
monitoring purposes, the CAE should establish procedures that ensure the effectiveness of
monitoring progress. The monitoring procedures that involve the role of the CAE are as follows:

1. Whether sophisticated or simple, it is important for the CAE to develop a process that
captures the relevant observations, agreed corrective actions, and their current status.
2. The CAE often develops or purchases a tool, mechanism, or system to track, monitor, and
report on such information. Based on information provided to internal audit by management,
the status of the corrective actions is updated in the system periodically, often directly by
management using a shared exception tracking system.
3. The frequency and approach to monitoring (the extent to which audit staff verify that
corrective action was taken) are determined based on the CAE’s professional judgment, as well
as the expectations set by the Board of Directors and senior management.
4. The form of reporting is determined based on the CAE’s judgment and the agreed
expectations. Some CAEs report the status of every observation for every engagement in
detail, while others report only observations that are rated as posing a higher risk, perhaps
summarised by business process or executive owner, noting statistics such as the percentage
of corrective actions on track, overdue and completed on time.
5. In some instances, the CAE might report on the completion of the corrective action as well as
whether the action has rectified the underlying issue. Capturing and measuring positive
improvements resulting from the execution of corrective actions is considered a leading
practice.

The final part is the follow-up process, in which internal auditors examine whether management
has taken action on each recommendation. For this purpose, the Practice Guide for Audit Reports
(The Institute of Internal Auditors, 2016) suggests a tracking spreadsheet or system that records
the audit observation, action plan, responsible personnel, and target completion dates.

Internal auditors must present documents with relevant information to support their
conclusions and engagement results as well as document follow-up procedures and results.
Follow-up procedures need to be conducted and performed in order to instil confidence and
assurance to the CAE, upper management and the Board of Directors. Furthermore, these
procedures would ensure that the issues and associated risks are identified and mitigated
adequately.

The follow-up audits should be performed at specific time intervals, or on an ongoing basis.
When performed at specific time intervals, the CAE might schedule specific assignments in the
annual internal audit plan to perform a follow-up for incomplete or expired action plans from
the previous year(s). When follow-up activities are performed on an ongoing basis, the follow-up
process is usually performed monthly or quarterly and consists of three elements, namely
collecting information, verifying the completion of the action plan, and reporting results to the
engagement client, senior management, and periodically to the Board of Directors.
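The tracking spreadsheet suggested by the Practice Guide and the status statistics some CAEs report (percentage of corrective actions on track, overdue and completed on time) can be modelled in a few lines. The following is an added example, not the IIA's or the textbook's tool; its records, names and dates are constructed, and the verification flag represents the second element of the ongoing follow-up process (verifying completion of the action plan).

```python
"""Added example (not the IIA's or the textbook's tool): a minimal tracker for the
follow-up spreadsheet (observation, action plan, responsible person, target date)
producing the status statistics a CAE might report. All records are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class ActionItem:
    observation: str                        # the audit observation
    action_plan: str                        # agreed corrective action
    owner: str                              # responsible personnel / executive owner
    process: str                            # business process, for summarising by process
    risk: str                               # observation rating: "high", "medium" or "low"
    target_date: date                       # target completion date
    completed_date: Optional[date] = None   # date management reports completion
    verified: bool = False                  # internal audit has verified the completion


RISK_RANK = {"low": 0, "medium": 1, "high": 2}


def status_of(item: ActionItem, as_of: date) -> str:
    """Classify one corrective action as at the reporting date."""
    if item.completed_date is None:
        return "overdue" if as_of > item.target_date else "on_track"
    if not item.verified:
        return "completed_unverified"  # management says done; audit has not confirmed
    return "completed_on_time" if item.completed_date <= item.target_date else "completed_late"


def follow_up_report(items: List[ActionItem], as_of: date, min_risk: str = "low",
                     group_by: str = "process") -> Dict[str, Dict[str, float]]:
    """Status counts per group (process or owner) plus the percentages of corrective
    actions on track, overdue and completed on time. min_risk="medium" or "high"
    restricts the report to higher-rated observations, as some CAEs do."""
    selected = [i for i in items if RISK_RANK[i.risk] >= RISK_RANK[min_risk]]
    report: Dict[str, Dict[str, float]] = {}
    for item in selected:
        bucket = report.setdefault(getattr(item, group_by), {"total": 0})
        status = status_of(item, as_of)
        bucket[status] = bucket.get(status, 0) + 1
        bucket["total"] += 1
    for bucket in report.values():
        for status in ("on_track", "overdue", "completed_on_time"):
            bucket["pct_" + status] = round(100.0 * bucket.get(status, 0) / bucket["total"], 1)
    return report


def escalation_list(items: List[ActionItem], as_of: date) -> List[ActionItem]:
    """Overdue actions and unverified completions that need follow-up work or escalation."""
    return [i for i in items if status_of(i, as_of) in ("overdue", "completed_unverified")]


# Constructed sample: the Table 7.2 payroll actions plus one other engagement.
SAMPLE_ITEMS = [
    ActionItem("Timesheets not reviewed by supervisor", "Supervisor review before keying",
               "HR Director", "Payroll", "high", date(2012, 6, 30), date(2012, 6, 15), True),
    ActionItem("Timesheets signed without checking", "Head of payroll error check",
               "HR Director", "Payroll", "medium", date(2012, 6, 30)),
    ActionItem("No timekeeping training", "Training for new hires and supervisors",
               "HR Director", "Payroll", "low", date(2012, 9, 30)),
    ActionItem("Purchase orders unapproved", "Approval workflow in procurement system",
               "Finance Director", "Procurement", "high", date(2012, 5, 31), date(2012, 6, 10), True),
    ActionItem("Vendor master duplicates", "Quarterly vendor master clean-up",
               "Finance Director", "Procurement", "medium", date(2012, 6, 30), date(2012, 6, 20)),
]
AS_OF = date(2012, 7, 31)  # constructed reporting date for the quarterly follow-up


if __name__ == "__main__":
    for group, stats in follow_up_report(SAMPLE_ITEMS, AS_OF).items():
        print(group, stats)
    for item in escalation_list(SAMPLE_ITEMS, AS_OF):
        print("follow up:", item.observation, "-", status_of(item, AS_OF))
```

Passing `group_by="owner"` produces the executive-owner view mentioned in the text, and `min_risk="medium"` the higher-risk-only view.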

The monitoring and follow-up activities mentioned above provide benefits to the organisation.
They show whether the recommendations from past results have been implemented correctly by the
respective parties or auditees within the timescale given by management. Besides that, the report
on monitoring and follow-up is important to both the Audit Committee and senior management in
highlighting any specific areas that concern them. In addition, this process ensures that each
recommendation is fully implemented by the auditees, which benefits the organisation and
ensures that the risks identified have been effectively mitigated. Thus, the actions taken by the
auditee are expected to reduce possible risks in the future.

Summary
This chapter has covered preparing the internal audit report together with monitoring. Monitoring
and follow-up are part of the audit process. Internal auditors and auditees should understand the
purpose of preparing the internal audit report. There are six steps to preparing an internal audit
report in order to ensure the process is in line with the Standards. Together with this, internal
auditors need to consider best practice for the structure of the report and related strategies to
produce a high-quality report. With respect to engagement with management in communicating the
results, internal auditors need to understand the matters related to communicating results,
dissemination of the audit report, and monitoring progress and follow-up audits.

Summary
Explain the components of the COSO Enterprise Risk Management 2017 framework and
compare them to the ISO 31000:2018 risk management — Principles and Guidelines. How does
an organisation assess risk? Give specific examples based on an organisation which operates in
the retail industry.

Self-Review Questions
1. Discuss the advantages of writing an internal audit report.
2. Discuss the process of writing an internal audit reporting.
3. Describe the quality of an internal audit report as required by the standards.
4. Comment on the quality of internal audit reporting in Table 7.2: The Structure of Report,
Payroll Internal Control Review, Time and Attendance Record. You can comment based on
the report quality checklist.
5. Discuss the role of internal auditors in monitoring and follow-up process for each reporting.

References
Adams, P., Cutler, S., McCuaig, B., Rai, S., & Roth, J. (June 30, 2012). Sawyer’s Guide for Internal
Auditors (6th ed.). ISBN-13: 978-0894137211. The Institute of Internal Auditors Research
Foundation.

Archambeault, D., & Rose, M. (2011). The ABCs of Communicating Results. Internal Auditor.
Available at: http://www.theiia.org/intAuditor/back-to-basics/2011/communicate-bad-news/the-abcs-of-communicating-results/?search=The%20ABCs%20of%20Communicating%20Results

Henderson, J. (2012). Time and Attendance Reporting Internal Control Review. Internal Audit Report.
Town of Trumbull, CT, Office of the Financial/Accounting Controls Analyst, pp. 3-13.
Available at: http://www.trumbull-ct.gov/filestorage/7112/7181/Internal_Audit_Report_-_Time_and_Attendance_Reporting_Internal_Control_Review,_April_2012.pdf

Reding, K. F., Sobel, P. J., Anderson, U. L., Head, M. J., Ramamoorti, S., Salamasick, M., &
Riddle, C. (2009). Internal Auditing: Assurance & Consulting Services. ISBN-13: 978-0894136436.
The Institute of Internal Auditors Research Foundation.

The Institute of Internal Auditors (2016). Supplemental Guidance: Practice Guide, Audit Reports.
Available at: https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/audit-reports-practice-guide.aspx

The Institute of Internal Auditors (2017). International Professional Practices Framework (IPPF):
International Standards for the Professional Practice of Internal Auditing (Standards). First
printing. USA.

The Institute of Internal Auditors (2017). Implementation Guides. International Professional Practices
Framework (IPPF). Available at: https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx

Chapter 8: IT in Internal Audit Practices

After going through this chapter, you should be able to:

• Describe the information technology (IT) audit
• Identify technology risks and challenges to internal auditing
• Discuss the evaluation of general and application controls
• Define and discuss the audit of the System Development Life Cycle (SDLC)
• Define and discuss the audit of e-commerce and its challenges to internal auditors
• Understand the idea of computer-assisted audit techniques (CAATs) in performing an
audit procedure
• Discuss the impact of the Fourth Industrial Revolution on internal auditing

Introduction
Information technology (IT) has grown steadily in Malaysia, and rapidly after the launch of the
Multimedia Super Corridor (MSC) in Cyberjaya. Entities ranging from sole proprietorships to
large organisations rely on IT to record and process day-to-day business transactions. Some
business organisations simply purchase application software available in the market to process
their business transactions. Those with a budget for system development might prefer to develop
their own application systems. Heavy reliance on computers for processing business transactions
has changed the business scenario. Businesses are now subject to various IT-related risks such
as:

System Application Error


The use of software applications in processing transactions will reduce the risk of human error.
However, the risk of system error might increase, since the system needs to be upgraded from time
to time as business operations expand. Too many changes and flaws in the system’s program
procedures will raise questions about the reliability of the software. At the same time, risks
such as operating system crashes, transmission errors or missing data can occur.

Hardware Failure
Computer hardware such as central processing unit (CPU), monitors, servers, etc. can easily
malfunction if not properly maintained and protected. A proper procedure in handling computer
hardware is important to prevent it from physical damage. Damages could be due to
inappropriate use, sabotage or environmental disasters such as a fire, blackout, flood or an
earthquake.

Computer Crime
Business transactions conducted via the Internet can expose the organisation’s electronic data to
attacks from hackers, competitors, terrorist groups, former employees or industrial spies. These
parties attack to look for valuable data or to harm the computer system. There are countless
types of computer attack, such as hacking, spamming, spoofing or sending viruses and worms.

Therefore, controlling and protecting business information has become one of the main
priorities in most organisations. An effective control of the processing data in the information
system is important to protect an organisation’s liability and to ensure security as well as
confidentiality. This is where management should regularly monitor and evaluate their system
to ensure effective functionality and adherence to related standards and practices.

IT audit is part of the overall audit process and ensures that IT controls are maintained at all
times. The scope of IT audit is wide, since a computer system not only records transactions but
has become the key business processing system of an organisation. Generally, IT audit is
concerned with the following issues:

1. Security
To ensure access to the system and its data is restricted to authorised personnel only.

2. Confidentiality
To ensure that sensitive information of an organisation is protected from unauthorised
access or disclosure.

3. Privacy
To ensure personal information of any third party, such as customers’ addresses, contact
numbers, etc., is treated in accordance with the organisation’s business policy and
protected from unauthorised access or disclosure.

4. Processing integrity
To ensure business data are processed accurately, completely, in a timely manner and with
proper authorisation.

5. Availability
To ensure the operating system and its data are available at all times to meet the needs of
business operations.

(Source: Trust Services Framework, developed jointly by the American Institute of Certified
Public Accountants and the Canadian Institute of Chartered Accountants)

This chapter highlights different areas to be audited in regard to computerised systems, such as
the evaluation of general and application controls, the audit of the System Development Life
Cycle (SDLC), the audit of e-commerce and the use of Computer-Assisted Audit Techniques and
Tools (CAATTs) in completing audit procedures. The sample audit programs included in this
chapter allow a better understanding of the areas that are audited.

Definition of IT Audit
IT audit is one of the branches of the different types of audits performed by an internal
auditor. IT audit holds the same definition as general auditing, which is ‘an independent
examination of the internal controls, records, and related information generated from the system
in order to form an opinion on the integrity of the system of controls, the compliance with policies
and procedures, and the recommendation of control improvements to minimise or limit risks’.
However, IT audit focuses more on the evaluation of an organisation’s computer systems and
network to ensure:

• The effectiveness of control procedures in minimising related technology risks; and
• The compliance with international or Malaysia’s standard operating practice, policies,
procedures and related law or regulations of the regulatory body.

Elements of IT Audit
A major challenge in performing an IT audit is to determine the scope for the assessment of
internal control in the IT environment. Assurance on information systems can only be obtained
if all components are being assessed and evaluated properly. The major areas of an IT audit are
categorised as follows:

Physical and Environmental Review

Review physical facilities and the condition of the IT environment, such as physical access, power supply,
air conditioning and humidity control.

System Administration Review

Review all system administration procedures to ensure compliance with regulatory rules. This
includes a review of the security control procedures of existing operating systems and database
management systems.

Application Software Review

Review all business application software, for example, software to record accounting and finance
transactions used by the finance department, software to process salaries used by the payroll
department and the web-based customer order system used by the sales department. Generally,
assessment is carried out in these areas:

• Access control and authorisations
• Procedures for handling validation, errors and exceptions
• Transaction processing flowcharts
• Manuals on controls and procedures

Network Security Review

Review the IT network’s infrastructure, which includes internal and external connections to the
system, perimeter security, firewall review, router access control lists, port scanning and
intrusion detection.

Business Continuity Review

Review control procedures in ensuring the systems and information are available when needed,
for example:

• The procedures for maintenance of fault tolerant and redundant hardware.
• Backup procedures and storage.
• Documented and tested disaster recovery/business continuity plan.

Data Integrity Review

Review the security control measures around IT operating systems and application software to
ensure the output produced is accurate, complete, timely and valid.

The CAE should consider performing an audit on these six major elements of IT in the annual
audit plan. Addressing all of these elements properly will assure the highest level of security
control measures in the IT environment.

Guide To Conduct an IT Audit

The Information Systems Audit and Control Association, better known as ISACA, is an
independent, non-profit global association that develops, adopts and promotes the use of
globally accepted knowledge and practices for information systems. Initially, ISACA
was started by a small group of individuals who shared a common interest in establishing a
resource centre for auditing controls in computer systems. Back in 1969,
the group was known as the EDP Auditors Association. This association has expanded its scope
by establishing an education foundation with the purpose of undertaking more research in the IT
governance and control field.

ISACA developed the Control Objectives for Information and Related Technology (COBIT)
framework. It serves as an IT governance framework, which provides guidelines on control
requirements, technical issues and business risks. Amongst the benefits of employing this
framework are:

• Allows the management to benchmark security and control practices of IT environments;
• Allows users the assurance that adequate IT security and control exists; and
• Allows auditors to substantiate their internal control opinions and advise on IT security
and control matters.

In addition, the Institute of Internal Auditors (IIA) has developed and issued the Guide to the
Assessment of IT Risk (GAIT). This guideline helps auditors to evaluate and assess IT general
controls that have an impact on financial reporting. The GAIT Practice Guides include three
areas, which are:

1. The GAIT Methodology

It is a guideline to assess the scope of IT general controls using a top-down and risk-based
approach. It helps the management to identify any deficiencies in key IT general controls that
may result in material errors in financial statements. There are four principles that form the basis
for this guideline, which include:

Principle One: The identification of risks and related controls in IT general control processes (e.g.
in change management, deployment, access security, and operations) should be a continuation
of the top-down and risk-based approach used to identify significant accounts, risks to those
accounts, and key controls in the business processes.

Principle Two: The IT general control process risks that need to be identified are those that
critically affect IT functionality in financially significant applications and related data.

Principle Three: The IT general control process risks that need to be identified exist in
processes at various IT layers: application program code, databases, operating systems and
networks.

Principle Four: Risks in IT general control processes are mitigated by the achievement of IT
control objectives, not individual controls.

GAIT Methodology enables organisations to implement these principles and offers management
and auditors guidance around scoping IT general controls and the tools to defend these decisions.

2. GAIT for IT General Control Deficiency Assessment

It is a guideline to evaluate any IT general control deficiencies identified during assessment, such
as material weaknesses or significant deficiencies. The guideline was developed by nine certified
public accounting firms to help management as well as internal and external auditors in
assessing deficiencies in the organisation’s internal control system for financial reporting.

3. GAIT for Business and IT Risk

It is a guideline to help identify the IT controls that are critical to achieving business goals and
objectives. Adherence to this guideline would help the CAE and audit team provide assurance
and the necessary levels of consideration to IT related business risks.

Scope and Objectives of an IT Audit

The scope of an IT audit depends on various factors such as the nature and background of the
business, existing and potential technology risks as well as the resources of the IT department (e.g.
number of staff, software applications). Therefore, it is pertinent for management to have an
appropriate plan for performing the IT audit to ensure a proper assessment of every area of IT
functions.

Ideally the scope should consist of audits on security controls, logical access controls, physical
security controls, installation controls and local area network controls. This scope of audit is
detailed in Table 8.1.

Table 8.1 Highlights on the Objectives of an Audit for Five Scopes of IT Audit

1. Security Controls
   Objective: To ensure the establishment of an appropriately defined IT management structure
   with a clear framework of authorities and responsibilities for the successful implementation of
   the security objectives of an organisation.
2. Logical Access Controls
   Objective: To ensure that the access controls are reviewed to determine that safeguards are in
   place to prevent unauthorised acquisition of data resources.
3. Physical Security Controls
   Objective: To prevent unauthorised access to computer-related equipment, and to ensure
   adequate protection of computer-related equipment against natural hazards and malicious damage.
4. Installation Controls
   Objective: To ensure consistent control of software and hardware management in the
   operation of application systems.
5. Local Area Network Controls
   Objective: To prevent any unauthorised access to the local area network.

The following tables show examples of audit programs for the five scopes of audit as mentioned
in Table 8.1.

Table 8.1(a) Audit Program for Security Controls

No Audit Procedures
1 Review the information security management structure to identify those responsible
for:
i) Security management
ii) Security administration
iii) Data owners
iv) System owners
v) System users
vi) System providers
vii) Procedure owners

2 Review whether the Security Administrator’s responsibilities include the following:
• Promote security awareness and education;
• Administer access to software; and
• Advise and guide development, maintenance and implementation of IT
Standards

3 Review the appropriateness of the level of segregation of duties between the following:
• Application development
• Technical support
• Computer operations
• Security administration
• User department

Table 8.1(b) Audit Program for Logical Access Controls

No Audit Procedures
1 Review the User Security Administrator and check the following:
• There is a procedure in place for issuing, approving and monitoring application
access.
• User access control reports are periodically reviewed for accuracy and
completeness by user management.

2 Check whether access to control software administration facilities is limited to only the
security administrator.
3 Verify whether user IDs are used to identify users accessing the system.
4 Verify that a user security administration procedure is in place to ensure that unique
user IDs are assigned to system users.
5 Review the following password controls:
• Passwords are being used to confirm users’ identity.
• Passwords are encrypted to ensure confidentiality.

6 If a user ID has been inactive for more than 90 days, check whether it has been disabled.
7 Check whether user IDs are automatically disabled after three consecutive unsuccessful
login attempts.
8 Check that unattended terminals are automatically logged-off after a certain number of
minutes of inactivity.
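Procedures 4, 6 and 7 of the logical access audit program above can be run as automated tests over a user-account export, which is how an auditor would apply them with a CAATT. The following is an added example, not code from the textbook or any product; the export columns, the "as at" date and the rule that a lockout threshold of 0 means lockout is switched off are all assumptions made for the demonstration.

```python
"""Automated checks for the logical access audit program (Table 8.1(b)).

Added example: runs procedures 4 (unique user IDs), 6 (inactive > 90 days
must be disabled) and 7 (lockout after three failed logins) over a
constructed user-account export and returns the exceptions for the
working papers.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

INACTIVITY_LIMIT_DAYS = 90   # procedure 6
MAX_FAILED_LOGINS = 3        # procedure 7

# Constructed sample export; the column names are an assumption, not any
# real product's layout.
SAMPLE_EXPORT = """\
user_id,owner,status,last_login,failed_logins,lockout_threshold
jdoe,Jane Doe,enabled,2024-05-02,0,3
jdoe,John Doe,enabled,2024-04-11,1,3
asmith,Alice Smith,enabled,2023-12-01,0,3
bwong,Bob Wong,disabled,2023-11-20,0,3
svc_backup,Backup Service,enabled,2024-05-01,0,0
"""

AUDIT_DATE = date(2024, 5, 10)  # constructed "as at" date for the review


@dataclass(frozen=True)
class Finding:
    procedure: int
    user_id: str
    detail: str


def parse_export(text: str) -> list[dict]:
    """Read the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def check_unique_ids(rows: list[dict]) -> list[Finding]:
    """Procedure 4: every system user must have a unique user ID."""
    seen: dict[str, str] = {}
    findings = []
    for r in rows:
        uid = r["user_id"]
        if uid in seen:
            findings.append(Finding(4, uid, f"user ID shared by {seen[uid]} and {r['owner']}"))
        else:
            seen[uid] = r["owner"]
    return findings


def check_inactive_disabled(rows: list[dict], as_at: date = AUDIT_DATE) -> list[Finding]:
    """Procedure 6: an ID inactive for more than 90 days must be disabled."""
    findings = []
    for r in rows:
        idle = (as_at - date.fromisoformat(r["last_login"])).days
        if idle > INACTIVITY_LIMIT_DAYS and r["status"] != "disabled":
            findings.append(Finding(6, r["user_id"], f"inactive {idle} days but still enabled"))
    return findings


def check_lockout_threshold(rows: list[dict]) -> list[Finding]:
    """Procedure 7: IDs must be disabled after three consecutive failed
    logins. Assumption: a threshold of 0 means lockout is switched off."""
    findings = []
    for r in rows:
        threshold = int(r["lockout_threshold"])
        if threshold == 0 or threshold > MAX_FAILED_LOGINS:
            findings.append(Finding(7, r["user_id"], f"lockout threshold is {threshold}"))
    return findings


def run_logical_access_audit(text: str, as_at: date = AUDIT_DATE) -> list[Finding]:
    """Run all three checks and return the combined list of exceptions."""
    rows = parse_export(text)
    return (check_unique_ids(rows)
            + check_inactive_disabled(rows, as_at)
            + check_lockout_threshold(rows))


if __name__ == "__main__":
    for f in run_logical_access_audit(SAMPLE_EXPORT):
        print(f"Procedure {f.procedure}: {f.user_id}: {f.detail}")
```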

Table 8.1(c) Audit Program for Physical Security Controls

No Audit Procedures
1 Review the Computer Centre as a secure location and ensure that the physical access
control procedures include:
• entrances that are fitted with locking devices which can identify staff, and detect
date, time of entry/exit
• emergency exits that are fitted with alarms
• perimeter walls that are constructed from true floor to true ceiling
• access to air conditioning units, power and telecommunication lines and backup
power units are secured

2 Review the adequacy of the various modes of protection from fire and water damage, to
include:
• automatic fire detection and alarm system
• regular checks and servicing of the system
• compliance of the fire suppression system with regulations

3 The Computer Centre power supply must be backed up with the following:
• a generator for air conditioning and lighting;
• an uninterruptible power supply (UPS) or battery backup for computers; and
• regular maintenance and testing for generator(s) and UPS or battery backup.

4 Review the following:
• room temperature and humidity in the Computer Centre are maintained within the
specified range as recommended by the manufacturers
• regular inspections and cleaning of air cooling units

5 Review controls for confidential print output – identification, documentation, printing
on secure printers, access restriction to printer rooms, and output release to authorised
personnel only.

Table 8.1(d) Audit Program for Installation Controls

No Audit Procedures
1 Review the controls for system software to include:
• protection using an access control mechanism
• maintenance of the system that is fully supported by vendor
• authorisation of changes
• documentation and support of software maintenance facility
2 Review the following:
• inventory listing, to ensure that it is regularly maintained and verified
• removal, movement or disposal of computer equipment should be authorised
and properly recorded
• hardware maintenance agreements should include preventive maintenance
• all computer equipment must be operated and maintained according to the
manufacturer’s specifications
• a log for hardware problems and actions taken to resolve the problems
3 Review the selected agreements with third party providers on the following:
• All IT staff and affected parties should be aware of the relevant agreements and
the commitments contained within.
• Amendments made to agreements are subject to the approval of the Board of
Directors.
4 Obtain and review the procurement procedures and ensure that all procedures are
followed.
• Review samples of the proposals obtained from suppliers.
• Ensure that at least three proposals from different suppliers are attached for
every procurement process.
• Ensure that supplier proposal evaluation and additional investigation have
been carried out prior to the selection of the supplier.
• Scrutinise the review from the company’s legal advisor.

Table 8.1(e) Audit Program for Local Area Network Controls

No Audit Procedures
1 Check whether the audit system is able to generate an audit trail showing activities of the
users in the system such as user ID, date and time, terminal number and activities
performed.
2 Review the physical access to critical components and check the following:
• The servers are located in secure rooms /cabinets with adequate environmental
controls
• Only an authorised person is allowed to operate on the equipment
• Secondary media (e.g. diskettes and cartridges) are stored securely
3 Review logbook, to ensure that external parties who install, repair or service local area
network and computer equipment are accompanied by an authorised IT staff, with
approval granted by the IT manager.
4 Review the computer disaster recovery plan for all critical local area network systems.
Ensure the following steps are incorporated:
• include spare devices with sufficient capacity and speed for backup purpose
• the frequency and retention of backup of the servers and workstations
• documentation and testing of backup and recovery procedures
• uninterruptible power supply system to protect critical network servers and its
components

5 Check that antivirus software is installed and that all directories and files are being
scanned regularly.
6 Review the antivirus software and ensure the following features are available:
• virus detection and removal capabilities
• a licensing agreement which provides regular antivirus updates, at least every
week
• a reputable track record, in terms of reliability in detecting and removing
viruses

Steps in IT Audit
A proper audit process will eventually lead to the achievement of the audit objective for the
different audit areas. Figure 8.1 presents the recommended steps in performing an IT audit.

1. Establish the Terms of Engagement

The CAE will determine the scope and objectives of the audit of IT functions. The engagement
letter will be addressed to the respective auditee, i.e., the Head of the IT Department. The letter will
include information such as the scope and objectives of the audit, responsibilities of auditor and
auditee, authority for the auditor to have access to all information of IT functions and the audit schedule.

Figure 8.1 Steps in IT Audit: (1) Establish the terms of engagement; (2) Preliminary review;
(3) Establish materiality and assess risks; (4) Plan the audit; (5) Consider internal control;
(6) Perform audit procedures; (7) Issue the audit report.

2. Preliminary Review
This is the process where the auditor needs to gather information on the IT department as a basis
in preparation for an audit plan. Among the information required includes the auditee’s strategy
and responsibilities in managing and controlling IT’s operations.

3. Establish Materiality and Assess Risks
The auditor needs to establish judgement on the materiality of IT’s function as well as perform
an assessment on the auditee’s business risk, in order to set the scope of the audit.

4. Plan the Audit

Normally, a proper audit plan includes the engagement’s objectives, scope, timing and resource
allocation. A well-developed audit plan will ensure that the audit process is conducted efficiently
and effectively.

5. Consider Internal Control

The auditor has to consider the internal control of the auditee in order to begin the audit process.
The information on internal controls could come from a variety of sources such as studies of
existing internal controls, previous audit reports, reports by regulators such as Bank Negara
Malaysia and Bursa Malaysia, or feedback from operating personnel. Once the process is completed,
the auditor could assess the level of the auditee’s control risk, which is important to determine the
level of substantive tests to be performed during fieldwork.

6. Perform Audit Procedures

The auditor will perform the audit process based on the scope stated in the audit plan. The
auditor will use a substantive test approach to audit IT business functions.
7. Issue the Audit Report

The auditor will issue an audit report once all audit procedures have been completed and
evaluated.

Evaluation of General and Application Controls

There are two control groups for any IT system: general controls and application controls.
General controls handle all aspects of IT functions, including the administration of the IT function,
hardware or software acquisition and maintenance, physical and security control over hardware
and the establishment of a disaster recovery plan in the event of unexpected emergencies.
Application controls deal with the control of individual transactions specific to a certain
software application, for example, controls over the processing of sales or cash receipts.

Table 8.2 Different categories of general and application controls

GENERAL CONTROLS
Administration of IT function
   Purpose: To ensure proper administration of the people and resources of the department.
   Example: List of IT staff with their responsibilities; organisational chart of the IT department.
Physical access control
   Purpose: To ensure proper control is in place for physical access to the IT department and its
   critical areas.
   Example: Access to the Data Centre is restricted to authorised personnel only.
Logical access control
   Purpose: To ensure proper control is in place for infrastructure, applications and data.
   Example: Use of a password and user ID to access the organisation’s information on the
   computer.
Backup and contingency plan
   Purpose: To ensure a proper backup and contingency plan is in place for unexpected
   emergencies such as fire, virus attack, power failure or natural disaster.
   Example: Well-written business contingency and disaster recovery plans.

APPLICATION CONTROLS
Input control
   Purpose: To check the integrity of data entered into an organisation’s application.
   Example: Review the input screens to ensure they are designed to capture all relevant data
   required.
Processing control
   Purpose: To ensure proper control over data processing so that the process is complete,
   accurate and authorised.
   Example: Review system documentation to ensure key computations are fully documented.
Output control
   Purpose: To ensure output results are consistent with the input data, and that computer output
   is not intercepted by or shown to unauthorised users.
   Example: Controls over the confidentiality of output (printed reports) are maintained.

Auditing of System Development Life Cycle

The system development life cycle (SDLC), also known as the Software Development Process, is a
method whereby a system analyst will create or alter the information system to produce a high
quality system that meets the users’ expectations. The SDLC consists of seven phases that management
should follow closely in order to develop a solid information system.

These seven phases also provide for proper evaluation and management of the risks associated with the
system development process. Each stage has to be completed before management can move on
to the next. This will ensure success in the development process. Figure 8.2 shows the seven
phases of the SDLC.

Figure 8.2 SDLC Phases
1. Systems planning
2. Systems analysis
3. Conceptual design
4. Systems selection
5. Detail design
6. Programming and testing systems
7. Systems implementation

Phase 1: Systems Planning

During this phase, management will plan a system to meet the organisation’s mission and
objectives. The plan will include general guidelines for system development, time frame and
budget. Several documents will be generated from this phase, which consist of a long-term plan,
policies for selecting IT projects, both long-term and short-term IT budgets, a project proposal
and a project schedule.

Phase 2: Systems Analysis

During the second phase, a system analyst will gather the necessary information, such as facts
and samples to be used in the project, from the end users. The analyst will then review and analyse
the input received and produce a system analysis report.

Phase 3: Conceptual Design

During this phase, a conceptual design is developed to include views from all respective persons
involved with the development project. The outcome from this process will be translated into a
document such as a data flow diagram (DFD).

Phase 4: Systems Selection
The system selection phase involves a process where management, together with the system analyst,
will evaluate alternative system requirements to select the best system to meet the requirements
stipulated by the users as well as to fulfil the organisation’s objectives. The analysis involved
includes a detailed feasibility study, where the management will examine whether the newly
developed system is able to work within the current IT infrastructure, with the organisation’s
business processes and procedures as well as the existing employees’ skills. The management is
also responsible for producing a cost-benefit analysis for the newly developed system. The finance
personnel are responsible for analysing and determining the value of each alternative. The outcome
from this selection process will be summarised in a selection report.

Phase 5: Detail Design

At this level, the system analyst will develop a system based on the DFD created in phase three,
taking into consideration the analysis made during the selection process. The system analyst has
to record the procedures involved, outcomes as well as problems encountered during the
development process.

Phase 6: Programming and Testing Systems

The programming and testing phase is the most important phase in the SDLC. It will determine
whether the outcome of the project is able to meet the predetermined objectives. There are
several factors to be considered in the testing process, which include:

• Testing should be done offline, before the online implementation.
• Testing should be done as a stand-alone module, before being conducted in conjunction
with the other applications.
• Testing should be done with the participation of the end users.
• Results of the testing process should be documented.

Phase 7: Systems Implementation

This is the last process of the SDLC, where the system is ready to be employed. Management has
to sign off the user acceptance agreement before the system is made live. However, the process
of the SDLC does not end at this stage. Management is required to perform a post-implementation
evaluation on the project. The review should be made on the capability of the
system in meeting the users’ requirements, and a comparison should be made of the actual costs
against benefits. The process of evaluation should be made continuously to ensure proper
corrective and preventive actions are made to the new system.

Internal Auditors’ Involvement in the SDLC
Companies that are involved in system development processes are likely to invest heavily in
the project to ensure it is efficiently delivered. Therefore, this project requires an independent
review to ensure all risks are properly identified and administered, value-added improvements
are properly suggested, and eventually this will help to meet the objective of the project. The
following are a few examples of internal auditors’ involvement, acting as an independent
reviewer for the SDLC project.

1. An internal auditor holds an advisory role in every phase of the SDLC. Normally, an
internal auditor is invited as an independent party during each meeting of the SDLC project.
Advice from an internal auditor is needed on certain risk areas of the development process to
ensure that an effective system is created. Other roles of an internal auditor are listed below:

• Review the project proposal generated during the system planning phases. This is to
ensure issues such as control procedures and governance activities are properly
addressed.
• Review the relevant documents generated during system testing. This is to ensure the
output generated meets the requirements needed by the end users; and to comply with
the organisation’s policies as well as conform to rules and regulations stipulated by the
regulatory body.
• Review and examine various documents generated at every phase of the SDLC process.
This is to determine that the project runs smoothly. Other than that, an internal auditor
could also use the other tools to assess, such as an inquiry and a checklist. Results from
this process will help an internal auditor evaluate if the project is developed in the best
interest of the organisation.

2. The role of an internal auditor is to provide an independent view on issues during the
development process.

An internal auditor who is independent of the SDLC is able to provide independent or unbiased
opinions in regards to any issues derived during the development of project. This is important as
the project has two parties, i.e. management (end users of the system) and system analyst (could
be staff of the organisation or a third party developer), where both parties have their own interest
in regards to the newly developed system. Therefore, the presence of an internal auditor is
needed to ensure that the project is carried out effectively without jeopardising the interest of the
parties involved. However, in providing advice an internal auditor must maintain his or her
integrity by remaining in an advisory capacity. An internal auditor should not be directly involved
with the actual design or testing activities of the new system.

3. An internal auditor is involved in auditing the SDLC.

An audit on the SDLC is important to provide the management with the assurance that the actual
development of the project complies with the necessary requirements stated in the SDLC
methodology. The objectives of the audit are:

• To ascertain that the standards and procedures for the SDLC are made available and
followed accordingly;
• To ascertain that resources are effectively and efficiently utilised to enable the project to
meet its deadline;
• To ascertain that proper authorisation/approval is sought at each stage prior to the
commencement of further tasks;
• To ascertain that project documentation is current and properly maintained for future
review;
• To ascertain that test documentation including test plans and results are adequately
maintained; and
• To ascertain that proper change request procedures exist to ensure all changes are
authorised and attended to on a timely basis.

Auditing of E-Commerce
Electronic commerce, commonly known as e-commerce, is the process by which organisations
conduct their business over electronic systems such as the Internet and other computer networks
with their customers, suppliers and other external business partners. According to the IT Audit
Assurance Guidance (issued by ISACA, 2010), e-commerce includes both business-to-business
(B2B) and business-to-consumer (B2C) models, but does not include existing non-Internet
e-commerce methods that are based on private networks, for example Electronic Data
Interchange (EDI) and SWIFTnet.

The use of e-commerce may expose a company’s sensitive information, as well as programs
and hardware equipment, to potential sabotage by external parties, especially hackers. There is
an indefinite number of threats in regard to the use of e-commerce as a business model, which
include:

• virus infections;
• hacking;
• cybercrime; and
• failure of the system and infrastructure.

E-commerce Challenges and Internal Auditing
The unlimited number of Internet exposures when using an e-commerce model has caused
management concern over the need for strong controls in the organisation’s IT environment.
Management could use various control tools such as firewalls, antivirus, encryption techniques
and others to protect company data and application systems. Besides having all these security
tools, management requires the assistance of internal auditors to review the capability and
adequacy of the existing security controls. The following are among the areas of concern for an
internal auditor in regard to e-commerce.

Knowledge on security exposures and control measures

Internal auditors should familiarise themselves with the various security breach techniques (e.g.
hacking, spamming, virus attacks) associated with e-commerce transactions. They should be
capable of addressing those security issues. They need to understand that different security
threats require different approaches and solutions.

For example, inadequate network access control may increase the possibility of unauthorised
access (e.g., hacking) by an external party to the company’s sensitive and confidential data. An
internal auditor could perform a penetration test to examine the effectiveness of an
organisation’s information security. It is a test where an internal audit team will try to break into
an organisation’s information system legally. Normally, the team will try different methods to
compromise a company’s system, in order to assess the level of security control. If the level of
security control is poor, the team would recommend additional protection tools. For example, a
company could exercise the idea of defence-in-depth, i.e. a process where the company employs
multiple layers of protection tools to avoid a single point of failure. One of the tools is a firewall
with several authentication methods (ID card, password and biometrics) used simultaneously to
access the company’s website.

An effective recommendation will help management to overcome issues in a short period of time.
Thus, this would allow management to focus on other critical areas of business operations.

Skills and experience in handling e-commerce security issues

The use of e-commerce as part of business operations has increased the functions, scope and
responsibilities of the IT department. As a result, internal auditors need to equip themselves,
especially to improve their skills and knowledge of the latest developments in IT control procedures.
If possible, auditors must understand the concepts behind the development of the e-commerce
business model. This could help them identify any vulnerable areas exposed to external or
internal threats.

Question on loss of transaction integrity
Since e-commerce transactions do not involve physical documentation, internal auditors should
focus on the adequacy of the security control as stated in the IT policy and procedures. The
auditors could also perform a walkthrough of the e-commerce system to ensure that a proper
security control procedure is installed and implemented at every stage of the transaction.

Audit on e-commerce
Once a company has operated online, the internal audit function has to consider an e-commerce audit in
the annual audit plan. This is important to help management in evaluating the existing system
of internal control over the current e-commerce model. Generally, the reasons for an audit on
e-commerce are:

• to assess the effectiveness of the infrastructure and security measures of an e-commerce model;
• to evaluate compliance of e-commerce business operations with an organisation’s IT
security policies as well as with industry best practices;
• to evaluate the readiness of IT functions in the event of a major failure in e-commerce
business transactions; and
• to identify other security issues that may affect the current infrastructure of an e-commerce
model.

Computer-Assisted Audit Techniques (CAATs)

Computer-assisted audit techniques (CAATs), also called computer-assisted audit tools and
techniques (CAATTs), are an approach to auditing that uses computers. CAATTs offer various
tools or utilities that help the auditor select, gather, analyse and report audit findings. At the
basic level, CAATTs may be ordinary Microsoft Office applications such as spreadsheets, word
processors and text editors, while more advanced software packages offer additional functions
such as statistical analysis and report writing tools. Among the functions provided by CAATTs are:

Information Retrieval and Analysis

Auditors can use automated retrieval and analysis tools to extract data and records and to
evaluate and analyse them against criteria or parameters that the auditors set. Common audit tests
or data analysis routines, such as matching transactions, identifying duplicate transactions,
checking approvals against authorisation limits, system overrides, access authorities, telephone
usage and so on, can be handled by the system rather than performed manually.

Fraud Detection Tool
Auditors can use highly sophisticated software to identify unexpected or unexplained patterns in
data that may indicate a possible fraud. For example, the software may warn the user of duplicate
payments, long overdue outstanding accounts, sudden write-offs, unusually expensive
acquisitions or overrides of authorisation limits.
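As an added illustration of the retrieval, analysis and fraud detection routines described above (this is not the textbook’s code nor any audit software vendor’s), the following Python routines run three such tests over a constructed accounts-payable extract: exact and near-duplicate payments, approvals that exceed the approver’s authorisation limit, and same-day payments split to stay under that limit. All roles, limits, vendors, field names and payment rows are constructed for the example.

```python
"""CAAT-style analysis routines over a constructed accounts-payable extract.

Added example, not the textbook's or any vendor's code. All roles, limits,
vendors and payment rows below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed approval matrix: the largest amount each role may authorise.
AUTH_LIMITS = {"clerk": 1_000.00, "manager": 10_000.00, "director": 100_000.00}

# Constructed ledger rows; a real CAAT would load these from a system extract.
LEDGER = [
    {"id": 1, "vendor": "ACME Supplies", "invoice": "INV-1001", "amount": 450.00,
     "approver": "clerk", "paid_on": date(2024, 3, 1)},
    {"id": 2, "vendor": "ACME Supplies", "invoice": "INV-1001", "amount": 450.00,
     "approver": "clerk", "paid_on": date(2024, 3, 4)},      # same invoice paid twice
    {"id": 3, "vendor": "Beta Logistics", "invoice": "B-77", "amount": 12_500.00,
     "approver": "manager", "paid_on": date(2024, 3, 5)},    # above the manager limit
    {"id": 4, "vendor": "Gamma IT", "invoice": "G-1", "amount": 9_800.00,
     "approver": "manager", "paid_on": date(2024, 3, 6)},
    {"id": 5, "vendor": "Gamma IT", "invoice": "G-2", "amount": 9_700.00,
     "approver": "manager", "paid_on": date(2024, 3, 6)},
    {"id": 6, "vendor": "Gamma IT", "invoice": "G-3", "amount": 9_900.00,
     "approver": "manager", "paid_on": date(2024, 3, 6)},    # rows 4-6: split to stay under limit
    {"id": 7, "vendor": "Delta Cleaning", "invoice": "D-10", "amount": 800.00,
     "approver": "clerk", "paid_on": date(2024, 3, 8)},
    {"id": 8, "vendor": "Delta Cleaning", "invoice": "D-11", "amount": 800.00,
     "approver": "clerk", "paid_on": date(2024, 3, 9)},      # re-keyed invoice number
]


def duplicate_payments(ledger, window_days=7):
    """Return groups of payment ids that look like one invoice paid twice.

    Exact duplicates share vendor, invoice number and amount. Near duplicates
    share vendor and amount, carry different invoice numbers and were paid
    within `window_days` of each other (a re-keyed invoice is both a common
    error and a common way to disguise a second payment).
    """
    exact = defaultdict(list)
    for row in ledger:
        exact[(row["vendor"], row["invoice"], round(row["amount"], 2))].append(row["id"])
    groups = [sorted(ids) for ids in exact.values() if len(ids) > 1]

    by_vendor_amount = defaultdict(list)
    for row in ledger:
        by_vendor_amount[(row["vendor"], round(row["amount"], 2))].append(row)
    for rows in by_vendor_amount.values():
        rows = sorted(rows, key=lambda r: r["paid_on"])
        for earlier, later in zip(rows, rows[1:]):
            if (earlier["invoice"] != later["invoice"]
                    and (later["paid_on"] - earlier["paid_on"]).days <= window_days):
                groups.append([earlier["id"], later["id"]])
    return groups


def authorisation_overrides(ledger, limits=AUTH_LIMITS):
    """Return ids of payments approved by a role whose limit the amount exceeds."""
    return [row["id"] for row in ledger if row["amount"] > limits[row["approver"]]]


def split_transactions(ledger, limits=AUTH_LIMITS):
    """Flag same-day payments to one vendor by one approver that each sit under
    the approver's limit but together exceed it. A row-by-row limit check
    cannot see this pattern; it only appears once the rows are aggregated."""
    buckets = defaultdict(list)
    for row in ledger:
        if row["amount"] <= limits[row["approver"]]:
            buckets[(row["vendor"], row["approver"], row["paid_on"])].append(row)
    flagged = []
    for (vendor, approver, day), rows in buckets.items():
        total = round(sum(r["amount"] for r in rows), 2)
        if len(rows) > 1 and total > limits[approver]:
            flagged.append({"vendor": vendor, "approver": approver, "paid_on": day,
                            "ids": sorted(r["id"] for r in rows), "total": total})
    return flagged


def exception_report(ledger, limits=AUTH_LIMITS):
    """Combine the three tests into one exception listing for the working papers."""
    return {
        "duplicates": duplicate_payments(ledger),
        "overrides": authorisation_overrides(ledger, limits),
        "splits": split_transactions(ledger, limits),
    }


if __name__ == "__main__":
    for test, hits in exception_report(LEDGER).items():
        print(f"{test}: {hits}")
```

Each hit is a lead for the auditor to follow up in the source documents, not a finding in itself; the split-transaction test in particular needs the approval matrix to be taken from the auditee’s actual policy.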

Audit Reporting Function

CAATTs provide tools that automatically link the work performed, the information gathered, the
auditor’s assessments and the information used to support the audit report writing function. This
allows auditors to minimise duplication when writing or carrying information from one section of
the audit working papers to another related section or to a summary. Intelligent CAATTs may
record audit findings in the audit programs, checklists or internal control questionnaires and then
transfer the related information into the management letter for reporting to management.

Advantages of CAATs
• CAATs are suitable for auditing large volumes of transactions. They are valuable to organisations
with complex processes, distributed operations and high transaction volumes. The use of
CAATs helps auditors to scrutinise all business data and highlight any unusual transactions.
• As businesses expand, most companies prefer to keep company data electronically rather
than in printed form. Therefore, the use of CAATs is important for auditors to gain access to
audited data in a much more efficient way. Direct access to an organisation’s data reduces
the time and effort spent in performing audit procedures while assuring accuracy.
• Using CAATs in performing substantive testing provides total assurance over the area
being audited. It allows auditors to point out errors or fraud easily in order to provide
effective recommendations. This also increases the credibility of auditors in the eyes of
management.
• CAATs provide a standard, uniform practice and a user-friendly interface for auditors. They
allow auditors to perform various tasks irrespective of the data format or the underlying
operating system of an organisation. A CAE could also use the software’s log of all tests
conducted for the purpose of reviewing the work of each auditor.

Disadvantages of CAATs
• The cost of purchasing audit software outweighing its benefits is one of the limitations of
having CAATs in an organisation. The question is whether management is willing to invest
in new audit software and bear all the related costs. There are many costs associated with
using this software, which include:
o cost of purchasing and installing the software;
o cost of training staff to use the software;
o cost of maintaining the software; and
o cost of after-sales services such as telephone charges to contact the service centre,
especially if the service centre is located abroad.
• Certain audit software may have compatibility issues with the existing software
applications used by a company. CAATs may not be suitable for complex operating
systems. It then becomes problematic for auditors to use the software to gain access to the
auditee’s database for the audited transactions.
• The installation and use of new audit software may require certain computer resources or
facilities. Normally, there are a few system requirements that management needs to
address for the purpose of installation, for example the type of processor, the size of
memory and storage required, compatibility with a DVD-ROM drive and an Internet
connection for registration. Problems may also arise when auditors use the software to
perform audit procedures. A typical situation is where the audit processing conflicts with
the normal processing of a company’s transactions, which may result in server failure.
• CAATs that are used to extract business data raise various security issues. Sensitive
business data such as customers’ details, business plans and strategies could be
compromised by irresponsible persons if not handled properly. Inadequate control
procedures for handling business data could also contribute to this issue.

Internal Auditing and The Fourth Industrial Revolution

The first industrial revolution began with the introduction of mechanical production equipment
powered by water and steam. This was followed by the introduction of the concept of mass
production with the help of electrical power in the early 20th century. The third industrial
revolution then evolved in the early 1970s, with the use of electronics and computers to automate
manufacturing worldwide. Today, the concept of ‘Cyber-Physical Systems’, with terms such as
artificial intelligence, big data, robotics and many more, has come into existence.

Industrial Revolution 4.0 or IR 4.0 “involves the use of software (apps) as a medium for
automating business activity. It stimulates manufacturing productivity by enhancing the
connectivity between humans and machines” (Idris, 2018). IR 4.0 involves combining existing
manufacturing technology with tools such as autonomous robots, simulation, the Internet of
Things (IoT), cloud computing, cyber security and big data. This is done with the expectation of
shifting the manufacturing industry towards a more innovative business model, thus enabling it to
be competitive globally.

For internal auditing, big data and data analytics provide a greater opportunity to improve the
current process of conducting audits. Big data refers to an extremely large set of data that is
characterised by high volume, high velocity and a wide variety, whereas data analytics refers to
the process of turning big data into meaningful information for management’s decision-making
purposes. Both could provide a bigger opportunity for internal auditors to handle audit tasks
efficiently and thus help the company to become more viable in its industry.

To incorporate data analytics as part of auditing procedures, the company might consider the
following aspects:

1. Support from top level management

Top level management, especially the Board of Directors, should actively plan, discuss and decide
whether to invest in or explore any potential ideas that could help the internal auditor in dealing
with big data. Planning includes, among others, a proportionate budget for investment in analytics
tools, enhancing the current technology used in auditing so as to ensure that it can accommodate
today’s complex big data, and an allocation of incentive allowances for staff who are interested in
pursuing knowledge and skills in those specialised areas.

2. On-going programs on enhancing analytical skills

The CAE is responsible for planning continuous programs to enhance analytics knowledge and
technical skills among audit team members. This could help auditors to meet their audit
objectives with greater assurance and to maintain efficiency in carrying out their audit duties.
Audit staff should also be motivated to transform themselves to become more innovative in
dealing with big data. Creativity in understanding, handling and presenting unique big data in a
more meaningful way could help the internal auditor to enhance the competitiveness of the
organisation. Other than that, the CAE should also consider conducting in-house training not only
for the audit team but also for non-audit staff, to highlight the new approach to auditing. This
could help reduce unnecessary outcomes arising from operational staff’s lack of knowledge of the
new requirements and methods of conducting audits.

3. Automated audit tools and techniques

Integrating data analytics into current audit methodologies requires a properly planned structure.
Internal auditors are now dealing with non-traditional data, characterised by volumes of
unstructured data that come not only from the company but also from social media, emails,
videos, statistics, forecasts and many more. In the process of integrating data analytics, the CAE
should consider factors such as the availability of IT infrastructure to support the idea, the
compatibility and security features of data sources, and the ability to handle internal control
issues and comply with current auditing standards. Properly handling these operational risks
could lead to a smooth transition to using data analytics as part of the audit methodology, thus
improving the audit reporting process as well as enriching the decisions and actions of top level
management.

Summary
Explain the components of the COSO Enterprise Risk Management 2017 framework and
compare them to the ISO 31000:2018 risk management — Principles and Guidelines. How does
an organisation assess risk? Give specific examples based on an organisation which operates in
the retail industry.

Self-Review Questions
1. Discuss guidelines when performing an IT audit.
2. Discuss six major areas in regards to an IT audit.
3. Identify and discuss the advantages and disadvantages of CAATs.
4. List the audit procedures pertaining to an audit of a system development.
5. What are the differences between business conducted in the traditional manner and one
using the Internet?
6. Design an internal audit program for an e-commerce audit.

References
Anantha Sayana, S. (2003). Using CAATs to Support IS Audit. ISACA Journal, Volume 1.

Anantha Sayana, S. The IS Audit Process. ISACA Journal.

Arens, A. A., Elder, R. J., Beasley, M. S., Amran, N. A., Fadzil, F. H., Mohamad Yusof, N. Z.,
Mohamad Nor, M. N. & Shafie, R. (2008). Auditing and Assurance Services in Malaysia. Pearson
Malaysia.

Blanco, L. (2002). Audit Trails in an E-commerce Environment. CISA Journal, Volume 5.

GAIT Methodology—A risk-based approach to assessing the scope of IT general controls. The
Institute of Internal Auditors (2007).

Guide to the Assessment of IT Risk (GAIT). The Institute of Internal Auditors (2009).

Idris, R. (2018). IR 4.0: The Way Forward. Daily Express Independent National Newspaper of
East Malaysia.

IS Auditing Guideline: G3 Use of Computer-Assisted Audit Techniques.

IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance. ISACA, August
2010.

Kaur, J., Yap, M. L. and Mohamed Nadzri, A. Z. (2008). IS Auditing Standards in Malaysia. ISACA
Journal, Volume 1.

Lee, M., Haron, H., Ismail, I., Che Haat, M. H., Zaini, N., Tong, S. Y., Lok, C. L. and Nasar, M. F.
(2009). Principles and Contemporary in Internal Auditing. McGraw Hill Education.

Romney, M. B. and Steinbart, P. J. (2012). Accounting Information Systems. Pearson Education
Limited.

Singleton, T. W. (2004). Systems Development Life Cycle and IT Audits. ISACA Journal, Volume 3.

Chapter 9: Investigation of Fraud

After going through this chapter, you should be able to:

• Describe the fraud triangle/fraud diamond theory
• Define the different types of fraud and identify the red flags for fraud
• Explain the roles and responsibilities of an internal auditor in fraud prevention and
detection
• Explain other roles and responsibilities for fraud prevention and detection
• Describe the framework of the fraud risk assessment
• Understand the concept of forensic auditing
• the Code of Ethics and International Standards for the Professional Practice of Internal
Auditing
• Integrate the Code of Ethics and International Standards for the Professional Practice of
Internal Auditing into the roles of internal auditors

Introduction
The increased levels of fraud, a heightened regulatory environment and pointed questions from
internal and external auditors and Board of Directors have caused companies to be more vigilant
in their efforts to address fraud. Fraudulent schemes are often on-going crimes that can last
months or even years before detection, making it difficult to measure losses.

Fraud has negatively impacted organisations in different ways, including financial, reputational,
psychological and social. Organisations have been forced to cease operations due to the impact
of financial and reputation damages. Victims of fraud also suffer mental and emotional harm and
stress related physical effects in addition to financial losses.

Fraud can range from minor employee theft and unproductive behaviour to misappropriation of
assets, fraudulent financial reporting, or Ponzi schemes used to defraud investors. However, the
risk of fraud can be reduced through prevention, detection and deterrence. Most frauds begin
small and continue to grow as the schemes remain undetected. For example, perpetrators often
view initial stealing as temporary borrowing that will be put right before anyone notices the
problem. The borrowing accelerates and the perpetrators take positions that are indefensible, or
develop a scheme for concealment and attempt to avoid discovery. As the fraud continues to grow,
hopefully it will be detected by a fellow employee, management, or an internal or external auditor.

Definition of Fraud
Fraud encompasses a wide range of irregularities and illegal acts characterised by intentional
deception or misrepresentation. In general, fraud is defined as an act or course of deception, or an
intentional concealment, omission or perversion of the truth, in order to:

• gain an unlawful or unfair advantage,
• induce another to part with some valuable item or surrender a legal right, and/or
• inflict injury in some manner.

Wilful fraud is a criminal offense which calls for severe penalties, and its prosecution and
punishment (like that of a murder) is not bound by the statute of limitations.

Fraud refers to an intentional act by one or more individuals among management, those charged
with governance, employees or third parties, involving the use of deception to obtain an unjust
or illegal advantage. Fraudulent financial reporting involves intentional misstatements in one or
more of the following ways:

• Deception such as manipulation, falsification or alteration of accounting records or
supporting documents;
• Misrepresentation in, or intentional omission from, the financial statements of significant
events, transactions or other information;
• Intentional misapplication of accounting principles relating to the measurement, recognition,
classification, presentation or disclosure of material transactions.

Fraud is generally defined by law as an intentional misrepresentation of an existing fact made by
one person to another with knowledge of its falsity and for the purpose of inducing the other
person to act, upon which the other person suffers resulting injury or damage. Fraud may also be
an omission or purposeful failure to state material facts, where the non-disclosure makes the
other statements misleading.

However, incompetence or negligence in managing a business, or even a reckless waste of assets
(by speculating on the stock market, for example), does not normally constitute fraud. In such
cases, to prove fraud, the aggrieved party (creditors or stockholders/shareholders) must prove
that at some point they were intentionally deceived on a material fact.

Fraud Triangle and Fraud Diamond

The following describes what is known as the fraud triangle theory, as shown in Figure 9.1. In
order for fraud to occur, all three elements have to be present. Employees should be cognizant of
pressures and how they relate to the company’s overall fraud risk. Rationalisations can be
reduced by promoting a strong sense of ethical behaviour among employees and creating a
positive work environment. By implementing strong internal controls, companies can lessen or
remove opportunities for fraud to occur and increase the chances of detecting it. Governments
and companies can take steps to influence all three legs.

Figure 9.1 The Three Elements of the Fraud Triangle

Pressure
Pressure is what causes a person to commit fraud. Pressure can include almost anything such as
medical bills, expensive tastes, addictions and so on. Most of the time, pressure comes from a
significant financial need/problem. Often this need/problem is non-sharable in the eyes of the
fraudster. That is, the person believes, for whatever reason, that their problem must be solved in
secret. However, some frauds are committed simply out of greed alone.

Opportunity
Opportunity provides a situation to commit fraud. Because fraudsters do not wish to be caught,
they must also believe that their actions will not be detected. Opportunity is created by weak
internal controls, poor management oversight and/or through the use of one’s position and
authority. Failure to establish adequate procedures to detect fraudulent activity also increases
the opportunities for fraud to occur. Of the three elements, opportunity is the leg that
organisations have the most control over. It is essential that organisations build processes,
procedures and controls that do not needlessly put employees in a position to commit fraud and
effectively detect fraudulent activity when it occurs.

Rationalisation
Rationalisation is a crucial component in most frauds. Rationalisation involves a person
reconciling his/her behaviour (stealing) with the commonly accepted notion of decency and trust.
Some common rationalisations for committing fraud are:

• The person believes committing fraud is justified to save a family member or loved one;
• The person believes he/she will lose everything — family, home, car, and so on — if he/she
does not take the money;
• The person believes that no help is available from outside;
• The person labels the theft as ‘borrowing’ and fully intends to pay back the stolen
money at some point;
• The person, because of job dissatisfaction (salaries, job environment, treatment by
managers, etc.), believes that something is owed to him/her; and
• The person is unable to understand or does not care about the consequences of his/her
actions or about accepted notions of decency and trust.

However, Wolfe and Hermanson (2004) believe that the fraud triangle could be enhanced to
improve both fraud prevention and detection by considering a fourth element, capability, as
depicted in the fraud diamond theory in Figure 9.2.

Figure 9.2 Fraud Diamond

Capability
Personal traits and abilities play a major role in whether fraud may actually occur even with the
presence of the other three elements. The components of capabilities are position/function,
brains, confidence/ego, coercion skills, effective lying and immunity to stress.

• The person’s position or function within the organisation may offer the ability to create
or exploit an opportunity for fraud not available to others. For example, a CEO or
divisional president has the positional authority to influence when contracts or deals take
effect, thus affecting the timing of revenue or expense recognition.
• The right person for a fraud is smart enough to understand and exploit internal control
weaknesses and to use position, function or authorised access to the greatest advantage.
Many of today’s largest frauds are committed by intelligent, experienced, creative people
with a solid grasp of company controls and vulnerabilities. This knowledge is used to
leverage the person’s responsibility over, or authorised access to, systems or assets.
• The right person has a strong ego and great confidence that he will not be detected, or
believes that he could easily talk himself out of trouble if caught. Such confidence or
arrogance can affect one’s cost-benefit analysis of engaging in fraud: the more confident
the person, the lower the estimated cost of fraud will be.
• A successful fraudster can coerce others to commit or conceal fraud. A person with a very
persuasive personality may be able to convince others to go along with a fraud or to simply
look the other way. In addition, a common personality type among fraudsters is the “bully,”
who “makes unusual and significant demands of those who work for him or her, cultivates
fear rather than respect and consequently avoids being subject to the same rules and
procedures as others.” Many financial reporting frauds are committed by subordinates
reacting to an edict from above to “make your numbers at all costs” or else.
• A successful fraudster lies effectively and consistently. To avoid detection, she must look
auditors, investors and others right in the eye and lie convincingly. She also possesses
the skill to keep track of the lies, so that the overall story remains consistent.

Types of Fraud
Fraud is perpetrated by a person who knows that it could result in some unauthorised benefit to
him or her, to the organisation or to another person, and it can also be perpetrated by an outsider.
The following lists the common kinds of fraud.

Asset Misappropriation
This involves stealing cash or assets (supplies, inventories, equipment and information) from the
organisation. In many cases, the perpetrator tries to conceal the theft, usually by adjusting the
records.

Financial Statement Fraud

This involves misrepresenting financial statements, often by overstating assets or revenue or
understating liabilities and expenses. Financial statement fraud is typically perpetrated by
managers who seek to enhance the economic appearance of the organisation. Members of the
organisation may benefit directly from the fraud by selling stock, receiving performance bonuses,
or using the false report to conceal another fraud.

Corruption
The misuse of entrusted power for private gain. Corruption includes bribery and other improper
uses of power. Corruption is off-book fraud, meaning that there is little financial evidence
available to prove that the crime occurred. Corrupt employees do not have to fraudulently change
financial statements to cover up their crimes; they simply receive cash payments under the table.
In most cases, these crimes are uncovered through tips or complaints from third parties.
Procurement-related corruption is common.

Bribery
The offering, giving, receiving or soliciting of anything of value to influence an outcome. Bribes
may be offered to key employees or managers who are purchasing agents and who have the ability
to award businesses to vendors.

Falsification of Expense Claims

An old favourite with both senior and junior staff. Common ‘ruses’ include inflating mileage
claims, entertaining friends and relatives at the company’s expense and claiming for expenses
that were never incurred.

Stealing Money from the Company Bank Account

The perpetrator, having got away with stealing once, will keep on doing it again.

Manipulating Sales Figures to Reach Target and Achieve Bonuses

A simple version of this involves booking sales in one month and then crediting them back the
next. Unless the perpetrator keeps this up, the overstatement in one month will naturally show as
a shortfall in the next.

Falsifying Supplier Invoices

For example, a senior manager who had renovation work carried out on his house arranged for
the invoices to be sent to the company and booked as costs for work carried out on the company’s
premises.

Stock Theft
A time-honoured way to make a ‘fast buck’. The perpetrator will over a period of time abscond
with a number of items from the warehouse and resell them. So long as the stock losses are within
tolerance, then it is possible for this to remain undetected for a significant period of time.

Transactions That Are Not at ‘Arm’s Length’

When a company asks for tenders for a contract, it usually obtains at least three quotes from
third parties. The best value quote should then be selected. When the system does not run
effectively, there is an opportunity for friends and relatives of the purchasing department to send
in quotes that are accepted, bypassing the quotes from reputable suppliers.
Tax Evasion
Fraud at corporate level. Excessively complex organisational structures are created and designed
to obfuscate the revenue streams to hide the reality from tax authorities.

Fictitious Invoicing
Where there are poor accounting controls, fraudsters can arrange for fake invoices from
connected parties to be passed for payment.

Acquisition of Company Property at Less than Market Value

This requires the collusion of at least two people (usually quite senior in position). Company
property is ‘sold’ to one of the individuals at a bargain price approved by the other. The property
is then resold at market value and the profit is split between the two individuals.

Theft of Raw Materials

Manufacturers should measure the quantities and costs of the raw materials used in the
manufacturing process. Some processes use expensive materials such as gold. When the
measurement system is compromised or management does not investigate adverse yield
variances, fraudsters have the opportunity to steal the raw material.

Given the ongoing recession, the temptation/pressure to commit fraud is even greater;
companies and government organisations would be well advised to review their procedures.

Red Flags of Fraud

Managers and employees responsible for the stewardship of companies should be aware of red
flags for fraud. These are only warning signs that may indicate a higher fraud risk; they are not
evidence that fraud will occur. Also, the existence of one or two flags is not something to be
overly concerned with. Many employees do demonstrate one or more elements on the list.
However, if multiple flags are present that span the three groupings and accounting irregularities
or weak controls are identified, then the appropriate authorities (including the superintendent’s
office and internal auditing) should be contacted.

Common Personality Traits of Fraudsters

• Wheeler and dealer
• Domineering/controlling
• Do not like people reviewing their work
• Strong desire for personal gain
• Have a ‘Beat the System’ attitude
• Live beyond their means
• Close relationship with customers or vendors
• Unable to relax
• Often have a ‘too good to be true’ work performance
• Do not take vacation or sick time, or only take leave in small amounts
• Often work excessive overtime
• Outwardly appear to be very trustworthy
• Often display some sort of drastic change in personality or behaviour

Common Sources of Pressure

• Medical problems — especially for a loved one
• Unreasonable performance goals
• Spouse loses a job
• Divorce
• Starting a new business, or current business is struggling
• Criminal conviction
• Civil lawsuit
• Purchase of a new home, a second home, or a home renovation
• Need to maintain a certain lifestyle (‘champagne tastes’ or ‘keep up with the Joneses’)
— the person (or spouse) either likes expensive things or feels pressured to ‘keep up with’
or out-do others in regard to material possessions
• Excessive gambling
• Drug or alcohol addiction

Changes in Behaviour

• Suddenly appears to be buying more material items — houses, cars, boats, clothes,
jewellery, electronics, and so on
• Brags about new purchases
• Starts to carry unusual amounts of cash
• Creditors/bill collectors show up at work or call frequently
• Borrows money from co-workers
• Becomes more irritable or moody
• Becomes unreasonably upset when questioned
• Becomes territorial over their area of responsibility
• Will not take vacation or sick time, or only takes it in small increments
• Works unnecessary overtime
• Turns down promotions
• Starts coming in early or staying late
• Redoes or rewrites work to ‘make it neat’
• Starts to mention family or financial problems
• Exhibits signs of drug or gambling addiction (absenteeism, becomes manipulative, looks
ill, inconsistent or illogical behaviour, loss of sleep or appetite, etc.)
• Exhibits signs of dissatisfaction (decrease in productivity, change in attire, irregular
schedules, frequent complaining about inequities or work issues)

Internal Audit’s Role in Fighting Fraud

Fighting fraud in an organisation requires the combined efforts of many different departments,
including internal auditors, who assist in the prevention and detection of fraud by evaluating the
adequacy and effectiveness of internal control, assisting management in establishing effective
fraud prevention measures, proactively auditing for fraud, and investigating suspected fraud.

Specifically, the practice guide states that, in conducting audit engagements, the internal
auditor should:

• Consider fraud risks in the assessment of internal control design and the determination of
audit steps to perform.
• Have sufficient knowledge of fraud to identify red flags indicating that fraud might have
been committed.
• Be alert to opportunities that could allow fraud, such as control deficiencies.
• Evaluate whether management is actively retaining responsibility for oversight of the
fraud risk management programme, whether timely and sufficient corrective measures have
been taken with respect to any noted control deficiencies or weaknesses, and whether the
plan for monitoring the programme continues to be adequate for the programme’s
ongoing success.
• Evaluate the indicators of fraud and decide whether any further action is necessary or
whether an investigation should be recommended.
• Recommend an investigation when appropriate.

Internal auditors evaluate the risks faced by organisations based on audit plans with appropriate
testing. Internal auditors need to be alert to signs and possibilities of fraud within an
organisation. These auditors are often in a better position to detect the symptoms that
accompany fraud: they usually have a continual presence in the organisation, which gives them a
better understanding of the organisation and its control system. Internal auditors can assist:

• in deterring fraud by examining and evaluating the adequacy and effectiveness of internal
controls;
• in establishing effective fraud prevention measures by knowing the organisation’s
strengths and weaknesses and providing consulting expertise.

The importance an organisation attaches to its internal audit activity is an indication of the
organisation’s commitments to effective internal control and fraud risk management. Internal
auditors’ roles in relation to fraud risk management are as follows:

• To launch initial or full investigation of suspected fraud, to perform root cause analysis
and control improvement recommendations, to monitor a reporting/whistle-blowing
hotline and provide ethics training
• To obtain sufficient skills and competencies including knowledge of fraud schemes,
investigation techniques and laws
• To conduct proactive auditing to search for misappropriation of assets and information
misrepresentation using CAAT techniques and data mining
• To employ analytical and other procedures of high-risk accounts and transactions to
identify potential fraud

Other Responsibilities of Fraud Prevention and Detection

Board of Directors
The Board of Directors has the responsibility for effective corporate fraud governance. The role
of the Board of Directors:

• To oversee and monitor management’s actions to manage fraud.
• To evaluate management’s identification of fraud risks.
• To implement anti-fraud measures.
• To set the tone at the top.

To set the tone for fraud risk management, the Board of Directors should engage in the following:

• Implement policies that encourage ethical behaviour, including processes for employees,
customers and external business relationship partners to report instances where those
policies are violated.
• Monitor the organisation’s fraud risk management effectiveness by appointing one
executive-level member of management to be responsible for coordinating fraud risk
management and reporting to the Board of Directors.

Audit Committee
The CAE must report periodically to senior management and the Board of Directors on the
internal audit activity's purpose, authority, responsibility and performance relative to its plan.
The Audit Committee usually has oversight of the internal audit activity.

An Audit Committee is the independent eyes and ears of the investors and other stakeholders.
The role of the Audit Committee is as follows:

• To evaluate management’s identification of fraud risks.
• To implement anti-fraud measures.
• To provide the tone at the top that fraud will not be accepted in any form.
• To hire external auditors to report on the financial statements of the organisation.
• To provide recommendations on internal control.
• To be responsible for overseeing management’s compliance with appropriate financial
reporting.
• To be responsible for preventing senior management from overriding the controls or
other inappropriate influence over the reporting process.

Management
The primary responsibility for the prevention and detection of fraud rests with the governing
body and management. Management’s responsibilities include creating an environment where
fraud is not tolerated, identifying risks of fraud, and taking appropriate actions to ensure that
controls are in place to prevent and detect fraud. The role of the management is as follows:

• Responsible for overseeing the activities of employees and typically does so by
implementing and monitoring processes and internal controls.
• Assess the vulnerability of the entity to any fraudulent activities.
• Responsible for establishing and maintaining an effective internal control system at a
reasonable cost.
• Maintain discussions with investigators and legal counsel to develop controls over the
investigation process, including developing policies and procedures for effective fraud
investigations and for handling the results of investigations, reporting and
communications.

External Auditor
External auditors have the responsibility to comply with professional standards and to plan and
perform an audit of an organisation's financial statements to obtain reasonable assurance about
whether these statements are free from material misstatement and, if misstatements are found,
whether they were caused by error or fraud.
Whenever external auditors have determined that there is evidence of fraud, their professional
standards typically require that the matter be brought to the attention of the appropriate level of
management. An external auditor typically reports fraud involving senior management directly
to those charged with governance.

Fraud Investigators
Fraud investigators are usually responsible for the detection and investigation of fraud as well as
the recovery of assets. They also have a role in fraud prevention. Senior management and the
Audit Committee need to support investigators and to let all stakeholders know that the business
entity is ready to respond quickly and appropriately to fraud risks.

Fraud investigators often work closely with the legal counsel to take action against perpetrators.
Communication between fraud investigators and legal counsel is likely to be confidential, and
the investigators' work is usually done under the direction of legal counsel.

A lead investigator usually determines the knowledge, skills and other competencies needed to
carry out an investigation effectively and assigns competent and appropriate people to the team.

Other Employees
Every employee has a role to play in fighting fraud. Employees are the eyes and ears of an
organisation, and they should be empowered to maintain a workplace of integrity. Employees
can report their suspicion of fraud to the employee hotline, the internal audit department or a
member of management. To deter and detect fraud and abuse, many experts believe an employee
hotline that is appropriately monitored is the single most cost-effective fraud detection and
deterrence mechanism.

Internal Audit's Role in Anti-Bribery and Anti-Corruption Programs

The specific role of internal audit in anti-bribery and anti-corruption programs varies from one
organisation to another. In general, internal audit reinforces the program both by identifying
potential and actual incidents and by assessing the effectiveness of the program designed to
anticipate and address these risks.

Specifically, internal audit can reinforce each of the following program components in the noted
ways:

1. Tone at the top/governance structure, by:

• Understanding the attitude and tolerance of management and the Board of Directors
regarding bribery and corruption risks
• Assessing whether that attitude is sufficiently restrictive
• Validating that this attitude has been effectively communicated throughout the
organisation
• Scrutinising the governance structure and oversight of the anti- bribery and anti-
corruption program

2. Bribery and corruption risk assessment, by:

• Understanding all aspects of the anti-bribery and corruption program before performing
risk assessments
• Evaluating inherent bribery and corruption risk as part of a comprehensive risk
assessment
• Ensuring the audit plan for assessing the anti-bribery and anti- corruption program is
based on the results of risk assessment

3. Policies and procedures, by testing whether they are:

• Documented appropriately
• Approved by management
• In compliance with applicable laws and regulations
• Implemented effectively

4. Communication and training, by:

• Sharing information with other functions or parties (e.g. fraud investigation, legal,
compliance, external audit, regulators), as appropriate
• Assisting in communicating and training employees in anti-bribery and anti-corruption
policies (to the extent that doing so does not impair their objectivity)

5. Monitoring and auditing, by:

• Ensuring risk assessments, analysis and communication are effective in supporting
management's monitoring role.

6. Investigation and reports, by:

• Participating in investigations as appropriate, based on the team's resources, the
organisation's governance structure and formal protocols.
• Understanding the culture and legal landscape of the jurisdictions involved
• Being familiar with local protocols for investigating and reporting
• Following the organisation’s protocol regarding any audit evidence that might indicate
bribery or corruption
• Performing and documenting adequate audit actions to support any findings, conclusions,
or recommendations pertaining to bribery or corruption
• Seeking legal advice or recommending management seek legal advice regarding any
evidence of illegal activity uncovered during an audit
• Working with appropriate personnel to determine whether an irregularity or illegal act
has occurred and gauge its effect

7. Enforcement and sanctions, by:

• Working with management to adhere to a defined process for evaluating cases of bribery
or corruption and, if appropriate, implementing sanctions according to a formal policy.

Fraud Risk Assessment

A fraud risk assessment is often a critical component to an organisation’s larger enterprise risk
management programme. The fraud risk assessment is a tool that assists management and
internal auditors to systematically identify where and how fraud may occur and who may be in
the position to commit fraud. A fraud risk assessment concentrates on fraud schemes and
scenarios and whether or not the controls can be circumvented.

The scope of fraud risk assessment may vary widely depending on the organisation’s size,
complexity or industry. A fraud risk assessment generally includes five key steps:

1. Identify Relevant Fraud Risk Factors

This process includes a review of the documentation of previous frauds and suspected frauds
committed against or on behalf of the organisation, an evaluation of related frauds, and a review
of the organisation's performance measures over the past few years compared with its competitors.

For example, inconsistencies between financial results and non-financial measures, or excessive
use of licensed software and other intellectual property, may indicate possible fraud.

2. Identify Potential Fraud Schemes and Prioritise Them Based on Risk

The fraud assessment team identifies fraudulent schemes by brainstorming, conducting
management interviews, using analytical procedures and reviewing prior frauds. During this
process, the team has to always consider the basic characteristics of the Fraud Triangle.

The following factors are to be considered when prioritising fraud risks:

• Monetary impact
• Impact to the organisation’s reputation
• Loss of productivity
• Potential criminal/civil actions including potential regulatory noncompliance
• Integrity and security of data
• Loss of assets
• Location and size of operations/units
• Company culture
• Management/employee turnover
• Liquidity of assets

3. Map Existing Controls to Potential Fraud Schemes and Identify Gaps

The fraud risk assessment team identifies the preventive and detective controls in place to
address each fraud risk and assesses the likelihood of the fraud occurring despite them. Anti-fraud
controls such as a whistle-blower protection policy, Board of Directors oversight, continuous
monitoring, a code of conduct and good communication are important elements.

4. Test Operating Effectiveness of Fraud Prevention and Detection Controls

Internal auditing typically plays an important role in assessing the operating effectiveness of
internal controls. Internal auditors consider not only the existence of an internal control but
also its effectiveness, through periodic testing.

For example, an organisation may have a policy that passwords must be changed every 30 days;
however, the network system may not block a user's access if the password is not changed as
required. In this case the internal control is present but is not effective: the policy exists on
paper, but nothing enforces it.
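
The gap between a control that exists and one that operates can be tested directly against system
evidence. The following Python script is an added example, not part of the original chapter: it
takes an extract of user accounts (constructed sample data; the field names, the 30-day policy and
the account names are assumptions) and reports every successful login that occurred after the
password had passed its maximum age. A control that was actually operating would produce no such
exceptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

POLICY_MAX_AGE_DAYS = 30   # the documented policy: passwords must change every 30 days


@dataclass
class Account:
    """One row of an account extract. Constructed for this example; the field
    names are assumptions, not those of any particular directory product."""
    user: str
    last_password_change: date
    successful_logins: list      # dates of successful logins since that change


def control_exists(max_age_days: int) -> bool:
    """Existence test: is a maximum password age configured at all?
    This is the only question a design-only review answers."""
    return max_age_days > 0


def logins_with_expired_password(acct: Account, max_age_days: int) -> list:
    """Operating-effectiveness test for one account: successful logins dated
    after the point at which the password should have been rejected or
    forced to change."""
    expiry = acct.last_password_change + timedelta(days=max_age_days)
    return [d for d in acct.successful_logins if d > expiry]


def assess_control(accounts, max_age_days: int = POLICY_MAX_AGE_DAYS):
    """Return (effective, exceptions). The control is judged effective only if
    no sampled account authenticated with a password past its maximum age;
    `exceptions` maps each failing user to the offending login dates."""
    exceptions = {}
    for acct in accounts:
        bad = logins_with_expired_password(acct, max_age_days)
        if bad:
            exceptions[acct.user] = bad
    return (not exceptions), exceptions


# Constructed sample extract (assumed data, not from the chapter).
SAMPLE = [
    Account("alice", date(2024, 1, 1), [date(2024, 1, 10), date(2024, 1, 28)]),
    Account("bob",   date(2024, 1, 1), [date(2024, 1, 15), date(2024, 3, 4)]),  # still accepted at day 63
    Account("carol", date(2024, 2, 1), [date(2024, 2, 20)]),
]

if __name__ == "__main__":
    effective, exceptions = assess_control(SAMPLE)
    print("control configured:", control_exists(POLICY_MAX_AGE_DAYS))
    print("control effective:", effective)
    for user, dates in exceptions.items():
        print(f"  {user}: logged in with an expired password on {[d.isoformat() for d in dates]}")
```

On the sample the policy is configured but the control is ineffective, because one account kept
authenticating with a 63-day-old password. The same logic applies to any policy-versus-enforcement
gap an auditor tests from a real directory export, such as lockout thresholds or the disabling of
inactive accounts.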

5. Document and Report of the Fraud Risk Assessment

Key elements that would likely be documented in fraud risk assessment include:

• The types of fraud that have the potential of occurring.
• The inherent risk of fraud considering the availability of liquid and saleable assets,
organisational morale and employee turnover, the history of fraud losses, and other
specific business area indicators.
• The adequacy of existing anti-fraud programmes, monitoring and preventive controls.
• The potential gaps in the organisation's fraud controls, including segregation of duties.
• The likelihood of significant fraud occurring.
• The business impact/significance of a fraud.

Fraud Prevention and Detection
Fraud can occur at various levels in an organisation. Therefore, it is important to establish
appropriate preventive and detective techniques.

Fraud Prevention
Fraud prevention entails the implementation of policies and procedures, employee training and
management communication to educate employees about fraudulent activities. It also involves
those actions taken to discourage the commission of fraud and to limit fraud exposure when it
occurs. Instilling a strong ethical culture and setting the correct tone at the top are essential
elements in preventing fraud. A principal mechanism for preventing fraud is effective and
efficient internal controls, including controls related to screening customers, vendors and
external business relationship partners.

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) presented a
framework for assessing and improving internal control systems to fight fraud.

i. Control environment

Elements of a strong control environment to help prevent fraud include the following:

• A code of conduct, ethics policy or fraud policy to set the appropriate tone at the top
• Ethics and whistle-blower programmes to report fraud
• Hiring and promotion guidelines and practices
• Oversight by the Audit Committee, Board of Directors or other oversight body

ii. Risk assessment

This involves establishing a fraud risk assessment process that considers fraud risk factors and
fraud schemes and involves appropriate personnel. Fraud risk assessments should also be
conducted on a regular basis.

iii. Control activities

These are policies and procedures for business processes, including appropriate authority limits
and segregation of duties.

iv. Information and communication

Promoting the importance of the fraud risk management programme and the organisation's
position on fraud risk, both internally and externally, through corporate communication
programmes by:

• Designing and delivering fraud awareness training
• Obtaining affirmation, or creating a certification process, to ensure that employees have
read and understood corporate policies and are in compliance with them

v. Monitoring

Providing periodic evaluation of anti-fraud controls by:

• Having the fraud risk management programme evaluated independently by internal
auditors or other groups
• Using technology to aid in continuous monitoring and detection activities

Fraud Deterrence
Training is usually a key factor in deterring fraud. Training can cover the organisation's
expectations of its employees' conduct, the procedures and standards necessary to implement
internal controls, and employees' roles and responsibilities in reporting misconduct.

Employees need to understand the ethical behaviour expected of them to act accordingly within
the organisation. New employee orientations can present the organisation’s mission, values and
code of conduct as well as explain types of fraud, responsibility to report violations of ethical
behaviour and impropriety and ways to report potential fraud. The training on fraud needs to be
tailored to the organisation and employees’ position within the organisation.

Periodic training throughout employees’ career reinforces fraud awareness and the cost of fraud
to the organisation. This can be done through surveys that not only confirm attendance, but also
offer quick examination to determine whether employees have gained the necessary knowledge
from the training.

Fraud Detection
This entails activities and programmes designed to identify fraud or misconduct that is occurring
or has occurred.

Detective controls are designed to provide warnings or evidence that fraud is occurring or has
occurred. Effective internal controls are one of the strongest deterrents to fraudulent behaviour
and actions. Although detective internal controls may provide evidence that fraud exists,
detective internal controls cannot prevent fraud.

Fraud detection methods need to be flexible, adaptable and continuously changing to meet the
changes in the risk environment. While preventive measures are apparent and readily
identifiable, detective controls may not be as apparent.

An effective way for an organisation to learn about existing fraud is to provide employees,
suppliers and stakeholders with a variety of methods to report their concerns about illegal or
unethical behaviour.

Ways to collect the information on fraud include:

i. Code of conduct confirmation

When employees sign an annual code of conduct outlining their responsibilities in the prevention
and detection of fraud, they can be asked to report any known violations.

ii. Whistle-blower hotline

This can take the form of a telephone call or a web-based reporting system where the whistle
blower can remain anonymous.

iii. Exit interviews

Conducting exit interviews with employees who have been terminated or have resigned can help
identify fraudulent schemes. These interviews may also reveal whether there are issues regarding
management's integrity, and may provide information regarding conditions conducive to fraud.

iv. Proactive employee survey

Routine employee surveys can be conducted to solicit employees’ knowledge of fraud and
unethical behaviour within the organisation. A proactive survey could elicit anonymous
information from employees, which would aid the organisation in catching fraud sooner than
waiting for employees to volunteer the information.

Other methods of fraud detection include surprise internal or external audits in high fraud risk
areas; continuous monitoring by management of critical data and related trends to identify
unusual situations or variances; and routine and/or ad hoc matching of public and/or
proprietary data against relevant transactions, vendor lists, the employee roster and other data.
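
Matching proprietary data sets against each other is one of the most productive of the detective
procedures listed above. The Python example below is added here and is not from the original
chapter; it runs two such matches over constructed sample data (the vendor master, employee roster
and payment register, and every name, identifier, bank account, address and amount in them, are
assumptions made for the illustration): a vendor-to-employee match on bank account and address,
which surfaces fictitious or conflicted vendors, and a duplicate-payment test keyed on payee bank
account, invoice number and amount, which catches the same invoice paid twice even when it was
re-keyed or the payee was set up under two vendor numbers.

```python
import re
from collections import defaultdict

# Constructed sample extracts (assumed data, not from the chapter): vendor master,
# employee roster and payment register as pulled with a CAAT. Names, identifiers,
# bank accounts, addresses and amounts are all invented for the illustration.
VENDORS = [
    {"vendor_id": "V001", "name": "Acme Supplies Sdn Bhd", "bank_acct": "1234-5678-90",
     "address": "12 Jalan Industri, Shah Alam"},
    {"vendor_id": "V002", "name": "Quick Print Services", "bank_acct": "5555-0001-22",
     "address": "7 Lorong Dua, Petaling Jaya"},
    {"vendor_id": "V003", "name": "QP Services", "bank_acct": "5555-0001-22",
     "address": "Unit 3, Block C, Puchong"},
]
EMPLOYEES = [
    {"emp_id": "E100", "name": "Tan Mei Ling", "bank_acct": "9876-5432-10",
     "address": "45 Jalan Damai, Kuala Lumpur"},
    {"emp_id": "E101", "name": "Ahmad Razali", "bank_acct": "5555-0001-22",
     "address": "7 Lorong Dua, Petaling Jaya"},
]
PAYMENTS = [
    {"pay_id": 1, "vendor_id": "V001", "invoice": "INV-1001", "amount": 4200.00},
    {"pay_id": 2, "vendor_id": "V002", "invoice": "INV-77",   "amount": 1850.00},
    {"pay_id": 3, "vendor_id": "V002", "invoice": "inv 0077", "amount": 1850.00},  # same invoice, re-keyed
    {"pay_id": 4, "vendor_id": "V003", "invoice": "INV-78",   "amount": 1850.00},
]


def normalise(value: str) -> str:
    """Canonical form for matching: lower-case, drop punctuation and spaces, and
    drop zeros padded between a letter prefix and the number, so that
    'INV-77' and 'inv 0077' compare equal. Exact matching would miss both."""
    flat = re.sub(r"[^a-z0-9]", "", value.lower())
    return re.sub(r"(?<=[a-z])0+(?=\d)", "", flat)


def vendor_employee_matches(vendors, employees, fields=("bank_acct", "address")):
    """Match the vendor master against the employee roster on each field.
    A vendor sharing a bank account or address with an employee is a classic
    indicator of a fictitious vendor or an undisclosed conflict of interest."""
    index = defaultdict(list)
    for emp in employees:
        for field in fields:
            index[(field, normalise(emp[field]))].append(emp["emp_id"])
    hits = []
    for vendor in vendors:
        for field in fields:
            for emp_id in index.get((field, normalise(vendor[field])), []):
                hits.append((vendor["vendor_id"], emp_id, field))
    return sorted(hits)


def duplicate_payments(payments, vendors):
    """Group payments by (payee bank account, normalised invoice, amount) and
    return the groups paid more than once. Keying on the bank account rather
    than vendor_id also catches a payee registered under two vendor numbers."""
    account_of = {v["vendor_id"]: v["bank_acct"] for v in vendors}
    groups = defaultdict(list)
    for p in payments:
        key = (account_of[p["vendor_id"]], normalise(p["invoice"]), round(p["amount"], 2))
        groups[key].append(p["pay_id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


if __name__ == "__main__":
    for vendor_id, emp_id, field in vendor_employee_matches(VENDORS, EMPLOYEES):
        print(f"vendor {vendor_id} shares {field} with employee {emp_id}")
    for ids in duplicate_payments(PAYMENTS, VENDORS):
        print(f"possible duplicate payment: payment ids {ids}")
```

On the sample, the vendor match reports V002 and V003 sharing a bank account with employee E101
(V002 also shares the address), and the duplicate test reports payments 2 and 3. On real extracts
the same matching keys are worth extending to telephone numbers and tax identifiers, and the
roster should include former employees as well as current staff.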

Forensic Audit
In general, forensic audit is defined as the application of accounting methods to the tracking and
collection of forensic evidence, usually for an investigation and a prosecution of criminal acts
such as embezzlement or fraud. It is also called forensic accounting.

The concept of forensic auditing may be defined as 'a concentrated audit of all the transactions
of the entity to find the correctness of such transactions and to report whether or not any
financial benefit has been attained by way of presenting an unreal picture'. Forensic auditing
aims to legally determine whether fraud did occur. In the process, it also aims at naming the
person(s) involved (with the intention of taking legal action). Figure 9.3 outlines the differences
between financial audit and forensic audit.

Forensic audit involves examination of legalities by blending the techniques of propriety
(value-for-money) audit, regularity audit, investigative audit and financial audit. The objective
is to find out whether or not true business value has been reflected in the financial statements
and, in the course of the examination, to ascertain whether any fraud has taken place.

Skills for Forensic Auditor

In addition to having strong accounting skills and good legal knowledge, a forensic auditor must
have the following:

• Knowledge of the entity's business and legal environment
• Awareness of computer-assisted audit procedures
• An innovative approach and scepticism towards routine audit practices

Application
Forensic accounting and auditing may be applied in the following areas besides fraud detection:

• Conducting due diligence (especially segment-wise profitability analysis)
• Business valuation
• Management auditing
• Assessing loss before settling insurance claims

Particulars | Financial Audit | Forensic Audit
Objective | Express an opinion as to 'true and fair' presentation. | Determine the correctness of the accounts or whether any fraud has actually taken place.
Techniques | 'Substantive' and 'compliance' procedures. | Analysis of past trends and substantive or 'in-depth' checking of selected transactions.
Period | Normally all transactions for a particular accounting period. | No such limitation. Accounts may be examined in detail from the beginning.
Verification of stock, estimation of realisable value of current assets, provisions/liability estimation, and so on | Relies on the management certificate/representation of management. | Independent verification of suspected/selected items is carried out.
Off balance-sheet items (like contracts etc.) | Used to vouch the arithmetic accuracy and compliance with procedures. | Regularity and propriety of these transactions/contracts are examined.
Adverse findings, if any | Negative opinion or qualified opinion expressed, with/without quantification. | Legal determination of fraud and naming of the persons behind such frauds.

Figure 9.3 Differences between Financial Audit and Forensic Audit

Examination Methods
Tests of reasonableness

• Check for weaknesses in internal controls
• Identify questionable transactions, i.e. those showing wide fluctuations from normal
transactions and not, in general, related to the entity's main objectives
• Review questionable transaction documents for peculiarities, such as improper account
classification, pricing, invoicing or claims

Historical comparisons

• Develop a profile of the entity under investigation, its personnel and beneficiaries, using
available information
• Identify questionable accounts, account balances, and relationships between accounts, to
find out variances from current expectations and past relationships
• Gather and preserve evidence corroborating asset losses, fraudulent transactions and
financial misstatements
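
The historical-comparison steps above can be carried out with a simple analytical procedure. The
Python example below is added here and does not come from the original chapter: it profiles each
account from its prior-period balances using the median and median absolute deviation (a robust
alternative to the mean and standard deviation, so that an earlier fraudulent period cannot hide
the current one by inflating the baseline), scores the period under review against that profile,
and applies the same test to the relationship between two accounts (sales commissions as a
proportion of sales). The account names, balances and the 3.5 threshold are constructed
assumptions.

```python
from statistics import median

# Constructed sample data (assumed for this example, not from the chapter):
# twelve prior monthly balances per expense account and the month under review.
HISTORY = {
    "6100 Repairs and maintenance": [4100, 3950, 4300, 4050, 4200, 3900,
                                     4150, 4000, 4250, 4100, 3980, 4120],
    "6200 Consulting fees":         [2000, 2100, 1950, 2050, 2000, 2150,
                                     1900, 2050, 2100, 2000, 1950, 2080],
}
REVIEW_PERIOD = {"6100 Repairs and maintenance": 4180, "6200 Consulting fees": 9800}

# Relationship between accounts: commissions have historically run at about 5% of sales.
SALES = [100000, 105000, 98000, 110000, 102000, 99000,
         107000, 103000, 101000, 108000, 104000, 100000]
COMMISSIONS = [5000, 5300, 4850, 5550, 5080, 4960,
               5400, 5120, 5070, 5350, 5250, 4990]
REVIEW_SALES, REVIEW_COMMISSIONS = 106000, 9540   # about 9% of sales this period


def robust_z(history, value):
    """Robust z-score of `value` against `history`: distance from the median in
    units of the scaled median absolute deviation (1.4826 * MAD is the
    standard-deviation equivalent for normally distributed data). The median
    keeps one or two abnormal prior periods from widening the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:                       # perfectly flat history: any change is an anomaly
        return 0.0 if value == med else float("inf")
    return (value - med) / (1.4826 * mad)


def flag_accounts(history, review, threshold=3.5):
    """Return (account, z-score) pairs whose review-period balance deviates from
    the historical profile by more than `threshold` robust standard deviations."""
    flagged = []
    for account, series in history.items():
        z = robust_z(series, review[account])
        if abs(z) > threshold:
            flagged.append((account, round(z, 1)))
    return flagged


def ratio_z(numerators, denominators, num_now, den_now):
    """Score the current ratio between two accounts against the ratio's own
    history, so a change in volume is not mistaken for a change in relationship."""
    ratios = [n / d for n, d in zip(numerators, denominators)]
    return robust_z(ratios, num_now / den_now)


if __name__ == "__main__":
    for account, z in flag_accounts(HISTORY, REVIEW_PERIOD):
        print(f"questionable balance: {account} (robust z = {z})")
    z = ratio_z(COMMISSIONS, SALES, REVIEW_COMMISSIONS, REVIEW_SALES)
    print(f"commissions/sales relationship: robust z = {z:.1f}")
```

On the sample, repairs and maintenance sits well inside its historical range while consulting fees
and the commissions-to-sales ratio are both flagged; the flagged items are the ones to select for
the in-depth checking of individual transactions described in Figure 9.3.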

The internal auditor's mindset towards fraud differs from that in other 'common' audits: it
should be investigative and anomaly oriented, whereas auditors are generally trained to address
the majority of risks rather than the exceptions.

• Fraud risk impact and residual risk are difficult to measure.
• Fraudsters may not be who you think they are.
• The most common fraudster profile may contradict your intuition: a well-educated,
middle-aged male with no criminal history.
• A common rule of thumb holds that 10% of people will always commit fraud, 10% will never
commit fraud and the remaining 80% could go either way depending on opportunity and
circumstances.
• Technical expertise is needed in assessing fraud risk, investigation techniques, gathering
and maintaining evidence, and so on.
• Consult internal or external experts if a task exceeds the team's means.
• Internal audit supports management by determining whether the organisation has
adequate internal controls and by promoting an adequate control environment.
• Since internal audit is centralised, independent and objective, it is in a prime position to
address fraud risk management programmes and to effect change.
• Different organisational structures and internal audit charters affect internal audit's
role and ability to achieve its purpose.

Fraud Investigation
A fraud investigation consists of gathering sufficient information about specific details and
performing those procedures necessary to determine whether fraud has occurred, the loss or
exposure associated with the fraud, who was involved, and how it happened. An important
outcome of investigations is that the innocent are cleared of suspicion. Investigations attempt to
discover the full nature and the extent of the fraudulent activity. Investigations work includes
preparing, documenting and preserving evidence sufficient for potential legal proceedings.
Internal auditors, lawyers, investigators, security personnel and others from inside and outside
the organisation usually conduct or participate in fraud investigations.

Investigation Processes

Management is responsible for the investigation process, which includes:

• developing policies and procedures, which need to consider the rights of individuals, the
qualifications of those who conduct the investigations and relevant laws
• preserving evidence
• handling the results of investigations
• reporting
• communication

Internal Auditor's Role

• Help management identify critical indicators of fraud schemes.
• Evaluate gaps in internal controls during the progression of fraud reviews/investigations.
• Conduct ad hoc forensic accounting investigations.
• Support the chief audit executive in ensuring appropriate communication of fraud issues
addressed by internal auditors to the Board of Directors, the Audit Committee and others.

Conducting the Investigation

A plan is developed for each investigation. The plan includes:

• Gathering evidence through surveillance, interviews or written statements.
• Documenting and preserving evidence.
• Determining the extent of the fraud.
• Determining the method used to perpetrate the fraud.
• Evaluating the cause of the fraud.
• Identifying the perpetrators.

The common investigation procedures include:

a) Obtaining evidence

Collecting and preparing the evidence is a critical stage in investigating fraud. Examples of
evidence are letters, memos, computer files, security logbooks, camera recordings, internal phone
records and news articles.

b) Interviewing

Investigators need to be knowledgeable and alert. The investigator is responsible for ensuring
that the interview process is handled in a consistent and prudent manner.

Reporting
Reporting fraud investigations consists of oral, written, interim or final communication to senior
management and/or the Board of Directors regarding the status and results of fraud
investigations. Additional considerations concerning fraud reporting are:

• Submitting a draft of the proposed final communication on fraud to legal counsel for review.
• Notifying senior management and the Board of Directors on a timely basis when fraud
occurs.
• The results of an investigation may indicate that fraud went undiscovered previously. Senior
management and the Board of Directors need to be informed of such a discovery.

Communication of Fraud Incidents

There are two types of communication

a) Internal communication

Internal communication is a strategic tool used by management to reinforce its position regarding
integrity, to publicise action taken against fraudsters when there is a violation of policy, and to
demonstrate the importance of internal control. Such communications may take the form of a
newsletter, memo or fraud training programme.

b) External communication

Management will determine whether or not to inform the public after consulting legal counsel,
human resource personnel and the CAE. Notification of law enforcement agencies may also be required.

Summary
Explain the components of the COSO Enterprise Risk Management 2017 framework and
compare them to the ISO 31000:2018 risk management — Principles and Guidelines. How does
an organisation assess risk? Give specific examples based on an organisation which operates in
the retail industry.

Self-Review Questions
1. Define fraud.
2. What are three elements that have to be present for a person committing fraud?
3. Identify the element of Fraud Triangle theory for each of the following situations:
a) A person who is having financial constraints stole the company’s money.
b) A person labels the theft as ‘borrowing’; and fully intends to pay back the
stolen money at some point.
c) A cashier stole money from the cash register machine because she knew that
there is no CCTV installed at the shop.
4. Identify five key steps in a fraud risk assessment.
5. Identify whether the following measures are meant for fraud prevention or fraud
detection.

No | Measure | Fraud Prevention | Fraud Detection
1 | Set a strong control environment such as a code of conduct | |
2 | Segregation of duties in business processes | |
3 | Whistle-blower hotline | |
4 | Exit interviews | |
5 | Fraud awareness training | |

6. Identify whether the following statements are true or false.
a. Statutory audit determines correctness of the accounts or whether any fraud has
actually taken place while forensic audit express opinion as ‘true or fair’
presentation.
b. Forensic audit involves analysis of past trend and substantive or ‘in depth’
checking of selected transactions while statutory audit involves ‘substantive’ and
‘compliance’ procedures.
c. Statutory audit relies on independent verification of selected item while forensic
audit relies on management representation.

References
ACFE. 2012. Report to the Nation (RTTN). http://www.acfe.com/rttn.aspx

PwC. 2011. Global Economic Crime Survey (GECS). http://www.pwc.com/gx/en/economic-crime-survey/index.jhtml

Internet Crime Complaint Center (IC3). 2011. Internet Crime Report. http://www.ic3.gov/media/2012/120511.aspx

PwC. 2004. The Emerging Role of Internal Audit in Mitigating Fraud and Reputation Risks.

Mitigating Business Risk: Example of Anti-Fraud Framework from Inscap Associates. Australian Standard on Fraud and Corruption Control, AS 8001-2003.

Grant Thornton. Managing Fraud Risk: The Audit Committee Perspective.

Forensic firms: Forensic Strategic. http://www.forensicstrategic.com/

Forensic CPAs. http://www.forensic-cpas.net/index.html

Financial Forensic & Valuation Group. http://www.ffvgroup.com/index.html

IIA. 2014. IPPF Practice Guide: Internal Auditing and Fraud.

IIA, AICPA and ACFE. Managing the Business Risk of Fraud: A Practical Guide.

Farrell, Barbara R. and Joseph R. Franco. 1999. The Role of the Auditor in the Prevention and Detection of Business Fraud: SAS No. 82. Western Criminology Review 2(1). [Online].

Association of Certified Fraud Examiners. 1999. Report to the Nation on Occupational Fraud and Abuse.

Chapter 10: Current Issues in Internal Auditing

After going through this chapter, you should be able to:

• Define whistleblowing
• Understand the role of an internal audit as a whistleblower
• Explain the provisions of the Malaysian Whistleblower Protection Act 2010
• Describe the code of conduct in relation to whistleblowing
• Discuss the purpose of environmental auditing
• Define environmental audit
• Suggest the objectives of environmental audit
• Discuss the advantages of performing environmental audit
• Illustrate environmental audit report
• Give examples of environmental audit in a manufacturing company
• Describe an Environmental Management System (EMS)
• Illustrate four pillars of EMS adoption
• Discuss commitment needed for a successful EMS adoption

Introduction
In line with the definition of internal auditing, which is to add value and improve an
organisation's operations, the internal audit profession needs to play a prominent role in
responding to all significant issues that have implications for the company's activities as a
whole (Mary, L. et al., 2009). A more holistic approach to understanding companies' operations is
strongly recommended, as it will guide the internal audit activity in addressing the critical issues
faced by management. Meanwhile, the new paradigm for corporate entities places more emphasis on
achieving sustainability. In pursuing sustainability, the decision-making process is one of the
most important elements in an organisation, and it needs to be more rigorous when considering
various aspects, including the impact of the organisation's operations on the economy, society
and the environment.

In recent years, the world has been shocked by several disastrous impacts on the environment,
mainly due to a series of corporate blunders. The industrial world, in particular, has been
criticised for its devastating impact on the environment. In Malaysia, the illegal dumping of
chemical waste along a 1.5 km stretch of the Kim Kim River in Johor Bahru not only cost the
Malaysian government approximately RM10 million in clean-up operations; it was also reported that
more than 3,000 people were treated for exposure to hazardous fumes and about 111 schools in the
affected area were forced to close temporarily.

Therefore, there is an undeniable demand for all parties, in particular firms and companies, to be
more environmentally responsible, as the negative impact of their operations on the environment
can be life threatening. In other words, management's ability to address environmental concerns
is attracting greater attention from most stakeholders, including regulators, investors,
employees, fund providers and the community at large. In response, management faces greater
pressure from stakeholders to properly manage the environmental issues faced by its own entity.

Introduction: Whistleblowing

Corporate fraud is a persistent issue and a concern to all organisations. The Global Fraud Study by the Association of Certified Fraud Examiners (ACFE) reported that a typical organisation loses 5% of its annual revenue to fraud. Most organisations have therefore put in place various fraud prevention and detection mechanisms, such as anti-fraud education, establishing the ‘right tone at the top’ with ‘zero-tolerance’ of fraud, and setting an internal whistleblowing policy. Corporate whistleblowing, in particular, has proved to be an effective internal corporate monitoring mechanism, as evidenced in the WorldCom and Enron cases. Since then, there has been a growing interest in whistleblowing.

In Malaysia, the Whistleblower Protection Act 2010 came into force on 15 December 2010. The Act aims to provide protection to whistleblowers who disclose information on serious misconduct in the public and private sectors to the relevant enforcement agencies. Despite all the whistleblowing legislation, employees are still rather reluctant to expose incidents of improper conduct. In the UK, the Public Interest Disclosure Act 1998 provides a framework of legal protection for whistleblowers from victimisation and dismissal. Likewise in the United States, a further response to the corporate scandals is the Sarbanes-Oxley Act (2002), which states that ‘in order for companies to continue as being listed, they must establish a mechanism for Board of Directors to receive, retain and treat complaints regarding accounting, internal accounting controls or auditing matters; the process must ensure the security and confidentiality of the whistleblowers’.

Definition of Whistleblowing
The term “whistleblower” comes from the whistle a referee uses to indicate a foul play or a
policeman blowing his whistle to stop an illegal activity. The first law to protect whistleblowers
was the United States Claims Act in 1863. The Act was enacted during the former US President
Abraham Lincoln’s administration with the main objective of catching dishonest suppliers who
would provide ill horses or faulty rifles and ammunition to the military during the American Civil
War.

The Whistleblower Protection Act (2010) of Malaysia defines a ‘whistleblower’ as any person who makes a disclosure of improper conduct to an enforcement agency. It further defines ‘improper conduct’ as any conduct which constitutes a disciplinary or criminal offence.

Whistleblowing is defined by the Institute of Internal Auditors (UK) as ‘the unauthorised disclosure by internal auditors, in good faith, of serious information relating to questionable practices, whose disclosure is perceived to be in the public interest. The information may comprise audit results, findings, opinions or information acquired in the course of performing their duties’. Put simply, whistleblowing is a voluntary act of reporting misconduct within an organisation to internal parties or to external parties (such as the media or law enforcement agencies). The action is a moral act of an individual, done out of a sense of duty to do the right thing and to halt any illegal, harmful or improper behaviour in an organisation. As such, there should be appropriate whistleblowing reporting procedures in the organisation before the issues of concern become a serious problem that could result in reputational damage.

Forms of Whistleblowing
There are two forms of whistleblowing:

• Internal whistleblowing, which is a reporting process for employees on any suspected incidents of wrongdoing within the organisation. For example, the setting up of an internal independent whistleblowing hotline to a non-executive director such as the chair of the Audit Committee or chair of the Board of Directors.
• External whistleblowing, which is a reporting process in circumstances when internal reporting of suspected wrongdoing fails. The whistleblower would then report to an external body such as regulators and/or the media as a last resort.

Besides the two forms of whistleblowing, Michael Woodford, the former Olympus President and CEO who turned whistleblower on a GBP1.1 billion fraud at the Japanese electronics company, recommended an independent whistleblowing line separated from the executive management (CIA, 2014).

Internal Auditor as a Whistleblower
The responsibility to prevent and detect fraud by setting up a sound system of internal control rests with the Board of Directors, supported by the internal auditor. Section C 3.5 of the UK Corporate Governance Code (2016), which applies to companies listed on the London Stock Exchange, states that ‘the Audit Committee should review arrangements by which staff of the company, may, in confidence, raise concerns about possible improprieties in matters of financial reporting or other matters. The Audit Committee’s objective should be to ensure that arrangements are in place for the proportionate and independent investigation of such matters and for appropriate follow-up action’.

Very often, internal auditors in their course of work have access to critical sensitive information,
which may adversely impact the organisation. In such a circumstance, the chief audit executive
(CAE) is required to report the information to the Audit Committee and if his/her concerns are
not taken up, the CAE should consider communicating to external parties outside the
organisation.

The decision of the internal auditor to communicate outside the normal chain of command needs to be based on a well-informed opinion that the wrongdoing is supported by substantial, credible evidence and that a legal or regulatory imperative, or a professional or ethical obligation, requires further action. Thus, internal audit acts as the means to investigate and deal with complaints, especially those related to fraud or corruption. Internal audit plays a vital role in supporting the Board of Directors or Audit Committee in their oversight role. However, the actions of whistleblowers provoke many reactions, which are often unfavourable to them.

The Institute of Internal Auditors (UK), in its Whistleblowing Policy Position Paper, states the role of the Board of Directors in ensuring that internal audit’s involvement in whistleblowing does not compromise its prime assurance function and that internal audit is adequately resourced with the necessary skills. The paper further states that where internal audit plays an indirect role, it should provide assurance on the effectiveness of the whistleblowing procedures to the Board of Directors and reserve the right to receive all whistleblowing reports. These reports would enable the internal auditor to carry out investigations into the incidents raised and to provide assurance on the internal controls in the organisation.

Advantages and Disadvantages of Whistleblowing

Benefits of Whistleblowing
• Whistleblowing will end a company’s long-standing wrongdoing and prevent further disaster to the organisation.

The whistleblowing by Sherron Watkins prevented the stakeholders of Enron from further harm. In 2001, she uncovered accounting irregularities in the financial reports of Enron and testified before the Congressional committees in 2002.

Likewise, Cynthia Cooper, the vice-president for internal audit at WorldCom, unearthed a $3.8 billion fraud at America’s second largest phone company. This was the largest incident of accounting fraud in US history.

Both Sherron Watkins and Cynthia Cooper were jointly named Time’s Persons of the Year in 2002 for exposing corporate financial scandals.

• Sharpened the rules on financial reporting by public companies.

The Sarbanes-Oxley Act (2002) requires Chief Executive Officers and Chief Financial Officers to certify that the financial accounts are true; if they are found to have certified falsely, they could face a jail sentence of 20 years.

Disadvantages of Whistleblowing

• Loss of jobs

As in the Enron case, steep financial losses and loss of jobs were not limited to its own employees. Many of the employees of the Andersen US operations who were not involved with the Enron audit were at risk of losing their jobs. Even the Andersen partners were affected by the loss of their audit clients.

• Retaliation from the management

A whistleblower is often stigmatised as “disloyal” and blamed for any wrongdoing.

Whistleblower Protection Act 2010

The Whistleblower Protection Act 2010 (Act) came into force in Malaysia on 15 December 2010 to facilitate reporting mechanisms for whistleblowing and to protect whistleblowers against retaliation. The Act only covers disclosures of improper conduct to a designated enforcement agency or agencies, which include:

• Any ministry, department, agency or other body set up by the Federal Government of Malaysia, State Governments or local governments
• Royal Malaysian Police Force
• The Malaysian Securities Commission
• The Companies Commission of Malaysia

Section 3 of Part 2 of the Act provides the following general powers to the designated enforcement agencies:

• To receive disclosures of improper conduct
• To enforce the whistleblower protection
• To deal with the disclosure of improper conduct
• To receive and deal with complaints of detrimental action
• To implement the provisions of the Act

The protection of whistleblowers and any person related to or associated with whistleblowing under Section 7 Part 3 of the Act comes in three forms:

• Protection of confidential information, such as the identity of the whistleblower (his/her occupation, residence and work address etc.); the identity of the person perpetrating the improper conduct would also be kept in confidence.
• Immunity from civil and criminal actions.
• Protection against detrimental actions.

Code of Conduct in Relation to Whistleblowing

A code of conduct is a set of principles and rules to govern the behaviour of employees in an organisation. The code serves to ‘reflect the covenant that an organisation has made to uphold its most important values, dealing with such matters as its commitment to employees, its standards for doing business and its relationship with the community’. It involves the development of a corporate ethical culture with core principles of honesty, ethical conduct and integrity.

‘The internal audit activity must evaluate the design, implementation and effectiveness of the organisation’s ethics-related objectives, programs and activities’. Internal auditors are involved in assessing the effectiveness of the code in minimising the risk of improper conduct, which includes the reporting of non-compliance to the Audit Committee.

The Sarbanes-Oxley Act of 2002 is an example of an enactment in response to the Enron and WorldCom scandals; among other things, it is designed to protect whistleblowers and mandates the establishment of a stringent corporate code of conduct. This includes Section 806 of the Act, under which employees of public listed companies who provide evidence of fraud are granted protection against retaliation and discrimination. The Act further states that should an employee feel discriminated against for reporting violations, he/she can seek relief by filing a complaint with the Secretary of Labour. The employee may be entitled to compensatory damages if the Secretary finds in favour of the case.

Generally, the code of conduct and whistleblower policy should include the following:

a) Introduction of the policy

Directors, officers and employees of an organisation are required to observe the highest standards of business and personal ethics in conducting their duties and responsibilities. They are also responsible for reporting any violations or suspected violations of the code and shall be protected from any harassment, retaliation or adverse employment consequences.

b) Issues that the code will address:

• Conflicts of interest
• Confidentiality
• Full, fair, accurate and timely disclosures of relevant facts in all reports
• Compliance with all applicable governmental laws, rules and regulations
• Prompt internal reporting of any illegal or unethical behaviour
• Personal accountability in adhering to the code

c) Reporting of violations

In most cases employees are encouraged to report to their supervisor or anyone in management
or the Compliance Officer directly. Supervisors and managers shall report suspected violations
to the Compliance Officer.

d) Appointment of a Compliance Officer

A Compliance Officer is responsible for investigating and resolving all reported complaints
concerning suspected violations of the code. The Officer shall then report the matter to the Audit
Committee.

The Officer is also responsible to acknowledge the receipt of the reported or suspected violation
within a specific number of working days. All reports shall be promptly investigated and
appropriate corrective actions shall be taken.

e) Acting in good faith

Complaints on suspected violations of the code must be made in good faith, with the complainant believing that the information disclosed is true and correct. Unsubstantiated allegations will be viewed as a serious disciplinary offence.

f) Confidentiality of reports

An assurance that all reports of violations or suspected violations shall be kept in confidence.

g) Protection afforded to whistleblowers

Lastly, an assurance that any employee who reports in good faith shall be afforded protection from harassment, retaliation or adverse employment consequences.

Definition of Environmental Auditing

The role of environmental auditing has grown in importance in the last two decades. Many top officials in various industries are beginning to realise the contribution of environmental audit in managing the environmental risks of their respective entities. The Institute of Internal Auditors (IIA) Research Foundation defines environmental audit as ‘an integral part of an environmental management system whereby management determines whether the organisation’s environmental control systems are adequate to ensure compliance with regulatory requirement and internal policies’. It involves a systematic, documented and objective evaluation of relevant audit evidence to determine whether the organisation’s activities conform and comply with audit criteria and other relevant environmental regulatory requirements.

An environmental audit may have broad coverage on organisational activities and areas,
including operational procedures, feasibility studies, business activities, buildings, industrial
and commercial developments and industrial hazards. There are also various types of
environmental audits, all of which have the main objective to determine whether the entity’s
environmental management system conforms to planned arrangements for environmental
management, including the requirements of relevant regulations and any applicable
international standards.

Objectives of Environmental Auditing

The objectives of environmental auditing activities may differ between organisations. The level of comprehensiveness of an audit is based on the goals and objectives established by management of the organisation. In general, the decision on the environmental audit objective is determined after considering the interests of all stakeholders, such as the government, customers, suppliers, employees and the community at large. Some of the objectives that could be included in environmental audit programs are:

1. evaluation of the environmental management systems;
2. compliance with the company’s environmental policies and procedures as well as relevant environmental laws and reporting requirements;
3. procedures for handling and storage of raw materials;
4. manufacturing processes used in production plants;
5. facilities and programs established for the treatment, storage, or disposal of liquid effluents, solid waste materials and/or hazardous wastes;
6. procedures for minimising noise pollution as well as air-based emissions in the surrounding area;
7. environmental risks and liabilities of property acquisitions and divestitures;
8. pollution prevention and waste minimisation programs; and
9. types of building materials and maintenance procedures used at the sites.

It is important to note that the objective of a comprehensive environmental audit program should not be limited to areas under compulsory regulatory compliance. In some companies, management may establish several environmental protective measures that go beyond the regulatory requirements. For example, instead of merely complying with the regulated waste disposal and clean-up procedures, an organisation may proactively introduce a continual waste minimisation program as part of its environmentally friendly management effort.

Advantages of Environmental Audit

An environmental audit examines the impact of an organisation’s activities on the environment. Being one of the crucial pillars of an environmental management system, environmental audit brings several advantages to an organisation, which include:

1. Avoid negative publicity and be assured of a worthy reputation as one of the good corporate players to stakeholders such as bankers, potential investors, customers, suppliers and shareholders.
2. Improve eco-efficiencies by adopting cleaner and environmentally friendly activities.
3. Increase employee awareness of the company’s environmental responsibility.
4. Manage environmental risk effectively and comply with relevant environmental legislation.
5. Lower the risk of regulatory punishment for potential environmental breaches, as the likelihood of regulatory action is effectively reduced.
6. Serve as an ongoing monitoring mechanism to maintain compliance as well as identify opportunities for continued improvement.
7. Safeguard against environmental disasters or emergencies. The entity would also be better prepared to respond to any environmental crisis due to the existence of audit documentation.
8. Enhance corporate attractiveness, which may bring long-term financial benefits in terms of customer loyalty or securing profit opportunities, especially in countries with stringent environmental regulations where environmental considerations are heavily emphasised.

Examples of Environmental Audit in a Manufacturing Company

Operation Site Compliance Audits

This type of audit examines specific operation sites of a company to evaluate its ongoing environmental practices. The assessment is done based on the applicable government regulations as well as the environmental policies established by the company. Among the components of this audit is the assessment of processes related to the treatment, storage and disposal of hazardous and non-hazardous materials used in the manufacturing process.

Pollution Prevention Audit

The auditor will attempt to identify opportunities to alter existing manufacturing processes that would result in the reduction and/or elimination of waste or pollution by-products. The audit may include examining the effectiveness of previous pollution prevention efforts practised by management, to seek opportunities for continuous improvement in minimising the emission of harmful substances into the environment.

Transactional Environmental Audit on Asset Transfer

The assigned auditor will have the task of measuring any potential environmental risk associated with an asset transfer. This type of audit is very important to avoid the possibility of acquiring an environmental liability as a result of an asset acquisition. Opinion(s) and/or recommendation(s) resulting from this audit are regarded as critical insight(s) for top officials of a company before deciding on any property transfer and acquisition.

Product Audits
It is important for a company to make sure that all its products comply with relevant governmental requirements, particularly those related to the composition of raw material substances, chemical usage and recycling regulations. Apart from ensuring regulatory compliance, product audits may also help the company to boost consumers’ confidence about product safety and other environment-related issues.

Environmental Liability Accrual Audits
The purpose of this audit is to identify and report the existence of any liability accruals for all
known environmental issues related to a company. The findings of this audit are yet another
significant input for top management of the company. In addition, the acknowledgement of these
liabilities in the financial statements will also meet the requirements by the Securities and
Exchange Commission.

Environmental Audit Report

A company disclosing information about its environmental practices allows stakeholders to make informed decisions about the adequacy and the impact of organisational actions towards achieving sustainability (Deegan, 2009). In a similar vein, a detailed environmental disclosure has a positive impact on management’s reputation (Simnett et al., 2009). Generally, an environmental audit report highlights the achievement of an organisation in view of its environmental goals and objectives as outlined in its environmental policy and its environmental management system. Ideally, the report outlines (1) the positive aspects of an organisation’s environmental performance, (2) any deficiencies or weaknesses found in the current environmental management practices, and (3) a proposal for improvement opportunities or recommendations concerning the weaknesses identified earlier during the audit.

The results of an environmental audit are normally released to all departments of the organisation to strengthen overall organisational commitment towards the environment. In some companies, yearly summaries of environmental audit findings are prepared and presented to the Board of Directors. The information obtained from the audit is also made available to external stakeholders such as consumers, suppliers, regulators and the community to ensure that their specific environmental concerns and needs are being satisfied.

Environmental Management Systems (EMS)

Globally, an increasing number of organisations are giving more attention to environmental issues in achieving sustainable growth. In general, more effort is put into avoiding any environmental impact from the production process, over and above producing environmentally friendly products. Many organisations have also adopted Environmental Management Systems, which provide a systematic approach for an organisation to achieve its intended outcomes of providing value for the environment, gaining a competitive advantage and earning the trust of stakeholders (Darnall and Kim, 2012).

An EMS can be defined as a systematic process to prescribe and implement environmental objectives, policies and responsibilities, including regular audits to monitor the performance of each element in the environmental management system. An EMS is also regarded as a set of comprehensive, transparent and efficient management processes with the ultimate aim of enabling an organisation to continually reduce its unfavourable impact on the natural environment. It prescribes specific competencies, behaviour, procedures and demands for the implementation of operational environmental policies throughout the organisation.

The most popular standard for EMS is ISO 14001 of the International Organization for Standardization (Jones et al., 2012). In Malaysia, the national standard for EMS is identified as MS ISO 14001:2015. Among the benefits of adopting ISO 14001 are improvements in both organisational and environmental performance (Salim et al., 2018). This Standard underlines the necessary requirements and guidelines for any organisation to improve its environmental performance through more efficient use of resources and reduction of waste. Upon application, an organisation will go through several procedures such as an adequacy audit, a compliance audit, the certification process and yearly surveillance. By complying with the Standard, an organisation acts in accordance with the legal requirements set out by the Environmental Quality Act 1974 (Act 127) and the relevant regulations.

Four Pillars of EMS Adoption

Netherwood, A. (1998) identified four pillars which form the foundation for EMS adoption. See Figure 11.2: Four Pillars of EMS Adoption for illustration.

1. A written environmental policy

The first pillar of EMS adoption is the establishment of a written environmental policy. The existence of such a policy is very important to express a holistic organisational commitment towards responsible environmental management. The policy also represents an organisational pledge to comply with all relevant environmental legislation. In other words, the policy shall reflect management’s continuous environmentally friendly efforts throughout its organisational activities, including strategic planning, project implementation, product offerings and services. Through the establishment of an environmental policy, an organisation shares its beliefs and values on the significance of conserving the environment while safeguarding financial returns from its investment.

[Figure 11.2: Four Pillars of EMS Adoption. The four pillars shown are: Environmental Policy; Performance Indicators and Goals; Environment Training Program; Environmental Audit.]

Figure 11.2 Four Pillars of EMS Adoption

2. Environmental performance indicators and goals

The second pillar of EMS adoption is the creation of environmental performance indicators and goals. It shows continuous organisational commitment to implement and give effect to the environmental policy established earlier. Management will find ways to translate its written environmental pledge into actions by identifying its environmental impacts and setting management objectives and targets for achieving its environmental goals.

3. Environment training program

The third pillar refers to the environmental training program. It represents the adopter’s efforts to ensure that employees possess the right understanding and share the same view of the organisation’s concerns for the environment. The main objective of the training program is to develop the necessary expertise and competency to ensure that all activities of the organisation are acceptable within the applicable environmental laws and regulations. This will include the creation of an enhanced management and communication structure, both within and outside the organisation, to inculcate environmental concern among the people.

4. Environmental audit
The fourth EMS pillar, environmental audit, is indispensable and critical to ensure continuous
environmental improvement within the organisation. It serves the organisation by periodically
evaluating and recommending appropriate solutions and corrective measures to address any
identified weaknesses or discrepancies within the environmental management program. A more
detailed discussion on environmental audit is found towards the end of this chapter.

It is important for an EMS adopter to embrace all four pillars. Failure to execute any one of these components will restrain the EMS’s ability to achieve its full potential. For example, failure to implement environmental audits may prevent the organisation from rectifying any discrepancies or weaknesses that exist within its environmental management system, thus hampering the EMS’s ability to ensure continual environmental improvement. In a similar vein, forgoing an environmental training program for employees may lead to a lack of a collective view on the importance of environmental concerns among the people within the organisation, thus lowering the chances of successfully integrating the EMS deeply within the organisation.

An excellent example of an EMS adopter in Malaysia is Sumirubber Malaysia Sdn Bhd, a well-known leading manufacturer of high quality latex-based gloves under the Sumitomo Rubber Group. This company strongly believes that excellent environmental management ultimately helps the company to gain better acceptability in the market. For about 30 years, Sumirubber Malaysia has continued to earn the trust of society through the introduction of environmentally friendly products while consistently minimising the impact of its production process on the environment. In line with its environmental policy, Sumirubber Malaysia emphasises energy conservation, waste reduction, compliance obligations, emergency preparedness and the promotion of recycling activities. Apart from extensive environmental auditing programs, the company has also made environmental training one of its top priorities through the development of rigorous training programs, ranging from basic awareness courses to specific MS ISO 14001:2015 training. In order to continuously promote and elevate environmental awareness throughout its organisation, Sumirubber Malaysia has made several conservation and social contributions such as the annual Mudball Program and Mangrove Tree Planting.

Another outstanding example of an EMS adopter is the Fujitsu Group, the leading Japanese information and communication technology (ICT) company. It offers a full range of technology products, solutions and services in more than 100 countries. With approximately 140,000 staff throughout the world, the Fujitsu Group is considered the largest IT service provider in Japan and the 7th largest in the world. As a responsible corporate citizen, the Group takes a leading role in sustaining the well-being of society through its business activities. The top management of the Fujitsu Group has made it clear that environmental protection is of the utmost importance in creating a sustainable environment for future generations.

Fujitsu Group was upgraded to a worldwide integrated ISO14001:2015 in 2018. It established its
environmental policy based on the principles and guidelines set forth in the Fujitsu Way. With
clear environmental goals set for all of its business areas, the Group conducts its business
activities in a sustainable manner. (See Exhibit 11.1: The Fujitsu Way; Philosophy and Principles).

“Being environmentally friendly is a pre-requisite to remaining viable as a company. We must be committed to this basic policy and implement it consistently and continuously”

Hiroaki Kurokawa, 12th President

Figure 11.3 The Fujitsu Group’s DNA

Exhibit 11.1 The Fujitsu Way; Philosophy and Principles

Among the green initiatives taken by the Fujitsu Group is the introduction of the Fujitsu Green Procurement Policy. The policy shows the Group’s commitment to implementing Green Procurement throughout its supply chain. From the earliest stage of development, all Fujitsu products have incorporated energy conservation concepts in their design and material selection. These green initiatives are introduced to ensure that its customers are offered eco-friendly products that ultimately reduce the burden on the environment. Interestingly, Fujitsu also works together with its customers in protecting the global environment. The company supplies its customers with environmental solutions, incorporating the know-how and innovative technology it developed for its own environmental countermeasures.

Commitments for a Successful EMS Adoption

Implementing a successful EMS depends heavily on collective commitments and exhaustive efforts by management and employees within the organisation, including but not limited to the following.

1. To ensure that all organisational activities comply with the relevant governing standards and
regulatory requirements on environmental protection, locally as well as internationally.
2. To monitor continuous improvement efforts on environmental performance through
efficient organisational planning, economic investment and the necessary technological
measures. This ensures that environmental concerns become an integral part of the
organisation’s planning and decision-making process. Employees should also be
encouraged and empowered to give ideas or suggestions for improvement.
3. To allocate sufficient resources for educating employees on environmental concerns, such
as staff environmental awareness as well as accountability and training programs. It is
important to emphasise that an appropriate level of competency, accountability and
awareness of environmental issues among staff has a significant impact on the success
of an environmental management program.
4. To establish a code of ethical conduct on environmental issues, which should be observed
by everyone in the organisation as an indicator of the ongoing commitment to
environmental issues.
5. To practice and promote the efficient use of energy resources through cost-effective
conservation and energy management programs, including research and development
projects aimed at minimising and mitigating unfavourable environmental impacts
caused by operations; for example, introducing new environmentally friendly
technology in the production plant that eliminates the emission of harmful greenhouse
gases.
6. To place sound environmental stewardship in all company-owned facilities and
properties by setting clear principles on how authority and accountability are delegated
within the organisation. This includes an emphasis on environmental risk
management activities to meet the requirements of the environmental policy and
applicable legal regulations.
7. To have the ability to execute emergency-response plans whenever necessary, as well as
to implement appropriate restoration programs for any adverse environmental impacts
caused by the organisation’s activities.
8. To ensure that all wastes, including confiscated materials, electronic equipment, chemicals,
solid and biological wastes, are handled and disposed of in an efficient and proper manner
consistent with the applicable environmental regulations and policies.
9. To evaluate environmental performance through periodic reviews and audits in order to
rectify any weaknesses or discrepancies and, ultimately, meet the objectives of EMS
adoption.

Summary
Explain the components of the COSO Enterprise Risk Management 2017 framework and
compare them to the ISO 31000:2018 risk management — Principles and Guidelines. How does
an organisation assess risk? Give specific examples based on an organisation which operates in
the retail industry.

Self-Review Questions

1. Define an environmental audit.
2. Discuss the benefits of performing an environmental audit.
3. Describe your understanding of the Environmental Management System (EMS).
4. Illustrate the importance of the environmental policy as one of the four pillars for EMS
adoption.
5. Discuss the commitment needed for a successful EMS adoption.


Appendix 1: Sample of Audit Program

AUDIT PROGRAM

A. Audit Objectives and Scope


The main purpose of this review is to assess design adequacy and operating effectiveness of the internal
controls surrounding the payroll processes and identify process improvements. Objectives of the current
review include the following:

⚫ Evaluate controls to ensure that only legitimate employees are paid at the correct and authorised
rate.
⚫ Evaluate access controls and segregation of duties within the payroll function.
⚫ Evaluate controls to ensure pay and deduction is accurately calculated and disbursed timely.
⚫ Evaluate controls to ensure payroll data is accurately recorded and presented in the general ledger.
⚫ To ensure that the company is complying with all statutory laws and regulations in all payroll
matters.

Additionally, the audit also aims to provide assurance to management on the completeness of
implementation of the agreed-upon solutions from the previous payroll audit, which was conducted in
2009, and to evaluate management’s efficiency in addressing the highlighted issues.

B. Methodology
The audit program was structured to include a review of previous audits, documentation
reviews, interviews and testing. Data analytics were used as part of testing to examine a large
volume of pay transactions to identify patterns and anomalies. All pertinent information from
the last audit was utilised to obtain our understanding of the payroll process, since there have been
no significant changes in policies and procedures, organisational structure or the payroll system.

A risk and control matrix was then developed to include the following understanding and
procedures:
⚫ Objectives of each payroll activity;
⚫ Key risks inherent to each process;
⚫ Expected and existing controls for mitigating the risks identified.

C. Audit Procedures
We performed specific tests related to the risks and controls identified to evaluate whether the
controls were designed adequately and operating effectively to mitigate the risks. At the conclusion of
our audit, the observations were summarised and management’s response was incorporated into our
report.

Detailed Audit Programme

i) Risk and Control Matrix

Columns: Payroll Activity and Objectives | Process-level Risks | Risk Score** (Impact × Probability:
Impact, Probability, Total) | Expected Controls

1. Recruitment and resignation of employees

Objectives:
✓ Only valid employees are recorded and paid.
✓ Employees are correctly classified as exempt and non-exempt.
✓ All new employees are added to the payroll master files timely.
✓ Terminated or resigned employees are removed from payroll master files timely.
✓ Employees are paid and terminated within statutory and union requirements.

Process-level Risks (Impact / Probability / Total):
a) No proper segregation of duties, authorisation and monitoring may result in: paying fictitious
employees; paying terminated and resigned employees; paying current employees who have
not worked. (3 / 3 / 9)
b) The company can be at risk of lawsuits, civil penalties or internal complaints if they violate the
related federal or state regulations (i.e. Labour Act or minimum wage laws) in salary structure
and other payroll matters. (3 / 2 / 6)

Expected Controls:
a) Each payroll process is performed by a different person and properly authorised before master
files are updated and payment released.
b) Payroll system interfaces with HR information system that can trace valid current employees
and time worked. HR and payroll personnel are well trained in payroll administration and
routinely monitor federal and state labour policies, laws and regulations to avoid
non-compliance (i.e. base-pay process, salary structure and adjustment).

2. Calculation of payroll and deduction

Objectives:
• Payroll is accurately calculated and paid at the correct and authorised rate (exempt and
non-exempt).
• Taxes and other statutory deductions are accurately computed and paid timely.

Process-level Risks (Impact / Probability / Total):
a) Error in calculation of payroll and deduction due to huge number of hourly paid (non-exempt)
employees (40% of total staff) with frequent transaction (bi-weekly pay) and various
deductions. (2 / 3 / 6)
b) Failure to pay on time, under/overpayments or unlawful deductions may result in internal
complaints or union claims if it happens to non-exempt employees. (3 / 2 / 6)
c) When tax amount or other statutory deductions are incorrectly computed, withheld or reported
to authorities (wrong declarations and sent with delay), this may incur civil penalties or
fines. (3 / 2 / 6)

Expected Controls:
a) Calculation of payroll and deductions are automated through payroll system and are linked to
HR information system (payroll master files and attendance system) without manual
intervention. Payroll system is programmed to correctly calculate payroll including overtime
and withheld amounts.
b) Hours worked by non-exempt employees are reviewed and authorised by HOD before being
submitted to payroll department and supported by justification and approved timesheets.
c) Payroll withholding tables are properly set-up and reviewed before processing. HR/payroll
personnel are well-trained in taxes computation (right percentage applied and legislative
changes properly updated) to ensure proper preparation of Tax Returns/Declarations and
submission in due time to avoid penalties.

3. Disbursement of payroll

Objectives:
• Payroll is disbursed on time.
• Payroll disbursements including overtime reflect actual time worked and are properly
authorised.

Process-level Risks (Impact / Probability / Total):
a) Insufficient amount of available balance in payroll imprest account will lead to delay in
disbursing payment on time. (2 / 3 / 6)
b) If delay in disbursing payment of payroll occurs frequently, it may result in employees’
dissatisfaction and a high turnover rate. (3 / 2 / 6)
c) Failure to identify multiple payroll inputs may result in duplicate payments to the same person
by mistake or intentionally (fraud). (3 / 2 / 6)

Expected Controls:
a) Payroll imprest account is regularly monitored to ensure sufficient funds are available to cover
payroll expenses. Deposits are reserved and transferred from general account on a monthly
basis and are equal to the net expected pay to employees and statutory bodies for deductions
made.
b) The payroll system is set-up to run automatically bi-weekly so that the pay process is without
delay.
c) Payroll (net pay) is directly deposited into employee’s bank account via an electronic payment
file generated by the payroll system.
d) The payroll system is set-up to flag any duplicate payments for the manager to review prior to
disbursement.

4. Recording and reporting payroll data

Objectives:
• Payroll data is accurately accounted in the accounting system and presented in the general
ledger.
• Payroll is recorded in the appropriate period.
• Confidential employee information is appropriately safeguarded, limiting the liability
exposure and reputational decline.
• Unauthorised access to the payroll system and sensitive data is adequately prevented.

Process-level Risks (Impact / Probability / Total):
a) Incorrect accounting record that is caused by wrongly keyed-in data or system error may
result in wrong decision making by the management. (3 / 2 / 6)
b) Lack of effective logical security practices may create opportunities for unauthorised persons
to access and manipulate data for profit or destructive motives that can cause data corruption,
loss in reputation, loss of competitive advantage or legal consequences. (3 / 3 / 9)

Expected Controls:
a) A review of accounting records and reconciliation is done once a month by the Finance
Manager to validate the correct accounts used and to ensure payroll data corresponds with HR
data and general ledger.
b) Logical security is properly administered by IT personnel at least once a year, which is to
include a review of access rights to the payroll system.

**Risk Rating / Score:

Score         Low    Medium   High
Impact        1      2        3
Probability   1      2        3
Total         1–3    4–6      7–9

*Management tolerance level is not more than 3 points of total risk scores

i) Design Adequacy

Columns: Process Flowchart | Existing Controls | Expected Controls | Gap of Design Adequacy

1. Recruitment and resignation of employees

Process Flowchart:
• When an employee joins or resigns, the employee’s particulars must be updated in the
employee’s master file input form.
• After filing or updating, the master file input form must be verified by a superior.
• Sent to manager for approval.
• Updated in the Payroll system.

Existing Controls:
• Payroll functions are performed by different departments, namely:
  – HR department establishes base-pay, enters data records for new employees, maintains
    personnel records including withholding data tables and processes employee status
    changes (promotion, demotion, increment etc.).
  – Payroll department processes bi-weekly pay via paycheques to all employees.
  – Finance department maintains record keeping of payroll expenses including reconciliation
    report.
• Policies and procedures are in place and are in accordance with statutory and regulatory
requirements for payroll processes from the entry phase throughout the employment phase up
to the exit phase including user access management.

Expected Controls:
• Each payroll process is performed by different persons and properly authorised before master
files are updated and payment released.
• The payroll system interfaces with HR information system that can trace valid current
employees and time worked.
• HR and payroll personnel are well trained in payroll administration and routinely monitor
federal and state labour policies, laws and regulations to avoid non-compliance (i.e. base-pay
process, salary structure and adjustment).

Gap of Design Adequacy:
a) Improper segregation of duties for user access in the KiraGaji system.
b) KiraGaji is a standalone system whereby it does not interface with HR information system.
c) No gap in policies and procedures as well as payroll personnel training.
Conclusion: Existing controls are inadequate to manage the risks to an acceptable level. Refer to
observation no. 3.

2. Calculation of payroll and deductions

Process Flowchart:
• Time Recording: recording of hours worked by timesheets, clocking-in and out arrangement,
recording of changes in pay rates, recording of advances and other deductions, paid leave and
so on.
• Checking: time-in and out for work, excessive break taken, leave supported with valid approved
leave form. Medical claims supported with genuine medical certificates. Overtime is properly
claimed.
• Calculation of Wages: basis for compilation of payroll, preparation, checking and approval of
payroll.
• Sent to manager for approval.

Existing Controls:
a) KiraGaji system runs the payroll calculation including overtime and deduction once data are
entered. However, the system is not integrated with the attendance system to automate the
overtime calculation.
b) Payroll for hourly paid employees is processed based on timesheets approved by HOD.
c) Deductions/withholding tables are set-up by the HR department after receiving election forms
from employees and regularly checked by the HR manager. A copy of the election form is kept
by the payroll department to cross-check the figure. Any adjustments will be updated in the
system.

Expected Controls:
d) Calculation of payroll and deductions are automated through payroll system and are linked to
HR information system (payroll master files and attendance system) without manual
intervention. The payroll system is programmed to correctly calculate payroll including
overtime and withheld amounts.
e) Hours worked by non-exempt employees are supported by justification and approved
timesheets, which are reviewed and authorised by HOD before submitting to the payroll
department.
f) Payroll withholding tables are properly set-up and reviewed before processing.
g) HR/payroll personnel are well trained in taxes computation (right percentage applied and
legislative changes properly updated) to ensure proper preparation of Tax Returns/Declarations
and submission in due time to avoid penalties.

Gap of Design Adequacy:
a) KiraGaji is a standalone system whereby it does not interface with HR attendance system to
identify the time worked. Manual intervention is involved to validate hours worked based on
approved timesheets submitted by employees.
b) No gap observed in processing of withheld amounts.
Conclusion: Existing controls are inadequate to manage the risks to an acceptable level. Refer to
observation no. 1.

3. Disbursement of payroll

Process Flowchart:
• Preparation and authorisation of cheques and bank transfer file.
• Comparison of cheques and bank transfer list with payroll.
• Maintenance and reconciliation of wages records.

Existing Controls:
a) Payroll imprest account is established separately to process payroll cheques for better control
of payroll expenses.
b) Deposits from general account are transferred to the imprest account on a daily basis to cover
any cheques presented.
c) KiraGaji system is programmed to run the bi-weekly pay process automatically on the 15th
and 30th of each month if no adjustment is keyed in.
d) KiraGaji system is programmed to flag any payments to identical employees (with the same
identification – name, IC no or bank account) for the manager’s review prior to disbursement.

Expected Controls:
a) Payroll imprest account is regularly monitored to ensure sufficient funds are available to cover
payroll expenses. Deposits are reserved and transferred from general account on a monthly
basis and are equal to the net expected pay to employees and statutory bodies for deductions
made.
b) The payroll system is set-up to run the bi-weekly pay automatically without delay.
c) Payroll (net pay) is directly deposited into employee’s bank account via an electronic payment
file generated by the payroll system.
d) The payroll system is set-up to flag any duplicate payments for the manager’s review prior to
disbursement.

Gap of Design Adequacy:
No proper Standard Operating Policy and Procedure is set up for the disbursement of payroll.
Conclusion: Existing controls are inadequate to manage the risks to an acceptable level. Refer to
observation no. 2.

4. Recording and reporting payroll data

Process Flowchart:
• Compiling of overall payroll records for financial and management reporting purposes.
• Reconciliations are carried out to make sure there are no unexplained or untimely variances.
• Maintenance of payroll recording and reporting.
• Sent to manager for approval.

Existing Controls:
a) Payroll control reports have been designed and implemented to ensure correct payroll process
and help identify potential fraud, which include:
  • Report of staff changes on a monthly basis from HR department (new hires and leavers for
    the month).
  • Payroll overview total amount report (summary of gross pay, deductions, net pay), including
    a comparison to the previous month’s amount.
  • Multiple payments to the same account.

Expected Controls:
a) A review of accounting records and reconciliation is done once a month by the Finance
Manager to validate the correct accounts used and to ensure payroll data match the HR data
and general ledger.
b) Logical security is properly administered by IT personnel at least once a year, which is to
include a review of access rights to the payroll system.

Gap of Design Adequacy:
Logical security is not properly set up to protect against unauthorised access to payroll data.
Conclusion: Existing controls are inadequate to manage the risks to an acceptable level. Refer to
observation no. 4.
Test Plans and Results

Columns: Testing Approach | Detailed Audit Testing | Audit Testing Conclusion

1. Recruitment and resignation of employees

Testing Approach: Procedures are in place for HR processes including payroll processing from the
entry phase to the employment phase up to the exit phase including user access management.
Detailed Audit Testing: Obtain the SOP and interview the personnel on the processes and the
control.
Audit Testing Conclusion: User access procedures for employees from user creation, modification
and deletion are incorporated as part of the HR procedures.

Testing Approach: New hiring should be approved as per company policies. The pay scale or basic
salaries should be verified to ensure they are approved according to company policy.
Detailed Audit Testing: Verify the additions to payroll (new employees hired during the month).
Audit Testing Conclusion: The process is as per HR policies.

Testing Approach: Process is in place to determine if a worker will act as employee or contract
employee and verification of job requirements and duties are performed accordingly. Ensure
screening and background checks are performed to shortlist qualified applicants, which also
helps to screen out “ghost” and unneeded candidates.
Detailed Audit Testing: Review job description. Advertise, screen and interview. Ten samples of
employee files were obtained and checks were performed on the following for each employee’s
record:
• Examination for completeness, authorisation
• Compare pay rates, deductions
• Trace from register to employee records
Audit Testing Conclusion: Ten sample records are sufficient.

Testing Approach: Payments for payroll-related services are being made to valid employees for
time actually worked. Controls must be in place to ensure that no payments are made to
fictitious or ‘ghost’ employees and payments to valid employees are stopped once the employee
is terminated.
Detailed Audit Testing: Check that a resigned employee is properly removed from the payroll.
Audit Testing Conclusion: No resigned employees in the payroll system.

Testing Approach: The resignation checklist should be updated to include the removal of user
access for the related system.
Detailed Audit Testing: Review the resignation checklist. Obtain a few samples to check whether
there is proper endorsement from the IT Department.
Audit Testing Conclusion: Thirty samples were selected, mainly 5 samples from Finance, 5 from
IT department, 5 samples from HR and 10 from operations. The review noted that the IT
department will disable the user access upon receiving the form, thus immediately blocking
leavers from accessing the company’s system. The user access will be deleted within 7 days.

Testing Approach: Exit interview and resignation checklist should always be performed, completed
and followed-up if required on all resigned/terminated staff.
Detailed Audit Testing: Review the exit interview and resignation checklist for completeness.
Audit Testing Conclusion: The exit interview and resignation checklists are performed and
completed as per HR policy.

2. Calculation of payroll and deductions

Testing Approach: Ensure that all benefits and deductions (employee loan, retirement plan,
contribution to charitable organisation and PACs, tax etc.) are computed correctly by validating
and performing a check on the following:
• Verification of payroll amounts and benefits calculations.
• Agreement of gross earnings and total tax deducted with taxation returns.
Detailed Audit Testing:
• Recalculate benefits and deductions for a sample of employees.
• Inspect documentation for evidence of management’s review.
Audit Testing Conclusion: Inaccuracies in the salary payments, as numerous errors were noted in
the calculation of contract employees’ pay and some of the deductions were not included for
salaried employees. Refer to Observation 1.

Testing Approach: Check whether payroll transactions are correctly recorded in the accounting
system. The following should be validated:
• Changes to master payroll file are verified before and after reports.
• Payroll master file is reconciled to general ledger.
Detailed Audit Testing:
• Review reconciliation of before and after reports to payroll master file.
• Review reconciliation of payroll master file to general ledger. Confirm whether discrepancies
are followed-up promptly and resolved.
Audit Testing Conclusion: Refer to Observation 1 and 4.

Testing Approach: Extract the overtime reports and perform test of controls on overtime recorded
in the payroll, verify that all overtime is approved by the appropriate manager and so on.
Detailed Audit Testing: Observe employee and management use of time clock and time cards.
Trace a sample of time cards to payroll accounting records for those employees.
Audit Testing Conclusion: Employees who turned in a clock card were paid. However, there was
high manual intervention involved in computing the hours as highlighted in Observation 1.
Overtime hours were submitted in bulk to payroll, which raised concerns over accuracy of
overtime reported and matching of payroll expenses with overtime worked.

Testing Approach: Employees being paid must have active personnel files.
Detailed Audit Testing: Select a sample of employee files from payroll accounting. Cross-reference
this information to related personnel files.
Audit Testing Conclusion: This procedure addresses the auditor’s concern regarding nonexistent
employees or ‘ghost’ employees.

3. Disbursement of payroll

Testing Approach: Payroll imprest account should have sufficient funds to cover all payroll
expenses.
Detailed Audit Testing: Obtain and review the bank statement of the payroll imprest account.
Perform analytical procedures using ACL to check disbursement date, transaction and amount
involved and observe any overdraw or delay in disbursement as compared to the requirement
stated in the company policy.
Audit Testing Conclusion: Insufficient funds noted in the imprest account from January 2012 to
May 2012. In November 2012 there was an excess of 60% in the imprest account. Refer to
Observation 2.

4. Recording and reporting payroll data

Testing Approach: Payroll transactions are properly classified in the financial statements.
• Chart of accounts.
• Independent approval and review of payroll and accounts charged to payroll.
• Payroll budgets in place and reviewed by the management.
Detailed Audit Testing:
• Review chart of accounts.
• Review procedures for classifying payroll costs.
• Review budgeting procedures.
Audit Testing Conclusion: Although procedures are in place, audit could not ascertain whether the
information is correctly reflected in the financial reporting, as discrepancy and inaccuracy were
noted in the GL system.

Testing Approach: The organisational structure for HR, Payroll and Finance is formally defined
with clear segregation of duties (job descriptions) and responsibilities to support business
objectives and goals.
Detailed Audit Testing: Access to the payroll system should be segregated and given to authorised
personnel only.
Audit Testing Conclusion: Refer to Observation 3.

ii) Observations

Observation 1: Inaccuracy of pay due to frequent (bi-weekly pay) and tedious transactions (overtime
calculation and various deductions).

Criteria:
The calculations of all payments and deductions should be correctly calculated and accounted for, as
well as in accordance with the relevant taxation and other regulations and requirements.

Conditions:
At the time of review, employees are paid on a bi-weekly basis. The department has about 4,400
employees, which consist of 2,700 salaried employees and 1,700 contract employees that are paid
hourly. Contract employees’ earnings are depicted in the following table:

Pay earned          Hours in a pay period
Standard pay        80 hours
Time and a half     Additional 20 hours in a pay period
Double time         Exceeding 100 hours in a pay period

In addition, for salaried employees, various deductions such as employees’ loan, contribution to
long-term retirement plans and political action committees (PACs), as well as taxation, are included
in the bi-weekly pay.
Although the department has implemented the KiraGaji payroll system, most of the computation still
involves a high level of manual intervention, which is prone to human error and inefficiency.
Specifically:
• For payroll, the bi-weekly input of overtime data involved manual computation of hours and rates
of about 500 to 600 applications before keying into the KiraGaji System.
• Although the KiraGaji system has a direct interface with the General Ledger system, the data
analytics used showed discrepancies, especially in payments to contract staff. Specifically, there
were 465 records with discrepancies. Payroll for hourly-paid employees is processed based on
timesheets approved by HOD, and there are three different calculations from different criteria to
compute pay earnings. A further check of 20 samples noted inaccuracies between the
timesheet/clock-card and the amount from the system for nine samples.
• A separate system is used to compute staff loans. Furthermore, the loan system is not interfaced
with the General Ledger (GL); the journal entries for posting to the GL are manually keyed into
Excel spreadsheets for update by Finance.

Causes:
• Frequent payment of salary (bi-weekly basis) and tedious transactions for deductions.
• Complexity of pay earning calculations for contract staff.
• High level of manual intervention in payroll processing.

Effects:
• As there is no system to enforce dual controls and no audit trail report to highlight changes in
KiraGaji, the input accuracy and completeness of the overtime data may not be ascertained.
• The current process is prone to human error and there is the risk that input errors may not be
detected on a timely basis.
• Whenever there are adjustments, there is a risk that these adjustments may be inaccurately
documented by the respective Managers and/or processed by Payroll.
• The salary amounts paid to individual employees were not in accordance with the correct pay rate.

Recommendations:
• It is recommended that bi-weekly payroll processing be revisited and revised to monthly payment.
This would eliminate the need for adjustments and would prevent potential errors from occurring as
a result.
• Management should also strengthen the control over the current high level of manual intervention.
Specifically:
  o An audit trail report on all changes of data should be produced before each processing cycle. A
    total amount and sample check on the individual data should be performed and reviewed by a
    staff member with no input access to KiraGaji and the Loan System to detect omissions and
    errors.
  o Management should explore the possibility of generating the journal entries directly from both
    the payroll and loan systems and uploading the information into the GL without the requirement
    for any re-input. If this direct upload is not possible, the Payroll Manager should perform the
    total amount and sample check on the individual data as an interim measure.

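The data-analytics tests described in the Test Plans (ghost employees, duplicate payments, overtime recalculation, risk scoring against the management tolerance) and the tiered contract pay from Observation 1, worked through as an added Python example; this is not code from the textbook or from any payroll system it describes. All employee records, IC numbers and bank accounts are constructed, and the pay table is read as the first 80 hours at the standard rate, the next 20 at time and a half, and hours above 100 at double time.

```python
"""Payroll audit analytics over constructed sample data (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Risk score = Impact x Probability, each 1-3; total 1-3 Low, 4-6 Medium,
# 7-9 High. Management tolerance (from the matrix): total not more than 3.
TOLERANCE = 3


def risk_score(impact: int, probability: int) -> tuple[int, str, bool]:
    """Return (total, rating, within_tolerance) for one process-level risk."""
    if not (1 <= impact <= 3 and 1 <= probability <= 3):
        raise ValueError("impact and probability must be 1, 2 or 3")
    total = impact * probability
    rating = "Low" if total <= 3 else "Medium" if total <= 6 else "High"
    return total, rating, total <= TOLERANCE


def contract_gross_pay(hours: float, rate: float) -> float:
    """Tiered pay for hourly contract staff (interpretation of Observation 1's table)."""
    standard = min(hours, 80)                    # standard pay: up to 80 hours
    time_and_half = min(max(hours - 80, 0), 20)  # next 20 hours at 1.5x
    double = max(hours - 100, 0)                 # above 100 hours at 2x
    return round(standard * rate + time_and_half * rate * 1.5 + double * rate * 2, 2)


@dataclass(frozen=True)
class PayRecord:
    emp_id: str
    name: str
    ic_no: str
    bank_acct: str
    hours: float
    rate: float
    paid: float  # amount the payroll system actually disbursed


def find_ghost_employees(payroll: list[PayRecord], hr_active_ids: set[str]) -> list[str]:
    """Payroll records with no matching active entry in the HR master file."""
    return sorted(r.emp_id for r in payroll if r.emp_id not in hr_active_ids)


def find_duplicate_payments(payroll: list[PayRecord]):
    """Distinct employee IDs sharing an IC number or a bank account."""
    by_key: dict[tuple[str, str], set[str]] = defaultdict(set)
    for r in payroll:
        by_key[("ic", r.ic_no)].add(r.emp_id)
        by_key[("bank", r.bank_acct)].add(r.emp_id)
    return sorted((k, tuple(sorted(v))) for k, v in by_key.items() if len(v) > 1)


def find_pay_discrepancies(payroll: list[PayRecord], tolerance: float = 0.01):
    """Records where the recalculated tiered pay differs from the amount paid."""
    out = []
    for r in payroll:
        expected = contract_gross_pay(r.hours, r.rate)
        if abs(expected - r.paid) > tolerance:
            out.append((r.emp_id, expected, r.paid))
    return out


# Constructed sample: one ghost employee, one shared bank account, one
# record paid without the time-and-a-half overtime.
HR_ACTIVE = {"E001", "E002", "E003", "E004"}
PAYROLL = [
    PayRecord("E001", "Aminah", "IC-0001", "BA-1111", 80, 10.0, 800.00),
    PayRecord("E002", "Chong", "IC-0002", "BA-2222", 95, 10.0, 950.00),    # expected 1025.00
    PayRecord("E003", "Raj", "IC-0003", "BA-3333", 110, 10.0, 1300.00),   # 800 + 300 + 200
    PayRecord("E004", "Siti", "IC-0004", "BA-2222", 40, 12.0, 480.00),    # shares BA-2222 with E002
    PayRecord("E999", "Unknown", "IC-0999", "BA-9999", 80, 10.0, 800.00), # not in HR master file
]

if __name__ == "__main__":
    print("risk a) segregation of duties:", risk_score(3, 3))
    print("ghost employees:", find_ghost_employees(PAYROLL, HR_ACTIVE))
    print("duplicate payments:", find_duplicate_payments(PAYROLL))
    print("pay discrepancies:", find_pay_discrepancies(PAYROLL))
```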
Observation 2: Delay in disbursement of payroll due to insufficient funds in the imprest account

Criteria
The payroll imprest account should have sufficient funds to cover all payroll expenses. Funds should be deposited for the exact amount of the total net payroll. Once the funds have been paid out to employees, the account balance should be at or near zero until the next payroll date is due.
An imprest payroll account is a separate account held by a corporation that contains funds strictly for employee payroll use. When payroll is due, funds are withdrawn from the imprest account rather than from the company's main account. The advantages of an imprest account are that it limits the organisation's exposure to payroll fraud, allows the delegation of payroll cheque signing duties, separates routine payroll expenditures from other expenditures, and facilitates cash management.

Conditions
The review noted that there were insufficient funds deposited in the imprest account, and the records show a number of instances between January 2012 and May 2012 where an additional deposit was made to avoid an overdraw on the account.
However, in November 2012 there was an excess of 60% in the imprest account. Depositing too much leaves money sitting in an account that could be redirected elsewhere in the organisation.

Causes
• Lack of monitoring of the imprest account.
• Inadequate planning and forecasting in computing the precise amount to be placed in the imprest account, which normally relies on the company's knowledge of its payroll expenditure.

Effects
• An insufficient available balance in the payroll imprest account may lead to delays in disbursing payment on time.
• Frequent delays in disbursing payroll may result in employee dissatisfaction and a high turnover rate.

Recommendation
• It is recommended that the payroll imprest account be regularly monitored to ensure sufficient funds are available to cover payroll expenses. Deposits should be reserved and transferred from the general account on a monthly basis and should be equal to the net expected pay to employees and the related deductions made.

Observation 3: Inadequate segregation of duties and user access in the KiraGaji system

Criteria
There should be appropriate segregation of duties, with separate authorising, recording and reconciling functions. These duties are typically owned or performed by different departments or personnel.

Conditions
The review of segregation of duties and user access for the various payroll functions revealed the following weaknesses:
• All Payroll Department employees have full edit and unlimited access to the Payroll Module, including access to modify salary/hourly rate fields.
• All Payroll Department employees have access to post payroll to the Finance Module, whereas access to the Finance Module should be limited to the Finance Department.
• HR employees who are not involved in payroll processing have edit access to payroll adjustments, pay types and the salary schedule.

Causes
• Lack of housekeeping of access permissions and user profiles since the system was set up by the KiraGaji vendor.
• No customised user access permissions were established for the company.

Effects
• Inappropriate access rights that do not correspond to job scope, and no proper segregation of duties surrounding compensation and the payroll function. Errors, misappropriation of payroll funds or other irregularities could occur and might not be traceable or detected in a timely manner.

Recommendations
Segregation of duties and user access should be reviewed and monitored regularly, especially when there are job or function changes. Specifically:
• Access to modify salary/rate fields should be limited to the HR Department.
• Access to process payroll should be limited to the Payroll Department. Access within the Payroll Department should be further limited according to roles and job duties.
• Access to post payroll to the Finance Module should be limited to the Finance Department, who should not be able to modify the information.
• All other access to the Payroll Module should be limited to specific authorised functions or to view-only capability.
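The access rules in the recommendations above can be applied mechanically to a user access listing exported from the payroll system, which is how an internal auditor would test Observation 3 on a larger population than a manual sample. The following is an added example, not code from the module or from the KiraGaji product; the department names, permission names, the conflicting-duty pairs and the five user records are constructed assumptions.

```python
"""Segregation-of-duties review of a payroll system user access listing.

Added example (not from the module text nor from any real KiraGaji
product).  It encodes the Observation 3 recommendations as rules and
runs them over a constructed user access listing.  Department names,
permission names and user records are all assumptions.
"""
from dataclasses import dataclass

# Constructed permission labels for the access types discussed.
MODIFY_SALARY_RATE = "modify_salary_rate"
PROCESS_PAYROLL = "process_payroll"
POST_TO_FINANCE = "post_to_finance"
EDIT_ADJUSTMENTS = "edit_adjustments"
VIEW_PAYROLL = "view_payroll"

# Which department may hold each privileged permission (per the recommendations).
ALLOWED_DEPARTMENT = {
    MODIFY_SALARY_RATE: "HR",
    PROCESS_PAYROLL: "Payroll",
    POST_TO_FINANCE: "Finance",
    EDIT_ADJUSTMENTS: "Payroll",   # assumption: adjustments are a Payroll function
}

# Permission pairs one person should not hold together
# (authorising / recording / posting must be split).
CONFLICTING_PAIRS = [
    (MODIFY_SALARY_RATE, PROCESS_PAYROLL),
    (PROCESS_PAYROLL, POST_TO_FINANCE),
    (MODIFY_SALARY_RATE, POST_TO_FINANCE),
]


@dataclass(frozen=True)
class UserAccess:
    user: str
    department: str
    involved_in_payroll: bool
    permissions: frozenset


def review_access(listing):
    """Return a sorted list of (user, finding) tuples, one per rule violation."""
    findings = []
    for u in listing:
        # Rule 1: privileged permissions only within the owning department.
        for perm in u.permissions:
            dept = ALLOWED_DEPARTMENT.get(perm)
            if dept is not None and u.department != dept:
                findings.append((u.user, f"{perm} held outside {dept} department"))
        # Rule 2: no single user holds conflicting duties.
        for a, b in CONFLICTING_PAIRS:
            if a in u.permissions and b in u.permissions:
                findings.append((u.user, f"conflicting duties: {a} and {b}"))
        # Rule 3: HR staff not involved in payroll processing get view access only.
        if u.department == "HR" and not u.involved_in_payroll:
            extra = u.permissions - {VIEW_PAYROLL}
            if extra:
                findings.append((u.user, "non-payroll HR user has edit access: "
                                 + ", ".join(sorted(extra))))
    return sorted(findings)


# Constructed user access listing (not real data).
SAMPLE_LISTING = [
    UserAccess("alice", "Payroll", True, frozenset({PROCESS_PAYROLL, VIEW_PAYROLL})),
    UserAccess("bob", "Payroll", True,
               frozenset({PROCESS_PAYROLL, MODIFY_SALARY_RATE, POST_TO_FINANCE})),
    UserAccess("carol", "HR", False, frozenset({VIEW_PAYROLL, EDIT_ADJUSTMENTS})),
    UserAccess("dave", "Finance", False, frozenset({POST_TO_FINANCE, VIEW_PAYROLL})),
    UserAccess("erin", "HR", True, frozenset({MODIFY_SALARY_RATE, VIEW_PAYROLL})),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_LISTING):
        print(f"{user}: {finding}")
```

Running it flags only "bob" (a Payroll user with unlimited access, mirroring the first weakness) and "carol" (an HR user outside payroll processing with edit access, mirroring the third); the compliant users produce no findings. Because the check is rule-driven, it can be re-run after every job or function change, which is the regular monitoring the recommendation calls for.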


Observation 4: Inadequate processing controls in payroll disbursement

Criteria
The integrity of payroll payment data should be maintained, and proper procedures should be in place to govern the use of Internet banking access.

Conditions
The current payroll process has the following weaknesses:
• For payroll payments, the Payroll Officer uploads the payroll payment data into the EasyBank2u system and prints a detailed report. The Payroll Manager reviews the total amount and sample checks individual amounts. However, the payroll payment data can be uploaded again with different payee and amount details while the control totals remain identical, so any unauthorised changes by the Payroll Officer may not be detected on a timely basis.
• The Payroll Manager, who is also one of the administrators of the EasyBank2u Internet banking system, also controls the password and security card that used to belong to a former manager. Additional access rights can therefore be granted without restriction to the security cards this Payroll Manager controls, so that funds can be transferred without additional approvals. In addition, formal procedures to manage the security cards and passwords are not in place.

Causes
• Lack of awareness of the need to strengthen access control over the Internet banking account.
• Absence of procedures for payroll processing over EasyBank2u.

Effects
Unauthorised payments may be made and go undetected.

Recommendations
Management should strengthen the payroll processing controls. Specifically:
• The total headcount and payroll amount in the KiraGaji system should be reconciled to the data maintained by the HR team and Finance. The payroll system could be enhanced with encryption technology. Alternatively, the Payroll Manager should sample check the payroll information loaded into the EasyBank2u system to obtain more assurance that the information loaded is valid.
• Segregation between the receipt of password letters and the custody of security cards should be enforced. Formal procedures for the security administration of EasyBank2u should be implemented, and a regular review of the EasyBank2u user listing should also be performed.
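Two of the control weaknesses above share a root: a reviewer who only checks headcount and total amount cannot tell that a payroll batch was changed after approval (Observation 4), and without an audit trail report the changes made between one processing cycle and the next are invisible to the reviewer (Observation 1). The following is an added example, not code from the module or from the KiraGaji or EasyBank2u systems, that shows both checks on a constructed batch: the control totals of the re-uploaded batch match the approved one exactly, while a content digest and a record-level change report expose the substituted payee. The employee ids, account numbers and amounts are constructed sample data.

```python
"""Payroll batch integrity check and change report.

Added example (not from the module text nor from any real KiraGaji or
EasyBank2u product).  Demonstrates two checks from the payroll audit
observations:
  - Observation 4: control totals (headcount, total amount) are a weak
    integrity check, since a re-uploaded batch can keep identical totals
    while redirecting payments; a digest over the content catches it.
  - Observation 1: an audit trail report of every change between the
    approved batch and the batch presented for processing, for review by
    a person with no input access.
Employee ids, account numbers and amounts are constructed sample data.
"""
import hashlib
import json
from decimal import Decimal


def control_totals(batch):
    """Headcount and total net pay, as read off a summary report."""
    return len(batch), sum(Decimal(r["net_pay"]) for r in batch)


def batch_digest(batch):
    """SHA-256 over a canonical serialisation of the whole batch.  Any change
    to a payee, account or amount changes the digest, even when the control
    totals do not."""
    canonical = json.dumps(sorted(batch, key=lambda r: r["employee_id"]), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def change_report(approved, presented):
    """Record-level differences: (employee_id, field, approved, presented).
    'added'/'removed' rows cover headcount changes; other rows name the
    changed field.  This is the audit trail a reviewer signs off on."""
    before = {r["employee_id"]: r for r in approved}
    after = {r["employee_id"]: r for r in presented}
    report = []
    for emp in sorted(set(before) | set(after)):
        if emp not in after:
            report.append((emp, "removed", before[emp], None))
        elif emp not in before:
            report.append((emp, "added", None, after[emp]))
        else:
            for field in sorted(set(before[emp]) | set(after[emp])):
                if before[emp].get(field) != after[emp].get(field):
                    report.append((emp, field, before[emp].get(field), after[emp].get(field)))
    return report


def verify_upload(approved, presented):
    """Totals must match AND content must match; report what changed."""
    return {
        "totals_match": control_totals(approved) == control_totals(presented),
        "content_match": batch_digest(approved) == batch_digest(presented),
        "changes": change_report(approved, presented),
    }


# Constructed approved batch (what the Payroll Manager reviewed and signed).
APPROVED = [
    {"employee_id": "E001", "account": "1111-0001", "net_pay": "3200.00"},
    {"employee_id": "E002", "account": "1111-0002", "net_pay": "2750.50"},
    {"employee_id": "E003", "account": "1111-0003", "net_pay": "4100.00"},
]

# Constructed re-upload: E002's payment redirected to another account and
# amounts shifted between two employees so headcount and total stay equal.
REUPLOADED = [
    {"employee_id": "E001", "account": "1111-0001", "net_pay": "2700.00"},
    {"employee_id": "E002", "account": "9999-7777", "net_pay": "3250.50"},
    {"employee_id": "E003", "account": "1111-0003", "net_pay": "4100.00"},
]

if __name__ == "__main__":
    result = verify_upload(APPROVED, REUPLOADED)
    print("control totals match:", result["totals_match"])
    print("content matches     :", result["content_match"])
    for emp, field, old, new in result["changes"]:
        print(f"  {emp}: {field} {old!r} -> {new!r}")
```

In practice the digest of the approved batch would be recorded by the reviewer at sign-off and compared against the digest of whatever is actually loaded into the bank system, so the comparison does not depend on the person who performed the upload. The change report serves the Observation 1 recommendation directly: produced before each processing cycle from the previous cycle's master data and the current one, it gives a staff member with no input access a complete list of what to check rather than an unstructured sample.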
