
Effective Internal Auditing-A Panacea For All Ills by Sammer Ahmad Updated 24.07.2025

The document discusses the critical role of effective internal auditing in enhancing organizational value and achieving strategic objectives. It outlines the evolution of internal auditing standards, emphasizing the importance of independence, objectivity, and the integration of risk management and governance processes. The conclusion highlights that a robust internal audit function is essential for organizational success, akin to lubricating oil for a smoothly running engine.

Uploaded by

lahore4384

SAMMER AHMAD (CIA, CISA, CISM, SAP-FI) DG (IT), SAI, PAKISTAN Dated: July 24, 2025

Email address: zainsarah@gmail.com WhatsApp: +923474711694

Effective internal auditing: a panacea for all ills

Introduction to internal auditing

Any successful organization or business starts with a clearly defined, focused, transparent,
value-adding, and simply communicable strategy. A strategy supports the mission, vision, goals,
and objectives of a business or organization. Without such a clear strategy, the business or
organization is just like a ship floating directionless on an ocean: a ship swayed by external
forces like waves, currents, and winds (customers, suppliers, competitors, regulators), and by
the internal forces of its squad, magnitude, and complexity (organization, management,
structure, processes, etc.). The will and influence of the environment and of others drive a
rudderless ship, and it never reaches its destination (target). The same scenario holds true
for internal audit. Each successful internal audit function begins with a strategy. Like the
ship captain, an audit manager or Chief Audit Executive (CAE) needs to plot a course (create a
strategy and then identify goals and objectives) and persistently monitor and adjust for all of
the internal and external jerks and forces in order to reach the destination. Plotting the
course and keeping track of progress is possible through strategic planning and cautious
management of the processes essential to implement and sustain strategies.1

Brief background

In accordance with the International Professional Practices Framework (IPPF) 2017, the mission
of internal auditing has been of supreme importance and is defined as “to enhance and
protect organizational value by providing risk-based and objective assurance, advice, and
insight.” The IPPF facilitates attainment of the mission of internal auditing. The IPPF
contained two types of guidance: mandatory guidance and recommended guidance. There were four
elements of mandatory guidance: the core principles, the definition of internal auditing, the
codes of ethics, and the standards. There were ten core principles. These ten core principles
were bifurcated into two main streams of guidance. One stream consisted of the codes of
ethics and the other of the standards.2

There were four codes of ethics, and those presented the attributes (or characteristics,
qualities) of internal auditors at the individual level. Those codes of ethics were integrity,
objectivity, confidentiality, and competency. Three of them, i.e. integrity, objectivity and
confidentiality, are strictly the characteristics of each internal auditor, while the fourth
one, i.e. competency, is the characteristic of the internal audit team, activity or department
as a whole. Besides the individual and combined characteristics of the internal audit activity,
there was a set of essential requirements for performing the activity, and those were called
the standards. So, there were two core requirements for performing effective internal
auditing: the codes of ethics and the standards.

1 Sawyer’s Internal Auditing, 7th Edition (2019)
2 Gleim study material of Internal Auditing, 2023.

New Global Internal Audit Standards published by the Institute of Internal Auditors
(IIA) in 2024 replaced the earlier guidelines of internal auditing described above. Now, the
new IPPF arranges the authoritative body of knowledge for the professional practice of internal
auditing. This framework (IPPF) consists of global standards for internal auditing, topical
requirements, and global guidance. Global standards and topical requirements are mandatory,
while global guidance is supplemental (non-mandatory).

In the IPPF of 2017, there were ten (10) principles, four (4) codes of ethics and fifty-two
(52) standards as mandatory elements of internal auditing. Now, there are fifteen (15) guiding
principles at the core of a total of 52 standards published by the IIA in 2024. In other words,
the number of standards and their essence are almost the same as those published in 2017,
but now those standards are guided by fifteen (15) guiding principles.3

Definition of internal auditing and its elaboration

Internal auditing is “[a]n independent, objective assurance and advisory service
designed to add value and improve an organization’s operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of governance, risk management, and control processes.”4

3 Gleim study material of Internal Auditing, 2025.
4 Ibid.

Every aspect of internal auditing is covered very beautifully and laconically in the internal
audit definition mentioned above. Internal audit activity is an assurance and advisory service
that keeps independence organizationally and maintains objectivity individually. In other
words, independence is an attribute of the internal audit department, team or activity, whereas
objectivity is the characteristic of the individual internal auditor. The internal audit
activity provides assurance services to the organization on one hand and advisory services
(often termed consultancy services) on the other.

Assurance services are defined as “services through which internal auditors perform
objective assessments to provide assurance. Examples of assurance services include
compliance, financial, operational, performance, and technology engagements. Internal
auditors may provide limited or reasonable assurance, depending on the nature, timing, and
extent of procedures performed.”5 In other words, while performing an assurance service, the
internal auditor objectively evaluates the evidence to provide reasonable assurance to an
organization on its governance, risk management and control (GRC) processes.

While conducting assurance engagements, the audit objectives, scope and procedures to
perform are always decided by the internal auditor without any influence from the management
of the organization. Moreover, three parties are involved in any assurance engagement: the
internal auditor, the auditee and the user of the audit report. There are roughly nine types
of assurance engagements: operational, financial/financial reporting, compliance, performance,
quality, privacy, security, due diligence, and external business relationships.

Consultancy services are advisory in nature and are defined as “services through
which internal auditors provide advice to an organization’s stakeholders without providing
assurance or taking on management responsibilities. The nature and scope of advisory services
are subject to agreement with relevant stakeholders.”6 There are three main types of consulting
engagements: advisory, training and facilitative. Examples of consultancy services
include advising on the design and implementation of new policies, processes, systems, and
products; providing forensic services; providing training; and facilitating discussions about
risks and controls.

The next important term in the definition is value. This term refers to the positive
contributions or benefits the internal audit activity delivers to the organization. In other
words, the value provided by the internal audit activity refers to the positive impacts on the
abilities of an organization towards the attainment of its goals and objectives. It is also
important to note here that goals are always short-term, whereas objectives are always
long-term.

5 Gleim study material of Internal Auditing, 2025.
6 Ibid.

The next important part of the definition is “improve an organization’s operations”. The usual
operations audited by the internal audit activity include, but are not limited to, financial
operations; compliance and regulatory adherence; information technology systems; human
resources and payroll; procurement and supply chain management; and Environmental, Social and
Governance (ESG) factors.

Governance, as defined by the glossary of internal auditing, is “the combination of
processes and structures implemented by the board to inform, direct, manage, and monitor the
activities of the organization toward the achievement of its objectives.”7 Structures show the
static part and processes show the moving part of the system/activity of an organization.
The governance function of the Board of Directors (BoDs) is performed through informing,
directing, managing, and monitoring. In other words, governance is actually a set of
relationships among the different stakeholders of an organization: the BoDs, management,
employees, shareholders and other stakeholders like financial institutions, regulators,
vendors, customers, external auditors and the public. Effective governance includes oversight,
accountability and decision-making.

The main components of governance are strategic direction and oversight. However,
strategic direction actually determines the business model and overall objectives of an
organization on one hand, and the approach to taking risk in accordance with the risk appetite
on the other. Oversight is the component of governance with which internal auditing is most
concerned. Risk management and controls are mostly applied in this component of
governance. Oversight deals with two types of activities: risk management
activities executed by the risk owners and senior management on one hand, and internal
and external assurance activities on the other.

Risk and risk management, as defined by the Institute of Internal Auditors (IIA), are “the
positive or negative effect of uncertainty on objectives” and “a process to identify, assess,
manage, and control potential events or situations to provide reasonable assurance regarding
the achievement of the organization’s objectives” respectively. In other words, risk
management is a chain of activities for recognizing, evaluating, managing and regulating
possible events or situations. Moreover, risk management helps ensure that the organization
can reasonably attain its short-term goals and long-term objectives. Risk is a function of
threat, vulnerability, probability (or likelihood) and impact (or consequences). Mostly, the
threat is an external factor and the vulnerability an internal factor to the organization. In
other words, only the vulnerability can reasonably be overcome by the organization; the threat
cannot be.

7 Gleim study material of Internal Auditing, 2024.

To understand risk management in true letter and spirit, internal audit management must
comprehend how the organization recognizes and evaluates the significant risks. This
comprehension includes how the organization recognizes and copes with the following factors:

• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations and programs
• Safeguarding of assets
• Compliance with laws or regulations.

Management must consider risks at every level of the organization and must manage those
risks that can hinder the achievement of organizational objectives. The risk management cycle
comprises five steps.

Step-1: Identification of context

Before identification of risks, it is necessary to identify significant contexts. Risks
should be managed within those contexts. More often than not, context includes organizations,
laws & regulations, business processes, capital projects, technology, and market risks i.e.
foreign exchange, interest rates etc.

Step-2: Risk identification

Within the pre-identified context, identification of risk should be carried out at each
level of an organization (e.g. entity, division, and business unit level). SWOT (Strengths,
Weaknesses, Opportunities, and Threats) analysis (also called situational analysis), scenario
analysis and workshops can identify risks.

Step-3: Risk assessment and prioritization

The risk assessment step may be informal or formal. Risk assessment comprises
assessment of the significance (impact) of an event, assessment of its likelihood, and then
consideration of the ways of managing the risk. The resultant of likelihood and impact can help
to prioritize the risks. Risk assessment methods may be quantitative or qualitative, comprising
risk modeling, risk maps and risk ranking.

Step-4: Risk response

Keeping in view the probability of a threat exploiting a vulnerability to create an impact,
there are four possible options for risk response. If the resultant of the probability of the
threat and its consequence (impact) is very high (far more than the acceptable level of risk),
then risk avoidance is the suitable response. If the resultant of probability and impact is
lower than the acceptable level of risk, then risk acceptance is the suitable response. If the
probability is low but the impact is very high, then risk sharing (sometimes called risk
transfer) is the suitable response. If the resultant of probability and impact is more than the
acceptable level of risk (more than the risk appetite), then mitigation of risk is the
appropriate response. Mitigation is done by modification of an existing control, application
of a new control, or business process reengineering.

Step-5: Risk monitoring

New risks can be identified by risk monitoring.

It is pertinent to mention here that risk management is the responsibility of senior
management and the BoDs. However, the BoDs have the oversight function. Senior management
ensures that the risk management function is working properly. The internal audit function
provides the assurance service regarding risk management and reports to the BoDs or the audit
committee.

After understanding risks and risk management, it is indispensable to consider the
controls. It is pertinent to mention here that controls, control processes, and the control
environment are interrelated elements that work together to help an organization manage
risks and achieve its long-term objectives. The definition of control is “any action taken by
management, the board, and other parties to manage risk and increase the likelihood that
established objectives and goals will be achieved.”8 Control processes are “[t]he policies,
procedures, and activities designed and operated to manage risks to be contained within the
level of an organization’s risk tolerance. The control environment is the attitude and actions
of the board and management regarding the importance of control within the organization. Control
environment has following components: integrity and ethical values; organizational structure;
management’s philosophy and operating style; assignment of authority and responsibility; human
resource policies and practices; and competence of personnel.”9

8 IIA Glossary.

Discussion

Internal auditors, especially the CAE, have business acumen in general and insight
pertaining to their organization in particular. This acumen develops because internal
auditors, through their experience, know the following key areas in depth: strategic
management, planning and performance measures; organizational behavior; leadership and
organizational structure; business processes and data analytics; project management and
contracts; databases and application development; IT infrastructure; and IT control frameworks
and disaster recovery. Finally, internal auditors have a thorough understanding of the concepts
and essential principles of financial accounting; financial accounting elements; concepts of
advanced accounting; financial statement analysis; current asset management; capital structure,
capital budgeting, and taxation; and managerial accounting.

New opportunities come with new dangers, along with new peaks and troughs, for
internal auditors. An internal auditor may fear over-promising and under-delivering.
Usually, ‘many internal auditors find the self-worth in finding findings’. However, it is true
that “finding findings for the sake of finding findings undermines the principle of
objectivity”10. In addition, internal auditors always have tangible value addition in mind,
e.g. quantifiable savings, recoveries (increased revenue) and efficiency improvement.
‘Effective internal audit function consistently try to demonstrate real(ized) value’.

Financial auditors perform financial audits; compliance-with-authority auditors perform
compliance-with-authority audits; performance auditors perform performance audits focused on
economy, efficiency and effectiveness; and information systems auditors perform the information
systems audit or audit of information security. Usually all these types of audits (financial,
compliance, performance etc.) are performed by external auditors. External auditors usually
perform these audits on an annual basis within a short span of time. However, internal auditors
remain in the organization throughout the year, gain insight into the current processes, and
become aware of any new initiative taken by the organization. They are the eyes and ears of the
BoDs. They perform all types of assurance and consulting engagements. They utilize
interpersonal, communication and listening skills to gain insight into and foresight of
organizational operations and initiatives.

9 Ibid.
10 Rainer Lenz and Barrie Enslin, 2025

They understand the intricacies of a hyper-connected, fast-changing world, where VUCA
(volatility, uncertainty, complexity, ambiguity) and BANI (brittle, anxious, non-linear,
incomprehensible) realities dominate. Instead of hindsight, internal auditors focus on insight
into and foresight of the business environment in which the organization operates. Therefore,
while performing internal audit activities, they do not rely on sit-through and walk-through;
rather, they perform hawk-through. Internal auditors of today’s age have realized that there is
more to internal auditing than merely auditing. They prefer being pragmatic, not dogmatic. They
understand ‘learn how to’ and ‘learn how not to’. They acquire skills like communication,
leadership, human skills, the ability to influence and, last but not least, listening skills.
They also know that creating and preserving a positive workplace culture needs nurturing and
time. Therefore, they know the importance of a positive culture in organizations. Moreover,
they know that a positive environment is one that is free from toxic behavior. Furthermore,
they also know the reality that a bad culture can creep in and pervade the organization, bit by
bit pushing the cart downward.11

Conclusion

More often than not, organizations cannot be run successfully in the absence of a robust
internal audit function. It is just like lubricating oil that ensures that the engine runs
smoothly. An effective internal audit activity covers every aspect of the organization and
thus tries to enhance the value and improve the efficiency and effectiveness of the
organization’s operations. It is important to convey that all the effectiveness of internal
auditing depends upon the authority given to the internal audit activity by the BoDs or the
audit committee, and that authority is written in the internal audit charter. It all depends
upon whether the decision-makers of the organization (BoDs) actually provide authority to the
internal audit function through its charter and demonstrate the trust, authority, and respect
given to the internal audit function by implementing the recommendations conveyed by the CAE.
Therefore, if the decision-makers of an organization provide authority and trust to the
internal audit function, then it serves as a panacea for all organizational ills.

11 Rainer Lenz and Barrie Enslin, 2025

Bibliography

Gleim Publications. CIA Material. 2025. https://www.gleim.com/cia-review/

Gleim Publications. CIA Material. 2023.

Institute of Internal Auditors (IIA). CIA Material. 2020.

ISACA. CISA Review Manual. 28th ed. 2024.

Lenz, Rainer, and Barrie Enslin. The Gardeners of Governance: A Call to Action for Effective
Internal Auditing. 2025.

Sawyer, Lawrence B. Sawyer’s Internal Auditing. 7th ed. 2019.
