Internal Auditing. Umair Ali Shah, CIA, ACCA. Corporate Governance. Corporate governance is a term that refers broadly to the rules, processes, or laws by which businesses and organizations are operated, regulated, and controlled.


Internal Auditing

Umair Ali Shah


Corporate Governance

Corporate governance is a term that refers broadly to the rules, processes, or laws by which businesses and organizations are operated, regulated, and controlled.

The term can refer to internal factors defined by the officers, stockholders or constitution of a corporation, as well as to external forces such as consumer groups, clients, and government regulations.

Control environment
  • Control environment is the control consciousness of an organization; it is the atmosphere in which people conduct their activities and carry out their control responsibilities.
  • Control activities are actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.
Internal control

Internal controls are the fundamental building blocks in developing financial systems that are effective and consider potential risks. Internal controls should be purposeful in addressing risks, but should not unnecessarily restrict activities.

The primary objectives of internal controls are:

  • To verify the efficiency and effectiveness of operations.
  • To ensure the reliability and completeness of financial and management information.
  • To comply with applicable laws, regulations, policies and agreement provisions.
  • To document and support the validity and authorization of financial transactions.
  • To safeguard resources.
Internal control

Preventive and Detective Controls. Controls can be either preventive or detective. The intent of these controls is different.

Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets.

Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.

Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role by providing evidence that the preventive controls are functioning and preventing losses.

Control activities include approvals, authorizations, verifications, reconciliations, reviews of performance, security of assets, segregation of duties, and controls over information systems.

Key Elements of Internal Control

The following elements define proper internal controls. When developing local controls, a thorough understanding of the process as well as the potential risks is necessary. The documentation and training of policies and procedures are also key follow-up steps.

1. Transparency

Information should be clearly and accurately reported and readily available for all that need it to make decisions or to assess organizational or programmatic performance.

2. Simplicity

Offices can reduce the chance for errors or fraud if procedures are simple, clear, documented and well communicated.

Key Elements of Internal Control

3. Accountability

Accountability should be ensured at all levels of authority.

4. Security

Physical assets should be protected from harm or misuse.

5. Cost-effectiveness

The benefits derived from internal controls should be proportional to their cost as well as the potential risk they are designed to address.

Basic Internal Controls

The following concepts and practices comprise a basic list of internal controls that field offices should consider when developing local procedures or assigning roles and responsibilities.

  • Segregation of duties - Responsibilities in a process should be separated and delegated to several employees, with the goal of providing a system of checks and balances to prevent errors or dishonest behavior. For example, an accountant who is responsible for record keeping should not also be responsible for selecting vendors since the opportunity exists to hide fraudulent transactions.
  • Signature requirements - By requiring signatures, unauthorized transactions are prevented and accountability is established. For example, a purchase request signed by the manager ensures that he or she is aware of the purchase and accepts the subsequent charge to the Department.
Basic Internal Controls
  • Physical controls - Measures should be taken to verify the existence of assets reported on the office’s books and records, such as an annual equipment inventory.
  • Monitoring and independent checks - Cross-checks and management spot checks should be made to ensure that policies and procedures are followed. Some examples would be a monitoring visit to a program site, an internal audit of a field office or a surprise cash count.
  • Dual controls - Double-checks or reviews should be performed to ensure that critical decisions, high-value transactions or external reports are substantially correct. For example, bank transactions should be made only upon the authorization of two parties and external financial reports should always be reviewed by a second person for accuracy.
  • Computer-related controls - Access to computer records should be restricted and backups of key information should be performed. Access to financial system files, for example, should be restricted to prevent intentional or unintentional changes to data.
Basic Internal Controls
  • Fixed responsibility for resources - Access to resources should be restricted to specific individuals and those individuals should have authority over those resources. For example, only a limited number of employees should have keys to the cash box. The cashier should have exclusive access during the work day to ensure accountability.
  • Regular and timely reporting - Accounting and reporting functions should be specifically assigned to staff members and employees should be held accountable for timely and accurate reporting. Completion of functions should be documented with appropriate working papers that are available for inspection and are verifiable through signatures and dates.
  • Independent confirmations - Internally generated reports and documents should be reconciled to independent sources of information and proofs of accuracy should be performed on work at various stages of completion. An example would be reconciling the bank journal balance to an account statement obtained from the bank.
  • Manuals - Policies and procedures should be written to provide a clear understanding of functions and authorities.
Internal auditing

Definition of Internal Auditing

The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Purpose of Internal Auditing?
  • “Eyes and Ears”
  • “Policeman”
  • “Watchdog”
  • “Consultant”
  • “Catalyst”
IIA Statement of Responsibilities


  • Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
  • The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities.
  • The audit objective includes promoting control at a reasonable cost.
Types of Internal Audit

There are several types of internal audits: the financial audit, operational audit, management audit, compliance audit, IS audit and investigation audit. Each audit has a different purpose and characteristics.

Financial Audit

The purpose is to express an opinion on financial condition based on analysis, comparisons and tests of accuracy. Its scope is on the financial records. The expected result of this audit is to give an opinion on the accuracy and reliability of the financial statements.

Operational Audit

The purpose is to analyze and improve methods of operations and performance. Its scope is on the operational activities of a unit or department. The expected result of this audit is to give recommendations to management for the improvement of operations.

Types of Internal Audit

Management Audit

The purpose is to review and evaluate business and management issues to enhance profitability. Its scope is on the business support activities of a unit or the entire organization. The expected result of this audit is to give an opinion on strategic issues and recommendations or solutions.

Compliance Audit

The purpose is to express an opinion as to adherence to internal policies, regulatory rules and requirements, and applicable laws. Its scope is on specific aspects of operations and business. The expected result of this audit is immediate rectification and compliance thereafter.

IS/IT Audit

The purpose is to audit the computer systems and the provision and management of information. Its scope is on technical reviews of computer systems and their peripherals. The expected result of this audit is to give recommendations related to computerization and information systems.

Investigation Audit

The purpose is to audit in depth irregularities such as misappropriation of the bank's assets, reported fraud, or allegations. Its scope is the area specified, to determine the modus operandi. The expected result of this audit is to give a conclusion on the findings, with recommendations to prevent recurrence.

Code of Ethics - Integrity

Internal auditors are expected to apply and uphold the following principles:

  • Integrity

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

Code of Ethics - Objectivity
  • Objectivity

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgment.

Internal auditors:

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.

2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

Code of Ethics - Confidentiality
  • Confidentiality

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

Internal auditors:

3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

Code of Ethics - Competency
  • Competency

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

Internal auditors:

4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.

4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.

4.3. Shall continually improve their proficiency and the effectiveness and quality of their

Responsibilities of IA

Duties and responsibilities of Internal Auditor

  • Evaluates and provides reasonable assurance that risk management, control, and governance systems are functioning as intended and will enable the organization's objectives and goals to be met.
  • Reports risk management issues and internal control deficiencies identified directly to the audit committee and provides recommendations for improving the organization's operations, in terms of both efficient and effective performance.
  • Evaluates information security and associated risk exposures.
  • Evaluates the regulatory compliance program with consultation from legal counsel.
  • Evaluates the organization's readiness in case of business interruption.
  • Maintains open communication with management and the audit committee.
  • Teams with other internal and external resources as appropriate.
  • Engages in continuous education and staff development.
  • Provides support to the company's anti-fraud programs.
The Nature of Business Risk

Risk is a concept used by auditors and managers to express concerns about the probable effects of an uncertain environment.

Control and Risk

Control mitigates risk:

Internal Audit Framework

Phase I: Planning the Audit

Phase II: Performing the Audit

Phase III: Documenting the Audit

  • Planning
  • Performing
  • Reporting
Establishing Audit Objective and Scope
  • Ensure a positive link between the audit objective and the entity’s goals.
  • Ensure the audit program will produce the evidence as required.
  • Ensure that each test will provide the evidence required by the audit program.
Planning the Audit
  • Research
  • Risk Assessment
  • Audit Strategy
  • Preliminary Survey
    • Policies and Procedures
    • Inputs and Outputs
    • Control Steps
    • People
Planning Step #1

Perform Research on Area under Audit

Research is important for understanding, but we must be able to recognize when “enough is enough”

Research helps us define the historical issues, current issues, marketing issues, pervasive risks, personnel issues, and future issues.

Planning Step #2

Prepare Your Hypothesis

1. The activity is operating normally

What is = What should Be

2. The activity is not operating as it should in some significant way

What is does not = What should be

3. Some value in between

There are minor differences between What is and What should be

Planning Step #3

Send Engagement Memo

  • To executive management
  • Include the name of the audit effort and the initiation date
  • Request the name of a contact person
Designing Audit Tests
  • Evidence is created from tests or questions.
  • The creation of the right test or question to ask is a process of working backwards from the audit objective.
Documenting the Audit

Automated Work Papers provide

  • A framework to guide the audit process.
  • Support for the conclusions reached by the audit.
  • A record of the audit process and its conformance to standards.
Work Papers – Good Practices
  • Use electronic templates to capture data:
    • Background & Scope Document
    • Risk
    • Control
    • Test
    • Audit Point Sheet

  • Structure your work paper documents as carefully as you would the final audit report.
A Framework for the Audit

1. Audit Strategy/ Audit Scope & Objective.

2. Creation of Risk Based Work Papers

3. Collection of basic reference materials (flow charts, etc.)

4. Determination of tests needed

5. Sample Design

6. Preparation of meeting agendas

7. Follow-up on information gleaned/re-direction

8. Documentation of test results and conclusions.

9. Creation of Audit Point Sheets.

10. Audit Report

Writing Up Conclusions

Best practices include:

  • Test description or question.
  • Results (clearly stated).
  • Conclusion reached as a result of that test.
Best Practices (cont)
  • Discussion of the conclusion with management.
    • To avoid misunderstandings.
    • To give management a ‘heads-up’ about issues.
    • To encourage corrective action as soon as possible.
  • Cross-reference the audit point sheets to the conclusions in the audit work papers (and back-reference the conclusions to the report).
Summarizing and Evaluating Results
  • The audit process creates evidence.
  • Evidence is summarized into conclusions.
  • Evidence (facts) + Context (impact) = Finding
The Audit Point Sheet
  • Ensures all aspects of problems (findings) are captured.
  • Useful as ready documentation.
  • Serves as a basis for


  • Aids the summarization and report writing.

Audit Point Sheet

Writing Effective Audit Reports

Reports are important because they:

  • Provide documented communication and assurance to senior management.
  • Provide operating management with assessments of operations and corrective action.

  • Provide the auditor with records for follow-up of audit results.
  • Provide the audit group with marketing opportunities to demonstrate added value.
Following Up – Corrective Actions

The control aspect of auditing is not complete until corrective action is taken (or the risk formally assumed by senior


Effective statements of corrective action


  • The specific steps to be taken,
  • The completion date and
  • The person responsible for completion.
Building Trust with Auditee
  • The slow way - Making and keeping commitments
  • The faster way -