Internal Auditing
• The IIA defines internal auditing as:

“an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

• Internal auditing provides a mechanism for management to monitor the reliability of financial reporting and the company’s control over operations.

Internal Audit Responsibility Types
• Internal auditing services fall into three fundamental categories:
1. Operational – reviewing the various functions within the organization in order to appraise the efficiency and economy of operations and the effectiveness with which the functions achieve their objectives.
2. Financial – reviewing the economic activity of the organization as it is measured and reported by accounting methods.
3. Compliance – reviewing both financial and operating controls and transactions to determine whether they conform to laws, standards, regulations and procedures.

Internal Audit Responsibility
• The responsibility of the internal audit function is to review and appraise policies, procedures, plans and records for the purpose of informing and advising management.
• Perhaps more important is what internal audit is not responsible for.
  - Internal audit is not responsible for and has no authority over operating activities.
  - Internal audit makes no decisions about what should be done – they provide information and advice, and then management makes a decision.
• Internal audit may help with implementation, but management makes the decision.

Internal Auditors
• The internal auditors are not responsible for the internal control system (management is responsible for that).
• The internal auditor’s function is to test, examine, review, evaluate and make recommendations about the internal control system.
• In this way, internal auditing assists management in carrying out its monitoring responsibilities.

Internal Audit Functions
• The internal audit function should report to the board of directors through the audit committee.
• The internal auditors need to be perceived as an important part of the company in order to be able to do their job effectively.
• People in the company need to know that the board will listen to what the auditors say and therefore the conclusions of the auditor are important.
• By reporting to a high level the function has organizational independence. This means that they do not have any direct relationships with who they are auditing. The people they are auditing cannot tell them what to do or fire them.
• External auditors are focused on one thing – the opinion about the financial statements.
• External auditors are not concerned about the efficiency or effectiveness of operations, just that the financial statements reflect fairly the operations of the company.
• Internal auditors have a wider range of interests and engagements. They compare “what is” in the company with “what should be” and report to management their findings. In addition to their findings, the internal auditor develops and reports recommendations for improvement.

Internal Auditors – Support to External Auditors
• Some of the work of the internal auditors may be relevant to and used by the external auditor.
• Before using the work of the internal auditors, however, the external auditor must assess the internal auditors’:
  - Competence (how well they do their job), and
  - Objectivity (their organizational independence, or their role within the organization)
• If the external auditor decides to use some of the work of the internal auditor:
  - The external auditor will supervise, manage and review all of the work done by the internal auditors.
  - The internal auditors will not assess risk.
  - The internal auditors will not draw any conclusions.
  - The internal auditor will be more likely to be used in areas that are objective (existence of fixed assets) than subjective (valuation of future cash flows).

Internal Auditing
Session 2

Internal Auditors – Services
• Internal auditors perform two basic types of services:
1. Assurance services: performing an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.
2. Consulting services: advisory and other related client service activities. They are usually performed at the request of the client, and their nature and scope are agreed upon with the client. They are intended to add value and improve an organization's governance, risk management and control processes.
Assurance services include:
1. Financial audit: analyze the economic activity as measured and reported by accounting methods. The goal is to determine whether financial assertions can be proven:
  - Existence or occurrence
  - Completeness
  - Rights and obligations
  - Valuation or allocation
  - Presentation and disclosure
2. Performance (or operational) audit: it focuses on the efficiency, effectiveness, and economy of the company’s internal control system based upon the company standards.
3. Audit of financial controls: involves examining two aspects of financial internal controls:
  - Controls over financial resources
  - Controls over the accounting for financial resources
4. Compliance audit: performed in order to determine whether an organization is operating in an orderly way, effectively and visibly conforming to certain specific requirements of its policies, procedures, or standards.
5. System security audit: auditing the controls in place for information systems.
6. Due diligence engagement: to confirm company records, both financial and those of property ownership.
• Examples of consulting services include:
1. Quality audit: evaluating the quality of the product or service being provided.
2. Special engagements: an example of a special engagement is a fraud audit. Fraud audits are performed for the purpose of discovering the presence, scope and means of either misappropriation of assets or fraudulent reporting.
• Consulting services are intended to add value and improve an organization’s activities in a specific area without assuming management responsibility.
• Per Internal Auditing Standard No. 2120 the internal auditor should follow the following standard during a consulting engagement:
  - Address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
  - Incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
  - When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
• The beginning of the audit process is to determine which engagements to conduct.
• The chief audit executive makes the decisions regarding which engagements to perform based upon risk-based factors such as:
  - Length of time since last audit was performed in this area
  - Requests from senior management
  - Relation of the proposed engagement to the external audits of financial statements and internal controls
  - Changing circumstances in the business, operations, systems or controls
  - Potential benefit that could be achieved by the engagement
• According to Internal Auditing Standard 2201, the internal auditor considers the following in planning the engagement:
  - The objectives of the activity being reviewed and the means by which the activity controls its performance;
  - The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
  - The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model;
  - The opportunities for making improvements to the activity's risk management and control processes.
• When establishing an audit’s objectives, Internal Auditing Standard 2210 states that the auditor must:
  - Conduct a preliminary assessment of the risks relevant to the activity under review.
  - Consider the probability of significant errors, fraud, noncompliance, and other exposures.
  - Ensure that adequate criteria are available to evaluate controls. If they are adequately defined by management, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.
  - Address governance, risk management, and control processes to the extent agreed upon with the client during consulting engagements.
• Assessing audit risk is an important part of the audit process. Audit risk is the risk that the auditor will conclude that everything is working properly, when in fact, it is not working correctly. It is made up of three components:
  - Inherent risk (IR) – is the risk that exists in what is being audited. The risk of a problem in the absence of controls.
  - Control risk (CR) – is the risk that a mistake is NOT prevented or detected by the internal control system
  - Detection risk (DR) – is the risk that the mistake is NOT detected by the auditor
• The audit risk is calculated by multiplying these risks together: AR = IR × CR × DR
• Control risk and detection risk operate inversely to each other.
  - If control risk decreases (the internal controls are better) the detection risk can be increased (auditors do less testing) and the audit risk will remain the same.
  - If control risk increases (the internal controls are worse) the detection risk can be decreased (auditors do more testing) and the audit risk will remain the same.
• The auditor assesses inherent and control risk, but is able to influence only detection risk.
• After the engagement objectives are determined and the inherent risks identified, the next step is the understanding of internal controls.
• The auditor’s understanding needs to encompass the 5 components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring.
• The auditor will use this understanding to:
  - Identify types of potential misstatements that may occur in whatever is being audited
  - Consider factors related to risk of material misstatement
  - Design the substantive tests to be performed
• Internal control systems may be documented in a flowchart.
• A systems flowchart (or horizontal flowchart) shows departments and functions across the top and documents manual and automated processes. Control points are identified.
• A program flowchart (or vertical flowchart) shows the steps in the process and how they will be executed.
• A data flow diagram is a graphic representation of the internal control system.
• The audit program is written after the assessment of the relevant internal controls.
• The program should include the objectives of the area to be audited and the controls in place to achieve the area’s objectives, which determine the audit objectives.
• It gives details on the procedures to be followed to reach the objectives of the audit: what is to be done and how it will be done.
• It must be written and must be detailed enough so that the auditors know what is to be done.
• It is used to supervise and review the work.
• Standardized audit programs may be used when appropriate.
• Evidence is what the auditor gathers to be able to support their conclusion. The evidence should be:
  - Sufficient – there must be enough evidence
  - Competent – it must be reliable and the best available
  - Relevant – must be consistent with the objectives of the audit
  - Useful – assists the organization to achieve its goals
• The most competent, or best source of evidence is something obtained by the auditor directly. Evidence from the client is the worst, and evidence from a third party is in the middle.
• Audit evidence is classified according to legal rules of evidence. These include:
  - Direct – acquired directly by the party offering it
  - Hearsay – secondhand account where the witness does not have personal direct knowledge
  - Documentary – any original record, deed, or document
  - Opinion – not generally considered useful evidence
  - Circumstantial – evidence that is consistent with a particular inference
  - Secondary – not the original documentation
  - Corroborative – supports other evidence
  - Conclusive – it is indisputable
• The Sarbanes-Oxley Act requires management to assess the adequacy of the company’s internal controls over financial reporting. Internal auditors can assist in this through an audit of financial controls.
• A financial audit focuses on accounting controls. An operational audit focuses on administrative controls.
• Accounting controls are concerned with the integrity and accuracy of the accounting system and the financial reports being generated.
• Administrative controls are more focused on management's operating objectives.
• Accounting controls are intended to achieve the following characteristics for the financial records:
  - Completeness: Are all of the transactions reflected in or captured by the accounting system?
  - Validity: Are only valid transactions recorded?
  - Authorization: Are all transactions properly authorized?
  - Accuracy: Are reported numbers accurate representations of the economic transactions that have occurred?
• An audit of controls has the following objectives:
1. determine if controls are in place
2. determine if the existing controls are structurally sound
3. determine if the controls are designed to achieve a specific management objective, to achieve compliance with predetermined requirements, or to ensure accuracy and propriety of transactions
4. determine whether the controls are being used properly
5. determine if the controls are efficiently serving their purpose
6. determine whether the controls are effective
7. determine if management is using the output of the control system
8. Does the control system have the following required characteristics?
  - Flexibility.
  - Timeliness.
  - Accountability.
  - Cause identification.
  - Appropriateness.
  - Placement.
• Procedures the auditor performs to test operating effectiveness of controls include a mix of tests. Some types of tests produce greater evidence of the effectiveness of the controls than other tests.
• Here are the tests that an auditor might perform in order of the evidence they would usually produce, from the lowest quality evidence to the highest quality evidence:
1. Inquiry of appropriate personnel;
2. Observation;
3. Inspection of relevant documentation; and
4. Re-performance of a control
• If an auditor identifies a deficiency in a control over financial reporting, the auditor should evaluate the severity of the deficiency to determine whether the deficiency, either individually or in combination with other deficiencies, represents a material weakness. The severity depends upon:
  - Whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement of an account balance or disclosure; and
  - The magnitude of the potential misstatement resulting from the deficiency or deficiencies.
• Risk factors affect whether there is a reasonable possibility that a deficiency or combination of deficiencies will result in a misstatement of an account balance or disclosure. These risk factors include:
  - The nature of the financial statement accounts, disclosures, and assertions involved;
  - The susceptibility of the related asset or liability to loss or fraud, or how likely it is that something could go wrong;
  - The subjectivity, complexity, or extent of judgment required to determine the amount involved;
  - The interaction or relationship of the control with other controls, including if they are interdependent or redundant;
  - The interaction of the deficiencies, i.e., if there is more than one, could they in combination cause a material misstatement;
  - The possible future consequences of the deficiency.
• If multiple control deficiencies affect the same financial statement balance or disclosure, that increases the likelihood of misstatement and may, in combination, constitute a material weakness (though each deficiency individually may not be severe).
• Factors that affect the size of a misstatement that might result from a deficiency in controls include:
  - The financial statement amounts or total of transactions exposed to the deficiency; and
  - The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.

Financial Audit
• In a financial statement audit, the audit should be prepared so that any material misstatement is detected, no matter what the cause of the misstatement.
• The auditor is responsible for examining the controls to determine if they are adequate to prevent or detect fraud and must also have sufficient knowledge to be able to identify the indicators that fraud may have occurred.
• However, the deterrence of fraud is the responsibility of management, not the auditor.
• It is preferable (and usually cheaper) to prevent fraud than it is to discover it after the fact.
• If the auditor detects control weaknesses, additional tests should be performed to identify other factors of fraud that may be present.
• When fraud is detected, the auditor should immediately report it to the appropriate level of management.
• There are three main classifications of fraud:
  - Misstatements from fraudulent financial reporting.
  - Misappropriation (theft) of company assets.
  - Corruption (bribes, conflicts of interest).
• In the misappropriation of assets, the employee is more likely to be ‘living beyond their means’ because they have more money than their salary as a result of the theft.
• The following items do not indicate that fraud is occurring, but rather that conditions exist in which fraud may occur more easily.
  - No segregation of duties;
  - Lack of controls such as limiting access to assets, comparing existing assets with recorded assets, and requiring proper authorization for executing transactions;
  - Lack of qualified personnel;
  - Collusion among employees;
  - The existence of high-value, small, liquid assets; and
  - Management override of controls that are in place.
• The Institute of Internal Auditors’ (IIA’s) position on deterrence, detection, investigation and reporting of fraud is:
  - Deterrence of fraud is the responsibility of management.
  - Internal auditors must have sufficient knowledge to be able to identify the indicators that fraud may have occurred.
  - If control weaknesses are detected, additional tests should be performed to identify other factors of fraud that may be present.
  - Audit procedures alone will not guarantee that fraud will be detected.
  - A fraud that is detected needs to be reported.
• The auditor should develop and plan the audit with a reasonable assurance of detecting material fraud or misstatements. However, due to the fact that the perpetrators of fraud will try to hide the fact, it is not possible to guarantee discovery of material frauds.
• Fraud is different from an error in that fraud is an intentional misstatement while an error is unintentional. The three main types of fraud are:
1. Fraudulent financial reporting
2. Misappropriation of assets
3. Corruption
• Audit reports may be written or oral. Oral reports are more timely but do not replace written reports. Any oral reports should be followed with a written report confirming the oral report.
• All reports should include:
  - The purpose,
  - The scope of the engagement,
  - The results of the engagement, including recommendations, if applicable.
• Reports might include summaries, background information, status of previous audit findings or other comments.
• The purpose should include:
  - The engagement objectives – should be described in enough detail so readers know what to expect from the rest of the report.
  - Objectives should address the risks, controls and governance processes associated with the activities under review.
• The purpose may also include:
  - Why the engagement was performed
  - What the expected results were (i.e., cost savings, increased efficiencies, etc.)
• Description of the work done to achieve the engagement’s objectives. The scope should be sufficient to address the agreed-upon objectives.
  - Activities reviewed and time period reviewed
  - Any related activities not reviewed
  - The nature and extent of the work performed
  - Should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties
• The scope should specifically state what areas were not covered that readers might expect to be covered unless told differently.
• Includes observations, conclusions, an opinion if appropriate, recommendations, and action plans from the engagement.
• Observations – audit findings made by comparing what is with what should be.
• An audit finding should include: Background, criteria, condition, cause, and effect.
  - Background – Identify people involved, environment of the operation, reason why the situation is reportable, etc.
  - Criteria – the standards used to judge the operation being audited. (The “what should be.”)
  - Condition – the facts determined through observation, questioning, analysis, verification and investigation. (The “what is.”)
  - Cause – Explains the reason why “what is” is different from “what should be.”
  - Effect – The consequences of the difference between “what is” and “what should be.” To be reportable, an audit finding should have consequences – who or what was hurt, and how badly.
• Conclusions – the internal auditor’s evaluations such as whether a function is operating as intended, if control criteria are being met, if objectives are being met, etc.
• Recommendations – for improved performance, acknowledgement of satisfactory performance, any corrective actions needed.
• One or two page “executive summary.”
  - To inform senior management of matters that need prompt or continued attention.
  - To inform senior management about significant findings.
  - Should include:
    - Brief description of the audit,
    - Conclusions,
    - Summary statements of significant findings with references to where the detail can be found in the full audit report, and
    - Brief description of actions taken by the client as a result of the audit findings.
  - May be issued in addition to the full audit report.

Internal Auditors – Reporting
• The report should be:
  - Objective,
  - Clear,
  - Concise (no longer than necessary),
  - Timely, and
  - Constructive.
• The report should be reviewed with the auditee before it is issued.
• The report should be distributed to everyone who has a direct interest in the area being audited.
• The auditor should report:
  - All material facts that they know that, if not reported, could cause the audit report to be distorted or conceal unlawful acts,
  - Any variances between what should have been and what was,
  - Any suspected fraud,
  - The violation of any law,
  - Inconsistent product quality (in a quality audit), and
  - Any other reportable condition that management should be informed about.

Internal Auditors – Follow-up
• Unlike the external auditor, the internal auditor should follow up on engagements after they are completed.
• The follow-up is to determine whether the recommendations have been implemented, whether they were timely, and whether they have been effective, and just how the department is doing.

Internal Auditors – IT
Use of computers to audit information systems:
• Generalized audit software
• Test data
• Integrated test facility
• Parallel simulation
• Embedded audit routines
• Extended records
• Snapshots
• Tracing
• Mapping
Generalized audit software:
• Generalized Audit Software (GAS) consists of a series of computer program routines that can read computer files, select desired information, perform repetitive calculations, and print reports in an auditor-specified format. Generalized Audit Software enables auditors to have direct access to computerized records and to deal effectively with large quantities of data.
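
A sketch of what such routines look like in practice, added here as an illustration and not taken from the original slides or from any GAS product: it reads a ledger extract, selects exceptions, recomputes amounts and prints a report, with one routine per accounting-control characteristic listed earlier (completeness, validity, authorization, accuracy). The ledger rows are constructed sample data, and the column names and the approval limit are assumptions.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample ledger extract (not real data); column names are assumed.
LEDGER_CSV = """voucher_no,vendor,qty,unit_price,amount,prepared_by,approved_by
1001,ACME,10,25.00,250.00,alice,bob
1002,ACME,4,100.00,400.00,alice,carol
1004,GLOBEX,2,7500.00,15000.00,dave,
1005,INITECH,3,40.00,130.00,alice,bob
1005,INITECH,3,40.00,130.00,alice,bob
1006,GLOBEX,1,9000.00,9000.00,erin,erin
"""

APPROVAL_LIMIT = Decimal("5000")  # hypothetical policy threshold


def load(text):
    """Read the file and convert numeric fields (Decimal avoids float drift)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["voucher_no"] = int(r["voucher_no"])
        for key in ("qty", "unit_price", "amount"):
            r[key] = Decimal(r[key])
    return rows


def completeness(rows):
    """Voucher numbers missing from the pre-numbered sequence."""
    seen = {r["voucher_no"] for r in rows}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)


def validity(rows):
    """Voucher numbers recorded more than once."""
    counts = Counter(r["voucher_no"] for r in rows)
    return sorted(n for n, c in counts.items() if c > 1)


def authorization(rows):
    """Over-limit vouchers with no approver, or approved by their preparer."""
    return sorted({
        r["voucher_no"] for r in rows
        if r["amount"] > APPROVAL_LIMIT
        and (not r["approved_by"] or r["approved_by"] == r["prepared_by"])
    })


def accuracy(rows):
    """Vouchers whose recorded amount differs from qty x unit price."""
    return sorted({
        r["voucher_no"] for r in rows
        if r["qty"] * r["unit_price"] != r["amount"]
    })


def run_audit(text):
    """Run every routine over one extract and return the exception lists."""
    rows = load(text)
    return {
        "completeness": completeness(rows),
        "validity": validity(rows),
        "authorization": authorization(rows),
        "accuracy": accuracy(rows),
    }


if __name__ == "__main__":
    for test, exceptions in run_audit(LEDGER_CSV).items():
        print(f"{test:<14} exceptions: {exceptions or 'none'}")
```

Each exception list is a starting point for follow-up testing, not a conclusion: a gap in voucher numbers may be a voided document, and the auditor still has to inspect the underlying records.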
