
MANAGING THE INTERNAL AUDIT FUNCTION

SOLITA R. VITUG
Strategic Roles of Internal Audit
1. Assess and foster the ethical climate of the Board and the management
2. Build and maintain networking with other organization executives and
the Audit Committee
3. Educate senior management and the Board on best practices in
governance, risk management, control, and compliance
4. Organize and lead a team in mapping, analysis, and business process
improvement
5. Initiate, manage, be a change catalyst and cope with change
6. Assess the adequacy of the performance measurement system and
achievement of control objectives
7. Communicate internal audit key performance indicators to senior
management and the board regularly
8. Coordinate internal audit efforts with external auditor, regulatory
oversight bodies and other internal assurance functions

Source: IIA-p.org
Ethics
— Ethics consists of moral principles and standards of conduct
— It relates to the philosophy of human conduct and principles
of human morality and duty
— Morality, in turn, is focused on the “right” and “wrong” of
human behavior

Integrity and ethical behavior are the product of an entity’s corporate culture
— ethical and behavioral standards, and how these are communicated and
reinforced in practice
— includes communicating entity values and behavioral standards to personnel
through policy statements, codes of conduct and by example.
Source: IIA-p.org
Assessing and fostering the Ethical Climate
Indicators of an ethical climate
1. Governance model or system used by the board and
management to govern itself
2. Internal auditing structure: how it is structured in the
organization
3. Ethical features
Examples:
— Unquestioned integrity at all levels
— Accountability and personal responsibility
— Openness and willingness to take risk
— Accepting mistakes and willingness to learn from these
— Commitment to “be the best we can be”
— Collaboration and holistic thinking
Source: IIA-p.org
Ethics and Compliance Program (ECP)
Elements of an effective ECP
1. Standards and procedures to prevent and detect criminal conduct
2. High-level oversight, responsibility and authority, adequate
resources and direct access to the governing authority
3. Screening of personnel to avoid placing in positions of authority individuals
with a history of illegal conduct or a known propensity toward it
4. Communication of program to and training at all levels
5. Auditing, monitoring, and evaluating program effectiveness
6. Non-retaliatory internal reporting system
7. Discipline and incentives to promote compliance
8. Upon detection of violators, take reasonable steps to respond to
and prevent the recurrence of similar offenses

Source: IIA-p.org
Ethics and Compliance Program
Role of internal audit
— Becoming an ethics advocate
— Evaluating the design and implementation success of the program
Ø Evaluate whether the elements are actually in place and operating properly

Different roles of internal audit as an ethics advocate:
Ø Member of an internal ethics council, or
Ø Assessor of the organization’s ethical climate

Source: IIA-p.org
Relevant Standards
2110 The internal audit activity must assess and make appropriate
recommendations for improving the governance process in its
accomplishment of the following objectives:
— Promoting appropriate ethics and values within the organization;
— Ensuring effective organizational performance management and
accountability;
— Communicating risk and control information to appropriate areas of the
organization; and
— Coordinating the activities of and communicating information among
the board, external and internal auditors, and management.
2110.A1 – The internal audit activity must evaluate the design, implementation,
and effectiveness of the organization’s ethics-related objectives, programs,
and activities.

2110.A2 – The internal audit activity must assess whether the information
technology governance of the organization supports the organization’s
strategies and objectives.
Source: IIA-p.org
Operational Roles of Internal Audit
1. Review the role of the internal audit function within the risk
management framework
2. Report on the effectiveness of corporate risk management
processes to senior management and the board
3. Report on the effectiveness of the internal control and risk
management frameworks
4. Maintain an effective Quality Assurance and Improvement Program (QAIP)
5. Formulate policies and procedures for the planning, organizing,
directing, and monitoring of internal audit operations
6. Direct the administrative activities (e.g., budgeting, human
resources) of the internal audit department
7. Interview candidates for internal audit positions

Source: IIA-p.org
Establishing the Risk-Based Internal Audit Plan
Managing the Internal Audit Activity (IAA)

The CAE must effectively manage the IAA to ensure it adds value to the
organization.

Add Value

The internal audit activity adds value to the organization (and its
stakeholders) when it provides objective and relevant assurance, and
contributes to the effectiveness and efficiency of governance (fairness,
accountability, transparency), risk management, and control processes.
Source: IIA-p.org
Planning (Standard 2010)
q The CAE must establish a risk-based plan to determine the priorities of the IAA,
consistent with the organization’s goals
q Considerations
ü Obtain an understanding of the organization’s strategies, key business
objectives, associated risks, and risk management processes
ü Base the plan on a documented risk assessment, undertaken at least
annually (2010.A1)
ü Input of senior management and the board (2010.A1)
ü Expectations of senior management, the board, and other stakeholders for
internal audit opinions and other conclusions (2010.A2)
ü Accept proposed consulting engagements based on their potential to improve
the management of risks, add value, and improve operations; accepted
engagements must be included in the plan (2010.C1)
q Review and adjust the risk-based plan (as necessary) in response to changes in the
organization’s business, risks, operations, programs, systems, and controls
Mandatory Considerations for the Internal Audit Risk-based Plan

— Consistent with the goals of the organization
— Based on a documented risk assessment, undertaken at least annually
— Input of senior management and the board
— Changes in the organization’s business, risks, operations, programs,
systems, and controls
— Expectations of senior management, the board and other stakeholders for
internal audit opinions and conclusions
— Accepted consulting engagements, which must be included in the annual plan
— Overall opinion on controls, risk management, and governance

Source: IIA-p.org
Risk-based Internal Audit Plan

May include:
q A list of proposed audit engagements (and specification regarding
whether the engagements are assurance or consulting in nature)
q Rationale for selecting each proposed engagement (e.g., risk
rating, time since last audit, change in management, etc.)
q Objectives and scope of each proposed engagement
q A list of initiatives or projects that result from the internal audit
strategy but may not be directly related to an audit engagement.
Why Risk-based?
— ISPPIA (International Standards for the Professional Practice of Internal
Auditing) mandate – Standard 2010
— Regulatory requirements for banks and corporations
Ø Mandate of the Code of Corporate Governance
Ø Function of the Audit Committee and Accountability and
Audit, Code of Corporate Governance SEC Memorandum
No 6 (effective 07.15.09)
Ø BSP Circular No. 499, series of 2005 – Subsec. X164.3
Qualification Standards of the Internal Auditor
— Changes happening constantly – externally and internally
— Broad audit universe
— Limited budget
— Limited manpower and fast turnover of audit manpower
— Limited expertise, especially technical skills
Source: IIA-p.org
Internal Audit Planning Process (IA management level)

The process is a cycle:
1. Understanding the business
2. Conduct risk assessment
3. Identify and select engagements
4. Identify resource requirements
5. Prepare IA plan
6. Report and approve IA plan
7. Monitor IA plan

Source: IIA-p.org


1. Understanding the business
• Overall objectives, vision, mission, mandate, key business goals
• Internal and external environment
ü Governance, organizational structure, roles and accountabilities
ü Policies, objectives, and strategies that are in place to achieve the
organizational objectives
ü Capabilities – resources and knowledge
ü Information systems, information flows and decision-making
processes
ü Relationship with, and perception and values of, stakeholders
ü Organization’s culture
ü Standards, guidelines and models adopted by the organization
ü Form and extent of contractual obligations
ü Social and cultural, political, legal, regulatory, financial,
technological, economic, natural and competitive environment,
whether international, national, regional or local; and
ü Key drivers and trends having impact on objectives
1. Understanding the business
Ø Business analysis framework: Market overview, Strategy, Value creating
activities, Financial performance

Components:
• Environment
ü Economic trends
ü Political conditions
ü Regulatory compliance
ü Demographic patterns
ü Technological advances
ü Social and cultural changes
ü Ecological concerns

Components:
• Information
• Stakeholders
• Suppliers
• Major customers
• Competitors
• Values
• Management processes
Source: IIA-p.org
1. Understanding the business

Audit universe – a list of all possible audit engagements that could be
performed.
§ Strategic Business Unit – scope includes business units/specific tasks;
review focuses on documentation and compliance
§ Process based – scope is expanded to link business units/tasks to broader
systems
§ Review focuses not only on compliance but also on the effectiveness of
the process

Business process – a set of connected activities linked with each other for
the purpose of achieving one or more business objectives (e.g., strategic
management, core business, resource management)

Source: IIA-p.org
2. Risk Assessment in IA planning
The identification and analysis (typically in terms of impact and
likelihood) of relevant risks to the achievement of an organization’s
objectives to form a basis for determining how the risks should be
managed.

Purpose of risk assessment
— Gain an understanding of the risks that threaten achievement of strategic
objectives
— Develop foundations that will assist in identifying business processes or
activities that mitigate strategic risks and focus process-level assessment
— Develop the basis for the internal audit plan

Source: IIA-p.org
Focus of Internal Audit Plan
— Unacceptable current risks where management action is required. These are
areas with minimal key controls or mitigating factors that senior management
wants audited immediately
— Areas where the inherent risk is above the tolerance of senior management
and the audit committee
— Control systems on which the organization is most reliant
— Areas where the differential between inherent risk and residual risk is
great

Source: IIA-p.org
Prioritize Risks

Factors to consider:
— Significance
— Risk management effectiveness
— Materiality and likelihood
— Risk appetite

Risk scoring:
• High
• Moderate
• Low
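A worked scoring model for the prioritization described above, added here as an illustration; it is not code from the presentation or from the IIA. It scores each entry of a constructed audit universe by impact and likelihood, derives residual risk from control effectiveness, applies the plan-focus criteria from the preceding slides (inherent risk above tolerance, heavy reliance on controls, time since last audit, change in management) and fills a limited man-day budget, recording the rationale the plan is expected to document for each proposed engagement. The scales, weights, thresholds, tolerance, capacity and the audit universe are all assumptions.

```python
"""Risk-scoring model for a risk-based internal audit plan.

Constructed example: the audit universe, scales, weights, thresholds and
tolerance below are illustrative assumptions, not figures from any standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    impact: int                    # 1 (negligible) .. 5 (severe)
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    control_effectiveness: float   # share of inherent risk mitigated by key controls, 0.0..1.0
    years_since_last_audit: float
    management_changed: bool       # new management since the last audit
    critical_control_system: bool  # organization is heavily reliant on this control system
    estimated_days: int            # man-days needed for the engagement


def inherent_risk(u: AuditableUnit) -> int:
    """Risk before controls: impact x likelihood on a 1..25 scale."""
    return u.impact * u.likelihood


def residual_risk(u: AuditableUnit) -> float:
    """Risk remaining after key controls are taken into account."""
    return inherent_risk(u) * (1.0 - u.control_effectiveness)


def risk_rating(score: float) -> str:
    """Map a priority score onto the High / Moderate / Low scale (thresholds assumed)."""
    if score >= 12:
        return "High"
    if score >= 6:
        return "Moderate"
    return "Low"


def assess(u: AuditableUnit, tolerance: float) -> tuple[float, list[str]]:
    """Score one auditable unit and record the rationale behind the score.

    Adjustments mirror the plan-focus criteria: residual risk, inherent risk
    above senior management's tolerance, heavy reliance on controls (large
    inherent-to-residual gap), staleness of coverage and management change.
    """
    inh, res = inherent_risk(u), residual_risk(u)
    score = res
    reasons = [f"residual risk {res:.1f} of inherent {inh}"]
    if inh > tolerance:
        score += inh - tolerance
        reasons.append(f"inherent risk {inh} exceeds tolerance {tolerance}")
    gap = inh - res
    if gap >= 0.5 * inh:
        score += 0.3 * gap
        reasons.append("control-reliant: controls mitigate at least half the inherent risk")
    if u.critical_control_system:
        score += 3
        reasons.append("control system the organization relies on most")
    if u.years_since_last_audit >= 3:
        score += 2
        reasons.append(f"{u.years_since_last_audit:g} years since last audit")
    if u.management_changed:
        score += 2
        reasons.append("change in management since last audit")
    return score, reasons


def build_plan(universe, tolerance, capacity_days):
    """Rank the audit universe by priority and fill the available man-days.

    Returns (selected, deferred). Every entry carries the rating and the
    rationale the plan should document for each proposed engagement.
    """
    ranked = sorted(universe, key=lambda u: assess(u, tolerance)[0], reverse=True)
    selected, deferred, used = [], [], 0
    for u in ranked:
        score, reasons = assess(u, tolerance)
        entry = {"engagement": u.name, "type": "assurance", "score": round(score, 1),
                 "rating": risk_rating(score), "days": u.estimated_days, "rationale": reasons}
        if used + u.estimated_days <= capacity_days:
            selected.append(entry)
            used += u.estimated_days
        else:
            entry["rationale"] = reasons + ["deferred: insufficient man-days in this cycle"]
            deferred.append(entry)
    return selected, deferred


# Constructed audit universe (illustrative values, not real data)
UNIVERSE = [
    AuditableUnit("Treasury and payments", 5, 3, 0.60, 1.0, False, True, 25),
    AuditableUnit("Payroll", 3, 2, 0.50, 4.0, False, False, 10),
    AuditableUnit("Identity and access management", 5, 4, 0.20, 2.0, True, True, 30),
    AuditableUnit("Travel expenses", 2, 3, 0.70, 0.5, False, False, 8),
    AuditableUnit("Vendor onboarding", 4, 4, 0.75, 3.0, False, False, 15),
]
TOLERANCE = 12      # assumed inherent-risk tolerance of senior management / audit committee
CAPACITY_DAYS = 70  # assumed man-days available for assurance work in this cycle


def annual_plan():
    return build_plan(UNIVERSE, TOLERANCE, CAPACITY_DAYS)


if __name__ == "__main__":
    chosen, held = annual_plan()
    for e in chosen:
        print(f"{e['engagement']:<32} {e['rating']:<9} score={e['score']:<5} days={e['days']}")
        for r in e["rationale"]:
            print("    -", r)
    print("deferred:", [e["engagement"] for e in held])
```

The weights are deliberately simple so the audit committee can see why an engagement ranked where it did; the point of the rationale list is that each line in the plan can be traced back to a factor the committee agreed on, which is what reviewers of the plan will ask for.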
3. Identify and select engagements
Types of Engagements
— Control reviews/assurance activities – where the internal auditor
reviews the adequacy and efficiency of the control systems and
provides assurance that the controls are working and the risks
are effectively managed
— Consulting activities – where the internal auditor advises
organizational management in the development of the control
systems to mitigate unacceptable current risks
ü Inquiry activities – where organizational management has an
unacceptable level of uncertainty about the controls related to
a business activity or identified risk area and the internal
auditor performs procedures to gain a better understanding of
the residual risk

Source: IIA-p.org
Assurance Services
An objective examination of evidence for the purpose of providing an
independent assessment on governance, risk management, and control
processes for the organization.

Assurance engagements:
— Risk and control self-assessment
— Third party contract
— Due diligence
— Financial
— Security
— Privacy
— Quality
— Performance/operational
— Compliance

Source: IIA-p.org
Consulting Services
Advisory and related client service activities, the nature and scope
of which are agreed upon with the client, are intended to add value
and improve an organization’s governance, risk management, and
control processes without the internal auditor assuming
management responsibility.

Consulting engagements:
— Internal control training
— Business process review
— IT and systems development
— Benchmarking

Source: IIA-p.org
4. Identify resource requirements
2030 – Resource Management
The chief audit executive must ensure that internal audit resources
are appropriate, sufficient, and effectively deployed to achieve the
approved plan.

Interpretation:
— Appropriate refers to the mix of knowledge, skills, and other
competencies needed to perform the plan.
— Sufficient refers to the quantity of resources needed to
accomplish the plan.
— Resources are effectively deployed when they are used in a way
that optimizes the achievement of the approved plan.

Source: IIA-p.org
Internal Audit Resource Requirements
— Employees – skills, capabilities, and technical knowledge of the
internal audit staff
— External service providers, employees from other departments
within the organization, or specialized consultants (if necessary)
— Technology-based audit techniques
— Financial budget

Source: IIA-p.org
Internal Audit Resource Requirements

Resource Planning Considerations


— The staffing analysis considers the:
Ø Audit universe
Ø Relevant risk levels
Ø Internal audit plan
Ø Coverage expectations
Ø Estimate of unanticipated activities (fraud, requests from
management and audit committee)
Ø Monitoring and follow-up of audit recommendations
Ø Quality Assurance and Improvement Program (QAIP)
• The staffing plan or analysis should be realistic
• Skills assessment (performed periodically)
Source: IIA-p.org
5. Prepare the Internal Audit Plan
Objectives of the IA plan
— Provide the senior management and the board with assurance
and information to help them accomplish the organization’s
objectives
— Includes assessment of the effectiveness of management’s risk
management activities
Basis of IA plan
— Assessment of risks and exposures affecting the organization
— Audit universe
— Input from senior management and board
Elements of IA Plan
— Engagement type
— Staffing plan
— Financial budget
Source: IIA-p.org
Contents: Engagement Work Schedule
— Carry over projects (from previous years)
— Audit projects based on: risk assessment, management requests,
board requests
— Accepted consulting services
— Internal audit planning activities
— Processes that will be reviewed
— QAIP activities (monitoring, follow-up, self-assessment)
— Man-days/man hours per project/activity
— Scheduled date, month, quarter for activities

Source: IIA-p.org
6. Report and approve the IA plan
2020 – Communication and Approval

— The CAE must communicate
ü The internal audit activity’s plans and resource requirements, including
significant interim changes, to senior management and the board for review
and approval.
ü The impact of resource limitations, if any
ü Annually to senior management and the board, for review and approval, a
summary of the internal audit plan, work schedule, staffing plan, and
financial budget. This summary informs senior management and the board of
the scope of internal audit work and of any limitations placed on that scope.
ü All significant interim changes, for approval and information.

Source: IIA-p.org
Conducting the Internal Audit Engagement

“Planning the Engagement”

Engagement Planning (2200)
Engagement Objectives (2210) – objectives must be established for each
engagement.

— Internal auditors must conduct a preliminary assessment of the risks
relevant to the activity under review. Engagement objectives must reflect
the results of this assessment (2210.A1).

Source: IIA-p.org
Engagement Scope (2220)
— The established scope must be sufficient to achieve the objectives of the
engagement.
— The scope of the engagement must include consideration of relevant systems,
records, personnel, and physical properties, including those under the control of
third parties.
— If significant consulting opportunities arise during an assurance engagement, a
specific written understanding as to the objectives, scope, respective
responsibilities, and other expectations should be reached and the results of the
consulting engagement communicated in accordance with consulting standards.
— In performing consulting engagements, internal auditors must ensure that the
scope of the engagement is sufficient to address the agreed-upon objectives. If
internal auditors develop reservations about the scope during the engagement,
these reservations must be discussed with the client to determine whether to
continue with the engagement.
— During consulting engagements, internal auditors must address controls consistent
with the engagement’s objectives and be alert to significant control issues.
Source: IIA-p.org
Engagement Work Program (2240)
— Internal auditors must develop and document work programs that
achieve the engagement objectives.
— Work programs must include the procedures for identifying, analyzing,
evaluating, and documenting information during the engagement.
— The work program must be approved prior to its implementation, and
any adjustments approved promptly.
— Work programs for consulting engagements may vary in form and
content depending upon the nature of the engagement.

Performing the Engagement (2300): “Internal auditors must identify, analyze,
evaluate, and document sufficient information to achieve the engagement’s
objectives.”

Source: IIA-p.org
