Note Aud679

Uploaded by Anis

The document discusses the responsibilities of the Chief Audit Executive (CAE) and an audit manager in an internal audit function. It outlines that the CAE is fully responsible for examining and evaluating the adequacy and effectiveness of risk management, internal controls, and corporate governance processes. The audit manager is in charge of planning and performing operational and financial audits, defining the audit plan, budget, and schedule, and ensuring audit objectives and scope are adequately determined. The document also provides details on the importance of an internal audit charter and maintaining the independence, proficiency, and skills of internal auditors.

5. Managing the Internal Audit Function (5)

 2 importance of internal audit charter. (4) PDF1 JULY2020 DEC2019 DEC2018 JULY2017
1. To define the internal audit activity's purpose, authority, responsibility and position within the organisation.
The charter is a formal written agreement between management and the board about the internal audit activity. It
defines the internal audit activity's position within the organisation, including the head of internal audit's
reporting lines, its access to records, people and property, and the scope of its activities. The charter should
specify the nature of the services that internal audit will deliver and how internal audit will assist the
organisation to meet its objectives.
2. To provide a recognised statement for review and acceptance by management and for approval by the board.
This formal written agreement facilitates periodic assessment of the internal audit activity. The charter needs
to be reviewed periodically and approved by the board, especially if any changes occur within the function.
3. To facilitate periodic assessment.
The charter supports quality assurance, a process aimed at ensuring that internal audit services satisfy the
predetermined requirements set by the IIA. The CAE is also responsible for communicating the results of the
assessment to senior management and the board.

 Related Standards (proficiency, continuing professional development, managing internal audit activity,
resource management, engagement resource allocation)

 Strengths of the internal audit function (10) PDF2 DEC2019 DEC2018


1. Independent reporting responsibility - *proficiency
To fulfil their responsibilities, internal auditors must have the necessary knowledge, skills and other abilities. The
CAE must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities.
1000 Purpose, Authority, and Responsibility – Have a formal, written internal audit charter that establishes the
internal audit activity's position within the organisation.
2000 Managing the Internal Audit Activity – Consider strategies, objectives and risks in order to enhance the
governance, risk management and control processes.
2. Continuing professional development
Internal auditors must continue their education in order to develop and enhance their proficiency and keep up
with the demands of the organisation and the profession.
Internal auditors stay informed about improvements and current developments in internal audit standards,
procedures and techniques, including the IIA's pronouncements.
3. Appropriate approach in dealing with conflicts.
Conflict in the workplace is unavoidable. The ability to recognise conflict, understand its nature and bring a
swift and just resolution creates a positive environment, whereas the inability to do so may well be the internal
audit function's downfall.
In resolving inherent conflicts, internal auditors should not address only surface issues, which will not create
meaningful change or lasting solutions.
In resolving avoidable conflicts, internal audit must give all parties to a conflict an equal voice, regardless of
their position and seniority.
4. Report functionally to the board of directors
Organisational independence is effectively achieved when the internal auditors report functionally to the board.
Internal auditors follow the correct channel for obtaining approval of the internal audit budget and resource
plan, including any outsourcing arrangement.
5. Relevant outsourcing arrangement
The CAE, as the in-house liaison, remains fully responsible for the management of the internal audit activity.
The service provider jointly executes the internal audit responsibility, but the organisation still has complete
control over the business-critical tasks.
6. Effective resource management
The CAE must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve
the approved plan.
Effective or optimal resource management leads to positive results such as meeting deadlines, lower costs,
increased quality, good use of opportunities, high productivity and high morale.

 The element of resource management. PDF2 JAN2018


1. Appropriate refers to the mix of skills, capabilities and technical knowledge of the internal audit resources
needed to perform the planned activities.
The CAE must conduct a periodic skills assessment to determine the specific skills needed to perform the internal
audit activities, such as technical knowledge, language skills, business acumen, fraud detection and prevention
competency, and accounting and auditing expertise.
2. Sufficient refers to the quantity of resources needed to accomplish the planned activities.
The CAE must ensure that sufficient resources are available to execute audit activities with the breadth,
depth and timeliness that management expects.
3. Effectively deployed refers to the use of the resources in a way that optimises the achievement of the approved
planned activities.
The CAE is required to assign competent and qualified auditors to specific assignments.
It includes developing a resourcing approach and organisational structure that are appropriate for the business
structure, risk profile and geographical dispersion of the organisation.

 Body of knowledge and character PDF2


 Characteristics of proficiency PDF3 JUNE2018
1. Proficiency means the ability to apply knowledge to the audit situations likely to be encountered and to deal with
them appropriately without extensive recourse to technical research and assistance.
2. Internal auditors can make sound and timely decisions with the information at hand, under tight deadlines
and pressure.
3. Internal auditors are able to apply the Standards (ISPPIA), procedures and techniques and perform them effectively
and efficiently.
4. If internal auditors work extensively with financial records and reports, they should be proficient in the
principles and techniques of accounting and auditing, as well as in the indicators of fraud, IT risks and controls,
and the materiality and significance of deviations from good practice.

 Guideline to assist CAE in IIA common body.


 Evidences of maintaining due professional care DEC2018
1. CIA certification and IIA membership
Achieved by completing college, university or self-study courses.
The standard by which individuals demonstrate their competency and professionalism in the field of internal
auditing.
2. Attendance at conferences, seminars and in-house training
Keeps internal auditors at the cutting edge of industry developments.
Builds the confidence of internal auditors because they have a stronger understanding of the industries and
the responsibilities of their job. This confidence may push them to perform even better and think of new ideas
that help them excel.
3. Additional membership for specialised engagements
A win-win situation for internal auditors because they are recognised for taking the initiative to learn more
about their field of interest.
Additional memberships in other professional organisations are a crucial aspect of a professional's career,
opening up opportunities for networking and professional development.
4. Involvement in research projects
Finding out the facts about the internal audit profession allows internal auditors to make better decisions and
gain more knowledge.
The Institute of Internal Auditors publishes a peer-reviewed journal in support of internal auditing, maintains
high standards for education, provides the educational offerings mentioned above, engages in opportunities to
educate members seeking more information, and stays abreast of current industry standards and news to keep the
profession informed.

 2 matters impair independence, objectivity FEB2021


 Selecting internal auditors PDF3
 Internal audit hierarchy
 Responsibilities of CAE PDF4 JUNE2019
1. The role of the CAE is to be fully responsible for the internal audit function, including the examination and
evaluation of the adequacy and effectiveness of the risk management, internal control and corporate governance
processes of the organisation.
2. The CAE has an in-depth knowledge of the organisation and is concerned principally with its internal control and
corporate governance processes, the efficiency of its operations, and its observance of relevant laws and
regulations.

 Responsibilities of audit manager PDF4 JULY2020 JUNE2019 JULY2017


1. The AM is responsible for planning and performing operational and financial audits, as well as defining the audit
plan, setting the audit budget, resources and schedule, selecting project management tools, and reviewing the risk
assessment, risk matrix and internal controls. This role is crucial in ensuring that the audit objectives and the
scope of the audit are adequately determined.
2. The AM is responsible for coordinating audit assignments with management so that the necessary action is taken
on audit findings in line with auditing practices. In addition, the AM coordinates risk-related work with legal and
other control-related activities within the internal audit function.
3. The AM reports directly to the CAE on matters pertaining to audit assignments, such as information technology,
special projects, the delivery network and other assignments in a large multinational organisation. The AM also
needs to prepare timely audit reports for executive management, the audit committee and the board of directors.
4. Guiding managers and staff
The internal audit manager becomes the source of guidance and advice for teams within the company, ensuring that
developments and processes comply with the law and that all internal audit work is directed toward the
organisation's goals.
5. Researching emerging issues
The internal audit manager is responsible for researching emerging trends and issues in the industry, which helps
in determining the scope of the internal audit. The AM also develops the annual plan that will help the business
grow, with the approval of managers and stakeholders.

 Training and promotions PDF5


 Risk-Based internal audit plan resource management PDF5 (when conflicts exist)
 Related standards PDF5 (communication and approval, policies and procedures, report to board and
management)

 2 types of conflicts, with an example for each when performing their internal audit work (4) PDF6 JULY2021
1. Inherent conflicts
Conflicts that are inherent and occur naturally within an organisation.
Examples include a lack of communication within the organisation, between the audit committee and management about
the audit function, and a lack of cooperation from auditees.
Management may not provide accurate information, and fraud may be committed that the internal auditor does not
discover.
This type of conflict is difficult to deal with, but it can be reduced through effective management and
organisational action. Management should develop and review these actions on a regular basis.
2. Avoidable conflicts
Conflicts that exist within the internal audit department and process.
Examples include a lack of guidance and reference material, unclear instructions for assignments, incomplete review
of working papers and favouritism in assignments.
Internal auditors can avoid these conflicts by establishing effective audit guidance and a manual with clear
instructions, direction and supervision, and by reducing bias.

 3 approaches/practices that internal auditors should consider when handling avoidable conflicts with the
client (6) PDF6 DEC2019 JUNE2018
1. Internal auditors develop trust
This can be accomplished by showing a genuine intention to improve the organisation and by securing cooperation
to improve the department's efficiency and economy.
For example, internal auditors should work with the production department to examine the high wastage of raw
materials used in production.
The internal auditor can then provide recommendations to the production manager to reduce the percentage of
wastage.
Internal auditors should give advice that is free from ambiguity and that is neither biased nor prejudiced.
2. Internal auditors are salespersons
To overcome issues, auditees need recommendations for the audit findings.
Internal auditors cannot expect that everyone will react immediately upon submission of their recommendations.
Instead of only identifying problems and telling auditees how to fix them, internal auditors must explain the
problems and their possible consequences to the auditees.
3. Internal auditors make clients understand the audit objectives.
Conflict can be avoided if auditees know the objectives and the information needed.
The internal auditor must make clients understand the importance of obtaining the required evidence or
information.
By educating clients about the roles and responsibilities of internal auditors, the clients can understand the
audit objectives.
4. Internal auditors are objective and factual about their findings
Since different words or phrases can affect the auditees' value judgement, internal auditors should allow the
clients to review the findings.
The possibility of conflict can be reduced by allowing the clients to suggest changes before the findings are
submitted to the board or management.

 3 possible suggestions that internal auditor should consider when dealing with inherent conflicts (6) PDF7
JULY2021 FEB2021 JUNE2019 JAN2018 JULY2017
1. Consider the good aspects of conflict: it can be a necessity that helps build meaningful relationships between
people, and it has the potential to create positive opportunities and advancement as an organisation moves
towards its objectives.
Some negative conflicts may have positive effects on the auditing process, as valuable information may be gathered
that points to a solution to the issues.
For example, conducting a formal interview with top management might be resented but could be a valuable
information-gathering technique for the internal auditor.
2. Use a compromise conflict-resolution technique, recognising that auditees are more responsive to important
findings than to less important ones.
Internal auditors should be firm, yet fair, in taking a stance on their findings. Being prepared in this way helps
internal auditors face the conflicts that may arise, since they are already aware of them and can tackle them
without lengthy back-and-forth with the auditees.
3. Seek guidance and support from high-level management, especially the audit committee, on the best path
forward. Internal auditors should be able to separate personal differences of opinion from critical control issues
or ethical considerations that the audit committee should be informed about.
For example, an internal auditor may face a conflict with an auditee whose relationship with the auditor's manager
affects the auditor's ability to carry out internal control work. This issue has to be raised with the audit
committee to be resolved. Seeking support from high-level management is crucial to ensure the effective operation
of the audit function.
4. Internal auditors should not feel guilty or be held responsible for situations that have negative consequences as
a result of the audit findings, such as auditees' termination, relocation or other forms of distress.

 Outsourcing PDF8
 Why outsourcing? PDF8
 Related standard PDF8
 Outsourcing arrangement (full, partial, co, sub) PDF9

 Arrangement is partial outsourcing JUNE2018


1. Partial outsourcing is relevant to BPSB because the company is small, with only a single land-based operation in
Puncak Alam.
BPSB may not have the size and cash flow to support full-time audit staff. Even in larger organisations, using a
combination of in-house staff and outsourced internal auditors allows control of employment costs related to
the internal audit function.
2. Partial outsourcing is relevant to BPSB because the company would never lose control, since the outsourced
service provider still reports to the chief audit executive (CAE).
The CAE's oversight responsibility for the internal audit activity cannot be outsourced. Here the CAE, the in-house
liaison employed by BPSB, remains fully responsible for the management of the internal audit activity.
3. Execution of the internal audit plan is partly done by an external provider on an ongoing basis.
Partial outsourcing is relevant to BPSB because the service provider executes part of the internal audit
responsibility while the company still develops in-house staff to run the function in the future.
Hence BPSB still has complete control over the fieldwork. To lighten the load, BPSB can outsource planning and
coordination tasks to the service provider, so that the CAE can focus the time and energy of the in-house staff on
business-critical activities.
4. Partial outsourcing is relevant to BPSB because, under partial outsourcing, BPSB has the freedom to change
service providers quickly if the organisation faces a problem.
Partial outsourcing can help BPSB to increase productivity, exercise control over business-critical tasks, and
change the outsourcing vendor quickly if any problem arises. If the outsourced service deteriorates, or if the
service provider's price rises, BPSB does not lose know-how and skills that may prove critical to its long-term
competitiveness, since the company still has in-house staff to handle the work.
5. Partial outsourcing is relevant to BPSB because this outsourcing arrangement has helped many organisations to
create operational effectiveness and efficiency, especially in the areas where the company is exposed to great risk.
This is also beneficial to BPSB because the outsourced service provider is able to help with compliance with approved
policies, industry best practices, procedures and regulatory requirements. Independent consultants often specialise
in particular industries and bring in-depth knowledge of that industry, using years of experience to support an
internal audit function within an organisation, regardless of the age or experience of that organisation.
6. Partial outsourcing is relevant to BPSB because this outsourcing arrangement is suitable for meeting the
requirements of regulations and legislation.
In particular, it helps to meet the requirements of Section 246 of the Companies Act 2016, under which this new
company law provision requires directors to have in place a system of internal control. The internal auditors can
therefore assist the board of directors on this matter.

 4 essential features of the outsourcing arrangement for the position as internal audit manager JULY2020
1. The service provider reports to the Chief Audit Executive. However, the oversight activity cannot be outsourced
because it is the ultimate responsibility of the CAE and the in-house internal auditors.
2. The service provider executes part of the internal audit plan. Hence the organisation still has complete control
over the business-critical tasks, because the provider executes only part of the plan. To lighten the load, the
organisation outsources certain tasks, mainly non-core or special tasks, to the provider through properly planned
outsourcing. The outcome should bring significant productivity to the business so that the internal auditors can
focus on the critical parts of the business.
3. The organisation retains control over internal audit activities. This means that the internal auditors still
maintain their own audit procedures and tools. The duty to act professionally in line with the organisation's goals
remains the internal auditors' central responsibility. The service provider assists the internal audit activity, and
the organisation still needs to monitor the provider's work to ensure it delivers the correct outcome.
4. The partial-outsourcing concept allows the organisation the freedom to change service providers quickly if it
faces problems. Outsourcing can help the organisation increase productivity and gives it the opportunity to change
the outsourcing vendor quickly if the previous service is not effective.

 Benefits of partial outsourcing JAN2018


1. The service provider reports to the chief audit executive (CAE). The CAE's oversight responsibility for the
internal audit activity cannot be outsourced.
Here the CAE, the in-house liaison employed by the organisation, is fully responsible for the management of the
internal audit activity.
2. The service provider executes part of the internal audit plan, hence the organisation still has complete control
over the business-critical tasks. To lighten the load, an organisation outsources certain planned tasks, mainly
the non-core tasks, to the service provider.
With non-core work out of the organisation's hands, the employed internal auditors can focus their time and
energy on business-critical activities.
3. Under partial outsourcing, an organisation has the freedom to change service providers quickly if it faces a
problem. Partial outsourcing can help the organisation increase productivity, exercise control over business-critical
tasks, and change the outsourcing vendor quickly if any problem arises.
If the outsourced service deteriorates, or if the service provider's price rises, the organisation does not lose
know-how and skills that may prove critical to its long-term competitiveness, since it still has in-house staff to
handle the work.

 5 merits of outsourcing that might increase the internal audit effectiveness (10) PDF10 JULY2021 FEB2021
1. A better ability to focus on core competencies.
Outsourcing enables management to focus on core competencies and targeted skills instead of the day-to-day,
low-payback activities that are time-consuming.
The improvement in staff allocation gives the business access to global expertise and cutting-edge technology.
It improves business returns and allows more effective management of existing resources, both in-house
and outsourced.
2. It helps to manage costs
Outsourcing can help control the costs of internal audit by reducing them and converting the fixed costs of an
internal audit function into variable costs. Furthermore, the costs for the internal audit service are agreed upon
in advance. Costs associated with overlapping positions and duplicated audit effort can also be reduced, giving the
business more flexibility to increase and decrease the workload on demand.
3. Efficiency of the business.
The external provider can perform quality assurance and consulting on specialised areas while conducting
internal audit activities. This continuous review helps the business to operate with fewer flaws and in tune with
the latest technologies, according to the standards and the latest best practices.
4. Efficiency and effectiveness of external audit
The external service provider can increase the efficiency and effectiveness of the statutory audit through quality
documentation.
The knowledge obtained during an internal audit engagement can increase the efficiency of the annual
independent statutory audit in situations where the external provider is also the internal auditor.
For example, knowledge of the internal control systems should reduce the work needed to document the internal
controls, assess control risk and design tests of controls.
5. Future expectations
The external provider can provide a training ground for future in-house internal audit staff to gain specialised
skills, especially under partial outsourcing.
The retention of knowledge for future assignments, through the working papers and information available, can
assist the internal audit staff to plan their assignments and perform their duties.
6. Increased coverage of business geographical locations
Businesses with numerous and remote locations benefit from outsourcing, as more locations can be reviewed
and improved.
The coverage undertaken by an external provider is more extensive, and coordination with in-house internal audit
staff increases access to best practice and insight into alternative approaches.
7. Credibility
An external provider with a good reputation carries greater credibility than work done by the internal audit staff.
The credibility of the work done by an external service provider has two key components: trustworthiness
and expertise.

 Arguments/limitation against outsourcing PDF11 JUNE2019


1. Awareness of the culture of the organisation.
There is an inevitable introduction period for the external provider to get used to the culture of the organisation.
They might find it difficult to access information, whether verbal or written, which can limit the outsourced
provider in performing its assignments.
Since the provider does not share the organisation's culture, it needs to be very adaptive in performing the internal
audit function, for example by improving communication.
Hence, the board needs to ensure that the external provider is given the required authority and assistance to
overcome this problem.
2. Significant resources are incurred in terms of fees and time.
It may take a significant amount of time, as the company needs to help the external provider become familiar with
the operation of the business.
Eventually, the company needs to pay significant fees to the external provider, and these become a recurring cost
for the company.
The fees may rise over time with the growing complexity of the business in the current environment.
This is a disadvantage of not establishing an internal audit department, since the business loses the opportunity
to train in-house internal audit expertise, which would eventually benefit the business.
3. Lack of depth of internal knowledge
This affects the performance of the outsourced activity, as the external provider might not be well informed
about the operation of the business and the organisation's objectives.
Although the external provider takes time to adapt to the business, this does not mean that it will successfully
understand the objectives and operation of the business.
In contrast, in-house internal audit staff are normally well informed, and the competencies they possess
represent a unique perspective on the organisation.
4. Succession planning is affected.
The internal audit department provides a training ground for future managers, as they are involved in the
organisation's risk, control and governance practices.
In the absence of an internal audit department, future managers cannot be trained in this way.

6. Implications of Information Technology on Internal Auditing (8)

 4 risks related to the application system that can cause error in processing data (6) PDF1 JULY2020
JULY2017
1. Risk from the application system not being upgraded in a timely manner.
Software updates are important because they often contain security fixes and other critical changes.
An outdated application may not open files from newer program versions, or may not support new features or
requirements introduced in other systems.
2. Risk from the application system containing flaws.
Examples of software security flaws are security bugs, errors, holes, faults, vulnerabilities or weaknesses
inside a software application.
These can be defects in the software's security design, coding errors and implementation bugs.
3. Risk from the application system accepting invalid data.
Invalid data can cause a huge loss to the company by leading to wrong decisions.
4. Risk from data lost or corrupted during transmission.
When data is lost or damaged, it takes time and money to restore the critical information for the organisation.
When there is a hardware or software problem, such as a power outage or data corruption, the owner is unable
to update information in the system because it is malfunctioning, and data errors may arise.
5. Risk from the operating or application system abruptly ceasing to function.
A virus is malicious code (malware) designed to disrupt computer operation by copying itself and spreading from one
computer to another. It can disable the computer system, and the owner of a compromised computer may be unable to
control access to its information.

 Hardware failure
 Computer crime
 Issues (security, confidentiality, privacy, processing integrity, availability)
 Definition IT audit

 4 scope of IT audit / elements of IT audit PDF3 JULY2020


1. Physical and environmental review
Reviews physical facilities and conditions of IT environment such as physical access, electric supply, heating, air
conditioning, humidity and control.
The failure or substandard performance of these facilities may interrupt operation of systems and may cause
physical damage to system hardware or stored data.
2. System administration review
Reviews all system administration procedures to ensure the system is compliance with regulatory rules.
It includes reviews of security control procedures of existing operating systems and database management
systems.
3. Application software review
Reviews all business application software, for example, software to record accounting and finance transactions
used by the finance department, software to process salary used by the payroll department and web-based
customer order system used by the sales department.
Generally assessment is carried out in the areas like access control and authorisations, procedure handling
validation, error and exception process, processing transaction flowchart and manual on controls and
procedures.
4. Network security review
Reviews IT network’s infrastructure, which includes internal and external connections to the system, perimeter
security, firewall review, router access control lists, port scanning and intrusion detection.
It includes reviewing how effectively network security resolves the underlying network security issues.
5. Business continuity review
Reviews control procedures in ensuring the systems and information are available when needed, for example,
the procedures for maintenance of fault-tolerant and redundant hardware, backup procedures and storage and
documented and tested recovery.
It includes a review to evaluate how business continuity is being managed.
6. Data integrity review
Reviews security control measures around IT operating systems and application software to ensure that the output
produced is accurate, complete, timely and valid.
It includes the accuracy and consistency of data stored in a database.

 4 scopes on the assessment of network security (4) PDF3 JUNE2018


1. Assess the internal and external connections to the system, as they carry all the data on the network.
2. Assess the perimeter security, including the “trusted relationships” between networks, as a safeguard.
3. Review the firewall for protection from unauthorised access to the system and its resources.
4. Assess router access for vulnerability to backdoor attacks.
5. Assess the servers or hosts for open ports using a port scanner.
6. Assess for malicious activity or policy violations using an intrusion detection application.

 Guide to conduct IT audit


 Benefits employ framework

 4 guiding principles stipulated in the Guide to the Assessment of IT Risk (GAIT)(4) PDF4 JULY2021
JUNE2018
1. Principle 1 encourages the internal auditors to consider the risks associated with information technology general
controls for significant accounts.
The identification of risks and related controls in IT general control processes (for example, change management,
deployment, access security and operations) should be a continuation of the top-down, risk-based approach used to
identify significant accounts, the risks to those accounts and the key controls in the business processes.
2. Principle 2 discusses the information technology general control processes that need to be tested.
The IT general control process risks that need to be identified are those that affect IT functionality in financially
significant applications and related data.
3. Principle 3 discusses the areas where information technology general control risk could exist.
The IT general control process risks that need to be identified exist in processes and at various IT layers such as
application program code, databases, operating systems and networks.
4. Principle 4 encourages internal auditors to consider the controls as a whole rather than the individual controls.
Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual
controls.

 GAIT for IT general control deficiency assessment


 GAIT for business and IT risk

 4 Scope of IT in assessing control in IT (4) PDF5 FEB2021 JUNE2019


1. Security Controls (Segregation of duties)
In order to meet an organisation’s objectives, this scope ensures that the IT management structure is properly
defined with an appropriate framework of authorities and responsibilities.
For example, the auditor examines the information related to the security management structure in order to
identify the persons in charge of security management, security administration, system users and system providers.
2. Logical access controls
This scope ensures that the access controls are reviewed to verify that safeguards are in place to prevent
unauthorised entry into an organisation’s data.
Connections to computer networks, system files and data are restricted by logical access control.
For example, the auditor should ensure that access to the access control software administration facilities is
restricted to the security administrator only, and that a user security administration procedure is in place to
ensure that system users are allocated unique user IDs.
3. Physical Security Controls
This scope ensures that access to the system and its data is restricted to authorised personnel only, and ensures
adequate protection of computer-related equipment against natural hazards and malicious damage.
For example, the staff should assess the adequacy of the various modes of protection from fire and water
damage, such as automatic fire detection and alarm system.
4. Installation Controls
This scope ensures consistent control of software and hardware management in the operation of application
systems.
For example, evaluate the controls over system software to ensure that it is protected by an access control
mechanism, that maintenance of the system is fully supported by the vendor, that changes are authorised and
documented, and that the software maintenance facility is supported.
5. Local area network controls - To prevent any unauthorised access to the local area network.

 4 audit process for logical access control (6) PDF6 JUNE2019


1. Check whether access to the access control software administration facilities is restricted to the security
administrator only.
2. Verify whether each user ID identifies the named user to the system that the user accessed.
3. Verify whether a user security administration procedure is in place to ensure that unique user IDs are assigned to
system users.
4. Review whether passwords are used to confirm the users’ identities and whether the passwords are encrypted to
protect their confidentiality.
5. Check whether user IDs are automatically disabled after 3 invalid login attempts, so that the account is locked out.
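The five checks above, as an added example that is not part of these notes, written as an automated audit test over a constructed user-account extract and authentication policy; the field names, role labels and policy keys are assumptions about how such an extract might look:

```python
"""Automated tests for the five logical access control audit steps.

All data below is constructed for the example: a user-account extract and the
authentication policy parameters, as an auditor might receive them from the
system administrator of the system under review.
"""
from collections import Counter

# Constructed sample: user account extract (field names are assumed).
USER_ACCOUNTS = [
    {"user_id": "secadm01", "name": "Aisyah Rahman", "role": "security_administrator",
     "admin_facility_access": True, "password_storage": "hashed"},
    {"user_id": "fin0023", "name": "Daniel Lim", "role": "finance_clerk",
     "admin_facility_access": True, "password_storage": "hashed"},     # exception, step 1
    {"user_id": "fin0024", "name": "Siti Noor", "role": "finance_clerk",
     "admin_facility_access": False, "password_storage": "hashed"},
    {"user_id": "fin0024", "name": "Kumar Raj", "role": "finance_clerk",
     "admin_facility_access": False, "password_storage": "hashed"},    # exception, step 3
    {"user_id": "payroll", "name": "", "role": "payroll_officer",
     "admin_facility_access": False, "password_storage": "plaintext"}, # exceptions, steps 2 and 4
]

# Constructed sample: authentication policy of the system (keys are assumed).
AUTH_POLICY = {
    "password_required": True,
    "lockout_enabled": True,
    "lockout_threshold": 5,   # exception, step 5: the audit programme expects 3
}

SECURITY_ADMIN_ROLE = "security_administrator"
MAX_INVALID_ATTEMPTS = 3  # the control expected by the audit programme


def check_admin_facility_access(accounts):
    """Step 1: administration facilities of the access control software must be
    restricted to the security administrator."""
    return [f"{a['user_id']}: admin facility access granted to role '{a['role']}'"
            for a in accounts
            if a["admin_facility_access"] and a["role"] != SECURITY_ADMIN_ROLE]


def check_user_ids_identify_users(accounts):
    """Step 2: every user ID must identify a named individual (no generic or
    shared accounts)."""
    return [f"{a['user_id']}: user ID is not tied to a named individual"
            for a in accounts if not a["name"].strip()]


def check_unique_user_ids(accounts):
    """Step 3: user IDs must be unique across system users."""
    counts = Counter(a["user_id"] for a in accounts)
    return [f"{uid}: user ID assigned to {n} users" for uid, n in counts.items() if n > 1]


def check_password_controls(accounts, policy):
    """Step 4: passwords must be required and stored encrypted or hashed."""
    findings = []
    if not policy["password_required"]:
        findings.append("policy: passwords not required to confirm user identity")
    findings += [f"{a['user_id']}: password stored as {a['password_storage']}"
                 for a in accounts if a["password_storage"] not in ("hashed", "encrypted")]
    return findings


def check_lockout(policy):
    """Step 5: accounts must be disabled after at most 3 invalid login attempts."""
    if not policy["lockout_enabled"]:
        return ["policy: account lockout is disabled"]
    if policy["lockout_threshold"] > MAX_INVALID_ATTEMPTS:
        return [f"policy: lockout after {policy['lockout_threshold']} invalid attempts, "
                f"expected {MAX_INVALID_ATTEMPTS} or fewer"]
    return []


def run_logical_access_audit(accounts, policy):
    """Run all five steps; returns the exceptions found, keyed by step number."""
    return {
        1: check_admin_facility_access(accounts),
        2: check_user_ids_identify_users(accounts),
        3: check_unique_user_ids(accounts),
        4: check_password_controls(accounts, policy),
        5: check_lockout(policy),
    }


if __name__ == "__main__":
    for step, findings in run_logical_access_audit(USER_ACCOUNTS, AUTH_POLICY).items():
        print(f"Step {step}: {'no exceptions' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```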

 Steps in IT audit PDF8


 Establish the terms of engagement (preliminary review, establish materiality and assess risks, plan the
audit, consider IC, perform audit procedures, issue audit report) PDF9
 Evaluation of general and application controls PDF9-PDF10
 Auditing SDLC (6 phases) PDF10-PDF12

 Involvement, Roles and responsibilities of internal auditors in the system development life cycle (SDLC)
PDF12 JAN2018 DEC2019
1. Review the SDLC project’s proposal generated during the system planning phases.
This is to ensure that issues such as control procedures and governance activities are addressed properly, in
compliance with the standards.
2. Review the economic feasibility of the system
3. Review and examine various documents generated at every phase of SDLC processes.
This allows the internal auditor to use other assessment tools, such as inquiry and checklists, so that the
project can run smoothly.
The results of this process will help the internal auditor to determine if the project is being developed in the best
interest of the organisation.
4. Review the relevant documents generated during system testing.
This is to ensure that the output generated fulfils the requirements needed by the end users in accordance with
the organisation’s policies, and complies with rules and regulations imposed by the regulatory body.
5. Review the adequacy of controls
6. Review the availability of audit trail

 Auditing of e-commerce PDF13


 4 challenges faced by the internal auditors in conducting the audit for ecommerce (4) PDF13 JAN2018
1. To determine that knowledge of security and control measures is up to date
Internal auditors must be familiar with the various security breach techniques associated with e-commerce
transactions, such as hacking and virus attack.
They should be able to solve those security issues and must recognise that different security threats require
different approaches and solutions.
2. To develop the skills and experience in handling e-commerce security issues.
Internal auditors must equip themselves to improve their skills and knowledge of the latest developments in IT
control procedures.
This could assist them in identifying any vulnerable areas exposed to external or internal threats, so that the
internal auditors can ensure the systems support the integrity of the business process.
3. To determine the validity, completeness and accuracy of recording
Internal auditors should focus on the adequacy of the security controls stated in the IT policy and procedures, since
the audit trail is lacking where transactions are paperless and involve no physical documentation.
By performing a walkthrough of the e-commerce system, the auditors can ensure a proper security control
procedure is installed and implemented at every stage of the transaction.
4. To determine the backup support from the IT vendors
IT vendors are no longer able to troubleshoot if the continuity of processing is affected and the system fails.
5. To review significant operational risk, e.g. in procurement and contracting
Legal liability from breach of the business partners’ agreements may lead to payment of compensation.
6. To determine that records retention is in accordance with statutory and administrative needs
The records with important information are preserved, while records that are no longer valuable are disposed of
in an appropriate and legal manner.
7. To review the segregation of duties
An individual should not have excessive system access that enables him or her to execute transactions across
an entire business process without checks and balances.

 4 purposes to audit the e-commerce business (6) PDF14 DEC2019 JULY2017


1. To audit the IT infrastructure
The internal auditors assess the performance and efficiency of the organisation’s infrastructure and security
measures, such as hardware, software, networks and data centres. Internal auditors must ensure that the IT
infrastructure was developed, managed and maintained to enable effective e-commerce operations.
2. To audit the security measures
The internal auditors identify other security issues that may harm the current infrastructure of an e-commerce
model. The security measures and related controls should be expected to be more extensive where the web
site is used for transacting with business partners, or where systems are highly interconnected. Internal audit
must also evaluate the security against unauthorised users, malicious activity and sensitive data leaks.
3. To audit the best practices
The internal auditors evaluate the compliance of the e-commerce business operations with the organisation’s IT
security policies and best practice within the industry. Internal auditors can identify best practices that can
assist the organisation in improving its e-commerce operations.
4. To audit the contingency plan
The internal auditors evaluate the readiness of IT functions in the case of a major failure in e-commerce
business transactions. A contingency plan may help organisations in recovering from disasters, managing risk,
avoiding negative publicity, and dealing with employee injuries.

 4 factors that can affect the business continuity of an e-commerce (4) DEC2018
1. Too dependent on IT service provider
2. Security threats to computer and network systems
3. Corrupt data
4. Flaw in data backup
5. No IT disaster recovery plan in place

 CAAT PDF15
 3 functions provided by Computer-Assisted Audit Techniques (CAATs) (6) PDF15 JULY2021
1. Information retrieval and analysis
CAATs can assist auditors in assessing data and records in order to evaluate and analyse them using the
criteria or parameters that they have set.
CAATs can be useful and effective in extracting information that would be acceptable in auditing.
For example, relevant audit tests in data analysis, such as identifying duplicate transactions, verifying approvals
against authorisation limits, matching transactions, and checking system overrides, access authorities and
telephone usage, could be handled by systems rather than performed manually.
2. Fraud detection tool
CAATs can help auditor detect unexpected or unexplained patterns in data that may indicate a possible fraud
case.
This requires auditors to recognise the indicators of fraud and to understand how the data obtained may be
used to verify whether a fraudulent act has occurred.
CAATs can assist by highlighting transactions that contain the characteristics that are associated with fraudulent
conduct.
For example, the software may notify the auditor of long overdue outstanding accounts, sudden write-offs, duplicate
payments, unusually costly acquisitions or overrides of authorisation limits.
3. Audit reporting function
CAATs can assist auditors in the preparation of accurate and relevant reports. CAATs provide tools for automating
the linking of work performed, information obtained, auditor assessments and information used in the audit
report writing function.
This function enables auditors to minimise duplication of writing or translating information from one section of the
audit working papers to another related section or in writing it as a summary.
CAATs can identify audit findings in the audit programmes, checklists or internal control questionnaires and then
transfer the related information into management letters for reporting to management.
Using CAATs is more effective in obtaining audit results, allowing the audit report to be used for sound
decision making.

 4 Advantages of information retrieval and analysis in detecting irregularities (6) FEB2021 DEC2018
1. In a high volume of transactions, it would be impossible for internal auditors to review even 1 percent of the
transactions by number or value, although materiality is the general emphasis.
2. Internal auditors can perform various data analysis tasks such as matching transactions, checking approvals
against authorisation limits, and identifying duplicate transactions, system overrides, access authorities and
telephone usage.
3. Internal auditors are able to select specific data and pay attention only to those unusual data that fall outside
the expected range of transaction values or results.
4. Internal auditors can identify patterns, shifts or trends in the data that may indicate changes in business
environment, customer base or the economy.
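The data analysis tests named in the CAAT functions and in the advantages above (duplicate transactions, approvals against authorisation limits, matching transactions, and values outside the expected range), as an added example that is not part of these notes or of any particular audit software; the payment ledger, approvers and authorisation limits are constructed:

```python
"""CAAT-style information retrieval and analysis over a payments ledger.

Added example: the ledger, the delegation of authority limits and the field
names are constructed for illustration, not taken from any real system.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: accounts payable payment ledger export.
PAYMENTS = [
    {"id": "P001", "vendor": "V100", "invoice": "INV-7781", "amount": 4200.00, "approver": "clerk_a", "po": "PO-551"},
    {"id": "P002", "vendor": "V100", "invoice": "INV-7781", "amount": 4200.00, "approver": "clerk_a", "po": "PO-551"},  # duplicate of P001
    {"id": "P003", "vendor": "V205", "invoice": "INV-0310", "amount": 18500.00, "approver": "clerk_b", "po": "PO-560"},  # above approver's limit
    {"id": "P004", "vendor": "V310", "invoice": "INV-1192", "amount": 950.00, "approver": "clerk_a", "po": ""},  # no purchase order
    {"id": "P005", "vendor": "V205", "invoice": "INV-0322", "amount": 3900.00, "approver": "manager_c", "po": "PO-571"},
    {"id": "P006", "vendor": "V410", "invoice": "INV-5550", "amount": 4100.00, "approver": "clerk_b", "po": "PO-580"},
    {"id": "P007", "vendor": "V410", "invoice": "INV-5561", "amount": 97000.00, "approver": "manager_c", "po": "PO-590"},  # unusual value
]

# Constructed sample: authorisation limits from the delegation of authority matrix.
AUTH_LIMITS = {"clerk_a": 5000.00, "clerk_b": 5000.00, "manager_c": 100000.00}


def find_duplicate_payments(payments):
    """Payments sharing vendor, invoice number and amount are candidate duplicates."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice"], round(p["amount"], 2))].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def find_limit_breaches(payments, limits):
    """Approvals where the amount paid exceeds the approver's authorisation limit.
    An approver missing from the matrix has a limit of zero, so every payment they
    approved is reported."""
    return [p["id"] for p in payments if p["amount"] > limits.get(p["approver"], 0.0)]


def find_unmatched_payments(payments):
    """Payments that cannot be matched to a purchase order."""
    return [p["id"] for p in payments if not p["po"]]


def find_outliers(payments, z_threshold=2.0):
    """Payments whose amount lies outside the expected range, using a simple
    z-score against the population of amounts in the extract."""
    amounts = [p["amount"] for p in payments]
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma == 0:
        return []  # all amounts identical: nothing stands out
    return [p["id"] for p in payments if abs(p["amount"] - mu) / sigma > z_threshold]


def analyse_payments(payments, limits):
    """Run the four tests and return the exceptions for the auditor to follow up."""
    return {
        "duplicates": find_duplicate_payments(payments),
        "limit_breaches": find_limit_breaches(payments, limits),
        "unmatched": find_unmatched_payments(payments),
        "outliers": find_outliers(payments),
    }


if __name__ == "__main__":
    for test_name, exceptions in analyse_payments(PAYMENTS, AUTH_LIMITS).items():
        print(f"{test_name}: {exceptions}")
```

Each list of exceptions is a sample for follow-up, not a conclusion: a duplicate key may be a genuine second delivery, and an unusual value may be a legitimate capital purchase.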

 Advantage CAAT PDF15


 Disadvantage CAAT PDF16

7. Internal Audit Process – Planning and Fieldwork (7)

 Internal audit process (strategic audit planning, engagement planning, performing the engagement,
evaluation/conclusion, communication-reporting, follow up) PDF2

 Engagement Plan Payroll cycle PDF6 JULY2021


1. The objectives of the activity being reviewed and the means by which the activity controls its performance.
2. The significant risk to the activity, its objectives, resources and operations and means by which the potential
impact of risk is kept to an acceptable level.
3. The adequacy and effectiveness of the activity governance, risk management and control procedures compared
to relevant framework or model
4. The opportunities for making significant improvement and recommendation to the activity’s governance, risk
management and control process.
5. Timing and resource allocation

 The factors to be considered in setting up the engagement objectives and scope PDF6 FEB2021
1. Understanding of the auditee.
The internal auditors need to understand the auditee’s business objectives and operations as the engagement
objectives depend on it.
From an internal auditor’s perspective, the auditee’s business objectives provide a framework for defining the
engagement objectives.
The auditor can conduct a preliminary survey to obtain information about the auditee, such as organisational
chart, policy and procedures and process mapping.
2. Preliminary assessment of risks relevant to the activity under review.
The internal auditors must assess the risks that threaten the achievement of the auditee’s business objectives and,
ultimately, the organisation’s objectives.
The internal auditors should focus on inherent risk in the preliminary assessment so that the management can
take action to reduce the risk.
3. Probability of significant irregularities.
Internal auditors should consider the possible accounting irregularities, such as errors, non-compliance and
other exposures when setting up objectives for assurance engagement.
For example, on the understatement of liabilities, the internal auditors are required to review estimates of accruals
and provisions involving subjective judgements or uncertainties that are difficult to explain and substantiate.
4. Criteria that can adequately evaluate risk management, control and governance process.
Internal auditors must determine whether management and the board have established adequate criteria for
determining whether objectives and goals have been accomplished.
If the criteria are adequate, internal auditors must use such criteria in their evaluation to meet the engagement
objectives. If not, internal auditors must work with management to develop appropriate evaluation criteria.

 Risk and controls assessments / factors to be considered by internal auditors in order to rely on the
management’s assessment of risks. PDF7 FEB2021
1. The reliability of the management’s assessment of risk.
Reliability is the extent to which the process of risk identification, risk analysis and risk evaluation contributes
to the trustworthiness of the risk assessment.
For example, establishing key risk indicators (KRIs).
The internal auditors can also go through self-assessment questionnaires for the business process.
2. The process that management takes into account in monitoring, reporting and resolving risk and control
issues.
An organisation must be able to identify what constitutes a risk and decide whether the risk can be accepted or
needs to be mitigated in order to protect business profitability and survival.
It is important for the organisation to develop and disseminate a repeatable process to properly uncover, assess,
analyse and mitigate risk, as risk management is a long-term requirement.
3. The management’s reporting of events that exceeded the limits of the organisation’s risk appetite, and the
responses to those reports.
Risk appetite is the level of risk that an organisation is willing to accept while pursuing its objectives, before
management determines whether it is necessary to reduce the risk.
Monitoring adherence to the appetite can drive decisions and ensure that business decisions are made
with a complete understanding of the risks and of the capacity to respond to those risks.
4. Risks in related activities relevant to the activity under review.
The business activities in an organisation are sales and receipts, purchase and payment, inventory, and payroll.
The internal auditors need to assess the risk of an inadequate allowance for doubtful debts when reviewing the
net realisable value of accounts receivable.
In this case, the management should be able to provide the internal auditors with required documentations and
explanations about the risk of doubtful debts and the approach to mitigate such risk.

 Creating test plan / factors that are pertinent to effective work program. PDF9 FEB2021
1. Objectives and scope
An objective is what the engagement is intended to achieve.
A scope is what the engagement will and will not cover, such as the totality of outputs and outcomes required.
The internal auditor can conduct a meeting with the auditee’s personnel in order to discuss the objectives and
scope of the engagement.
2. Reference documents.
The audit planning memorandum can be used to review the effectiveness and efficiency of the function and to
confirm that the scope and direction of the audit are aligned with the required standards.
The document is referred to for monitoring and measuring work performance as the task progresses.
3. Date and person performing the work.
It is important to assign who is going to perform the audit work and the date by which such work needs to be
completed.
The resource schedule is prepared in order to assign staff efficiently and to schedule the start and finish
dates for each task based on resource availability.
4. Detail audit procedures and evidence collected.
Detailed audit procedures are designed in order to obtain sufficient appropriate audit evidence. Procedures can
include inspection, observation, confirmation, recalculation, re-performance and analytical procedures, often in
some combination.

 Performing engagement PDF10


 Identify and collect information PDF11
 Analysing and Evaluating information / Audit procedures (payroll) PDF11 JULY2021
1. Interview or conducting Inquiry - Discuss with payroll manager on payroll calculation
2. Verifying or Vouching - Review the payroll payment instruction letter sent to the bank
3. Observation - Observe the employee clock attendance
4. Re-performance or re-calculation - Recalculate amount of tax deduction
5. Questionnaires - Issue survey on employee satisfaction
6. Analytical Procedures - Calculate Ratio on total monthly tax deduction for 12 months
7. Computer assisted audit tools and techniques (CAATTs) - Using audit software to reconcile payroll file and
employee master file.
8. Physical inspection - Test drive the company car used by the chief executive officer to ensure that it is in good
condition
9. Review of published reports or minutes - Review minutes of meeting to identify decision on bonuses for the year.
10. Confirmation - Send letters to employees who took company car loan to confirm the loan balance due.

 Documenting / Elements of AWP PDF12 JULY2021


1. Audit Plan
Audit working papers should contain evidence that the auditor developed a plan for the whole audit engagement,
including information on audit procedures, any unusual circumstances, and the flowcharts and organisation charts
that helped shape the course of the audit examination.
2. Narrative Summary
The narrative summary is all the information gathered by methods such as inquiry, confirmation, inspection and
other methods of enquiry, together with the conclusion.
The supervisor prepares the description, which is then reviewed by the CAE or the head of internal audit.
3. Supporting Documents
Auditors prepare schedules or summaries in support of specific work performed.
These documents are evidence that supports auditors to make their conclusion on the financial statements.
For example, risk and control assessments, documents and analysis using generalized audit software.

8. Internal Audit Process – Investigation of Fraud (10)

 The success of the perpetration of fraud by the SAE, according to the elements in the fraud diamond PDF3
FEB2021
1. Pressure
A person commits fraud because they are under pressure.
Pressure can include almost anything, and most of the time pressure comes from a significant financial problem.
In the view of the fraudster, this problem is non-shareable, so the person feels that the problem has to be
solved in secret.
Here, the pressure was to satisfy her financial needs, since she had incurred upscale renovation costs.
2. Opportunity
Opportunity is the ability or the circumstances that give a person the advantage to commit fraud.
Opportunity is created by weak internal controls, poor management oversight and through use of one’s position
and authority.
Opportunities for fraud can occur because of the failure to establish adequate procedures to detect fraudulent
activity.
ARB had relaxed its controls over accounts payable and the signing of cheques.
The SAE was able to create a new vendor without approval from the procurement manager.
The SAE could access and use the automated signature machine to sign cheques made payable to vendors.
It is important for organisation to build processes, procedures and controls that do not put employees in a
position to commit fraud and that effectively detect fraudulent activity if it occurs.
3. Capability
Capability is the ability of a person to recognize the opportunity to carry out fraud and to turn it into reality.
The SAE’s position within ARB gave her the confidence. The SAE handled not only the record keeping but
also had access to the automated signature machine.
4. Rationalization
Rationalization is the ability of a person to offer reasons to commit fraud.
The SAE was able to give a seemingly reasonable explanation for committing the fraud, e.g. she was underpaid and
underappreciated; she took the money for a good purpose; she was not hurting anyone; she was only borrowing the
money temporarily and intended to pay it back.

 Procedures that enable the internal auditor to discover the fraud - Misappropriation of assets and stock
theft PDF4 JULY2021
1. Periodically, observe the performance of a stock-take.
2. Compare the details and the balances from the perpetual inventory records with the physical and bin card
balances.
3. Query and probe documents that carry alterations.
4. Observe the acceptance of raw materials into the store to see whether any checking is performed by the staff
in charge.
5. Check whether the perpetual inventory records are authorised by a higher authority.

 Red flags that could have warned of the occurrence of this fraud PDF5 JULY2021
1. People category
Lack of policies regarding the company’s values and behavioral standards, and no published code of conduct.
Failure to take holiday entitlement without good reason, or only taking leave one day at a time.
Rumors and/ or evidence about lifestyle or work style of employees or where lifestyle is at variance with their
known sources of income.
Company management does not take appropriate actions in response to departures from approved policies and
procedures or the code of conduct.
2. Processes category
Suggestions that internal control is being overridden.
Indications that internal financial information is not reliable.
Continuing failure to correct deficiencies in internal control where such corrections are practicable and cost
effective.
Internal control is given low priority and little management time.
3. Opportunity category
Familiarity with operations.
The company does not inform employees about the rules or the action taken to combat fraud.
No mandatory vacations, periodic rotations, or transfer of key employees.

 Fraud prevention / Fraud detection measures PDF10 JULY2021 FEB2021


1. Control environment - A code of conduct, ethics or fraud policy to set the appropriate tone at the top as a key
part of fighting against fraud.
A straightforward and easily understood fraud policy is a cost-effective way of demonstrating an organisation’s
commitment to combating fraud and corruption wherever it occurs.
An organisation should establish a policy that clearly states its position and the actions that will be taken against
anyone who commits fraud.
This sends a clear message to employees that the organisation has zero tolerance for anyone who commits
fraud, and that management will take action against staff and third parties who commit fraud.
2. Analytical review
Analytical review is the evaluation of financial information based on analysis of plausible relationships among
both financial and non-financial data.
The review includes any necessary investigation of identified fluctuations or relationships that are inconsistent with
other relevant information or that differ from expected values by a significant amount.
This would be useful to smaller companies since the impact of fraudulent activities would not affect the bottom
line.
If the measure is supplemented with a policy of job rotation, it will be more effective in revealing fraud activities
when the perpetrator requires continuous manual intervention in his job.
3. Control activities - Employee education
Promoting the importance of the fraud risk management programme and the organisation’s position on fraud risk,
both internally and externally, through corporate communication, by designing and delivering fraud awareness
training.
With such education, employees become the organisation’s eyes and ears and are more likely to report any fraud
activity.
Well-trained employees can detect suspicious activity and management can communicate its commitment to
high ethical standards and fraud prevention.
Effective employee education and training can also improve employee morale and lead to increased compliance
with legal and regulatory obligations and standards.
4. Monitoring - Surprise audit
A surprise audit is a stronger deterrent to fraud than a normal audit, because the advance announcement of a
normal audit gives the perpetrator time to cover his tracks and destroy relevant evidence.
Internal auditors conduct surprise audit to identify any weaknesses that could make assets vulnerable and to
determine whether anyone has already exploited those weaknesses to misappropriate assets.

 The evidence that lead to the detection of fraud FEB2021


1. Documentary evidence
Review of the expense report kept by the accounting department, which indicated that payments were fraudulently
made.
2. Documentary evidence
Review of the fraudulent invoices, which noted that those invoices were not supported by receiving reports and
purchase orders.
3. Documentary evidence
Review of the register of the cheque signing machine, which revealed that the payments for the 40 fraudulent
invoices were not properly documented.
4. Analytical evidence
Review of social media, which revealed the SAE’s photos of a house renovation at Saujana Bay whose cost
coincided with the amount misappropriated.

9. Internal Audit Process – Reporting and Monitoring (7)


 Purpose of issuing interim report JUNE2019 FEB2021
1. It enhances the establishment of better and more transparent communication between the internal auditor and
the organisation’s management.
It assists management in staying updated with current information regarding the risk and control of the
organisation.
The information normally concerns significant findings by the company’s internal auditors, which must be
brought to the attention of management rather than waiting for the audit to be completed.
2. It helps the internal auditors communicate information such as red-flag risks that require the immediate
attention of management.
However, it must be done in a proper manner, which is through interim reporting.
For example, an issue of fraud needs to be conveyed instantly to those charged with governance.
3. It helps to communicate the change in engagement scope of audit for the activity under review.
The scope of audit is important to ensure that the results of the internal auditing cover the objectives of the
internal audit.
Understanding the scope and boundaries allows both parties to work together effectively and to avoid any overlap
of activities that may create conflicts for the engagement.
Hence, the communication of the change in the scope is important.
4. It helps to keep the management fully informed and updated on the progress of engagement, especially if the
work is time consuming.
This will help the internal audit work to be done effectively and efficiently since the management will be more
ready to contribute to the internal audit work.
Internal auditors can build a reputation as professionals who are on top of things, as they respect time by keeping
reports as short as possible while still communicating essential details, and this shows them to be competent
internal auditors.
5. It shows the competencies of the internal audit staff.
The interim audit report shows that the internal audit staff are performing their work with the knowledge, skills and
competencies required by the objective and scope of the audit.
It shows that they are responsible for the audit assignments.
It builds a good reputation for the internal audit staff.

 Internal audit report should be able to assist the clients for the following purposes DEC2019
1. To inform
To document the findings, i.e. the observation and recommendation pertaining to the adequacy of an
organization’s risk management and internal control systems
2. To vouch
To have a discussion in order to come to an agreement on the findings, which leads the organisation to be
more robust in the future and strengthens corporate governance. Also, to acknowledge the client’s
accomplishments in terms of improvements since the last engagement.
3. To give confidence
To provide assurance that risk management and controls have been applied and practiced with no adverse
findings. In addition, to convince the management on the worth and validity of the findings
4. To get results
To recommend, i.e. make the management to move towards correcting existing conditions or improving
operations. Furthermore, to have an action plan, i.e. a list of tasks that need to be achieved, in order for the
goals to be reached by an organization

 The purposes of field audit exit meeting are PDF4 JULY2021
1. To enable auditors to discuss matters on the weaknesses and deficiencies of the system
2. To focus on the specific risk areas discovered during the audit that require attention.
3. Confirmation from the auditee of the acts uncovered during the audit
4. To get the auditees’ feedback and reaction for agreement on the form and content of the draft audit report
 Shortcomings/Deficiencies in the quality of communications PDF6 JULY2017
1. Recommendation – not constructive
The recommendation does not state how the outstanding accounts receivable should be collected. It does not provide
a recommendation that leads to an improvement for the credit control department in settling the outstanding
receivables.
2. Criteria – not clear
The criteria only stated the ‘standard operating procedure’ but did not state how the SOP is carried out. It
contains only the topic sentence without the supporting sentences to explain the SOP.
3. Condition – not clear
The sentence in the condition element stated that it has long outstanding receivables. The word ‘long’ does not provide
the relevant information. It should state how long the receivables have been outstanding, for example 60 days or 90 days.
4. Cause
The standard requires all elements of a finding. However, the finding reported is missing the “Cause” element. The
cause element of a finding requires the auditor’s careful judgement. The internal audit recommendations basically
depend on the Cause element of the audit findings.
Therefore, the auditor shall carefully analyze and explain the cause element of a finding.
The cause may be explained as oversight, excessive workload, lack of competent staff, unawareness of the criteria, or
instruction by supervisors, as the case may be.
5. Effect (not a shortcoming)
The impact element adequately states the effect of the finding if it is not rectified as per the recommendations.
The consequences if not rectified could be that the financial statements are materially misstated or a huge loss is incurred by
the organization in the future.

 Shortcomings/Deficiencies in the quality of communications PDF6 JAN2018
1. Condition – No deficiency, adequately explained.
2. Criteria – No deficiency, adequately explained.
3. Cause
The cause element of a finding requires the internal auditor’s careful judgment. Stating that the “Chief cashier is not
aware of the problems” is inappropriate.
The internal auditors should state that the chief cashier is not serious in performing supervisory review, or lacks
training, as the factor that caused the current condition.
4. Effect
The impact element should adequately state the effect of the finding if it is not rectified as per the recommendation.
A clear explanation is required about the cash loss from mishandling the cash register and accepting counterfeit money.
Here, if not written off as expenses, it could materially misstate the financial statements.
5. Recommendation
The report is missing the ‘Recommendation’ element. The recommendations basically depend on the ‘Cause’
element of the audit observation.
Here, the importance of supervisory review or in-house training can be recommended.
6. Action Plan – No deficiency, adequately explained.

 Shortcomings/Deficiencies in the quality of communications PDF6 JUN2018
1. Criteria
No deficiency, adequately explained.
2. Condition
No deficiency, adequately explained.
3. Cause
Not clear – Did not provide significant and relevant information on why the condition happened
4. Effect
Not accurate – Contains an error: instead of net realizable value (NRV), the report stated net book value (NBV) as
the valuation basis of accounts receivable
5. Recommendation
Not constructive – Did not consider the nature of, and hardship in, adhering to the job description of an accounts
executive, and immediately placed the blame so as to terminate service
6. Action Plan
No deficiency, adequately explained.

 Shortcomings/Deficiencies in the quality of communications PDF6 DEC2018
1. Criteria
No deficiency, adequately explained.
2. Condition
No deficiency, adequately explained.
3. Cause
Not clear, difficult to understand
The word “many” is an intensifier, which lacks precision and is based on personal values
Should explain that there were not enough staff to handle deliveries during the peak period
4. Effect
No deficiency, adequately explained.
5. Recommendation
Not clear, did not provide significant and relevant information
The responsibility of each receiving staff member is not explained
Segregating the responsibility for keeping the records of unfulfilled orders from the responsibility for examining for
damage can ensure complete documentation of goods received
6. Not clear; passive voice can make the report hard to understand
Dull and tiresome reading
Active phrasing is usually easier to understand
7. Action Plan
Not clear, did not provide significant and relevant information
The information given should have been written under “Effect”
Should write the activities that must be performed for the recommendation to succeed

 The weakness in the wordings for each element of observation PDF6 DEC2019
1. Criteria
The criteria element does not provide relevant information. The criteria lack the details of the control
activities, i.e. the segregation of duties. Here, the elements of the control activities should be emphasized, i.e.
the separation of authorizing the data entry, processing the data, disbursement, and backup of the data.
2. Condition
The condition does not provide significant information on the weaknesses in the control activities. Here, the
weakness should mention that the human resource, payroll and accounting departments are operating the
application on a shared basis. Hence, the payroll information is susceptible to unauthorized modification.
3. Cause
The cause is not helpful in assisting improvements to the internal control. Here, the MudahGaji application is a
single-user licence, and therefore is accessible by three incompatible departments, which gives the opportunity for
fraudulent alteration of the data.
4. Effect
The effect is not helpful in recognizing the consequences of the weakness. Here, the risk or exposure the
organization encounters because the condition is not consistent with the criteria is that MudahGaji is accessed by
three incompatible departments. Therefore, any irregularity in the payroll may not be detected on a timely
basis.

 Shortcomings/Deficiencies in the quality of communications PDF6 JULY2020
1. The criteria, i.e. the correct state of the business operation, were not stated. It should provide the requirements of the
operating procedures relevant to the findings, or the internal auditor’s expectations.
2. The condition, i.e. the current state of the business operation, was not stated. It should provide the factual evidence
that the internal auditor found in the investigation.
3. The cause was not stated. The cause refers to the reason for the difference between the criteria and the actual
condition. So, the cause element requires the auditor’s careful judgement. The internal auditor’s recommendation
depends on the cause element of the finding. Hence, they should carefully analyze the cause of the shortcoming.
4. The effect of not rectifying was not stated. The impact element should describe the effect of the finding if it is not rectified as
per the recommendation. The consequences of not rectifying could be that the financial statements are materially
misstated and huge losses are incurred by the business.
5. The recommendation was not stated. This element shall provide the internal auditor’s suggestion to be
implemented to overcome the issues. No recommendation can be provided since there are no specific criteria to
be followed and there is no cause element to be analyzed.

 Shortcomings/Deficiencies in the quality of communications – time and attendance record PDF7 JULY2021
1. Condition
A preliminary audit revealed that a number of employees did not have their working hours completely recorded.
Further investigation revealed that a smaller portion of the employees did not submit their forms manually.
It should be reported with the exact number or percentage of the employees involved.

2. Causes
Emails reminding those who did not clock out arrived as a very late notification. Most of those who failed to clock
out only realized it via email the next day.
The reporting on the notification time of the “no clocking out” reminder is vague.

3. Effects
The statement on the possibility that actual working hours are grossly wrong is not correctly worded.
This should be correctly reported as “There is a possibility that actual working hours are inaccurately recorded and
incomplete”.
Erroneous calculations of working hours will affect the gratuity calculation upon retirement later.
Erroneous calculations of working hours will cause the gratuity upon retirement of that particular employee to be
misstated.

4. Recommendations
The statement “notifying the staff to clock-out be asked via social media application” should be worded as
“Notification of the staff to clock out is to be communicated via a social media application”.
The statement “The human resource department should send reminders to staff who failed to clock-out any
time” should be replaced with “The human resource department must send reminders to staff who failed to clock
out for a particular day on the next day”.

 Factor of good quality report writing / Assessment of understandability – cash disbursement PDF11
FEB2021
1. Criteria, condition, cause and effect – Readability
Here, the paragraph for each of the attributes has only a “topic sentence”.
Begin each paragraph with a “topic sentence”, followed by “supporting sentences”.
The topic sentence is a sentence used at the beginning of a paragraph to tell the reader what you
are going to be talking about in that paragraph.
It should be followed by “supporting sentences” that give information to explain, describe, and develop the
main idea in the topic sentence.

2. Cause – Readability
Contains redundant wording – “…the disbursement payment…”
The phrase “disbursement payment” contains redundant wording.
It is appropriate to write only “payment” and drop the word “disbursement”, because a disbursement is a
payment of money.

3. Effect – Clarity
The cause element of a finding requires the internal auditor’s careful judgment.
Stating that “The staff only received invoices from the mailing department” is inappropriate.
The internal auditors should state that the staff is not serious in performing the three-way matching by chasing
the documents from the relevant departments, or lacks training, as the factor that caused the current condition.

4. Recommendation – Readability
Contains redundant wording – “…the detection of unintentional mistake…”
The phrase “unintentional mistake” contains redundant wording.
It is appropriate to write only “mistake” and drop the word “unintentional”, because a mistake is by definition
something that is not done on purpose.

 Factor of good quality report writing / Assessment of understandability PDF11 JULY2017
1. Readability
The message placement is structured. It states the title of the report, “Executive
Summary: Audit Objective”, which helps the reader understand what the whole paragraph is about.
2. Readability
The report uses redundant wording. ‘Oversight’ is redundant; just write ‘supervision’ in the
sentences.
3. Readability
The objectives of the audit are well organized into a main objective and sub-objectives. The writer mentions the
sub-objectives of the audit. It gives the reader a view of what they are reading.
4. Clarity
The sentences should contain appropriate words that make the reader understand what the sentences are
trying to convey. The writing style has to be formal. ‘QC’ should not be written in its short form. It should be
written as ‘Quality Control’, because not all readers can understand the short form.

 Factor of good quality report writing / Assessment of understandability PDF11 JUNE2018
1. Readability
Readability depends on a range of factors, including content, structure, style, layout and design.
The placement of the audit scope in the executive summary is correct (✓1).
2. Readability
Readability is more than simply legibility. Here, readability is a measure of how easily a reader can understand
the wording.
Here, the phrase “foreign imported” contains redundant wording. It is appropriate to write only “imported” and
drop the word “foreign”.
3. Clarity
Clarity is the quality or condition of being clear or easy to understand.
Here, each scope item will assist in the examination and lead to an understanding of the terms of engagement.
4. Objective wording
Objectivity is the quality or condition of not being influenced by personal feelings or opinions in considering and
representing facts.
Here, the scope of the inventory-taking audit describes the requirement to determine weaknesses in the physical
count, and discrepancies between the counted and recorded quantities.

 Factor of good quality report writing / Assessment of understandability PDF11 JUNE2019
1. Readability – Effect
There is redundant wording in the Effect. The word ‘falsely’ is redundant. The sentence should be “The net profit
is misstated by a significant amount…”
2. Clarity – Effect
There is an intensifier in the sentence. The word ‘significant’ is an intensifier, which lacks precision on the
amount that is misstated. Replace it with RM800. The sentence should be “The net profit is misstated by RM800
of penalty charged by…”
3. Readability – Recommendation
There is redundant wording in the sentence. The word ‘unintentional’ is redundant. Drop ‘unintentional’
and write only ‘error’. An error is indeed unintentional, so there is no need to redundantly add the word ‘unintentional’
there.

 Best practices / common mistakes in the writing of the Internal Audit Report PDF12 JULY2020
1. No headings and subheadings. The information is not organized into headings and subheadings, so the report cannot draw the
reader’s attention to specific parts of the report and emphasize important information.
2. Format not easy to understand. There are no paragraphs; the finding should be presented in paragraphs, and
the internal auditor should begin with a topic sentence followed by supporting sentences. A long sentence
might cause problems in getting the correct meaning.
3. Too many intensifiers. Intensifiers lack precision and are mainly based on personal values. For example, it
is not acceptable for the internal auditor to use the words ‘clearly’ and ‘completely’.
4. Inconsistent terminology. Problems of inconsistency or ambiguity in terminology relate directly to the failure of
the user of the terminology, i.e. the internal auditors, to fully understand its meaning. When internal auditors
interpret the terminology wrongly, they may unintentionally mislead another team member. Even worse,
inconsistent terminology also prevents the management from meaningfully assessing or relying on the internal
auditors’ findings or opinion.
5. Not visually attractive and not able to be read efficiently. The report does not help to develop a positive feeling in
the reader, and the reader does not feel it important to read further.
6. Passive voice – Dull and tiresome reading. For example: “It is recommended by the internal auditors that
quotations from three vendors must be evaluated by the purchasing department.”

 Best practices / common mistakes in the writing of the Internal Audit Report PDF12 JULY2017 JUN2018
1. The main point should be stated immediately, because the reader must grasp the main point first before they can
comprehend the explanation of the issue, level of risk, recommended mitigation and corrective action.
2. Auditors need to construct sentences that consist of nouns that readers can easily understand and visualize.
Avoid using bombastic sentences, because they will cause the readers to fail to understand the points.
3. Each sentence must generally be short and contain not more than 24 words to ensure readability.
When there are too many words, the readers lose attention to the key point.
4. The auditors can write the ideas in list form. This will help the readers to digest and process the information in a
short time, compared to paragraph form, which requires them to carefully read and find each idea in a long
paragraph.
5. Auditors need to use the correct words and acceptable practice for business documents. The main point must be
brief and clearly describe the issue. The tone of writing should reflect the level of risk and the importance of the
mitigation/corrective action for the management and audit committee.
6. Auditors need to communicate the severity of risk and provide a meaningful explanation of the risk, so that the
management is able to focus on the recommendations.
7. Auditors need to avoid using technical terms, because not every client understands or is familiar with
accounting and auditing terminology.
8. Avoid using negative words, because such words have a high tendency to provoke, rather than convince,
auditees.
9. Must anticipate responses or feedback from clients. Discuss findings in a good and positive manner, not
reacting defensively.
10. Construct sentences with nouns, so that readers can easily understand and visualize the issue.
11. Construct short sentences containing no more than 24 words to ensure readability.
12. The main point must be short and precise and describe the issue.
13. The tone of writing should reflect the level of risk.
14. Simplify ideas into lists to help readers digest and process information in a short time.
15. Long sentences
The report does not adhere to the rules of writing mechanics.
16. Inconsistent terminology
The problem of inconsistent terminology is related to the failure of the internal auditors to fully understand the
meaning.
17. Passive voice
Passive voice makes the writing weak and less readable.
18. Intensifiers
Lack precision and are mainly based on personal values.

 Steps to the effective communication of internal audit report PDF16 DEC2018
1. Must make advance preparation when communicating bad news
Directors and management increasingly want, expect, and even demand to know why the bad news is being
delivered, whether it is a negative performance review, a budget cutback, or job layoffs.
Also present solutions or an action plan to solve the problems that led to the bad news.
2. Must focus on the setting for the meeting
Ensure that the order in which items are to be discussed is set, so that the meeting achieves its purpose. This will later
shape the minutes of the meeting.
This also enables the internal auditors to prepare any facts or figures, so that they have the necessary information to make
an effective contribution.
3. Must be straightforward and honest in their delivery
The importance of being straightforward and honest lies in one’s moral values.
Internal auditors have to keep everyone abreast of what is going on within the organization, both good and bad.
4. Must anticipate responses or feedback from auditees
Feedback is a supportive act intended to deal with under-performance in a constructive way.
Being able to give feedback effectively means that the internal auditors know that they have been understood, and that what
they said had some form of value.
5. Determining corrective actions
Corrective action helps to understand complaints or negative situations and pinpoint any issues that must be
resolved.
Effective corrective actions will bring to light most complaints or negative situations, to mitigate risk and ensure
compliance for the organization.

 3 monitoring actions to be taken until recommendation is implemented JUNE2019
1. Conveying the engagement observations and recommendations to the appropriate levels of management who are
responsible for the action-taking process.
2. Receiving and evaluating the management responses and proposed action plans on the observations and
recommendations during the engagement or within a reasonable time period after the engagement results are
communicated.
3. Receiving periodic updates from the management to evaluate the status of its efforts to correct the observations
and implement the recommendations through an action plan.

 Prerequisites on disseminating information to the parties outside the organization PDF19 DEC2019
1. Enter into a contract
Provide a written agreement with the intended recipients concerning the information to be reported and the internal auditors’
responsibilities. A written contract provides security and peace of mind for both parties and may help avoid costly
and time-consuming conflict.
2. Official capacity to obtain information
Identification of information providers, sources, report signers, recipients and related persons who are to receive the report or
information. The company can miss opportunities from corporate social responsibility and even find itself in
regulatory trouble if it does not monitor the dissemination of information.
3. Purpose to obtain information
Identification of the objectives, scope and procedures to be performed in generating the applicable information. Once
the purpose, e.g. for research, has been explained, the objectives and scope help determine the extent of
information needed to complete the study.
4. Protect information from unauthorized purposes
Nature of the report or other communication, including opinions, inclusion or exclusion of recommendations,
disclaimers, limitations and types of assurance provided. While a disclaimer certainly cannot rule out the
possibility of legal action taking place at some point in the future, it can go a long way toward protecting the
company’s best interests.
5. Legal right over the information
Copyright issues, intended use of the information and limitations on further distribution or sharing of the information.
Copyright constitutes exclusive ownership of the information, which means that the company can protect its
confidentiality and determine whether and under what conditions it may be copied and used by others.

 Internal Communication / aspects to be considered before disseminating information on internal audit findings within the organisation PDF19 JULY2021
1. Adopt policies or guidelines
The internal policies highlight and acknowledge what information can be shared and communicated with the
organisation’s internal employees, and how. The CAE may adopt policies or guidelines for communicating sensitive information within
and outside the internal audit group or chain of command.
2. Information communicated
Information communicated may need to be handled with care, as it may expose threats, uncertainties, fraud, waste
and mismanagement, illegal activities, abuse of power, misconduct that endangers public health or safety, or
other wrongdoing.
3. Information sensitivity
Information sensitivity describes the control of access to highly privileged information that could cause a loss of
security or advantage for the organisation.
It is necessary to consider the impact of the information on the organization’s reputation, image, competitiveness,
success, viability, market value, investments, intangible assets and earnings.

 The types of information/ recipients that require a separate reporting FEB2021 JUNE2018
1. Privileged information
Any information that is legally protected from being disclosed to the public.
For example: personal data
2. Proprietary information
Information that deals with the activities, business or products of a company and is not public knowledge.
For example: financial data, research and development, trade secrets.
3. Information on improper acts
Information pertaining to any actions that do not conform to an organization’s regulations and code of ethics.
For example: domestic inquiry
4. Information on illegal acts
Information pertaining to criminal activities and violations of laws or governmental regulations, punishable by
fines. For example: fraud, criminal breach of trust

 Necessary requirements for effective monitoring PDF20 JAN2018
1. Management is informed
Addressing engagement observations and recommendations to the appropriate levels of management responsible
for taking action.
Management is responsible for the adequacy, timeliness and appropriateness of the proposed corrective actions.
2. Management provides responses
Receiving and evaluating management responses and proposed action plans to engagement observations and
recommendations.
Responses are more useful if they include sufficient information for the CAE to evaluate the adequacy and
timeliness of the proposed actions.
3. Management provides periodic updates
Receiving periodic updates from management to evaluate the status of its efforts to correct observations and/or
implement recommendations.
This is to ensure that the observations and recommendations are understood and clearly described.
4. Other business functions provide responses
Receiving and evaluating information from other organizational units assigned responsibility for follow-up or
corrective actions.
Responses from others are reviewed to assess the adequacy, timeliness and appropriateness of the corrective
actions.
5. Management is informed on status
Reporting to senior management and the board on the status of responses to engagement observations and
recommendations.
Here, the management is informed that the recommendation was effectively implemented, or that an alternative
action was taken that achieved the intended results.

 Matters that need to be observed before disclosing the internal audit report to parties outside the
organization. DEC2018
1. Assess the potential risk to the organization
Interview the doctoral candidate about the study, to ensure that the outside parties are authorized to receive the
information
2. Obtain the official letter from the university about the purpose of the study
Consult with legal counsel and/or senior management as appropriate
Separate permissible from non-permissible information
Abide by the company’s procedures for approval
3. Control dissemination by restricting the use of the results
Copyright and limitations on further distribution and sharing
Obtain a written agreement with the university/doctoral candidate that the information will be used only for the
intended purpose
4. Ensure that privacy regulations, regulatory requirements and legal considerations are not violated
Some information is internally protected with the intention of preserving the business reputation
Information that is legally protected should not be disclosed to the public

Ethical issue

INTEGRITY √½

CHOOSE

 To uphold the integrity principle,
 Internal auditors shall perform their work with honesty, diligence and responsibility.
 Internal auditors shall observe the law and make disclosures expected by the law and the profession.
 Internal auditors shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the
profession of internal auditing or to the organisation.
 Internal auditors shall respect and contribute to the legitimate and ethical objectives of the organisation.

 Internal auditors have to establish trust and hence the trust will be the basis for reliance on their judgement.

Rephrase the question sentence

Explain

ILLEGAL ACT
In this case, if Tugimin files the false report on the fraudulent cash transfer to the CAE, it shows that Tugimin is
cooperating in the illegal act.
Tugimin should be probing the fraudulent cash transfer instead of being in alliance with the internal audit manager.

PROCEDURE/AUDIT MANUAL
Being an experienced internal auditor, Mr. Solomon is expected to set an example to his subordinates by following all
procedures or standards set by the profession and the organization he is working for. √
The previous CAE did agree to the audit manual but did not even proceed with the groundwork for the audit manual (✓1).
Ismail fails to meet the commitment and comply with the 360 Dataview system.

EXPECT IA KNOW
By not looking at his predecessor’s file on any outstanding auditing issues and expecting that all the internal auditors in
his department know their duties, he is not fair to his staff √ and this shows that he is lacking in integrity in making
judgement on staff assignments. √

NOT ORGANISED PERSON
The previous CAE was not the most organized person, and Anita, as the current CAE, has to track down the supporting
papers (✓1).
LEAVE MEETING, WORK EARLY
- Lose trust, doubt judgment
Take the first sentence
 This shows that the CAE is considered to be violating the integrity principle because he is not performing his work with
honesty, diligence, and responsibility. (✓1).
OBJECTIVITY√½

CHOOSE
 To uphold the objectivity principle, the CAE
 Internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their
unbiased assessment. This participation includes those activities or relationships that may be in conflict with the
interests of the organisation.
 Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment.
 Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of
activities under review.

Rephrase the question sentence

Explain

OVERLOOKED APPOINTMENT WITHOUT LOOKING AT PROFILE
He overlooked the appointment of members, as he just assigned new team members to this purchasing department
audit without looking at their profiles. √
The supervisor did not oversee the engagement and ensure compliance with all audit procedures and the reasonableness
of findings (✓1).

SPOUSES
This resulted in a few members of the internal audit team appointed to audit the purchasing department having spouses working
in this department. √

FROM PAYROLL TO AUDIT
Azimah is considered to be violating the objectivity principle because she was transferred to the audit
department only 4 months ago. She might be unduly influenced by her own interest and close relationship with the payroll team in forming
judgment.
Since she is still new to the internal audit department, she might be unable to make a balanced assessment of the company’s
relevant circumstances.

ACCEPT GIFT

BIAS
CONTINUE CURRENT REPORT

Therefore, the internal auditors did not exhibit the highest level of professional objectivity in gathering, evaluating and
communicating information from audit activity (✓1).

Take the first sentence
 This shows that the CAE is considered to be violating the objectivity principle because he is not performing his work
with the highest level of professional objectivity (✓1).

 CONFIDENTIALITY√½

CHOOSE
To uphold the CONFIDENTIALITY principle,
 Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.
 Internal auditors shall not use information for any personal gain or in any manner that would be contrary to the
law or detrimental to the legitimate and ethical objectives of the organisation.
 Internal auditors shall respect the value and ownership of the information they receive and shall not disclose the information without appropriate
authority unless there is a legal or professional obligation to do so.

Rephrase the question sentence

Explain

SOCIAL MEDIA TO COMMUNICATE (NO LIMIT)
Mr. Solomon introduced the use of social media to communicate with one another via a Telegram application group, which
he created for each team to speed up reporting processes. √
However, he did not limit who is eligible to access the information on matters reported, and this could later
be misused or leaked by irresponsible staff for their personal purposes. √

NOT ORGANISED PERSON /NEGLECT FILE


The previous CAE was not the most organized person, and Anita, as the current CAE, has to track down the supporting
papers (✓1).
Here, the previous CAE was not prudent in the use and protection of information acquired in the course of her duties
(✓1).

EXPOSED INFO
She is considered to be breaching the confidentiality principle because she exposed the company's confidential
information.
Azimah disclosed the information about the employee being laid off without appropriate authority.
This shows that she was not prudent in protecting the company's information acquired in the course of her duties.
She was not careful in keeping the information confidential.
Take the first sentence (of the principle)
 This shows that the CAE is considered to be violating the CONFIDENTIALITY principle because he is not prudent in
the use and protection of information acquired in the course of his duties (✓1).

 COMPETENCY√½

CHOOSE
To uphold the COMPETENCY principle,
 Internal auditors shall engage only in those services for which they have the necessary knowledge, skills and
experience. TRAINING/BRIEFING
 Internal auditors shall perform internal audit services in accordance with the ISPPIA. SUPERVISION
 Internal auditors shall continually improve their proficiency and the effectiveness and quality of their services.
CONFERENCE/

Rephrase the sentence from the question

Explain

SUPERVISION

ASSIGN STAFF
As the head of internal audit, Mr. Solomon has to assign staff whose level of competency matches the demands of the
tasks assigned. √

TRAINING/
By not giving attention to the exposure and training of his staff on the newly developed purchasing system, √ his staff
lack experience in this area, which could lead to less conclusive findings in their audit later. √
Hence, Mr. Solomon overlooked the competency of his staff. √

Anita did not give her staff the chance to attend continuing professional development (CPD). As a result, the internal
auditors do not have thorough knowledge of the latest developments in audit (✓1).
Therefore, her internal auditors are not able to apply the appropriate skills for an effective and efficient audit, nor to
meet the requirements of the ISPPIA (✓1).

PROCEDURE/MEMORANDUM
The supervisor did not clarify in the audit planning memorandum the additional procedures, nor explain how to
proceed when discrepancies are noted (✓1).
Therefore, the internal auditors are not able to apply the appropriate skills for an effective and efficient audit (✓1).

Take the first sentence (of the principle)


 This shows that the CAE is considered to be violating the COMPETENCY principle because he is not (✓1).
He did not provide a briefing on the content of the audit planning memorandum, so the other members have no
thorough knowledge of the special requirements for the audit.
Therefore, they are unable to apply the appropriate skills for effective and efficient audit work and they do not
meet the requirements of the ISPPIA.
