Internal Auditing and Controls
Supplementary Lesson Notes – Module 1
Note: Supplementary Lesson Notes only provide brief discussions on topics covered in each
module. The notes are not substitutes for the recommended textbook and other assigned
readings. Students are required to complete all assigned readings to adequately prepare for
classes.
Refer to your Course Textbook guide for a list of assigned readings.
1 Introduction to Internal Auditing
1.1 Definition of Internal Auditing
Internal audit, sometimes referred to as management audit, is defined as:
…an independent, objective assurance and consulting activity designed to add
value and improve an organization’s operations. It helps an organization
accomplish its objectives by bringing a systematic, discipline approach to
evaluate and improve the effectiveness of risk management, control and
governance processes.
Institute of Internal Auditors (IIA)
Some important terms in the definition are:
Independence: It is a situation requiring carrying out the responsibility of an internal
auditor without any biased mindset.
Objectivity: It is a state of being able to perform the internal audit responsibilities
without compromise in the quality of their work.
Assurance: This refers to the level whereby reliance could be placed on the output of
the internal audit assignment
Consulting: Ability to ensure the profession provides value added advisory services to
the users of the internal auditor’s reports
Risk management: Being able to assist management in identifying, analyzing,
managing and controlling occurrences that could impact on management’s ability to
achieve their objectives
Control: Being able to provide support to management in ensuring there are frameworks
for policies and procedures to help curtail risks within acceptable limit set by the
management.
1 School of Business
© 2016, Southern Alberta Institute of Technology
� Internal Auditing and Controls
Governance: This comprises various processes and structures which the management
put in place to enable it perform its functions in such a manner to allow it achieve its
objectives.
The last three terms identified above are sometimes referred to as the three focus areas
of management audit.
1.2 Internal Audit Activities
1.2.1 Scope of Internal Auditing
Specifically, the standards state that the internal audit activity should evaluate risk
exposures and evaluate the adequacy and effectiveness of controls in response to risks
related to the company’s governance, operations, and information systems regarding
the:
Reliability and integrity of financial and operational information
Effectiveness and efficiency of operations
Safeguarding of assets
Compliance with laws, regulations, and contracts
1.2.2 Functions of Management
Four main functions of management and auditor’s role concerning them:
Planning: It involves setting objectives and goals of an organization, defining strategies
to meet the objectives. Internal auditors review compliance with policies, procedures,
and rules. Internal auditors also review the company’s budgets and performance reports.
Organizing: This is the act of establishing a rule structure to help achieve the goals of
the organization, including delegation of authority. Internal auditors ensure that
responsibilities are clearly stated; decision-making ability is clearly outlined, and ensure
adequate information is available.
Directing: This involves inducing members of the organization to perform their roles
successfully, including communicating organizational goals and motivating staff to help
achieve those goals. Understanding the human relations, and the needs and feelings of
the staff, are key elements to the internal audit.
Controlling: This function involves comparing actual results to predetermined
standards, plans, or objectives. Control is essential to ensure that corporate objectives
are being met. Internal auditors help to develop, monitor, and improve internal controls.
2 School of Business
© 2016, Southern Alberta Institute of Technology
� Internal Auditing and Controls
1.3 Enterprise Risk
1.3.1 Risk
Risk is the possibility that an event will occur that will have an impact on the
achievement of objectives. It is measured in terms of impact and likelihood.
Enterprise risk (or business risk) is the possibility of an event occurring that could
reduce the likelihood of an organization achieving its objectives.
Risks come in many forms: some are minor, others major. Some can be controlled or
mitigated by the organization; others are totally outside the company’s control (due to
extraneous factors).
Risk can never be completely eliminated: effective controls ensure that the remaining
risks are at a level that management “can live with.”
1.3.2 Internal Controls
Internal controls are designed and implemented to identify and mitigate business risks.
Effective controls are those that provide reasonable assurance that the organization will
achieve its objectives. Stated another way, controls reduce the enterprise risk to an
acceptable level.
Internal controls can be either preventive (the control stops the activity before errors or
fraud can occur) or detective (the control ensures that errors or fraud are detected after
they occur).
Is an enterprise wide process of strategy setting, effected by an entity’s board of
directors, management and staff which is designed to identify potential risks, manage
them within its risk appetite to enable the organization achieve its objectives. It involves
identifying the risks, establishing tolerance limits and ensuring existence of controls to
reduce their occurrence.
1.4 Primary Roles of Internal Auditors
The primary roles of internal auditors include:
Acting as consultants to board & management.
They assist the board and management in executing their responsibilities; e.g., cost
controls
They assist in observing an enterprise’s operations and sensitizing management on
opportunities for improvement
They provide objective audit reports that provide management with information on
processes that are working appropriately and those that needs improvement.
3 School of Business
© 2016, Southern Alberta Institute of Technology
� Internal Auditing and Controls
1.5 Primary Role of External Auditors
The sole objective of an external audit is to issue an opinion as to whether the financial
statements of the organization, as prepared by management, are presented fairly in all
material aspects in accordance with the CICA Handbook (Part I: IFRS or Part II: ASPE).
External auditors are concerned only with the evidence required to support this opinion:
they are not specifically concerned with the effectiveness or efficiency of the
organization.
1.6 Types of Internal Audits
There are many different types of internal audit assignments.
Compliance audits: The internal auditor does not evaluate the appropriateness of the
controls, merely whether they are being followed. Compliance audits also review
compliance with organizational policies, procedures, and external laws and regulations.
Internal financial audits: An audit that focuses on the accounting system and its
outputs. External auditors focus on the financial statements at a specific date: internal
auditors focus on the processes and controls used to generate the financial information.
This type of audit has become extremely important in the last few years, with the
implementation of the Sarbanes-Oxley Act in the United States and MI 52-109 in
Canada. Internal auditors are often extensively involved in SOX and CSOX work.
Operational audits: An audit that focuses on evaluating the effectiveness, efficiency,
and economy of the organization’s operations. Here, the internal auditor evaluates the
attainment of the organization’s goals (effectiveness), the relationship between the
resources used and the outputs (efficiency), and the relative long-term cost of the
resources used (economy).
IT audits and integrated audits: Historically, audits of information systems required
special expertise. Today, internal auditors are well-trained in the use of computers, and
most audits of information systems are conducted as part of another type of audit. When
combined in this way, they’re referred to as integrated audits.
Fraud audits: Fraud is always a significant business risk. Fraud encompasses a wide
range of activities, from theft of company resources to misrepresentation of financial
results. Internal auditors are often involved in investigations to determine the existence
and/or extent of fraud in an organization.
Environmental audits: In many ways, these are a specific type of compliance audit.
The internal auditor attempts to establish the extent to which the company is complying
with legislative and regulatory requirements on environmental matters.
4 School of Business
© 2016, Southern Alberta Institute of Technology
� Internal Auditing and Controls
Comprehensive audits: Often, internal auditors are called upon to provide services that
combine more than one type of audit. Comprehensive audits are a combination of two or
more different audit types.
1.7 Situations Requiring Ethical Judgement
Internal auditors are subject to the IIA Code of Ethics. Anyone conducting an internal
audit is expected to conform to this code of ethics.
Strong adherence to an ethical code increases the reputation and effectiveness of the
internal auditor’s work.
Situations that require and internal auditor to have ethical judgement include:
Monitoring compliance and enforcement of all the organization’s policies
Carrying out fraud investigation assignments
Reporting of illegal actions and those viewed as unethical
Helping the organization function better
Respecting the confidentiality of financial, operational and personal information
Advising employee and management on their understanding and interpretation of
relevant standards, conflict of interest, corporate and professional code of conflict
Adherence to ethical code
1.8 An Internal Auditor’s Role in Ethical Culture
An internal auditor can influence the ethical culture of an organization by:
Following the code of ethics
Supporting and communicating about ethics and expected behavior
Providing regular reminders about ethics
Having a whistle-blowing policy
Evaluating delegation of responsibility and investigating misconduct.
Providing and taking training on ethics
Leading by example
Reviewing processes and state of ethics
Performing background checks and integrity tests
5 School of Business
© 2016, Southern Alberta Institute of Technology
