10.04.2023

TIAPS Module 1 Audit and Assurance workbook


Module 1: Audit and Assurance

TIAPS Albania 2023/24



Table of Contents

Module 1: Audit and Assurance ... 4

A. Internal Auditing’s Contribution to Good Governance ... 6
A.1 Public Sector Environment ... 6
A.2 Public Sector Governance ... 9
A.3 Governance Models ... 15
A.3.1 ISO 37000:2021 Governance of organizations – Guidance ... 15
A.3.2 The IIA’s Three Lines Model ... 16
A.3.3 CIPFA International Framework: Good Governance in the Public Sector ... 19
A.3.4 King IV Corporate Governance Report, 2016 ... 20
A.3.5 Examples of Best Practice in Public Sector Governance ... 22

B. Mandate, Independence, and Objectivity ... 26
B.1 Importance of Independence and Objectivity ... 26
B.1.1 Independence, Objectivity, and the Code of Ethics ... 29
B.1.2 Independence, Objectivity, and Competency ... 30
B.2 Internal Audit Mandate ... 32
B.3 Threats to Independence and Objectivity ... 36
B.4 Safeguards for Independence and Objectivity ... 39

C. Assurance and Advisory Engagements ... 43
C.1 Characteristics of Assurance and Advisory Engagements ... 43
C.1.1 Assurance Engagements ... 46
C.1.2 Consulting (Advisory) Engagements ... 46
C.1.3 Assurance and Advisory Engagements Compared ... 48
C.1.4 Blended Engagements ... 49
C.1.5 Internal Audit Opinions ... 51
C.1.6 Competencies Needed for Assurance and Advisory Engagements ... 52
C.2 Auditing Governance ... 55
C.3 Fraud, IT, and Cybersecurity ... 58
C.3.1 Fraud ... 58
C.3.2 Information Technology ... 64
C.3.3 Cybersecurity ... 67
C.3.4 Data Privacy ... 70

References and Additional Reading ... 72



Module 1: Audit and Assurance

Introduction

Module 1: Audit and Assurance examines how internal audit contributes to organizational governance through assurance and advisory services. The module is organized as follows:

1A. Internal Auditing’s Contribution to Good Governance
A.1 Public Sector Environment
A.2 Public Sector Governance
A.3 Governance Models

1B. Mandate, Independence, and Objectivity
B.1 Importance of Independence and Objectivity
B.2 Internal Audit Mandate
B.3 Threats to Independence and Objectivity
B.4 Safeguards for Independence and Objectivity

1C. Assurance and Advisory Engagements
C.1 Characteristics of Assurance and Advisory Engagements
C.2 Auditing Governance
C.3 Fraud, IT, and Cybersecurity

References

Practice Questions



Relevant Standards

Reference is made throughout the TIAPS program to relevant international standards, principally those of The Institute of Internal Auditors (IIA) included in the International Professional Practices Framework (IPPF). Other standards and frameworks, most notably the COSO Internal Control – Integrated Framework, are also noted where appropriate.

At the time of writing, The IIA is undertaking a major review of the IPPF with an expected period of public exposure in 2023. The content of this module reflects the 2017 edition (published in 2016 and effective from the start of 2017). Participants should anticipate major revisions to the structure and content of the IPPF, although fundamental principles about the practice of internal auditing are unlikely to change significantly. This program will be updated once the revisions to the IPPF are finalized and formally introduced.

References and Additional Reading

References are given at the end of this module. Participants are encouraged to read these to provide greater understanding of the topics. The items have been selected to complement the content included in this module and to offer internal auditors relevant, practical guidance.



A. Internal Auditing’s Contribution to Good Governance

On completion of this section, students will be better able to:

• Identify factors impacting governance in the public sector.
• Define governance with reference to various models.
• Identify requirements for good governance in public sector environments.
• Describe how internal audit contributes to organizational governance.

A.1 Public Sector Environment

Internal auditors operating in a public sector environment face a range of conditions not generally experienced by their private sector counterparts. The following features represent a generalization not found in every public entity but are characteristic of many.

• High importance. Governments hold significant power. They impact the lives of all citizens in many ways. They have access to a vast array of information and resources. Consequently, the risks of errors, wastage, fraud, and corruption can be hugely consequential, including the potential for abuses of privacy and misuse of data, despoliation of environments, depletion of natural resources, economic and social deprivation, military conflict, inadequate supply of energy and other utilities, and weaknesses in the rule of law. The work of internal auditors in helping administrations improve governance, risk management, and control could not be more important.

• Limited resources. Resources tend to be limited because of continuous pressures on public spending. Everyone is expected to do more with less. This is often particularly true of unseen “back office” functions like internal audit, whose overheads may be regarded by many budget holders and uninformed members of the public as inconsequential or unnecessary. Specialist skills for areas such as IT, cybersecurity, and data analytics are often in short supply, especially when the private sector can lure individuals away from the public sector with offers of higher rewards.

• Immature risk management processes. Risk management may be relatively immature with fewer resources applied to risk and compliance functions. Awareness and understanding of risk and control may also be relatively limited. In such circumstances, internal audit may be expected to play a greater role in supporting management to develop effective internal control or even to act as a quasi-second line function (see section A.3.2 for consideration of the Three Lines Model). In its advisory capacity, supporting the development of public internal financial control is an important internal audit service, but care must be taken to safeguard independence and objectivity (see section B).



• Close scrutiny. The activities of public entities are rightly subject to close scrutiny by line ministries, financial inspectors, external auditors, the business community, and the public. This includes the work of the internal audit function and the behavior and actions of its members. Unlike external audit reports, those of the internal audit function are not typically made available to the public, but the expectations placed on internal auditors to serve the public interest as inspectors and watchdogs are generally considerable. The public may not understand what an internal auditor does, but when things go wrong, they are often caught in the firing line.

• Political environment. The public sector environment is, above all, a political one. There is a cyclical change of leadership, policy, and organizational direction, and internal audit is expected to keep up. The head of internal audit must anticipate these frequent shifts when planning the timing and focus of engagements. They must continuously rebuild relationships and carefully navigate politics to ensure activities are appropriately focused on organizational purpose and the public good rather than election cycles and the personal ambitions of public officials.

• Constraints on independence. Establishing and maintaining organizational independence can be more challenging for internal audit functions in public entities than it is in privately owned businesses. Often the distinction between executive and non-executive leadership is less apparent. The head of internal audit may report to an individual or a board comprising senior managers and political appointees. In some cases, internal audit oversight may be fairly remote. Audit committees, where such exist, may span multiple entities, especially where there is a centralized or shared service provider for central or local government. In addition, the use of outsourced or shared services may increase internal audit’s operational independence at the expense of greater remoteness from and reduced familiarity with the activities being audited.

• Legitimate restrictions in scope. The mandate of internal audit should allow the function access to the people, data, and resources needed to complete its engagements. Often in the private sector, this is interpreted as an “access all areas” mandate. Restrictions on scope amount to a limitation on independence, keeping internal audit away from areas the governing body does not wish to be scrutinized. In the public sector, there can be legitimate reasons for reducing scope, especially in the interests of national security.

These and other dimensions require careful handling by internal auditors and heads of audit functions.



A.1: Reflection

Do you recognize these characteristics of the public sector in the environment in which you work?

Are there additional features that need to be considered?

How does each of these characteristics impact your role as an internal auditor and manager?



A.2 Public Sector Governance

IIA Internal Audit Competency Framework

Organizational Governance:

General Awareness: Describe the concept of organizational governance.
Applied Knowledge: Detect risks related to the organization’s governance policies, processes, and structures.
Expert: Recommend improvements to the organization’s governance policies, processes, and structures.[1]

Internal audit adds value to its client organization when, among other things, it “strives to offer ways to enhance governance.”[2] Governance can be understood in general terms as the process of governing and is broadly about leading and controlling. It is defined by The Institute of Internal Auditors (IIA) in the glossary of the International Professional Practices Framework (IPPF) as:

The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.[3]

“Board” is used by The IIA to refer to the “highest level governing body” for an entity, identifiable as the most senior decision-making authority. Public sector boards can take many forms, and “governing body” or alternatively “governing authority” is a more common general term. Some government departments or ministries have a clearly defined board whose membership may also include representatives of the private sector and civil society. In a municipality or regional body, typically the council is the governing body, in which the mayor may act as both the equivalent of the chairman of the board and the chief executive officer (CEO). In other situations, there is an executive director or manager who heads up operations while the mayor is more of a political figurehead for the city. Generally, in public entities where there is no immediately recognizable board or governing body, governing responsibilities may be assumed by one of the following:

• Head of the organization (minister, etc.) (i.e., a single person).
• External oversight committee, which could take different forms (e.g., parliamentary committee, government committee, committee represented by different ministries).
• Oversight by line ministry or a superior organization.

[1] Internal Audit Competency Framework, The IIA, 2022.
[2] Standard 2000 – Managing the Internal Audit Activity, International Professional Practices Framework, The IIA, 2016.
[3] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.



• Dual leadership: minister (political leader) plus secretary general (administrative leader).
• Board of the agency/department represented by the executive only (with those appointed within the organization).
• Audit committees at the agency/department level with non-executive directors/independent members.
• Audit committee centralized for the government.
• Thematic boards: e.g., internal control board led by a secretary general (or deputy).
• Dedicated unit or person in the presidential administration (where relevant) with specific oversight responsibilities.[4]

While the governing body leads on governance and is ultimately responsible for it, it is perhaps more accurate to say governance is implemented collectively and collaboratively by the governing body, management, and internal auditing, although in different ways. Governance occurs at every level of an organization at which decision-making takes place, no matter how minor, because all decisions contribute to success (or lack thereof). This view of governance is consistent with CIPFA’s model elaborated in the Whole System Approach to Public Financial Management.[5]

There are three important elements in The IIA definition of governance.

• Processes and structures. Governance includes not only activities undertaken by an organization but also the way in which those activities and its resources are organized.
• Inform, direct, manage, and monitor. Governance is part of a continuous cycle of input and feedback. Internal and external information informs decisions, actions are executed, and outcomes are achieved that then inform future decisions.
• Achievement of objectives. The purpose of governance is organizational success.

Governing bodies in the public sector may be composed wholly of independent members without executive responsibilities or may combine executive and non-executive members. The non-executive responsibilities may be characterized as those:

• Contributing to strategy by bringing a range of perspectives to strategy development and decision making.
• Making sure that effective management structures and processes are in place, and that there is an effective team at the top level of the entity.
• Holding the executive to account for performance in fulfilling the responsibilities delegated to it by the governing body, including through purposeful challenge and scrutiny.[6]

[4] Assessing the Effectiveness of Internal Control: PEMPAL Guidance for Public Sector Internal Auditors, PEMPAL, 2020.
[5] See Delivering Excellent Public Finance: CIPFA’s Whole System Approach to Public Financial Management.
[6] International Framework: Good Governance in the Public Sector, CIPFA, 2014.



The need for governance arises for two main reasons.

• Accountability. Public sector organizations are managed and led by officials for and on behalf of citizens. Public resources (money, labor, buildings, land, and other assets) are used to serve a particular purpose for the common good. Those assigned to administer those services – whether by election or appointment – have an obligation to the public to act as diligent stewards of public resources and do whatever is reasonable to achieve the best outcomes. In many cases, officials take an oath of office to this effect. Being accountable entails that public officials are open to scrutiny for their behavior and performance and will receive due recognition or admonishment accordingly. This requires transparency through honest and reliable reporting together with mechanisms (enforced by the rule of law) for apportioning rewards and punishments (which may include no longer being able to serve in a public position) as appropriate.

• Uncertainty. Governance is also required because there are no guarantees that well-intentioned actions will yield desirable results. Resources and systems are finite and imperfect. People are subjective in their thinking, limited in their knowledge and reasoning, and unreliable in their behavior. Circumstances are complex, changeable, interconnected, and chaotic, and ultimately unpredictable. All these factors create uncertainty, and it is the impact of uncertainty – whether favorable or unfavorable – on our efforts to achieve goals that is the origin of risk. According to ISO, risk is simply defined as “the effect of uncertainty on objectives.”[7]

Governance aims to restore confidence and trust by stakeholders as well as enabling managers and leaders to navigate uncertainty by making better decisions based on a clearer understanding. Accountability and uncertainty are unavoidable. They both require honest endeavors based on sound judgments. Governance helps an entity fulfill its purpose economically, effectively, efficiently, ethically, and sustainably.

• Economically: with the least amount of effort and resource, reducing – and ideally eliminating – unnecessary costs of input.
• Efficiently: with the greatest amount of output, minimizing – and ideally eliminating – inferior or defective results.
• Effectively: with the greatest success in achieving desired outcomes and value.
• Ethically: in accordance with accepted norms of behavior.
• Sustainably: in a manner that minimizes – and ideally eliminates – negative social and environmental impacts.

Governance can be regarded in part as an attempt to address risks that exist in the relationships between stakeholders and those assigned to manage affairs on their behalf. This is an example of the classic principal-agent situation. In the public sector context, citizens are the primary stakeholder (or principal) of organizations while elected and appointed officials are the agents. As noted in A.1, the consequences of errors and abuse in the management of public resources and pursuit of public policy can be considerable.

[7] ISO 31000: Risk Management, 2018.



The principles of good governance can be applied holistically to an organization and to the public sector in its entirety. They can also be considered in the context of an individual project or initiative as well as groups of activities, such as IT governance, where matters are sufficiently complex and/or important to require specific attention not just on completion of tasks but also at a more strategic level. Governance takes account of factors such as risks, stakeholder needs, long-term planning and resource requirements, laws and regulations, and sustainability.

The distinction between managing and governing is not absolute. The concepts as well as the roles of individuals tend to overlap. The chief executive officer (CEO) (i.e., secretary general, executive director, deputy minister, or similar) often sits at the intersection of the governing body and senior management. Most organizational responsibilities include some decision-making as well as oversight of and responsibility for resources and their utilization, including people and money. Monitoring and appropriate intervention are required by both managers and directors. Governing bodies involve themselves to a greater or lesser extent with both strategy and operations and are responsible for appointing (and firing) the CEO. While accepting the likelihood of overlap, in general terms we can make the following distinction:

Focus of Governance
• Overseeing
• Advising
• Guiding
• Developing strategy
• High level, long-term, big picture perspective
• Non-executive decisions

Focus of Management
• Planning
• Directing
• Controlling
• Implementing strategy
• Operational, detailed, logistical perspective
• Executive decisions

The expression “those charged with governance” is often used to allow for the many differences that exist in how governance responsibilities are apportioned. It avoids arbitrarily limiting governance duties to the governing body (however that may be constituted) as well as removing the necessity of listing everyone who may be considered as holding governance responsibilities. Both the expression and the success of governance rely on clarity of exactly who is “charged with governance.” The primary stakeholders are assumed – explicitly or implicitly – to be the ones to “charge” the governing body and others with responsibility for governance, and this links closely with the principle of accountability. When public officials are using public resources to achieve something on behalf of the public, they have a duty of care to the public for governance of those activities. Those charged with governance have both legal and ethical duties.



Although developed for government at a local level, the Council of Europe’s 12 Principles of Good Governance are relevant to most public sector bodies:

1. Participation, Representation, and Fair Conduct of Elections.
2. Responsiveness (to the expectations and needs of citizens).
3. Efficiency and Effectiveness.
4. Openness and Transparency.
5. Rule of Law.
6. Ethical Conduct.
7. Competence and Capacity.
8. Innovation and Openness to Change.
9. Sustainability and Long-term Orientation.
10. Sound Financial Management.
11. Human Rights, Cultural Diversity, and Social Cohesion.
12. Accountability.[8]

Albanian Context

The president of Albania is the Head of State and commander in chief while the prime minister is the head of government. The highest executive authority rests with the prime minister and the cabinet (Council of Ministers) while parliament is the head of legislative power. The third branch – the judiciary – is independent from both the executive and legislative branches.

Membership of the Council of Ministers includes ministers, deputy ministers, and secretaries general. Ministries may have varied internal structures and numbers of subordinated entities (known variously as directorates, agencies, centers, offices, authorities, academies, inspectorates, institutes, commissions, committees, services, and more). A subordinated entity is accountable to its line ministry.

For the purposes of government, Albania is divided into 12 administrative counties and 61 municipalities. Albania was granted EU candidate country status in 2014, and this is a major driver for ongoing public administration reform at all levels as well as an impetus to implement public internal financial control (PIFC). For more detail on PIFC, refer to Module T3 Accounting Fundamentals. In accordance with Albanian law, all public entities are required to establish internal audit services, if not directly then via their superior institution (e.g., from the Ministry to a subordinated entity), from another public unit, or by contracted services. The head of the internal audit function should report to the head of the public unit. The Minister is appointed by the Prime Minister, is politically accountable for performance, and is the highest decision-making authority responsible for setting policy. The Secretary-General is the most senior civil servant in charge of executing policy. These factors are relevant for consideration and evaluation of internal audit independence.

[8] 12 Principles of Good Governance, Council of Europe, 2008.



A.2: Reflection

Consider the 12 Principles of Good Governance in the context of your organization. Assign a score from 1-5 for each Principle where 1 is very low and 5 is very high.

Based on this assessment, how effective is governance in your organization?

What are the most important priorities for improvement?

Is there sufficient clarity in the distinction between governance (non-executive) responsibilities and managerial (executive) responsibilities?

How can internal audit support organizational leaders in making such improvements?



A.3 Governance Models

When evaluating governance, internal auditors must consider whether the organization has used “adequate criteria” for monitoring purposes.

If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.

Types of criteria may include:

• Internal (e.g., policies and procedures of the organization).
• External (e.g., laws and regulations imposed by statutory bodies).
• Leading practices (e.g., industry and professional guidance).[9]

To explore governance further we will consider four important models that may be said to represent “leading practices,” although they must always be contextualized:

• ISO 37000:2021 Governance of organizations – Guidance.
• IIA Three Lines Model.
• CIPFA International Framework: Good Governance in the Public Sector.
• King IV Corporate Governance Report, 2016.

These models have many similarities. Corporate governance codes such as the King IV Code, while being applicable primarily to private sector companies, are also very informative for government entities.

A.3.1 ISO 37000:2021 Governance of organizations – Guidance

The ISO model places organizational purpose at its center. Purpose is informed by values, which also determine how the organization pursues its purpose.

[Diagram based on ISO 37000:2021 Governance of Organizations]

[9] Standard 2210 – Engagement Objectives, International Professional Practices Framework, The IIA, 2016.

15


Four foundational principles are at the heart of governance and are inter-related.

Value generation: Pursuit of purpose can be characterized as value creation, whether that value is financial, nonfinancial, or both. Public sector entities share a common purpose of serving the public good through the provision of direct and indirect services. In creating value, they must manage their financial and other resources. State-owned enterprises (e.g., publicly owned transportation, utilities, and broadcasting companies) may operate as commercial or quasi-commercial organizations and compete on that basis with their private sector counterparts, but their purpose is still linked to public service and any profits generated are used to subsidize costs to the public or for investment in other public benefits.

Strategy: The purpose of an organization tends to be broad and may be satisfied in different ways. It is necessary to develop strategies for fulfilling the purpose by establishing and prioritizing goals and applying resources – which are always finite – accordingly. Strategy typically is formed within a long-term perspective over multiple years.

Accountability: As discussed in A.1, public officials are accountable in that they owe a duty of care to their stakeholders – employees, suppliers, service users, taxpayers, and citizens. That accountability needs to be realized through transparency and consequences. Being held to account means accepting responsibility for behaviors, decisions, and actions, and their ensuing impact, and receiving fair treatment on this basis.

Oversight: As a consequence of accountability, those charged with governance will both need and desire to exercise oversight. If you are going to be held to account, you will be expected to oversee – and will have a vested interest in overseeing – what is taking place and to intervene as and when needed. Typically, a governing body is unable to observe all activity directly. It relies on reports from management, internal auditors, external auditors, and others. Members of the governing body will also ask searching questions to satisfy their responsibilities and wishes for exercising oversight.

These foundational principles of governance are enabled by the primary governance principles of leadership, stakeholder engagement, risk governance, the application of data to inform decision-making, and social responsibility, all with the intention of achieving viability and performance over time.

Finally, in the ISO model the governance outcomes are defined as effective performance, responsible stewardship, and ethical behavior. Successful leadership and ethical leadership are regarded as co-dependent.

A.3.2 The IIA’s Three Lines Model

The 2020 Three Lines Model is an update of the well-known three lines of defense. In making the switch, the new model emphasizes the positive nature of governance, risk management, and internal control in supporting organizational success, in addition to the defensive aspects that minimize negative impacts. The model also stresses the importance of all key elements working together rather than operating in silos.

Governance is described as comprising three types of roles:

• Accountability.
• Actions.
• Assurance.

Figure: IIA Three Lines Model

This does not imply these roles need to be fully disaggregated, and often teams and individuals may have responsibilities combining two of these areas.

Accountability: The governing body is regarded as having ultimate accountability to stakeholders for all aspects of the organization and its people. It must engage with stakeholders to ensure clarity of purpose and provide honest reporting of performance, position, and prospects. The governing body is also responsible for ensuring management has the resources and structures needed to achieve the goals of the entity and manage risks effectively. Lastly, the governing body must ensure there is appropriate provision for independent assurance and advice through an internal audit function.

Actions: The chief executive officer (CEO) leads the execution of actions and application of resources in pursuit of organizational goals. In doing so, the CEO must take account of risk by enabling risk management and internal control. First line roles are those focused on providing products and services to clients as well as the enabling "back office" support. Second line roles (such as risk management, compliance, legal counsel, security, and financial control) are those with a specific focus on risk and control, providing senior management with specialist support, expertise, monitoring, and challenge on such matters. How resources and roles are allocated between first and second line roles depends on many factors, including organizational size, complexity of operations, culture, laws and regulations, external environment, skills and resources, and the relative strength and maturity of internal auditing. In some cases, the head of risk management reports directly to the governing body (rather than the CEO) and may be required to do so by regulation. A degree of independence between those with first and second line roles strengthens the effectiveness of risk management and internal control. However, risk management and internal control remain the responsibility of management and ultimately the CEO.

Assurance: The internal audit function provides management and the governing body with independent and objective assurance and advice on the adequacy and effectiveness of governance, risk management, and internal control. Independence means being accountable to the governing body (directly or via an audit committee), being free from interference by management and from responsibility for the activities being audited, and having access to the resources, people, and information needed to complete the work of the function. However, independence should not entail isolation. Internal auditing must be fully aligned with the needs of the organization and supportive of its purpose. Cooperation and collaboration with management are encouraged. The head of the internal audit function (the chief audit executive) should engage with and provide reports to senior management on a regular basis as well as communicating with the governing body.

The Three Lines Model focuses primarily on the internal elements of an organization. However, external assurance providers (principally the Supreme Audit Institution for government entities, although other external service providers may be used subject to statutory requirements) are also recognized as contributing to governance and the success of organizations. The role of external audit is discussed in more detail in Module T3 Accounting Fundamentals.

Where governments are focused on implementing public internal financial control (PIFC), financial and managerial control (FMC) and internal auditing are two of the central components (the third being the Central Harmonization Unit (CHU)). This is strongly reflective of the Three Lines Model in identifying control responsibilities as part of the role of management and internal audit as an independent function. PIFC and FMC are discussed in more detail in Module T3 Accounting Fundamentals. Countries seeking accession to the European Union are required to satisfy, among other things, best practice standards, frameworks, and policies relating to PIFC on a holistic sector-wide basis. These expectations are detailed in Chapter 32 Financial Control of the EU requirements. These include:

• Effective and transparent management systems, including accountability arrangements for the achievement of objectives.
• A functionally independent internal audit.
• Relevant organizational structures, including central co-ordination of PIFC development across the public sector.[10]

[10] See, for example, the European Commission Staff Working Document: Albania 2022 report.

A.3.3 CIPFA International Framework: Good Governance in the Public Sector

The Good Governance Framework is specifically designed for public sector entities “to encourage better service delivery and improved accountability.” The definition of governance used is similar to that of The IIA quoted in A.1.

Governance comprises the arrangements put in place to ensure that the intended outcomes for stakeholders are defined and achieved.[11]

Figure: CIPFA Good Governance Framework

The framework is intended to be applicable to individual entities as well as the public sector system. It is based on seven principles:

I. Behaving with integrity, demonstrating strong commitment to ethical values, and respecting the rule of law.
II. Ensuring openness and comprehensive stakeholder engagement.
III. Defining outcomes in terms of sustainable economic, social, and environmental benefits.
IV. Determining the interventions necessary to optimize the achievement of the intended outcomes.
V. Developing the entity’s capacity, including the capability of its leadership and the individuals within it.
VI. Managing risks and performance through robust internal control and strong public financial management.
VII. Implementing good practices in transparency, reporting, and audit, to deliver effective accountability.[12]

Principles I and II (labelled A and B in the CIPFA framework) are at the core of public sector entities and ensure they operate in the public interest. The other principles define the requirements for effective governance, working together as a plan-do-check-act cycle (also known as PDCA).

[11] International Framework: Good Governance in the Public Sector, CIPFA, 2014.
[12] International Framework: Good Governance in the Public Sector, CIPFA, 2014.

A.3.4 King IV Corporate Governance Report, 2016

The King IV Corporate Governance Report 2016 incorporates a governance code for South Africa. However, it is widely regarded as a leading global standard for governance for all sectors. The report defines corporate governance as “the exercise of ethical and effective leadership by a governing body towards the achievement of the following governance outcomes: ethical culture, good performance, effective control, and legitimacy.” This balance between integrity and effectiveness is a key feature. Doing good and doing well are regarded as complementary rather than being in opposition.

The report sets four key responsibilities for the board:

• Steering and setting strategic direction.
• Approving policy and planning.
• Ensuring accountability.
• Overseeing and monitoring.

These are defined in more detail through 17 principles, which become the basis for assessing the quality of governance. Since the model applies to all organizations, there is a need to “adopt and adapt” according to size and other organizational needs.

1. Lead ethically and effectively.
2. Govern the ethics of the organization in a way that supports the establishment of an ethical culture.
3. Ensure that the organization is and is seen to be a responsible corporate citizen.
4. Appreciate that the organization’s core purpose, its risks and opportunities, strategy, business model, performance, and sustainable development are all inseparable elements of the value creation process.
5. Ensure that reports issued by the organization enable stakeholders to make informed assessments of the organization’s performance and its short, medium, and long-term prospects.
6. Serve as the focal point and custodian of corporate governance in the organization.
7. Comprise the appropriate balance of knowledge, skills, experience, diversity, and independence for it to discharge its governance role and responsibilities objectively and effectively.
8. Ensure that its arrangements for delegation within its own structures promote independent judgement, and assist with the balance of power and the effective discharge of its duties.
9. Ensure that the evaluation of its own performance and that of its committees, its chair, and its individual members support continued improvement in its performance and effectiveness.
10. Ensure that the appointment of, and delegation to, management contribute to role clarity and the effective exercise of authority and responsibilities.
11. Govern risk in a way that supports the organization in setting and achieving its strategic objectives.
12. Govern technology and information in a way that supports the organization setting and achieving its strategic objectives.
13. Govern compliance with applicable laws and adopted, non-binding rules, codes, and standards in a way that supports the organization being ethical and a good corporate citizen.
14. Ensure that the organization remunerates fairly, responsibly, and transparently so as to promote the achievement of strategic objectives and positive outcomes in the short, medium, and long term.
15. Ensure that assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and of the organization’s external reports.
16. Adopt a stakeholder-inclusive approach that balances the needs, interests, and expectations of material stakeholders over time.
17. [For institutional investor organizations] Ensure that responsible investment is practiced by the organization and the creation of value by the companies in which it invests.[13]

In addition to these principles, the report includes recommended practices. For principle 15, this includes a role for the audit committee and a separation of roles consistent with the Three Lines Model (although King IV advocates for five lines of assurance, adding external audit and the board as lines four and five respectively). Additionally, the report recommends that internal audit makes an annual statement on the effectiveness of governance and risk management processes. This reflects the requirements of the IPPF (Standard 2100 – Nature of Work):

The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.[14]

However, the requirement for annual reporting goes beyond Standard 2060 – Reporting to Senior Management and the Board, by which the CAE must report “periodically.” (Internal audit opinions are discussed in more detail in C.1.5.)

[13] “Report on Corporate Governance for South Africa,” King IV, 2016.
[14] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.

A.3.5 Examples of Best Practice in Public Sector Governance

Governance is dependent on clarity and understanding regarding accountability.

An organization with effective internal accountability arrangements will have management and staff who understand clearly their own roles, responsibilities and powers and how they relate to others in the organization. Every public sector organization needs to be headed by an effective Minister or board of directors to lead and control the entity and monitor the executive management. The Minister or Chairperson of the board of directors needs to have his role formally defined in writing to include responsibility for providing effective strategic leadership and to ensure he successfully discharges the overall responsibility for the organization’s activities.[15]

Managerial accountability is discussed in detail in Module T2 Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis.

The following examples of best practices in public sector governance are based on the APEC Economic Committee’s Good Practice Guide on Public Sector Governance.[16]

Culture

The organization must demonstrate its commitment to strong governance, and this starts with the “tone at the top.” Leaders and senior managers must lead by example. Good practices include:

• Formal adoption of a good governance framework, principles, standards, etc. in policy or by legislation.
• Adoption of a written code of ethics, values, and acceptable behavior.
• Implementation of procedures for enforcing acceptable behavior, including the need for agreeing individual and team goals, monitoring, and reporting.
• Preparedness for addressing unacceptable behavior in a fair, consistent, and timely manner.
• Training and awareness-raising to communicate and reinforce values.
• Commitment to improvement with measurable targets.
• Periodic audit of organizational culture.

Stakeholder Relationships

Engagement with internal and external stakeholders is a two-way process, ensuring all parties are aware of the organization’s vision, mission, goals, and priorities and can comment on and participate in its governance. Good practice includes:

• Regular engagement with internal and external stakeholders through systematic and ad hoc arrangements.
• Regular and reliable two-way communications.
• Operation of appropriate virtual and in-person boards, panels, committees, and other groups with representation from civil society, political leadership, the private sector, service users, community groups, managers, and staff.
• Consideration of overlapping interests with other public sector bodies supported by multi-agency and inter-departmental forums.
• Channels for timely processing of enquiries, complaints, and suggestions.

[15] APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.
[16] APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.

Compliance

Compliance and performance are typically viewed as the primary goals of governance. Internal and external compliance requirements may be satisfied through reporting, including:

• Annual reporting to the legislative body.
• Electronic communications to external stakeholders via websites and other platforms.
• Circulation of audit reports to target audiences.
• Circulation of financial inspection reports.

Compliance risk management and other aspects of governance depend on several key positions:

• Chief Executive Officer (CEO). The CEO should be accountable to the governing body and may be a member of it but should not be its chair. In other words, the CEO (for example, depending on the body: Secretary General, Deputy Minister, Executive Director, or President) should participate in the development of policy and strategy but should not also be the highest decision-making authority. The CEO is responsible for performance by executing the policies set by the governing body and managing those with first and second line roles.
• Chief Financial Officer (CFO). The CFO is normally a certified or chartered public accountant and is responsible for advising the governing body and senior management on all strategic financial matters as well as for maintaining financial control across the entity.
• Chief Compliance Officer (CCO). The CCO is responsible for advising the governing body and senior management on strategic compliance risks and for maintaining compliance risk management across the entity. Many public sector entities do not have a CCO or other risk officers, and these responsibilities are shared across the senior management team and coordinated by the CEO.
• Audit committee. Best practices recommend an independent audit committee, accountable to the governing body, to oversee the work of internal and external audit.

Planning and Performance Monitoring

Successful governance – much like internal control and risk management – relies on documentation and communication. The APEC guidance recommends the following processes and practices:

• A clear statement of the organization’s purpose that is communicated to all staff.
• A plan that describes the organization’s strategic priorities and objectives, consistent with the organization’s purpose, which is updated annually.
• The systematic monitoring of financial and non-financial performance against the organization's plan.
• The use of information generated from performance monitoring for external reporting requirements and internal planning purposes.

Risk Management

Similar comments to those made in respect of compliance (see above) apply to risk management more generally. It relies on the actions of multiple parties (most notably the CEO, CFO, and a Chief Risk Officer or equivalent) together with the support of internal audit. There may not be an individual or team with organizational responsibility for risk management, and so the task is shared among managers, blending first and second line roles.

Information and Decision Support

The APEC guidance describes essential requirements for information and decision support:

• Standards for the creation and retention of public records, usually established by legislation.
• Procedures within organizations to ensure the standards are met.
• Quality data, information, and analysis to inform decisions taken by government boards and committees.
• The keeping of records of decisions established by government boards and committees, including the points considered or discussed in reaching those decisions.[17]

Review and Evaluation

In the final element, the APEC guidance recognizes the importance of continuous improvement to governance supported by review and evaluation.

• Ideally, governance arrangements should be reviewed in detail every year or two, particularly when there is a significant event affecting or potentially affecting those arrangements, such as a major legislative change or recommendations from a government committee or an external auditor.
• An internal review led by the Minister or board of directors and/or executive management would normally suffice. Occasionally, where an organization could benefit from outside objectivity and expertise, a formal, externally facilitated review should be conducted.
• The scope of the review may extend across the full range of the organization’s activities or else be confined to a performance assessment of the Minister or board of directors and/or executive management. In either instance, the fulfilment of both performance and conformance objectives should be evaluated.
• Smaller and/or less complex organizations need not review their governance arrangements as frequently or in as much depth as larger and more complex organizations.
• Organizations with significant policy or operational risk need to review their governance practices more frequently and more thoroughly.
• Results from the reviews of governance arrangements should be acted upon in a reasonable timeframe.[18]

[17] APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.
[18] APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.

A.3: Reflection

Which model or models, if any, does your organization use to help define and implement governance?

Which model or models, if any, do you or your internal audit function use to help evaluate the effectiveness of organizational governance?

Which models could be the most beneficial in your organization and in what ways?

B. M<strong>and</strong>ate, Independence, <strong>and</strong> Objectivity<br />

Learning Outcomes<br />

On completion of this section, students will be better able to:<br />

• Define minimum requirements for the internal audit m<strong>and</strong>ate.<br />

• Describe the purpose of the internal audit m<strong>and</strong>ate.<br />

• Evaluate audit independence <strong>and</strong> auditor objectivity.<br />

• Identify appropriate means to safeguard independence <strong>and</strong> objectivity.<br />

B.1 Importance of Independence and Objectivity

IIA Internal Audit Competency Framework

Organizational Independence:

General Awareness: Describe the importance of organizational independence of the internal audit activity; identify the elements that affect independence.

Applied Knowledge: Detect any potential impairments to internal audit independence and the impact.

Expert: Address any potential impairments to internal audit independence to achieve conformance with the Standards; communicate the impact of any remaining impairments.[19]

Individual Objectivity:

General Awareness: Describe the importance of internal audit objectivity; identify factors that may impair, or appear to impair, objectivity.

Applied Knowledge: Detect and manage any real or perceived impairments to an individual internal auditor's objectivity; assess and maintain internal audit objectivity.

Expert: Develop and maintain policies that govern objectivity; recommend strategies to promote objectivity.[20]

The IPPF provides the most widely recognized definition of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.[21]

[19] Internal Audit Competency Framework, The IIA, 2022.
[20] Internal Audit Competency Framework, The IIA, 2022.
[21] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.



Although they are related, the principles of independence and objectivity as defined by The IIA are distinct. They also differ in detail from the definitions used by the International Ethics Standards Board for Accountants (IESBA) and others.

In the IPPF, Standard 1100 – Independence and Objectivity makes clear an important distinction:

The internal audit activity must be independent, and internal auditors must be objective in performing their work.[22]

Independence is a feature of the internal audit function (referred to as the "internal audit activity" in the IPPF). Objectivity, on the other hand, is a facet of auditors. Standard 1100 provides the following interpretations:

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.[23]

To establish organizational independence, the head of the internal audit function (the chief audit executive) "must report to a level within the organization that allows the internal audit activity to fulfil its responsibilities." The structures of public entities, including reporting lines for the head of the internal audit function, may be defined by legislation or policy. Reference to a "dual-reporting relationship" in the Standards alludes to a desirable state in which the head of internal audit reports functionally to (i.e., is accountable to and overseen by) the governing body, either directly or via an audit committee. Functional reporting involves a substantive relationship in which the governing body is the de facto line manager of the head of internal audit, with responsibility for appraising performance as well as hiring and firing. The governing body should approve the internal audit charter, the audit plan, and budget, and receive and consider reports from the head of internal audit. This is in addition to the head of internal audit's administrative reporting relationship with a member of senior management, ideally the CEO, for routine matters. The head of internal audit should provide reports to both senior management and the governing body regarding significant findings and insights on governance, risk management, and internal control.

[22] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.
[23] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.



Establishing individual objectivity requires that auditors have "an impartial, unbiased attitude and avoid any conflict of interest." This involves adhering to a code of ethics and professional standards, maintaining professional competency, and applying due professional care and professional skepticism. It also means auditors must be part of an independent internal audit function.

The requirements for independence and objectivity are summarized below.

Requirements for the Independence of the Internal Audit Function

• Internal audit mandate (as defined in charter or legislation).
• Access to necessary people, resources, and information.
• Freedom from interference.
• Functional reporting by head of internal audit to an appropriate level in organization (ideally governing body).
• Administrative reporting to senior management (ideally CEO).
• Application of safeguards for independence when threatened.

Requirements for the Objectivity of Internal Auditors

• Independence of internal audit function.
• Freedom from conflicts of interest.
• Competency.
• Objective mindset.
• Professional skepticism.
• Due professional care.
• Unwavering integrity.
• Adherence to professional standards.
• Application of disciplined and systematic procedures.

The internal audit mandate and charter are discussed in B.2. Independence and objectivity – including the appearance of independence and objectivity – are important for the credibility and authority of the internal audit function and of individual auditors. It should be clear to internal and external stakeholders that the opinion of the internal audit function is reliable and has not been concocted to suit the personal interests of auditors, managers, or members of the governing body. Internal audit provides transparency through an unbiased and insightful assessment of past, current, and future circumstances. This enables:

• Managers to make well-informed decisions.
• Members of the governing body to exercise oversight and intervene where necessary.
• External stakeholders to trust in reports regarding the organization's performance, position, and prospects and so hold managers and leaders to account.

If the internal audit function is not sufficiently independent of management, it becomes indistinguishable from a second-line unit. In this capacity it can provide value but is robbed of its distinct characteristic. Its authority is subordinated to senior management, and its scope and capacity are potentially limited. The findings and recommendations of auditors whose objectivity is or appears to be impaired can be disregarded or dismissed more easily. Trust is established on the basis that internal auditors operate outside of the management structure, and there is confidence that their recommendations are made in the best interests of the organization.



B.1.1 Independence, Objectivity, and the Code of Ethics

IIA Internal Audit Competency Framework

Ethical Behavior:

General Awareness: Describe the importance of a code of ethics for internal auditors; identify the principles of The IIA's Code of Ethics.

Applied Knowledge: Demonstrate individual conformance with The IIA's Code of Ethics.

Expert: Assess the internal audit activity's conformance with The IIA's Code of Ethics; recommend strategies to maintain and promote the highest ethical standards for internal auditors and the internal audit activity.[24]

Unflinching adherence to an ethical code is a hallmark of a true professional. It is also essential for establishing trust in internal auditing. Auditors must ensure their integrity, objectivity, confidentiality, and competency. In fact, the principle of auditor objectivity is considered so important that it is found throughout the IPPF. Independence of the internal audit function is also heavily referenced, as shown in the table below.

| IPPF Elements | Reference to Auditor Objectivity | Reference to Independence of the Internal Audit Function |
|---|---|---|
| The Mission of Internal Auditing | Yes | No |
| Core Principles for the Professional Practice of Internal Auditing | Yes | Yes |
| Definition of Internal Auditing | Yes | Yes |
| Code of Ethics | Yes | No |
| International Standards for the Professional Practice of Internal Auditing | Yes (1100, 1112, 1120, 1130, 2000, 2050) | Yes (1100, 1110, 1112, 1130, 2060) |

Organizations may have their own codes of ethics and conduct describing acceptable and unacceptable behaviors. Auditors must demonstrate the highest levels of personal integrity. It is sometimes easy to justify small breaches to ourselves, such as taking office supplies for personal use, but to be beyond reproach requires faithful observance even of seemingly insignificant expectations. Through self-awareness, peer review, and supervision, auditors should continually reflect on their attitudes, behaviors, decisions, and actions to eliminate any potential deviation from professional objectivity in the exercise of their duties.

[24] Internal Audit Competency Framework, The IIA, 2022.



B.1.2 Independence, Objectivity, and Competency

IIA Internal Audit Competency Framework

Due Professional Care:

General Awareness: Describe due professional care.

Applied Knowledge: Demonstrate due professional care.

Expert: Evaluate and conclude on the application of due professional care.[25]

Competency is a principle of the Code of Ethics and a prerequisite for maintaining objectivity.

The IIA Competency Framework is discussed in more detail in section C.1.6.

[25] Internal Audit Competency Framework, The IIA, 2022.



B.1: Reflection

Is it possible to be objective but not independent? Or independent but not objective?

Sometimes internal auditors are asked: you are employed by the organization, you are familiar with its activities and individuals, so how can you be truly independent and objective? How would you respond to such a challenge?



B.2 Internal Audit Mandate

IIA Internal Audit Competency Framework

Mission of Internal Auditing

General Awareness: Describe the purpose, authority, and responsibility of the internal audit activity; distinguish between assurance and consulting services.

Applied Knowledge: Demonstrate ability to conduct both assurance and consulting engagements in conformance with the Standards.

Expert: Review the internal audit activity's ability to conduct both assurance and consulting activities to add value and improve the organization's operations.[26]

Internal Audit Charter

General Awareness: Describe the purpose of an internal audit charter; identify the required elements of an internal audit charter, according to the Standards.

Applied Knowledge: Prepare an internal audit charter in conformance with the Standards, and receive approval from the board.

Expert: Evaluate and revise an internal audit charter to achieve conformance with the Standards and promote world-class performance.[27]

Reference has already been made to an internal audit charter and mandate. In the IPPF, Standard 1000 – Purpose, Authority, and Responsibility states:

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework.[28]

The Mission of Internal Audit referred to is:

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.[29]

The IPPF does not refer to the mandate of internal audit. The authority and powers of the internal audit function, especially for public entities, may be derived from legislation. In principle, in accordance with the IPPF, the authority comes from the governing body. The internal audit charter is a formal document approved by the governing body in which the mandate is defined, and it should be reviewed and updated on a regular basis.

[26] Internal Audit Competency Framework, The IIA, 2022.
[27] Internal Audit Competency Framework, The IIA, 2022.
[28] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.
[29] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.



According to The IIA Position Paper: The Internal Audit Charter, the document should contain the following:

• Internal audit mission and purpose.
• Reference to or inclusion of the mandatory elements of the IPPF by which the internal audit function will be governed. (Recognizing the mandatory elements of the IPPF in the charter is a requirement of Standard 1010 – Recognizing Mandatory Guidance in the Internal Audit Charter.)
• Authority, clarifying the functional and administrative reporting relationships and the role of the governing body in upholding the authority of the internal audit function.
• Independence and objectivity, ensuring the head of internal audit will safeguard the independence of the function and the objectivity of auditors, applying safeguards when required, and reporting threats and limits to independence and objectivity to the governing body when they arise.
• Scope, confirming the internal audit function's responsibility for providing assurance and advice on the adequacy and effectiveness of governance, risk management, and internal control.
• Responsibilities of the head of internal audit.
• Requirements for a quality assurance and improvement program, including an external quality review at least once every five years.[30]

Without sufficient authority, the internal audit function is unable to fulfil its mandate. Its work may be obstructed by managers who are not interested or who would prefer to avoid scrutiny for whatever reason. Internal audit may also be constrained by limited resources or by being denied access to information it needs to complete its work. There is a close link between authority and independence. The pronouncements of the internal audit function are more likely to be considered authoritative if it operates independently, but it is only able to do that if it has sufficient force behind it, whether by legislation or the endorsement of the governing body (ideally both).

According to The IIA, to ensure the internal audit function has sufficient authority, the governing body (or audit committee) is expected to:

• Approve the internal audit charter.
• Approve the internal audit plan.
• Approve the internal audit budget and resource plan.
• Receive timely communications on performance relative to the internal audit plan.
• Approve the appointment and removal of the head of internal audit (typically in response to discussions with and recommendations from senior management).
• Approve the remuneration of the head of internal audit (typically in response to discussions with and recommendations from senior management).
• Make appropriate inquiries of management and the head of internal audit to determine if there are any inappropriate scope or resource limitations.
• Ensure the head of internal audit has unrestricted access to, and can communicate and interact directly with, the governing body without management present.
• Ensure the internal audit function has free and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.[31]

[30] IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019.

The authority conferred on the internal audit function through its mandate as confirmed in the charter and/or legislation carries with it reciprocal responsibilities for the head of the internal audit function. These include:

• Submitting at least annually a risk-based internal audit plan.
• Communicating with senior management and the governing body the impact of resource limitations on the plan.
• Ensuring the internal audit activity has access to appropriate resources regarding competency and skill.
• Managing the activity appropriately for it to fulfil its mandate.
• Ensuring conformance with IIA Standards.
• Communicating the results of the internal audit function's work and following up on agreed-to corrective actions.
• Coordinating with other assurance providers.
• Reporting periodically on the results of the quality assurance and improvement program.[32]

[31] IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019.
[32] IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019.



B.2: Reflection

When was the last time you reviewed the internal audit mandate?

Is the internal audit function able to fulfil all the responsibilities in its mandate?

What changes are needed either to strengthen the mandate or enable the function to satisfy its responsibilities?



B.3 Threats to Independence and Objectivity

Threats to independence and objectivity occur when the requirements described in B.1 are not in place or are under strain. An appearance of a lack of independence or a conflict of interest can be just as much of an impairment as something more concrete.

Threats to independence may arise for the following reasons:

• The head of internal audit reports functionally to a senior manager with responsibility for activities to be audited who tries to limit the scope or influence the findings of an audit.
• The internal audit function's resources are determined by a senior manager with responsibility for activities to be audited who tries to limit the scope or influence the findings of an audit.
• The head of internal audit has or has had recent responsibility for activities to be audited by members of the internal audit function.
• The head of internal audit has limited access to the governing body to discuss any topics of interest or concern freely without the presence of management who might otherwise inhibit or deflect such discussions.
• The internal audit charter, approved by the governing body, specifically restricts the internal audit function's access to areas the governing body considers to be "unimportant" or "too sensitive."

Threats to objectivity may arise for the following reasons:

• Self-interest. The auditor stands to gain personally from a particular outcome of the audit.
• Adverse interest. The auditor stands to lose personally from a particular outcome of the audit.
• Duress. The auditor in some other way is under pressure to conduct or conclude the audit in a particular way.
• Familiarity. The auditor is overly acquainted with the activity under review through recent or extensive involvement.
• Self-review. The auditor is reviewing an area for which they have or have recently had significant influence.
• Management participation. The auditor is responsible for the activity under review or managers who are responsible are involved in undertaking parts of the audit.
• Advocacy threat. The auditor is acting or has recently acted as an advocate for those responsible for the activity under review.
• Undue influence. The auditor in some other way has too much influence over the activity, perhaps by virtue of close relationships.
• Lack of competence. The auditor may not be sufficiently skilled or experienced to apply the necessary professional skepticism, open-mindedness, and disciplined approach to ensure findings and recommendations are objective.
• Lack of independence of the internal audit function. The auditor is part of an internal audit function whose independence is compromised.



When independence or objectivity is impaired (in fact or in appearance), this should be disclosed to appropriate parties, especially management and the governing body, in accordance with Standard 1130 – Impairment to Independence or Objectivity.

The organizational environment in both the private and public sectors can be highly politically charged, and this can impact internal auditing. The function can be sidelined or under-resourced as a way of limiting its scope and influence. The governing body may not have the time, skill, or inclination to provide adequate oversight, and there may be no audit committee to act as a champion for independent and impactful internal auditing. Pressure may be applied on individuals to steer clear of certain areas or activities or to moderate their findings and reports. Reports that identify significant weaknesses in politically sensitive areas may be suppressed or "buried." Former chair of The IIA Global Board of Directors Patty Miller has written extensively on this topic and the need for auditors to have political awareness and moral courage.[33]

[33] See, for example, Organizational Political Pressure and the Impact on Internal Audit, Patty Miller, 2017.



B.3: Reflection

Have you ever experienced a situation where you were discouraged (from within the internal audit function or outside of it) from looking at an area or activity?

Have you ever been denied the necessary resources or access to people and data needed to conduct your audit to the full extent of the engagement scope and objectives?

Have you ever been asked to change your report by "toning it down" or removing inconvenient findings?



B.4 Safeguards for Independence and Objectivity

In accordance with Standard 1110 – Organizational Independence, "the chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity."[34] If there is interference in determining scope, performing work, or communicating results, "the chief audit executive must disclose such interference to the board and discuss the implications."[35]

Certain safeguards to avoid or limit impairments to independence and objectivity and to reduce the threat of impairment to an acceptable level are specified in Standard 1130 – Impairment to Independence or Objectivity. These include:

• Internal auditors should not provide assurance for operations for which they were responsible within the previous year.
• Assurance engagements for areas over which the head of internal audit has responsibility should be overseen by a party outside of the internal audit function.
• Caution is required where auditors previously provided advisory services to ensure this does not impair objectivity in an assurance engagement.

There are specific requirements when the head of internal audit is asked to assume additional responsibilities that may impair independence and/or objectivity. Standard 1112 – Chief Audit Executive Roles Beyond Internal Auditing states the following:

The chief audit executive may be asked to take on additional roles and responsibilities outside of internal auditing, such as responsibility for compliance or risk management activities. These roles and responsibilities may impair, or appear to impair, the organizational independence of the internal audit activity or the individual objectivity of the internal auditor. Safeguards are those oversight activities, often undertaken by the board, to address these potential impairments, and may include such activities as periodically evaluating reporting lines and responsibilities and developing alternative processes to obtain assurance related to the areas of additional responsibility.[36]

To identify impairments, it is necessary to consider the perspectives of stakeholders. The appearance of impropriety can undermine trust. Close relationships with individuals do not automatically weaken an internal auditor's professionalism but can create an impression or even an expectation of bias or "friendly" reporting. The same is true of strong familiarity with an area of responsibility or activity. An auditor may well be capable of making an objective assessment, but others may regard the audit work with some skepticism. Regular reminders and training for internal auditors regarding independence and objectivity are important. Requirements for maintaining independence and objectivity can also be reinforced through policies, procedures, audit manuals, templates, and so on.

[34] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.
[35] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.
[36] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.



Examples of appropriate measures the head of internal audit may take to safeguard against impairments and ensure sufficient independence and objectivity include the following:

• Discuss a perception of impairment with relevant parties to describe the controls in place (such as policies, processes, supervision, and review of audit work) that would minimize any actual impairment and so reduce concerns.
• Assign a sufficiently competent alternate auditor to an engagement to avoid a conflict of interest in fact or appearance.
• Discuss an actual impairment with senior management and the board to seek support and resolution, which may include noting and accepting the risk in the short term while recruiting additional resources for future engagements or contracting with an alternate auditor on a temporary basis from another public entity or external agency.
• Report an impairment that has been identified after completion of an engagement to the client and the governing body to consider its potential impact on the accuracy and reliability of the conclusions, as required by Standard 2121 – Errors and Omissions.

One of the more persistent threats to independence of the internal audit function in the public sector is the absence of a functional reporting line by the head of internal audit to an independent governing body, in some cases because such a body (or individual) does not exist in the way envisaged by the IPPF. There may not be a duly constituted board and the senior executive – as the de facto governing body – may act with little or no separation between management and governance roles. Where there is a governing body, the appointments to it may be directed by the government with political motivations or in accordance with various conventions and practices that have little to do with providing competent oversight of the entity and its internal audit function. Approval of the internal audit plan and budget may be made by those with responsibilities for areas to be audited. In such a position, the head of internal audit must be extra vigilant to maintain and demonstrate independence in determining engagement priorities based on risk and organizational need. In all cases, the head of internal audit must report on the status of independence of the function. Peer review as part of the quality assurance and improvement program as well as more regular external review can also be used to provide validation of independence.

Practice varies regarding the establishment of audit committees. For example, a city council – as the governing body of a municipality – may meet periodically as an audit committee such that the members of the council are also the members of the audit committee. Alternatively, an audit committee may have a separate existence from the governing body and act as an advisory panel with membership comprising other independent individuals. Where a government has adopted the European Commission model for Public Internal Financial Control (PIFC), the Central Harmonization Unit (CHU) may act as the audit committee for multiple entities (although bandwidth constraints usually limit the role to monitoring internal audit activity rather than findings). PIFC is discussed in module T3 Accounting Fundamentals. In large complex public organizations, especially multilateral bodies like the United Nations, but also for ministries with multiple subordinated entities, there may be audit committees with oversight responsibilities of lower-level bodies reporting to their respective governing authorities that are also coordinated by a higher-level committee or board that considers all reports to ensure a coherent aggregated perspective. In other cases, there is no audit committee and oversight is exercised directly by the governing body.

Availability of resources can also be an issue for independence, including funding for external quality reviews, required by the Standards at least once every five years. Where small audit teams are faced with a large or complex audit universe, the head of the function must make clear to the governing body the areas that cannot be covered and where assurance cannot be provided. The audit plan must still prioritize engagements according to risks and needs.

The nature of such threats to independence in the public sector may be political. Elected and appointed officials may be seeking to extend their terms of office or establish their legacy and are keen to demonstrate favorable results. Communications are often “spun” in such a way that the information is preferentially presented via generalizations, incomplete truths, and omissions. Auditors may be asked directly or indirectly to tone down or refrain from reporting what may be perceived as negative findings and conclusions in the interests of maintaining favorable public or line ministry opinion. Internal auditors must demonstrate strength of character and moral courage to resist such pressures.



B.4: Reflection

How would you rate the level of independence of your internal audit function in fact and in appearance?

What steps could be taken to strengthen organizational independence?

What factors may weaken the objectivity of auditors in your internal audit function in fact and in appearance?

What steps could be taken to strengthen individual auditor objectivity?



C. Assurance and Advisory Engagements

Learning Outcomes

On completion of this section, students will be better able to:

• Compare and contrast assurance and advisory engagements.
• Determine an appropriate balance of audit and advisory engagements.
• Identify competencies needed for assurance and advisory engagements.
• Plan an assurance engagement of organizational governance.
• Evaluate IT and cybersecurity risks and controls as part of an audit engagement.
• Evaluate the effectiveness of entity-wide risk management.
• Describe how internal audit contributes to an organization’s responsiveness to fraud, IT, and cybersecurity risks.

C.1 Characteristics of Assurance and Advisory Engagements

IIA Internal Audit Competency Framework

Organizational Strategic Planning and Management:

General Awareness: Identify the risk and control implications of different organizational structures. Describe the strategic planning process. Describe common performance measures. Explain organizational behavior and performance management techniques. Describe management’s effectiveness to lead and build organizational commitment.

Applied Knowledge: Evaluate the organization’s governance structure and the impact of organizational structure and culture on the overall control environment and risk management strategy. Analyze the organization’s strategic planning process. Examine performance measures used by the organization. Examine existing organizational behavior and performance management techniques. Examine management’s effectiveness to lead and build organizational commitment.

Expert: Recommend improvements to the overall control environment and risk management strategy. Recommend improvements to the organization’s strategic planning process. Select appropriate performance measures. Recommend appropriate organizational behavior and performance management techniques. Recommend actions to improve management’s approach to leading and building organizational commitment. 37

The definition of internal auditing quoted in B.1 identifies it as comprising both assurance and consulting services (the latter commonly referred to as advisory services). These terms are both defined in the IPPF.

37 Internal Audit Competency Framework, The IIA, 2022.


Assurance Services

An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements. 38

Consulting Services

Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training. 39

The IPPF provides additional comment to help distinguish between these two types of services.

Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an assurance engagement are determined by the internal auditor. Generally, three parties are participants in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter—the process owner, (2) the person or group making the assessment—the internal auditor, and (3) the person or group using the assessment—the user.

Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice—the internal auditor, and (2) the person or group seeking and receiving the advice—the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility. 40

The internal audit charter or legislation should describe the services to be provided. Assurance engagements are typically scheduled as a result of the head of internal audit’s assessment of organizational risks and priorities and form part of the internal audit plan. Consulting (or advisory) engagements tend to be agreed in response to requests from management but may also be proposed by the internal audit function to address opportunities for improvement where auditors can usefully lend their expertise. However, a consulting engagement should not be accepted simply because it has been requested:

The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan. 41

38 The International Professional Practice Framework, The Institute of Internal Auditors, 2016
39 The International Professional Practice Framework, The Institute of Internal Auditors, 2016
40 The International Professional Practice Framework, The Institute of Internal Auditors, 2016
41 The International Professional Practice Framework, The Institute of Internal Auditors, 2016


It is common to build an allowance into the internal audit plan and budget for ad hoc engagements, which are non-periodic, reactive assignments conducted at the request of the governing body, senior managers, external auditors, or the head of internal audit, and which may be assurance or advisory in nature. A change of internal or external circumstances may require engagements to be added to the plan. The Covid-19 pandemic led to significant redrafting of audit plans as priorities and operations were severely disrupted.

One issue the head of internal audit must decide when creating the plan is an appropriate balance of assurance and advisory engagements. The starting point is a risk-based approach, meaning engagements are prioritized in response to organizational objectives and risks. Standard 2010 – Planning directs the internal audit function as follows:

To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

2010.A1 The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

2010.A2 The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.

2010.C1 The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan. 42

The assessment of risk needs to be independent, although the input of management and the governing body should be considered.

There is no scientific formula for determining the right balance between assurance and advisory engagements in the audit plan, but the following factors are relevant:

• Internal audit mandate and responsibilities (as defined in the charter or legislation).
• Roles previously adopted by the internal audit function.
• Strength of internal audit function independence.
• Organizational objectives and priorities.
• Internal and external risks (including new risks).
• The role of the governing body in providing oversight and level of engagement with executive activity.
• Risk management maturity.
• Control weaknesses identified by internal audit.
• The focus of the external auditors and financial inspectors (to ensure coherent coverage and minimize unnecessary duplication to the extent to which cooperation is possible while maintaining independence and respective missions).
• Resources and skills available to the internal audit function.
• Internal audit function strategic plan.

42 The International Professional Practice Framework, The Institute of Internal Auditors, 2016

C.1.1 Assurance Engagements

Assurance can be defined in terms of the examination and assessment processes deployed by auditors to evaluate governance, risk management, and internal control. This is how it is defined by the IPPF. “Assurance” also refers to the confidence provided by an assurance engagement and the comfort derived from it by the client of assurance services.

Assurance as a form of confidence and comfort allows for the possibility of different degrees, amounts, or levels, ranging theoretically from total and absolute assurance to the complete absence of assurance. In practice, it is impossible to provide absolute assurance since the scope of an audit is always limited to what was observed and concluded at that moment. Other activities and conditions fall outside of the scope and circumstances continue to change. Uncertainty will always remain. For that reason, external auditors may provide reasonable or limited assurance, although this distinction is not made for internal auditors in the IPPF. The IPPF refers to “reasonable assurance” only in the context of the purpose of risk management and internal control, although it does not define the term. For example, risk management is defined as:

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives. 43

“Limited assurance” is not referenced at all in the IPPF. While some internal auditors choose to make the distinction between reasonable (or positive) assurance and limited (or negative) assurance, these are more commonly terms used by external auditors. Internal audit engagements may provide assurance based on “sufficient, reliable, relevant, and useful information” to support conclusions and opinions (Standard 2310 – Identifying Information). There is no allowance for anything that falls short of this requirement. The IIA guidance on audit opinions does allow for distinctions in the level of assurance (see section C.1.5).

43 The International Professional Practice Framework, The Institute of Internal Auditors, 2016

C.1.2 Consulting (Advisory) Engagements

What constitutes consulting services covers a wide spectrum of activities. The following list is taken from Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value:

• Business process improvement.
• Continuous monitoring.
• Control self-assessment or risk and control self-assessment.
• Forensic.
• Governance and ethics training.
• Internal control review.
• Internal control training.
• Merger and acquisition analysis.
• Participation on committees or taskforces.
• Readiness review.
• Review of a new product or service before implementation.
• Risk self-assessment.
• Transition activities. 44

IIA Australia has produced guidance on consulting engagements and advises internal auditors to follow these steps:

• Build time into your internal audit plan. Often consulting engagements are not planned at the beginning of the year and some flexible time for ad hoc engagements makes it easier to be responsive to management requests.
• Make management aware of the service. Sometimes managers are unaware that internal audit can provide advisory services in response to their requests and it is necessary to promote this across the organization as an available support for management.
• Respond promptly. In all cases – assurance and advisory engagements – internal audit needs to be reflective of organizational needs and priorities and flexible when these change. Delays can reduce the value of the sought-after advice and insight.
• Don’t do what management should do themselves. This is a reminder to maintain independence and objectivity. The request should be legitimate rather than setting an expectation that internal audit will fill a first or second line role. Internal audit does not need to accept every request made by management and it is always necessary to prioritize.
• Don’t give up when the allocated time runs out. Advisory engagements require greater flexibility as they are often harder to fully scope and budget at the outset. There may be options for securing additional internal or external resources to extend the work. Additionally, internal audit should be helping management identify what work needs to be done so there can be agreement about prioritization.
• Celebrate success. One of the best ways to promote advisory services is to share news of successful engagements which can be achieved formally or informally through various channels. 45

44 Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value, Seventh Edition, Internal Audit Foundation, 2019
45 Factsheet: Internal Audit Consulting, IIA Australia, 2022


C.1.3 Assurance and Advisory Engagements Compared

There are many similarities between assurance and advisory engagements and internal auditors will apply many common skills. In particular, both types of engagements must be defined in the internal audit charter and internal auditors must adhere to appropriate standards and apply due professional care. There are also important differences, as shown below.

Key differences between assurance and advisory services

Purpose
Assurance services: To provide assurance through an opinion on the adequacy and effectiveness of governance, risk management, and internal control based on an objective assessment of evidence.
Advisory services: To offer advice, usually in response to a request.

Principal parties
Assurance services:
• Internal auditor.
• Unit manager or process owner.
• Recipient of assurance (senior management and the governing body).
Advisory services:
• Internal auditor.
• Client.

Scope and approach
Assurance services: Determined by the internal auditor in consultation with the relevant manager.
Advisory services: Agreed between client and internal auditor.

Objectives
Assurance services: Based on a risk assessment, taking account of the possibility of error, fraud, and noncompliance.
Advisory services: Consistent with the organization’s goals and priorities.

Governance, risk management, and internal control
Assurance services: Must be part of the engagement scope and objectives.
Advisory services: May be included in the engagement scope and objectives.

Auditor assignment
Assurance services: The head of internal audit must obtain the necessary skills for the engagement, either from the team or from other sources, rather than defer the engagement.
Advisory services: The head of internal audit must wait until the necessary skills for the engagement are available.

Conflicts of interest
Assurance services: In accordance with Standard 1130, internal auditors should not provide assurance for operations for which they were responsible within the previous year.
Advisory services: In accordance with Standard 1130, internal auditors may provide consulting services relating to operations for which they had previous responsibilities, but any potential impairments to independence or objectivity must be disclosed prior to accepting the engagement.

In undertaking advisory engagements, care must be taken to ensure the independence of the function and objectivity of auditors for future engagements. Implementing controls, making executive decisions, enforcing policies, directing the application of resources, and in general terms “owning the risk” are responsibilities of management which internal auditors should not assume. In offering training, facilitating control self-assessment workshops, helping managers develop controls, and providing advice on potential improvements, internal auditors are sharing the benefit of their expertise and insights with management. However, they must refrain from taking ownership of decisions management must take. This is illustrated by the table below (adapted from The IIA fan graphic 46).

Threats to Functional Independence and Auditor Objectivity

Core responsibilities of the internal auditor
Examples:
• Providing assurance on the adequacy and effectiveness of governance, risk management, and internal control.
• Evaluating processes.
• Assessing risks.
• Sharing insights and opinions.
• Making recommendations for innovation and improvement.
Safeguards needed: Can be undertaken without special safeguards.

Broader responsibilities providing additional value
Examples:
• Coaching and training.
• Developing the risk management framework.
• Designing controls.
• Coordinating activities.
• Monitoring responses made to the fraud or ethics hotline.
Safeguards needed: May be undertaken with additional safeguards.

Management responsibilities
Examples:
• Taking operational decisions on behalf of functional units.
• Determining organizational strategy.
• Participating in the decision-making process as part of a working group or taskforce.
• Implementing controls.
• Enforcing policies.
• Accepting responsibility for managing risks.
Safeguards needed: Should not be undertaken by members of the internal audit function.

This is relevant to the consideration of threats to and safeguards for independence and objectivity discussed in B, but it also helps identify the point at which advisory services may stray into managerial responsibilities.

C.1.4 Blended Engagements

The principal differences between assurance and advisory engagements can be summarized as follows:

• Purpose: assurance engagements provide an opinion based on an assessment; consulting engagements provide support and expertise to advise on the acquisition, development, or improvement of resources (including people), systems, and processes.
• Determination of nature and scope: for assurance engagements this must include governance, risk management, and internal control; for consulting engagements it is a matter to be decided through discussion.
• Parties involved: assurance engagements are agreed with the involvement of the internal auditor, manager of the activity being audited, senior management, and the governing body; consulting engagements may be agreed between the internal auditor and manager of the activity being audited.

46 IIA Position Paper, The Role of Internal Auditing in Enterprise-wide Risk Management, The IIA, 2009.

Despite these differences, assurance and advisory engagements have many synergies and do not need to be kept separate. There are advantages from conducting a blended engagement through which the auditor delivers both assurance and advice. Auditors are continuously increasing their knowledge and understanding about the organization and its internal and external operating environments. Indeed, the Standards require auditors to apply their knowledge gained through consulting to assurance engagements. It is common to conclude an assurance engagement with recommendations through which the auditor advises the manager of the audited activity on opportunities for innovation and improvement and this may be extended to include involvement with some of the developmental work.

Sometimes what is planned as an assurance engagement may be extended to include consulting as well. For example, the auditor may identify through the course of an assurance engagement that members of staff do not fully understand key concepts about risk management and internal control and as a result offers to provide training. Extensions to scope in this way need to be approved by the manager and audit supervisor.

It is also possible for an engagement that starts as consulting to be extended to include assurance too. For example, when an internal auditor participates as an advisor to an IT project, it may transpire that existing hardware and software controls need to be reviewed. The auditor will be able to test and provide assurance. Once again, extensions to engagements should be approved by the audit supervisor.

It is also possible for an engagement to be planned as a blend of assurance and consulting. Consideration should be given to the following as part of the planning process:

• Risk-based planning should ensure priority is given to the most significant risks, objectives, and activities. Where management is planning major projects – such as public administration reform, organizational restructuring, long-term financial strategies, IT upgrades, introduction of new services, or relocation of activities, personnel, and resources – internal audit may be invited to act as an advisor. This may create natural opportunities for blended engagements.
• Allocation of scarce resources should follow the risk-based prioritization of engagements. Efficiencies may be gained through planning a blended engagement.
• Significant findings and necessary follow-up resulting from prior engagements may also suggest opportunities for blended engagements.


C.1.5 Internal Audit Opinions

Auditors may be asked to provide an opinion either within an individual audit report or at a broader level. Assurance may be provided at the process, function, or entity level. This includes an opinion on the adequacy and effectiveness of governance, risk management, and internal control for the organization. In some situations, the head of internal audit is asked to offer such an opinion periodically. This may be limited to the system of internal control or enterprise risk management (ERM). Such an opinion may be more limited still, such as an opinion of internal control over financial reporting or for aspects of compliance. When asked to provide such an opinion, the head of internal audit may plan a specific audit engagement but is also likely to draw upon the results of multiple engagements. The opinion may be expressed in terms of a grade for the level of assurance (such as by “traffic lights” red, yellow (amber), or green, or a grade from 1-4). The assurance may be expressed as reasonable (or positive) assurance or limited (or negative) assurance, although such terms are not defined in the IPPF (see section C.1.1). However, The IIA allows for internal auditors to provide an opinion in the form of reasonable or limited assurance in its Practice Guide: Formulating and Expressing Internal Audit Opinions. 47 Whatever form it takes, it is important there is clear understanding about the meaning and the basis on which the opinion is given.

Macro level opinions are usually based on multiple engagements. This requires care as the<br />

findings may have been gathered over different periods of time using different criteria. Other<br />

evidence may be drawn from multiple formal <strong>and</strong> informal sources, placing appropriate<br />

reliance according to the characteristics of each. According to the Practice Guide, macro<br />

level opinions may include:<br />

• An opinion on the organization’s overall system of internal control over financial<br />

reporting.<br />

• An opinion on the organization’s controls <strong>and</strong> procedures for compliance with<br />

applicable laws <strong>and</strong> regulations, such as health <strong>and</strong> safety, when those controls <strong>and</strong><br />

procedures are performed in multiple countries or subsidiaries.<br />

• An opinion on the effectiveness of controls such as budgeting <strong>and</strong> performance<br />

management, when such controls are performed in multiple subsidiaries <strong>and</strong><br />

coverage comprises the majority of the organization’s assets, resources, revenues,<br />

etc.<br />

In comparison, micro level opinions are often derived from a single engagement <strong>and</strong> may<br />

include:<br />

• An opinion on an individual business process or activity within a single organization,<br />

department, or location.<br />

• An opinion on the system of internal control at a subsidiary or reporting unit, when all<br />

work is performed in a single audit.<br />

• An opinion on the organization’s compliance with policies, laws, <strong>and</strong> regulations<br />

regarding data privacy, when the scope of work is performed in a single or just a few<br />

business units. 48<br />

47<br />

Practice Guide: Formulating <strong>and</strong> Expressing Internal <strong>Audit</strong> Opinions, The IIA, 2009.<br />

48<br />

Practice Guide: Formulating <strong>and</strong> Expressing Internal <strong>Audit</strong> Opinions, The IIA, 2009.<br />

When asked to provide an opinion, the head of the audit function should be clear about the intended purpose and audience, the scope and time period covered by the opinion, and the criteria and rating process to be used. When applying criteria – for example, the COSO Internal Control Integrated Framework – there is still a need to convert the evaluation into a suitable rating by considering what degree of conformance is acceptable or satisfactory. This is likely to involve a consideration of materiality and impact.

C.1.6 Competencies Needed for Assurance and Advisory Engagements

The IIA Competency Framework defines the knowledge, skills, and abilities needed by internal auditors, managers, and heads of internal audit to deliver internal audit services in accordance with the requirements of the IPPF. They are organized under four domains and defined at three competency levels (general awareness, applied knowledge, and expert). The domains are as follows:

Professionalism: Competencies required to demonstrate the authority, credibility, and ethical conduct essential for a valuable internal audit activity.
Performance: Competencies required to plan and perform internal audit engagements in conformance with the Standards.
Environment: Competencies required to identify and address the risks specific to the industry and environment in which the organization operates.
Leadership and Communication: Competencies required to provide strategic direction, communicate effectively, maintain relationships, and manage internal audit personnel and processes.

When applying these to assurance and advisory engagements, there are many commonalities, as described below.

Competencies for Assurance and Advisory Engagements, by domain:

Professionalism: All aspects of professionalism are relevant for all internal audit work, including ethical conduct, conformance with the standards, and maintaining objectivity.
Performance: In general, the knowledge base required for assurance and advisory engagements is largely identical, but the skills and abilities needed for these two types of engagement place different requirements on the internal auditor. The standards relating to performing audits identify some specific differences for assurance and consulting engagements. However, knowledge and understanding of governance, risk management, and internal control are essential for all engagements. Likewise, the techniques for conducting fieldwork are also very similar, although the contexts may differ.
Environment: Regardless of the type of engagement, internal auditors must understand the internal and external environments of their organization, including the strategic priorities, resources, risks, legal and regulatory requirements, and other factors impacting the attainment of goals.
Leadership and Communication: Internal audit supervisors, managers, and leaders have their respective roles and delegated authorities for ensuring the efficient and effective operation of the internal audit function for all services provided. Communication skills are of paramount importance for all internal audit work. This includes developing relationships and adopting styles of communication appropriate for the intended audience. Consulting engagements have a greater degree of flexibility in approach and reporting compared with the testing and recording of findings needed for assurance engagements. However, the same requirements for accuracy, timeliness, and relevance apply.

There are also competencies that have greater relevance for each of the two types of engagements.

Competencies of greater relevance for assurance engagements include:

• Adherence to process and methodology.
• Engagement planning.
• Due care and attention to detail.
• Systematic testing, analysis, and data processing.
• Root cause analysis.
• Critical thinking.
• Drawing significant findings and conclusions from large volumes of information.
• Effective reporting.
• Moral courage to ask difficult questions and tenacity to seek out the truth.

In comparison, advisory engagements can require a lot more versatility and flexibility from the auditor. There is a greater variety of activities that fall within this broad class of missions. The objectives and scope may be more open-ended. Skills like process design and engineering, facilitation, strategic thinking, root cause analysis, building a consensus, and creative problem solving are likely to be more to the fore. 49

Competencies of greater relevance for advisory engagements include:

• Creativity and originality.
• Collaboration, teamwork, and relationship management.
• Deep expertise in specific processes or activities.
• Rapid assimilation of complex data.
• Operating under pressure in a dynamic environment.
• Unstructured problem-solving.
• Providing continuous feedback and offering insights during the engagement.

49 See Anderson, et al, Internal Auditing: Assurance and Advisory Services, fourth edition, The IIA, 2017.

C.1: Reflection

Approximately what percentages of the internal audit plan are committed to assurance and consulting engagements? Is the balance appropriate for organizational needs, priorities, and expectations?

What allowance is made in internal audit planning for ad hoc engagements made at the request of management? Is this sufficient?

How often are consulting engagements proposed by the head of the internal audit function rather than by management?

How much of the content of the audit plan is truly risk-based as opposed to completing a list of expected audits that are repeated annually?

Are blended engagements considered as an option for increasing efficiency and effectiveness?

Do you agree with the analysis of the different competencies needed for assurance and advisory engagements? Is this considered when auditors are assigned to engagements?

C.2 Auditing Governance

The IIA Supplemental Guidance: The Role of Auditing in Public Sector Governance emphasizes the essential characteristics of the internal audit function for providing valuable assurance and insight:

• Organizational independence.
• A formal mandate (in “the public sector’s constitution, charter, or other basic legal document.”)
• Unrestricted access “to employees, property, and records.”
• Sufficient funding.
• Competent leadership.
• Objective staff.
• Competent staff.
• Stakeholder support.
• Professional audit standards. 50

In respect of governance, internal audit may contribute in various ways:

• Oversight: Internal audit can extend the reach of senior management and the governing body to observe organizational activities and circumstances and determine whether policy is being implemented as intended with appropriate assessment of risks and implementation of controls. Auditing provides transparency through verification of performance, position, and prospects, and by sharing it with stakeholders.
• Detection: Audits reveal “inappropriate, inefficient, illegal, fraudulent, or abusive acts that have already transpired.” Such information can be used to strengthen controls, initiate training, and pursue disciplinary or legal proceedings. Detection can occur as part of an investigation of potential conflicts of interest or suspected wasteful, abusive, or fraudulent activities. Alternatively, detection also occurs when red flags are identified during a routine engagement involving the identification of risks and testing of controls.
• Deterrence: Anticipated audit work as well as the exposure of detected weaknesses can deter other lapses in proper oversight and management.
• Insight: Auditors can share their expertise and understanding and make recommendations in terms of potential improvements with reference to best practices.
• Foresight: Auditors can also anticipate future risks by considering trends as well as changes in legislation and regulation. 51

Organizational governance may be audited in an individual engagement. Alternatively, an opinion on governance may be derived from multiple engagements (see C.1.5). Assurance and advisory engagements may be used. Any engagement that considers risk management and internal control contributes to an auditor’s understanding of governance.

50 Supplemental Guidance: The Role of Auditing in Public Sector Governance, The IIA, 2012.
51 Supplemental Guidance: The Role of Auditing in Public Sector Governance, The IIA, 2012.

Performance audits are also useful in evaluating governance with regard to particular policies and initiatives. Some governance audits pay particular attention to the working of the governing body and may evaluate the effectiveness of meetings, strategic planning, management of conflicts of interest, nominations, and so on. External agencies can provide this service for greater independence and objectivity.

Suggested questions internal auditors may ask as part of their investigation into the adequacy and effectiveness of governance, focusing on the key aspects of governance (performance, conformance, value creation and protection, and accountability), are given below, based on guidance from IFAC:

• Do the structures and processes of governance serve to optimize stakeholder value?
• Do they serve to ensure an appropriate balance of stakeholder interests?
• Do they support both performance in respect of achieving organizational purpose and conformance with laws, regulations, policies, and other expectations?
• Are governance processes fully integrated into the organization and its culture, planning, behaviors, and activities?
• Is the governing body appropriately constituted and structured to lead on governance for the organization, overseeing senior management and internal audit, and engaging with key stakeholders?
• Has the governing body established a set of fundamental values by which the organization operates?
• Are these values well communicated, monitored, and appropriately reinforced and enforced?
• Does the strategy adopted by the governing body demonstrate a sound understanding of the political context, operating model, and internal and external environment?
• Does the strategy promoted by the governing body provide sufficient direction and focus for the organization?
• Has the governing body ensured that management has established an appropriate and effective framework for risk management and internal control?
• Does the governing body ensure resource allocation by management is aligned with strategic priorities?
• Does the governing body evaluate its own effectiveness as well as that of its strategy and organizational activities toward continual improvement and achievement of objectives?
• Are the interests and needs of stakeholders given appropriate consideration and do stakeholders receive relevant, timely, and reliable information? 52

52 Evaluating and Improving Governance in Organizations, IFAC, 2009.

C.2: Reflection

How does your internal audit function contribute to the ongoing development and improvement of organizational governance?

Does your internal audit function provide assurance on governance for specific areas and/or for the entity as a whole?

Is governance highlighted as an important consideration in every engagement?

C.3 Fraud, IT, and Cybersecurity

In providing assurance, internal auditors must be attentive to all relevant risks and their potential to impact organizational objectives and priorities. The IPPF gives particular mention to two key risk areas: fraud and IT.

For example, Standard 1210 – Proficiency has the following requirements:

1210.A2 Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3 Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing. 53

C.3.1 Fraud

IIA Internal Audit Competency Framework
Fraud:
General Awareness: Recognize types of fraud, fraud risk, and red flags for fraud.
Applied Knowledge: Evaluate the potential for fraud and how the organization detects and manages fraud risks; recommend controls to prevent and detect fraud and educate to improve the organization’s fraud awareness.
Expert: Apply forensic auditing techniques in fraud prevention, deterrence, and investigation. 54

Fraud is referenced seven times in the Standards and is defined as:

Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. 55

53 The International Professional Practices Framework, The Institute of Internal Auditors, 2016.
54 Internal Audit Competency Framework, The IIA, 2022.
55 The International Professional Practices Framework, The Institute of Internal Auditors, 2016.

Fraud may be perpetrated via measures such as:

• Claims for fictitious expenses or duplicate claims.
• Use of fake or stolen identity.
• Disbursements to fictitious vendors or beneficiaries.
• Unwarranted refunds.
• Lost or voided checks.
• Interception of goods received.
• Concealment through false accounting (such as capitalizing expenses, ignoring bad debts, mischaracterizing expenditure as “miscellaneous” or something else, and over- or under-reporting).
• Embezzlement of funds and other resources.

All parties within an organization have a responsibility to contribute to fighting fraud.

Role in fighting fraud, by organizational role:

Governing body and audit committee:
• Ultimate responsibility for fraud risk governance.
• Lead by example.
• Set “tone at the top.”
• Ensure there are appropriate fraud risk management structures and processes in place.
• Ensure the internal audit plan is sufficiently attentive to fraud risk.
• Receive and respond to reports from internal auditing regarding the adequacy and effectiveness of fraud risk management.
• Receive and respond to reports from fraud risk experts, examiners, inspectors, external auditors, and others.

Senior management:
• Lead by example.
• Promote ethical conduct.
• Address suspicions of fraud when they surface.
• Provide training.

Those with first line roles:
• Implement and maintain controls for fraud.
• Report incidents of fraud or suspected fraud.

Those with second line roles:
• Provide specialist expertise in developing and implementing controls for fraud.
• Monitor and analyze the effectiveness of fraud risk management.

Internal auditors:
• Provide independent and objective assurance and advice on the adequacy and effectiveness of fraud risk governance, management, and control.
• Map and coordinate fraud risk assurance from internal and external providers.

Common controls for fraud relating to cash and financial transactions, for example, include:

• Segregation of incompatible duties. Responsibility for custody of an asset, authorization for its deployment, and recording its usage should ideally be assigned to different individuals. Where this is not possible because of a shortage of resources, then compensating controls, including increased supervision, regular reconciliations, stock takes, and scrutiny by inspectors and auditors, should be applied.
• Centralization of cash collection points.
• Individual cash drawers for each employee responsible for collecting money to assist with traceability and accountability for errors and fraud.
• Endorsing checks when they are received to limit opportunities for misuse.
• Maintaining sequential receipts.
• Timely recording of transactions.
• Timely deposits of cash.
• Physical security of blank checks.
• Regular reconciliations.

Figure: Segregation of Incompatible Duties
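Several of the controls listed above can be checked as audit tests over extracted transaction data. The Python script below is an added example (not from the workbook or The IIA) that tests constructed payment, receipt and expense-claim records for segregation-of-duties conflicts without an independent compensating review, gaps and duplicates in the receipt sequence, and duplicate claims; the record layouts, field names and sample values are assumptions.

```python
"""Audit tests for the cash and financial-transaction controls listed above.

Added example, not from the TIAPS workbook or The IIA. All records are
constructed sample data; the record layouts and field names are assumptions.
Tests: (1) custody, authorization and recording of a disbursement held by one
person with no independent compensating review; (2) gaps or duplicates in the
receipt number run; (3) the same claim submitted more than once.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Payment:
    ref: str
    custodian: str                     # person with custody of the cash or asset
    authorizer: str                    # person who approved the disbursement
    recorder: str                      # person who posted the ledger entry
    reviewed_by: Optional[str] = None  # compensating supervisory review, if any


@dataclass(frozen=True)
class Claim:
    claimant: str
    amount_cents: int                  # integer cents avoid floating-point rounding
    invoice_ref: str


def sod_violations(payments):
    """Return [(ref, {person: [duties]})] for payments where one person holds
    two or more of the three incompatible duties and no compensating review
    by an uninvolved person is recorded."""
    flagged = []
    for p in payments:
        duties = {"custody": p.custodian,
                  "authorization": p.authorizer,
                  "recording": p.recorder}
        by_person = defaultdict(list)
        for duty, person in duties.items():
            by_person[person].append(duty)
        overlaps = {person: held for person, held in by_person.items()
                    if len(held) > 1}
        if not overlaps:
            continue
        # A review only compensates when the reviewer is independent of all
        # three duties; a self-review compensates for nothing.
        if p.reviewed_by and p.reviewed_by not in duties.values():
            continue
        flagged.append((p.ref, overlaps))
    return flagged


def receipt_sequence_exceptions(receipt_numbers):
    """Report numbers missing from, or duplicated within, what should be an
    unbroken run of sequential receipts."""
    counts = Counter(receipt_numbers)
    if not counts:
        return {"missing": [], "duplicates": []}
    low, high = min(counts), max(counts)
    return {
        "missing": [n for n in range(low, high + 1) if n not in counts],
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
    }


def duplicate_claims(claims):
    """Return {(claimant, amount_cents, invoice_ref): count} for claims that
    appear more than once, the simplest duplicate-claim pattern."""
    counts = Counter((c.claimant, c.amount_cents, c.invoice_ref) for c in claims)
    return {key: n for key, n in counts.items() if n > 1}


# Constructed sample data (hypothetical references and names)
SAMPLE_PAYMENTS = [
    Payment("P-1001", custodian="ana", authorizer="ben", recorder="cal"),
    Payment("P-1002", custodian="dana", authorizer="dana", recorder="cal"),
    Payment("P-1003", custodian="fay", authorizer="gus", recorder="fay", reviewed_by="hal"),
    Payment("P-1004", custodian="eli", authorizer="eli", recorder="eli", reviewed_by="eli"),
]
SAMPLE_RECEIPTS = [2001, 2002, 2004, 2004, 2005]
SAMPLE_CLAIMS = [
    Claim("E-07", 12500, "INV-88"),
    Claim("E-07", 12500, "INV-88"),
    Claim("E-07", 12500, "INV-89"),
    Claim("E-12", 4000, "INV-88"),
]

if __name__ == "__main__":
    for ref, overlaps in sod_violations(SAMPLE_PAYMENTS):
        print(f"SoD conflict on {ref}: {overlaps}")
    print("receipt exceptions:", receipt_sequence_exceptions(SAMPLE_RECEIPTS))
    print("duplicate claims:", duplicate_claims(SAMPLE_CLAIMS))
```

P-1003 is not flagged because an uninvolved supervisor reviewed it, which is the compensating-control case the bullet describes; P-1004 is flagged despite a recorded review because the reviewer is the same person.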

Many of the controls described above are needed for managing risks related to human, system, and process errors as well as the possibility of fraud. To ensure the general integrity of the control environment, there should be a clear tone at the top, a well-defined code of conduct to confirm behavioral expectations, consistent and timely handling of breaches, continuous awareness raising and regular training, documented policies and processes, and opportunities for anonymous whistleblowing.

A defining characteristic of fraud is that such acts are deliberate. Frauds are not errors caused by bad luck or incompetence. Individuals acting alone or with others usually have a need or an incentive (motivation) to commit fraud (such as economic or social hardship, ambition, or duress), identify an opportunity to take an unfair and unwarranted advantage of circumstances (unethical and often but not always illegal), and tend to provide a rationalization to themselves and anyone else (such as when they are caught) in terms of their needs or perceived entitlement (“everyone else is doing it,” “the organization deserves it for having weak controls,” “it’s only $100,” “I need it more than they do,” “it’s a victimless crime,” etc.). Often individuals start committing fraud with a small value or with the intention of only doing it once, but the temptation and the rationalization increase. Motivation, opportunity, and rationalization are the key elements of the fraud risk triangle and provide a basis for considering appropriate controls for each of these dynamics. Organizations must:

• Reduce motivation (through ethical training and by addressing signs of stress).
• Limit opportunity (through awareness raising and segregation of incompatible duties, for example).
• Combat potential rationalization (through being seen to take fraud seriously, dealing with incidents fairly and swiftly, and providing fair compensation to all).

Figure: Controls for the Primary Causes of Fraud (based on the Cressey Fraud Risk Triangle)

The IIA Practice Guide: Internal Audit and Fraud – Assessing Fraud Risk Governance and Management at the Organizational Level distinguishes three aspects an internal auditor must be aware of when evaluating risks and controls:

• Fraud risks – the potential for fraud (which is ever-present).
• Fraud schemes – active plans by individuals or groups to commit fraud.
• Fraud events – where fraud has been committed. 56

56 IIA Practice Guide: Internal Audit and Fraud – Assessing Fraud Risk Governance and Management at the Organizational Level, 2nd edition, 2022.

Internal auditors have an important role to play in raising fraud risk awareness, helping to reduce the likelihood and impact of fraud, and supporting the identification of fraud schemes and events. The following extracts from the Standards illustrate the role and its limits.

1210.A2 Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. 57

1220.A1 Internal auditors must exercise due professional care by considering the:
• …
• Probability of significant errors, fraud, or noncompliance. 58

2060 Reporting [by the chief audit executive] must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board. 59

As part of a regular audit engagement, internal auditors should:

• Gather information to understand the purpose and context of the engagement, as well as the governance, risk management, and controls relevant to the area or process under review. Information may be drawn from multiple sources, including previous audit engagements, reports from specialist investigators (such as fraud examiners, external auditors, and financial inspections), interviews, external research of similar situations, and fraud risk and control models and benchmarks.
• Brainstorm fraud scenarios to identify potential fraud risks.
• Assess the identified fraud risks to determine which risks require further evaluation during the engagement. 60

Certain red flags should alert the internal auditor to the potential for fraud. These may include:

Potential Red Flags for Fraud, by type of issue:

Give-away phrases used:
• “As a work around …”
• “Just this one time …”
• “I have always done it this way.”
• “Once in a while we …”
• “Off the record …”
• “There are no policies or procedures for this process.”
• “Someone told me to do it this way; however, I am not sure why.”
• “This is really how it is done.”
• “The way it is supposed to work …”

Management issues:
• Lack of area expertise.
• Lack of supervision.
• History of legal violations.

Personnel issues:
• Lack of background checks.
• Dissatisfied employees.
• Unwillingness to share duties.

Process issues:
• Duties not segregated.
• Poor physical security.
• Poor access controls. 61

57 The International Professional Practices Framework, The IIA, 2016.
58 The International Professional Practices Framework, The IIA, 2016.
59 The International Professional Practices Framework, The IIA, 2016.
60 IIA Practice Guide: Engagement Planning – Assessing Fraud Risks, The IIA, 2017.

Guidance published by the World Bank Group identifies examples of internal frauds perpetrated by employees:

• Procurement fraud (e.g., false invoicing, credit card misuse, manipulations in the procurement process or procuring low quality items, receiving kickbacks for referring contract work to related parties).
• Theft and skimming (e.g., removing and selling inventory, cash, consumables, or information, fraudulent acceptance of goods and services, and receiving compensation without reporting transactions).
• Fraudulent expenditure claims (e.g., using false receipts to claim travel and accommodation allowances).
• Payroll fraud (e.g., adding fake employees to the payroll or claiming overtime for hours not worked). 62

Accounting fraud, money laundering, and tax evasion can be added to this list.

When internal auditors suspect fraud, great care needs to be taken. The organization requires well-defined procedures to follow in such circumstances. In some cases, the internal auditor is expected to pass over the evidence giving rise to a suspected fraud to investigators or law enforcement to pursue. Auditors may be asked to be witnesses or provide other evidence. The careful preservation of papers and audit trails is extremely important. In some organizations, internal auditors are expected to investigate fraud, but as with all activities this should only occur where individuals have the competency to do so.

61 IIA Practice Guide: Engagement Planning – Assessing Fraud Risks, The IIA, 2017.
62 Public Sector Internal Audit: Focus on Fraud, Center for Financial Reporting Reform, World Bank Group, 2017.



C.3.2 Information Technology

IIA Internal Audit Competency Framework

Information Technology:

General Awareness: Describe the basic concepts of IT and data analytics. Describe the various risks related to IT, information security, and data privacy. Recognize the purpose and applications of IT control frameworks and basic IT controls.

Applied Knowledge: Apply data analytics and IT in auditing. Identify and assess various risks related to IT, information security, and data privacy. Apply IT control frameworks.

Expert: Evaluate the use of data analytics and IT in auditing. Recommend actions to address IT risks, information security, and data privacy. Evaluate the use of IT control frameworks. 63

IT audit is no longer the exclusive preserve of specialists. Information technology is utilized universally across departments and forms a part of most procedures. Hence, all internal auditors need to be able to recognize IT risks and evaluate the effectiveness of controls.

IT creates many opportunities and threats for organizations. It is used as a tool to provide services to clients and support routine operations, including controls. IT usage includes:

• Routine storage, access, and manipulation of large amounts of data, presenting potential issues for data privacy and protection.
• Wide usage and availability of mobile phones, tablets, laptops, memory sticks with huge storage capacity, and other personal devices.
• Ready access to “big data” and the potential for continuous auditing.
• The increasing use of data analytics.
• Social media for personal and business use.
• Cloud computing for flexible storage and access.
• Blockchain.
• Artificial intelligence, machine learning, and virtual reality.
• Online receipts, payments, and banking.

IT tools and techniques are also available for internal auditors to assist with planning, communication, testing, remote observation, analysis, and follow up. (This is covered in more detail in T2: Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis.)

IT creates key risk areas for organizations, including:

• Compliance risks (especially for data privacy and protection).
• Reputational damage and erosion of trust by citizens, service users, vendors, donor organizations, and others.
• Financial penalties.
• Operational disruption.
• Skills gaps and shortages.

63 Internal Audit Competency Framework, The IIA, 2022.



Risk management techniques can be applied to IT risks, although specialist frameworks and standards have been developed to define best practices, reflecting the complexity of the area. IT is subject to rapid development, and service users (including staff who operate systems supported by IT) are likely to have high expectations. Customer online experiences of companies like Amazon reduce our tolerance of anything less effective or user-friendly. Internal auditors are expected to account for IT risks in every engagement.

Standard 2110 – Governance
2110.A2 The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

Standard 2120 – Risk Management
2120.A1 The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems.

Standard 2130 – Control
2130.A1 The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems. 64

Internal auditors should identify IT risks within audits and evaluate the effectiveness of management responses to them. There should be appropriate expertise to enable the internal audit function to consider all IT risks, although not all auditors need to be specialists. Where the expertise is lacking within the team, the head of the function will need to draw on other sources to provide the desired level of assurance to senior management and the governing body. A risk management framework such as COSO Internal Control – Integrated Framework may be used to support auditors in developing audit objectives and plans, undertaking testing and analysis, and formulating conclusions. Specialist standards may also be used to guide the work of internal audit and serve as a benchmark for expected practice.

There are two main classes of IT controls, namely general controls and application controls. General controls operate at the most fundamental level and work to ensure the integrity of IT outputs. Application controls are fully automated and are designed to ensure correctness of processing throughout the system.

64 The International Professional Practices Framework, The Institute of Internal Auditors, 2016.



Class of IT Controls and Examples

General Controls:
• The organizational and IT control environments.
• Technical-support policies and procedures.
• Policies and processes for change management.
• Procedures for source code/document version-control.
• Standards for software development lifecycle.
• Hardware/software configuration, installation, testing, management, standards, policies, and procedures.
• Security policies, standards, and processes.
• Procedures and policies for incident-management.
• Procedures for back-up and disaster recovery.

Application Controls:
• Authentication.
• Authorization.
• Change management.
• Completeness checks.
• Identification.
• Input controls.
• Problem management.
• Validity checks.

The relationships among the classification of IT controls are shown in the following graphic, adapted from GTAG: Information Technology Risks and Controls, The IIA, 2012 65:

Figure: Types of IT Controls

65 GTAG: Information Technology Risks and Controls, The IIA, 2012.



IT controls may be manual, automated, or semi-automated. A useful article by AuditBoard makes the distinction clear:

Automated controls are ideal in situations with high volume, uniform transactions. In this case, there is little need for manual intervention or judgment. Automated controls include the risk of relying on inaccurate systems and data or putting trust in an inappropriate automation algorithm.

Manual controls are preferred when there is a need for human judgment. The need for manual controls often arises when there is a low volume of transactions that require discretion in deciding the outcome of the internal control process. Manual controls run the risk of human error and intentional override.

A third control category also exists called semi-automated controls, sometimes referred to as IT-dependent controls. With this type of automated control, human intervention is still required, but the person’s action is dependent on the output of a system. 66

In addition, the process of testing controls can be automated with significant benefits, as described by EY:

• Increased operational efficiency (compared with manual controls and risk compliance processes that may be “fragmented, siloed, and unsustainable.”)
• Reduced compliance costs associated with the manual effort, time, and errors.
• Improved controls assurance, allowing for high volume, high accuracy, and live insights.
• Continuous controls improvement, making the shift “from controls testing as a compliance exercise to a value-added program.” 67

The advanced tools described in Module 2 Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis section B.3.1, including data analytics, robotic process automation, artificial intelligence, machine learning, deep learning networks, and exploratory data analysis, can be used to enable automated controls testing.
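As an added illustration of automated controls testing (not drawn from the workbook, AuditBoard or EY), the following Python script runs three tests an internal auditor might automate over a ledger extract: a segregation-of-duties test (the same user entered and approved an invoice), a duplicate-payment test for repeated or false invoicing, and a payroll test for several employees paid into one bank account. The record layout, the 30-day window and every sample value are constructed assumptions.

```python
"""Automated controls tests over constructed procurement and payroll records.

Added example; record layouts, field names, thresholds and sample values
are assumptions constructed for illustration and come from no real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    invoice_date: date
    entered_by: str   # user who keyed the invoice into the ledger
    approved_by: str  # user who released it for payment


@dataclass(frozen=True)
class PayrollEntry:
    employee_id: str
    name: str
    bank_account: str  # account the net pay is sent to (constructed placeholder)
    net_pay: float


# Constructed sample data (not real). Exceptions are planted deliberately.
INVOICES = [
    Invoice("INV-1001", "Alpha Supplies", 4_800.00, date(2023, 3, 2), "mbrown", "kjones"),
    Invoice("INV-1002", "Alpha Supplies", 4_800.00, date(2023, 3, 9), "mbrown", "kjones"),   # duplicate
    Invoice("INV-1003", "Beta Services", 12_250.00, date(2023, 3, 10), "tgreen", "tgreen"),  # SoD breach
    Invoice("INV-1004", "Gamma Works", 950.00, date(2023, 3, 15), "mbrown", "kjones"),
    Invoice("INV-1005", "Beta Services", 12_250.00, date(2023, 5, 30), "tgreen", "kjones"),  # outside window
]

PAYROLL = [
    PayrollEntry("E001", "A. Hoxha", "AL00TESTACCOUNT0001", 1_200.00),
    PayrollEntry("E002", "B. Dervishi", "AL00TESTACCOUNT0002", 1_350.00),
    PayrollEntry("E003", "C. Kola", "AL00TESTACCOUNT0001", 1_100.00),  # same account as E001
]


def segregation_of_duties_breaches(invoices):
    """Application control: the user who enters an invoice must not approve it."""
    return sorted(inv.invoice_id for inv in invoices if inv.entered_by == inv.approved_by)


def duplicate_payments(invoices, window_days=30):
    """Flag the same vendor billed the same amount within `window_days`.

    Re-keyed or repeated invoices are a common form of false invoicing; a
    validity check on vendor + amount within a short window surfaces them.
    """
    by_key = defaultdict(list)
    for inv in invoices:
        by_key[(inv.vendor, round(inv.amount, 2))].append(inv)
    findings = []
    for group in by_key.values():
        group.sort(key=lambda i: i.invoice_date)
        for earlier, later in zip(group, group[1:]):
            if (later.invoice_date - earlier.invoice_date).days <= window_days:
                findings.append((earlier.invoice_id, later.invoice_id))
    return sorted(findings)


def shared_bank_accounts(payroll):
    """Payroll test: several employees paid to one account may indicate a ghost employee."""
    accounts = defaultdict(list)
    for entry in payroll:
        accounts[entry.bank_account].append(entry.employee_id)
    return {acct: sorted(ids) for acct, ids in accounts.items() if len(ids) > 1}


def run_controls_tests(invoices=INVOICES, payroll=PAYROLL):
    """Run every test and return the exceptions as one dict for the working papers."""
    return {
        "sod_breaches": segregation_of_duties_breaches(invoices),
        "duplicate_payments": duplicate_payments(invoices),
        "shared_bank_accounts": shared_bank_accounts(payroll),
    }


if __name__ == "__main__":
    for test_name, result in run_controls_tests().items():
        print(f"{test_name}: {result or 'no exceptions'}")
```

Widening `window_days` shows how the tolerance set by the auditor changes the exception list, which is exactly the parameter that should be documented in the test design.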

C.3.3 Cybersecurity

IT is not just something that might fail through error, poor practice, and bad luck; it provides a target for deliberate and often malicious attacks. The IIA Cybersecurity Toolkit provides a checklist for undertaking cybersecurity audits of key areas to consider as part of the planning and testing stages.

• Cybersecurity governance. (This is discussed in more detail in section A.4.)
• Inventory of information assets (hardware, software, and data).
• Standard security configurations (following best practices for key items of hardware and software).
• Information access management (appropriate for each layer, i.e., application user, developer, administrator).
• Proactive and preventive controls (e.g., malware detection, vulnerability scanning, penetration testing, and data encryption).
• Response and remediation. 68

66 Automated Controls Testing and SOX Testing, AuditBoard, 2016.
67 Automated Controls Testing: a stepping-stone to the future of internal audit, EY, 2021. https://www.linkedin.com/pulse/automated-controls-testing-stepping-stone-future-internal-roffey/

Cybersecurity is a key element of IT risk and focuses on how an organization protects its information assets (computers, networks, programs, and data) through the use of various technologies, processes, and practices. Cybersecurity risks arise from access to, damage to, and alteration of these assets, and from their availability, control, theft, and distribution.

As with the management of fraud and IT risks, cybersecurity can be considered in the context of more general frameworks as well as specialized models. The guide COSO in the Cyber Age uses the COSO Internal Control – Integrated Framework as the basis for a review of cybersecurity risks and how internal audit may review these.

COSO Internal Control Element and Questions for Internal Audit to Consider

Control Environment
• Does the board of directors understand the organization’s cyber risk profile and are they informed of how the organization is managing the evolving cyber risks management faces?

Risk Assessment
• Has the organization and its critical stakeholders evaluated its operations, reporting, and compliance objectives and gathered information to understand how cyber risk could impact such objectives?

Control Activities
• Has the entity developed control activities, including general control activities over technology, that enable the organization to manage cyber risk within the level of tolerance acceptable to the organization?
• Have such control activities been deployed through formalized policies and procedures?

Information and Communication
• Has the organization identified information requirements to manage internal control over cyber risk?
• Has the organization defined internal and external communication channels and protocols that support the functioning of internal control?
• How will the organization respond to, manage, and communicate a cyber risk event?

Monitoring Activities
• How will the organization select, develop, and perform evaluations to ascertain the design and operating effectiveness of internal controls that address cyber risks?
• When deficiencies are identified how are these deficiencies communicated and prioritized for corrective action?
• What is the organization doing to monitor their cyber risk profile? 69

68 Cybersecurity Toolkit, The IIA, 2021.
69 COSO In the Cyber Age, COSO, 2015.



The IIA’s Cybersecurity Toolkit describes internal audit’s contribution to cybersecurity governance through consideration of the main components of a governance model, as follows:

• Board-level oversight: Confirm that the board of directors sees regular reporting on cybersecurity risks and risk mitigation activities.
• Policies and procedures: Verify whether significant processes described below are adequately covered in policies and procedures, and whether the guidance has been reauthorized within a reasonable time period.
• Risk management: Determine whether management has conducted a comprehensive cyber risk assessment, covering all geographic areas of operation, business lines, etc.
• Records and information management: Verify whether system architecture and data flow documentation is complete, accurate, and consistently retained.
• Compliance: Determine whether IT and IS leaders have identified relevant external requirements and implemented controls to ensure the organization meets the standards.
• Data classification: Confirm that a classification scheme has been defined and is recorded for all systems and databases.
• Vendor management: Verify whether third-party risks have been assessed, and whether vendors that store or process sensitive data are subject to sufficient contractual, oversight, and technical controls.
• Management reporting: Determine whether KPIs or KRIs have been defined for cybersecurity, and whether reporting is accurate and actionable.
• Personnel: Determine whether IT and IS staffing is sufficient and has the expertise to deploy security tools and enforce policies. 70

The IIA series Global Perspectives and Insights provides three-part guidance on cybersecurity. Among other things, the guidance emphasizes the importance of a collaborative approach to cybersecurity in which the internal auditor has an important role, placing particular importance on the relationship between internal audit and the senior manager charged with information security. Oversight by the governing body is also critical. 71

70 Cybersecurity Toolkit, The IIA, 2021.
71 Global Perspectives and Insights – Cybersecurity in 2022, Parts 1-3, The IIA, 2022.



C.3.4 Data Privacy

There are strict requirements regarding data privacy. Although laws and regulations vary and continue to evolve, when someone provides an organization with personal data they generally have a right to:

• Know the purpose for collecting the data.
• Know what personal information an organization has.
• Control what information is collected and how it is used, including who has access to it.
• Request to change and delete any personal information held at any time for any reason.

Organizations can find themselves operating outside of these requirements due to inadequate controls, such as:

• The processes used for data collection are poorly designed and maintained and, as a result, the organization collects unnecessary, incomplete, or inaccurate information, or does not gain appropriate permission from the owner of personal data for its usage and storage.
• The organization allows data to be corrupted, stolen, or leaked, or shares it – contrary to the agreement with the data owner – with a third party that misuses it.
• Data is stored beyond a permissible or useful period when it should be deleted.

Organizations must maintain awareness of internal and external requirements for data privacy, keep staff informed, and ensure policies and processes are regularly reviewed and kept up to date.
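As an added example (not part of the workbook), the following Python check tests two of the control failures listed above over a constructed register of personal-data records: processing for a purpose the data subject never agreed to, and retention beyond the permitted period. The retention schedule, field names, review date and records are assumptions built for illustration, not taken from any law or system.

```python
"""Purpose-limitation and retention checks over a constructed personal-data register.

Added example; the retention schedule, field names, review date and records
are assumptions constructed for illustration, not taken from any law or system.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule: maximum days a record may be kept after it was
# last needed for its stated purpose.
RETENTION_DAYS = {
    "service_delivery": 365 * 2,
    "payroll": 365 * 7,
    "newsletter": 365,
}

# Assumed date on which the review is performed.
AS_OF = date(2023, 10, 1)


@dataclass(frozen=True)
class PersonalRecord:
    record_id: str
    subject: str
    purpose: str                   # purpose the organization processes the data for
    consented_purposes: frozenset  # purposes the data subject actually agreed to
    collected_on: date
    last_needed_on: date           # last date the record served its purpose


def record_findings(rec, today):
    """Return the control failures for one record (empty list if compliant)."""
    findings = []
    if rec.purpose not in RETENTION_DAYS:
        # Without a defined period the retention test cannot be evaluated at all,
        # which is itself a finding about the organization's data inventory.
        findings.append("no retention period defined for purpose")
        return findings
    if rec.purpose not in rec.consented_purposes:
        findings.append("processing purpose not covered by consent")
    deadline = rec.last_needed_on + timedelta(days=RETENTION_DAYS[rec.purpose])
    if today > deadline:
        findings.append(f"retained {(today - deadline).days} days past permitted period")
    return findings


def review_register(records, today=AS_OF):
    """Map record_id to its findings for every record failing at least one check."""
    result = {}
    for rec in records:
        findings = record_findings(rec, today)
        if findings:
            result[rec.record_id] = findings
    return result


# Constructed sample register (no real people or data).
REGISTER = [
    PersonalRecord("R1", "subject-a", "service_delivery", frozenset({"service_delivery"}),
                   date(2021, 1, 10), date(2021, 6, 30)),   # kept past its deadline
    PersonalRecord("R2", "subject-b", "newsletter", frozenset({"service_delivery"}),
                   date(2023, 2, 1), date(2023, 2, 1)),     # purpose never consented to
    PersonalRecord("R3", "subject-c", "payroll", frozenset({"payroll"}),
                   date(2020, 5, 1), date(2022, 12, 31)),   # compliant
    PersonalRecord("R4", "subject-d", "marketing_analytics", frozenset({"marketing_analytics"}),
                   date(2023, 1, 1), date(2023, 1, 1)),     # no schedule for this purpose
]

if __name__ == "__main__":
    for rid, issues in review_register(REGISTER).items():
        print(rid, "->", "; ".join(issues))
```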



C.3: Reflection

Fraud:
How are suspected frauds handled in your organization?
Do internal auditors receive sufficient training?
Are internal auditors involved in awareness raising about fraud risk?

IT:
How does your internal audit function ensure it has the skills and expertise needed to audit IT risks and controls?
To what extent is automated controls testing utilized?
Who in your organization takes the lead on managing IT risks?
How does internal audit collaborate with and support those responsible for IT risk management?

Cybersecurity:
How does your internal audit function ensure it has the skills and expertise needed to audit cybersecurity risks and controls?
Who in your organization takes the lead on managing cybersecurity risks?
How does internal audit collaborate with and support those responsible for cybersecurity risk management?

Data Privacy:
Who in your organization takes the lead on managing data privacy risks?
How does internal audit collaborate with and support those responsible for data privacy risk management?



References and Additional Reading

12 Principles of Good Governance, Council of Europe, 2008. https://www.coe.int/en/web/good-governance/12-principles

APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011. https://www.apec.org/docs/default-source/publications/2011/3/good-practice-guide-onpublic-sector-governance/2011_ec_good-practice-guidepsg.pdf?sfvrsn=7398b3dc_1

Assessing the Effectiveness of Internal Control: PEMPAL Guidance for Public Sector Internal Auditors, PEMPAL, 2020. https://www.pempal.org/sites/pempal/files/IACOP/NEWSPAPER/iacop_assessing_the_effectiveness_of_internal_control_-_pempal_guidance.pdf

Assessing Cybersecurity Risks: The Three Lines Model, The IIA, 2020. https://www.theiia.org/globalassets/documents/content/articles/guidance/gtag/gtagassessing-cybersecurity-risk.pdf

Cybersecurity Toolkit, The IIA, 2021. https://www.theiia.org/globalassets/documents/content/tools/iia-member-certifiedcybersecurity-toolkit.pdf

Automated Controls Testing: a stepping-stone to the future of internal audit, EY, 2021. https://www.linkedin.com/pulse/automated-controls-testing-stepping-stone-future-internal-roffey/

Automated Controls Testing and SOX Testing, AuditBoard, 2016. https://www.auditboard.com/blog/automated-controls-and-sox-testing/

COSO In the Cyber Age, COSO, 2015. https://www.coso.org/Shared%20Documents/COSOin-the-Cyber-Age.pdf

Delivering Excellent Public Finance: CIPFA’s Whole System Approach to Public Financial Management, CIPFA. https://www.cipfa.org/policy-and-guidance/reports/whole-systemapproach-volume-1

European Commission Staff Working Document: Albania 2022 Report. https://neighbourhood-enlargement.ec.europa.eu/system/files/2022-10/Albania%20Report%202022.pdf

Evaluating and Improving Governance in Organizations, IFAC, 2009. https://www.ifac.org/system/files/publications/files/IGPG-Evaluating-and-Improving-Governance.pdf

Factsheet: Internal Audit Consulting, IIA Australia, 2022. http://www.iia.org.au/sf_docs/default-source/technical-resources/2018-factsheets/internal-audit-consulting.pdf?sfvrsn=2



Global Perspectives and Insights – Cybersecurity in 2022, Part 1: How the New SEC Proposals Could Change the Game, The IIA, 2022. https://www.theiia.org/globalassets/site/content/articles/global-perspectives-and-insights/2022/global-perspectives--insights--cybersecurity-in-2022-parts-1-3/gpi_cybersecurity_in_2022_parts_1_3_final.pdf

Global Perspectives and Insights – Cybersecurity in 2022, Part 2: Critical Partners — Internal Audit and the CISO, The IIA, 2022. https://www.theiia.org/globalassets/site/content/articles/global-perspectives-and-insights/2022/global-perspectives--insights--cybersecurity-in-2022-parts-1-3/gpi_cybersecurity_in_2022_parts_1_3_final.pdf

Global Perspectives and Insights – Cybersecurity in 2022, Part 3: Cyber Incident Response and Recovery, The IIA, 2022. https://www.theiia.org/globalassets/site/content/articles/global-perspectives-and-insights/2022/global-perspectives--insights--cybersecurity-in-2022-parts-1-3/gpi_cybersecurity_in_2022_parts_1_3_final.pdf

GTAG: Information Technology Risks and Controls, The IIA, 2012. https://www.theiia.org/en/content/guidance/recommended/supplemental/gtags/gtaginformation-technology-risk-and-controls-2nd-edition/

Internal Audit Competency Framework, The IIA, 2022. https://www.theiia.org/globalassets/documents/standards/ia-competencyframework/2022-4103-sem-competency-framework-graphics-table_fnl.pdf

IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019. https://www.theiia.org/globalassets/documents/resources/the-internal-audit-charter-ablueprint-to-assurance-success-august-2019/pp-the-internal-audit-charter.pdf

IIA Practice Guide: Engagement Planning – Assessing Fraud Risks, The IIA, 2017. https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/engagement-planning-assessing-fraud-risks/pg-engagement-planning-assessingfraud-risks.pdf

IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management, The IIA, 2009. https://www.theiia.org/globalassets/documents/resources/the-role-of-internalauditing-in-enterprise-wide-risk-management-january-2009/pp-the-role-of-internalauditing-in-enterprise-risk-management.pdf

IIA Practice Guide: Formulating and Expressing Internal Audit Opinions, The IIA, 2009. https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/formulating-and-expressing-internal-audit-opinions/09523_pro-opinionspracguidefnl-lo-cx3.pdf



IIA Practice Guide: Internal Audit and Fraud – Assessing Fraud Risk Governance and Management at the Organizational Level, 2nd edition, 2022. https://www.theiia.org/globalassets/site/content/guidance/recommended/supplemental/practice-guides/practice-guide-internal-audit-and-fraud-2ndedition/pg_internal_audit_and_fraud_2nd_edition_final.pdf

IIA Practice Guide: Unique Aspects of Internal Auditing in the Public Sector, The IIA, 2022. https://www.theiia.org/en/content/guidance/recommended/supplemental/practiceguides/unique-aspects-of-internal-auditing-in-the-public-sector/

The IIA Three Lines Model, The IIA, 2020. https://www.theiia.org/globalassets/site/aboutus/advocacy/three-lines-model-updated.pdf

Independent Audit Committees in Public Sector Organizations, The IIA, 2014. https://www.theiia.org/globalassets/documents/standards/independent-audit-committeesin-public-sector-organizations.pdf

International Framework: Good Governance in the Public Sector, CIPFA, 2014. https://www.cipfa.org/policy-and-guidance/standards/international-framework-goodgovernance-in-the-public-sector

The International Professional Practices Framework, The Institute of Internal Auditors, 2016. https://www.theiia.org/en/standards/international-professional-practices-framework/

Law No 114/2015, Internal Auditing in Public Sector, Republic of Albania. https://track.unodc.org/uploads/documents/BRI-legal-resources/Albania/21_-Albania_Law_on_internal_auditing_in_public_sector_2016-03-17-EN.pdf

Organizational Political Pressure and the Impact on Internal Audit, Patty Miller, 2017. https://na.eventscloud.com/file_uploads/dab848a33de87b2ec71fd1f0cb0b2321_GS-2-Politics-PattyMiller.pdf

Public Sector Internal Audit: Focus on Fraud, Center for Financial Reporting Reform, World Bank, 2017. https://cfrr.worldbank.org/sites/default/files/2019-11/public_sector_internal_audit_fraud_pages.pdf

Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value, Internal Audit Foundation, 2019. https://www.theiia.org/en/products/bookstore/sawyers-internalauditing-enhancing-and-protecting-organizational-value-7th-edition/

Supplemental Guidance: The Role of Auditing in Public Sector Governance, The IIA, 2012. https://www.theiia.org/globalassets/documents/standards/public_sector_governance1_1_.pdf



CIPFA: 77 Mansell Street, London E1 8AN. +44 20 7543 5600. cipfa.org

CEF: Cankarjeva cesta 18, 1000 Ljubljana, Slovenia. +386 1 369 61 90. cef-see.org

The Chartered Institute of Public Finance and Accountancy. Registered with the Charity Commissioners of England and Wales No 231060. Registered with the Office of the Scottish Charity Regulator No SCO37963.

