TIAPS Module 1 Audit and Assurance workbook
Module 1: Audit and Assurance
TIAPS Albania 2023/24
Table of Contents
Module 1: Audit and Assurance ... 4
A. Internal Auditing’s Contribution to Good Governance ... 6
A.1 Public Sector Environment ... 6
A.2 Public Sector Governance ... 9
A.3 Governance Models ... 15
A.3.1 ISO 37000:2021 Governance of organizations – Guidance ... 15
A.3.2 The IIA’s Three Lines Model ... 16
A.3.3 CIPFA International Framework: Good Governance in the Public Sector ... 19
A.3.4 King IV Corporate Governance Report, 2016 ... 20
A.3.5 Examples of Best Practice in Public Sector Governance ... 22
B. Mandate, Independence, and Objectivity ... 26
B.1 Importance of Independence and Objectivity ... 26
B.1.1 Independence, Objectivity, and the Code of Ethics ... 29
B.1.2 Independence, Objectivity, and Competency ... 30
B.2 Internal Audit Mandate ... 32
B.3 Threats to Independence and Objectivity ... 36
B.4 Safeguards for Independence and Objectivity ... 39
C. Assurance and Advisory Engagements ... 43
C.1 Characteristics of Assurance and Advisory Engagements ... 43
C.1.1 Assurance Engagements ... 46
C.1.2 Consulting (Advisory) Engagements ... 46
C.1.3 Assurance and Advisory Engagements Compared ... 48
C.1.4 Blended Engagements ... 49
C.1.5 Internal Audit Opinions ... 51
C.1.6 Competencies Needed for Assurance and Advisory Engagements ... 52
C.2 Auditing Governance ... 55
C.3 Fraud, IT, and Cybersecurity ... 58
C.3.1 Fraud ... 58
C.3.2 Information Technology ... 64
C.3.3 Cybersecurity ... 67
C.3.4 Data Privacy ... 70
References and Additional Reading ... 72
Module 1: Audit and Assurance
Introduction
Module 1: Audit and Assurance examines how internal audit contributes to organizational governance through assurance and advisory services. The module is organized as follows:
1A. Internal Auditing’s Contribution to Good Governance
A.1 Public Sector Environment
A.2 Public Sector Governance
A.3 Governance Models
1B. Mandate, Independence, and Objectivity
B.1 Importance of Independence and Objectivity
B.2 Internal Audit Mandate
B.3 Threats to Independence and Objectivity
B.4 Safeguards for Independence and Objectivity
1C. Assurance and Advisory Engagements
C.1 Characteristics of Assurance and Advisory Engagements
C.2 Auditing Governance
C.3 Fraud, IT, and Cybersecurity
References
Practice Questions
Relevant Standards
Reference is made throughout the TIAPS program to relevant international standards, principally those of The Institute of Internal Auditors (IIA) included in the International Professional Practices Framework (IPPF). Other standards and frameworks, most notably the COSO Internal Control – Integrated Framework, are also noted where appropriate.
At the time of writing, The IIA is undertaking a major review of the IPPF with an expected period of public exposure in 2023. The content of this module reflects the 2017 edition (published in 2016 and effective from the start of 2017). Participants should anticipate major revisions to the structure and content of the IPPF, although fundamental principles about the practice of internal auditing are unlikely to change significantly. This program will be updated once the revisions to the IPPF are finalized and formally introduced.
References and Additional Reading
References are given at the end of this module. Participants are encouraged to read these to gain a greater understanding of the topics. The items have been selected to complement the content included in this module and to offer internal auditors relevant, practical guidance.
A. Internal Auditing’s Contribution to Good Governance
On completion of this section, students will be better able to:
• Identify factors impacting governance in the public sector.
• Define governance with reference to various models.
• Identify requirements for good governance in public sector environments.
• Describe how internal audit contributes to organizational governance.
A.1 Public Sector Environment
Internal auditors operating in a public sector environment face a range of conditions not generally experienced by their private sector counterparts. The following features are a generalization: they are not found in every public entity, but they are characteristic of many.
• High importance. Governments hold significant power. They impact the lives of all citizens in many ways. They have access to a vast array of information and resources. Consequently, the risks of errors, wastage, fraud, and corruption can be hugely consequential, including the potential for abuses of privacy and misuse of data, despoliation of environments, depletion of natural resources, economic and social deprivation, military conflict, inadequate supply of energy and other utilities, and weaknesses in the rule of law. The work of internal auditors in helping administrations improve governance, risk management, and control could not be more important.
• Limited resources. Resources tend to be limited because of continuous pressures on public spending. Everyone is expected to do more with less. This is often particularly true of unseen “back office” functions like internal audit, whose overheads may be regarded by many budget holders and uninformed members of the public as inconsequential or unnecessary. Specialist skills for areas such as IT, cybersecurity, and data analytics are often in short supply, especially when the private sector can lure individuals away from the public sector with offers of higher rewards.
• Immature risk management processes. Risk management may be relatively immature, with fewer resources applied to risk and compliance functions. Awareness and understanding of risk and control may also be relatively limited. In such circumstances, internal audit may be expected to play a greater role in supporting management to develop effective internal control or even to act as a quasi-second line function (see section A.3.2 for consideration of the Three Lines Model). In its advisory capacity, supporting the development of public internal financial control is an important internal audit service, but care must be taken to safeguard independence and objectivity (see section B).
• Close scrutiny. The activities of public entities are rightly subject to close scrutiny by line ministries, financial inspectors, external auditors, the business community, and the public. This includes the work of the internal audit function and the behavior and actions of its members. Unlike external audit reports, those of the internal audit function are not typically made available to the public, but the expectations placed on internal auditors to serve the public interest as inspectors and watchdogs are generally considerable. The public may not understand what an internal auditor does, but when things go wrong, they are often caught in the firing line.
• Political environment. The public sector environment is, above all, a political one. There is a cyclical change of leadership, policy, and organizational direction, and internal audit is expected to keep up. The head of internal audit must anticipate these frequent shifts when planning the timing and focus of engagements. They must continuously rebuild relationships and carefully navigate politics to ensure activities are appropriately focused on organizational purpose and the public good rather than election cycles and the personal ambitions of public officials.
• Constraints on independence. Establishing and maintaining organizational independence can be more challenging for internal audit functions in public entities than it is in privately owned businesses. Often the distinction between executive and non-executive leadership is less apparent. The head of internal audit may report to an individual or a board comprising senior managers and political appointees. In some cases, internal audit oversight may be fairly remote. Audit committees, where such exist, may span multiple entities, especially where there is a centralized or shared service provider for central or local government. In addition, the use of outsourced or shared services may increase internal audit’s operational independence at the expense of greater remoteness from and reduced familiarity with the activities being audited.
• Legitimate restrictions in scope. The mandate of internal audit should allow the function access to the people, data, and resources needed to complete its engagements. Often in the private sector, this is interpreted as an “access all areas” mandate. Restrictions on scope amount to a limitation on independence, keeping internal audit away from areas the governing body does not wish to be scrutinized. In the public sector, there can be legitimate reasons for reducing scope, especially in the interests of national security.
These and other dimensions require careful handling by internal auditors and heads of audit functions.
A.1: Reflection
Do you recognize these characteristics of the public sector in the environment in which you work?
Are there additional features that need to be considered?
How does each of these characteristics impact your role as an internal auditor and manager?
A.2 Public Sector Governance
IIA Internal Audit Competency Framework
Organizational Governance:
General Awareness: Describe the concept of organizational governance.
Applied Knowledge: Detect risks related to the organization’s governance policies, processes, and structures.
Expert: Recommend improvements to the organization’s governance policies, processes, and structures. [1]
Internal audit adds value to its client organization when, among other things, it “strives to offer ways to enhance governance.” [2] Governance can be understood in general terms as the process of governing and is broadly about leading and controlling. It is defined by The Institute of Internal Auditors (IIA) in the glossary of the International Professional Practices Framework (IPPF) as:
The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. [3]
“Board” is used by The IIA to refer to the “highest level governing body” for an entity, identifiable as the most senior decision-making authority. Public sector boards can take many forms, and “governing body” or alternatively “governing authority” is a more common general term. Some government departments or ministries have a clearly defined board whose membership may also include representatives of the private sector and civil society. In a municipality or regional body, typically the council is the governing body, in which the mayor may act as both the equivalent of the chairman of the board and the chief executive officer (CEO). In other situations, there is an executive director or manager who heads up operations while the mayor is more of a political figurehead for the city. Generally, in public entities where there is no immediately recognizable board or governing body, governing responsibilities may be assumed by one of the following:
• Head of the organization (minister, etc.) (i.e., a single person).
• External oversight committee, which could take different forms (e.g., parliamentary committee, government committee, committee represented by different ministries).
• Oversight by line ministry or a superior organization.
[1] Internal Audit Competency Framework, The IIA, 2022.
[2] Standard 2000 – Managing the Internal Audit Activity, International Professional Practices Framework, The IIA, 2016.
[3] The International Professional Practices Framework, The Institute of Internal Auditors, 2016.
• Dual leadership: minister (political leader) plus secretary general (administrative leader).
• Board of the agency/department represented by the executive only (with those appointed within the organization).
• Audit committees at the agency/department level with non-executive directors/independent members.
• Audit committee centralized for the government.
• Thematic boards: e.g., internal control board led by a secretary general (or deputy).
• Dedicated unit or person in the presidential administration (where relevant) with specific oversight responsibilities. [4]
While the governing body leads on governance and is ultimately responsible for it, it is perhaps more accurate to say governance is implemented collectively and collaboratively by the governing body, management, and internal auditing, although in different ways. Governance occurs at every level of an organization at which decision-making takes place, no matter how minor, because all decisions contribute to success (or lack thereof). This view of governance is consistent with CIPFA’s model elaborated in the Whole System Approach to Public Financial Management. [5]
There are three important elements in The IIA definition of governance.
• Processes and structures. Governance includes not only activities undertaken by an organization but also the way in which those activities and its resources are organized.
• Inform, direct, manage, and monitor. Governance is part of a continuous cycle of input and feedback. Internal and external information informs decisions, actions are executed, and outcomes are achieved that then inform future decisions.
• Achievement of objectives. The purpose of governance is organizational success.
Governing bodies in the public sector may be comprised wholly of independent members without executive responsibilities or may combine executive and non-executive members. The non-executive responsibilities may be characterized as those:
• Contributing to strategy by bringing a range of perspectives to strategy development and decision making.
• Making sure that effective management structures and processes are in place, and that there is an effective team at the top level of the entity.
• Holding the executive to account for performance in fulfilling the responsibilities delegated to it by the governing body, including through purposeful challenge and scrutiny. [6]
[4] Assessing the Effectiveness of Internal Control: PEMPAL Guidance for Public Sector Internal Auditors, PEMPAL, 2020.
[5] See Delivering Excellent Public Finance: CIPFA’s Whole System Approach to Public Financial Management.
[6] International Framework: Good Governance in the Public Sector, CIPFA, 2014.
The need for governance arises for two main reasons.
• Accountability. Public sector organizations are managed and led by officials for and on behalf of citizens. Public resources (money, labor, buildings, land, and other assets) are used to serve a particular purpose for the common good. Those assigned to administer those services – whether by election or appointment – have an obligation to the public to act as diligent stewards of public resources and do whatever is reasonable to achieve the best outcomes. In many cases, officials take an oath of office to this effect. Being accountable entails that public officials are open to scrutiny for their behavior and performance and will receive due recognition or admonishment accordingly. This requires transparency through honest and reliable reporting, together with mechanisms (enforced by the rule of law) for apportioning rewards and punishments (which may include no longer being able to serve in a public position) as appropriate.
• Uncertainty. Governance is also required because there are no guarantees that well-intentioned actions will yield desirable results. Resources and systems are finite and imperfect. People are subjective in their thinking, limited in their knowledge and reasoning, and unreliable in their behavior. Circumstances are complex, changeable, interconnected, and chaotic, and ultimately unpredictable. All these factors create uncertainty, and it is the impact of uncertainty – whether favorable or unfavorable – on our efforts to achieve goals that is the origin of risk. According to ISO, risk is simply defined as “the effect of uncertainty on objectives.” [7]
Governance aims to restore the confidence and trust of stakeholders as well as enabling managers and leaders to navigate uncertainty by making better decisions based on a clearer understanding. Accountability and uncertainty are unavoidable. They both require honest endeavors based on sound judgments. Governance helps an entity fulfill its purpose economically, effectively, efficiently, ethically, and sustainably.
• Economically: with the least amount of effort and resource, reducing – and ideally eliminating – unnecessary costs of input.
• Efficiently: with the greatest amount of output, minimizing – and ideally eliminating – inferior or defective results.
• Effectively: with the greatest success in achieving desired outcomes and value.
• Ethically: in accordance with accepted norms of behavior.
• Sustainably: in a manner that minimizes – and ideally eliminates – negative social and environmental impacts.
Governance can be regarded in part as an attempt to address risks that exist in the relationships between stakeholders and those assigned to manage affairs on their behalf. This is an example of the classic principal-agent situation. In the public sector context, citizens are the primary stakeholder (or principal) of organizations while elected and appointed officials are the agents. As noted in A.1, the consequences of errors and abuse in the management of public resources and pursuit of public policy can be considerable.
[7] ISO 31000: Risk Management, 2018.
The principles of good governance can be applied holistically to an organization and to the public sector in its entirety. They can also be considered in the context of an individual project or initiative as well as groups of activities, such as IT governance, where matters are sufficiently complex and/or important to require specific attention not just on completion of tasks but also at a more strategic level. Governance takes account of factors such as risks, stakeholder needs, long-term planning and resource requirements, laws and regulations, and sustainability.
The distinction between managing and governing is not absolute. The concepts as well as the roles of individuals tend to overlap. The chief executive officer (CEO) (i.e., secretary general, executive director, deputy minister, or similar) often sits at the intersection of the governing body and senior management. Most organizational responsibilities include some decision-making as well as oversight of and responsibility for resources and their utilization, including people and money. Monitoring and appropriate intervention are required by both managers and directors. Governing bodies involve themselves to a greater or lesser extent with both strategy and operations and are responsible for appointing (and firing) the CEO. While accepting the likelihood of overlap, in general terms we can make the following distinction:
Focus of Governance
• Overseeing
• Advising
• Guiding
• Developing strategy
• High level, long-term, big picture perspective
• Non-executive decisions
Focus of Management
• Planning
• Directing
• Controlling
• Implementing strategy
• Operational, detailed, logistical perspective
• Executive decisions
The expression “those charged with governance” is often used to allow for the many differences that exist in how governance responsibilities are apportioned. It avoids arbitrarily limiting governance duties to the governing body (however that may be constituted) as well as removing the necessity of listing everyone who may be considered as holding governance responsibilities. Both the expression and the success of governance rely on clarity of exactly who is “charged with governance.” The primary stakeholders are assumed – explicitly or implicitly – to be the ones to “charge” the governing body and others with responsibility for governance, and this links closely with the principle of accountability. When public officials are using public resources to achieve something on behalf of the public, they have a duty of care to the public for governance of those activities. Those charged with governance have both legal and ethical duties.
Although developed for government at a local level, the Council of Europe’s 12 Principles of Good Governance are relevant to most public sector bodies:
1. Participation, Representation, and Fair Conduct of Elections.
2. Responsiveness (to the expectations and needs of citizens).
3. Efficiency and Effectiveness.
4. Openness and Transparency.
5. Rule of Law.
6. Ethical Conduct.
7. Competence and Capacity.
8. Innovation and Openness to Change.
9. Sustainability and Long-term Orientation.
10. Sound Financial Management.
11. Human Rights, Cultural Diversity, and Social Cohesion.
12. Accountability. [8]
Albanian Context
The president of Albania is the Head of State and commander in chief, while the prime minister is the head of government. The highest executive authority rests with the prime minister and the cabinet (Council of Ministers), while parliament is the head of legislative power. The third branch – the judiciary – is independent from both the executive and legislative branches.
Membership of the Council of Ministers includes ministers, deputy ministers, and secretaries general. Ministries may have varied internal structures and numbers of subordinated entities (known variously as directorates, agencies, centers, offices, authorities, academies, inspectorates, institutes, commissions, committees, services, and more). A subordinated entity is accountable to its line ministry.
For the purposes of government, Albania is divided into 12 administrative counties and 61 municipalities. Albania was granted EU candidate country status in 2014, and this is a major driver for ongoing public administration reform at all levels as well as an impetus to implement public internal financial control (PIFC). For more detail on PIFC, refer to Module T3 Accounting Fundamentals. In accordance with Albanian law, all public entities are required to establish internal audit services, if not directly then via their superior institution (e.g., from the Ministry to a subordinated entity), from another public unit, or by contracted services. The head of the internal audit function should report to the head of the public unit. The Minister is appointed by the Prime Minister, is politically accountable for performance, and is the highest decision-making authority responsible for setting policy. The Secretary-General is the most senior civil servant in charge of executing policy. These factors are relevant for consideration and evaluation of internal audit independence.
[8] 12 Principles of Good Governance, Council of Europe, 2008.
A.2: Reflection
Consider the 12 Principles of Good Governance in the context of your organization. Assign a score from 1-5 for each Principle, where 1 is very low and 5 is very high.
Based on this assessment, how effective is governance in your organization?
What are the most important priorities for improvement?
Is there sufficient clarity in the distinction between governance (non-executive) responsibilities and managerial (executive) responsibilities?
How can internal audit support organizational leaders in making such improvements?
A.3 Governance Models
When evaluating governance, internal auditors must consider whether the organization has used “adequate criteria” for monitoring purposes.
If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
Types of criteria may include:
• Internal (e.g., policies and procedures of the organization).
• External (e.g., laws and regulations imposed by statutory bodies).
• Leading practices (e.g., industry and professional guidance). [9]
To explore governance further we will consider four important models that may be said to represent “leading practices,” although they must always be contextualized:
• ISO 37000:2021 Governance of organizations – Guidance.
• IIA Three Lines Model.
• CIPFA International Framework: Good Governance in the Public Sector.
• King IV Corporate Governance Report, 2016.
These models have many similarities. Corporate governance codes such as the King IV Code, while being applicable primarily to private sector companies, are also very informative for government entities.
A.3.1 ISO 37000:2021 Governance of organizations – Guidance
The ISO model places organizational purpose at its center. Purpose is informed by values, which also determine how the organization pursues its purpose.
[Figure: Diagram based on ISO 37000:2021 Governance of Organizations]
[9] Standard 2210 – Engagement Objectives, International Professional Practices Framework, The IIA, 2016.
15
Four foundational principles are at the heart of governance and are inter-related.

Value generation: Pursuit of purpose can be characterized as value creation, whether that value is financial, nonfinancial, or both. Public sector entities share a common purpose of serving the public good through the provision of direct and indirect services. In creating value, they must manage their financial and other resources. State-owned enterprises (e.g., publicly owned transportation, utilities, and broadcasting companies) may operate as commercial or quasi-commercial organizations and compete on that basis with their private sector counterparts, but their purpose is still linked to public service and any profits generated are used to subsidize costs to the public or for investment in other public benefits.

Strategy: The purpose of an organization tends to be broad and may be satisfied in different ways. It is necessary to develop strategies for fulfilling the purpose by establishing and prioritizing goals and applying resources – which are always finite – accordingly. Strategy typically is formed within a long-term perspective over multiple years.

Accountability: As discussed in A.1, public officials are accountable in that they owe a duty of care to their stakeholders – employees, suppliers, service users, taxpayers, and citizens. That accountability needs to be realized through transparency and consequences. Being held to account means accepting responsibility for behaviors, decisions, and actions, and their ensuing impact, and receiving fair treatment on this basis.

Oversight: As a consequence of accountability, those charged with governance will both need and desire to exercise oversight. If you are going to be held to account, you will be expected to oversee – and will have a vested interest in overseeing – what is taking place and intervene as and when needed. Typically, a governing body is unable to observe all activity directly. It relies on reports from management, internal auditors, external auditors, and others. Members of the governing body will also ask searching questions to satisfy their responsibilities and wishes for exercising oversight.

These foundational principles of governance are enabled by the primary governance principles of leadership, stakeholder engagement, risk governance, the application of data to inform decision-making, and social responsibility, all with the intention of achieving viability and performance over time.

Finally, in the ISO model the governance outcomes are defined as effective performance, responsible stewardship, and ethical behavior. Successful leadership and ethical leadership are regarded as co-dependents.
A.3.2 The IIA’s Three Lines Model

The 2020 Three Lines Model is an update of the well-known three lines of defense. In making the switch, the new model emphasizes the positive nature of governance, risk management, and internal control in supporting organizational success in addition to the defensive aspects to minimize negative impacts. The model also stresses the importance of all key elements working together rather than operating in silos.

Governance is described as comprising three types of roles:
• Accountability.
• Actions.
• Assurance.

Figure: IIA Three Lines Model

This does not imply these roles need to be fully disaggregated, and often teams and individuals may have responsibilities combining two of these areas.

Accountability: The governing body is regarded as having ultimate accountability to stakeholders for all aspects of the organization and its people. It must engage with stakeholders to ensure clarity of purpose and provide honest reporting of performance, position, and prospects. The governing body is also responsible for ensuring management has the resources and structures needed to achieve the goals of the entity and manage risks effectively. Lastly, the governing body must ensure there is appropriate provision for independent assurance and advice through an internal audit function.

Actions: The chief executive officer (CEO) leads the execution of actions and application of resources in pursuit of organizational goals. In doing so, the CEO must take account of risk by enabling risk management and internal control. First line roles are those focused on providing products and services to clients as well as the enabling "back office" support. Second line roles (such as risk management, compliance, legal counsel, security, and financial control) are those with a specific focus on risk and control, providing senior management with specialist support, expertise, monitoring, and challenge on such matters. How resources and roles are allocated between first and second line roles depends on many factors, including organizational size, complexity of operations, culture, laws and regulations, external environment, skills and resources, and the relative strength and maturity of internal auditing. In some cases, the head of risk management reports directly to the governing body (rather than the CEO) and may be required to do so by regulation. A degree of independence between those with first and second line roles strengthens the effectiveness of risk management and internal control. However, risk management and internal control remain the responsibility of management and ultimately the CEO.

Assurance: The internal audit function provides management and the governing body with independent and objective assurance and advice on the adequacy and effectiveness of governance, risk management, and internal control. Independence means being accountable to the governing body (directly or via an audit committee), being free from interference by management and from responsibility for the activities being audited, and having access to the resources, people, and information needed to complete the work of the function. However, independence should not entail isolation. Internal auditing must be fully aligned with the needs of the organization and supportive of its purpose. Cooperation and collaboration with management are encouraged. The head of the internal audit function (the chief audit executive) should engage with and provide reports to senior management on a regular basis as well as communicating with the governing body.

The Three Lines Model focuses primarily on the internal elements of an organization. However, external assurance providers (principally the Supreme Audit Institution for government entities, although other external service providers may be used subject to statutory requirements) are also recognized as contributing to governance and the success of organizations. The role of external audit is discussed in more detail in Module T3 Accounting Fundamentals.

Where governments are focused on implementing public internal financial control (PIFC), financial and managerial control (FMC) and internal auditing are two of the central components (the third being the Central Harmonization Unit (CHU)). This is strongly reflective of the Three Lines Model in identifying control responsibilities as part of the role of management and internal audit as an independent function. PIFC and FMC are discussed in more detail in Module T3 Accounting Fundamentals. Countries seeking accession to the European Union are required to satisfy, among other things, best practice standards, frameworks, and policies relating to PIFC on a holistic sector-wide basis. These expectations are detailed in Chapter 32 Financial Control of the EU requirements. These include:
• Effective and transparent management systems, including accountability arrangements for the achievement of objectives.
• A functionally independent internal audit.
• Relevant organizational structures, including central co-ordination of PIFC development across the public sector.[10]

[10] See, for example, the European Commission Staff Working Document: Albania 2022 report.
A.3.3 CIPFA International Framework: Good Governance in the Public Sector

The Good Governance Framework is specifically designed for public sector entities “to encourage better service delivery and improved accountability.” The definition of governance used is similar to that of The IIA quoted in A.1.

Governance comprises the arrangements put in place to ensure that the intended outcomes for stakeholders are defined and achieved.[11]

Figure: CIPFA Good Governance Framework

The framework is intended to be applicable to individual entities as well as the public sector system. It is based on seven principles:
I. Behaving with integrity, demonstrating strong commitment to ethical values, and respecting the rule of law.
II. Ensuring openness and comprehensive stakeholder engagement.
III. Defining outcomes in terms of sustainable economic, social, and environmental benefits.
IV. Determining the interventions necessary to optimize the achievement of the intended outcomes.
V. Developing the entity’s capacity, including the capability of its leadership and the individuals within it.
VI. Managing risks and performance through robust internal control and strong public financial management.
VII. Implementing good practices in transparency, reporting, and audit, to deliver effective accountability.[12]

Principles A and B are at the core of public sector entities and ensure they operate in the public interest. The other principles define the requirements for effective governance, working together as a plan-do-check-act cycle (also known as PDCA).

[11] International Framework: Good Governance in the Public Sector, CIPFA, 2014.
A.3.4 King IV Corporate Governance Report, 2016

The King IV Corporate Governance Report 2016 incorporates a governance code for South Africa. However, it is widely regarded as a leading global standard for governance for all sectors. The report defines corporate governance as “the exercise of ethical and effective leadership by a governing body towards the achievement of the following governance outcomes: ethical culture, good performance, effective control, and legitimacy.” This balance between integrity and effectiveness is a key feature. Doing good and doing well are regarded as complementary rather than being in opposition.

The report sets four key responsibilities for the board:
• Steering and setting strategic direction.
• Approving policy and planning.
• Ensuring accountability.
• Overseeing and monitoring.

These are defined in more detail through 17 principles. These become the basis for assessing the quality of governance. Since the model applies to all organizations, there is a need to “adopt and adapt” according to size and other organizational needs.
1. Lead ethically and effectively.
2. Govern the ethics of the organization in a way that supports the establishment of an ethical culture.
3. Ensure that the organization is and is seen to be a responsible corporate citizen.
4. Appreciate that the organization’s core purpose, its risks and opportunities, strategy, business model, performance, and sustainable development are all inseparable elements of the value creation process.
5. Ensure that reports issued by the organization enable stakeholders to make informed assessments of the organization’s performance and its short, medium, and long-term prospects.
6. Serve as the focal point and custodian of corporate governance in the organization.
7. Comprise the appropriate balance of knowledge, skills, experience, diversity, and independence for it to discharge its governance role and responsibilities objectively and effectively.
8. Ensure that its arrangements for delegation within its own structures promote independent judgement, and assist with the balance of power and the effective discharge of its duties.
9. Ensure that the evaluation of its own performance and that of its committees, its chair, and its individual members support continued improvement in its performance and effectiveness.
10. Ensure that the appointment of, and delegation to, management contribute to role clarity and the effective exercise of authority and responsibilities.
11. Govern risk in a way that supports the organization in setting and achieving its strategic objectives.
12. Govern technology and information in a way that supports the organization setting and achieving its strategic objectives.
13. Govern compliance with applicable laws and adopted, non-binding rules, codes, and standards in a way that supports the organization being ethical and a good corporate citizen.
14. Ensure that the organization remunerates fairly, responsibly, and transparently so as to promote the achievement of strategic objectives and positive outcomes in the short, medium, and long term.
15. Ensure that assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and of the organization’s external reports.
16. Adopt a stakeholder-inclusive approach that balances the needs, interests, and expectations of material stakeholders over time.
17. [For institutional investor organizations] Ensure that responsible investment is practiced by the organization and the creation of value by the companies in which it invests.[13]

In addition to these principles, the report includes recommended practices. For principle 15, this includes a role for the audit committee and a separation of roles consistent with the Three Lines Model (although King IV advocates for five lines of assurance, adding external audit and the board as lines four and five respectively). Additionally, the report recommends internal audit makes an annual statement on the effectiveness of governance and risk management processes. This reflects the requirements of the IPPF (Standard 2100 – Nature of Work):

The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.[14]

However, the requirement for annual reporting goes beyond Standard 2060 – Reporting to Senior Management and the Board, by which the CAE must report “periodically.” (Internal audit opinions are discussed in more detail in C.1.5.)

[12] International Framework: Good Governance in the Public Sector, CIPFA, 2014.
[13] “Report on Corporate Governance for South Africa,” King IV, 2016.
[14] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.
A.3.5 Examples of Best Practice in Public Sector Governance

Governance is dependent on clarity and understanding regarding accountability.

An organization with effective internal accountability arrangements will have management and staff who understand clearly their own roles, responsibilities and powers and how they relate to others in the organization. Every public sector organization needs to be headed by an effective Minister or board of directors to lead and control the entity and monitor the executive management. The Minister or Chairperson of the board of directors needs to have his role formally defined in writing to include responsibility for providing effective strategic leadership and to ensure he successfully discharges the overall responsibility for the organization’s activities.[15]

Managerial accountability is discussed in detail in Module T2 Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis.

The following examples of best practices in public sector governance are based on the APEC Economic Committee’s Good Practice Guide on Public Sector Governance.[16]

Culture

The organization must demonstrate its commitment to strong governance, and this starts with the “tone at the top.” Leaders and senior managers must lead by example. Good practices include:
• Formal adoption of a good governance framework, principles, standards, etc. in policy or by legislation.
• Adoption of a written code of ethics, values, and acceptable behavior.
• Implementation of procedures for enforcing acceptable behavior, including the need for agreeing individual and team goals, monitoring, and reporting.
• Preparedness for addressing unacceptable behavior in a fair, consistent, and timely manner.
• Training and awareness-raising to communicate and reinforce values.
• Commitment to improvement with measurable targets.
• Periodic audit of organizational culture.

Stakeholder Relationships

Engagement with internal and external stakeholders is a two-way process, ensuring all parties are aware of the organization’s vision, mission, goals, and priorities and can comment on and participate in its governance. Good practice includes:
• Regular engagement with internal and external stakeholders through systematic and ad hoc arrangements.
• Regular and reliable two-way communications.
• Operation of appropriate virtual and in-person boards, panels, committees, and other groups with representation from civil society, political leadership, the private sector, service users, community groups, managers, and staff.
• Consideration of overlapping interests with other public sector bodies supported by multi-agency and inter-departmental forums.
• Channels for timely processing of enquiries, complaints, and suggestions.

[15] APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.
[16] APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.
Compliance

Compliance and performance are typically viewed as the primary goals of governance. Internal and external compliance requirements may be satisfied through reporting, including:
• Annual reporting to the legislative body.
• Electronic communications to external stakeholders via websites and other platforms.
• Circulation of audit reports to target audiences.
• Circulation of financial inspection reports.

Compliance risk management and other aspects of governance depend on several key positions:
• Chief Executive Officer (CEO). The CEO should be accountable to the governing body and may be a member of it but should not be its chair. In other words, the CEO (for example, depending on the body: Secretary General, Deputy Minister, Executive Director, or President) should participate in the development of policy and strategy but should not also be the highest decision-making authority. The CEO is responsible for performance by executing the policies set by the governing body and managing those with first and second line roles.
• Chief Financial Officer (CFO). The CFO is normally a certified or chartered public accountant and is responsible for advising the governing body and senior management on all strategic financial matters as well as for maintaining financial control across the entity.
• Chief Compliance Officer (CCO). The CCO is responsible for advising the governing body and senior management on strategic compliance risks and for maintaining compliance risk management across the entity. Many public sector entities do not have a CCO or other risk officers, and these responsibilities are shared across the senior management team and coordinated by the CEO.
• Audit committee. Best practices recommend an independent audit committee, accountable to the governing body, to oversee the work of internal and external audit.

Planning and Performance Monitoring

Successful governance – much like internal control and risk management – relies on documentation and communication. The APEC guidance recommends the following processes and practices:
• A clear statement of the organization’s purpose that is communicated to all staff.
• A plan that describes the organization’s strategic priorities and objectives, consistent with the organization’s purpose, which is updated annually.
• The systematic monitoring of financial and non-financial performance against the organization's plan.
• The use of information generated from performance monitoring for external reporting requirements and internal planning purposes.
Risk Management

Similar comments as those made in respect of compliance (see above) apply to risk management more generally. It relies on the actions of multiple parties (most notably the CEO, CFO, and a Chief Risk Officer or equivalent) together with the support of internal audit. There may not be an individual or team with organizational responsibility for risk management, and so the task is shared among managers, blending first and second line roles.

Information and Decision Support

The APEC guidance describes essential requirements for information and decision support:
• Standards for the creation and retention of public records, usually established by legislation.
• Procedures within organizations to ensure the standards are met.
• Quality data, information, and analysis to inform decisions taken by government boards and committees.
• The keeping of records of decisions established by government boards and committees, including the points considered or discussed in reaching those decisions.[17]

Review and Evaluation

In the final element, the APEC guidance recognizes the importance of continuous improvement to governance supported by review and evaluation.
• Ideally, governance arrangements should be reviewed in detail every year or two, particularly when there is a significant event affecting or potentially affecting those arrangements, such as a major legislative change or recommendations from a government committee or an external auditor.
• An internal review led by the Minister or board of directors and/or executive management would normally suffice. Occasionally, where an organization could benefit from outside objectivity and expertise, a formal, externally facilitated review should be conducted.
• The scope of the review may extend across the full range of the organization’s activities or else be confined to a performance assessment of the Minister or board of directors and/or executive management. In either instance, the fulfilment of both performance and conformance objectives should be evaluated.
• Smaller and/or less complex organizations need not review their governance arrangements as frequently or in as much depth as larger and more complex organizations.
• Organizations with significant policy or operational risk need to review their governance practices more frequently and more thoroughly.
• Results from the reviews of governance arrangements should be acted upon in a reasonable timeframe.[18]

[17] APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.
[18] APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.

A.3: Reflection

Which model or models, if any, does your organization use to help define and implement governance?

Which model or models, if any, do you or your internal audit function use to help evaluate the effectiveness of organizational governance?

Which models could be the most beneficial in your organization and in what ways?
B. Mandate, Independence, and Objectivity

Learning Outcomes

On completion of this section, students will be better able to:
• Define minimum requirements for the internal audit mandate.
• Describe the purpose of the internal audit mandate.
• Evaluate audit independence and auditor objectivity.
• Identify appropriate means to safeguard independence and objectivity.

B.1 Importance of Independence and Objectivity

IIA Internal Audit Competency Framework

Organizational Independence:
General Awareness: Describe the importance of organizational independence of the internal audit activity; identify the elements that affect independence.
Applied Knowledge: Detect any potential impairments to internal audit independence and the impact.
Expert: Address any potential impairments to internal audit independence to achieve conformance with the Standards; communicate the impact of any remaining impairments.[19]

Individual Objectivity:
General Awareness: Describe the importance of internal audit objectivity; identify factors that may impair, or appear to impair, objectivity.
Applied Knowledge: Detect and manage any real or perceived impairments to an individual internal auditor’s objectivity; assess and maintain internal audit objectivity.
Expert: Develop and maintain policies that govern objectivity; recommend strategies to promote objectivity.[20]

The IPPF provides the most widely recognized definition of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.[21]

[19] Internal Audit Competency Framework, The IIA, 2022.
[20] Internal Audit Competency Framework, The IIA, 2022.
[21] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.
Although they are related, the principles of independence and objectivity as defined by The IIA are distinct. They also differ in detail from the definitions used by the International Ethics Standards Board for Accountants (IESBA) and others.
In the IPPF, Standard 1100 – Independence and Objectivity makes clear an important distinction:
The internal audit activity must be independent, and internal auditors must be objective in performing their work. [22]
Independence is a feature of the internal audit function (referred to as the “internal audit activity” in the IPPF). Objectivity, on the other hand, is a facet of individual auditors. Standard 1100 provides the following interpretations:
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.
Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels. [23]
To establish organizational independence, the head of the internal audit function (the chief audit executive) “must report to a level within the organization that allows the internal audit activity to fulfil its responsibilities.” The structures of public entities, including reporting lines for the head of the internal audit function, may be defined by legislation or policy. The reference to a “dual-reporting relationship” in the Standards alludes to a desirable state in which the head of internal audit reports functionally to (i.e., is accountable to and overseen by) the governing body, either directly or via an audit committee. Functional reporting involves a substantive relationship in which the governing body is the de facto line manager of the head of internal audit, with responsibility for appraising performance as well as hiring and firing. The governing body should approve the internal audit charter, the audit plan, and the budget, and should receive and consider reports from the head of internal audit. This is in addition to the head of internal audit’s administrative reporting relationship with a member of senior management, ideally the CEO, for routine matters. The head of internal audit should report to both senior management and the governing body on significant findings and insights regarding governance, risk management, and internal control.
[22] The International Professional Practices Framework, The Institute of Internal Auditors, 2016.
[23] The International Professional Practices Framework, The Institute of Internal Auditors, 2016.
To establish individual objectivity, auditors must have “an impartial, unbiased attitude and avoid any conflict of interest.” This involves adhering to a code of ethics and professional standards, maintaining professional competency, and applying due professional care and professional skepticism. It also means auditors must be part of an independent internal audit function.
The requirements for independence and objectivity are summarized below.
Requirements for the Independence of the Internal Audit Function:
• Internal audit mandate (as defined in the charter or in legislation).
• Access to necessary people, resources, and information.
• Freedom from interference.
• Functional reporting by the head of internal audit to an appropriate level in the organization (ideally the governing body).
• Administrative reporting to senior management (ideally the CEO).
• Application of safeguards for independence when it is threatened.
Requirements for the Objectivity of Internal Auditors:
• Independence of the internal audit function.
• Freedom from conflicts of interest.
• Competency.
• Objective mindset.
• Professional skepticism.
• Due professional care.
• Unwavering integrity.
• Adherence to professional standards.
• Application of disciplined and systematic procedures.
The internal audit mandate and charter are discussed in B.2. Independence and objectivity – including the appearance of independence and objectivity – are important for the credibility and authority of the internal audit function and of individual auditors. It should be clear to internal and external stakeholders that the opinion of the internal audit function is reliable and has not been concocted to suit the personal interests of auditors, managers, or members of the governing body. Internal audit provides transparency through an unbiased and insightful assessment of past, current, and future circumstances. This enables:
• Managers to make well-informed decisions.
• Members of the governing body to exercise oversight and intervene where necessary.
• External stakeholders to trust in reports regarding the organization’s performance, position, and prospects, and so hold managers and leaders to account.
If the internal audit function is not sufficiently independent of management, it becomes indistinguishable from a second line unit. In this capacity it can provide value but is robbed of its distinct characteristic: its authority is subordinated to senior management, and its scope and capacity are potentially limited. The findings and recommendations of auditors whose objectivity is, or appears to be, impaired can be disregarded or dismissed more easily. Trust is established on the basis that internal auditors operate outside of the management structure, which gives confidence that their recommendations are made in the best interests of the organization.
B.1.1 Independence, Objectivity, and the Code of Ethics
IIA Internal Audit Competency Framework
Ethical Behavior:
General Awareness: Describe the importance of a code of ethics for internal auditors; identify the principles of The IIA’s Code of Ethics.
Applied Knowledge: Demonstrate individual conformance with The IIA’s Code of Ethics.
Expert: Assess the internal audit activity’s conformance with The IIA’s Code of Ethics; recommend strategies to maintain and promote the highest ethical standards for internal auditors and the internal audit activity. [24]
Unflinching adherence to an ethical code is a hallmark of a true professional. It is also essential for establishing trust in internal auditing. Auditors must ensure their integrity, objectivity, confidentiality, and competency. In fact, the principle of auditor objectivity is considered so important that it is found throughout the IPPF. Independence of the internal audit function is also heavily referenced, as shown in the table below.
IPPF Element | Reference to Auditor Objectivity | Reference to Independence of the Internal Audit Function
The Mission of Internal Auditing | Yes | No
Core Principles for the Professional Practice of Internal Auditing | Yes | Yes
Definition of Internal Auditing | Yes | Yes
Code of Ethics | Yes | No
International Standards for the Professional Practice of Internal Auditing | Yes (1100, 1112, 1120, 1130, 2000, 2050) | Yes (1100, 1110, 1112, 1130, 2060)
Organizations may have their own codes of ethics and conduct describing acceptable and unacceptable behaviors. Auditors must demonstrate the highest levels of personal integrity. It is sometimes easy to justify small breaches to ourselves, such as taking office supplies for personal use, but to be beyond reproach requires faithful observance even of seemingly insignificant expectations. Through self-awareness, peer review, and supervision, auditors should continually reflect on their attitudes, behaviors, decisions, and actions to eliminate any potential deviation from professional objectivity in the exercise of their duties.
[24] Internal Audit Competency Framework, The IIA, 2022.
B.1.2 Independence, Objectivity, and Competency
IIA Internal Audit Competency Framework
Due Professional Care:
General Awareness: Describe due professional care.
Applied Knowledge: Demonstrate due professional care.
Expert: Evaluate and conclude on the application of due professional care. [25]
Competency is a principle of the Code of Ethics and a prerequisite for maintaining objectivity.
The IIA Competency Framework is discussed in more detail in section C.1.6.
[25] Internal Audit Competency Framework, The IIA, 2022.
B.1: Reflection
Is it possible to be objective but not independent? Or independent but not objective?
Sometimes internal auditors are asked: you are employed by the organization, you are familiar with its activities and individuals, so how can you be truly independent and objective? How would you respond to such a challenge?
B.2 Internal Audit Mandate
IIA Internal Audit Competency Framework
Mission of Internal Auditing:
General Awareness: Describe the purpose, authority, and responsibility of the internal audit activity; distinguish between assurance and consulting services.
Applied Knowledge: Demonstrate the ability to conduct both assurance and consulting engagements in conformance with the Standards.
Expert: Review the internal audit activity’s ability to conduct both assurance and consulting activities to add value and improve the organization’s operations. [26]
Internal Audit Charter:
General Awareness: Describe the purpose of an internal audit charter; identify the required elements of an internal audit charter, according to the Standards.
Applied Knowledge: Prepare an internal audit charter in conformance with the Standards, and receive approval from the board.
Expert: Evaluate and revise an internal audit charter to achieve conformance with the Standards and promote world-class performance. [27]
Reference has already been made to an internal audit charter and mandate. In the IPPF, Standard 1000 – Purpose, Authority, and Responsibility states:
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework. [28]
The Mission of Internal Audit referred to is:
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. [29]
The IPPF does not itself use the term “mandate.” The authority and powers of the internal audit function, especially for public entities, may be derived from legislation. In principle, and in accordance with the IPPF, the authority comes from the governing body. The internal audit charter is a formal document, approved by the governing body, in which the mandate is defined; it should be reviewed and updated on a regular basis.
[26] Internal Audit Competency Framework, The IIA, 2022.
[27] Internal Audit Competency Framework, The IIA, 2022.
[28] The International Professional Practices Framework, The Institute of Internal Auditors, 2016.
[29] The International Professional Practices Framework, The Institute of Internal Auditors, 2016.
According to The IIA Position Paper: The Internal Audit Charter, the document should contain the following:
• Internal audit mission and purpose.
• Reference to or inclusion of the mandatory elements of the IPPF by which the internal audit function will be governed. (Recognizing the mandatory elements of the IPPF in the charter is a requirement of Standard 1010 – Recognizing Mandatory Guidance in the Internal Audit Charter.)
• Authority, clarifying the functional and administrative reporting relationships and the role of the governing body in upholding the authority of the internal audit function.
• Independence and objectivity, ensuring the head of internal audit will safeguard the independence of the function and the objectivity of auditors, applying safeguards when required, and reporting threats and limits to independence and objectivity to the governing body when they arise.
• Scope, confirming the internal audit function’s responsibility for providing assurance and advice on the adequacy and effectiveness of governance, risk management, and internal control.
• Responsibilities of the head of internal audit.
• Requirements for a quality assurance and improvement program, including an external quality review at least once every five years. [30]
Without sufficient authority, the internal audit function is unable to fulfil its mandate. Its work may be obstructed by managers who are not interested or who would prefer to avoid scrutiny for whatever reason. Internal audit may also be constrained by limited resources or by being denied access to information it needs to complete its work. There is a close link between authority and independence. The pronouncements of the internal audit function are more likely to be considered authoritative if it operates independently, but it is only able to do that if it has sufficient force behind it, whether by legislation or the endorsement of the governing body (ideally both).
According to The IIA, to ensure the internal audit function has sufficient authority, the governing body (or audit committee) is expected to:
• Approve the internal audit charter.
• Approve the internal audit plan.
• Approve the internal audit budget and resource plan.
• Receive timely communications on performance relative to the internal audit plan.
• Approve the appointment and removal of the head of internal audit (typically in response to discussions with and recommendations from senior management).
• Approve the remuneration of the head of internal audit (typically in response to discussions with and recommendations from senior management).
• Make appropriate inquiries of management and the head of internal audit to determine if there are any inappropriate scope or resource limitations.
• Ensure the head of internal audit has unrestricted access to, and can communicate and interact directly with, the governing body without management present.
• Ensure the internal audit function has free and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information. [31]
The authority conferred on the internal audit function through its mandate, as confirmed in the charter and/or legislation, carries with it reciprocal responsibilities for the head of the internal audit function. These include:
• Submitting, at least annually, a risk-based internal audit plan.
• Communicating to senior management and the governing body the impact of resource limitations on the plan.
• Ensuring the internal audit activity has access to appropriate resources in terms of competency and skill.
• Managing the activity appropriately so that it can fulfil its mandate.
• Ensuring conformance with IIA Standards.
• Communicating the results of the internal audit function’s work and following up on agreed corrective actions.
• Coordinating with other assurance providers.
• Reporting periodically on the results of the quality assurance and improvement program. [32]
[30] IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019.
[31] IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019.
[32] IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019.
B.2: Reflection
When was the last time you reviewed the internal audit mandate?
Is the internal audit function able to fulfil all the responsibilities in its mandate?
What changes are needed, either to strengthen the mandate or to enable the function to satisfy its responsibilities?
B.3 Threats to Independence and Objectivity
Threats to independence and objectivity occur when the requirements described in B.1 are not in place or are under strain. An appearance of a lack of independence, or of a conflict of interest, can be just as much of an impairment as something more concrete.
Threats to independence may arise for the following reasons:
• The head of internal audit reports functionally to a senior manager with responsibility for activities to be audited, who tries to limit the scope or influence the findings of an audit.
• The internal audit function’s resources are determined by a senior manager with responsibility for activities to be audited, who tries to limit the scope or influence the findings of an audit.
• The head of internal audit has, or has recently had, responsibility for activities to be audited by members of the internal audit function.
• The head of internal audit has limited access to the governing body to discuss any topics of interest or concern freely, without the presence of management who might otherwise inhibit or deflect such discussions.
• The internal audit charter, approved by the governing body, specifically restricts the internal audit function’s access to areas the governing body considers to be “unimportant” or “too sensitive.”
Threats to objectivity may arise for the following reasons:
• Self-interest. The auditor stands to gain personally from a particular outcome of the audit.
• Adverse interest. The auditor stands to lose personally from a particular outcome of the audit.
• Duress. The auditor is in some other way under pressure to conduct or conclude the audit in a particular way.
• Familiarity. The auditor is overly acquainted with the activity under review through recent or extensive involvement.
• Self-review. The auditor is reviewing an area over which they have, or have recently had, significant influence.
• Management participation. The auditor is responsible for the activity under review, or the managers who are responsible are involved in undertaking parts of the audit.
• Advocacy. The auditor is acting, or has recently acted, as an advocate for those responsible for the activity under review.
• Undue influence. The auditor in some other way has too much influence over the activity, perhaps by virtue of close relationships.
• Lack of competence. The auditor may not be sufficiently skilled or experienced to apply the professional skepticism, open-mindedness, and disciplined approach needed to ensure findings and recommendations are objective.
• Lack of independence of the internal audit function. The auditor is part of an internal audit function whose independence is compromised.
When independence or objectivity is impaired (in fact or in appearance), this should be disclosed to the appropriate parties, in particular senior management and the governing body, in accordance with Standard 1130 – Impairment to Independence or Objectivity.
The organizational environment in both the private and public sectors can be highly politically charged, and this can impact internal auditing. The function can be sidelined or under-resourced as a way of limiting its scope and influence. The governing body may not have the time, skill, or inclination to provide adequate oversight, and there may be no audit committee to act as a champion for independent and impactful internal auditing. Pressure may be applied on individuals to steer clear of certain areas or activities, or to moderate their findings and reports. Reports that identify significant weaknesses in politically sensitive areas may be suppressed or “buried.” Patty Miller, former chair of The IIA Global Board of Directors, has written extensively on this topic and on the need for auditors to have political awareness and moral courage. [33]
[33] See, for example, Organizational Political Pressure and the Impact on Internal Audit, Patty Miller, 2017.
B.3: Reflection
Have you ever experienced a situation where you were discouraged (from within the internal audit function or outside of it) from looking at an area or activity?
Have you ever been denied the necessary resources, or access to people and data, needed to conduct your audit to the full extent of the engagement scope and objectives?
Have you ever been asked to change your report by “toning it down” or removing inconvenient findings?
B.4 Safeguards for Independence and Objectivity
In accordance with Standard 1110 – Organizational Independence, “the chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.” [34] If there is interference in determining scope, performing work, or communicating results, “the chief audit executive must disclose such interference to the board and discuss the implications.” [35]
Certain safeguards to avoid or limit impairments to independence and objectivity, and to reduce the threat of impairment to an acceptable level, are specified in Standard 1130 – Impairment to Independence or Objectivity. These include:
• Internal auditors should not provide assurance for operations for which they were responsible within the previous year.
• Assurance engagements for areas over which the head of internal audit has responsibility should be overseen by a party outside of the internal audit function.
• Caution is required where auditors previously provided advisory services, to ensure this does not impair objectivity in a subsequent assurance engagement.
There are specific requirements when the head of internal audit is asked to assume additional responsibilities that may impair independence and/or objectivity. Standard 1112 – Chief Audit Executive Roles Beyond Internal Auditing states the following:
The chief audit executive may be asked to take on additional roles and responsibilities outside of internal auditing, such as responsibility for compliance or risk management activities. These roles and responsibilities may impair, or appear to impair, the organizational independence of the internal audit activity or the individual objectivity of the internal auditor. Safeguards are those oversight activities, often undertaken by the board, to address these potential impairments, and may include such activities as periodically evaluating reporting lines and responsibilities and developing alternative processes to obtain assurance related to the areas of additional responsibility. [36]
To identify impairments, it is necessary to consider the perspectives of stakeholders. The appearance of impropriety can undermine trust. Close relationships with individuals do not automatically weaken an internal auditor’s professionalism, but they can create an impression, or even an expectation, of bias or “friendly” reporting. The same is true of strong familiarity with an area of responsibility or activity. An auditor may well be capable of making an objective assessment, but others may regard the audit work with some skepticism. Regular reminders and training for internal auditors regarding independence and objectivity are important. Requirements for maintaining independence and objectivity can also be reinforced through policies, procedures, audit manuals, templates, and so on.
[34] The International Professional Practices Framework, The Institute of Internal Auditors, 2016.
[35] The International Professional Practices Framework, The Institute of Internal Auditors, 2016.
[36] The International Professional Practices Framework, The Institute of Internal Auditors, 2016.
Examples of appropriate measures the head of internal audit may take to safeguard against<br />
impairments <strong>and</strong> ensure sufficient independence <strong>and</strong> objectivity include the following:<br />
• Discuss a perception of impairment with relevant parties to describe the controls in<br />
place (such as policies, processes, supervision, <strong>and</strong> review of audit work) that would<br />
minimize any actual impairment <strong>and</strong> so reduce concerns.<br />
• Assign a sufficiently competent alternate auditor to an engagement to avoid a conflict<br />
of interest in fact or appearance.<br />
• Discuss an actual impairment with senior management <strong>and</strong> the board to seek<br />
support <strong>and</strong> resolution, which may include noting <strong>and</strong> accepting the risk in the short<br />
term while recruiting additional resource for future engagements or contracting with<br />
an alternate auditor on a temporary basis from another public entity or external<br />
agency.<br />
• Reporting an impairment that has been identified after completion of an engagement<br />
to the client <strong>and</strong> the governing body to consider its potential impact on the accuracy<br />
<strong>and</strong> reliability of the conclusions, as required by St<strong>and</strong>ard 2121 – Errors <strong>and</strong><br />
Omissions.<br />
One of the more persistent threats to independence of the internal audit function in the public sector is the absence of a functional reporting line by the head of internal audit to an independent governing body, in some cases because such a body (or individual) does not exist in the way envisaged by the IPPF. There may not be a duly constituted board and the senior executive – as the de facto governing body – may act with little or no separation between management and governance roles. Where there is a governing body, the appointments to it may be directed by the government with political motivations or in accordance with various conventions and practices that have little to do with providing competent oversight of the entity and its internal audit function. Approval of the internal audit plan and budget may be made by those with responsibilities for areas to be audited. In such a position, the head of internal audit must be extra vigilant to maintain and demonstrate independence in determining engagement priorities based on risk and organizational need. In all cases, the head of internal audit must report on the status of independence of the function. Peer review as part of the quality assurance and improvement program, as well as more regular external review, can also be used to provide validation of independence.
Practice varies regarding the establishment of audit committees. For example, a city council – as the governing body of a municipality – may meet periodically as an audit committee such that the members of the council are also the members of the audit committee. Alternatively, an audit committee may have a separate existence from the governing body and act as an advisory panel with membership comprising other independent individuals. Where a government has adopted the European Commission model for Public Internal Financial Control (PIFC), the Central Harmonization Unit (CHU) may act as the audit committee for multiple entities (although bandwidth constraints usually limit the role to monitoring internal audit activity rather than findings). PIFC is discussed in module T3 Accounting Fundamentals. In large complex public organizations, especially multilateral bodies like the United Nations, but also for ministries with multiple subordinated entities, there may be audit committees with oversight responsibilities of lower-level bodies reporting to their respective governing authorities that are also coordinated by a higher-level committee or board that considers all reports to ensure a coherent aggregated perspective. In other cases, there is no audit committee and oversight is exercised directly by the governing body.
Availability of resources can also be an issue for independence, including funding for external quality reviews, required by the Standards at least once every five years. Where small audit teams are faced with a large or complex audit universe, the head of the function must make clear to the governing body the areas that cannot be covered and where assurance cannot be provided. The audit plan must still prioritize engagements according to risks and needs.
The nature of such threats to independence in the public sector may be political. Elected and appointed officials may be seeking to extend their terms of office or establish their legacy and are desirous of demonstrating favorable results. Communications are often “spun” in such a way that the information is preferentially presented via generalizations, incomplete truths, and omissions. Auditors may be asked directly or indirectly to tone down or refrain from reporting what may be perceived as negative findings and conclusions in the interests of maintaining favorable public or line ministry opinion. Internal auditors must demonstrate strength of character and moral courage to resist such pressures.
B.4: Reflection
How would you rate the level of independence of your internal audit function in fact and in appearance?
What steps could be taken to strengthen organizational independence?
What factors may weaken the objectivity of auditors in your internal audit function in fact and in appearance?
What steps could be taken to strengthen individual auditor objectivity?
C. Assurance and Advisory Engagements
Learning Outcomes
On completion of this section, students will be better able to:
• Compare and contrast assurance and advisory engagements.
• Determine an appropriate balance of audit and advisory engagements.
• Identify competencies needed for assurance and advisory engagements.
• Plan an assurance engagement of organizational governance.
• Evaluate IT and cybersecurity risks and controls as part of an audit engagement.
• Evaluate the effectiveness of entity-wide risk management.
• Describe how internal audit contributes to an organization’s responsiveness to fraud, IT, and cybersecurity risks.
C.1 Characteristics of Assurance and Advisory Engagements
IIA Internal Audit Competency Framework
Organizational Strategic Planning and Management:
General Awareness: Identify the risk and control implications of different organizational structures. Describe the strategic planning process. Describe common performance measures. Explain organizational behavior and performance management techniques. Describe management’s effectiveness to lead and build organizational commitment.
Applied Knowledge: Evaluate the organization’s governance structure and the impact of organizational structure and culture on the overall control environment and risk management strategy. Analyze the organization’s strategic planning process. Examine performance measures used by the organization. Examine existing organizational behavior and performance management techniques. Examine management’s effectiveness to lead and build organizational commitment.
Expert: Recommend improvements to the overall control environment and risk management strategy. Recommend improvements to the organization’s strategic planning process. Select appropriate performance measures. Recommend appropriate organizational behavior and performance management techniques. Recommend actions to improve management’s approach to leading and building organizational commitment.[37]
The definition of internal auditing quoted in B.1 identifies it as comprising both assurance and consulting services (the latter commonly referred to as advisory services). Both terms are defined in the IPPF.
[37] Internal Audit Competency Framework, The IIA, 2022.
Assurance Services
An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.[38]
Consulting Services
Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.[39]
The IPPF provides additional commentary to help distinguish between these two types of services:
Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an assurance engagement are determined by the internal auditor. Generally, three parties are participants in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter—the process owner, (2) the person or group making the assessment—the internal auditor, and (3) the person or group using the assessment—the user.
Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice—the internal auditor, and (2) the person or group seeking and receiving the advice—the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.[40]
The internal audit charter or legislation should describe the services to be provided. Assurance engagements are typically scheduled as a result of the head of internal audit’s assessment of organizational risks and priorities and form part of the internal audit plan. Consulting (or advisory) engagements tend to be agreed in response to requests from management but may also be proposed by the internal audit function to address opportunities for improvement where auditors can usefully lend their expertise. However, a consulting engagement should not be accepted simply because it has been requested:
The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.[41]
[38] The International Professional Practice Framework, The Institute of Internal Auditors, 2016
[39] The International Professional Practice Framework, The Institute of Internal Auditors, 2016
[40] The International Professional Practice Framework, The Institute of Internal Auditors, 2016
[41] The International Professional Practice Framework, The Institute of Internal Auditors, 2016
It is common to build an allowance into the internal audit plan and budget for ad hoc engagements, which are non-periodic reactive assignments conducted at the request of the governing body, senior managers, external auditors, or the head of internal audit, and may be assurance or advisory in nature. A change of internal or external circumstances may require engagements to be added to the plan. The Covid-19 pandemic led to significant redrafting of audit plans as priorities and operations were severely disrupted.
One issue the head of internal audit must decide when creating the plan is the appropriate balance of assurance and advisory engagements. The starting point is a risk-based approach, meaning engagements are prioritized in response to organizational objectives and risks. Standard 2010 – Planning directs the internal audit function as follows:
To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
2010.A1 The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
2010.A2 The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.
2010.C1 The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.[42]
The assessment of risk needs to be independent, although the input of management and the governing body should be considered.
There is no scientific formula for determining the right balance between assurance and advisory engagements in the audit plan, but the following factors are relevant:
• Internal audit mandate and responsibilities (as defined in the charter or legislation).
• Roles previously adopted by the internal audit function.
• Strength of internal audit function independence.
• Organizational objectives and priorities.
• Internal and external risks (including new risks).
• The role of the governing body in providing oversight and level of engagement with executive activity.
• Risk management maturity.
• Control weaknesses identified by internal audit.
• The focus of the external auditors and financial inspectors (to ensure coherent coverage and minimize unnecessary duplication to the extent to which cooperation is possible while maintaining independence and respective missions).
• Resources and skills available to the internal audit function.
• Internal audit function strategic plan.
[42] The International Professional Practice Framework, The Institute of Internal Auditors, 2016
C.1.1 Assurance Engagements
Assurance can be defined in terms of the examination and assessment processes deployed by auditors to evaluate governance, risk management, and internal control. This is how it is defined by the IPPF. “Assurance” also refers to the confidence provided by an assurance engagement and the comfort derived from it by the client of assurance services.
Assurance as a form of confidence and comfort allows for the possibility of different degrees, amounts, or levels, ranging theoretically from total and absolute assurance to the complete absence of assurance. In practice, it is impossible to provide absolute assurance since the scope of an audit is always limited to what was observed and concluded at that moment. Other activities and conditions fall outside of the scope and circumstances continue to change. Uncertainty will always remain. For that reason, external auditors may provide reasonable or limited assurance, although this distinction is not made for internal auditors in the IPPF. The IPPF refers to “reasonable assurance” only in the context of the purpose of risk management and internal control, although it does not define the term. For example, risk management is defined as:
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.[43]
“Limited assurance” is not referenced at all in the IPPF. While some internal auditors choose to make the distinction between reasonable (or positive) assurance and limited (or negative) assurance, these are more commonly terms used by external auditors. Internal audit engagements may provide assurance based on “sufficient, reliable, relevant, and useful information” to support conclusions and opinions (Standard 2310 – Identifying Information). There is no allowance for anything that falls short of this requirement. The IIA guidance on audit opinions does allow for distinctions in the level of assurance (see section C.1.5).
C.1.2 Consulting (Advisory) Engagements
Consulting services cover a wide spectrum of activities.
[43] The International Professional Practice Framework, The Institute of Internal Auditors, 2016
The following list is taken from Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value:
• Business process improvement.
• Continuous monitoring.
• Control self-assessment or risk and control self-assessment.
• Forensic.
• Governance and ethics training.
• Internal control review.
• Internal control training.
• Merger and acquisition analysis.
• Participation on committees or taskforces.
• Readiness review.
• Review of a new product or service before implementation.
• Risk self-assessment.
• Transition activities.[44]
IIA Australia has produced guidance on consulting engagements and advises internal auditors to follow these steps:
• Build time into your internal audit plan. Often consulting engagements are not planned at the beginning of the year, and some flexible time for ad hoc engagements makes it easier to be responsive to management requests.
• Make management aware of the service. Sometimes managers are unaware that internal audit can provide advisory services in response to their requests, and it is necessary to promote this across the organization as an available support for management.
• Respond promptly. In all cases – assurance and advisory engagements – internal audit needs to be reflective of organizational needs and priorities and flexible when these change. Delays can reduce the value of the sought-after advice and insight.
• Don’t do what management should do themselves. This is a reminder to maintain independence and objectivity. The request should be legitimate rather than setting an expectation that internal audit will fill a first or second line role. Internal audit does not need to accept every request made by management and it is always necessary to prioritize.
• Don’t give up when the allocated time runs out. Advisory engagements require greater flexibility as they are often harder to fully scope and budget at the outset. There may be options for securing additional internal or external resources to extend the work. Additionally, internal audit should be helping management identify what work needs to be done so there can be agreement about prioritization.
• Celebrate success. One of the best ways to promote advisory services is to share news of successful engagements, which can be achieved formally or informally through various channels.[45]
[44] Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value, Seventh Edition, Internal Audit Foundation, 2019
[45] Factsheet: Internal Audit Consulting, IIA Australia, 2022
C.1.3 Assurance and Advisory Engagements Compared
There are many similarities between assurance and advisory engagements, and internal auditors will apply many common skills. In particular, both types of engagements must be defined in the internal audit charter, and internal auditors must adhere to appropriate standards and apply due professional care. There are also important differences, as shown below.
Key differences between assurance and advisory services
Purpose
• Assurance services: To provide assurance through an opinion on the adequacy and effectiveness of governance, risk management, and internal control based on an objective assessment of evidence.
• Advisory services: To offer advice, usually in response to a request.
Principal parties
• Assurance services: Internal auditor; unit manager or process owner; recipient of assurance (senior management and the governing body).
• Advisory services: Internal auditor; client.
Scope and approach
• Assurance services: Determined by the internal auditor in consultation with the relevant manager.
• Advisory services: Agreed between client and internal auditor.
Objectives
• Assurance services: Based on a risk assessment, taking account of the possibility of error, fraud, and noncompliance.
• Advisory services: Consistent with the organization’s goals and priorities.
Governance, risk management, and internal control
• Assurance services: Must be part of the engagement scope and objectives.
• Advisory services: May be included in the engagement scope and objectives.
Auditor assignment
• Assurance services: The head of internal audit must obtain the necessary skills for the engagement, either from the team or from other sources, rather than defer the engagement.
• Advisory services: The head of internal audit must wait until the necessary skills for the engagement are available.
Conflicts of interest
• Assurance services: In accordance with Standard 1130, internal auditors should not provide assurance for operations for which they were responsible within the previous year.
• Advisory services: In accordance with Standard 1130, internal auditors may provide consulting services relating to operations for which they had previous responsibilities, but any potential impairments to independence or objectivity must be disclosed prior to accepting the engagement.
In undertaking advisory engagements, care must be taken to ensure the independence of the function and objectivity of auditors for future engagements. Implementing controls, making executive decisions, enforcing policies, directing the application of resources, and in general terms “owning the risk” are responsibilities of management which internal auditors should not assume. In offering training, facilitating control self-assessment workshops, helping managers develop controls, and providing advice on potential improvements, internal auditors are sharing the benefit of their expertise and insights with management. However, they must refrain from taking ownership of decisions management must take. This is illustrated by the table below (adapted from The IIA fan graphic[46]).
Threats to Functional Independence and Auditor Objectivity
Core responsibilities of the internal auditor (can be undertaken without special safeguards):
• Providing assurance on the adequacy and effectiveness of governance, risk management, and internal control.
• Evaluating processes.
• Assessing risks.
• Sharing insights and opinions.
• Making recommendations for innovation and improvement.
Broader responsibilities providing additional value (may be undertaken with additional safeguards):
• Coaching and training.
• Developing the risk management framework.
• Designing controls.
• Coordinating activities.
• Monitoring responses made to the fraud or ethics hotline.
Management responsibilities (should not be undertaken by members of the internal audit function):
• Taking operational decisions on behalf of functional units.
• Determining organizational strategy.
• Participating in the decision-making process as part of a working group or taskforce.
• Implementing controls.
• Enforcing policies.
• Accepting responsibility for managing risks.
This is relevant to the consideration of threats to and safeguards for independence and objectivity discussed in B, but it also helps identify the point at which advisory services may stray into managerial responsibilities.
C.1.4 Blended Engagements
The principal differences between assurance and advisory engagements can be summarized as follows:
• Purpose: assurance engagements provide an opinion based on an assessment; consulting engagements provide support and expertise to advise on the acquisition, development, or improvement of resources (including people), systems, and processes.
• Determination of nature and scope: for assurance engagements this must include governance, risk management, and internal control; for consulting engagements it is a matter to be decided through discussion.
• Parties involved: assurance engagements are agreed with the involvement of the internal auditor, manager of the activity being audited, senior management, and the governing body; consulting engagements may be agreed between the internal auditor and manager of the activity being audited.
[46] IIA Position Paper, The Role of Internal Auditing in Enterprise-wide Risk Management, The IIA, 2009.
Despite these differences, assurance and advisory engagements have many synergies and do not need to be kept separate. There are advantages from conducting a blended engagement through which the auditor delivers both assurance and advice. Auditors are continuously increasing their knowledge and understanding about the organization and its internal and external operating environments. Indeed, the Standards require auditors to apply their knowledge gained through consulting to assurance engagements. It is common to conclude an assurance engagement with recommendations through which the auditor advises the manager of the audited activity on opportunities for innovation and improvement, and this may be extended to include involvement with some of the developmental work.
Sometimes what is planned as an assurance engagement may be extended to include consulting as well. For example, the auditor may identify through the course of an assurance engagement that members of staff do not fully understand key concepts about risk management and internal control and as a result offers to provide training. Extensions to scope in this way need to be approved by the manager and audit supervisor.
It is also possible for an engagement that starts as consulting to be extended to include assurance too. For example, when an internal auditor participates as an advisor to an IT project, it may transpire that existing hardware and software controls need to be reviewed. The auditor will be able to test and provide assurance. Once again, extensions to engagements should be approved by the audit supervisor.
It is also possible for an engagement to be planned as a blend of assurance and consulting. Consideration should be given to the following as part of the planning process:
• Risk-based planning should ensure priority is given to the most significant risks, objectives, and activities. Where management is planning major projects – such as public administration reform, organizational restructuring, long-term financial strategies, IT upgrades, introduction of new services, or relocation of activities, personnel, and resources – internal audit may be invited to act as an advisor. This may create natural opportunities for blended engagements.
• Allocation of scarce resources should follow the risk-based prioritization of engagements. Efficiencies may be gained through planning a blended engagement.
• Significant findings and necessary follow-up resulting from prior engagements may also suggest opportunities for blended engagements.
C.1.5 Internal Audit Opinions
Auditors may be asked to provide an opinion either within an individual audit report or at a broader level. Assurance may be provided at the process, function, or entity level. This includes an opinion on the adequacy and effectiveness of governance, risk management, and internal control for the organization. In some situations, the head of internal audit is asked to offer such an opinion periodically. This may be limited to the system of internal control or enterprise risk management (ERM). Such an opinion may be more limited still, such as an opinion on internal control over financial reporting or on aspects of compliance.
When asked to provide such an opinion, the head of internal audit may plan a specific audit engagement but is also likely to draw upon the results of multiple engagements. The opinion may be expressed in terms of a grade for the level of assurance (such as “traffic lights” of red, yellow (amber), or green, or a grade from 1-4). The assurance may be expressed as reasonable (or positive) assurance or limited (or negative) assurance, although such terms are not defined in the IPPF (see section C.1.1). However, The IIA allows for internal auditors to provide an opinion in the form of reasonable or limited assurance in its Practice Guide: Formulating and Expressing Internal Audit Opinions.[47] Whatever form it takes, it is important that there is clear understanding about the meaning and the basis on which the opinion is given.
Macro level opinions are usually based on multiple engagements. This requires care as the<br />
findings may have been gathered over different periods of time using different criteria. Other<br />
evidence may be drawn from multiple formal <strong>and</strong> informal sources, placing appropriate<br />
reliance according to the characteristics of each. According to the Practice Guide, macro<br />
level opinions may include:<br />
• An opinion on the organization’s overall system of internal control over financial<br />
reporting.<br />
• An opinion on the organization’s controls <strong>and</strong> procedures for compliance with<br />
applicable laws <strong>and</strong> regulations, such as health <strong>and</strong> safety, when those controls <strong>and</strong><br />
procedures are performed in multiple countries or subsidiaries.<br />
• An opinion on the effectiveness of controls such as budgeting <strong>and</strong> performance<br />
management, when such controls are performed in multiple subsidiaries <strong>and</strong><br />
coverage comprises the majority of the organization’s assets, resources, revenues,<br />
etc.<br />
In comparison, micro level opinions are often derived from a single engagement <strong>and</strong> may<br />
include:<br />
• An opinion on an individual business process or activity within a single organization,<br />
department, or location.<br />
• An opinion on the system of internal control at a subsidiary or reporting unit, when all<br />
work is performed in a single audit.<br />
• An opinion on the organization’s compliance with policies, laws, <strong>and</strong> regulations<br />
regarding data privacy, when the scope of work is performed in a single or just a few<br />
business units. 48<br />
47<br />
Practice Guide: Formulating <strong>and</strong> Expressing Internal <strong>Audit</strong> Opinions, The IIA, 2009.<br />
48<br />
Practice Guide: Formulating <strong>and</strong> Expressing Internal <strong>Audit</strong> Opinions, The IIA, 2009.<br />
When asked to provide an opinion, the head of the audit function should be clear about the intended purpose and audience, the scope and time period covered by the opinion, and the criteria and rating process to be used. When applying criteria – for example, the COSO Internal Control Integrated Framework – there is still a need to convert the evaluation into a suitable rating by considering what degree of conformance is acceptable or satisfactory. This is likely to involve a consideration of materiality and impact.<br />
C.1.6 Competencies Needed for Assurance and Advisory Engagements<br />
The IIA Competency Framework defines the knowledge, skills, and abilities needed by internal auditors, managers, and heads of internal audit to deliver internal audit services in accordance with the requirements of the IPPF. They are organized under four domains and defined at three competency levels (general awareness, applied knowledge, and expert). The domains are as follows:<br />
Professionalism: Competencies required to demonstrate the authority, credibility, and ethical conduct essential for a valuable internal audit activity.<br />
Performance: Competencies required to plan and perform internal audit engagements in conformance with the Standards.<br />
Environment: Competencies required to identify and address the risks specific to the industry and environment in which the organization operates.<br />
Leadership and Communication: Competencies required to provide strategic direction, communicate effectively, maintain relationships, and manage internal audit personnel and processes.<br />
When applying these to assurance and advisory engagements, there are many commonalities, as described below for each domain.<br />
Professionalism: All aspects of professionalism are relevant for all internal audit work, including ethical conduct, conformance with the standards, and maintaining objectivity.<br />
Performance: In general, the knowledge base required for assurance and advisory engagements is largely identical, but the skills and abilities needed for these two types of engagement place different requirements on the internal auditor. The standards relating to performing audits identify some specific differences for assurance and consulting engagements. However, knowledge and understanding of governance, risk management, and internal control are essential for all engagements. Likewise, the techniques for conducting fieldwork are also very similar, although the contexts may differ.<br />
Environment: Regardless of the type of engagement, internal auditors must understand the internal and external environments of their organization, including the strategic priorities, resources, risks, legal and regulatory requirements, and other factors impacting the attainment of goals.<br />
Leadership and Communication: Internal audit supervisors, managers, and leaders have their respective roles and delegated authorities for ensuring the efficient and effective operation of the internal audit function for all services provided. Communication skills are of paramount importance for all internal audit work. This includes developing relationships and adopting styles of communication appropriate for the intended audience. Consulting engagements have a greater degree of flexibility in approach and reporting compared with the testing and recording of findings needed for assurance engagements. However, the same requirements for accuracy, timeliness, and relevance apply.<br />
There are also competencies that have greater relevance for each of the two types of engagement.<br />
Competencies of greater relevance for assurance engagements include:<br />
• Adherence to process and methodology.<br />
• Engagement planning.<br />
• Due care and attention to detail.<br />
• Systematic testing, analysis, and data processing.<br />
• Root cause analysis.<br />
• Critical thinking.<br />
• Drawing significant findings and conclusions from large volumes of information.<br />
• Effective reporting.<br />
• Moral courage to ask difficult questions and tenacity to seek out the truth.<br />
In comparison, advisory engagements can require a lot more versatility and flexibility from the auditor. There is a greater variety of activities that fall within the broad class of missions. The objectives and scope may be more open-ended. Skills like process design and engineering, facilitation, strategic thinking, root cause analysis, building a consensus, and creative problem solving are likely to be more to the fore. 49<br />
Competencies of greater relevance for advisory engagements include:<br />
• Creativity and originality.<br />
• Collaboration, teamwork, and relationship management.<br />
• Deep expertise in specific processes or activities.<br />
• Rapid assimilation of complex data.<br />
• Operating under pressure in a dynamic environment.<br />
• Unstructured problem-solving.<br />
• Providing continuous feedback and offering insights during the engagement.<br />
49 See Anderson, et al, Internal Auditing: Assurance and Advisory Services, fourth edition, The IIA, 2017.<br />
C.1: Reflection<br />
Approximately what percentages of the internal audit plan are committed to assurance and consulting engagements? Is the balance appropriate for organizational needs, priorities, and expectations?<br />
What allowance is made in internal audit planning for ad hoc engagements made at the request of management? Is this sufficient?<br />
How often are consulting engagements proposed by the head of the internal audit function rather than by management?<br />
How much of the content of the audit plan is truly risk-based as opposed to completing a list of expected audits that are repeated annually?<br />
Are blended engagements considered as an option for increasing efficiency and effectiveness?<br />
Do you agree with the analysis of the different competencies needed for assurance and advisory engagements? Is this considered when auditors are assigned to engagements?<br />
C.2 Auditing Governance<br />
The IIA Supplemental Guidance: The Role of Auditing in Public Sector Governance emphasizes the essential characteristics of the internal audit function for providing valuable assurance and insight:<br />
• Organizational independence.<br />
• A formal mandate (in “the public sector’s constitution, charter, or other basic legal document.”)<br />
• Unrestricted access “to employees, property, and records.”<br />
• Sufficient funding.<br />
• Competent leadership.<br />
• Objective staff.<br />
• Competent staff.<br />
• Stakeholder support.<br />
• Professional audit standards. 50<br />
In respect of governance, internal audit may contribute in various ways:<br />
• Oversight: Internal audit can extend the reach of senior management and the governing body to observe organizational activities and circumstances and determine whether policy is being implemented as intended, with appropriate assessment of risks and implementation of controls. Auditing provides transparency through verification of performance, position, and prospects, and by sharing it with stakeholders.<br />
• Detection: Audits reveal “inappropriate, inefficient, illegal, fraudulent, or abusive acts that have already transpired.” Such information can be used to strengthen controls, initiate training, and pursue disciplinary or legal proceedings. Detection can occur as part of an investigation of potential conflicts of interest or suspected wasteful, abusive, or fraudulent activities. Alternatively, detection also occurs when red flags are identified during a routine engagement involving the identification of risks and testing of controls.<br />
• Deterrence: Anticipated audit work as well as the exposure of detected weaknesses can deter other lapses in proper oversight and management.<br />
• Insight: Auditors can share their expertise and understanding and make recommendations in terms of potential improvements with reference to best practices.<br />
• Foresight: Auditors can also anticipate future risks by considering trends as well as changes in legislation and regulation. 51<br />
Organizational governance may be audited in an individual engagement. Alternatively, an opinion on governance may be derived from multiple engagements (see C.1.5). Assurance and advisory engagements may be used. Any engagement that considers risk management and internal control contributes to an auditor’s understanding of governance.<br />
50 Supplemental Guidance: The Role of Auditing in Public Sector Governance, The IIA, 2012.<br />
51 Supplemental Guidance: The Role of Auditing in Public Sector Governance, The IIA, 2012.<br />
Performance audits are also useful in evaluating governance with regard to particular policies and initiatives. Some governance audits pay particular attention to the working of the governing body and may evaluate the effectiveness of meetings, strategic planning, management of conflicts of interest, nominations, and so on. External agencies can provide this service for greater independence and objectivity.<br />
Suggested questions internal auditors may ask as part of their investigation into the adequacy and effectiveness of governance, focusing on the key aspects of governance (performance, conformance, value creation and protection, and accountability), are given below, based on guidance from IFAC:<br />
• Do the structures and processes of governance serve to optimize stakeholder value?<br />
• Do they serve to ensure an appropriate balance of stakeholder interests?<br />
• Do they support both performance in respect of achieving organizational purpose and conformance with laws, regulations, policies, and other expectations?<br />
• Are governance processes fully integrated into the organization and its culture, planning, behaviors, and activities?<br />
• Is the governing body appropriately constituted and structured to lead on governance for the organization, overseeing senior management and internal audit, and engaging with key stakeholders?<br />
• Has the governing body established a set of fundamental values by which the organization operates?<br />
• Are these values well communicated, monitored, and appropriately reinforced and enforced?<br />
• Does the strategy adopted by the governing body demonstrate a sound understanding of the political context, operating model, and internal and external environment?<br />
• Does the strategy promoted by the governing body provide sufficient direction and focus for the organization?<br />
• Has the governing body ensured that management has established an appropriate and effective framework for risk management and internal control?<br />
• Does the governing body ensure resource allocation by management is aligned with strategic priorities?<br />
• Does the governing body evaluate its own effectiveness as well as that of its strategy and organizational activities toward continual improvement and achievement of objectives?<br />
• Are the interests and needs of stakeholders given appropriate consideration, and do stakeholders receive relevant, timely, and reliable information? 52<br />
52 Evaluating and Improving Governance in Organizations, IFAC, 2009.<br />
C.2: Reflection<br />
How does your internal audit function contribute to the ongoing development and improvement of organizational governance?<br />
Does your internal audit function provide assurance on governance for specific areas and/or for the entity as a whole?<br />
Is governance highlighted as an important consideration in every engagement?<br />
C.3 Fraud, IT, and Cybersecurity<br />
In providing assurance, internal auditors must be attentive to all relevant risks and their potential to impact organizational objectives and priorities. The IPPF gives particular mention to two key risk areas: fraud and IT.<br />
For example, Standard 1210 – Proficiency has the following requirements:<br />
1210.A2 Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.<br />
1210.A3 Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing. 53<br />
C.3.1 Fraud<br />
IIA Internal Audit Competency Framework<br />
Fraud:<br />
General Awareness: Recognize types of fraud, fraud risk, and red flags for fraud.<br />
Applied Knowledge: Evaluate the potential for fraud and how the organization detects and manages fraud risks; recommend controls to prevent and detect fraud and educate to improve the organization’s fraud awareness.<br />
Expert: Apply forensic auditing techniques in fraud prevention, deterrence, and investigation. 54<br />
Fraud is referenced seven times in the Standards and is defined as:<br />
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. 55<br />
53 The International Professional Practices Framework, The Institute of Internal Auditors, 2016.<br />
54 Internal Audit Competency Framework, The IIA, 2022.<br />
55 The International Professional Practices Framework, The Institute of Internal Auditors, 2016.<br />
Fraud may be perpetrated via measures such as:<br />
• Claims for fictitious expenses or duplicate claims.<br />
• Use of fake or stolen identity.<br />
• Disbursements to fictitious vendors or beneficiaries.<br />
• Unwarranted refunds.<br />
• Lost or voided checks.<br />
• Interception of goods received.<br />
• Concealment through false accounting (such as capitalizing expenses, ignoring bad debts, mischaracterizing expenditure as “miscellaneous” or something else, and over- or under-reporting.)<br />
• Embezzlement of funds and other resources.<br />
All parties within an organization have a responsibility to contribute to fighting fraud. The role in fighting fraud, by organizational role, is as follows:<br />
Governing body and audit committee:<br />
• Ultimate responsibility for fraud risk governance.<br />
• Lead by example.<br />
• Set “tone at the top.”<br />
• Ensure there are appropriate fraud risk management structures and processes in place.<br />
• Ensure the internal audit plan is sufficiently attentive to fraud risk.<br />
• Receive and respond to reports from internal auditing regarding the adequacy and effectiveness of fraud risk management.<br />
• Receive and respond to reports from fraud risk experts, examiners, inspectors, external auditors, and others.<br />
Senior management:<br />
• Lead by example.<br />
• Promote ethical conduct.<br />
• Address suspicions of fraud when they surface.<br />
• Provide training.<br />
Those with first line roles:<br />
• Implement and maintain controls for fraud.<br />
• Report incidents of fraud or suspected fraud.<br />
Those with second line roles:<br />
• Provide specialist expertise in developing and implementing controls for fraud.<br />
• Monitor and analyze the effectiveness of fraud risk management.<br />
Internal auditors:<br />
• Provide independent and objective assurance and advice on the adequacy and effectiveness of fraud risk governance, management, and control.<br />
• Map and coordinate fraud risk assurance from internal and external providers.<br />
Common controls for fraud relating to cash and financial transactions, for example, include:<br />
• Segregation of incompatible duties. Responsibility for custody of an asset, authorization for its deployment, and recording its usage should ideally be assigned to different individuals. Where this is not possible because of a shortage of resources, then compensating controls, including increased supervision, regular reconciliations, stock takes, and scrutiny by inspectors and auditors, should be applied.<br />
• Centralization of cash collection points.<br />
• Individual cash drawers for each employee responsible for collecting money to assist with traceability and accountability for errors and fraud.<br />
• Endorsing checks when they are received to limit opportunities for misuse.<br />
• Maintaining sequential receipts.<br />
• Timely recording of transactions.<br />
• Timely deposits of cash.<br />
• Physical security of blank checks.<br />
• Regular reconciliations.<br />
Figure: Segregation of Incompatible Duties<br />
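As an added example that is not part of the workbook, the following Python script models the segregation-of-incompatible-duties check described above: given a constructed list of who holds custody, authorization, or recording for each asset, it flags any person holding two or more of these duties for the same asset and records whether compensating controls are documented for that asset, so the auditor can separate mitigated conflicts from unmitigated findings. All people, assets, and control labels are constructed sample data, and the severity grading is a modelling choice for this example.<br />

```python
"""Segregation-of-incompatible-duties check (added example, not workbook code).

Models the control described in the text: custody of an asset, authorization
of its deployment, and recording of its usage should sit with different
people; where that is impossible, compensating controls (supervision,
reconciliations, stock takes, inspection) must be documented.
All people, assets and control labels below are constructed sample data.
"""
from collections import defaultdict

# The three incompatible duty types named in the text.
DUTIES = ("custody", "authorization", "recording")

# Constructed sample data: (person, asset, duty) assignments.
ASSIGNMENTS = [
    ("alice", "petty_cash", "custody"),
    ("alice", "petty_cash", "recording"),     # conflict: custody + recording
    ("bob", "petty_cash", "authorization"),
    ("carol", "bank_account", "custody"),
    ("carol", "bank_account", "authorization"),
    ("carol", "bank_account", "recording"),   # one person holds all three
    ("dave", "inventory", "custody"),
    ("erin", "inventory", "recording"),
    ("frank", "inventory", "authorization"),
]

# Constructed sample data: compensating controls documented per asset.
COMPENSATING_CONTROLS = {
    "petty_cash": {"monthly_reconciliation", "supervisor_review"},
    "bank_account": set(),  # nothing documented
}


def duties_by_person_asset(assignments):
    """Group duties as {(person, asset): {duty, ...}}, validating duty names."""
    held = defaultdict(set)
    for person, asset, duty in assignments:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty type: {duty!r}")
        held[(person, asset)].add(duty)
    return held


def find_conflicts(assignments):
    """Return one finding per (person, asset) holding two or more duties.

    Severity is a modelling choice for this example: 'high' when one person
    holds all three duties for an asset, 'medium' for any pair.
    """
    findings = []
    for (person, asset), duties in sorted(duties_by_person_asset(assignments).items()):
        if len(duties) < 2:
            continue  # a single duty per asset is the intended state
        findings.append({
            "person": person,
            "asset": asset,
            "duties": tuple(sorted(duties)),
            "severity": "high" if len(duties) == len(DUTIES) else "medium",
        })
    return findings


def evaluate(assignments, compensating_controls):
    """Attach the documented compensating controls to each conflict and mark it
    'mitigated' when some exist, otherwise 'unmitigated' (an audit finding)."""
    results = []
    for finding in find_conflicts(assignments):
        controls = sorted(compensating_controls.get(finding["asset"], ()))
        results.append(dict(finding,
                            compensating_controls=controls,
                            status="mitigated" if controls else "unmitigated"))
    return results


if __name__ == "__main__":
    for r in evaluate(ASSIGNMENTS, COMPENSATING_CONTROLS):
        print(f"{r['severity']:6} {r['status']:11} {r['person']} holds "
              f"{' + '.join(r['duties'])} for {r['asset']}; compensating "
              f"controls: {', '.join(r['compensating_controls']) or 'none'}")
```

Whether a "mitigated" conflict is acceptable remains an auditor's judgement; the script only shows where compensating controls are absent.<br />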
Many of the controls described above are needed for managing risks related to human, system, and process errors as well as the possibility of fraud. To ensure the general integrity of the control environment, there should be a clear tone at the top, a well-defined code of conduct to confirm behavioral expectations, consistent and timely handling of breaches, continuous awareness raising and regular training, documented policies and processes, and opportunities for anonymous whistleblowing.<br />
A defining characteristic of fraud is that such acts are deliberate. Frauds are not errors caused by bad luck or incompetence. Individuals acting alone or with others usually have a need or an incentive (motivation) to commit fraud (such as economic or social hardship, ambition, or duress), identify an opportunity to take an unfair and unwarranted advantage of<br />
circumstances (unethical and often but not always illegal), and tend to provide a rationalization to themselves and anyone else (such as when they are caught) in terms of their needs or perceived entitlement (“everyone else is doing it,” “the organization deserves it for having weak controls,” “it’s only $100,” “I need it more than they do,” “it’s a victimless crime,” etc.). Often individuals start committing fraud with a small value or with the intention of only doing it once, but the temptation and the rationalization increase. Motivation, opportunity, and rationalization are the key elements of the fraud risk triangle and provide a basis for considering appropriate controls for each of these dynamics. Organizations must:<br />
• Reduce motivation (through ethical training and by addressing signs of stress).<br />
• Limit opportunity (through awareness raising and segregation of incompatible duties, for example).<br />
• Combat potential rationalization (through being seen to take fraud seriously, dealing with incidents fairly and swiftly, and providing fair compensation to all).<br />
Figure: Controls for the Primary Causes of Fraud (based on the Cressey Fraud Risk Triangle)<br />
The IIA Practice Guide: Internal Audit and Fraud – Assessing Fraud Risk Governance and Management at the Organizational Level distinguishes three aspects an internal auditor must be aware of when evaluating risks and controls:<br />
• Fraud risks – the potential for fraud (which is ever-present).<br />
• Fraud schemes – active plans by individuals or groups to commit fraud.<br />
• Fraud events – where fraud has been committed. 56<br />
56 IIA Practice Guide: Internal Audit and Fraud – Assessing Fraud Risk Governance and Management at the Organizational Level, 2nd edition, 2022.<br />
Internal auditors have an important role to play in raising fraud risk awareness, helping to reduce the likelihood and impact of fraud, and supporting the identification of fraud schemes and events. The following extracts from the Standards illustrate the role and its limits.<br />
1210.A2 Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. 57<br />
1220.A1 Internal auditors must exercise due professional care by considering the:<br />
• …<br />
• Probability of significant errors, fraud, or noncompliance. 58<br />
2060 Reporting [by the chief audit executive] must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board. 59<br />
As part of a regular audit engagement, internal auditors should:<br />
• Gather information to understand the purpose and context of the engagement, as well as the governance, risk management, and controls relevant to the area or process under review. Information may be drawn from multiple sources, including previous audit engagements, reports from specialist investigators (such as fraud examiners, external auditors, and financial inspections), interviews, external research of similar situations, and fraud risk and control models and benchmarks.<br />
• Brainstorm fraud scenarios to identify potential fraud risks.<br />
• Assess the identified fraud risks to determine which risks require further evaluation during the engagement. 60<br />
Certain red flags should alert the internal auditor to the potential for fraud. These may include:<br />
Potential Red Flags for Fraud, by type of issue:<br />
Give-away phrases used:<br />
• “As a work around …”<br />
• “Just this one time …”<br />
• “I have always done it this way.”<br />
• “Once in a while we …”<br />
• “Off the record …”<br />
• “There are no policies or procedures for this process.”<br />
• “Someone told me to do it this way; however, I am not sure why.”<br />
• “This is really how it is done.”<br />
• “The way it is supposed to work …”<br />
Management Issues:<br />
• Lack of area expertise.<br />
• Lack of supervision.<br />
• History of legal violations.<br />
Personnel Issues:<br />
• Lack of background checks.<br />
• Dissatisfied employees.<br />
• Unwillingness to share duties.<br />
Process Issues:<br />
• Duties not segregated.<br />
• Poor physical security.<br />
• Poor access controls. 61<br />
57 The International Professional Practices Framework, The IIA, 2016.<br />
58 The International Professional Practices Framework, The IIA, 2016.<br />
59 The International Professional Practices Framework, The IIA, 2016.<br />
60 IIA Practice Guide: Engagement Planning – Assessing Fraud Risks, The IIA, 2017.<br />
Guidance published by the World Bank Group identifies examples of internal frauds perpetrated by employees:<br />
• Procurement fraud (e.g., false invoicing, credit card misuse, manipulations in the procurement process or procuring low quality items, receiving kickbacks for referring contract work to related parties).<br />
• Theft and skimming (e.g., removing and selling inventory, cash, consumables, or information, fraudulent acceptance of goods and services, and receiving compensation without reporting transactions).<br />
• Fraudulent expenditure claims (e.g., using false receipts to claim travel and accommodation allowances).<br />
• Payroll fraud (e.g., adding fake employees to the payroll or claiming overtime for hours not worked). 62<br />
Accounting fraud, money laundering, and tax evasion can be added to this list.<br />
When internal auditors suspect fraud, great care needs to be taken. The organization requires well-defined procedures to follow in such circumstances. In some cases, the internal auditor is expected to pass over the evidence giving rise to a suspected fraud to investigators or law enforcement to pursue. Auditors may be asked to be witnesses or provide other evidence. The careful preservation of papers and audit trails is extremely important. In some organizations, internal auditors are expected to investigate fraud, but as with all activities this should only occur where individuals have the competency to do so.<br />
61 IIA Practice Guide: Engagement Planning – Assessing Fraud Risks, The IIA, 2017.<br />
62 Public Sector Internal Audit: Focus on Fraud, Center for Financial Reporting Reform, World Bank Group, 2017.<br />
C.3.2 Information Technology<br />
IIA Internal Audit Competency Framework<br />
Information Technology:<br />
General Awareness: Describe the basic concepts of IT and data analytics. Describe the various risks related to IT, information security, and data privacy. Recognize the purpose and applications of IT control frameworks and basic IT controls.<br />
Applied Knowledge: Apply data analytics and IT in auditing. Identify and assess various risks related to IT, information security, and data privacy. Apply IT control frameworks.<br />
Expert: Evaluate the use of data analytics and IT in auditing. Recommend actions to address IT risks, information security, and data privacy. Evaluate the use of IT control frameworks. 63<br />
IT audit is no longer the exclusive preserve of specialists. Information technology is utilized universally across departments and forms a part of most procedures. Hence, all internal auditors need to be able to recognize IT risks and evaluate the effectiveness of controls.<br />
IT creates many opportunities and threats for organizations. It is used as a tool to provide services to clients and support routine operations, including controls. IT usage includes:<br />
• Routine storage, access, and manipulation of large amounts of data, presenting potential issues for data privacy and protection.<br />
• Wide usage and availability of mobile phones, tablets, laptops, memory sticks with huge storage capacity, and other personal devices.<br />
• Ready access to “big data” and the potential for continuous auditing.<br />
• The increasing use of data analytics.<br />
• Social media for personal and business use.<br />
• Cloud computing for flexible storage and access.<br />
• Blockchain.<br />
• Artificial intelligence, machine learning, and virtual reality.<br />
• Online receipts, payments, and banking.<br />
IT tools and techniques are also available for internal auditors to assist with planning, communication, testing, remote observation, analysis, and follow up. (This is covered in more detail in T2: Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis.)<br />
IT creates key risk areas for organizations, including:<br />
• Compliance risks (especially for data privacy and protection).<br />
• Reputational damage and erosion of trust by citizens, service users, vendors, donor organizations, and others.<br />
• Financial penalties.<br />
• Operational disruption.<br />
• Skills gaps and shortages.<br />
63<br />
Internal <strong>Audit</strong> Competency Framework, The IIA, 2022.<br />
64
Risk management techniques can be applied to IT risks, although specialist frameworks and standards have been developed that define best practices and reflect the complexity of the area. IT is subject to rapid development, and service users (including the staff who operate systems supported by IT) are likely to have high expectations. Customer online experiences with companies like Amazon reduce our tolerance of anything less effective or user-friendly.<br />
Internal auditors are expected to account for IT risks in every engagement.<br />
Standard 2110 – Governance<br />
2110.A2 The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.<br />
Standard 2120 – Risk Management<br />
2120.A1 The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems.<br />
Standard 2130 – Control<br />
2130.A1 The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems. 64<br />
Internal auditors should identify IT risks within audits and evaluate the effectiveness of management responses to them. There should be appropriate expertise to enable the internal audit function to consider all IT risks, although not all auditors need to be specialists. Where the expertise is lacking within the team, the head of the function will need to draw on other sources to provide the desired level of assurance to senior management and the governing body. A risk management framework such as COSO Internal Control – Integrated Framework may be used to support auditors in developing audit objectives and plans, undertaking testing and analysis, and formulating conclusions. Specialist standards may also be used to guide the work of internal audit and serve as a benchmark for expected practice.<br />
There are two main classes of IT controls, namely general controls and application controls. General controls operate at the most fundamental level and work to ensure the integrity of IT outputs. Application controls are fully automated and are designed to ensure the correctness of processing throughout the system.<br />
64 The International Professional Practices Framework, The Institute of Internal Auditors, 2016.<br />
Class of IT Controls – Examples<br />
General Controls:<br />
• The organizational and IT control environments.<br />
• Technical-support policies and procedures.<br />
• Policies and processes for change management.<br />
• Procedures for source code/document version control.<br />
• Standards for the software development lifecycle.<br />
• Hardware/software configuration, installation, testing, management, standards, policies, and procedures.<br />
• Security policies, standards, and processes.<br />
• Procedures and policies for incident management.<br />
• Procedures for back-up and disaster recovery.<br />
Application Controls:<br />
• Authentication.<br />
• Authorization.<br />
• Change management.<br />
• Completeness checks.<br />
• Identification.<br />
• Input controls.<br />
• Problem management.<br />
• Validity checks.<br />
The relationships among the classes of IT controls are shown in the following graphic, adapted from GTAG: Information Technology Risks and Controls, The IIA, 2012: 65<br />
Figure: Types of IT Controls<br />
65 GTAG: Information Technology Risks and Controls, The IIA, 2012.<br />
IT controls may be manual, automated, or semi-automated. A useful article by AuditBoard makes the distinction clear:<br />
Automated controls are ideal in situations with high-volume, uniform transactions. In this case, there is little need for manual intervention or judgment. Automated controls include the risk of relying on inaccurate systems and data or putting trust in an inappropriate automation algorithm.<br />
Manual controls are preferred when there is a need for human judgment. The need for manual controls often arises when there is a low volume of transactions that require discretion in deciding the outcome of the internal control process. Manual controls run the risk of human error and intentional override.<br />
A third control category also exists, called semi-automated controls, sometimes referred to as IT-dependent controls. With this type of automated control, human intervention is still required, but the person’s action is dependent on the output of a system. 66<br />
In addition, the process of testing controls can be automated with significant benefits, as described by EY:<br />
• Increased operational efficiency (compared with manual controls and risk compliance processes that may be “fragmented, siloed, and unsustainable”).<br />
• Reduced compliance costs associated with manual effort, time, and errors.<br />
• Improved controls assurance, allowing for high volume, high accuracy, and live insights.<br />
• Continuous controls improvement, making the shift “from controls testing as a compliance exercise to a value-added program.” 67<br />
The advanced tools described in Module 2: Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis, section B.3.1, including data analytics, robotic process automation, artificial intelligence, machine learning, deep learning networks, and exploratory data analysis, can be used to enable automated controls testing.<br />
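The automated controls testing described above, as an added example that is not from the workbook or any of the sources it cites: a small Python script that re-implements three of the application controls from the table (completeness checks, authorization, validity checks) as repeatable tests run over a whole payments ledger rather than a sample, and returns exceptions for follow-up. The role table, approval limits and ledger rows are constructed, hypothetical data.

```python
"""Automated controls test over a payments ledger (added example, constructed data).

Three application controls from the IT controls table are re-implemented as
repeatable tests that run over the full population of records:
  - completeness: every required field is present on every record;
  - authorization: the approver holds the approver role and is not the creator;
  - validity: the amount is a positive number within the approver's limit.
"""
from typing import Any, Dict, List

# Constructed role table (hypothetical): users holding the approver role
# and the maximum amount each may approve.
APPROVER_LIMITS: Dict[str, float] = {"bsmith": 50_000.0, "cjones": 10_000.0}

# Fields the input control requires on every payment record.
REQUIRED_FIELDS = ("id", "created_by", "approved_by", "vendor", "amount", "currency")

# Constructed sample ledger; only P-1001 should pass all three tests.
SAMPLE_LEDGER: List[Dict[str, Any]] = [
    {"id": "P-1001", "created_by": "alice", "approved_by": "bsmith",
     "vendor": "ACME", "amount": 12_000.0, "currency": "EUR"},
    {"id": "P-1002", "created_by": "cjones", "approved_by": "cjones",
     "vendor": "ACME", "amount": 800.0, "currency": "EUR"},
    {"id": "P-1003", "created_by": "alice", "approved_by": "dlee",
     "vendor": "Globex", "amount": 300.0, "currency": "EUR"},
    {"id": "P-1004", "created_by": "alice", "approved_by": "",
     "vendor": "", "amount": 500.0, "currency": "EUR"},
    {"id": "P-1005", "created_by": "alice", "approved_by": "cjones",
     "vendor": "Initech", "amount": 15_000.0, "currency": "EUR"},
    {"id": "P-1006", "created_by": "alice", "approved_by": "bsmith",
     "vendor": "Initech", "amount": -20.0, "currency": "EUR"},
]


def finding(row: Dict[str, Any], control: str, issue: str) -> Dict[str, str]:
    """One exception: which record, which control failed, and why."""
    return {"id": row.get("id") or "<no id>", "control": control, "issue": issue}


def check_completeness(row: Dict[str, Any]) -> List[Dict[str, str]]:
    """Completeness check: every required field present and non-empty."""
    missing = [f for f in REQUIRED_FIELDS if row.get(f) in (None, "")]
    return [finding(row, "completeness", "missing " + ", ".join(missing))] if missing else []


def check_authorization(row: Dict[str, Any]) -> List[Dict[str, str]]:
    """Authorization check: approver holds the role and did not create the record."""
    approver = row.get("approved_by")
    if not approver:
        return []  # a missing approver is already reported by the completeness check
    findings = []
    if approver == row.get("created_by"):
        findings.append(finding(row, "authorization", "creator approved own payment"))
    if approver not in APPROVER_LIMITS:
        findings.append(finding(row, "authorization", f"{approver} does not hold approver role"))
    return findings


def check_validity(row: Dict[str, Any]) -> List[Dict[str, str]]:
    """Validity check: amount is a positive number within the approver's limit."""
    amount = row.get("amount")
    if not isinstance(amount, (int, float)) or isinstance(amount, bool) or amount <= 0:
        return [finding(row, "validity", f"amount {amount!r} is not a positive number")]
    limit = APPROVER_LIMITS.get(row.get("approved_by") or "")
    if limit is not None and amount > limit:
        return [finding(row, "validity", f"amount {amount:.2f} exceeds approver limit {limit:.2f}")]
    return []


CHECKS = (check_completeness, check_authorization, check_validity)


def run_controls_tests(ledger: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Run every check over the whole population; return findings, clean ids and counts."""
    findings: List[Dict[str, str]] = []
    clean: List[str] = []
    for row in ledger:
        row_findings = [f for check in CHECKS for f in check(row)]
        findings.extend(row_findings)
        if not row_findings:
            clean.append(row["id"])
    summary: Dict[str, int] = {}
    for f in findings:
        summary[f["control"]] = summary.get(f["control"], 0) + 1
    return {"findings": findings, "clean": clean, "summary": summary}


if __name__ == "__main__":
    result = run_controls_tests(SAMPLE_LEDGER)
    for f in result["findings"]:
        print(f"{f['id']}  {f['control']:<14} {f['issue']}")
    print("clean:", result["clean"], "summary:", result["summary"])
```

Each finding names the record, the control that failed and the reason, which is the evidence an auditor needs to pursue the exception with management; running the same checks on every extract makes the test continuous rather than a one-off sample.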
C.3.3 Cybersecurity<br />
IT is not just something that might fail through error, poor practice, or bad luck; it also provides a target for deliberate and often malicious attacks. The IIA Cybersecurity Toolkit provides a checklist for undertaking cybersecurity audits, covering key areas to consider as part of the planning and testing stages:<br />
• Cybersecurity governance. (This is discussed in more detail in section A.4.)<br />
• Inventory of information assets (hardware, software, and data).<br />
• Standard security configurations (following best practices for key items of hardware and software).<br />
• Information access management (appropriate for each layer, i.e., application user, developer, administrator).<br />
• Proactive and preventive controls (e.g., malware detection, vulnerability scanning, penetration testing, and data encryption).<br />
• Response and remediation. 68<br />
66 Automated Controls Testing and SOX Testing, AuditBoard, 2016.<br />
67 Automated Controls Testing: a stepping-stone to the future of internal audit, EY, 2021. https://www.linkedin.com/pulse/automated-controls-testing-stepping-stone-future-internal-roffey/<br />
Cybersecurity is a key element of IT risk and focuses on how an organization protects its information assets (computers, networks, programs, and data) through the use of various technologies, processes, and practices. Cybersecurity risks arise from access to, damage to, and alteration of these assets, and from their availability, control, theft, and distribution.<br />
As with the management of fraud and IT risks, cybersecurity can be considered in the context of more general frameworks as well as specialized models. The guide COSO in the Cyber Age uses the COSO Internal Control – Integrated Framework as the basis for a review of cybersecurity risks and of how internal audit may review them.<br />
COSO Internal Control Element – Questions for Internal Audit to Consider<br />
Control Environment:<br />
• Does the board of directors understand the organization’s cyber risk profile, and is it informed of how the organization is managing the evolving cyber risks management faces?<br />
Risk Assessment:<br />
• Have the organization and its critical stakeholders evaluated its operations, reporting, and compliance objectives and gathered information to understand how cyber risk could impact such objectives?<br />
Control Activities:<br />
• Has the entity developed control activities, including general control activities over technology, that enable the organization to manage cyber risk within the level of tolerance acceptable to the organization?<br />
• Have such control activities been deployed through formalized policies and procedures?<br />
Information and Communication:<br />
• Has the organization identified information requirements to manage internal control over cyber risk?<br />
• Has the organization defined internal and external communication channels and protocols that support the functioning of internal control?<br />
• How will the organization respond to, manage, and communicate a cyber risk event?<br />
Monitoring Activities:<br />
• How will the organization select, develop, and perform evaluations to ascertain the design and operating effectiveness of internal controls that address cyber risks?<br />
• When deficiencies are identified, how are these deficiencies communicated and prioritized for corrective action?<br />
• What is the organization doing to monitor its cyber risk profile? 69<br />
68 Cybersecurity Toolkit, The IIA, 2021.<br />
69 COSO in the Cyber Age, COSO, 2015.<br />
The IIA’s Cybersecurity Toolkit describes internal audit’s contribution to cybersecurity governance through consideration of the main components of a governance model, as follows:<br />
• Board-level oversight: Confirm that the board of directors sees regular reporting on cybersecurity risks and risk mitigation activities.<br />
• Policies and procedures: Verify whether the significant processes described below are adequately covered in policies and procedures, and whether the guidance has been reauthorized within a reasonable time period.<br />
• Risk management: Determine whether management has conducted a comprehensive cyber risk assessment, covering all geographic areas of operation, business lines, etc.<br />
• Records and information management: Verify whether system architecture and data flow documentation is complete, accurate, and consistently retained.<br />
• Compliance: Determine whether IT and IS leaders have identified relevant external requirements and implemented controls to ensure the organization meets the standards.<br />
• Data classification: Confirm that a classification scheme has been defined and is recorded for all systems and databases.<br />
• Vendor management: Verify whether third-party risks have been assessed, and whether vendors that store or process sensitive data are subject to sufficient contractual, oversight, and technical controls.<br />
• Management reporting: Determine whether KPIs or KRIs have been defined for cybersecurity, and whether reporting is accurate and actionable.<br />
• Personnel: Determine whether IT and IS staffing is sufficient and has the expertise to deploy security tools and enforce policies. 70<br />
The IIA series Global Perspectives and Insights provides three-part guidance on cybersecurity. Among other things, the guidance emphasizes the importance of a collaborative approach to cybersecurity in which the internal auditor has an important role, placing particular importance on the relationship between internal audit and the senior manager charged with information security (the CISO). Oversight by the governing body is also critical. 71<br />
70 Cybersecurity Toolkit, The IIA, 2021.<br />
71 Global Perspectives and Insights – Cybersecurity in 2022, Parts 1-3, The IIA, 2022.<br />
C.3.4 Data Privacy<br />
There are strict requirements regarding data privacy. Although laws and regulations vary and continue to evolve, when someone provides an organization with personal data they generally have a right to:<br />
• Know the purpose for collecting the data.<br />
• Know what personal information an organization holds about them.<br />
• Control what information is collected and how it is used, including who has access to it.<br />
• Request the correction or deletion of any personal information held, at any time and for any reason.<br />
Organizations can find themselves operating outside of these requirements due to inadequate controls, for example where:<br />
• The processes used for data collection are poorly designed and maintained, and as a result the organization collects unnecessary, incomplete, or inaccurate information, or does not obtain appropriate permission from the owner of the personal data for its use and storage.<br />
• The organization allows data to be corrupted, stolen, or leaked, or shares it – contrary to the agreement with the data owner – with a third party that misuses it.<br />
• Data is stored beyond a permissible or useful period when it should have been deleted.<br />
Organizations must maintain awareness of internal and external requirements for data privacy, keep staff informed, and ensure policies and processes are regularly reviewed and kept up to date.<br />
C.3: Reflection<br />
Fraud:<br />
How are suspected frauds handled in your organization?<br />
Do internal auditors receive sufficient training?<br />
Are internal auditors involved in awareness raising about fraud risk?<br />
IT:<br />
How does your internal audit function ensure it has the skills and expertise needed to audit IT risks and controls?<br />
To what extent is automated controls testing utilized?<br />
Who in your organization takes the lead on managing IT risks?<br />
How does internal audit collaborate with and support those responsible for IT risk management?<br />
Cybersecurity:<br />
How does your internal audit function ensure it has the skills and expertise needed to audit cybersecurity risks and controls?<br />
Who in your organization takes the lead on managing cybersecurity risks?<br />
How does internal audit collaborate with and support those responsible for cybersecurity risk management?<br />
Data Privacy:<br />
Who in your organization takes the lead on managing data privacy risks?<br />
How does internal audit collaborate with and support those responsible for data privacy risk management?<br />
References and Additional Reading<br />
12 Principles of Good Governance, Council of Europe, 2008. https://www.coe.int/en/web/good-governance/12-principles<br />
APEC Economic Committee’s Good Practice Guide on Public Sector Governance, APEC, 2011. https://www.apec.org/docs/default-source/publications/2011/3/good-practice-guide-onpublic-sector-governance/2011_ec_good-practice-guidepsg.pdf?sfvrsn=7398b3dc_1<br />
Assessing the Effectiveness of Internal Control: PEMPAL Guidance for Public Sector Internal Auditors, PEMPAL, 2020. https://www.pempal.org/sites/pempal/files/IACOP/NEWSPAPER/iacop_assessing_the_effectiveness_of_internal_control_-_pempal_guidance.pdf<br />
Assessing Cybersecurity Risks: The Three Lines Model, The IIA, 2020. https://www.theiia.org/globalassets/documents/content/articles/guidance/gtag/gtagassessing-cybersecurity-risk.pdf<br />
Cybersecurity Toolkit, The IIA, 2021. https://www.theiia.org/globalassets/documents/content/tools/iia-member-certifiedcybersecurity-toolkit.pdf<br />
Automated Controls Testing: a stepping-stone to the future of internal audit, EY, 2021. https://www.linkedin.com/pulse/automated-controls-testing-stepping-stone-future-internal-roffey/<br />
Automated Controls Testing and SOX Testing, AuditBoard, 2016. https://www.auditboard.com/blog/automated-controls-and-sox-testing/<br />
COSO In the Cyber Age, COSO, 2015. https://www.coso.org/Shared%20Documents/COSOin-the-Cyber-Age.pdf<br />
Delivering Excellent Public Finance: CIPFA’s Whole System Approach to Public Financial Management, CIPFA. https://www.cipfa.org/policy-and-guidance/reports/whole-systemapproach-volume-1<br />
European Commission Staff Working Document: Albania 2022 Report, European Commission, 2022. https://neighbourhood-enlargement.ec.europa.eu/system/files/2022-10/Albania%20Report%202022.pdf<br />
Evaluating and Improving Governance in Organizations, IFAC, 2009. https://www.ifac.org/system/files/publications/files/IGPG-Evaluating-and-Improving-Governance.pdf<br />
Factsheet: Internal Audit Consulting, IIA Australia, 2022. http://www.iia.org.au/sf_docs/default-source/technical-resources/2018-factsheets/internal-audit-consulting.pdf?sfvrsn=2<br />
Global Perspectives and Insights – Cybersecurity in 2022, Part 1: How the New SEC Proposals Could Change the Game, The IIA, 2022. https://www.theiia.org/globalassets/site/content/articles/global-perspectives-and-insights/2022/global-perspectives--insights--cybersecurity-in-2022-parts-1-3/gpi_cybersecurity_in_2022_parts_1_3_final.pdf<br />
Global Perspectives and Insights – Cybersecurity in 2022, Part 2: Critical Partners — Internal Audit and the CISO, The IIA, 2022. https://www.theiia.org/globalassets/site/content/articles/global-perspectives-and-insights/2022/global-perspectives--insights--cybersecurity-in-2022-parts-1-3/gpi_cybersecurity_in_2022_parts_1_3_final.pdf<br />
Global Perspectives and Insights – Cybersecurity in 2022, Part 3: Cyber Incident Response and Recovery, The IIA, 2022. https://www.theiia.org/globalassets/site/content/articles/global-perspectives-and-insights/2022/global-perspectives--insights--cybersecurity-in-2022-parts-1-3/gpi_cybersecurity_in_2022_parts_1_3_final.pdf<br />
GTAG: Information Technology Risks and Controls, The IIA, 2012. https://www.theiia.org/en/content/guidance/recommended/supplemental/gtags/gtaginformation-technology-risk-and-controls-2nd-edition/<br />
Internal Audit Competency Framework, The IIA, 2022. https://www.theiia.org/globalassets/documents/standards/ia-competencyframework/2022-4103-sem-competency-framework-graphics-table_fnl.pdf<br />
IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019. https://www.theiia.org/globalassets/documents/resources/the-internal-audit-charter-ablueprint-to-assurance-success-august-2019/pp-the-internal-audit-charter.pdf<br />
IIA Practice Guide: Engagement Planning – Assessing Fraud Risks, The IIA, 2017. https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/engagement-planning-assessing-fraud-risks/pg-engagement-planning-assessingfraud-risks.pdf<br />
IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management, The IIA, 2009. https://www.theiia.org/globalassets/documents/resources/the-role-of-internalauditing-in-enterprise-wide-risk-management-january-2009/pp-the-role-of-internalauditing-in-enterprise-risk-management.pdf<br />
IIA Practice Guide: Formulating and Expressing Internal Audit Opinions, The IIA, 2009. https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/formulating-and-expressing-internal-audit-opinions/09523_pro-opinionspracguidefnl-lo-cx3.pdf<br />
IIA Practice Guide: Internal Audit and Fraud – Assessing Fraud Risk Governance and Management at the Organizational Level, 2nd edition, The IIA, 2022. https://www.theiia.org/globalassets/site/content/guidance/recommended/supplemental/practice-guides/practice-guide-internal-audit-and-fraud-2ndedition/pg_internal_audit_and_fraud_2nd_edition_final.pdf<br />
IIA Practice Guide: Unique Aspects of Internal Auditing in the Public Sector, The IIA, 2022. https://www.theiia.org/en/content/guidance/recommended/supplemental/practiceguides/unique-aspects-of-internal-auditing-in-the-public-sector/<br />
The IIA Three Lines Model, The IIA, 2020. https://www.theiia.org/globalassets/site/aboutus/advocacy/three-lines-model-updated.pdf<br />
Independent Audit Committees in Public Sector Organizations, The IIA, 2014. https://www.theiia.org/globalassets/documents/standards/independent-audit-committeesin-public-sector-organizations.pdf<br />
International Framework: Good Governance in the Public Sector, CIPFA, 2014. https://www.cipfa.org/policy-and-guidance/standards/international-framework-goodgovernance-in-the-public-sector<br />
The International Professional Practices Framework, The Institute of Internal Auditors, 2016. https://www.theiia.org/en/standards/international-professional-practices-framework/<br />
Law No 114/2015, Internal Auditing in Public Sector, Republic of Albania, 2015. https://track.unodc.org/uploads/documents/BRI-legal-resources/Albania/21_-Albania_Law_on_internal_auditing_in_public_sector_2016-03-17-EN.pdf<br />
Organizational Political Pressure and the Impact on Internal Audit, Patty Miller, 2017. https://na.eventscloud.com/file_uploads/dab848a33de87b2ec71fd1f0cb0b2321_GS-2-Politics-PattyMiller.pdf<br />
Public Sector Internal Audit: Focus on Fraud, Center for Financial Reporting Reform, World Bank, 2017. https://cfrr.worldbank.org/sites/default/files/2019-11/public_sector_internal_audit_fraud_pages.pdf<br />
Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value, Internal Audit Foundation, 2019. https://www.theiia.org/en/products/bookstore/sawyers-internalauditing-enhancing-and-protecting-organizational-value-7th-edition/<br />
Supplemental Guidance: The Role of Auditing in Public Sector Governance, The IIA, 2012. https://www.theiia.org/globalassets/documents/standards/public_sector_governance1_1_.pdf<br />
CIPFA: 77 Mansell Street, London E1 8AN<br />
+44 20 7543 5600<br />
cipfa.org<br />
CEF: Cankarjeva cesta 18, 1000 Ljubljana, Slovenia<br />
+386 1 369 61 90<br />
cef-see.org<br />
The Chartered Institute of Public Finance and Accountancy. Registered with the Charity Commissioners of England and Wales No 231060. Registered with the Office of the Scottish Charity Regulator No SCO37963.<br />