TIAPS Module 1 Audit and Assurance workbook

Module 1: Audit and
Assurance
TIAPS Albania 2023/24
1

2

Table of Contents
Module 1: Audit and Assurance ............................................................................................ 4
A. Internal Auditing’s Contribution to Good Governance ....................................................... 6
A.1 Public Sector Environment .......................................................................................... 6
A.2 Public Sector Governance ........................................................................................... 9
A.3 Governance Models ............................................................................................... 15
A.3.1 ISO 37000:2021 Governance of organizations – Guidance ................................ 15
A.3.2 The IIA’s Three Lines Model ............................................................................... 16
A.3.3 CIPFA International Framework: Good Governance in the Public Sector ............ 19
A.3.4 King IV Corporate Governance Report, 2016 ...................................................... 20
A.3.5 Examples of Best Practice in Public Sector Governance .................................... 22
B. Mandate, Independence, and Objectivity ........................................................................ 26
B.1 Importance of Independence and Objectivity ............................................................. 26
B.1.1 Independence, Objectivity, and the Code of Ethics ............................................. 29
B.1.2 Independence, Objectivity, and Competency ...................................................... 30
B.2 Internal Audit Mandate .............................................................................................. 32
B.3 Threats to Independence and Objectivity .................................................................. 36
B.4 Safeguards for Independence and Objectivity ........................................................... 39
C. Assurance and Advisory Engagements .......................................................................... 43
C.1 Characteristics of Assurance and Advisory Engagements ........................................ 43
C.1.1 Assurance Engagements .................................................................................... 46
C.1.2 Consulting (Advisory) Engagements ................................................................... 46
C.1.3 Assurance and Advisory Engagements Compared ............................................. 48
C.1.4 Blended Engagements ....................................................................................... 49
C.1.5 Internal Audit Opinions ....................................................................................... 51
C.1.6 Competencies Needed for Assurance and Advisory Engagements .................... 52
C.2 Auditing Governance................................................................................................. 55
C.3 Fraud, IT, and Cybersecurity ..................................................................................... 58
C.3.1 Fraud .................................................................................................................. 58
C.3.2 Information Technology ...................................................................................... 64
C.3.3 Cybersecurity ..................................................................................................... 67
C.3.4 Data Privacy ....................................................................................................... 70
References and Additional Reading .................................................................................... 72
3

Module 1: Audit and Assurance
Introduction
Module 1: Audit and Assurance examines how internal audit contributes to organizational
governance through assurance and advisory services. The module is organized as follows:
1A. Internal Auditing’s Contribution to Good Governance
A.1 Public Sector Environment
A.2 Public Sector Governance
A.3 Governance Models
1B. Mandate, Independence, and Objectivity
B.1 Importance of Independence and Objectivity
B.2 Internal Audit Mandate
B.3 Threats to Independence and Objectivity
B.4 Safeguards for Independence and Objectivity
1C. Assurance and Advisory Engagements
C.1 Characteristics of Assurance and Advisory Engagements
C.2 Auditing Governance
C.3 Fraud, IT, and Cybersecurity
References
Practice Questions
4

Relevant Standards
Reference is made throughout the TIAPS program to relevant international standards, principally
those of The Institute of Internal Auditors (IIA) included in the International Professional Practices
Framework (IPPF). Other standards and frameworks, most notably the COSO Internal Control –
Integrated Framework, are also noted where appropriate.
At the time of writing, The IIA is undertaking a major review of the IPPF with an expected period of
public exposure in 2023. The content of this module reflects the 2017 edition (published in 2016 and
effective from the start of 2017). Participants should anticipate major revisions to the structure and
content of the IPPF, although fundamental principles about the practice of internal auditing are
unlikely to change significantly. This program will be updated once the revisions to the IPPF are
finalized and formally introduced.
References and Additional Reading
References are given at the end of this module. Participants are encouraged to read these to provide
greater understanding of the topics. The items have been selected to complement the content
included in this module and to offer internal auditors relevant, practical guidance.
5

A. Internal Auditing’s Contribution to Good Governance
On completion of this section, students will be better able to:
• Identify factors impacting governance in the public sector.
• Define governance with reference to various models.
• Identify requirements for good governance in public sector environments.
• Describe how internal audit contributes to organizational governance.
A.1 Public Sector Environment
Internal auditors operating in a public sector environment face a range of conditions not
generally experienced by their private sector counterparts. The following features represent
a generalization not found in every public entity but are characteristic of many.
• High importance. Governments hold significant power. They impact the lives of all
citizens in many ways. They have access to a vast array of information and
resources. Consequently, the risks of errors, wastage, fraud, and corruption can be
hugely consequential, including the potential for abuses of privacy and misuse of
data, despoilation of environments, depletion of natural resources, economic and
social deprivation, military conflict, inadequate supply of energy and other utilities,
and weaknesses in the rule of law. The work of internal auditors in helping
administrations improve governance, risk management, and control could not be
more important.
• Limited resources. Resources tend to be limited because of continuous pressures on
public spending. Everyone is expected to do more with less. This is often particularly
true of unseen “back office” functions like internal audit whose overheads may be
regarded by many budget holders and uninformed members of the public as
inconsequential or unnecessary. Specialist skills for areas such as IT, cybersecurity,
and data analytics are often in short supply, especially when the private sector can
lure individuals away from the public sector with offers of higher rewards.
• Immature risk management processes. Risk management may be relatively
immature with fewer resources applied to risk and compliance functions. Awareness
and understanding of risk and control may also be relatively limited. In such
circumstances, internal audit may be expected to play a greater role in supporting
management to develop effective internal control or even to act as a quasi-second
line function (see section A.3.2 for consideration of the Three Lines Model.) In its
advisory capacity, supporting the development of public internal financial control is
an important internal audit service but care must be taken to safeguard
independence and objectivity (see section B).
6

• Close scrutiny. The activities of public entities are rightly subject to close scrutiny by
line ministries, financial inspectors, external auditors, the business community, and
the public. This includes the work of the internal audit function and the behavior and
actions of its members. Unlike external audit reports, those of the internal audit
function are not typically made available to the public, but the expectations placed on
internal auditors to serve the public interest as inspectors and watchdogs are
generally considerable. The public may not understand what an internal auditor
does, but when things go wrong, they are often caught in the firing line.
• Political environment. The public sector environment is, above all, a political one.
There is a cyclical change of leadership, policy, and organizational direction, and
internal audit is expected to keep up. The head of internal audit must anticipate
these frequent shifts when planning the timing and focus of engagements. They
must continuously rebuild relationships and carefully navigate politics to ensure
activities are appropriately focused on organizational purpose and the public good
rather than election cycles and the personal ambitions of public officials.
• Constraints on independence. Establishing and maintaining organizational
independence can be more challenging for internal audit functions in public entities
than it is in privately owned businesses. Often the distinction between executive and
non-executive leadership is less apparent. The head of internal audit may report to
an individual or a board comprising senior managers and political appointees. In
some cases, internal audit oversight may be fairly remote. Audit committees, where
such exist, may span multiple entities, especially where there is a centralized or
shared service provider for central or local government. In addition, the use of
outsourced or shared services may increase internal audit’s operational
independence at the expense of greater remoteness from and reduced familiarity
with the activities being audited.
• Legitimate restrictions in scope. The mandate of internal audit should allow the
function access to the people, data, and resources needed to complete its
engagements. Often in the private sector, this is interpreted as an “access all areas”
mandate. Restrictions on scope amount to a limitation on independence, keeping
internal audit away from areas the governing body does not wish to be scrutinized. In
the public sector, there can be legitimate reasons for reducing scope, especially in
the interests of national security.
These and other dimensions require careful handling by internal auditors and heads of audit
functions.
7

A.1: Reflection
Do you recognize these characteristics of the public sector in the environment in which
you work?
Are there additional features that need to be considered?
How do each of these characteristics impact your role as an internal auditor and
manager?
8

A.2 Public Sector Governance
IIA Internal Audit Competency Framework
Organizational Governance:
General Awareness: Describe the concept of organizational governance.
Applied Knowledge: Detect risks related to the organization’s governance policies,
processes, and structures.
Expert: Recommend improvements to the organization’s governance policies, processes,
and structures. 1
Internal audit adds value to its client organization when, among other things, it “strives to
offer ways to enhance governance.” 2 Governance can be understood in general terms as the
process of governing and is broadly about leading and controlling. It is defined by The
Institute of Internal Auditors (IIA) in the glossary of the International Professional Practices
Framework (IPPF) as:
The combination of processes and structures implemented by the board to inform,
direct, manage, and monitor the activities of the organization toward the achievement
of its objectives. 3
“Board” is used by The IIA to refer to the “highest level governing body” for an entity,
identifiable as the most senior decision-making authority. Public sector boards can take
many forms and “governing body” or alternatively “governing authority” is a more common
general term. Some government departments or ministries have a clearly defined board
whose membership may also include representatives of the private sector and civil society.
In a municipality or regional body, typically the council is the governing body in which the
mayor may act as both the equivalent of the chairman of the board and the chief executive
officer (CEO). In other situations, there is an executive director or manager who heads up
operations while the mayor is more of a political figurehead for the city. Generally, in public
entities where there is no immediately recognizable board or governing body, then governing
responsibilities may be assumed by one of the following:
• Head of the organization (minister, etc.) (i.e., a single person).
• External oversight committee which could take different forms (e.g., parliamentary
committee, government committee, committee represented by different ministries).
• Oversight by line ministry or a superior organization.
1
Internal Audit Competency Framework, The IIA, 2022.
2
Standard 2000 – Managing the Internal Audit Activity, International Professional Practices Framework, The IIA, 2016.
3
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
9

• Dual leadership: minister (political leader) plus secretary general (administrative
leader).
• Board of the agency/department represented by the executive only (with those
appointed within organization).
• Audit committees at the agency/department level with non-executive
directors/independent members.
• Audit committee centralized for the government.
• Thematic boards: e.g., internal control board led by a secretary general (or deputy).
• Dedicated unit or person in the presidential administration (where relevant) with
specific oversight responsibilities. 4
While the governing body leads on governance and is ultimately responsible for it, it is
perhaps more accurate to say governance is implemented collectively and collaboratively by
the governing body, management, and internal auditing, although in different ways.
Governance occurs at every level of an organization at which decision-making takes place
no matter how minor because all decisions contribute to success (or lack thereof). This view
of governance is consistent with CIPFA’s model elaborated in the Whole System Approach
to Public Financial Management. 5
There are three important elements in The IIA definition of governance.
• Processes and structures. Governance includes not only activities undertaken by an
organization but also the way in which those activities and its resources are
organized.
• Inform, direct, manage, and monitor. Governance is part of a continuous cycle of
input and feedback. Internal and external information informs decisions, actions are
executed, and outcomes are achieved that then inform future decisions.
• Achievement of objectives. The purpose of governance is organizational success.
Governing bodies in the public sector may be comprised wholly of independent members
without executive responsibilities or may combine executive and non-executive members.
The non-executive responsibilities may be characterized as those:
• Contributing to strategy by bringing a range of perspectives to strategy development
and decision making.
• Making sure that effective management structures and processes are in place, and
that there is an effective team at the top level of the entity.
• Holding the executive to account for performance in fulfilling the responsibilities
delegated to it by the governing body, including thorough purposeful challenge and
scrutiny. 6
4
Assessing the Effectiveness of Internal Control: PEMPAL Guidance for Public Sector Internal Auditors, PEMPAL, 2020
5
See Delivering Excellent Public Finance: CIPFA’s Whole System Approach to Public Financial Management
6
International Framework: Good Governance in the Public Sector, CIPFA, 2014
10

The need for governance arises for two main reasons.
• Accountability. Public sector organizations are managed and led by officials for and
on behalf of citizens. Public resources (money, labor, buildings, land, and other
assets) are used to serve a particular purpose for the common good. Those assigned
to administer those services – whether by election or appointment – have an
obligation to the public to act as diligent stewards of public resources and do
whatever is reasonable to achieve the best outcomes. In many cases, officials take
an oath of office to this effect. Being accountable entails public officials are open to
scrutiny for their behavior and performance and will receive due recognition or
admonishment accordingly. This requires transparency through honest and reliable
reporting together with mechanisms (enforced by the rule of law) for apportioning
rewards and punishments (which may include no longer being able to serve in a
public position) as appropriate.
• Uncertainty. Governance is also required because there are no guarantees wellintentioned
actions will yield desirable results. Resources and systems are finite and
imperfect. People are subjective in their thinking, limited in their knowledge and
reasoning, and unreliable in their behavior. Circumstances are complex, changeable,
interconnected, and chaotic, and ultimately unpredictable. All these factors create
uncertainty, and it is the impact of uncertainty – whether favorable or unfavorable –
on our efforts to achieve goals that is the origin of risk. According to ISO, risk is
simply defined as “the effect of uncertainty on objectives.” 7
Governance aims to restore confidence and trust by stakeholders as well as enabling
managers and leaders to navigate uncertainty by making better decisions based on a clearer
understanding. Accountability and uncertainty are unavoidable. They both require honest
endeavors based on sound judgments. Governance helps an entity fulfil its purpose
economically, effectively, efficiently, ethically, and sustainably.
• Economically: with the least amount of effort and resource, reducing – and ideally
eliminating – unnecessary costs of input.
• Efficiently: with the greatest amount of output, minimizing – and ideally eliminating –
inferior or defective results.
• Effectively: with the greatest success in achieving desired outcomes and value.
• Ethically: in accordance with accepted norms of behavior.
• Sustainably: in a manner that minimizes – and ideally eliminates – negative social
and environmental impacts.
Governance can be regarded in part as an attempt to address risks that exist in the
relationships between stakeholders and those assigned to manage affairs on their behalf.
This is an example of the classic principal-agent situation. In the public sector context,
citizens are the primary stakeholder (or principal) of organizations while elected and
appointed officials are the agents. As noted in A.1, the consequences of errors and abuse in
the management of public resources and pursuit of public policy can be considerable.
7
ISO 31000: Risk Management, 2018.
11

The principles of good governance can be applied holistically to an organization and to the
public sector in its entirety. They can also be considered in the context of an individual
project or initiative as well as groups of activities, such as IT governance, where matters are
sufficiently complex and/or important to require specific attention not just on completion of
tasks but also at a more strategic level. Governance takes account of factors such as risks,
stakeholder needs, long-term planning and resource requirements, laws and regulations,
and sustainability.
The distinction between managing and governing is not absolute. The concepts as well as
the roles of individuals tend to overlap. The chief executive officer (CEO) (i.e., secretary
general, executive director, deputy minister, or similar) often sits at the intersection of the
governing body and senior management. Most organizational responsibilities include some
decision-making as well as oversight of and responsibility for resources and their utilization,
including people and money. Monitoring and appropriate intervention are required by both
managers and directors. Governing bodies involve themselves to a greater or lesser extent
with both strategy and operations and are responsible for appointing (and firing) the CEO.
While accepting the likelihood of overlap, in general terms we can make the following
distinction:
Focus of Governance
• Overseeing
• Advising
• Guiding
• Developing strategy
• High level, long-term, big picture
perspective
• Non-executive decisions
Focus of Management
• Planning
• Directing
• Controlling
• Implementing strategy
• Operational, detailed, logistical
perspective
• Executive decisions
The expression “those charged with governance” is often used to allow for the many
differences that exist in how governance responsibilities are apportioned. It avoids arbitrarily
limiting governance duties to the governing body (however that may be constituted) as well
as removing the necessity of listing everyone who may be considered as holding
governance responsibilities. Both the expression and the success of governance rely on
clarity of exactly who is “charged with governance.” The primary stakeholders are assumed
– explicitly or implicitly – to be the ones to “charge” the governing body and others with
responsibility for governance and this links closely with the principle of accountability. When
public officials are using public resources to achieve something on behalf of the public, they
have a duty of care to the public for governance of those activities. Those charged with
governance have both legal and ethical duties.
12

Although developed for government at a local level, the Council of Europe’s 12 Principles of
Good Governance are relevant to most public sector bodies:
1. Participation, Representation, and Fair Conduct of Elections.
2. Responsiveness (to the expectations and needs of citizens.)
3. Efficiency and Effectiveness.
4. Openness and Transparency.
5. Rule of Law.
6. Ethical Conduct.
7. Competence and Capacity.
8. Innovation and Openness to Change.
9. Sustainability and Long-term Orientation.
10. Sound Financial Management.
11. Human Rights, Cultural Diversity, and Social Cohesion.
12. Accountability. 8
Albanian Context
The president of Albania is the Head of State and commander in chief while the prime
minister is the head of government. The highest executive authority rests with the prime
minister and the cabinet (Council of Ministers) while parliament is the head of legislative
power. The third branch – the judiciary – is independent from both the executive and
legislative branches.
Membership of the Council of Ministers includes ministers, deputy ministers, and secretaries
general. Ministries may have varied internal structures and numbers of subordinated entities
(known variously as directorates, agencies, centers, offices, authorities, academies,
inspectorates, institutes, commissions, committees, services, and more). A subordinated
entity is accountable to its line ministry.
For the purposes of government, Albania is divided into 12 administrative counties and 61
municipalities. Albania was granted EU candidate country status in 2014 and this is a major
driver for ongoing public administration reform at all levels as well as a impetus to implement
public internal financial control (PIFC). For more detail on PIFC, refer to Module T3
Accounting Fundamentals. In accordance with Albanian law, all public entities are required
to establish internal audit services, if not directly then via its superior institution (e.g., from
the Ministry to a subordinated entity), from another public unit, or by contracted services.
The head of the internal audit function should report to the head of the public unit. The
Minister is appointed by the Prime Minister, is politically accountable for performance, and is
the highest decision-making authority responsible for setting policy. The Secretary-General
is the most senior civil servant in charge of executing policy. These factors are relevant for
consideration and evaluation of internal audit independence.
8
12 Principles of Good Governance, Council of Europe, 2008.
13

A.2: Reflection
Consider the 12 Principles of Good Governance in the context of your organization. Assign a
score from 1-5 for each Principle where 1 is very low and 5 is very high.
Based on this assessment, how effective is governance in your organization?
What are the most important priorities for improvement?
Is there sufficient clarity in the distinction between governance (nonexecutive)
responsibilities and managerial (executive) responsibilities?
How can internal audit support organizational leaders in making such improvements?
14

A.3 Governance Models
When evaluating governance, internal auditors must consider whether the organization has
used “adequate criteria” for monitoring purposes.
If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal
auditors must identify appropriate evaluation criteria through discussion with management
and/or the board.
Types of criteria may include:
• Internal (e.g., policies and procedures of the organization).
• External (e.g., laws and regulations imposed by statutory bodies).
• Leading practices (e.g., industry and professional guidance). 9
To explore governance further we will consider four important models that may be said to
represent “leading practices,” although they must always be contextualized:
• ISO 37000:2021 Governance of organizations – Guidance.
• IIA Three Lines Model.
• CIPFA International Framework: Good Governance in the Public Sector.
• King IV Corporate Governance Report, 2016.
These models have many similarities. Corporate governance codes such as the King IV
Code, while being applicable primarily to private sector companies, are also very informative
for government entities.
A.3.1 ISO 37000:2021 Governance of organizations – Guidance
The ISO model places organizational purpose at its center. Purpose is informed by values
which also determine how the organization pursues its purpose.
Diagram based on
ISO 37000:2021
Governance of Organizations
9
Standard 2210 – Engagement Objectives, International Professional Practices Framework, The IIA, 2016.
15

Four foundational principles are at the heart of governance and are inter-related.
Value generation: Pursuit of purpose can be characterized as value creation, whether
that value is financial, nonfinancial, or both. Public sector entities share a common
purpose of serving the public good through the provision of direct and indirect services.
In creating value, they must manage their financial and other resources. State-owned
enterprises (e.g., publicly owned transportation, utilities, and broadcasting companies)
may operate as commercial or quasi-commercial organizations and compete on that
basis with their private sector counterparts but their purpose is still linked to public
service and any profits generated are used to subsidize costs to the public or for
investment in other public benefits.
Strategy: The purpose of an organization tends to be broad and may be satisfied in
different ways. It is necessary to develop strategies for fulfilling the purpose by
establishing and prioritizing goals and applying resources – which are always finite –
accordingly. Strategy typically is formed within a long-term perspective over multiple
years.
Accountability: As discussed in A.1, public officials are accountable in that they owe a
duty of care to their stakeholders – employees, suppliers, service users, taxpayers, and
citizens. That accountability needs to be realized through transparency and
consequences. Being held to account means accepting responsibility for behaviors,
decisions, and actions, and their ensuing impact, and receiving fair treatment on this
basis.
Oversight: As a consequence of accountability, those charged with governance will both
need and desire to exercise oversight. If you are going to be held to account, you will be
expected to oversee – and will have a vested interest in overseeing – what is taking
place and intervene as and when needed. Typically, a governing body is unable to
observe all activity directly. It relies on reports from management, internal auditors,
external auditors, and others. Members of the governing body will also ask searching
questions to satisfy their responsibilities and wishes for exercising oversight.
These foundational principles of governance are enabled by the primary governance
principles of leadership, stakeholder engagement, risk governance, the application of data to
inform decision-making, and social responsibility, all with the intention of achieving viability
and performance over time.
Finally, in the ISO model the governance outcomes are defined as effective performance,
responsible stewardship, and ethical behavior. Successful leadership and ethical leadership
are regarded as co-dependents.
A.3.2 The IIA’s Three Lines Model
The 2020 Three Lines Model is an update of the well-known three lines of defense. In
making the switch, the new model emphasizes the positive nature of governance, risk
management, and internal control in supporting organizational success in addition to the
16

defensive aspects to minimize negative impacts. The model also stresses the importance of
all key elements working together rather than operating in silos.
Governance is described as comprising three types of roles:
• Accountability.
• Actions.
• Assurance.
Figure: IIA Three Lines Model
This does not imply these roles need to be fully disaggregated and often teams and
individuals may have responsibilities combining two of these areas.
Accountability: The governing body is regarded as having ultimate accountability to
stakeholders for all aspects of the organization and its people. It must engage with
stakeholders to ensure clarity of purpose and provide honest reporting of performance,
position, and prospects. The governing body is also responsible for ensuring
management has the resources and structures needed to achieve the goals of the entity
and manage risks effectively. Lastly, the governing body must ensure there is
appropriate provision for independent assurance and advice through an internal audit
function.
Actions: The chief executive officer (CEO) leads the execution of actions and application
of resources in pursuit of organizational goals. In doing so, the CEO must take account
of risk by enabling risk management and internal control. First line roles are those
focused on providing products and services to clients as well as the enabling "back
office" support. Second line roles (such as risk management, compliance, legal counsel,
security, and financial control) are those with a specific focus on risk and control,
providing senior management with specialist support, expertise, monitoring, and
challenge on such matters. How resources and roles are allocated between first and
17

second line roles depends on many factors, including organizational size, complexity of
operations, culture, laws and regulations, external environment, skills and resources, and
the relative strength and maturity of internal auditing. In some cases, the head of risk
management reports directly to the governing body (rather than the CEO) and may be
required to do so by regulation. A degree of independence between those with first and
second line roles strengthens the effectiveness of risk management and internal control.
However, risk management and internal control remain the responsibility of management
and ultimately the CEO.
Assurance: The internal audit function provides management and the governing body
with independent and objective assurance and advice on the adequacy and
effectiveness of governance, risk management, and internal control. Independence
means being accountable to the governing body (directly or via an audit committee),
being free from interference by management and from responsibility for the activities
being audited, and having access to the resources, people, and information needed to
complete the work of the function. However, independence should not entail isolation.
Internal auditing must be fully aligned with the needs of the organization and supportive
of its purpose. Cooperation and collaboration with management are encouraged. The
head of the internal audit function (the chief audit executive) should engage with and
provide reports to senior management on a regular basis as well as communicating with
the governing body.
The Three Lines Model focuses primarily on the internal elements of an organization.
However, external assurance providers (principally the Supreme Audit Institution for
government entities, although other external service providers may be used subject to
statutory requirements) are also recognized as contributing to governance and the success
of organizations. The role of external audit is discussed in more detail in Module T3
Accounting Fundamentals.
Where governments are focused on implementing public internal financial control (PIFC),
financial and managerial control (FMC) and internal auditing are two of the central
components (the third being the Central Harmonization Unit (CHU)). This is strongly
reflective of the Three Lines Model in identifying control responsibilities as part of the role of
management and internal audit as an independent function. PIFC and FMC are discussed in
more detail in Module T3 Accounting Fundamentals. Countries seeking accession to the
European Union are required to satisfy, among other things, best practice standards,
frameworks, and policies relating to PIFC on a holistic sector-wide basis. These expectations
are detailed in Chapter 32 Financial Control of the EU requirements. These include:
• Effective and transparent management systems, including accountability
arrangements for the achievement of objectives.
• A functionally independent internal audit.
• Relevant organizational structures, including central co-ordination of PIFC
development across the public sector. 10
10
See, for example, the European Commission Staff Working Document: Albania 2022 report.
18

A.3.3 CIPFA International Framework: Good Governance in the Public
Sector
The Good Governance Framework is specifically designed for public sector entities “to
encourage better service delivery and improved accountability.” The definition of governance
used is similar to that of The IIA quoted in A.1.
Governance comprises the arrangements put in place to ensure that the intended
outcomes for stakeholders are defined and achieved. 11
Figure: CIPFA Good Governance Framework
The framework is intended to be applicable to individual entities as well as the public sector
system. It is based on seven principles:
I. Behaving with integrity, demonstrating strong commitment to ethical values, and
respecting the rule of law.
II. Ensuring openness and comprehensive stakeholder engagement.
III. Defining outcomes in terms of sustainable economic, social, and environmental
benefits.
IV. Determining the interventions necessary to optimize the achievement of the
intended outcomes.
V. Developing the entity’s capacity, including the capability of its leadership and the
individuals within it.
11
International Framework: Good Governance in the Public Sector, CIPFA, 2014
19

VI.
VII.
Managing risks and performance through robust internal control and strong public
financial management.
Implementing good practices in transparency, reporting, and audit, to deliver
effective accountability. 12
Principles A and B are at the core of public sector entities and ensure they operate in the
public interest. The other principles define the requirements for effective governance,
working together as a plan-do-check-act cycle (also known as PDCA).
A.3.4 King IV Corporate Governance Report, 2016
The King IV Corporate Governance Report 2016 incorporates a governance code for South
Africa. However, it is widely regarded as a leading global standard for governance for all
sectors. The report defines corporate governance as “the exercise of ethical and effective
leadership by a governing body towards the achievement of the
following governance outcomes: ethical culture, good performance, effective control, and
legitimacy.” This balance between integrity and effectiveness is a key feature. Doing good
and doing well are regarded as complementary rather than being in opposition.
The report sets four key responsibilities for the board:
• Steering and setting strategic direction.
• Approving policy and planning.
• Ensuring accountability.
• Overseeing and monitoring.
These are defined in more detail through 17 principles. These become the basis for
assessing the quality of governance. Since the model applies to all organizations, there is a
need to “adopt and adapt” according to size and other organizational needs.
1. Lead ethically and effectively.
2. Govern the ethics of the organization in a way that supports the establishment of an
ethical culture.
3. Ensure that the organization is and is seen to be a responsible corporate citizen.
4. Appreciate that the organization’s core purpose, its risks and opportunities, strategy,
business model, performance, and sustainable development are all inseparable
elements of the value creation process.
5. Ensure that reports issued by the organization enable stakeholders to make informed
assessments of the organization’s performance and its short, medium, and long-term
prospects.
6. Serve as the focal point and custodian of corporate governance in the organization.
7. Comprise the appropriate balance of knowledge, skills, experience, diversity, and
independence for it to discharge its governance role and responsibilities objectively
and effectively.
12
International Framework: Good Governance in the Public Sector, CIPFA, 2014
20

8. Ensure that its arrangements for delegation within its own structures promote
independent judgement, and assist with the balance of power and the effective
discharge of its duties.
9. Ensure that the evaluation of its own performance and that of its committees, its
chair, and its individual members support continued improvement in its performance
and effectiveness.
10. Ensure that the appointment of, and delegation to, management contribute to role
clarity and the effective exercise of authority and responsibilities.
11. Govern risk in a way that supports the organization in setting and achieving its
strategic objectives.
12. Govern technology and information in a way that supports the organization setting
and achieving its strategic objectives.
13. Govern compliance with applicable laws and adopted, non-binding rules, codes, and
standards in a way that supports the organization being ethical and a good corporate
citizen.
14. Ensure that the organization remunerates fairly, responsibly, and transparently so as
to promote the achievement of strategic objectives and positive outcomes in the
short, medium, and long term.
15. Ensure that assurance services and functions enable an effective control
environment, and that these support the integrity of information for internal decisionmaking
and of the organization’s external reports.
16. Adopt a stakeholder-inclusive approach that balances the needs, interests, and
expectations of material stakeholders over time.
17. [For institutional investor organizations] Ensure that responsible investment is
practiced by the organization and the creation of value by the companies in which it
invests. 13
In addition to these principles, the report includes recommended practices. For principle 15,
this includes a role for the audit committee and a separation of roles consistent with the
Three Lines Model (although King IV advocates for five lines of assurance, adding external
audit and the board as lines four and five respectively). Additionally, the report recommends
internal audit makes an annual statement on the effectiveness of governance and risk
management processes. This reflects the requirements of the IPPF (Standard 2100 – Nature
of Work):
The internal audit activity must evaluate and contribute to the improvement of the
organization’s governance, risk management, and control processes using a systematic,
disciplined, and risk-based approach. Internal audit credibility and value are enhanced
when auditors are proactive and their evaluations offer new insights and consider future
impact. 14
However, the requirement for annual reporting goes beyond Standard 2060 – Reporting to
Senior Management and the Board by which the CAE must report “periodically.” (Internal
audit opinions are discussed in more detail in C.1.5)
13
“Report on Corporate Governance for South Africa,” King IV, 2016.
14
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
21

A.3.5 Examples of Best Practice in Public Sector Governance
Governance is dependent on clarity and understanding regarding accountability.
An organization with effective internal accountability arrangements will have
management and staff who understand clearly their own roles, responsibilities and
powers and how they relate to others in the organization. Every public sector
organization needs to be headed by an effective Minister or board of directors to lead
and control the entity and monitor the executive management. The Minister or
Chairperson of the board of directors needs to have his role formally defined in writing to
include responsibility for providing effective strategic leadership and to ensure he
successfully discharges the overall responsibility for the organization’s activities. 15
Managerial accountability is discussed in detail in Module T2 Good Governance, Managerial
Accountability, Developing Strategy, and Data Analysis.
The following examples of best practices in public sector governance are based on the
APEC Economic Committee’s Good Practice Guide on Public Sector Governance. 16
Culture
The organization must demonstrate its commitment to strong governance, and this starts
with the “tone at the top.” Leaders and senior managers must lead by example. Good
practices include:
• Formal adoption of a good governance framework, principles, standards, etc. in
policy or by legislation.
• Adoption of a written code of ethics, values, and acceptable behavior.
• Implementation of procedures for enforcing acceptable behavior, including the need
for agreeing individual and team goals, monitoring, and reporting.
• Preparedness for addressing unacceptable behavior in a fair, consistent, and timely
manner.
• Training and awareness-raising to communicate and reinforce values.
• Commitment to improvement with measurable targets.
• Periodic audit of organizational culture.
Stakeholder Relationships
Engagement with internal and external stakeholders is a two-way process, ensuring all
parties are aware of the organization’s vision, mission, goals, and priorities and can
comment on and participate in its governance. Good practice includes:
• Regular engagement with internal and external stakeholders through systematic and
ad hoc arrangements.
• Regular and reliable two-way communications.
• Operation of appropriate virtual and in-person boards, panels, committees, and other
groups with representation from civil society, political leadership, the private sector,
service users, community groups, managers, and staff.
15
APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.
16
APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.
22

• Consideration of overlapping interests with other public sector bodies supported by
multi-agency and inter-departmental forums.
• Channels for timely processing of enquiries, complaints, and suggestions.
Compliance
Compliance and performance are typically viewed as the primary goals of governance.
Internal and external compliance requirements may be satisfied though reporting, including:
• Annual reporting to the legislative body.
• Electronic communications to external stakeholders via websites and other platforms.
• Circulation of audit reports to target audiences.
• Circulation of financial inspection reports.
Compliance risk management and other aspects of governance depend on several key
positions:
• Chief Executive Officer (CEO). The CEO should be accountable to the governing
body and may be a member of it but should not be its chair. In other words, the CEO
(for example, depending on the body: Secretary General, Deputy Minister, Executive
Director, or President), should participate in the development of policy and strategy
but should not also be the highest decision-making authority. The CEO is responsible
for performance by executing the policies set by the governing body and managing
those with first and second line roles.
• Chief Financial Officer (CFO). The CFO is normally a certified or chartered public
accountant and is responsible for advising the governing body and senior
management on all strategic financial matters as well for maintaining financial control
across the entity.
• Chief Compliance Officer (CCO). The CCO is responsible for advising the governing
body and senior management on strategic compliance risks and for maintaining
compliance risk management across the entity. Many public sector entities do not
have a CCO or other risk officers and these responsibilities are shared across the
senior management team and coordinated by the CEO.
• Audit committee. Best practices recommend an independent audit committee,
accountable to the governing body, to oversee the work of internal and external audit.
Planning and Performance Monitoring
Successful governance – much like internal control and risk management – relies on
documentation and communication. The APEC guidance recommends the following
processes and practices:
• A clear statement of the organization’s purpose that is communicated to all staff.
• A plan that describes the organization’s strategic priorities and objectives, consistent
with the organization’s purpose, which is updated annually.
• The systematic monitoring of financial and non-financial performance against the
organization's plan.
• The use of information generated from performance monitoring for external reporting
requirements and internal planning purposes.
23

Risk Management
Similar comments as those made in respect of compliance (see above) apply to risk
management more generally. It relies on the actions of multiple parties (most notably the
CEO, CFO, and a Chief Risk Officer or equivalent) together with the support of internal audit.
There may not be an individual or team with organizational responsibility for risk
management and so the task is shared among managers, blending first and second line
roles.
Information and Decision Support
The APEC guidance describes essential requirements for information and decision support:
• Standards for the creation and retention of public records, usually established by
legislation.
• Procedures within organizations to ensure the standards are met.
• Quality data, information, and analysis to inform decisions taken by government
boards and committees.
• The keeping of records of decisions established by government boards and
committees, including the points considered or discussed in reaching those
decisions. 17
Review and Evaluation
In the final element, the APEC guidance recognizes the importance of continuous
improvement to governance supported by review and evaluation.
• Ideally, governance arrangements should be reviewed in detail every year or two,
particularly when there is a significant event affecting or potentially affecting those
arrangements, such as a major legislative change or recommendations from a
government committee or an external auditor.
• An internal review led by the Minister or board of directors and/or executive
management would normally suffice. Occasionally, where an organization could
benefit from outside objectivity and expertise, a formal, externally facilitated review
should be conducted.
• The scope of the review may extend across the full range of the organization’s
activities or else be confined to a performance assessment of the Minister or board of
directors and/or executive management. In either instance, the fulfilment of both
performance and conformance objectives should be evaluated.
• Smaller and/or less complex organizations need not review their governance
arrangements as frequently or in as much depth as larger and more complex
organizations.
• Organizations with significant policy or operational risk need to review their
governance practices more frequently and more thoroughly.
• Results from the reviews of governance arrangement should be acted upon in a
reasonable timeframe 18
17
APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.
18
APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.
24

A.3: Reflection
Which model or models, if any, does your organization use to help define and implement
governance?
Which model or models, if any, do you or your internal audit function use to help evaluate
the effectiveness of organizational governance?
Which models could be the most beneficial in your organization and in what ways?
25

B. Mandate, Independence, and Objectivity
Learning Outcomes
On completion of this section, students will be better able to:
• Define minimum requirements for the internal audit mandate.
• Describe the purpose of the internal audit mandate.
• Evaluate audit independence and auditor objectivity.
• Identify appropriate means to safeguard independence and objectivity.
B.1 Importance of Independence and Objectivity
IIA Internal Audit Competency Framework
Organizational Independence:
General Awareness: Describe the importance of organizational independence of the internal
audit activity; identify the elements that affect independence.
Applied Knowledge: Detect any potential impairments to internal audit independence and the
impact.
Expert: Address any potential impairments to internal audit independence to achieve
conformance with the Standards; communicate the impact of any remaining impairments. 19
Individual Objectivity:
General Awareness: Describe the importance of internal audit objectivity; identify factors that
may impair, or appear to impair, objectivity.
Applied Knowledge: Detect and manage any real or perceived impairments to an individual
internal auditor’s objectivity; assess and maintain internal audit objectivity.
Expert: Develop and maintain policies that govern objectivity; recommend strategies to
promote objectivity. 20
The IPPF provides the most widely recognized definition of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity designed
to add value and improve an organization’s operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes. 21
19
Internal Audit Competency Framework, The IIA, 2022.
20
Internal Audit Competency Framework, The IIA, 2022.
21
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
26

Although they are related, the principles of independence and objectivity as defined by The
IIA are distinct. They also differ in detail from the definitions used by the International Ethics
Standards Board for Accountants (IESBA) and others.
In the IPPF, Standard 1100 – Independence and Objectivity makes clear an important
distinction:
The internal audit activity must be independent, and internal auditors must be objective
in performing their work. 22
Independence is a feature of the internal audit function (referred to as the “internal audit
activity” in the IPPF). Objectivity, on the other hand, is a facet of auditors. Standard 1100
provides the following interpretations:
Independence is the freedom from conditions that threaten the ability of the internal audit
activity to carry out internal audit responsibilities in an unbiased manner. To achieve the
degree of independence necessary to effectively carry out the responsibilities of the
internal audit activity, the chief audit executive has direct and unrestricted access to
senior management and the board. This can be achieved through a dual-reporting
relationship. Threats to independence must be managed at the individual auditor,
engagement, functional, and organizational levels.
Objectivity is an unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that no quality
compromises are made. Objectivity requires that internal auditors do not subordinate
their judgment on audit matters to others. Threats to objectivity must be managed at the
individual auditor, engagement, functional, and organizational levels. 23
To establish organizational independence, the head of the internal audit function (the chief
audit executive) “must report to a level within the organization that allows the internal audit
activity to fulfil its responsibilities.” The structures of public entities, including reporting lines
for the head of the internal audit function, may be defined by legislation or policy. Reference
to a “dual-reporting relationship” in the Standards alludes to a desirable state in which the
head of internal audit reports functionally to (i.e., is accountable to and overseen by) the
governing body, either directly or via an audit committee. Functional reporting involves a
substantive relationship in which the governing body is the de facto line manager of the head
of internal audit with responsibility for appraising performance as well as hiring and firing.
The governing body should approve the internal audit charter, the audit plan, and budget,
and receive and consider reports from the head of internal audit. This is in addition to the
head of internal audit’s administrative reporting relationship with a member of senior
management, ideally the CEO, for routine matters. The head of internal audit should provide
reports to both senior management and the governing body regarding significant findings
and insights on governance, risk management, and internal control.
22
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
23
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
27

To establish individual objectivity requires that auditors have “an impartial, unbiased attitude
and avoid any conflict of interest.” This involves adhering to a code of ethics and
professional standards, maintaining professional competency, and applying due professional
care and professional skepticism. It also means auditors must be part of an independent
internal audit function.
The requirements for independence and objectivity are summarized below.
Requirements for the Independence of
the Internal Audit Function
• Internal audit mandate (as defined in
charter or legislation).
• Access to necessary people, resources,
and information.
• Freedom from interference.
• Functional reporting by head of internal
audit to an appropriate level in
organization (ideally governing body).
• Administrative reporting to senior
management (ideally CEO).
• Application of safeguards for
independence when threatened.
Requirements for the Objectivity of
Internal Auditors
• Independence of internal audit function.
• Freedom from conflicts of interest.
• Competency.
• Objective mindset.
• Professional skepticism.
• Due professional care.
• Unwavering integrity.
• Adherence to professional standards.
• Application of disciplined and
systematic procedures.
The internal audit mandate and charter are discussed in B.2. Independence and objectivity –
including the appearance of independence and objectivity – are important for the credibility
and authority of the internal audit function and of individual auditors. It should be clear to
internal and external stakeholders that the opinion of the internal audit function is reliable
and has not been concocted to suit the personal interests of auditors, managers, or
members of the governing body. Internal audit provides transparency through an unbiased
and insightful assessment of past, current, and future circumstances. This enables:
• Managers to make well-informed decisions.
• Members of the governing body to exercise oversight and intervene where
necessary.
• External stakeholders to trust in reports regarding the organization’s performance,
position, and prospects and so hold managers and leaders to account.
If the internal audit function is not sufficiently independent of management, it becomes
indistinguishable from a second line unit. In this capacity it can provide value but is robbed of
its distinct characteristic. Its authority is subordinated to senior management and its scope
and capacity potentially limited. The findings and recommendations of auditors whose
objectivity is or appears to be impaired can be disregarded or dismissed more easily. Trust is
established on the basis that internal auditors operating outside of the management
structure, and there is confidence their recommendations are made in the best interests of
the organization.
28

B.1.1 Independence, Objectivity, and the Code of Ethics
IIA Internal Audit Competency Framework
Ethical Behavior:
General Awareness: Describe the importance of a code of ethics for internal auditors;
identify the principles of The IIA’s Code of Ethics.
Applied Knowledge: Demonstrate individual conformance with The IIA’s Code of Ethics.
Expert: Assess the internal audit activity’s conformance with The IIA’s Code of Ethics;
recommend strategies to maintain and promote the highest ethical standards for internal
auditors and the internal audit activity. 24
Unflinching adherence to an ethical code is a hallmark of a true professional. It is also
essential for establishing trust in internal auditing. Auditors must ensure their integrity,
objectivity, confidentiality, and competency. In fact, the principle of auditor objectivity is
considered so important it is found throughout the IPPF. Independence of the internal audit
function is also heavily referenced, as shown in the table below.
IPPF Elements
Reference to Auditor
Objectivity
Reference to
Independence of the
internal Audit Function
The Mission of Internal Auditing Yes No
Core Principles for the
Professional Practice of Internal
Auditing
Yes
Yes
Definition of Internal Auditing Yes Yes
Code of Ethics Yes No
International Standards for the
Professional Practice of Internal
Auditing
Yes
(1100, 1112, 1120, 1130,
2000, 2050)
Yes
(1100, 1110, 1112, 1130,
2060)
Organizations may have their own codes of ethics and conduct describing acceptable and
unacceptable behaviors. Auditors must demonstrate the highest levels of personal integrity.
It is sometimes easy to justify small breaches to ourselves, such as taking office supplies for
personal use, but to be beyond reproach requires faithful observance even of seemingly
insignificant expectations. Through self-awareness, peer review, and supervision, auditors
should continually reflect on their attitudes, behaviors, decisions, and actions to eliminate
any potential deviation from professional objectivity in the exercise of their duties.
24
Internal Audit Competency Framework, The IIA, 2022.
29

B.1.2 Independence, Objectivity, and Competency
IIA Internal Audit Competency Framework
Due Professional Care:
General Awareness: Describe due professional care.
Applied Knowledge: Demonstrate due professional care.
Expert: Evaluate and conclude on the application of due professional care. 25
Competency is a principle of the Code of Ethics and a prerequisite for maintaining
objectivity.
The IIA Competency Framework is discussed in more detail in section C.1.6.
25
Internal Audit Competency Framework, The IIA, 2022.
30

B.1: Reflection
Is it possible to be objective but not independent? Or independent but not objective?
Sometimes internal auditors are asked: you are employed by the organization, you are
familiar with its activities and individuals, so how can you be truly independent and
objective? How would you respond to such a challenge?
31

B.2 Internal Audit Mandate
IIA Internal Audit Competency Framework
Mission of Internal Auditing
General Awareness: Describe the purpose, authority, and responsibility of the internal audit
activity; distinguish between assurance and consulting services.
Applied Knowledge: Demonstrate ability to conduct both assurance and consulting
engagements in conformance with the Standards.
Expert: Review the internal audit activity’s ability to conduct both assurance and consulting
activities to add value and improve the organization’s operations. 26
Internal Audit Charter
General Awareness: Describe the purpose of an internal audit charter; identify the required
elements of an internal audit charter, according to the Standards.
Applied Knowledge: Prepare an internal audit charter in conformance with the Standards, and
receive approval from the board.
Expert: Evaluate and revise an internal audit charter to achieve conformance with the
Standards and promote world- class performance. 27
Reference has already been made to an internal audit charter and mandate. In the IPPF,
Standard 1000 – Purpose, Authority, and Responsibility states:
The purpose, authority, and responsibility of the internal audit activity must be formally
defined in an internal audit charter, consistent with the Mission of Internal Audit and the
mandatory elements of the International Professional Practices Framework. 28
The Mission of Internal Audit referred to is:
To enhance and protect organizational value by providing risk-based and objective
assurance, advice, and insight. 29
The IPPF does not refer to the mandate of internal audit. The authority and powers of the
internal audit function, especially for public entities, may be derived from legislation. In
principle, in accordance with the IPPF, the authority comes from the governing body. The
internal audit charter is a formal document approved by the governing body in which the
mandate is defined and should be reviewed and updated on a regular basis.
26
Internal Audit Competency Framework, The IIA, 2022.
27
Internal Audit Competency Framework, The IIA, 2022.
28
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
29
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
32

According to The IIA Position Paper: The Internal Audit Charter, the document should
contain the following:
• Internal audit mission and purpose.
• Reference to or inclusion of the mandatory elements of the IPPF by which the
internal audit function will be governed. (Recognizing the mandatory elements of the
IPPF in the charter is a requirement of Standard 1010 – Recognizing Mandatory
Guidance in the Internal Audit Charter.)
• Authority, clarifying the functional and administrative reporting relationships and the
role of the governing body in upholding the authority of the internal audit function.
• Independence and objectivity, ensuring the head of internal audit will safeguard the
independence of the function and the objectivity of auditors, applying safeguards
when required, and reporting threats and limits to independence and objectivity to
the governing when they arise.
• Scope to confirm the internal audit’s responsibility for providing assurance and
advice on the adequacy and effectiveness of governance, risk management, and
internal control.
• Responsibilities of the head of internal audit.
• Requirements for a quality assurance and improvement program, including an
external quality review at least once every five years. 30
Without sufficient authority, the internal audit function is unable to fulfil its mandate. Its work
may be obstructed by managers who are not interested or who would prefer to avoid scrutiny
for whatever reason. Internal audit may also be constrained by limited resources or by being
denied access to information it needs to complete its work. There is a close link between
authority and independence. The pronouncements of the internal audit function are more
likely to be considered authoritative if it operates independently but it is only able to do that if
it has sufficient force behind it, whether by legislation or the endorsement of the governing
body (ideally both).
According to the IIA, to ensure the internal audit function has sufficient authority, the
governing body (or audit committee) is expected to:
• Approve the internal audit charter.
• Approve the internal audit plan.
• Approve the internal audit budget and resource plan.
• Receive timely communications on performance relative to the internal audit plan.
• Approve the appointment and removal of the head of internal audit (typically in
response to discussions with and recommendations from senior management).
• Approve the remuneration of the head of internal audit (typically in response to
discussions with and recommendations from senior management).
• Make appropriate inquiries of management and the head of internal audit to
determine if there are any inappropriate scope or resource limitations.
• Ensure the head of internal audit has unrestricted access to, and can communicate
and interact directly with, the governing body without management present.
30
IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019
33

• Ensure the internal audit function has free and unrestricted access to all functions,
records, property, and personnel pertinent to carrying out any engagement, subject
to accountability for confidentiality and safeguarding of records and information. 31
The authority conferred on the internal audit function through its mandate as confirmed in the
charter and/or legislation carries with it reciprocal responsibilities for the head of the internal
audit function. These include:
• Submitting at least annually a risk-based internal audit plan.
• Communicating with senior management and the governing body the impact of
resource limitations on the plan.
• Ensuring the internal audit activity has access to appropriate resources regarding
competency and skill.
• Managing the activity appropriately for it to fulfill its mandate.
• Ensuring conformance with IIA Standards.
• Communicating the results of the internal audit function’s work and following up on
agreed-to corrective actions.
• Coordinating with other assurance providers.
• Reporting periodically on the results of quality assurance and improvement
program. 32
31
IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019
32
IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019
34

B.2: Reflection
When was the last time you reviewed the internal audit mandate?
Is the internal audit function able to fulfil all the responsibilities in its mandate?
What changes are needed either to strengthen the mandate or enable the function to
satisfy its responsibilities?
35

B.3 Threats to Independence and Objectivity
Threats to independence and objectivity occur when the requirements described in B.1 are
not in place or are under strain. An appearance of a lack of independence or a conflict of
interest can be just as much of an impairment as something more concrete.
Threats to independence may arise for the following reasons:
• The head of internal audit reports functionally to a senior manager with responsibility
for activities to be audited who tries to limit the scope or influence the findings of an
audit.
• The internal audit function’s resources are determined by a senior manager with
responsibility for activities to be audited who tries to limit the scope or influence the
findings of an audit.
• The head of internal audit has or has had recent responsibility for activities to be
audited by members of the internal audit function.
• The head of internal audit has limited access to the governing body to discuss any
topics of interest or concern freely without the presence of management who might
otherwise inhibit or deflect such discussions.
• The internal audit charter, approved by the governing body, specifically restricts the
internal audit function’s access to areas the governing body considers to be
“unimportant” or “too sensitive.”
Threats to objectivity may arise for the following reasons:
• Self-interest. The auditor stands to gain personally from a particular outcome of the
audit.
• Adverse interest. The auditor stands to lose personally from a particular outcome of
the audit.
• Duress: The auditor in some other way is under pressure to conduct or conclude the
audit in a particular way.
• Familiarity. The auditor is overly acquainted with the activity under review through
recent or extensive involvement.
• Self-review. The auditor is reviewing an area for which they have or have recently
had significant influence.
• Management participation. The auditor is responsible for the activity under review or
managers who are responsible are involved in undertaking parts of the audit.
• Advocacy threat. The auditor is acting or has recently acted as an advocate for those
responsible for the activity under review.
• Undue influence. The auditor in some other way has too much influence over the
activity, perhaps by virtue of close relationships.
• Lack of competence: The auditor may not be sufficiently skilled or experienced to
apply the necessary professional skepticism, open-mindedness, and disciplined
approach to ensure findings and recommendations are objective.
• Lack of independence of the internal audit function: The auditor is part of an internal
audit function whose independence is compromised.
36

When independence or objectivity are impaired (in fact or in appearance) this should be
disclosed to appropriate parties, especially with management and the governing body, in
accordance with Standard 1130 – Impairment to Independence or Objectivity.
The organizational environment in both the private and public sectors can be highly
politically charged and this can impact internal auditing. The function can be sidelined or
under-resourced as a way of limiting its scope and influence. The governing body may not
have time, skill, or inclination to provide adequate oversight and there may be no audit
committee to act as a champion for independent and impactful internal auditing. Pressure
may be applied on individuals to steer clear of certain areas or activities or to moderate their
findings and reports. Reports that identify significant weaknesses in politically sensitive
areas may be suppressed or “buried.” Former chair of The IIA Global Board of Directors
Patty Miller has written extensively on this topic and the need for auditors to have political
awareness and moral courage. 33
33
See, for example, Organizational Political Pressure and the Impact on Internal Audit, Patty Miller, 2017.
37

B.3: Reflection
Have you ever experienced a situation where you were discouraged (from within the
internal audit function or outside of it) from looking at an area or activity?
Have you ever been denied the necessary resources or access to people and data
needed to conduct your audit to the full extent of the engagement scope and objectives?
Have you ever been asked to change your report by “toning it down” or removing
inconvenient findings?
38

B.4 Safeguards for Independence and Objectivity
In accordance with Standard 1110 – Organizational Independence, “the chief audit executive
must confirm to the board, at least annually, the organizational independence of the internal
audit activity.” 34 If there is interference in determining scope, performing work, or
communicating results, “the chief audit executive must disclose such interference to the
board and discuss the implications.” 35
Certain safeguards to avoid or limit impairments to independence and objectivity and to
reduce the threat of impairment to an acceptable level are specified in Standard 1130 –
Impairment to Independence or Objectivity. These include:
• Internal auditors should not provide assurance for operations for which they were
responsible within the previous year.
• Assurance engagements for areas over which the head of internal audit has
responsibility should be overseen by a party outside of the internal audit function.
• Caution is required where auditors previously provided advisory services to ensure
this does not impair objectivity in an assurance engagement.
There are specific requirements when the head of internal audit is asked to assume
additional responsibilities that may impair independence and/or objectivity. Standard 1112 –
Chief Audit Executive Roles Beyond Internal Auditing states the following:
The chief audit executive may be asked to take on additional roles and responsibilities
outside of internal auditing, such as responsibility for compliance or risk management
activities. These roles and responsibilities may impair, or appear to impair, the
organizational independence of the internal audit activity or the individual objectivity of
the internal auditor. Safeguards are those oversight activities, often undertaken by the
board, to address these potential impairments, and may include such activities as
periodically evaluating reporting lines and responsibilities and developing alternative
processes to obtain assurance related to the areas of additional responsibility. 36
To identify impairments, it is necessary to consider the perspectives of stakeholders. The
appearance of impropriety can undermine trust. Close relationships with individuals do not
automatically weaken an internal auditor’s professionalism but can create an impression or
even an expectation of bias or “friendly” reporting. The same is true of strong familiarity with
an area of responsibility or activity. An auditor may well be capable of making an objective
assessment, but others may regard the audit work with some skepticism. Regular reminders
and training for internal auditors regarding independence and objectivity are important.
Requirements for maintaining independence and objectivity can also be reinforced through
policies, procedures, audit manuals, templates, and so on.
34
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
35
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
36
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
39

Examples of appropriate measures the head of internal audit may take to safeguard against
impairments and ensure sufficient independence and objectivity include the following:
• Discuss a perception of impairment with relevant parties to describe the controls in
place (such as policies, processes, supervision, and review of audit work) that would
minimize any actual impairment and so reduce concerns.
• Assign a sufficiently competent alternate auditor to an engagement to avoid a conflict
of interest in fact or appearance.
• Discuss an actual impairment with senior management and the board to seek
support and resolution, which may include noting and accepting the risk in the short
term while recruiting additional resource for future engagements or contracting with
an alternate auditor on a temporary basis from another public entity or external
agency.
• Reporting an impairment that has been identified after completion of an engagement
to the client and the governing body to consider its potential impact on the accuracy
and reliability of the conclusions, as required by Standard 2121 – Errors and
Omissions.
One of the more persistent threats to independence of the internal audit function in the public
sector is the absence of a functional reporting line by the head of internal audit to an
independent governing body, in some cases because such a body (or individual) does not
exist in the way envisaged by the IPPF. There may not be a duly constituted board and the
senior executive – as the de facto governing body – may act with little or no separation
between management and governance roles. Where there is a governing body, the
appointments to it may be directed by the government with political motivations or in
accordance with various conventions and practices that have little to do with providing
competent oversight of the entity and its internal audit function. Approval of the internal audit
plan and budget may be made by those with responsibilities for areas to be audited. In such
a position, the head of internal audit must be extra vigilant to maintain and demonstrate
independence in determining engagement priorities based on risk and organizational need.
In all cases, the head of internal audit must report on the status of independence of the
function. Peer review as part of the quality assurance and improvement program as well as
more regular external review can also be used to provide validation of independence.
Practice varies regarding the establishment of audit committees. For example, a city council
– as the governing body of a municipality – may meet periodically as an audit committee
such that the members of the council are also the members of the audit committee.
Alternatively, an audit committee may have a separate existence from the governing body
and act as an advisory panel with membership comprising other independent individuals.
Where a government has adopted the European Commission model for Public Internal
Financial Control (PIFC), the Central Harmonization Unit (CHU) may act as the audit
committee for multiple entities (although bandwidth constraints usually limit the role to
monitoring internal audit activity rather than findings.) PIFC is discussed in module T3
Accounting Fundamentals. In large complex public organizations, especially multilateral
bodies like the United Nations, but also for ministries with multiple subordinated entities,
there may be audit committees with oversight responsibilities of lower-level bodies reporting
to their respective governing authorities that are also coordinated by a higher-level
committee or board that considers all reports to ensure a coherent aggregated perspective.
40

In other cases, there is no audit committee and oversight is exercised directly by the
governing body.
Availability of resources can also be an issue for independence, including funding for
external quality reviews, required by the Standards at least once every five years. Where
small audit teams are faced with a large or complex audit universe, the head of the function
must make clear to the governing body the areas that cannot be covered and where
assurance cannot be provided. The audit plan must still prioritize engagements according to
risks and needs.
The nature of such threats to independence in the public sector may be political. Elected and
appointed officials may be seeking to extend their terms of office or establish their legacy
and are desirous of demonstrating favorable results. Communications are often “spun” in
such a way that the information is preferentially presented via generalizations, incomplete
truths, and omissions. Auditors may be asked directly or indirectly to tone down or refrain
from reporting what may be perceived as negative findings and conclusions in the interests
of maintaining favorable public or line ministry opinion. Internal auditors must demonstrate
strength of character and moral courage to resist such pressures.
41

B.4: Reflection
How would you rate the level of independence of your internal audit function in fact and in
appearance?
What steps could be taken to strengthen organizational independence?
What factors may weaken the objectivity of auditors in your internal audit function in fact
and in appearance?
What steps could be taken to strengthen individual auditor objectivity?
42

C. Assurance and Advisory Engagements
Learning Outcomes
On completion of this section, students will be better able to:
• Compare and contrast assurance and advisory engagements.
• Determine an appropriate balance of audit and advisory engagements.
• Identify competencies needed for assurance and advisory engagements.
• Plan an assurance engagement of organizational governance.
• Evaluate IT and cybersecurity risks and controls as part of an audit engagement.
• Evaluate the effectiveness of entity-wide risk management.
• Describe how internal audit contributes to an organization’s responsiveness to fraud,
IT, and cybersecurity risks.
C.1 Characteristics of Assurance and Advisory Engagements
IIA Internal Audit Competency Framework
Organizational Strategic Planning and Management:
General Awareness: Identify the risk and control implications of different organizational
structures. Describe the strategic planning process. Describe common performance
measures. Explain organizational behavior and performance management techniques.
Describe management’s effectiveness to lead and build organizational commitment.
Applied Knowledge: Evaluate the organization’s governance structure and the impact of
organizational structure and culture on the overall control environment and risk management
strategy. Analyze the organization’s strategic planning process. Examine performance
measures used by the organization. Examine existing organizational behavior and
performance management techniques. Examine management’s effectiveness to lead and
build organizational commitment.
Expert: Recommend improvements to the overall control environment and risk management
strategy. Recommend improvements to the organization’s strategic planning process. Select
appropriate performance measures. Recommend appropriate organizational behavior and
performance management techniques. Recommend actions to improve management’s
approach to leading and building organizational commitment. 37
The definition of internal auditing quoted in B.1 identifies it to comprise both assurance and
consulting services (the latter commonly referred to as advisory services). These terms are
both defined in the IPPF.
37
Internal Audit Competency Framework, The IIA, 2022.
43

Assurance Services
An objective examination of evidence for
the purpose of providing an independent
assessment on governance, risk
management, and control processes for the
organization. Examples may include
financial, performance, compliance, system
security, and due diligence engagements. 38
Consulting Services
Advisory and related client service
activities, the nature and scope of which are
agreed with the client, are intended to add
value and improve an organization’s
governance, risk management, and control
processes without the internal auditor
assuming management responsibility.
Examples include counsel, advice,
facilitation, and training. 39
The IPPF provides additional comment to help distinguish between these two types of
services.
Assurance services involve the internal auditor’s objective assessment of evidence to
provide opinions or conclusions regarding an entity, operation, function, process, system,
or other subject matters. The nature and scope of an assurance engagement are
determined by the internal auditor. Generally, three parties are participants in assurance
services: (1) the person or group directly involved with the entity, operation, function,
process, system, or other subject matter—the process owner, (2) the person or group
making the assessment—the internal auditor, and (3) the person or group using the
assessment—the user.
Consulting services are advisory in nature and are generally performed at the specific
request of an engagement client. The nature and scope of the consulting engagement
are subject to agreement with the engagement client. Consulting services generally
involve two parties: (1) the person or group offering the advice—the internal auditor, and
(2) the person or group seeking and receiving the advice—the engagement client. When
performing consulting services the internal auditor should maintain objectivity and not
assume management responsibility. 40
The internal audit charter or legislation should describe the services to be provided.
Assurance engagements are typically scheduled as a result of the head of internal audit’s
assessment of organizational risks and priorities and form part of the internal audit plan.
Consulting (or advisory) engagements tend to be agreed in response to requests from
management but may also be proposed by the internal audit function to address
opportunities for improvement where auditors can usefully lend their expertise. However, a
consulting engagement should not be accepted simply because it has been requested:
The chief audit executive should consider accepting proposed consulting engagements
based on the engagement’s potential to improve management of risks, add value, and
improve the organization’s operations. Accepted engagements must be included in the
plan. 41
38
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
39
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
40
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
41
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
44

It is common to build an allowance into the internal audit plan and budget for ad hoc
engagements which are non-periodic reactive assignments conducted at the entreaty of the
governing body, senior managers, external auditors, or the head of internal audit, and may
be an assurance engagement or advisory in nature. A change of internal or external
circumstances may require engagements to be added to the plan. The Covid 19 pandemic
led to significant redrafting of audit plans as priorities and operations were severely
disrupted.
One issue the head of internal audit must decide when creating the plan is an appropriate
balance of assurance and advisory engagements. The starting point is a risk-based
approach, meaning engagements are prioritized in response to organizational objectives and
risks. Standard 2010 – Planning directs the internal audit function as follows:
To develop the risk-based plan, the chief audit executive consults with senior
management and the board and obtains an understanding of the organization’s
strategies, key business objectives, associated risks, and risk management processes.
The chief audit executive must review and adjust the plan, as necessary, in response to
changes in the organization’s business, risks, operations, programs, systems, and
controls.
2010.A1 The internal audit activity’s plan of engagements must be based on a
documented risk assessment, undertaken at least annually. The input of senior
management and the board must be considered in this process.
2010.A2 The chief audit executive must identify and consider the expectations of senior
management, the board, and other stakeholders for internal audit opinions and other
conclusions.
2010.C1 The chief audit executive should consider accepting proposed consulting
engagements based on the engagement’s potential to improve management of risks,
add value, and improve the organization’s operations. Accepted engagements must be
included in the plan. 42
The assessment of risk needs to be independent, although the input of management and the
governing body should be considered.
There is no scientific formula for determining the right balance between assurance and
advisory engagements in the audit plan, but the following factors are relevant:
• Internal audit mandate and responsibilities (as defined in the charter or legislation).
• Roles previously adopted by the internal audit function.
• Strength of internal audit function independence.
• Organizational objectives and priorities.
• Internal and external risks (including new risks).
• The role of the governing body in providing oversight and level of engagement with
executive activity.
42
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
45

• Risk management maturity.
• Control weaknesses identified by internal audit.
• The focus of the external auditors and financial inspectors (to ensure coherent
coverage and minimize unnecessary duplication to the extent to which cooperation is
possible while maintaining independence and respective missions).
• Resources and skills available to the internal audit function.
• Internal audit function strategic plan.
C.1.1 Assurance Engagements
Assurance can be defined in terms of the examination and assessment processes deployed
by auditors to evaluate governance, risk management, and internal control. This is how it is
defined by the IPPF. “Assurance” also refers to the confidence provided by an assurance
engagement and the comfort derived from it by the client of assurance services.
Assurance as a form of confidence and comfort allows for the possibility of different degrees,
amounts, or levels, ranging theoretically from total and absolute assurance to the complete
absence of assurance. In practice, it is impossible to provide absolute assurance since the
scope of an audit is always limited to what was observed and concluded at that moment.
Other activities and conditions fall outside of the scope and circumstances continue to
change. Uncertainty will always remain. For that reason, external auditors may provide
reasonable or limited assurance, although this distinction is not made for internal auditors in
the IPPF. The IPPF refers to “reasonable assurance” only in the context of the purpose of
risk management and internal control, although it does not define the term. For example, risk
management is defined as:
A process to identify, assess, manage, and control potential events or situations to
provide reasonable assurance regarding the achievement of the organization’s
objectives. 43
“Limited assurance” is not referenced at all in the IPPF. While some internal auditors choose
to make the distinction between reasonable (or positive) assurance and limited (or negative)
assurance, these are more commonly terms used by external auditors. Internal audit
engagements may provide assurance based on “sufficient, reliable, relevant, and useful
information” to support conclusions and opinions (Standard 2310 – Identifying Information).
There is no allowance for anything that falls short of this requirement. The IIA guidance on
audit opinions does allow for distinctions in the level of assurance (see section C.1.5).
C.1.2 Consulting (Advisory) Engagements
What constitutes consulting services covers a wide spectrum of activities.
43
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
46

The following list is taken from Sawyer’s Internal Auditing: Enhancing and Protecting
Organizational Value:
• Business process improvement.
• Continuous monitoring.
• Control self-assessment or risk and control self-assessment.
• Forensic.
• Governance and ethics training.
• Internal control review.
• Internal control training.
• Merger and acquisition analysis.
• Participation on committees or taskforces.
• Readiness review.
• Review of a new product or service before implementation.
• Risk self-assessment.
• Transition activities. 44
IIA Australia has produced guidance on consulting engagements and advises internal
auditors to follow these steps:
• Build time into your internal audit plan. Often consulting engagements are not
planned at the beginning of the year and some flexible time for ad hoc engagements
makes it easier to be responsive to management requests.
• Make management aware of the service. Sometimes managers are unaware that
internal audit can provide advisory services in response to their requests and it is
necessary to promote this across the organization as an available support for
management.
• Respond promptly. In all cases – assurance and advisory engagements – internal
audit needs to be reflective of organizational needs and priorities and flexible when
these change. Delays can reduce the value of the sought-after advice and insight.
• Don’t do what management should do themselves. This is a reminder to maintain
independence and objectivity. The request should be legitimate rather than setting an
expectation that internal audit will fill a first or second line role. Internal audit does not
need to accept every request made by management and it is always necessary to
prioritize.
• Don’t give up when the allocated time runs out. Advisory engagements require
greater flexibility as they are often harder to fully scope and budget at the outset.
There may be options for securing additional internal or external resources to extend
the work. Additionally, internal audit should be helping management identify what
work needs to be done so there can be agreement about prioritization.
• Celebrate success. One of the best ways to promote advisory services is to share
news of successful engagements which can be achieved formally or informally
through various channels. 45
44
Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value, Seventh Edition, Internal Audit Foundation, 2019
45
Factsheet: Internal Audit Consulting, IIA Australia, 2022
47

C.1.3 Assurance and Advisory Engagements Compared
There are many similarities between assurance and advisory engagements and internal
auditors will apply many common skills. In particular, both types of engagements must be
defined in the internal audit charter and internal auditors must adhere to appropriate
standards and apply due professional care. There are also important differences, as shown
below.
Feature
Purpose
Key differences between advisory and consulting services
Assurance services
Advisory services
To provide assurance through an To offer advice, usually in response
opinion on the adequacy and to a request.
effectiveness of governance, risk
management, and internal control
based on an objective assessment
of evidence.
Principal parties • Internal auditor.
• Unit manager or process owner.
• Recipient of assurance (senior
management and the governing
body).
Scope and
approach
Objectives
Governance, risk
management, and
internal control
Auditor
assignment
Conflicts of
interest
Determined by internal auditor with
consultation with relevant manager.
Based on a risk assessment, taking
account of the possibility of error,
fraud, and noncompliance.
Must be part of the engagement
scope and objectives.
The head of internal audit must
obtain the necessary skills for the
engagement, either from the team
or from other sources rather than
defer the engagement.
In accordance with Standard 1130,
internal auditors should not provide
assurance for operations for which
they were responsible within the
previous year.
• Internal auditor.
• Client.
Agreed between client and internal
auditor.
Consistent with the organization’s
goals and priorities.
May be included in the engagement
scope and objectives.
The head of internal audit must wait
until the necessary skills for the
engagement are available.
In accordance with Standard 1130,
internal auditors may provide
consulting services relating to
operations for which they had
previous responsibilities but any
potential impairments to
independence or objectivity must be
disclosed prior to accepting the
engagement.
In undertaking advisory engagements, care must be taken to ensure the independence of
the function and objectivity of auditors for future engagements. Implementing controls,
making executive decisions, enforcing policies, directing the application of resources, and in
general terms “owning the risk” are responsibilities of management which internal auditors
should not assume. In offering training, facilitating control self-assessment workshops,
48

helping managers developing controls, and providing advice on potential improvements,
internal auditors are sharing the benefit of their expertise and insights with management.
However, they must refrain from taking ownership of decisions management must take. This
is illustrated by the table diagram below (adapted from The IIA fan graphic 46 ).
Threats to Functional Independence and Auditor Objectivity
Responsibilities Examples Safeguards
needed
Core responsibilities
of the internal
auditor
Broader
responsibilities
providing additional
value
Management
responsibilities
• Providing assurance on the adequacy and
effectiveness of governance, risk
management, and internal control.
• Evaluating processes.
• Assessing risks.
• Sharing insights and opinions.
• Making recommendations for innovation and
improvement.
• Coaching and training.
• Developing the risk management framework.
• Designing controls.
• Coordinating activities.
• Monitoring responses made to the fraud or
ethics hotline.
• Taking operational decisions on behalf
functional units.
• Determining organizational strategy.
• Participating in the decision-making process
as part of a working group or taskforce.
• Implementing controls.
• Enforcing policies.
• Accepting responsibility for managing risks.
Can be
undertaken
without special
safeguards
May be
undertaken with
additional
safeguards
Should not be
undertaken by
members of the
internal audit
function
This is relevant to consideration of threats to and safeguards for independence and
objectivity discussed in B but also helps separate the point at which advisory services may
stray into managerial responsibilities.
C.1.4 Blended Engagements
The principal differences between assurance and advisory engagements can be
summarized as follows:
• Purpose: assurance engagements provide an opinion based on an assessment;
consulting engagements provide support and expertise to advise on the acquisition,
development, or improvement of resources (inc people), systems, and processes.
46
IIA Position Paper, The Role of Internal Auditing in Enterprise-wide Risk Management, The IIA, 2009.
49

• Determination of nature and scope: for assurance engagements this must include
governance, risk management, and internal control; for consulting engagements it is
a matter to be decided through discussion.
• Parties involved: assurance engagements are agreed with the involvement of the
internal auditor, manager of the activity being audited, senior management, and the
governing body; consulting engagements may be agreed between the internal
auditor and manager of the activity being audited.
Despite these differences, assurance and advisory engagements have many synergies and
do not need to be kept separate. There are advantages from conducting a blended
engagement through which the auditor delivers both assurance and advice. Auditors are
continuously increasing their knowledge and understanding about the organization and its
internal and external operating environments. Indeed, the Standards require auditors to
apply their knowledge gained through consulting to assurance engagements. It is common
to conclude an assurance engagement with recommendations through which the auditor
advises the manager of the audited activity on opportunities for innovation and improvement
and this may be extended to include involvement with some of the developmental work.
Sometimes what is planned as an assurance engagement may be extended to include
consulting as well. For example, the auditor may identify through the course of an assurance
engagement that members of staff do not fully understand key concepts about risk
management and internal control and as a result offers to provide training. Extensions to
scope in this way need to be approved by the manager and audit supervisor.
It is also possible for an engagement that starts as consulting to be extended to include
assurance too. For example, when an internal auditor participates as an advisor to an IT
project, it may transpire that existing hardware and software controls need to be reviewed.
The auditor will be able to test and provide assurance. Once again, extensions to
engagements should be approved by the audit supervisor.
It is also possible for an engagement to be planned as a blend of assurance and consulting.
Consideration should be given to the following as part of the planning process:
• Risk-based planning should ensure priority is given to the most significant risks,
objectives, and activities. Where management is planning major projects – such as
public administration reform organizational restructuring, long-term financial
strategies, IT upgrades, introduction of new services, or relocation of activities,
personnel, and resources – internal audit may be invited to act as an advisor. This
may create natural opportunities for blended engagements.
• Allocation of scarce resources should follow the risk-based prioritization of
engagements. Efficiencies may be gained through planning a blended engagement.
• Significant findings and necessary follow-up resulting from prior engagements may
also suggest opportunities for blended engagements.
50

C.1.5 Internal Audit Opinions
Auditors may be asked to provide an opinion either within an individual audit report or at a
broader level. Assurance may be provided at the process, function, or entity level. This
includes an opinion on the adequacy and effectiveness of governance, risk management,
and internal control for the organization. In some situations, the head of internal audit is
asked to offer such an opinion periodically. This may be limited to the system of internal
control or enterprise risk management (ERM). Such an opinion may be more limited still,
such as an opinion of internal control over financial reporting or for aspects of compliance.
When asked to provide such an opinion, the head of internal audit may plan a specific audit
engagement but is also likely to draw upon the results of multiple engagements. The opinion
may be expressed in terms of a grade for the level of assurance (such as by “traffic lights”
red, yellow (amber), or green, or a grade from 1-4). The assurance may be expressed as
reasonable (or positive) assurance or limited (or negative) assurance, although such terms
are not defined in the IPPF (see section C.1.1). However, The IIA allows for Internal auditors
providing an opinion in the form of reasonable or limited assurance in its Practice Guide:
Formulating and Expressing Internal Audit Opinions. 47 Whatever form it takes, it is important
there is clear understanding about the meaning and the basis on which the opinion is given.
Macro level opinions are usually based on multiple engagements. This requires care as the
findings may have been gathered over different periods of time using different criteria. Other
evidence may be drawn from multiple formal and informal sources, placing appropriate
reliance according to the characteristics of each. According to the Practice Guide, macro
level opinions may include:
• An opinion on the organization’s overall system of internal control over financial
reporting.
• An opinion on the organization’s controls and procedures for compliance with
applicable laws and regulations, such as health and safety, when those controls and
procedures are performed in multiple countries or subsidiaries.
• An opinion on the effectiveness of controls such as budgeting and performance
management, when such controls are performed in multiple subsidiaries and
coverage comprises the majority of the organization’s assets, resources, revenues,
etc.
In comparison, micro level opinions are often derived from a single engagement and may
include:
• An opinion on an individual business process or activity within a single organization,
department, or location.
• An opinion on the system of internal control at a subsidiary or reporting unit, when all
work is performed in a single audit.
• An opinion on the organization’s compliance with policies, laws, and regulations
regarding data privacy, when the scope of work is performed in a single or just a few
business units. 48
47
Practice Guide: Formulating and Expressing Internal Audit Opinions, The IIA, 2009.
48
Practice Guide: Formulating and Expressing Internal Audit Opinions, The IIA, 2009.
51

When asked to provide an opinion, the head of the audit function should be clear of the
intended purpose and audience, the scope and time period covered by the opinion, and the
criteria and rating process to be used. When applying criteria – for example, the COSO
Internal Control Integrated Framework – there is still a need to convert the evaluation into a
suitable rating by considering what degree of conformance is acceptable or satisfactory. This
is likely to involve a consideration of materiality and impact.
C.1.6 Competencies Needed for Assurance and Advisory Engagements
The IIA Competency Framework defines the knowledge, skills, and abilities needed by
internal auditors, managers, and heads of internal audit to deliver internal audit services in
accordance with the requirements of the IPPF. They are organized under four domains and
defined at three competency level (general awareness, applied knowledge, and expert). The
domains are as follows:
Domain
Professionalism
Performance
Environment
Leadership and
Communication
Description
Competencies required to demonstrate the authority, credibility, and
ethical conduct essential for a valuable internal audit activity.
Competencies required to plan and perform internal audit engagements
in conformance with the Standards.
Competencies required to identify and address the risks specific to the
industry and environment in which the organization operates.
Competencies required to provide strategic direction, communicate
effectively, maintain relationships, and manage internal audit personnel
and processes.
When applying these to assurance and advisory engagements, there are many
commonalities, as described below.
Domain
Professionalism
Performance
Environment
Competencies for Assurance and Advisory Engagements
All aspects of professionalism are relevant for all internal audit work,
including ethical conduct, conformance with the standards, and
maintaining objectivity.
In general, the knowledge base required for assurance and advisory
engagements is largely identical, but the skills and abilities needed for
these two types of engagement place different requirements on the
internal auditor. The standards relating to performing audits identify
some specific differences for assurance and consulting engagements.
However, knowledge and understanding of governance, risk
management, and internal control are essential for all engagements.
Likewise, the techniques for conducting fieldwork are also very similar
although the contexts may differ.
Regardless of the type of engagement, internal auditors must
understand the internal and external environments of their organization
including the strategic priorities, resources, risks, legal and regulatory
requirements, and other factors impacting the attainment of goals.
52

Leadership and
Communication
Internal audit supervisors, managers, and leaders have their respective
roles and delegated authorities for ensuring the efficient and effective
operation of the internal audit function for all services provided.
Communication skills are of paramount importance for all internal audit
work. This includes developing relationships and adopting styles of
communication appropriate for the intended audience. Consulting
engagements have a greater degree of flexibility in approach and
reporting compared with the testing and recoding of findings needed for
assurance engagements. However, the same requirements for
accuracy, timeliness, and relevance apply.
There are also competencies that have greater relevance for each of the two types of
engagements.
Competencies of greater relevance for assurance engagements include:
• Adherence to process and methodology.
• Engagement planning.
• Due care and attention for detail.
• Systematic testing, analysis, and data processing.
• Root cause analysis.
• Critical thinking.
• Drawing significant findings and conclusions from large volumes of information.
• Effective reporting.
• Moral courage to ask difficult questions and tenacity to seek out the truth.
In comparison, advisory engagements can require a lot more versality and flexibility from the
auditor. There is a greater variety of activities that fall within the broad class of missions. The
objectives and scope more be more open-ended. Skills like process design and engineering,
facilitation, strategic thinking, root cause analysis, building a consensus, and creative
problem solving are likely to be more to the fore. 49
Competencies of greater relevance for advisory engagements include:
• Creativity and originality.
• Collaboration, teamwork, and relationship management.
• Deep expertise in specific processes or activities.
• Rapid assimilation of complex data.
• Operating under pressure in a dynamic environment.
• Unstructured problem-solving.
• Providing continuous feedback and offering insights during the engagement.
49
See Anderson, et al, Internal Auditing: Assurance and Advisory Services, fourth edition, The IIA, 2017.
53

C.1: Reflection
Approximately what percentages of the internal audit plan are committed to assurance and
consulting engagements? Is the balance appropriate for organizational needs, priorities, and
expectations?
What allowance is made in internal audit planning for ad hoc engagements made at the
request of management? Is this sufficient?
How often are consulting engagements proposed by the head of the internal audit function
rather than by management?
How much of the content of the audit plan is truly risk-based as opposed to completing a
list of expected audits that are repeated annually?
Are blended engagements considered as an option for increasing efficiency and
effectiveness?
Do you agree with the analysis of the different competencies needed for assurance and
advisory engagements? Is this considered when auditors are assigned to engagements?
54

C.2 Auditing Governance
The IIA Supplement Guidance: The Role of Auditing in Public Sector Governance
emphasizing the essential characteristics of the internal audit function for providing valuable
assurance insight:
• Organizational independence.
• A formal mandate (in “the public sector’s constitution, charter, or other basic legal
document.”)
• Unrestricted access “to employees, property, and records.”
• Sufficient funding.
• Competent leadership.
• Objective staff.
• Competent staff.
• Stakeholder support.
• Professional audit standards. 50
In respect of governance, internal audit may contribute in various ways:
• Oversight: Internal audit can extend the reach of senior management and the
governing body to observe organizational activities and circumstances and determine
whether policy is being implemented as intended with appropriate assessment of
risks and implementation of controls. Auditing provides transparency through
verification of performance, position, and prospects, and by sharing it with
stakeholders.
• Detection: Audits reveal “inappropriate, inefficient, illegal, fraudulent, or abusive acts
that have already transpired.” Such information can be used to strengthen controls,
initiate training, and pursue disciplinary or legal proceedings. Detection can occur as
part of an investigation of potential conflicts of interest or suspected wasteful,
abusive, or fraudulent activities. Alternatively, detection also occurs when red flags
are identified during a routine engagement involving the identification of risks and
testing of controls.
• Deterrence: Anticipated audit work as well as the exposure of detected weaknesses
can deter other lapses in proper oversight and management.
• Insight: Auditors can share their expertise and understanding and make
recommendations in terms of potential improvements with reference to best
practices.
• Foresight: Auditors can also anticipate future risks by considering trends as well as
changes in legislation and regulation. 51
Organizational governance may be audited in an individual engagement. Alternatively, an
opinion on governance may be derived from multiple engagements (see C.1.5). Assurance
and advisory engagements may be used. Any engagement that considers risk management
and internal control contributes to an auditor’s understanding of governance.
50
Supplemental Guidance: The Role of Auditing in Public Sector Governance, The IIA, 2012.
51
Supplemental Guidance: The Role of Auditing in Public Sector Governance, The IIA, 2012.
55

Performance audits are also useful in determining governance with regard to particular
policies and initiatives. Some governance audits pay particular attention to the working of the
governing body and may evaluate the effectiveness of meetings, strategic planning,
management of conflicts of interest, nominations, and so on. External agencies can provide
this service for greater independence and objectivity.
Suggested questions internal auditors may ask as part of their investigation into the
adequacy and effectiveness of governance, focusing on the key aspects of governance
(performance, conformance, value creation and protection, and accountability) are given
below, based on guidance from IFAC:
• Do the structures and processes of governance serve to optimize stakeholder value?
• Do they serve to ensure an appropriate balance of stakeholder interests?
• Do they support both performance in respect of achieving organizational purpose and
conformance with laws, regulations, policies, and other expectations?
• Are governance processes fully integrated into the organization and its culture,
planning, behaviors, and activities?
• Is the governing body appropriately constituted and structured to lead on governance
for the organization, overseeing senior management and internal audit, and engaging
with key stakeholders?
• Has the governing body established a set of fundamental values by which the
organization operates?
• Are these values well communicated, monitored, and appropriately reinforced and
enforced?
• Does the strategy adopted by the governing body demonstrate a sound
understanding of the political context, operating model, and internal and external
environment?
• Does the strategy promoted by the governing body provide sufficient direction and
focus for the organization?
• Has the governing body ensured that management has established an appropriate
and effective framework for risk management and internal control?
• Does the governing body ensure resource allocation by management is aligned with
strategic priorities?
• Does the governing body evaluate its own effectiveness as well as that of its strategy
and organizational activities toward continual improvement and achievement of
objectives?
• Are the interests and needs of stakeholders given appropriate consideration and do
stakeholders receive relevant, timely, and reliable information? 52
52
Evaluating and Improving Governance in Organizations, IFAC, 2009.
56

C.2: Reflection
How does your internal audit function contribute to the ongoing development and
improvement of organizational governance?
Does your internal audit function provide assurance on governance for specific areas
and/or for the entity as a whole?
Is governance highlighted as an important consideration in every engagement?
57

C.3 Fraud, IT, and Cybersecurity
In providing assurance, internal auditors must be attentive to all relevant risks and their
potential to impact organizational objectives and priorities. The IPPF gives particular mention
to two key risk areas: fraud and IT.
For example, Standard 1210 – Proficiency has the following requirements:
1210.A2 Internal auditors must have sufficient knowledge to evaluate the risk of fraud
and the manner in which it is managed by the organization, but are not expected to have
the expertise of a person whose primary responsibility is detecting and investigating
fraud.
1210.A3 Internal auditors must have sufficient knowledge of key information technology
risks and controls and available technology-based audit techniques to perform their
assigned work. However, not all internal auditors are expected to have the expertise of
an internal auditor whose primary responsibility is information technology auditing. 53
C.3.1 Fraud
IIA Internal Audit Competency Framework
Fraud:
General Awareness: Recognize types of fraud, fraud risk, and red flags for fraud.
Applied Knowledge: Evaluate the potential for fraud and how the organization detects and
manages fraud risks; recommend controls to prevent and detect fraud and educate to
improve the organization’s fraud awareness.
Expert: Apply forensic auditing techniques in fraud prevention, deterrence, and
investigation. 54
Fraud is referenced seven times in the Standards and is defined as:
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are
not dependent upon the threat of violence or physical force. Frauds are perpetrated by
parties and organizations to obtain money, property, or services; to avoid payment or
loss of services; or to secure personal or business advantage. 55
53
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
54
Internal Audit Competency Framework, The IIA, 2022.
55
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
58

Fraud may be perpetrated via measures such as:
• Claims for fictitious expenses or duplicate claims.
• Use of fake or stolen identity.
• Disbursements to fictitious vendors or beneficiaries.
• Unwarranted refunds.
• Lost or voided checks.
• Interception of goods received.
• Concealment through false accounting (such as capitalizing expenses, ignoring bad
debts, mischaracterizing expenditure as “miscellaneous” or something else, and
over- or under-reporting.)
• Embezzlement of funds and other resources.
All parties within an organization have a responsibility to contribute to fighting fraud.
Organizational
role
Governing body
and audit
committee
Senior
management
Those with first
line roles
Those with second
line roles
Role in fighting fraud
• Ultimate responsibility for fraud risk governance.
• Lead by example.
• Set “tone at the top.”
• Ensure there are appropriate fraud risk management structures and
processes in place.
• Ensure the internal audit plan is sufficiently attentive to fraud risk.
• Receive and respond to reports from internal auditing regarding the
adequacy and effectiveness of fraud risk management.
• Receive and respond to reports from fraud risk experts, examiners,
inspectors, external auditors, and others.
• Lead by example.
• Promote ethical conduct.
• Address suspicions of fraud when they surface.
• Provide training.
• Implement and maintain controls for fraud.
• Report incidents of fraud or suspected fraud.
• Provide specialist expertise in developing and implementing controls for
fraud.
• Monitor and analyze the effectiveness of fraud risk management.
Internal auditors • Provide independent and objective assurance and advice on the
adequacy and effectiveness of fraud risk governance, management,
and control.
• Map and coordinate fraud risk assurance from internal and external
providers.
59

Common controls for fraud relating to cash and financial transactions, for example, include:
• Segregation of incompatible duties. Responsibility for custody of an asset,
authorization for its deployment, and recording its usage should ideally be assigned
to different individuals. Where this is not possible because of a shortage of resources
then compensating controls, including increased supervision, regular reconciliations,
stock takes, and scrutiny by inspectors and auditors, should be applied.
• Centralization of cash collection points.
• Individual cash drawers for each employee responsible for collecting money to assist
with traceability and accountability for errors and fraud.
• Endorsing checks when they are received to limit opportunities for misuse.
• Maintaining sequential receipts.
• Timely recording of transactions.
• Timely deposits of cash.
• Physical security of blank checks.
• Regular reconciliations.
Figure: Segregation of Incompatible Duties
Many of the controls described above are needed for managing risks related to human,
system, and process errors as well as the possibility of fraud. To ensure the general integrity
of the control environment, there should be clear tone at the top, a well-defined code of
conduct to confirm behavioral expectations, consistent and timely handling of breaches,
continuous awareness raising and regular training, documented policies and processes, and
opportunities for anonymous whistleblowing.
A defining characteristic of fraud is that such acts are deliberate. Frauds are not errors
caused by bad luck or incompetence. Individuals acting alone or with others usually have a
need or an incentive (motivation) to commit fraud (such as economic or social hardship,
ambition, or duress), identify an opportunity to take an unfair and unwarranted advantage of
60

circumstances (unethical and often but not always illegal), and tend to provide a
rationalization to themselves and anyone else (such as when they are caught) in terms of
their needs or perceived entitlement (“everyone else is doing it,” “the organization deserves it
for having weak controls,” “it’s only $100,” “I need it more than they do,” “it’s a victimless
crime,” etc.). Often individuals start committing fraud with a small value or with the intention
of only doing it once but the temptation and the rationalization increase. Motivation,
opportunity, and rationalization are the key elements of the fraud risk triangle and provide a
basis for considering appropriate controls for each of these dynamics. Organizations must:
• Reduce motivation (through ethical training and by addressing signs of stress).
• Limit opportunity (through awareness raising and segregation of incompatible duties,
for example).
• Combat potential rationalization (through being seen to take fraud seriously, dealing
with incidents fairly and swiftly, and providing fair compensation to all).
Figure: Controls for the Primary Causes of Fraud (based on the Cressey Fraud Risk
Triangle)
The IIA Practice Guide: Internal Audit and Fraud – Assessing Fraud Risk Governance and
Management at the Organizational Level distinguishes three aspects an internal auditor
must be aware of when evaluating risks and controls:
• Fraud risks – the potential for fraud (which is ever-present).
• Fraud schemes – active plans by individuals or groups to commit fraud.
• Fraud events – where fraud has been committed. 56
56
IIA Practice Guide: Internal Audit and Fraud – Assessing Fraud Risk Governance and Management at the Organizational
Level, 2nd edition, 2022.
61

Internal auditors have an important role to play in raising fraud risk awareness, helping to
reduce the likelihood and impact of fraud, and supporting the identification of fraud schemes
and events. The following extracts from the Standards illustrate the role and its limits.
1210.A2 Internal auditors must have sufficient knowledge to evaluate the risk of fraud
and the manner in which it is managed by the organization, but are not expected to have
the expertise of a person whose primary responsibility is detecting and investigating
fraud. 57
1220.A1 Internal auditors must exercise due professional care by considering the:
• …
• Probability of significant errors, fraud, or noncompliance. 58
2060 Reporting [by the chief audit executive] must also include significant risk and
control issues, including fraud risks, governance issues, and other matters that require
the attention of senior management and/or the board. 59
As part of a regular audit engagement, internal auditors should:
• Gather information to understand the purpose and context of the engagement, as
well as the governance, risk management, and controls relevant to the area or
process under review. Information may be drawn from multiple sources, including
previous audit engagements, reports from specialist investigators (such as fraud
examiners, external auditors, and financial inspections), interviews, external research
of similar situations, and fraud risk and control models and benchmarks.
• Brainstorm fraud scenarios to identify potential fraud risks.
• Assess the identified fraud risks to determine which risks require further evaluation
during the engagement. 60
Certain red flags should alert the internal auditor to the potential for fraud. These may
include:
Issues
Give-away phrases
used
Potential Red Flags for Fraud
• “As a work around …”
• “Just this one time …”
• “I have always done it this way.”
• “Once in a while we …”
• “Off the record …”
• “There are no policies or procedures for this process.”
• “Someone told me to do it this way; however, I am not sure
why.”
• “This is really how it is done.”
• “The way it is supposed to work …”
57
The International Professional Practices Framework, The IIA, 2016.
58
The International Professional Practices Framework, The IIA, 2016.
59
The International Professional Practices Framework, The IIA, 2016.
60
IIA Practice Guide: Engagement Planning – Assessing Fraud Risks, The IIA, 2017.
62

Management Issues • Lack of area expertise.
• Lack of supervision.
• History of legal violations.
Personnel Issues • Lack of background checks.
• Dissatisfied employees.
• Unwillingness to share duties.
Process Issues • Duties not segregated.
• Poor physical security.
• Poor access controls. 61
Guidance published by the World Bank Group identifies examples of internal frauds
perpetrated by employees:
• Procurement fraud (e.g., false invoicing, credit card misuse, manipulations in the
procurement process or procuring low quality items, receiving kickbacks for referring
contract work to related parties).
• Theft and skimming (e.g., removing and selling inventory, cash, consumables, or
information, fraudulent acceptance of goods and services, and receiving
compensation without reporting transactions).
• Fraudulent expenditure claims (e.g., using false receipts to claim travel and
accommodation allowances).
• Payroll fraud (e.g., adding fake employees to the payroll or claiming overtime for
hours not worked). 62
Accounting fraud, money laundering, and tax evasion can be added to this list.
When internal auditors suspect fraud, great care needs to be taken. The organization
requires well-defined procedures to follow in such circumstances. In some cases, the
internal auditor is expected to pass over the evidence giving rise to a suspected fraud to
investigators or law enforcement to pursue. Auditors may be asked to be witnesses or
provide other evidence. The careful preservation of papers and audit trails is extremely
important. In some organization, internal auditors are expected to investigate fraud, but as
with all activities this should only occur where individuals have the competency to do so.
61
IIA Practice Guide: Engagement Planning – Assessing Fraud Risks, The IIA, 2017.
62
Public Sector Internal Audit: Focus on Fraud, Center for Financial Reporting Reform, World Bank Group, 2017.
63

C.3.2 Information Technology
IIA Internal Audit Competency Framework
Information Technology:
General Awareness: Describe the basic concepts of IT and data analytics. Describe the
various risks related to IT, information security, and data privacy. Recognize the purpose and
applications of IT control frameworks and basic IT controls.
Applied Knowledge: Apply data analytics and IT in auditing. Identify and assess various risks
related to IT, information security, and data privacy. Apply IT control frameworks.
Expert: Evaluate the use of data analytics and IT in auditing. Recommend actions to address
IT risks, information security, and data privacy. Evaluate the use of IT control frameworks. 63
IT audit is no longer the exclusive preserve of specialists. Information technology is utilized
universally across departments and forms a part of most procedures. Hence, all internal
auditors need to be able to recognize IT risks and evaluate the effectiveness of controls.
IT creates many opportunities and threats for organizations. It is used as a tool to provide
services to clients and support routine operations including controls. IT usage includes:
• Routine storage, access, and manipulation of large amounts of data, presenting
potential issues for data privacy and protection.
• Wide usage and availability of mobile phones, tablets, laptops, memory sticks with
huge storage capacity, and other personal devices.
• Ready access to “big data” and the potential for continuous auditing.
• The increasing use of data analytics
• Social media for personal and business use.
• Cloud computing for flexible storage and access.
• Blockchain.
• Artificial intelligence, machine learning, and virtual reality.
• Online receipts, payments, and banking.
IT tools and techniques are also available for internal auditors to assist with planning,
communication, testing, remote observation, analysis, and follow up. (This is covered in
more detail in T2: Good Governance, Managerial Accountability, Developing Strategy, and
Data Analysis.)
IT creates key risk areas for organization including:
• Compliance risks (especially for data privacy and protection).
• Reputational damage and erosion of trust by citizens, service users, vendors, donor
organizations, and others.
• Financial penalties.
• Operational disruption.
• Skills gaps and shortages.
63
Internal Audit Competency Framework, The IIA, 2022.
64

Risk management techniques can be applied to IT risks although specialist frameworks and
standards have been developed to define best practices and reflecting the complexity of the
area. IT is subject to rapid development and service users (including staff to operate
systems supported by IT) are likely to have high expectations. Customer online experiences
of companies like Amazon reduce our tolerance of anything less effective or user-friendly.
Internal auditors are expected to account for IT risks in every engagement.
Standard 2110 – Governance
2110.A2 The internal audit activity must assess whether the information technology
governance of the organization supports the organization’s strategies and objectives.
Standard 2120 – Risk Management
2120.A1 The internal audit activity must evaluate risk exposures relating to the
organization’s governance, operations, and information systems.
Standard 2130 – Control
2130.A1 The internal audit activity must evaluate the adequacy and effectiveness of
controls in responding to risks within the organization’s governance, operations, and
information systems. 64
Internal auditors should identify IT risks within audits and evaluate the effectiveness of
management responses to them. There should be appropriate expertise to enable the
internal audit function to consider all IT risks, although not all auditors need to be specialists.
Where the expertise is lacking within the team, the head of the function will need to draw on
other sources to provide the desired level of assurance to senior management and the
governing body. A risk management framework such as COSO Internal Control – Integrated
Framework may be used to support auditors in developing audit objectives and plans,
undertaking testing and analysis, and formulating conclusions. Specialist standards may also
be used to guide the work of internal audit and serve as a benchmark for expected practice.
There are two main classes of IT controls namely general controls and application controls.
General controls operate at the most fundamental level and work to ensure the integrity of IT
outputs. Application controls are fully automated and are designed to ensure correctness of
processing throughout the system.
64
The International Professional Practice Framework, The Institute of Internal Auditors, 2016
65

Class of IT Examples
Controls
General Controls • The organizational and IT control environments.
• Technical-support policies and procedures.
• Policies and processes for change management.
• Procedures for source code/document version-control.
• Standards for software development lifecycle.
• Hardware/software configuration, installation, testing,
management, standards, policies, and procedures.
• Security policies, standards, and processes.
• Procedures and policies for incident-management.
• Procedures for back-up and disaster recovery.
Application • Authentication.
Controls
• Authorization.
• Change management.
• Completeness checks.
• Identification.
• Input controls.
• Problem management.
• Validity checks.
The relationships among the classification of IT controls are shown in the following graphic,
adapted from GTAG: Information Technology Risks and Controls, The IIA, 2012 65 :
Figure: Types of IT Controls
65
GTAG, Information Technology Risks and Controls, The IIA, 2012
66

IT controls may be manual, automated, or semi-automated. A useful article by AuditBoard
makes the distinction clear:
Automated controls are ideal in situations with high volume, uniform transactions. In
this case, there is little need for manual intervention or judgment. Automated controls
include the risk of relying on inaccurate systems and data or putting trust in an
inappropriate automation algorithm.
Manual controls are preferred when there is a need for human judgment. The need
for manual controls often arises when there is a low volume of transactions that
require discretion in deciding the outcome of the internal control process. Manual
controls run the risk of human error and intentional override.
A third control category also exists called semi-automated controls, sometimes
referred to as IT-dependent controls. With this type of automated control, human
intervention is still required, but the person’s action is dependent on the output for a
system. 66
In addition, the process of testing controls can be automated with significant benefits, as
described by EY:
• Increased operational efficiency (compared with manual controls and risk compliance
processes that may be “fragmented, siloed, and unsustainable.”)
• Reduced compliance costs associated with the manual effort, time, and errors.
• Improved controls assurance, allowing for high volume, high accuracy, and live
insights.
• Continuous controls improvement, making the shift “from controls testing as a
compliance exercise to a value-added program.” 67
The advanced tools described in Module 2 Good Governance, Managerial Accountability,
Developing Strategy, and Data Analysis section B.3.1, including data analytics, robotic
process automation, artificial intelligence, machine learning, deep learning networks, and
exploratory data analysis, can be used to enable automated controls testing.
C.3.3 Cybersecurity
IT is not just something that might fail through error, poor practice, and bad luck; it provides
a target for deliberate and often malicious attacks. The IIA Cybersecurity Toolkit provides a
checklist for undertaking cybersecurity audits of key areas to consider as part of the planning
and testing stages.
• Cybersecurity governance. (This is discussed in more detail in section A.4.)
• Inventory of information assets (hardware, software, and data).
66
Automated Controls Testing and SOX Testing, AuditBoard, 2016.
67
Automated Controls Testing: a stepping-stone to the future of internal audit, EY, 2021.
https://www.linkedin.com/pulse/automated-controls-testing-stepping-stone-future-internal-roffey/
67

• Standard security configurations (following best practices for key items of hardware
and software).
• Information access management (appropriate for each layer, i.e., application user,
developer, administrator).
• Proactive and preventive controls (e.g., malware detection, vulnerability scanning,
penetration testing, and data encryption).
• Response and remediation. 68
Cybersecurity is a key element of IT risk and focuses on how an organization protects its
information assets (computers, networks, programs, and data) through the use of various
technologies, processes, and practices. Cybersecurity risks arise in the context of access,
damage, and alteration to, and availability, control, theft, and distribution of, these assets.
As with the management of fraud and IT risks, cybersecurity can be considered in the
context of more general frameworks as well as specialized models. The guide to COSO in
the Cyber Age uses the COSO Internal Control – Integrated Framework as the basis for a
review of cybersecurity risks and how internal audit may review these.
COSO Internal Questions for Internal Audit to Consider
Control Element
Control Environment • Does the board of directors understand the organization’s
cyber risk profile and are they informed of how the organization
is managing the evolving cyber risks management faces?
Risk Assessment • Has the organization and its critical stakeholders evaluated its
operations, reporting, and compliance objectives and gathered
information to understand how cyber risk could impact such
objectives?
Control Activities • Has the entity developed control activities, including general
control activities over technology, that enable the organization
to manage cyber risk within the level of tolerance acceptable to
the organization?
• Have such control activities been deployed through formalized
policies and procedures?
Information and
Communication
• Has the organization identified information requirements to
manage internal control over cyber risk?
• Has the organization defined internal and external
communication channels and protocols that support the
functioning of internal control?
• How will the organization respond to, manage, and
communicate a cyber risk event?
Monitoring Activities • How will the organization select, develop, and perform
evaluations to ascertain the design and operating effectiveness
of internal controls that address cyber risks?
• When deficiencies are identified how are these deficiencies
communicated and prioritized for corrective action?
• What is the organization doing to monitor their cyber risk
profile? 69
68
Cybersecurity Toolkit, The IIA, 2021
69
COSO In the Cyber Age, COSO, 2015
68

The IIA’s Cybersecurity Toolkit describes internal audit’s contribution to cybersecurity
governance through consideration of the main components of a governance model, as
follows:
• Board-level oversight: Confirm that the board of directors sees regular reporting on
cybersecurity risks and risk mitigation activities.
• Policies and procedures: Verify whether significant processes described below are
adequately covered in policies and procedures, and whether the guidance has been
reauthorized within a reasonable time period.
• Risk management: Determine whether management has conducted a
comprehensive cyber risk assessment, covering all geographic areas of operation,
business lines, etc.
• Records and information management: Verify whether system architecture and data
flow documentation is complete, accurate, and consistently retained.
• Compliance: Determine whether IT and IS leaders have identified relevant external
requirements and implemented controls to ensure the organization meets the
standards
• Data classification: Confirm that a classification scheme has been defined and is
recorded for all systems and databases.
• Vendor management: Verify whether third-party risks have been assessed, and
whether vendors that store or process sensitive data are subject to sufficient
contractual, oversight, and technical controls.
• Management reporting: Determine whether KPIs or KRIs have been defined for
cybersecurity, and whether reporting is accurate and actionable.
• Personnel: Determine whether IT and IS staffing is sufficient and has the expertise to
deploy security tools and enforce policies. 70
The IIA series Global Perspectives and Insights provides a three-part guidance on
cybersecurity. Among other things, the guidance emphasizes the importance of a
collaborative approach to cybersecurity in which the internal auditor has an important role,
placing particular importance on the relationship between internal audit and the senior
manager charged with information security. Oversight by the governing body is also critical. 71
70
Cybersecurity Toolkit, The IIA, 2021.
71
Global Perspectives and Insights – Cybersecurity in 2022, Parts 1-3, The IIA, 2022.
69

C.3.4 Data Privacy
There are strict requirements regarding data privacy. Although laws and regulations vary and
continue to evolve, when someone provides an organization with personal data they
generally have a right to:
• Know the purpose for collecting the data.
• Know what personal information an organization has.
• Control what information is collected and how it is used, including who has access to
it.
• Request to change and delete any personal information held at any time for any
reason.
Organizations can find themselves operating outside of these requirements due to
inadequate controls, such as:
• The processes used for data collection are poorly designed and maintained and as a
result the organization is collecting unnecessary, incomplete, or inaccurate
information, or they do not gain appropriate permission from the owner of personal
data for its usage and storage.
• The organization allows data to be corrupted, stolen, or leaked, or shares it –
contrary to the agreement with the data owner – with a third party that misuses it.
• Data is stored beyond a permissible or useful period when it should be deleted.
Organizations must maintain awareness of internal and external requirements for data
privacy, keep staff informed, and ensure policies and processes are regularly reviewed and
kept up to date.
70

C.3: Reflection
Fraud:
How are suspected frauds handled in your organization?
Do internal auditors receive sufficient training?
Are internal auditors involved in awareness raising about fraud risk?
IT:
How does your internal audit function ensure it has the skills and expertise needed to audit
IT risks and controls?
To what extent is automated controls testing utilized?
Who in your organization takes the lead on managing IT risks?
How does internal audit collaborate with and support those responsible for IT risk
management?
Cybersecurity:
How does your internal audit function ensure it has the skills and expertise needed to
audit cybersecurity risks and controls?
Who in your organization takes the lead on managing cybersecurity risks?
How does internal audit collaborate with and support those responsible for cybersecurity
risk management?
Data Privacy:
Who in your organization takes the lead on managing data privacy risks?
How does internal audit collaborate with and support those responsible for data privacy
risk management?
71

References and Additional Reading
12 Principles of Good Governance, Council of Europe, 2008.
https://www.coe.int/en/web/good-governance/12-principles
APEC Economic Committee’s Good Practice Guide on Public Sector Governance, 2011.
https://www.apec.org/docs/default-source/publications/2011/3/good-practice-guide-onpublic-sector-governance/2011_ec_good-practice-guidepsg.pdf?sfvrsn=7398b3dc_1#:~:text=Six%20principles%20of%20good%20public%20sec
tor%20governance,-
Although%20public%20sector&text=The%20following%20six%20principles%20have,and
%20probity%3B%20stewardship%20and%20leadership
Assessing the Effectiveness of Internal Control: PEMPAL Guidance for Public Sector
Internal Auditors, PEMPAL, 2020.
https://www.pempal.org/sites/pempal/files/IACOP/NEWSPAPER/iacop_assessing_the_e
ffectiveness_of_internal_control_-_pempal_guidance.pdf
Assessing Cybersecurity Risks: The Three Lines Model, The IIA, 2020.
https://www.theiia.org/globalassets/documents/content/articles/guidance/gtag/gtagassessing-cybersecurity-risk.pdfCybersecurity
Toolkit, The IIA, 2021.
https://www.theiia.org/globalassets/documents/content/tools/iia-member-certifiedcybersecurity-toolkit.pdf
Automated Controls Testing: a stepping-stone to the future of internal audit, EY, 2021.
https://www.linkedin.com/pulse/automated-controls-testing-stepping-stone-futureinternal-roffey/
Automated Controls Testing and SOX Testing, AuditBoard, 2016.
https://www.auditboard.com/blog/automated-controls-and-sox-testing/
COSO In the Cyber Age, COSO, 2015. https://www.coso.org/Shared%20Documents/COSOin-the-Cyber-Age.pdf
Delivering Excellent Public Finance: CIPFA’s Whole System Approach to Public Financial
Management, Cipfa. https://www.cipfa.org/policy-and-guidance/reports/whole-systemapproach-volume-1
European Commission Staff Working Document Albania 2022 Report,
https://neighbourhood-enlargement.ec.europa.eu/system/files/2022-
10/Albania%20Report%202022.pdf.
Evaluating and Improving Governance in Organizations, IFAC, 2009.
https://www.ifac.org/system/files/publications/files/IGPG-Evaluating-and-Improving-
Governance.pdf
Factsheet: Internal Audit Consulting, IIA Australia, 2022.
http://www.iia.org.au/sf_docs/default-source/technical-resources/2018-factsheets/internal-audit-consulting.pdf?sfvrsn=2
72

Global Perspectives and Insights – Cybersecurity in 2022, Part 1: How the New SEC
Proposals Could Change the Game, The IIA, 2022.
https://www.theiia.org/globalassets/site/content/articles/global-perspectives-and-
insights/2022/global-perspectives--insights--cybersecurity-in-2022-parts-1-
3/gpi_cybersecurity_in_2022_parts_1_3_final.pdf
Global Perspectives and Insights – Cybersecurity in 2022, Part 2: Critical Partners —
Internal Audit and the CISO, The IIA, 2022.
https://www.theiia.org/globalassets/site/content/articles/global-perspectives-and-
insights/2022/global-perspectives--insights--cybersecurity-in-2022-parts-1-
3/gpi_cybersecurity_in_2022_parts_1_3_final.pdf
Global Perspectives and Insights – Cybersecurity in 2022, Part 3: Cyber Incident Response
and Recovery, The IIA, 2022.
https://www.theiia.org/globalassets/site/content/articles/global-perspectives-and-
insights/2022/global-perspectives--insights--cybersecurity-in-2022-parts-1-
3/gpi_cybersecurity_in_2022_parts_1_3_final.pdf
GTAG: Information Technology Risks and Controls, The IIA, 2012.
https://www.theiia.org/en/content/guidance/recommended/supplemental/gtags/gtaginformation-technology-risk-and-controls-2nd-edition/
Internal Audit Competency Framework, The IIA, 2022.
https://www.theiia.org/globalassets/documents/standards/ia-competencyframework/2022-4103-sem-competency-framework-graphics-table_fnl.pdf
IIA Position Paper: The Internal Audit Charter, The Institute of Internal Auditors, 2019.
https://www.theiia.org/globalassets/documents/resources/the-internal-audit-charter-ablueprint-to-assurance-success-august-2019/pp-the-internal-audit-charter.pdf
IIA Practice Guide: Engagement Planning – Assessing Fraud Risks, The IIA, 2017.
https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/engagement-planning-assessing-fraud-risks/pg-engagement-planning-assessingfraud-risks.pdf
IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management, The
IIA, 2009, https://www.theiia.org/globalassets/documents/resources/the-role-of-internalauditing-in-enterprise-wide-risk-management-january-2009/pp-the-role-of-internalauditing-in-enterprise-risk-management.pdf
IIA Practice Guide: Formulating and Expressing Internal Audit Opinions, The IIA, 2009.
https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/formulating-and-expressing-internal-audit-opinions/09523_pro-opinionspracguidefnl-lo-cx3.pdf
73

IIA Practice Guide: Internal Audit and Fraud – Assessing Fraud Risk Governance and
Management at the Organizational Level, 2nd edition, 2022.
https://www.theiia.org/globalassets/site/content/guidance/recommended/supplemental/pr
actice-guides/practice-guide-internal-audit-and-fraud-2ndedition/pg_internal_audit_and_fraud_2nd_edition_final.pdf
IIA Practice Guide: Unique Aspects of Internal Auditing in the Public Sector, The IIA, 2022.
https://www.theiia.org/en/content/guidance/recommended/supplemental/practiceguides/unique-aspects-of-internal-auditing-in-the-public-sector/
The IIA Three Lines Model, The IIA, 2020. https://www.theiia.org/globalassets/site/aboutus/advocacy/three-lines-model-updated.pdf
Independent Audit Committees in Public Sector Organizations, The IIA, 2014.
https://www.theiia.org/globalassets/documents/standards/independent-audit-committeesin-public-sector-organizations.pdf
International Framework: Good Governance in the Public Sector, CIPFA, 2014.
https://www.cipfa.org/policy-and-guidance/standards/international-framework-goodgovernance-in-the-public-sector
The International Professional Practices Framework, The Institute of Internal Auditors, 2016.
https://www.theiia.org/en/standards/international-professional-practices-framework/
Law No 114/2015, Internal Auditing in Public Sector, Republic of Albania.
https://track.unodc.org/uploads/documents/BRI-legal-resources/Albania/21_-
Albania_Law_on_internal_auditing_in_public_sector_2016-03-17-EN.pdf
Organizational Political Pressure and the Impact on Internal Audit, Patty Miller, 2017.
https://na.eventscloud.com/file_uploads/dab848a33de87b2ec71fd1f0cb0b2321_GS-2-
Politics-PattyMiller.pdf
Public Sector Internal Audit: Focus on Fraud, Center for Financial Reporting Reform, World
Bank, 2017. https://cfrr.worldbank.org/sites/default/files/2019-
11/public_sector_internal_audit_fraud_pages.pdf
Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value, Internal Audit
Foundation, 2019. https://www.theiia.org/en/products/bookstore/sawyers-internalauditing-enhancing-and-protecting-organizational-value-7th-edition/
Supplemental Guidance: The Role of Auditing in Public Sector Governance, The IIA, 2012.
https://www.theiia.org/globalassets/documents/standards/public_sector_governance1_1
_.pdf
74

CIPFA: 77 Mansell Street, London E1 8AN
+44 20 7543 5600
cipfa.org
CEF: Cankarjeva cesta 18, 1000 Ljubljana, Slovenia
+386 1 369 61 90
cef-see.org
The Chartered Institute of Public Finance and Accountancy. Registered with the Charity
Commissioners of England and Wales No 231060. Registered with the Office of the
Scottish Charity Regulator No SCO37963.
75