TIAPS Module 1 Audit and Assurance workbook

10.04.2023

second line roles depends on many factors, including organizational size, complexity of operations, culture, laws and regulations, external environment, skills and resources, and the relative strength and maturity of internal auditing. In some cases, the head of risk management reports directly to the governing body (rather than the CEO) and may be required to do so by regulation. A degree of independence between those with first and second line roles strengthens the effectiveness of risk management and internal control. However, risk management and internal control remain the responsibility of management and ultimately the CEO.

Assurance: The internal audit function provides management and the governing body with independent and objective assurance and advice on the adequacy and effectiveness of governance, risk management, and internal control. Independence means being accountable to the governing body (directly or via an audit committee), being free from interference by management and from responsibility for the activities being audited, and having access to the resources, people, and information needed to complete the work of the function. However, independence should not entail isolation. Internal auditing must be fully aligned with the needs of the organization and supportive of its purpose. Cooperation and collaboration with management are encouraged. The head of the internal audit function (the chief audit executive) should engage with and provide reports to senior management on a regular basis as well as communicating with the governing body.

The Three Lines Model focuses primarily on the internal elements of an organization. However, external assurance providers (principally the Supreme Audit Institution for government entities, although other external service providers may be used subject to statutory requirements) are also recognized as contributing to governance and the success of organizations. The role of external audit is discussed in more detail in Module T3 Accounting Fundamentals.

Where governments are focused on implementing public internal financial control (PIFC), financial and managerial control (FMC) and internal auditing are two of the central components (the third being the Central Harmonization Unit (CHU)). This is strongly reflective of the Three Lines Model in identifying control responsibilities as part of the role of management and internal audit as an independent function. PIFC and FMC are discussed in more detail in Module T3 Accounting Fundamentals. Countries seeking accession to the European Union are required to satisfy, among other things, best practice standards, frameworks, and policies relating to PIFC on a holistic sector-wide basis. These expectations are detailed in Chapter 32 Financial Control of the EU requirements. These include:

• Effective and transparent management systems, including accountability arrangements for the achievement of objectives.
• A functionally independent internal audit.
• Relevant organizational structures, including central co-ordination of PIFC development across the public sector. [10]

[10] See, for example, the European Commission Staff Working Document: Albania 2022 report.

A.3.3 CIPFA International Framework: Good Governance in the Public Sector

The Good Governance Framework is specifically designed for public sector entities “to encourage better service delivery and improved accountability.” The definition of governance used is similar to that of The IIA quoted in A.1.

Governance comprises the arrangements put in place to ensure that the intended outcomes for stakeholders are defined and achieved. [11]

Figure: CIPFA Good Governance Framework

The framework is intended to be applicable to individual entities as well as the public sector system. It is based on seven principles:

I. Behaving with integrity, demonstrating strong commitment to ethical values, and respecting the rule of law.
II. Ensuring openness and comprehensive stakeholder engagement.
III. Defining outcomes in terms of sustainable economic, social, and environmental benefits.
IV. Determining the interventions necessary to optimize the achievement of the intended outcomes.
V. Developing the entity’s capacity, including the capability of its leadership and the individuals within it.

[11] International Framework: Good Governance in the Public Sector, CIPFA, 2014
