TIAPS Module 1 Audit and Assurance workbook
• Risk management maturity. • Control weaknesses identified by internal audit. • The focus of the external auditors and financial inspectors (to ensure coherent coverage and minimize unnecessary duplication to the extent to which cooperation is possible while maintaining independence and respective missions). • Resources and skills available to the internal audit function. • Internal audit function strategic plan. C.1.1 Assurance Engagements Assurance can be defined in terms of the examination and assessment processes deployed by auditors to evaluate governance, risk management, and internal control. This is how it is defined by the IPPF. “Assurance” also refers to the confidence provided by an assurance engagement and the comfort derived from it by the client of assurance services. Assurance as a form of confidence and comfort allows for the possibility of different degrees, amounts, or levels, ranging theoretically from total and absolute assurance to the complete absence of assurance. In practice, it is impossible to provide absolute assurance since the scope of an audit is always limited to what was observed and concluded at that moment. Other activities and conditions fall outside of the scope and circumstances continue to change. Uncertainty will always remain. For that reason, external auditors may provide reasonable or limited assurance, although this distinction is not made for internal auditors in the IPPF. The IPPF refers to “reasonable assurance” only in the context of the purpose of risk management and internal control, although it does not define the term. For example, risk management is defined as: A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives. 43 “Limited assurance” is not referenced at all in the IPPF. While some internal auditors choose to make the distinction between reasonable (or positive) assurance and limited (or negative) assurance, these are more commonly terms used by external auditors. Internal audit engagements may provide assurance based on “sufficient, reliable, relevant, and useful information” to support conclusions and opinions (Standard 2310 – Identifying Information). There is no allowance for anything that falls short of this requirement. The IIA guidance on audit opinions does allow for distinctions in the level of assurance (see section C.1.5). C.1.2 Consulting (Advisory) Engagements What constitutes consulting services covers a wide spectrum of activities. 43 The International Professional Practice Framework, The Institute of Internal Auditors, 2016 46
The following list is taken from Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value: • Business process improvement. • Continuous monitoring. • Control self-assessment or risk and control self-assessment. • Forensic. • Governance and ethics training. • Internal control review. • Internal control training. • Merger and acquisition analysis. • Participation on committees or taskforces. • Readiness review. • Review of a new product or service before implementation. • Risk self-assessment. • Transition activities. 44 IIA Australia has produced guidance on consulting engagements and advises internal auditors to follow these steps: • Build time into your internal audit plan. Often consulting engagements are not planned at the beginning of the year and some flexible time for ad hoc engagements makes it easier to be responsive to management requests. • Make management aware of the service. Sometimes managers are unaware that internal audit can provide advisory services in response to their requests and it is necessary to promote this across the organization as an available support for management. • Respond promptly. In all cases – assurance and advisory engagements – internal audit needs to be reflective of organizational needs and priorities and flexible when these change. Delays can reduce the value of the sought-after advice and insight. • Don’t do what management should do themselves. This is a reminder to maintain independence and objectivity. The request should be legitimate rather than setting an expectation that internal audit will fill a first or second line role. Internal audit does not need to accept every request made by management and it is always necessary to prioritize. • Don’t give up when the allocated time runs out. Advisory engagements require greater flexibility as they are often harder to fully scope and budget at the outset. There may be options for securing additional internal or external resources to extend the work. Additionally, internal audit should be helping management identify what work needs to be done so there can be agreement about prioritization. • Celebrate success. One of the best ways to promote advisory services is to share news of successful engagements which can be achieved formally or informally through various channels. 45 44 Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value, Seventh Edition, Internal Audit Foundation, 2019 45 Factsheet: Internal Audit Consulting, IIA Australia, 2022 47
- Page 1 and 2: Module 1: Audit and Assurance TIAPS
- Page 3 and 4: Table of Contents Module 1: Audit a
- Page 5 and 6: Relevant Standards Reference is mad
- Page 7 and 8: • Close scrutiny. The activities
- Page 9 and 10: A.2 Public Sector Governance IIA In
- Page 11 and 12: The need for governance arises for
- Page 13 and 14: Although developed for government a
- Page 15 and 16: A.3 Governance Models When evaluati
- Page 17 and 18: defensive aspects to minimize negat
- Page 19 and 20: A.3.3 CIPFA International Framework
- Page 21 and 22: 8. Ensure that its arrangements for
- Page 23 and 24: • Consideration of overlapping in
- Page 25 and 26: A.3: Reflection Which model or mod
- Page 27 and 28: Although they are related, the prin
- Page 29 and 30: B.1.1 Independence, Objectivity, an
- Page 31 and 32: B.1: Reflection Is it possible to
- Page 33 and 34: According to The IIA Position Paper
- Page 35 and 36: B.2: Reflection When was the last t
- Page 37 and 38: When independence or objectivity ar
- Page 39 and 40: B.4 Safeguards for Independence and
- Page 41 and 42: In other cases, there is no audit c
- Page 43 and 44: C. Assurance and Advisory Engagemen
- Page 45: It is common to build an allowance
- Page 49 and 50: helping managers developing control
- Page 51 and 52: C.1.5 Internal Audit Opinions Audit
- Page 53 and 54: Leadership and Communication Intern
- Page 55 and 56: C.2 Auditing Governance The IIA Sup
- Page 57 and 58: C.2: Reflection How does your inter
- Page 59 and 60: Fraud may be perpetrated via measur
- Page 61 and 62: circumstances (unethical and often
- Page 63 and 64: Management Issues • Lack of area
- Page 65 and 66: Risk management techniques can be a
- Page 67 and 68: IT controls may be manual, automate
- Page 69 and 70: The IIA’s Cybersecurity Toolkit d
- Page 71 and 72: C.3: Reflection Fraud: How are susp
- Page 73 and 74: Global Perspectives and Insights -
- Page 75: CIPFA: 77 Mansell Street, London E1
• Risk management maturity.<br />
• Control weaknesses identified by internal audit.<br />
• The focus of the external auditors <strong>and</strong> financial inspectors (to ensure coherent<br />
coverage <strong>and</strong> minimize unnecessary duplication to the extent to which cooperation is<br />
possible while maintaining independence <strong>and</strong> respective missions).<br />
• Resources <strong>and</strong> skills available to the internal audit function.<br />
• Internal audit function strategic plan.<br />
C.1.1 <strong>Assurance</strong> Engagements<br />
<strong>Assurance</strong> can be defined in terms of the examination <strong>and</strong> assessment processes deployed<br />
by auditors to evaluate governance, risk management, <strong>and</strong> internal control. This is how it is<br />
defined by the IPPF. “<strong>Assurance</strong>” also refers to the confidence provided by an assurance<br />
engagement <strong>and</strong> the comfort derived from it by the client of assurance services.<br />
<strong>Assurance</strong> as a form of confidence <strong>and</strong> comfort allows for the possibility of different degrees,<br />
amounts, or levels, ranging theoretically from total <strong>and</strong> absolute assurance to the complete<br />
absence of assurance. In practice, it is impossible to provide absolute assurance since the<br />
scope of an audit is always limited to what was observed <strong>and</strong> concluded at that moment.<br />
Other activities <strong>and</strong> conditions fall outside of the scope <strong>and</strong> circumstances continue to<br />
change. Uncertainty will always remain. For that reason, external auditors may provide<br />
reasonable or limited assurance, although this distinction is not made for internal auditors in<br />
the IPPF. The IPPF refers to “reasonable assurance” only in the context of the purpose of<br />
risk management <strong>and</strong> internal control, although it does not define the term. For example, risk<br />
management is defined as:<br />
A process to identify, assess, manage, <strong>and</strong> control potential events or situations to<br />
provide reasonable assurance regarding the achievement of the organization’s<br />
objectives. 43<br />
“Limited assurance” is not referenced at all in the IPPF. While some internal auditors choose<br />
to make the distinction between reasonable (or positive) assurance <strong>and</strong> limited (or negative)<br />
assurance, these are more commonly terms used by external auditors. Internal audit<br />
engagements may provide assurance based on “sufficient, reliable, relevant, <strong>and</strong> useful<br />
information” to support conclusions <strong>and</strong> opinions (St<strong>and</strong>ard 2310 – Identifying Information).<br />
There is no allowance for anything that falls short of this requirement. The IIA guidance on<br />
audit opinions does allow for distinctions in the level of assurance (see section C.1.5).<br />
C.1.2 Consulting (Advisory) Engagements<br />
What constitutes consulting services covers a wide spectrum of activities.<br />
43<br />
The International Professional Practice Framework, The Institute of Internal <strong>Audit</strong>ors, 2016<br />
46