Internal Auditing Day 1: Introduction to Internal Auditing

Internal Auditing: Reviewing organization process in order to improve company

operations

IPPF: International Professional Practices Framework

Mandatory Guidance
a) Core Principles
b) Definition of IA
c) Standards (these are non-negotible;)
d) Code of Ethics (Integrity, Objectivity, Confidentiality,
Recommended Guidance; additional guidance for internal auditor
a) Implementation Guidance
b) Supplemental GUidannce
------it's okay to deviate from the should be process but it should be
justifiable and approved by the head.

IIA: Institute of Internal Auditor ( IIA Philippines / local) (Guidance

Setting Body)

MISSION: Enhance and protect organizational value by providing risk-based and

objective assurance, advise and insight.
A) Risk-based : because of limited resources
DEFINITION:
A) Independent, objective assurance and consulting activity designed to add
value and improve an organization’s
operations.
B) It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control, and
governance processes.
C) Provide insight and recommendation to Effectivness of operation,
reliability of financial mngt and reporting, compliance
with laws and regulation
D) May also involve in conducting fraud investigation (If there is a red
flag, responsibility to the mngt).

Governance: Board -- Top Mngt (C-Level roles) -- Middle Mngt -- Process Owners
Board - setting the tone, strategic planning
Risk-Management: To identify, assess, manage and control potential events or
situations to provide reasonable assurance.
Everyone is responsible for risk management
Control: Process effected by an entity's board to provide reasonable assurance

CODE OF ETHICS: ISPPIA (International Standards for the Professional Practice of

Internal Auditing)

A) States the principles and expectations governing behavior of individuals

governing behavior
B) Minimin rule of conduct

4 Principles:
Objectivity: Not unduly influence by self interest
Integrity: Establish trust
Competence: Continuous improvement
Confidentiality: Respect the owner of information

1. Demonstrate integrity
2. Demonstrate competence and due prof care
 3. Obejctve and free from undue influence
4. Aligns wit strategy
5. Appropriately positiones
6. Demonstrate quality and continuous improvement
7. Communicates effectively
8. Provide risk-based assurance
9. Insightful, proactive, and future-focused
10. Promote organizational improvement ( even if nothing's wrong, improve/
recomment more effective or efficient process)

3 LINES OF DEFENSE

1ST: Managemnt Controls and Internal Control Measure; (RISK OWNERS)

2ND: Financial Control, security, risk managemnt, quality, inspection, compliance
(OVERSEE RISK)
3RD: Internal Audit

IA ADMINISTRATIVELY REPORTING TO THE CEO

IA FUNCTIONALY REPORTING to the BOARD

-----------------------------------------------------------------------------------
-
IA FUNCTION

Internal Audit as a Service

1) OUTSOURCE / CO-SOURCE INTERNAL AUDIT SERVICES

----OUTSOURCE - Walang Internal Audit Function
----CO-SOURCE - May IA Function however hindi nila kaya iperform yung ia within a
year
2) COMPLIANCE OR OPERATIONAL AUDIT
----Ensuring that they comply with the law including the policy and regulation that
they have
3) FORENSIC INVESTIGATION
----Indication of fraud
4) REVIEW OF CONTROLS, PROCESSES AND PROCEDURES
---- Specific or tailored engagement (Audit of logistics)
5) ASSISTANCE IN RISK MNGT, SET UP OF ERM FRAMEWORK, IA FUNCTION
----Setting up the IA Function
6) IA TRAINING
---- Like established training in the ILO-ILO branch.
7) EXTERNAL QUALITY ASSESSMENT OF THE IA FUNCTION
----Do they have a charter? did they execute IA Audit plan?

Pros:
1. Flexibility
2. Provide access to leading edge tools and methodologies

Cons:
1. It may prove to be costly and time-consuming if the board decides to bring the
outsourced internal audit function back in house.
2. Significant information needed may be restricted to the outsourced IA provided.

-----------------------------------------------------------------------------------
---
IA AND ITS KEY STAKEHOLDERS

IA FUNCTION
1. BOD
2. Aud. Com.
3. Senior mngt
4. Process Owners
5. Statutory Auditors

-----------------------------------------------------------------------------------
---

IA Process

Risk-Based Audit Planning

- Results would have to be presented to the board for their approval

Planning
a. Preliminary Survey
b. Preparation of audit planning memo (defines and authorize the audit engagement)
c. Basic Audit coverage
d. Preparation of kick off materials
e. Arrange kick off meeting date and time
f. Preparation of Introduction letter
g. Kick off meeting with client management
h. Adjustment of audit plan (Based on clients input, Familliarization with clients
processess)

Fieldwork
a. Perform TOC; Preventive, Detective, Directive
b. Perform Test of Details
c. Sampling Methodology
---increase sample when risk is high. lower sample when controls are in place,
take samples for each type of transaction
d. Customized Audit work program
e. Risk and Control Assessment
---Prioritize areas with high risk

Communication of Results
a. Preliminary Audit Discussion - with process owners
b. Plant/Region Exit meeting - with client management
c. Final Audit Discussion
d. Preparation of Audit report package
e. Audit Client survey
f. Quarterly Reporting to the Board

Follow Through / Monitoring

a. Follow up of action plans
b. Regular alignment of business finance

COMMON IA FINDINGS
1. Non-compliance with policies and procedures
2. Lack of written procedures
3. Inefficient policies and procedures
4. Insufficient documentation
5. Improper use of GL Accounts
6. Non-application or incorrect application of taxes
7. Non-availability or missing of documents
-----------------------------------------------------------------------------------
-----
Internal Controls

Set of policies and procedures placed.

1. The best control is the culture created by the management

2. Actions taken by the management to help the company objectives
3. Controls are responsibilty of the management

Sample List of Business Process

Procurement
Logistics
Project Management
Financing
Management

Types Of Internal Control

Detective
Preventive
Directive: Code of ethics
Corrective

-----------------------------------------------------------------------------------
-----

Fraud

-----------------------------------------------------------------------------------
--------

Data Analytics

Data Driven Audit Analytics

a) Risk focus
b) Performance Focus
How Analytics enhanced audit?

Input ------> Production Conversion -------> Output

Input --- Std Material vs Actual Used

Output --- Actual scrap vs Tolerable scrap