Internal Audit 101 Introduction Internal Auditing as a profession is increasingly being looked at by senior management to provide timely information

to assure management about systems that have been put in place for the effective and efficient running of businesses. It is therefore important that practicing internal auditors as well as those who make use of the service have a good understanding in order to shape their expectations. This would go a long way to reduce the expectations gap and also foster better collaboration among the internal auditors, senior management, the audit committee and the external auditors. We are beginning a series of articles that I would like to refer to as Internal Audit 101 that will seek to address some very pertinent questions that linger in the minds of those who are currently being served by internal auditors in one way or the other. The series will also try to put the internal auditors in the right professional mode to enable them deliver quality services to their sponsors. We start off this week with the first one. To achieve the above objectives, we shall be looking at topics such as what is internal auditing, who qualifies to be an internal auditor, what is involved in internal auditing, The Institute of Internal Auditors - who they are and what they do. We will also look at some of the guidance documents that have been provided by the IIA. We shall then go on to look at how to plan to undertake internal audit engagements. We begin our discussions with the question; what is internal auditing? A lot of people and professionals within and without have their own opinion of what the internal audit profession is about. These numerous opinions feed into the various expectations they have regarding the role of the internal auditor and subsequent expectations they have of the internal auditors work. What is internal auditing? The Institute of Internal Auditors (IIA) has developed the globally accepted definition as follows: Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Based on this definition the internal audit activity must be able to cover the entire spectrum of business activities, literally chasing where the money goes to ensure that value is derived from every dime spent. Of course this pursuit of where the money goes must be driven by risk or how much money is going where and what the expectations and objectives of the activity is. This obviously means that the internal auditor is now required to expand the scope of the internal audit activity to include both support functions such as human resource management, procurement, administration, marketing, and information technology as well as core operational functions. Many internal auditors in both the public and private sectors are still spending the entire calendar year sitting with and harassing the finance

and accounts department all because they cannot move out of that area to deal with other equally important functions within the organisation. Their annual audit plans or program are full of finance and accounting related auditable units. I will spend some time to discuss this definition, but let me just pause here for a while to look briefly at the Institute of Internal Auditors (IIA). A brief on The IIA The IIA which was established in 1941 (70 years ago), is an international professional association with its global headquarters in Altamonte Springs, Florida, USA. It is the internal audit profession s global voice, recognized authority, acknowledged leader, chief advocate and principal educator. Very tall order I would say, but so far executed brilliantly. The mission of the IIA is to provide dynamic leadership for the global profession of internal auditing. Many are not aware that internal auditing is now a profession in its own right. We know of doctors, lawyers, and accountants as professionals who belong to a body that regulates and supervises the performance of their work. In much the same way, internal auditors are also professionals. The current trend in Ghana is that when an organisation needs a person to work as an internal auditor, they require the person to be a certified of qualified accountant with CA (GH) or ACCA (UK). However, in countries such as South Africa persons with CA (SA) are not seen as internal auditors but as accountants. Therefore all internal audit adverts require Certified Internal Auditors (CIA) and qualified accountants. Of course qualified accountants do end up getting internal audit job, but these are accountants who have had the privilege of working as internal auditors in the past. Let me quickly add that in such circumstances, they are required to enroll in the CIA professional certification program so they finally gain the CIA designation. The big four accounting houses have therefore responded by creating two separate professional training routes; one for those who desire to practice as accountants and those who prefer to practice as internal auditors. Audit committees are also required by the Institute of Internal Auditors (SA) to have at least one member who is responsible to technical audit issues to be certified as an internal auditor in order to demonstrate that he has the competence to deal with both external and internal audit issues. Why this emphasis on certification, one would ask. The reason is that the internal auditor needs more than just the accounting knowledge to be able to handle his job. The ISPPIA recommends the CIA as the recognised certification for internal auditors plus other designations offered by other appropriate professional organisations. Is internal audit a Profession? Let s look at the requirements and use it as a benchmark to answer this question. A professional body must have some five basic characteristics to qualify as such. These are as follows: 1. A Common Body of Knowledge (CBOK) 2. Code of ethics

3. Professional Standards 4. Certification program 5. Continuous Professional Education Common body of knowledge: Every professional body thrives on a CBOK. The CBOK is what informs and drives the professional bodies and is based on rigorous and intensive scientific research. Without it there would be no knowledge base for professional bodies. The IIA has sponsored five CBOK studies since inception with the first one being published in 1972. The latest one CBOK 2006 was released in 2007. The aim of the CBOK is to broaden the understanding of how internal auditing is practiced throughout in the world. The database contains information about compliance with the IIAs ISPPIA, the state of the internal audit activity (IAA), staffing, skills, competencies, and the emerging role of the IAA. While all prior CBOK were only conducted in English, CBOK 2006 effectively translated the questionnaires into 16 additional languages. It is the first study that invited The IIAs entire worldwide membership to participate. With 9,366 usable respondents from 91 countries, the CBOK 2006 became the most comprehensive study ever in the history of The IIA. Code of Ethics: The IIA requires all members to adhere to a code of ethics which is a statement of the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. The purpose of code of ethics is to promote an ethical culture in the profession of internal auditing. This is requirement for all members of professional bodies. Professional Standards: Members of professional bodies are required to perform their work according to some set standards which will be used as criteria for measuring the quality or otherwise of performance. The IIA has the ISPPIA as the professional guidance that lays down the mandatory and strongly recommended guidance for carrying out the internal audit activity. An excerpt from the introduction to the Standards is reproduced below: The purpose of the Standards is to: 1. Delineate basic principles that represent the practice of internal auditing. 2. Provide a framework for performing and promoting a broad range of value-added internal auditing. 3. Establish the basis for the evaluation of internal audit performance. 4. Foster improved organizational processes and operations. The structure of the Standards is divided between Attribute and Performance Standards. Attribute Standards address the attributes of organizations and individuals performing internal auditing. The Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. The Attribute and Performance Standards are also provided to apply to all internal audit services . -The IIA 2010 - Introduction to the Standards.

Certification Program: The Certified Internal Auditor CIA program is the flagship qualification administered by The IIA. It is the only globally accepted designation for internal auditors and the standard by which individuals demonstrate their professionalism in internal auditing. Moreover, earning the CIA designation is more than just proof of what you know and what you ve achieved it s the best way for auditing professionals to communicate to the world that they are prepared to meet today s challenges. Earning the CIA is seen as a very valuable accomplishment and a professional advantage for persons in the internal audit profession. The CIA exam tests your knowledge of current internal auditing practices, risks and controls, and more. Just the process of preparing for the exam will enhance your professional insight and strengthen your grasp of The IIA s ISPPIA. The exam covers the following areas: 1. 2. 3. 4. The Internal Audit Activity s Role in Governance, Risk, and Control Conducting the Internal Audit Engagement Business Analysis and Information Technology Business Management Skills

Continuous Professional Education Once certified, CIAs are required to maintain their knowledge and skills and stay abreast of improvements and current developments in the internal audit profession through continuing professional education requirements. CIAs are required to self-certify as to the completion of the required continuing education hours. It is the CIA's responsibility to assure that the CPE hours claimed conform to the guidelines established by The IIA's Board of Regents. Forms are submitted by CIAs on a biennial basis and serve as signed statements that all applicable CPE requirements have been met. These factors outlined above make it obvious that the internal audit profession is a recognised one which has come to stay. Back to the Definition There are some key words within the definition of internal auditing. These words, when understood within the right context help to shape our understanding of what internal auditing is all about. I am repeating the definition here but this time with some emphasis on these key words, which I will discuss one after the other. Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Quite a number of words as one can see, but I believe they are all very important. Actually this definition is more often referred to as the new definition of internal auditing due to the expanded

scope of the activity. I know for sure that many internal auditors have used it to win a lot of C-level arguments concerning the work of the internal auditor. Let s start off with independent and objectivity . Independence is fundamental to the reliability of the internal auditors reports. I quite remember way back in school when auditing was introduced as a new subject. We were made to learn several factors that were used to assess the degree of independence the auditor had; factors such as performance of non-audit services and percentage of auditor fees to total auditor revenues among others. Interestingly when it comes to internal auditor independence, the applicable standards, the International Standards for the Professional Practice of Internal Auditing (ISPPIA) does not apply those factors used in assessing the external auditor independence. According to Standard 1100, the internal audit activity must be independent, and internal auditors must be objective in performing their work. The standard interprets it as follows: Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels. S1100 Independence and Objectivity (ISPPIA)

Arguments have been advanced by some that in so far as the internal auditor sits with the management and staff of the organisation and takes his salary from the same payroll with them, he is in a way, not independent. Clearly this standard makes is clear that the internal auditor s independence is not like that of the external auditor at all. The standard deals with issue separately and talks about organisational independence and individual objectivity. With respect to the first part; the organisational independence, the standards require the chief audit executive to report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. When this is in place then the internal auditor will be free from interference in determining the scope of the internal audit activity. This status must be confirmed to the Board at least annually. With respect to individual objectivity, internal auditors are required to have an impartial, unbiased, attitude and avoid conflicts of interest. Conflict of interest, in the case of the internal auditor, arises when he has a competing professional or personal interest in any assignment he is about to

undertake or is undertaking. A conflict of interest, where it exists, undermines the confidence of the internal auditor, the internal audit activity and the profession as a whole.