WIXLIB

xiv FOREWORDIn times of fast change, technological innovation and pressure to deliver in virtually all sectorsof activity, the Handbook provides the right guidance to achieve greater learning. More than this,it gives the stimulus for each of us to continue to improve our professional approach to providingan effective internal audit service.Neil CowanPast President, IIA.UK&IrelandIIA Global Ambassador

ACKNOWLEDGEMENTSA very special thanks to my wife, Jennifer, for all her help and support in preparing the new editionand a big hug to our children Dexter and Laurel-Jade; just for being there.For their past, present and continuing support, a thank you to Nigel Freeman, Neil Cowan,Richard Todd, Andy Wynne, Professor Andrew Chambers, Vernon Bailey, Paul Moxey, JohnWatts, Marian Lower, Eric Hall, Keith Wade, Graham Westwood, Steve Hardman, Mr andMrs Livermore, Mr and Mrs Newman, Master Lajos Jakab, Mohammed Khan, Horace Edwards,Hock-Chye Ong, Don Daniels, Jack Stephens, Sue Seamour, Adrian Hogg, Mike Mintrum, AlanDavies, Tony Otokito, and staff at the Institute of Internal Auditors (UK&Ireland). Also a thank youto my large family including Aunt Edith, Aunt Joyce, Uncle Tony, and also: Tony, Graham, Kathy,Ellen, James, Lenny, Marianne (Maza), Lucie, Stella, Adrian, Maria, Irvine, Nigel, Nichole, Trevor,Barbara, Michael, Elaine and Karron.A very special acknowledgement to Professor Gerald Vinten, Editor of the Managerial AuditingJournal, who introduced me to the previously mysterious world of the author.

Chapter 1INTRODUCTIONIntroductionThe second edition of the Internal Auditing Handbook reflects the significant changes in the fieldof internal auditing over the last few years. Since 1997 there have been many developmentsthat impact the very heart of the audit role. There really are ‘new look’ internal auditors whocarry the weight of a heightened expectation from society on their shoulders. Auditors no longerspend their time looking down at detailed working schedules in cramped offices before preparinga comprehensive report on low-level problems that they have found for junior operationalmanagers. They now spend much more time presenting ‘big picture’ assurances to top executivesafter having considered high-level risks that need to be managed properly. Moreover, the internalauditor also works with and alongside busy managers to help them understand the task ofidentifying and managing risks to their operations. At the same time the internal auditor has toretain a degree of independence so as to ensure the all-important professional scepticism that isessential to the audit role. The auditor’s report to the Audit Committee must have a resilienceand dependability that is unquestionable. These new themes have put the internal auditor atthe forefront of business and public services as one cornerstone of corporate governance—andthe new Internal Auditing Handbook has been updated to take this on board, with new chapterson corporate governance and risk management. Back in 1997 the Handbook described internalauditing as a growing quasi-profession. The quantum leap that occurred between the old and newmillennium is that internal auditing has now achieved the important status of being a full-blownprofession. Note that the term chief audit executive (CAE) is used throughout the handbook andthis person is described by the Institute of Internal Auditors (IIA) as assuming the:Top position within the organization responsible for the internal audit activities. In a traditionalinternal audit, this would be the internal audit director. In the case where internal audit activitiesare obtained from outside service providers, the chief audit executive is the person responsiblefor overseeing the service contract and the overall quality assurance of these activities, reportingto senior management and the board regarding internal audit activities, and follow up ofengagement results. The term also includes such titles as general auditor, chief internal auditor,and inspector general.11.1 Reasoning behind the BookThe original Internal Auditing Handbook focused on the practical aspects of performing the audittask. It contained basic material on managing, planning, performing and reporting the audit,recognizing the underlying need to get the job done well. The new edition has a different focus.Now we need first and foremost to understand the audit context and how we fit into the widercorporate agenda. It is only after having done this that we can go on to address the response tochanging expectations. In fact, we could argue that we need to provide an appropriate responserather than think of the audit position as being fixed and straightforward. It is no longer possible

2 THE INTERNAL AUDITING HANDBOOKto simply write about an audit programme and how this is the best way to perform the audittask. To do justice to the wealth of material on internal auditing, we must acknowledge thework of writers, thought leaders, academics, journalists and noted speakers at internal auditconferences. The first Internal Auditing Handbook set out the author’s views and understandingof the audit role. The new Handbook contains a whole range of different views and extractsof writings from a variety of representatives from the audit community. There are also specialcontributions from Richard Todd and Andy Wynne who have provided several examples, writtenspecially for the Handbook, taken from their many years of professional internal auditing work.Gerald Vinten, Paul Moxey, Mohammed Khan, John Watts and Neil Cowan have likewise sharedtheir experiences with the reader. The new context for internal auditing is set firmly within thecorporate governance arena. As a response, the Institute of Internal Auditors has designed a newdefinition of internal auditing:Internal auditing is an independent, objective assurance and consulting activity designed to addvalue and improve an organization’s operations. It helps an organisation accomplish its objectivesby bringing a systematic, disciplined approach to evaluate and improve the effectiveness of riskmanagement, control and governance processes.2The new Internal Auditing Handbook has early chapters on Corporate Governance Perspectives,Managing Risk and Internal Controls. It is only after having addressed these three interrelated topicsthat we can really appreciate the internal audit role. There are chapters on quality, professionalstandards, audit approaches, managing internal audit, planning, performance and reporting auditwork and specialist areas such as fraud and IS auditing. The final chapter attempts to look at ourfuture and changes that may well be on the way. The new Handbook includes many referencesand quotes from a wide variety of sources; since all views are important, even where they conflict.This variety can only help move the profession onwards and upwards. The Handbook restsfirmly on the platform provided by the professional standards of the Institute of Internal Auditors.Internal auditing is a specialist career and it is important that we note the efforts of a professionalbody that is dedicated to our chosen field. Note that despite the recent changes in the field ofinternal auditing there is much of the first book that is retained in the new edition. Change meanswe build on what we, as internal auditors, have developed over the years rather than throw awayanything that is more than a few years old. As the saying goes—it is important not to throw awaythe baby with the bath water.1.2 The IIA Standards and Links to the BookThe Handbook addresses most aspects of internal auditing that are documented in the Instituteof Internal Auditor’s (IIA) professional standards. The Attribute Standards outline what a goodinternal audit set-up should look like, while the Performance Standards set a benchmark for theaudit task. Together with the Practice Advisories (and Professional Briefing Notes) and otherreference material (as at January 2003) they constitute a professional framework for internalauditing. The IIA’s main Attribute and Performance Standards are listed below:IIA—ATTRIBUTE STANDARDS1000—Purpose, Authority, and ResponsibilityThe purpose, authority, and responsibility of the internal audit activity should be formally definedin a charter, consistent with the Standards, and approved by the board.

INTRODUCTION 31100—Independence and ObjectivityThe internal audit activity should be independent, and internal auditors should be objective inperforming their work.1200—Proficiency and Due Professional CareEngagements should be performed with proficiency and due professional care.1300—Quality Assurance and Improvement ProgramThe CAE should develop and maintain a quality assurance and improvement program thatcovers all aspects of the internal audit activity and continuously monitors its effectiveness. Theprogram should be designed to help the internal auditing activity add value and improve theorganisation’s operations and so provide assurance that the internal audit activity is in conformitywith the Standards and the Code of Ethics.IIA—PERFORMANCE STANDARDS2000—Managing the Internal Audit ActivityThe CAE should effectively manage the internal audit activity to ensure it adds value to theorganisation.2100—Nature of WorkThe internal audit activity evaluates and contributes to the improvement of risk management,control and governance systems.2200—Engagement PlanningInternal auditors should develop and record a plan for each engagement.2300—Performing the EngagementInternal auditors should identify sufficient, reliable, relevant, and useful information to achievethe engagement’s objectives.2400—Communicating ResultsInternal auditors should communicate the engagement results promptly.2500—Monitoring ProgressThe CAE should establish and maintain a system to monitor the disposition of results communicated to management.2600—Management’s Acceptance of RisksWhen the CAE believes that senior management has accepted a level of residual risk that isunacceptable to the organisation, the CAE should discuss the matter with senior management.If the decision regarding residual risk is not resolved, the CAE and senior management shouldreport the matter to the board for resolution.1.3 How to Navigate around the BookA brief synopsis of the Handbook should help the reader work through the material. It is clear thatthe Handbook is not really designed to be read from front to back but used more as a referenceresource. Having said that, there should be some logic in the ordering of the material so that it

4 THE INTERNAL AUDITING HANDBOOKfits together if the reader wishes to work through each chapter in order. One important point tomake is that although most chapters contain ten main sections, they are each of variable length.Some readers find different chapter lengths inconvenient, but there is little point trying to fit setmaterial into standard boxes when some chapters naturally consume more material than others.In fact some sections are quite long because they need to cover so much ground. Apologies inadvance if this policy proves bothersome at all.Chapter 1—IntroductionThis first chapter deals with the content of the Handbook and lists the IIA standards. It also coversthe way the Handbook can be used as a development tool for the internal audit staff, linked towebsite material that can be used to form the basis of learning workshops and resources. Theway internal auditing has developed over the years is an important aspect of the chapter, wherebythe progress of the profession is tracked in summary form from its roots to date. It is important toestablish the role of internal audit at the start of the book to retain this focus throughout the nextfew chapters that cover corporate perspectives. Note that the internal audit process appears insome detail from Chapter 5 onwards. Likewise our first encounter with the IIA standards appearsin this chapter based on the ‘Platform’ theory to underpin the entire Handbook.Chapter 2—Corporate Governance PerspectivesChapter 2 covers corporate governance in general in that it summarizes the topic from a businessstandpoint rather than focusing just on the internal audit provisions. A main driver for ‘gettingthings right’ is the constant series of scandals that have appeared in every developed (as well asdeveloping) economy. The governance equation is quickly established, and then profiles of someof the well-known scandals are used to demonstrate how fragile the accountability frameworksare. New look models of corporate governance are detailed using extracts from various codesand guidance to form a challenge to business, government and not-for-profit sectors. Note thatthe chapter may be used by anyone interested in corporate governance as an introductionto the subject. The section on internal auditing is very brief and simply sets out the formalrole and responsibilities, without going into too much detail. One topic that stands out in thechapter relates to audit committees as many view this forum as the key to ensuring corporateresponsibility and transparency. The corporate governance debate is ongoing and each new coderefers to the need to start work on updates almost as soon as they are published. As such, it isnever really possible to be up to date at publication and the reader is advised to keep an eye onnew developments as and when they arise.Chapter 3—Managing RiskAnother new chapter for the Handbook. Many writers argue that we are entering a newdimension of business, accounting and audit whereby risk-based strategies are essential to thecontinuing success of all organizations. Reference is made to various risk standards and policiesand we comment on the need to formulate a risk management cycle as part of the responseto threats and opportunities. The corporate aspiration to embed risk management into the wayan organization works is touched on. The growing importance of control self-assessment has

INTRODUCTION 5ensured this appears in the Handbook, although this topic is also featured in the chapter onaudit approaches. The chapter closes with an attempt to work through the audit role in riskmanagement and turns to the published professional guidance to help clarify respective positions.There is a link from this chapter to risk-based planning in the later chapter on Setting an AuditStrategy. Throughout the Handbook we try to maintain a link between corporate governance,risk management and internal control as integrated concepts.Chapter 4—Internal ControlsSome noted writers argue that internal control is a most important concept for internal auditorsto get to grips with. Others simply suggest that we need to understand where controls fit intothe risk management equation. Whatever the case, it is important to address this topic beforewe can get into the detailed material on internal auditing. An auditor armed with a good controlmodel is more convincing that one who sees controls only as isolated mechanisms. Chapter 4takes the reader through the entire spectrum of control concepts from reasoning, control models,procedures, and the link to risk management. One key section concerns the fallacy of perfectionwhere gaps in control and the reality of imperfection are discussed. This forms the basis for mostbusiness ventures where uncertainty is what creates business opportunities and projects. With theadvent of risk management this does not mean controls take a back seat, it just means controlsneed to add value to the business equation.Chapter 5—The Internal Audit RoleThis chapter moves into the front line of internal audit material. Having got through the reasoningbehind the audit role (governance, risk management and control), we can turn to the actual role.The basic building blocks of the charter, independence, ethics and so on are all essential aspectsof the Handbook. Much of the material builds on the original Handbook and is updated to reflectnew dimensions of auditing. One key component is the section on audit competencies whichforms the balancing factor in the equation—‘the challenges’ and ‘meeting the challenges.’ Mostauditors agree that there is the set audit role and then there are variations of this role. Thosewho have assumed one particular variation of the audit role need to appreciate where it fits intothe whole.Chapter 6—ProfessionalismThe auditors’ work will be determined by the needs of the organization and the experiencesof senior auditors, and most audit shops arrive at a workable compromise. One feature ofthe upwards direction of the internal audit function is the growing importance of professionalstandards as a third component of the equation we discussed earlier. Some of the publishedstandards are summarized in this chapter, although the main footing for the Handbook revolvesaround the IIA standards. Moreover, quality is a theme that has run across business for many years.If there are quality systems in place, we are better able to manage the risk of poor performance. Itwould be ironic for internal audit reports to recommend better controls over operations that arereviewed when the audit team has no system in place that ensures it can live up to professionalstandards. Processes that seek to improve the internal audit product are covered in this chapter,including the important internal and external reviews that are suggested by audit standards.

6 THE INTERNAL AUDITING HANDBOOKChapter 7—The Audit ApproachThe range and variety of audit services that fall under the guise of internal auditing have alreadybeen mentioned. A lot depends on the adopted approach and rather than simply fall into oneapproach, it is much better to assess the possible positions armed with a knowledg

1. Auditing,Internal.I.Title. HF5668.25.P532003 657 .458—dc21 2003053781 British Library Cataloguing in Publication Data A catalogue record for this book is available from the British Library IS