What is the purpose of internal auditing? How important is it to the business? How are internal audits planned and carried out? These slides show the relevance of internal audit to the business, how internal audits relate to the objectives and risks of the business, how they are planned and the work involved in an internal audit. Further advice is available from www.internalaudit.biz

1. An introduction to internal
auditing

2. An introduction to internal auditing
• This slide is not to be shown
• The slide show aims to provide an introduction to internal auditing.
• The notes give more information on each slide.
• The slides and the notes will need changing for your organization.
• The slide presentation is not automatic, you will need to click through it.
• There are 25 slides, which should take around 25 minutes to show
(excluding questions).
• Some slides have animations.
• For more details about the internal audit processes see the free books
available from www.internalaudit.biz.
08/06/2019 2

3. An introduction to internal auditing
From www.internalaudit.biz

4. Contents
• The organization
• The objectives and risks
• The responses to risks
• The purpose of internal auditing
• Internal audit’s opinions
• Audit planning
• The individual audit
• The periodic summary report
08/06/2019 4

5. Internal Auditing
08/06/2019 5

6. The organization
It has ‘stakeholders’ – people who
are interested in what it
delivers.
They may be investors, owners, suppliers,
customers, employees.
08/06/2019 6

7. The organization
It has a governing board – people
who are responsible for
delivering what the stakeholders
want.
They may be directors, trustees, partners.
08/06/2019 7

8. The organization
So stakeholders have objectives
which they expect the governing
board to deliver.
These objectives may be to increase profits,
deliver food to famine areas or recruit more
students.
08/06/2019 8

9. The objectives
Unfortunately the achievement of
these objectives is threatened by
circumstances called risks.
These risks may be: competitors launching new
products, floods destroying roads or poor exam
results.
08/06/2019 9

10. The objectives
These risks require responses to
mitigate them to a level which
should enable the objectives to
be achieved.
This risk level is known as the ‘risk appetite’ of
the organization.
08/06/2019 10

11. The responses
The responses (controls) to mitigate risks are:
• Terminate the operation causing the risk (stop
manufacturing a dangerous product).
• Transfer the risk (insure against the risk, such as a fire).
• Treat the risk by having processes to reduce them (known as
‘internal controls’)
• Tolerate the risk if it is too expensive to use one of the
above responses - but have a contingency plan.
08/06/2019 11

12. The responsibilities
Who has the responsibility for:
• Objectives? The stakeholders and governing board specify
the objectives.
• Risks? The governing board and management identify the
risks hindering the achievement of the objectives.
• Responses? The governing board and management decide on
the responses to be taken to reduce the risks to a level they
consider acceptable.
We can refer to the above processes as the internal control
framework.
08/06/2019 12

13. The worries
How do the stakeholders and
governing board know that their
objectives will be achieved
because the responses are
sufficient and operating?
08/06/2019 13

14. Internal audit
Their worries are much reduced
because the organization has an
08/06/2019 14

15. Internal auditing
So what is the purpose of internal auditing?
Internal auditing provides an independent
and rational opinion to an organization as
to whether it is likely to achieve its
objectives, based on the management of
opportunities and risks.
This can be called, ‘Objective focused internal auditing’.
08/06/2019 15

16. Internal auditing
The main aim of internal auditing is to
assist the organization to achieve its
objectives
The management
of an organization
have
Objectives
An internal control
is a process which
manages a risk
Internal auditing
provides an independent and rational opinion to an
organization as to whether it is likely to achieve its
objectives, based on the management of opportunities
and risks.
.
A risk is a set of circumstances that
hinder the achievement of an objective
08/06/2019 16

17. The opinion
What opinion does the internal audit department provide?
It provides an answer to the question:
Will the organization achieve its
objectives because risks are being
managed to acceptable levels?
What does it need to answer this question?...
08/06/2019 17

18. The opinion
In order to come to its opinion about the
management of risks, internal audit needs to be
sure that management:
– Have implemented controls to bring the risks to below
the risk appetite.
– Have therefore identified the risks which require
controls.
– Have specified the objectives which are threatened by
the risks.
08/06/2019 18

19. The opinions
• Internal audit has therefore to assess the organization’s internal
control framework:
– Has the governing body and management established clear objectives?
– Have managers been trained to identify and assess risks?
– Have controls been implemented to reduce these risks to a level considered acceptable by
the governing body?
• Based on the answers to these, and other, questions internal audit can
decide on whether to plan audits based on the organization’s risk
assessment.
• If it can’t plan audits because risks have not been identified and assessed,
it needs to consult the governing body for guidance.
08/06/2019 19

20. The audit plan
• If internal audit can plan, it will identify audits required based on
the assessed risks and discuss this plan with management.
• This plan will be updated when management identify emerging
risks.
• The audits in the plan should provide the governing body with the
overall opinion they need to report on the adequacy of risk
management to their stakeholders.
• The internal audit plan will therefore cover all functions within an
organization.
08/06/2019 20

21. The individual audit
• The plan consists of individual audits which will:
– Deliver an opinion on whether particular objectives are likely to be achieved.
– Be based on work to examine whether
• Management has established a proper internal control framework in the functions delivering the
objectives.
• Controls mitigating the risks which threaten the objective(s) are sufficient and operating.
– Check that action is being taken to ensure the objectives will be achieved.
• Audit work will:
– Check that objectives have been specified and risks identified and assessed.
– Check that controls are sufficient and operating to bring these risks to within
the organization’s risk appetite.
08/06/2019 21

22. The individual audit
• The stages of the audit will be:
– Planning the audit.
– Obtaining information about the functions/departments involved.
– Agreeing the scope of the audit with management.
– Introducing the audit to all the staff likely to be involved.
– Checking the internal control framework established by management.
– Documenting the objectives, risks and controls, using the internal control framework as a basis.
– Testing that the internal controls are sufficient and operating.
– Discussing the findings with management.
– Issuing a draft report for discussion which gives an opinion as to whether the objective(s) of the
functions/departments being audited are likely to be achieved. (if the objectives are not likely to be
achieved because some risks are above the risk appetite, the opinions on the next slide will be given).
– Issuing the final report to management and senior management, as appropriate.
08/06/2019 22

23. The individual audit
If the objectives are not likely to be achieved
because some risks are above the risk appetite the
individual audit opinion will answer the questions:
• Has management established a proper internal control framework? That is:
– specified their objectives?
– identified the risks threatening these objectives?
– established controls which should reduce the risks to acceptable levels?
• Are these controls sufficient and operating to bring the risks to below the
risk appetite and ensure the achievement of the related objective?
• Where necessary, is action being taken which will bring the risks to below
the risk appetite and ensure the achievement of the objective?
08/06/2019 23

24. Periodic summary report
The internal audit department will issue summary reports
from individual audits giving opinions on whether:
• Objectives are being achieved.
• The risks above the board's risk appetite (‘significant’ risks) have been identified,
evaluated and managed.
• The internal control framework has been effective in managing the significant
risks, having regard, in particular, to any major deficiencies in internal control that
have been reported.
• Necessary actions are being taken promptly to remedy any major deficiencies.
• Whether the audit plan, agreed with the audit committee at the start of the year,
has been achieved. If it has not, why not. (If the report is an interim one, the
progress towards achieving the plan).
08/06/2019 24

25. Internal auditing
(Further information from www.internalaudit.biz)
08/06/2019 25