INTERNAL AUDITING:

WHAT'S THE LATEST?

Lilian S. Linsangan,

CPA, CIA, CCSA, CFE

Internal Auditing - Evolution

What precipitated it?

Globalization of
Business

Internal Auditing - Evolution

Growing Complexity of Business

Internal Auditing

Evolution

Manual

Computerized

Internal Auditing

Evolution

Internal Police/
Adversary

Valued Advisor
Partner

Internal Auditing

Definition
Internal Auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization's operations. It
helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control and governance processes

Internal Auditing

Definition
Internal Auditing is an independent, objective

assurance and consulting activity

designed to add value and improve an organization's
operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of
risk management, control and governance processes

Internal Auditing

Nature of Activity

Objective
ASSURANCE
* an objective examination of
evidence for the purpose of
providing an independent
assessment of governance, risk
management, and control
processes

CONSULTING
* Objective advisory,
facilitative, and training
activities, the nature and scope
of which are agreed to with the
customer, intended to improve
governance, risk management,
and control processes.

Paul J. Sobel, Blended Engagements

Internal Auditing

Assurance vs Consulting
Primary aim of
the engagement

Who
determines
the nature
and scope

ASSURANCE
* To provide an
independent assessment
based on examination of
evidence
CONSULTING
* To provide and
independent advice,
facilitation, or training
services at the request of
the customer

ASSURANCE
* Internal audit
function determines
the nature and scope
of the engagement
CONSULTING
* The customer and
the IA function agree
on the nature and
scope of the
engagement

Parties
involved
ASSURANCE
* The process
owner, the IA
function, the users
of the assessment
CONSULTING
* The customer
and the IA function

Internal Auditing

Assurance vs Consulting

The challenge
is . . . . . striking
a balance and
making a
paradigm shift.

Internal Auditing

Definition
Internal Auditing is an independent, objective assurance
and consulting activity designed to add value and
improve an organization's operations. It helps an
organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and
improve the effectiveness of risk

management,
control and governance processes

Internal Auditing

Coverage
Governance

Assurance
Risk
Management

Internal
Audit
Consulting

Controls

Internal Auditing on Governance

Assess & make recommendations for improving the

governance process in its accomplishments of the
following objectives (IIA-PS 2110)

Promoting appropriate ethics and values within the

organization
Ensuring effective organizational performance management
and accountability
Communicating risk and control information to appropriate
areas of the organization
Coordinating the activities of and communicating
information among the board, external and internal
auditors, and management

Internal Auditing on Governance

Evaluate the design, implementation and

effectiveness of the organization's ethics-related
objectives, programs and activities (2110.A1)
Assess whether the information technology
governance of the organization supports the
organization's strategies and objectives (2110.A2)

Internal Auditing on Risk Management

Evaluate the effectiveness and contribute to the

improvement of risk management processes (2120)
Interpretation):

Organizational objectives support and are aligned with the

organization's mission
Significant risks are identified and assessed
Appropriate risk responses are selected that align risk with
the organization's risk appetite
Relevant risk information is captured and communicated in a
timely manner across the organization, enabling staff,
management and the board to carry out their responsibilities

Internal Auditing on Risk Management

Evaluate risk exposures relating to the

organization's governance, operations, and
information systems regarding the (2120.A1):
Reliability and integrity of financial and operational
information
Effectiveness and efficiency of operations and
programs
Safeguarding of assets
Compliance with laws, regulations, policies, procedures
and contracts

Internal Auditing on Risk Management

Evaluate the potential for the occurrence of fraud

and how the organization manages fraud risk
(2120.A2)

Address risk consistent with the engagement's

objectives and be alert to the existence of other
significant risks (2120.C1)
Incorporate knowledge of risks gained from consulting
engagements into their evaluation of the
organization's RM processes (2120.C2)

Internal Auditing on Risk Management

Objective assurance on the following areas:

Risk management processes, both their
design and how well they are working
Process

Management

Assessment
&
Reporting

Management of those risks classified as

"key", Including the effectiveness of the
controls and other responses to them
Reliable and appropriate assessment of
risks and reporting of risk and controls
status
IIA ERM PP
January 2009

Internal Auditing on Risk Management

Consulting Role
Making available to management tools and
techniques used by internal auditing to analyze risks
and controls
Being a champion for introducing ERM into the organization,
leveraging its expertise in risk management and control
and its overall knowledge of the organization
Providing advice, facilitating workshops, coaching the organization
on risk and control and promoting the development of a common
language, framework and understanding
Acting as the central point for coordinating, monitoring
and reporting on risks

Supporting managers as they work to identify the best way to

mitigate a risk
IIA ERM PP
January 2009

Internal Auditing on Control

Must assist the organization in maintaining effective

controls by evaluating their effectiveness and
efficiency and by promoting continuous
improvement (2130)
Incorporate knowledge of controls gained from
consulting engagements into evaluation of the
organization's control processes.

Internal Auditing

Definition
Internal Auditing is an independent, objective
assurance and consulting activity designed to

add

value and improve an organization's

operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness
of risk management, control and governance
processes

Internal Auditing

Deliver Value

Assurance

Internal Auditing
Insight

Objectivity

IIARF - Insight: Delivering Value to Stakeholders

Internal Auditing

Insight the capacity to gain an accurate and

deep intuitive understanding of a person or thing
One of the key goals of the IA
function is to provide its
stakeholders with insights gleaned
while performing assessments, both
with respect to the implications of
those assessments and providing
recommendations

IIARF - Insight: Delivering Value to Stakeholders

Internal Auditing

Evolution

Internal Police/
Adversary

Valued Advisor
Partner

2010 Global IA Survey

What it is all about

2010 Global IA Survey

Most comprehensive study ever to capture the

current perspective and opinions from a large cross
section of IA stakeholders about internal auditing
worldwide
13,500 usable responses
107 countries

2010 Global IA Survey

REPORTS:
1.
Characteristics of an Internal Audit Activity
2.
Core Competencies for Today's Internal Auditors
3.
Measuring Internal Audit Value
4.
What's Next for Internal Auditing
5.
Imperatives for Change: The IIA's Global
Internal Audit Survey in Action

2010 Global IA Survey

Characteristics of Internal Audit

2010 Global IA Survey

Characteristics of the Internal Audit Population:

30% are in the age group of 26 36, compared with
11% in 2006
2/3 male; 1/3 female
Increasing % of IAs obtaining master's/graduate or
doctoral degrees
Increasing % of those with IA majors
50%+ of IA units get their staff from within,
followed by employment agencies and referrals from
professional affiliates

2010 Global IA Survey

Characteristics of the Internal Audit Population:

IA units rely on outsourcing or co-sourcing to
compensate for missing skills in the IA activity
Approx. 50% will recruit more staff during the next 5
years; others will maintain current staffing level
Most CAEs report either to CEO or Audit Committee;
highest % reporting to AC was in Middle East, US &
Canada, and Latin America

2010 Global IA Survey

Characteristics of the Internal Audit Population:

In the next 5 years, focus of IA activities will be:

Corporate

governance

ERM
Strategic

reviews
Ethics audit
Migration to IFRS

2010 Global IA Survey

Characteristics of the Internal Audit Population:

In the next 5 years, IA will give lesser emphasis on:

Operational

and compliance audits

Financial risks
Fraud investigation
Evaluation of internal controls

2010 Global IA Survey

Core Competencies for Today's
Internal Auditors

2010 Global Survey

Core Competencies Common at all levels

Communications skills (including oral, written, report
writing and presentation)
Problem identification and solution skills (including core,
conceptual and analytical thinking)
Keeping up to date with industry and regulatory
changes and professional standards.

2010 Global Survey

Incremental Core Competencies

IA Staff
Accounting

frameworks, tools and techniques

IT/ICT frameworks, tools and techniques

Management
Organizational

skills, including project and time management

Conflict resolution and negotiation skills

CAE
Ability

to promote the value of IA function within the organization

Conflict resolution and negotiation skills

2010 Global IA Survey

Core competencies

Behavioral
Confidentiality
Communication

Skills

Technical
Understanding

business
Risk analysis & control assessment techniques

Knowledge
Auditing
Internal

audit standards

2010 Global IA Survey

Measuring Internal Auditing's Value

2010 Global IA Survey

Most respondents believe IA add value; objectivity

and independence as the major driver
While most respondents view IA as contributing to
controls; they do not have the same view for risk
management & governance
Declining trend in outsourcing

2010 Global IA Survey

Most important factors to the perceived contribution

of IA activity
Appropriate access to AC
Independence; functioning without coercion to change
or withdraw audit findings
More use of audit tools or technology in typical audit
engagements

2010 Global IA Survey

Measurement methods frequently used:

% of audit plan completed
Acceptance and implementation of recommendations
Surveys/feedback from board/AC/management
Surveys/feedback from auditee
Reliance by external auditors on the IA activity
Assurance of sound risk management

2010 Global IA Survey

What's Next for Internal Auditing

2010 Global IA Survey

Clear convergence of the governance and controls

context of IA activity
Role in risk management and governance will
continue to increase:
Training AC members
Advisory role in strategy development
Education role for the organization's personnel

2010 Global IA Survey

Top 5 activities performed in 2010

Operational auditing (89%)
Audit of compliance with regulatory code, including
privacy requirements (75%)
Auditing financial risks (72%)
Investigations of fraud and irregularities (71%)
Evaluating the effectiveness of control framework (i.e.
COSO and COBIT) (69%)

2010 Global IA Survey

Top seven (7) activities expected to be performed

in the next 5 years:
Corporate governance reviews (23%)
Audits of ERM processes (20%)
Reviews addressing linkage of strategy and
performance (20%)
Ethics audit (19%)
Social and sustainability audits (19%)
Migration to IFRS (19%)
Disaster recovery testing and support (18%)

2010 Global IA Survey

Top five (5) audit tools and techniques predicted to

be used more in the next 5 years:
CAATs (63%)
Electronic workpapers (55%)
Continuous / Real-time Auditing (54%)
Data Mining (52%)
Risk-based Audit Planning (52%)

2010 Global IA Survey

Imperatives for Change:
The IIA's Global Internal Audit Survey in
Action

2010 Global IA Survey

Ten (10) Imperatives for Change
Group 1 Emphasize Risk Management &
Governance
1. Sharpen your focus on risk management and
governance
2. Conduct a more responsive and flexible risk-based
audit plan

2010 Global IA Survey

Ten (10) Imperatives for Change
Group II Address Key Stakeholder Priorities
3. Develop a strategic vision for IA
4. Focus, monitor and report on IA's value
5. Strengthen Audit Committee communications
and
relationships
6. View compliance with IIA's International Standards
for the Professional Practice of
Internal Auditing as
mandatory, not optional

2010 Global IA Survey

Ten (10) Imperatives for Change
Group III Optimize Internal Audit Resources
7. Acquire and develop top talent
8. Enhance training for internal audit activities
9. Take advantage of expanding service provider
membership

Group IV Leverage Technology Effectively

10. Step up use of audit technology and tools.

Internal Auditing

What does it mean for

IAs?

Internal Auditing

....

presents significant

challenges

Internal Auditing

. . . .but,

at the same time offers a lot of

opportunities for career and

personal advancement

Internal Auditing

Developments in 2012

New IPPF Standards

Internal Auditing

New IPPF Standards

Effective January 1, 2013
Changes:
Applicability

to individual auditors
Explicitly including in the interpretation of Standard
1110 - Organizational Independence that functional
reporting to the Board include:
Approving the

IA budget & resource plan

Approving the remuneration of the CAE

Internal Auditing

New IPPF Standards

Changes (cont.):
Including

in the interpretation of Standard 2010

Planning that:
In

the absence of a RM framework, the CAE uses his/her

own judgment after consideration of input from senior
management & the board.
The CAE must review & adjust the plan in response to
changes in organizations business, risks, operations,
programs, systems & controls

Internal Auditing

New IPPF Standards

Changes (cont.):
2120

Risk Management & 2130 Control

Inclusion

of "Achievement of the organization's strategic

objectives" among the objectives of RM & IC, along with:
Reliability and integrity of financial and operational
information;
Effectiveness and efficiency of operations and
programs;
Safeguarding of assets; and
Compliance with laws, regulations, policies,
procedures, and contracts.

Internal Auditing

New IPPF Standards

Changes (cont.):
2201

Planning Considerations inclusion of

"governance" among the activities that must be
covered in planning
2210 Engagement Objectives inclusion of
"governance & risk management" (along with
control) in the areas for which adequate evaluation
criteria must be established.

Internal Auditing

New IPPF Standards

Changes (cont.):
2440

- Disseminating Results the interpretation

clearly indicated that the CAE retains the
responsibility for the report even if he/she delegates
the signing of the report.
2600 "Resolution of Senior Management's
Acceptance of Risks" changed to "Communicating
the Acceptance of Risks"

Interpretation It is not the CAE's responsibility to resolve the

risks

Internal Auditing

New IPPF Standards

Changes (cont.):
Glossary:

Board - The highest level of governing body charged with the

responsibility to direct and/or oversee the activities and
management of the organization. Typically, this includes an
independent group of directors (e.g., a board of directors, a
supervisory board, or a board of governors or trustees). If such a
group does not exist, the board may refer to the head of the
organization. Board may refer to an audit committee to which
the governing body has delegated certain functions.

New IPPF Guidance

Internal Auditing

New IPPF Guidance

Assessing Organization Governance in the Private
Sector
Developing Internal Audit Strategic Plan
Auditing Privacy Risks
Integrated Auditing
Evaluating Ethics-related Programs & Activities
Coordinating Risk Management & Assurance
Quality Assurance and Improvement Program

Internal Auditing

New IPPF Guidance (technology related)

GTAG 17 Auditing IT Governance
GTAG 7 Information Technology Outsourcing
GTAG 2 Change and Patch Management Controls:
Critical for Organizational Success
GTAG 1 Information Technology Risk and Controls

New Practice Advisory

2320-2 Root Cause Analysis

Internal Auditing

Public Sector Supplementary Guidance

Public Sector Definition

The Role of Auditing in Public Sector Governance
Value Proposition of Internal Audit and the Internal Audit
Capability Model
Implementing a New Internal Audit Function in the Public
Sector
IIA Standards/GAGAS, a Comparison
Optimizing Public Sector Audit Activities
Model Legislation (coming soon)
Transparency in Public Sector Reporting (coming soon)

New Syllabus for CIA

Internal Auditing

New Syllabus for CIA

To be launched in mid 2013
Realign content from the current four-part exam
to a three-part exam
Removed certain topics
Introduced new topics
Changed knowledge level on certain topics
"A"

- Awareness
"P" - Proficiency

Internal Auditing

New Syllabus for CIA

Significant Additions:

Build and maintain networking with other organization

executives and the audit committee (P)
Educate senior management and the board on best
practices in governance, risk management, control and
compliance (P)
Assess the adequacy of the performance measurement
system, achievement of corporate objective (A)

Internal Auditing

New Syllabus for CIA

Significant Additions:

Report on the effectiveness of the internal control and

risk management frameworks (P)
Plan engagement to assure identification of key risks and
controls (P)
Nurture instrumental relations, build bonds, and work
with others toward shared goals (P)
Environmental and social safeguards (A)
Corporate social responsibility (A)

Internal Auditing

New Syllabus for CIA

Significant Additions:

Outsourcing business process (A)

Stakeholder relationships (A)
Organizational theory (structure and configuration) (A)
Lead, inspire, mentor, and guide people, building
organizational commitment and entrepreneurial
orientation (A)
Create group synergy in pursuing collective goals. (A)

Whats Happening @ the Local Front?

IIA - Philippines

Internal Auditing
Develop IA Resources
Building Block Framework
Developmental
Courses

Business Analysis

Technical
Courses

Information
Technology &
Security

Foundation
Courses

Audit process

Leadership &
Management

Special Topics
& Integration

Fraud

Assurance &
Consulting

Audit
Communication

Ethics,
Governance &
Risks

Internal Auditing

Foundation Courses

Internal
Auditing

* Internal
Auditing theory
* Operations
audit
* Engagements &
practice
*Problem-solving
and decisionmaking

Audit
Communication

Ethics,
Governance
& Risks

*Communicating
audit results
* Specialized
communication
skills
* Presentation
skills

* Ethics, social
responsibility &
governance
* Risk
management,
controls and
methodology

Internal Auditing

Technical Courses
Information
Technology
& Security

* Information
systems auditing
* Advance IT
audit
* Information
Security and
Technology

Fraud

Assurance &
Consulting

* Fraud
examination
* Forensic
accounting and
fraud
investigation
* Law
criminology &
ethics

* Assurance
and consulting,
skills &
attitudes

Internal Auditing

Developmental Courses
Business
Analysis

* Operations
management
* Financial
Analysis &
Finance
*Managerial
Accounting

Leadership &
Management

* Strategic mgt.
* Global business
environment
* HR & organization
behavior
* Dynamics of
management &
leadership

Special Topics
& Integration
Courses
* Control Self
Assessment
* Quality
Assurance
Review
*CIA Review
Course

Internal Auditing

Certifications

Integration

CFSA
CCSA

CIA

CISA
CFE
CISM
etc.

Internal Auditing
Integration through Collaboration

IIA-P
ACFEP

ISACA
IT, AUDIT
& FRAUD
SUMMIT

Internal Auditing Course

FEU Bachelor of Science in Business Administration

Major in Internal Auditing
Since

2006 (BSC- major in Internal Auditing)

USC Masters of Arts in Internal Auditing

Since

2004

Internal Auditing

The world is in your

hands, now it is up to
you to decide how you
use it.

END OF PRESENTATION