INTERNAL AUDIT PRINCIPLES
1 DEFINITIONS
The Institute of Internal Auditors (IIA) defines internal auditing as:
“Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.”
Internal audit can be divided at least into the following categories based on the audit
technique or objective:
Systems based audit refers to an in-depth evaluation of the internal control system with
the objective of assessing the extent to which the controls are functioning effectively. It is
designed to assess the accuracy and completeness of financial statements, the legality and
regularity of underlying transactions and the economy, efficiency and effectiveness of
operations. A systems based audit should be followed up through substantive testing of a
number of transactions, account balances, etc. to determine whether the financial
statements of the auditee are accurate and complete, the underlying transactions legal and
regular and/or the criteria for economy, efficiency and effectiveness have been achieved.
Performance audit or Operational audit, which assesses whether the activity,
programme or body has been managed economically and/or efficiently and/or effectively.
A particular performance audit will not necessarily seek to reach conclusions about all three
aspects above: it should be clear from the audit objectives which of them need to be examined. When
carrying out audits of economy or efficiency, however, the auditor does need to make a
general consideration of the effectiveness of the audited entity: it may be better that the entity
does the right thing badly rather than doing the wrong thing well.
Financial or accounting audit, which evaluates the accuracy of the accounting and related
procedures and practices. It assesses the accuracy and completeness of the financial
statements of the activity, programme or body being audited; and/or evaluates whether the
transactions underlying the financial statements are legal and regular. However, according to
the definition of internal auditing, internal auditors mainly evaluate the system of
internal control. Therefore the internal auditors’ primary interest is not the accounting as such, but
rather the controls which ensure the quality of accounting information and financial
reporting.
Compliance audit, which evaluates how well the organisation conforms to and
complies with relevant policies, plans, procedures, laws, regulations, and contracts.
Usually all audits include a compliance element, because the auditor uses the laws,
policies and regulations as a yardstick to measure the performance of the organisation.
Therefore these guidelines do not contain a separate section for compliance audit; the
aspect is instead included in all the audit instructions later in these guidelines.
Anders Jansson 1(13)
www.mapsec.com
2 INTERNAL AUDIT CHARTER
The internal audit unit is an integral part of the organisation and functions under the
policies established by top management. The statement of purpose, authority and
responsibility (charter) for the internal audit unit, approved by top management, should be
consistent with the Standards for the Professional Practice of Internal Auditing. An
example model of the charter is in appendix 1.
2.1 Organisational status of internal audit
Internal audit can be successful only if it has the full support of the top management.
Internal auditors are inter-organisation consultants who do not have the authority to give
orders about what is to be done and how. The management always bears the responsibility to
implement the recommendations. Should they decide not to act in accordance with the
recommendations, they are liable for the consequences.
This means that the recommendations have to be good and saleable to the management.
They have to be well grounded and reasonable, and definitely designed to improve the
operations in question.
In most cases, the internal audit unit reports to the Minister or Head of the institution.
In any case the internal audit should not work under the Financial Manager/Chief
Accountant, as many of the controls have to do with financial functions and, therefore,
difficult supervisor/employee situations resulting in conflicts may arise.
2.2 Mandate and authorisation of the auditors
As per the standards, the internal auditors have to have free access to the records, personnel
and physical properties of the employer. The mandate is to be expressed in the charter of
the internal audit unit and approved by the top management. Because it comes from the top
management, the mandate ensures proper working conditions for the internal auditors.
The objective of internal audit is to assist members of the organisation in the effective
discharge of their responsibilities. Therefore, internal audit furnishes them with analyses,
appraisals, recommendations, counsel and information concerning the activities reviewed.
The audit objective includes promoting effective control at reasonable cost.
Internal auditors do not have the authority to insist on or order any recommendation to be
implemented. They have no power over the activities audited; the responsible
managers have it at all times.
2.3 Internal audit and management
In order to be able to assist and support the management, the internal auditors must have
open communication lines with the top management. Continuous discussions (formal and
informal) must be held between the two parties. This is one of the ways for the auditors to
keep abreast of the latest developments in the organisation and to focus the audits on the
right things. The more information auditors have the better they can discharge their
duties.
At the same time, auditors can keep the management aware of their concerns and their duties,
and discuss any misunderstandings and/or faulty expectations that the management may
have as to the auditors’ duties and responsibilities.
Management's expectations of, and satisfaction with, the work performed should be
inquired into periodically so that faulty expectations do not give rise to dissatisfaction
with the services of the internal auditors.
At its best, the relationship with the management is interactive and the auditors are used
as consultants, teachers, trainers, mentors and sounding boards. They are the specialists
in internal controls, security matters and quality issues, whose knowledge is appreciated not
only by the top management but by the entire organisation.
The ways for the internal auditors to reach this position are varied: professional high-
quality work, meaningful recommendations which add value to the organisation,
professional certifications, integrity and ethical behaviour as well as persistence in
performing and following up audits.
It also requires a profound understanding of different management styles, the concerns of the
management, personnel issues and accessibility to the management, and the ability to locate real
and potential problems in the organisation's environment and to offer feasible solutions to
them.
When we talk about inter-organisation training we do not only mean training of the staff
but also of the management. Internal auditors must possess the knowledge and ability to
teach the management the latest status of, and thinking on, internal controls, and to keep the
management aware and informed about potential fraud within the organisation.
2.4 Confidentiality of audit information
Internal auditors frequently have access to information which may be considered sensitive
from a commercial, political or security point of view. The internal audit department and its
personnel must exercise due professional care to ensure that such information is properly
safeguarded and thus should establish procedures and controls to assure the physical security
of working papers. Similarly, it is normal to treat working papers, communications with
audited entities and draft reports as confidential documents until recognised and established
procedures for their release have been followed.
3 THE RELATIONSHIP BETWEEN INTERNAL AND EXTERNAL AUDIT
3.1 The role of the external auditors
External auditors seek to obtain sufficient evidence to support an opinion on the overall
fairness of the financial statements and accounting. Their perspective is therefore mainly
backward-looking: what happened last year. The internal audit, on the other hand, is mainly
interested in the situation now and in the future.
External auditors also need to evaluate the system of internal control. However, external
auditors are mainly interested in internal controls only insofar as they concern the financial
statements and accounting.
Another main difference between internal and external auditors is their line of reporting
and responsibility. Internal audit works for the top management of the organisation
whereas external auditors work for the stakeholders and, to some extent, for the authorities.
The main objective of internal audit is to evaluate the established and implemented financial
systems, i.e. the procedures which are used in preparing, accounting for and presenting reliable
information on financial transactions.
That is why it can be said that the main objective of an external auditor is
to confirm that the final result (the sum) is correct, whilst the main objective of an internal
auditor is to confirm that the procedures used as a basis to reach the end result are correct.
The majority of external audit objectives coincide with internal audit objectives and
goals; quite often similar or identical procedures and methods are even used for identifying the audit
environment, selecting evidence and auditing.
3.2 Co-operation between internal and external auditors
To use the resources efficiently, it is necessary to co-ordinate the audit work. The director
of internal audit should coordinate internal and external audit work to avoid duplication
of work and to enhance the use of one another's work.
Internal audit may participate in the work of the external auditors. This is recommended
because internal auditors naturally know the organisation in much more detail. External
auditors, on the other hand, have access, at least on request, to the internal audit reports.
That is why close relations between both audit organisations (services, institutions) are so important.
3.2.1 Introduction
The work of other auditors and experts can be used in three ways in the context of the
internal audits:
• At the task planning stage, reports prepared by other auditors and experts may
provide the auditor with information about potential strengths and weaknesses in
systems of control and about any history of serious errors that have arisen in the
audit field.
• During the testing stage, the work of other auditors and experts can be used to provide
a part of the audit evidence deemed necessary to achieve the audit objectives. By
using the work of other auditors, it may be possible to reduce the amount of work
undertaken by the internal audit and thus release resources for other audit tasks.
• At the end of the audit, the reports of other auditors and experts can provide
information to corroborate or cast doubt upon the findings obtained or preliminary
conclusions that the auditor has reached on the basis of the evidence gathered during
the audit testing stage.
External auditors are often in a position to rely upon the work of internal auditors and
thus reduce the amount of detailed testing that they themselves have to undertake. Such
reliance often requires planning and close cooperation before or at the earliest stages of
the audit. Thus, if any preliminary assessment of internal auditing is positive, the external
auditors have the opportunity to consider and discuss with the internal auditor the extent
to which the internal auditing work programme might be adapted to better take account of
the needs of external audit. This may both minimise duplication of effort and maximise
the scope for the external audit to use the work of internal auditing.
3.2.2 Using the work of others at the planning stage
The work of other auditors and experts can be useful to the auditor at the planning stage.
However, caution must be exercised in its use. Whilst the auditor may, as part of the
planning process, take account of any available reports of other auditors and experts,
he/she will always need to consider the reliability and appropriateness of these reports
before determining their influence upon the audit testing to be carried out. This involves
ensuring that the other auditor or expert that carried out the work was independent of the
audited entity or activity and was objective in carrying out the work. In addition, the
auditor needs to consider whether the objectives of the work and methods used by the
other auditor coincide sufficiently closely with those for the audit task, whether the
conclusions reached by the other auditor or expert were based upon sufficient evidence
and whether the other auditor or expert concerned was professionally and technically
competent.
3.2.3 Using the work of others at the end of the audit
When the work of other auditors or experts corroborates the findings obtained or
conclusions reached by the external auditor’s audit, then the auditor concerned can draw
some comfort from that fact. However, this comfort is additional to, and cannot take the place
of, the competent, reasonable and relevant evidence that the auditor must obtain to
achieve the objectives of the audit.
When there is a discrepancy between the findings or conclusions arising from an internal
audit and those presented in the report of another auditor or expert, this may
point to a weakness either in the work carried out by the internal auditor or in that done by
the other auditor or expert. Alternatively, an apparent discrepancy may arise because the
objectives of the two pieces of work were different. As far as is possible and cost-
effective, the auditor needs to:
• investigate the cause of any such discrepancy;
• reconsider whether the analysis and interpretation of the audit evidence obtained
was adequate and reasonable.
3.2.4 Obtaining audit evidence from the work of other auditors
External auditors can use the work of internal auditors to obtain part of the audit evidence
that is necessary to achieve the objectives of the audit task. The aims of so doing are to
reduce the external auditor’s staff resources that are necessary to carry out the audit task,
to avoid unnecessary duplication of audit work and to minimise disruption imposed upon
the audited entity.
When using the work of another auditor or expert, it is important to consider carefully
whether:
• there is adequate knowledge of the audit field to be able to make an informed
assessment of the impact of the work of the other auditor or expert;
• the other auditor or expert has the required professional competence in the context of
the specific assignment;
• the work of the other auditor or expert is adequate and the working methods are
suitable for the purposes in the context of the objectives of the audit task concerned.
4 REPORTING
Immediate action should be taken on major, critical risks and such risks should be
reported as soon as they become apparent. Verbal communication during the audit
should be used in order to keep the auditees aware of the development of the audit, and
any minor issues should be dealt with immediately. If they warrant a mention in the
final audit report, it may be done with reference to their having already been settled.
In some cases a written interim memorandum may be issued, especially if the audit
takes a long time and there are issues which should be referred to the responsible
management for immediate action.
The final audit report has to be presented in writing and signed by the responsible
auditor. Before the final report is issued, the findings and recommendations should be
discussed with the auditees in a closing conference. This is to avoid any
misunderstanding and mistakes in the report and to agree on the timing for the
implementation of recommendations.
The language in the audit reports should be
• objective (factual, unbiased and free from distortion and without prejudice),
• clear (understandable and logical),
• concise (come to the point and avoid unnecessary detail),
• constructive (their tone and content help the auditees and lead to improvement),
• timely (issued without delay).
Reports should be structured as follows:
• cover page (to hide the contents from any passer-by and to give a professional
look),
• index if the report is more than five (5) pages long,
• executive summary for the top management,
• detailed report and
• potential appendices.
The cover page gives the name of the auditee, the auditor/s, the recipients of the report
and the place of retention.
The executive summary has to be written in such a way that it forms a stand-alone
report. Its tone has to be addressed to the top management giving the background,
purpose and scope of the audit, an overall opinion of the auditee's operations and
internal controls, 3 to 5 major findings and recommendations with the auditee
management's response, if any.
The detailed findings are to be written in the following logical format, which is easy for the
reader to follow:
1. Criteria give the standards, measures, or expectations used in making an
evaluation and/or verification.
2. Condition is the factual state of matters that the auditor found in the course of
examination.
3. Cause gives the reason for the difference between the intended and the factual
conditions (why there is a difference).
4. Effect means what happens or what might happen as a result of the existing
condition.
5. Recommendation/s, i.e. what should be done to improve the situation.
It would be preferable if you, at the end of each finding/recommendation, could obtain
the responsible manager's statement of what he/she will do about the unsatisfactory
condition identified and recommended for improvement, and when.
4.1 Following up
No audit is finalised before you make the follow-up. You are to verify that something
is done based on your recommendations, or if the management takes the responsibility
of not doing anything, you have to check and document that as well.
You should give the auditee sufficient time to take corrective action. You should in
fact agree on the timing for the implementation with the auditee in the closing/exit
conference.
If there are no major recommendations, it is quite possible that you perform a follow-
up audit in three to five years' time when you audit the same function/unit.
Should there be major and critical changes needed, you may perform the follow-up
over the phone and ask (on a daily/weekly basis) for verification of the implementation of
the corrective action agreed on.
5 BUILDING UP AND UPDATING THE SKILLS OF INTERNAL AUDITORS
5.1 Personal requirements
The auditor:
• has to understand the business, at least the basics
• has to have good communication and negotiation skills
• has to have guts to disagree with “authorities”
• has to have imagination
• needs to be able to sell
• has to understand human behaviour and its differences
• has to be able to be diplomatic
• needs to have technical audit skills
• needs to have analytical skills
• needs to be able to find solutions and solve problems
• needs to be able to report clearly
• is absolutely unbiased.
Looking at the above list, which only contains some requirements for an auditor, one can
see that the task is not that easy after all.
5.2 Business requirements
The requirements become far more demanding when one considers how many different kinds of
business and other sectors there are in any modern organisation. The internal audit unit in
an organisation has to be able to audit at least:
• management
• administration
• organisational issues
• security
• information systems (PC’s, LANs, payment systems, systems development,
operation systems, applications, continuity, information security,…)
• and much more
No one in the world could master all those business issues and have all the useful
qualifications. But then no-one has to. Firstly, the second list is for the internal audit unit, not
for an individual auditor. Secondly, you do not have to master a business sector to be
able to audit it; auditors are, after all, mainly evaluating the internal controls.
Unless the internal audit consists of only one person, it is highly recommended to build
the organization so that all the main business areas are covered with a certain level of
expertise. The auditors should specialize in their own business sectors and improve their
understanding and abilities by continuous education, training and participation in business
activities (as an observer or consultant, of course).
5.3 Personal abilities
Interpersonal skills are quite difficult to develop and improve. They include many
aspects that some people naturally have and some don’t. Development is not, however,
impossible, and in this case too nothing beats practice and experience. There are also
training programs for improving one's negotiation skills and behavioural abilities.
5.4 Planning, executing and reporting abilities
Every auditor obviously has to be able to conduct an entire audit. This means that he/she
has to have a thorough understanding of all of the audit phases, their significance and the
standard requirements. Special emphasis has to be placed on the audit reporting, because
it is the visible outcome of the audit and affects the image not only of the auditor but of the
whole audit unit.
5.5 Technical audit abilities
Technical audit skills are much easier to study and improve. There is a lot of relevant
training material and publications available for auditing nearly anything. Also there is a
lot of formal training available.
There are numerous tools and audit techniques that an auditor can employ. The following list is not
exhaustive, but rather an indication of how complicated the issues we are dealing with are.
An auditor can use the following techniques:
• Risk assessment: this is a must for everyone, because risk is the most important
factor in deciding the audit objects.
• Flowcharting for analyzing operations for efficiency and control.
• Internal control questionnaires as a means of revealing information about the
function to be surveyed and ultimately audited. NB: just asking questions is
not auditing; the answers need to be verified.
• Different kinds of statistical methods, like sampling.
• Using information systems to analyze the data files.
• Using technical tools to analyze the information systems, i.e. performing IS
audits.
• Etc., etc.
5.6 Training
There are several different ways of training and studying internal auditing ranging from
formal classroom education through work-shop training to on-the-job training.
All the auditors need to have enough time for continuous training. This need is
recognized e.g. by the IIA and ISACA, which require all certified internal or
information systems auditors to have forty hours of professional training every year to
retain the certification. And these forty hours are an absolute minimum even to retain
professional ability; improving it requires much more.
The top management and the audit management especially have the main responsibility in
ensuring that all the auditors have enough opportunities to develop their skills.
5.7 Training program
There should be a training program tailored for every new auditor. The purpose is to
orient the new member to the environment and to guide him/her through the
administrative and technical matters. The amount of professional training depends on the
abilities of the person.
Also all the existing auditors have to have a training program, which includes enough
time and other resources for annual training. This is to ensure that the expertise will
remain in the changing environment.
5.8 On-the-job training
One very efficient training method is on-the-job training, where a more experienced
auditor or specialist in some business sector trains a less experienced colleague. This
method should also be used during the orientation of a new auditor.
Also the working principle that auditors work in pairs usually improves the abilities of
both of the auditors.
5.9 Staff meetings and reviews
Regular staff meetings are very useful also for training purposes. When the acute audit
issues are discussed, everyone will benefit from the experience of others. The system,
where the work performed by some auditor is reviewed by someone else, also works as a
training vehicle and of course improves the quality of work.
APPENDIX 1: CHARTER OF INTERNAL AUDIT
Mission
The internal audit supports effective and efficient discharging of the guiding and
monitoring duties of the organization’s management by producing assurance services for
its internal customers relating to governance, control and risk management processes.
The internal audit brings added value and promotes achievement of the set goals by
giving improvement recommendations, producing objective and independent information
and by training supervisors and employees in understanding and application of
monitoring processes and self-assessment of business and other activities within the
organisation.
The internal audit sets its own objectives and performs its duties so that the values of the
organisation are included in them and so that these values also guide the work of the
auditors. The internal auditors function as partners of the other organizational parts and
work as experts in different teams (especially development teams) provided this does not
endanger their independence.
Purpose
The internal audit is one of the management’s control tools which, through its operations,
assists the entire organisation by examining and evaluating the adequacy and efficiency of
internal control, risk management, quality of operations and governance processes.
The internal audit furnishes the organisation with analyses, appraisals, recommendations,
counsel and information.
The purpose is to ascertain that the internal control system, taking into account also
the information produced by the external auditors, functions so that the management can
be reasonably sure that the set objectives and goals will be achieved, the operations are
effective, reporting is reliable, assets are safeguarded and laws and regulations are
complied with.
Objectives
The objective is to verify that the internal control system functions efficiently,
economically and effectively in, e.g., the following areas:
1. Setting and achievement of objectives, and results
2. Risk analyses and management
3. Quality and continuous improvement of operations
4. Organizational functions
5. Reliability, adequacy and effectiveness of internal controls in respect of
reporting
6. Economical use of resources
7. Safeguarding of assets
8. Compliance with the decisions of the Board and rules and regulations
9. Compliance with laws, regulations by the supervisory authorities
The aim is to promote disciplined and proactive risk management, change management
and to assure positive monitoring as part of the overall management.
Responsibilities
In their work, the internal auditors apply the international standards for professional
practice of internal auditing, code of conduct of the IIA (The Institute of Internal
Auditors) and respective professional standards of the IS auditing (published by the
ISACA, Information Systems Audit and Control Association).
The annual audit plans have to be drawn up so that, with the resources available, the auditing
gives sufficient coverage and is based on risk analyses. In
individual cases auditing services and quality assurance review services may be bought
from professional outside service providers.
The internal auditors have to follow up the implementation of the recommendations and
their effectiveness in relation to managing the risks identified.
Confidentiality of information
The internal auditors have to use information received in their work with care and
wisdom. It may not be used to achieve personal gain or in a way that would damage the
organisation. All information is to be considered as confidential inside and outside the
organisation.
Responsibility of the management and of the personnel
Responsibility for an appropriate control system and its functionality lies with the top
management. The management and the entire personnel are responsible for practicing
internal controls.
The management is responsible for the due handling of internal audit reports in their
meetings. The responsible unit heads are to monitor the implementation of recommendations
within the agreed timetable. Should the management, within their authorisations, decide not
to implement the recommendations, they take the responsibility for their decision. The
internal audit will report to the Management board and the board of directors what it has
recommended, how the reports have been handled and what decisions have been taken.
Position
The internal audit is an independent function reporting to the general manager.
Scope of work and authorisations
In relation to other organizational parts, the internal audit has the right to negotiate, to
inform and to receive information, but no implementation rights.
The internal audit has the right to audit and to have access to all units and operations
within the organisation, all information independent of its format and filing, all physical
assets and also to oral information and explanations. The internal audit has read-only
access rights to all IT systems and system descriptions of the organisation. To exercise the
right to receive information, the head of the IA unit has the right to be present in top
management meetings.
Planning
The internal audit unit prepares its own work plan in accordance with the same process as
the other parts of the organisation. The top management will be informed about the plan.
The general manager approves the plan.
Reporting
As per your regulation.
Internal procedures
Will be prepared separately.