AFM 452: Internal Audit
Estimated study time: 21 minutes
Sources and References
Primary textbook:
- Anderson, U. L., Head, M. J., Mar, R., Ramamoorti, S., Riddle, C., & Salamasick, M. Internal Auditing: Assurance and Advisory Services, 5th ed. Internal Audit Foundation, 2021.
Supplementary:
- Institute of Internal Auditors (IIA). International Professional Practices Framework (IPPF). IIA, 2024.
- ISACA. COBIT 2019 Framework: Governance and Management Objectives. ISACA, 2018.
Online resources:
- IIA Global standards and practice guides (theiia.org)
- ISACA IT audit frameworks
- IIA’s Three Lines Model (2020)
- COSO Internal Control — Integrated Framework (2013)
Chapter 1: Introduction to Internal Auditing
1.1 What is Internal Auditing?
Internal auditing is an independent, objective assurance and consulting activity that adds value and helps an organization accomplish its objectives. It does this by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
This definition, drawn from the International Professional Practices Framework (IPPF), reveals several essential characteristics of internal auditing:
- Independence and objectivity: Internal auditors must maintain organizational and individual independence, free from biases or conflicts of interest that would impair their ability to provide unbiased assessments. Structural independence is achieved through a reporting line to the board (or its audit committee), rather than to management alone.
- Assurance and consulting: Internal audit plays a dual role. Assurance services involve objective examination of evidence to provide independent assessments. Consulting services are advisory in nature — helping management improve processes without the auditor taking on management responsibility.
- Systematic approach: Internal auditing is not ad hoc troubleshooting. It follows a structured methodology encompassing risk-based planning, fieldwork execution, documentation, and reporting.
- Focus on risk management, control, and governance: Internal audit addresses the three foundational pillars of organizational health — how risks are identified and managed, how controls are designed and operating, and how governance structures direct and oversee the organization.
1.2 Why Internal Audit Matters
The organizational value of internal audit extends well beyond compliance. Consider the range of stakeholders who benefit from an effective internal audit function:
- Board and audit committee: Receive independent assurance that management’s risk and control representations are accurate; early warning of emerging risks.
- Senior management: Gain objective insights into operational effectiveness and control gaps; support for achieving strategic objectives.
- External auditors: Internal audit can reduce external audit effort and cost when its work meets applicable quality standards.
- Regulators: Regulated industries (banking, insurance) expect robust internal audit functions as part of their supervisory frameworks.
- External stakeholders: Confidence that the organization is well-governed supports investor and creditor trust.
The shift in how internal audit is conceived — from a “policeman” finding faults to a “trusted advisor” helping the organization improve — reflects the evolution from a compliance-focused to a value-creation-focused function.
Chapter 2: The International Professional Practices Framework (IPPF)
2.1 Overview of the IPPF
The IPPF is the conceptual framework established by the Institute of Internal Auditors (IIA) that guides the global internal audit profession. The 2024 edition of the IPPF reorganized guidance into:
Mandatory guidance (conformance is required before an internal audit function may claim that its work conforms to IIA standards):
- Global Internal Audit Standards: Previously “Definition, Code of Ethics, and Standards” — these establish the requirements for conducting and governing internal audit work.
- Topical Requirements: Supplemental mandatory standards for specific topics (e.g., financial services, cybersecurity).
Recommended guidance (best practices that are strongly encouraged but not mandatory):
- Topical Guides: Practical guidance for specific types of audits or subject matters.
- Practice Guides: Detailed guidance for implementing standards.
- Global Perspectives and Insights: Thought leadership on emerging topics.
2.2 Core Principles of Internal Auditing
The 2024 Global Internal Audit Standards establish core principles reflecting expected professional conduct:
- Demonstrates Integrity: The internal auditor acts with honesty and courage — reporting findings even when politically inconvenient.
- Demonstrates Competence and Due Professional Care: Knowledge, skills, and experience proportionate to the engagement’s complexity; appropriate quality assurance over work.
- Is Objective and Free from Undue Influence: Structurally and behaviorally independent from management interference.
- Aligns with the Organization’s Strategies, Objectives, and Risks: The audit plan addresses the organization’s most significant risks and strategic priorities.
- Is Appropriately Positioned and Adequately Resourced: Sufficient budget, staff, and organizational access to fulfill the mandate.
- Demonstrates Quality and Continuous Improvement: Operates a quality assurance program; continuously updates skills and methodology.
- Communicates Effectively: Reports are clear, timely, accurate, and actionable.
- Provides Risk-Based Assurance: The audit plan and individual engagements are driven by risk.
- Is Insightful, Proactive, and Future-Focused: Goes beyond identifying past problems to anticipate emerging risks.
- Promotes Organizational Improvement: Drives meaningful change through recommendations and follow-up.
2.3 The Internal Audit Charter
The internal audit charter is a formal document that defines the purpose, authority, and responsibility of the internal audit function (IAF). It is approved by the board’s audit committee and sets out:
- The IAF’s organizational position and reporting relationships.
- Scope of internal audit activities (access to records, personnel, and properties).
- Authority to conduct engagements and communicate results.
- Independence and objectivity provisions.
- Relationship with external auditors.
The charter provides the IAF with the formal authority necessary to perform its functions effectively. Without a well-crafted charter, internal audit may face resistance to scope, limited access, or organizational ambiguity about its role.
Chapter 3: Governance and Internal Auditing
3.1 Governance Structures and Internal Audit Independence
Effective governance requires that internal audit maintains meaningful independence from the activities it reviews. This is achieved through:
Functional reporting to the audit committee: The CAE should have direct, unrestricted access to the audit committee chairman without management’s knowledge or presence. The audit committee approves the internal audit budget, the audit plan, and the appointment/removal of the CAE — insulating internal audit from management pressure.
Administrative reporting to senior management: Day-to-day administrative reporting (HR matters, budget administration) typically flows through the CEO or CFO. The critical distinction is that governance and oversight decisions rest with the board, not management.
Impairment of independence: Independence is impaired when internal auditors audit activities they were previously responsible for, when they perform management functions (e.g., implementing controls they recommended), or when management can restrict the audit plan or suppress unfavorable findings.
3.2 The IIA’s Three Lines Model
The IIA’s Three Lines Model (2020) — an evolution of the classic “Three Lines of Defense” — describes how governance and risk management responsibilities are distributed:
| Line | Who | Role |
|---|---|---|
| First Line | Business operations (management and staff) | Own and manage risks; operate controls |
| Second Line | Risk management, compliance, finance functions | Oversee risk management; challenge first line |
| Third Line | Internal audit | Provide independent assurance to governing body |
| Governing Body | Board/audit committee | Set objectives; hold management accountable |
A critical insight of the 2020 update is that all three lines serve the governing body (board), not just each other in a hierarchical chain. Internal audit provides assurance specifically to support the board’s governance oversight function.
3.3 Governance Attributes and Their Impact on Internal Audit
Strong governance structures enhance internal audit effectiveness:
- Board independence: Boards with genuinely independent directors are more likely to support a robust, adequately resourced internal audit function.
- Audit committee expertise: Audit committees with members who have relevant financial and operational expertise provide more effective oversight of internal audit work.
- Organizational culture: “Tone at the top” — management’s visible commitment to integrity and control — determines how receptively findings are received and how urgently recommendations are implemented.
- Transparency: Organizations with strong disclosure cultures are more likely to treat internal audit findings as improvement opportunities rather than threats.
Chapter 4: Risk Management and Internal Auditing
4.1 Background on Risk and Its Relationship to Internal Audit
Internal auditors must understand risk at multiple levels: organizational (enterprise-wide), process (business unit), and individual (transaction). Risk drives the allocation of audit resources — the audit plan prioritizes engagements where the risk of material control failures or objective non-achievement is highest.
Inherent risk represents the level of risk in the absence of any risk responses. Residual risk is what remains after management has implemented controls and other risk responses. Internal audit assesses whether residual risk is within the organization’s risk appetite — and whether management’s representation of residual risk is accurate.
4.2 Enterprise Risk Management (ERM) and Internal Audit
Internal audit supports ERM without taking ownership of it. This distinction is important: if internal audit assumes responsibility for managing risks, it compromises its independence to provide objective assurance over those same activities.
Internal audit’s appropriate roles in relation to ERM include:
- Providing assurance on the adequacy and effectiveness of the ERM process itself.
- Evaluating whether risk responses are appropriate relative to risk appetite.
- Assessing the completeness of the risk register (are significant risks missing?).
- Reporting on the status of significant risks to the audit committee.
Internal audit should not own the risk management process, make final decisions on risk responses, or take accountability for managing specific risks — these are management responsibilities.
4.3 How Risk Focus Differs by Engagement Type
Different types of internal audit engagements emphasize different risk dimensions:
Operational audits: Focus on the efficiency and effectiveness of business processes. Risk emphasis is on process controls, performance measurement, resource utilization, and compliance with internal policies. The auditor maps the process, identifies key risks within the process (where could things go wrong?), and tests whether controls adequately mitigate those risks.
Financial audits: Focus on the reliability of financial information. Risk emphasis aligns closely with financial statement assertions — existence, completeness, accuracy, cutoff, valuation, and presentation. Procedures mirror external audit methodology but serve internal purposes.
IT/IS audits: Focus on technology risks — system security, data integrity, availability, and confidentiality. The ISACA COBIT framework provides the primary reference for IT governance and control objectives. IT audit risks include unauthorized system access, inadequate disaster recovery, poor change management, and data quality issues.
Compliance audits: Assess adherence to applicable laws, regulations, internal policies, and contractual obligations. Risk emphasis is on legal and regulatory requirements that carry sanctions or reputational consequences for non-compliance.
Chapter 5: Information Technology Risks and Cybersecurity
5.1 The IT Risk Landscape
The pervasive role of information technology in organizational operations means that IT risks are embedded in virtually every business process internal audit examines. IT-specific risks include:
Cybersecurity risks: Unauthorized access to systems or data (breaches), denial-of-service attacks, ransomware, phishing, and insider threats. The financial, operational, and reputational consequences of cyber incidents have expanded dramatically as organizations store more sensitive data and rely more heavily on digital operations.
System availability and continuity risks: Systems that are unavailable during critical periods (peak transaction times, quarter-end financial close) can disrupt operations materially. Business continuity and disaster recovery planning become audit considerations.
Data integrity risks: Inaccurate, incomplete, or unauthorized modifications to data undermine the reliability of management information and financial reporting. Poor data quality can lead to incorrect decisions and, in financial reporting contexts, misstatements.
Change management risks: Inadequately controlled changes to IT systems (software updates, system configurations) can introduce errors or vulnerabilities. A robust change management process ensures changes are authorized, tested, and approved before implementation.
Access management risks: Excessive system access (users with permissions beyond their job requirements) enables both intentional fraud and inadvertent errors. Periodic access reviews and the principle of least privilege are key controls.
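The access-review control described above is easiest to understand as code. The following is an added example, not material from the course text or the textbook: it compares an entitlement export against a least-privilege baseline per job role, checks for terminated staff whose accounts remain enabled, and tests for segregation-of-duties conflicts. Every role name, entitlement, user and date is constructed for illustration.

```python
"""Periodic user-access review over a constructed entitlement export.

Added example (not from the course text). Flags access beyond the least-
privilege baseline for a user's role, accounts still enabled for terminated
staff, and segregation-of-duties conflicts. Every role, entitlement and user
here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed least-privilege baseline: the entitlements each job role needs.
ROLE_BASELINE = {
    "ap_clerk": {"ap.invoice.enter", "ap.vendor.view"},
    "ap_supervisor": {"ap.invoice.approve", "ap.vendor.view", "ap.payment.release"},
    "vendor_master": {"ap.vendor.create", "ap.vendor.edit", "ap.vendor.view"},
}

# Constructed segregation-of-duties rules: pairs no single user should hold.
SOD_CONFLICTS = [
    ("ap.vendor.create", "ap.payment.release"),   # create a vendor and pay it
    ("ap.invoice.enter", "ap.invoice.approve"),   # enter and approve the same invoice
]


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    enabled: bool
    termination_date: Optional[date] = None


def review_access(accounts: List[Account], review_date: date) -> List[Tuple[str, str, object]]:
    """Return (user, issue, detail) tuples for every access-review exception."""
    exceptions = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role, set())
        # Least privilege: anything beyond the role baseline is excess access.
        excess = acct.entitlements - baseline
        if excess:
            exceptions.append((acct.user, "excess_access", sorted(excess)))
        # Leaver control: terminated staff must not keep an enabled account.
        if acct.enabled and acct.termination_date and acct.termination_date <= review_date:
            exceptions.append((acct.user, "terminated_but_enabled",
                               acct.termination_date.isoformat()))
        # Segregation of duties: flag toxic combinations however they were granted.
        for a, b in SOD_CONFLICTS:
            if a in acct.entitlements and b in acct.entitlements:
                exceptions.append((acct.user, "sod_conflict", f"{a} + {b}"))
    return exceptions


# Constructed entitlement export as of the review date.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "ap_clerk", {"ap.invoice.enter", "ap.vendor.view"}, True),
    Account("asmith", "ap_clerk",
            {"ap.invoice.enter", "ap.invoice.approve", "ap.vendor.view"}, True),
    Account("bwong", "vendor_master",
            {"ap.vendor.create", "ap.vendor.edit", "ap.vendor.view", "ap.payment.release"}, True),
    Account("cmiller", "ap_supervisor",
            {"ap.invoice.approve", "ap.vendor.view", "ap.payment.release"}, True,
            termination_date=date(2024, 3, 31)),
]


def run_sample_review() -> List[Tuple[str, str, object]]:
    """Run the review over the constructed export as of 30 June 2024."""
    return review_access(SAMPLE_ACCOUNTS, date(2024, 6, 30))


if __name__ == "__main__":
    for user, issue, detail in run_sample_review():
        print(f"{user:8} {issue:24} {detail}")
```

Each exception maps to a finding type an auditor would document separately: excess access is a least-privilege gap, a terminated-but-enabled account is a leaver-process failure, and a segregation-of-duties conflict is a design weakness that exists even when every individual grant was approved.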
5.2 IT General Controls vs. IT Application Controls
IT General Controls (ITGCs) are controls that apply across the entire IT environment rather than to specific systems. They establish the foundation for the reliability of application controls. Key ITGC categories:
- Access controls: Logical access management, password policies, multi-factor authentication.
- Change management: Authorization, testing, and documentation of system changes.
- Operations: Job scheduling, backup and recovery, incident management.
- Program development: Controls over the software development life cycle.
IT Application Controls are embedded within specific applications and govern individual transactions. Types include:
- Input controls: Validation of data entered (field format checks, range checks, completeness checks).
- Processing controls: Ensuring transactions are processed completely and accurately (balancing, reconciliation).
- Output controls: Ensuring outputs are accurate, complete, and distributed appropriately.
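To make the distinction between input and processing controls concrete, here is an added example (not from the course text or the textbook) that applies the three input-control types listed above (field format, range, completeness) to each record of an accounts-payable batch, and a processing control (batch record count and hash total) to the batch as a whole. The field names, the vendor-ID format and the single-invoice ceiling are constructed assumptions.

```python
"""Input and processing application controls over a constructed invoice batch.

Added example (not from the course text). Shows the three input-control types
the text lists (field format, range, completeness) and a processing control
(batch control totals) applied to an accounts-payable batch. Field names, the
vendor-ID format and the single-invoice ceiling are constructed assumptions.
"""
import re
from decimal import Decimal, InvalidOperation

REQUIRED_FIELDS = ("invoice_no", "vendor_id", "amount", "invoice_date")
VENDOR_ID_RE = re.compile(r"^V\d{5}$")        # constructed format: 'V' + five digits
AMOUNT_CEILING = Decimal("100000.00")         # constructed single-invoice limit


def validate_record(rec):
    """Input controls for one record; returns a list of control failures (empty = pass)."""
    failures = []
    # Completeness check: every required field present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:
        failures.append("completeness: missing " + ",".join(missing))
        return failures            # other checks are meaningless on an incomplete record
    # Field format check on the vendor identifier.
    if not VENDOR_ID_RE.match(rec["vendor_id"]):
        failures.append(f"format: vendor_id {rec['vendor_id']!r}")
    # Range check on the amount: must be positive and within the ceiling.
    try:
        amount = Decimal(rec["amount"])
    except (InvalidOperation, TypeError, ValueError):
        failures.append(f"format: amount {rec['amount']!r}")
        return failures
    if not (Decimal("0") < amount <= AMOUNT_CEILING):
        failures.append(f"range: amount {amount}")
    return failures


def batch_balances(header, records):
    """Processing control: recomputed record count and hash total must equal the header."""
    total = Decimal("0")
    for rec in records:
        try:
            total += Decimal(rec.get("amount") or "0")
        except (InvalidOperation, TypeError, ValueError):
            pass                   # an unparseable amount is reported by validate_record
    return len(records) == header["record_count"] and total == Decimal(header["control_total"])


def process_batch(header, records):
    """Balance the batch first; if it balances, apply input controls record by record."""
    result = {"balanced": batch_balances(header, records), "accepted": [], "rejected": []}
    if not result["balanced"]:
        return result              # hold the whole batch: records lost or duplicated in transit
    for rec in records:
        failures = validate_record(rec)
        if failures:
            result["rejected"].append((rec.get("invoice_no"), failures))
        else:
            result["accepted"].append(rec)
    return result


# Constructed batch: header totals computed by the sending system.
SAMPLE_HEADER = {"record_count": 5, "control_total": "4975.00"}
SAMPLE_RECORDS = [
    {"invoice_no": "INV-1001", "vendor_id": "V00123", "amount": "1200.00", "invoice_date": "2024-06-03"},
    {"invoice_no": "INV-1002", "vendor_id": "VX123", "amount": "350.00", "invoice_date": "2024-06-04"},
    {"invoice_no": "INV-1003", "vendor_id": "V00456", "amount": "-75.00", "invoice_date": "2024-06-05"},
    {"invoice_no": "INV-1004", "vendor_id": "V00789", "amount": "1000.00", "invoice_date": ""},
    {"invoice_no": "INV-1005", "vendor_id": "V00123", "amount": "2500.00", "invoice_date": "2024-06-07"},
]

if __name__ == "__main__":
    outcome = process_batch(SAMPLE_HEADER, SAMPLE_RECORDS)
    print("balanced:", outcome["balanced"])
    for invoice_no, failures in outcome["rejected"]:
        print(invoice_no, failures)
```

Note the order: the batch is balanced before any record is validated, because a count or hash-total mismatch means records were lost or duplicated in transit and rejecting individual records would mask that. When auditing such a control, reperformance means recomputing the totals from the source file, not reading the system's own "balanced" flag.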
5.3 Differences Between IT Audit and Operational Audit
While operational audits focus on the efficiency and effectiveness of business processes (for which IT is an enabler), IT audits focus specifically on technology risks — the security, integrity, availability, and reliability of IT systems and data.
IT auditors require specialized knowledge of systems architecture, network security, database management, and IT governance frameworks (COBIT, ISO 27001). Operational auditors focus more heavily on business process understanding, policy adherence, and performance measurement.
In practice, modern internal audits are increasingly integrated — operational auditors must understand the IT controls supporting the processes they review, while IT auditors must understand the business context of the systems they examine.
Chapter 6: Business Processes and Internal Controls
6.1 Risk Through the Lens of Business Process Objectives
Every business process exists to achieve specific objectives. The starting point for process-level risk assessment is understanding those objectives clearly: what must this process accomplish, and what could prevent it from doing so?
Objective-setting for process audits: Before identifying risks, auditors articulate the process objectives (e.g., the accounts payable process must: record all valid vendor invoices completely and accurately, pay only for goods and services actually received, pay invoices at the correct amounts and in the correct period). Risks are then identified as conditions that could cause these objectives to fail.
6.2 From Risk Identification to Audit Test Design
The logical chain from risk to audit procedure:
- Identify process objectives (what must go right?)
- Identify risks (what could go wrong — both errors and fraud?)
- Identify controls (what prevents or detects the risk?)
- Evaluate control design (is the control theoretically capable of preventing/detecting the risk?)
- Test control operating effectiveness (is the control actually being performed as designed?)
- Determine residual risk (given control effectiveness, what is the remaining risk?)
- Design substantive tests (if residual risk is above acceptable threshold, perform direct testing)
This framework applies to any type of internal audit engagement — operational, financial, IT, or compliance.
6.3 Control Testing Methodologies
Inquiry alone is insufficient to conclude on control effectiveness — people describe what they believe happens or what should happen, not necessarily what actually happens. Inquiry must be supplemented by:
- Observation: Watching the control being performed provides evidence at the time of observation. Limited to controls performed regularly during the audit period.
- Inspection of documentation: Reviewing records of control performance (approvals, sign-offs, reconciliation documentation). Provides evidence that the control was performed but not necessarily that it was performed effectively.
- Reperformance: The auditor independently executes the control procedure and compares the result to management’s result. This provides strong evidence of operating effectiveness.
Sample size for control testing depends on the desired level of reliance and the tolerable deviation rate. Statistical tables (or software) determine sample sizes — for example, to achieve high reliance with a tolerable deviation rate of 5%, approximately 60 items may need to be tested.
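The sample-size figure above comes from attribute-sampling tables, which are built on a simple binomial model. The following added example (not from the course text or the textbook) reproduces that model: the sample size is the smallest n such that, if the true deviation rate were exactly the tolerable rate, the probability of observing no more than the expected number of deviations would be at most the accepted risk of over-reliance. It also evaluates the result of the test, computing the achieved upper deviation limit from the deviations actually found. For a 5% tolerable rate, 5% risk of over-reliance and zero expected deviations it gives 59, the figure the standard tables show and the "approximately 60" quoted above.

```python
"""Attribute-sampling sample size and evaluation for a test of controls.

Added example (not from the course text). Uses the binomial model behind the
standard attribute-sampling tables: the sample is the smallest n such that, if
the true deviation rate were exactly the tolerable rate, the probability of
seeing no more than the expected number of deviations is at most the accepted
risk of over-reliance.
"""
import math


def cumulative_binomial(n, k, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of at most k deviations in n items."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(tolerable_rate, risk_of_overreliance, expected_deviations=0):
    """Smallest n with P(at most `expected_deviations` | p = tolerable) <= risk."""
    n = expected_deviations + 1
    while cumulative_binomial(n, expected_deviations, tolerable_rate) > risk_of_overreliance:
        n += 1
    return n


def upper_deviation_limit(n, observed, risk_of_overreliance, tol=1e-7):
    """Achieved upper deviation limit: the highest rate still consistent with the sample.

    Found by bisection on p: P(X <= observed | n, p) falls as p rises, so the
    limit is the p at which that probability equals the accepted risk.
    """
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if cumulative_binomial(n, observed, mid) > risk_of_overreliance:
            lo = mid           # this few deviations is still too likely: rate must be higher
        else:
            hi = mid
    return hi


def reliance_supported(n, observed, tolerable_rate, risk_of_overreliance):
    """Reliance on the control is supported only if the achieved upper limit is within tolerance."""
    return upper_deviation_limit(n, observed, risk_of_overreliance) <= tolerable_rate


if __name__ == "__main__":
    n = sample_size(0.05, 0.05)                 # 59 for 5% tolerable, 5% risk, 0 expected
    print("sample size:", n)
    print("0 deviations -> upper limit %.2f%%" % (100 * upper_deviation_limit(n, 0, 0.05)))
    print("1 deviation  -> upper limit %.2f%%" % (100 * upper_deviation_limit(n, 1, 0.05)))
    print("reliance supported with 1 deviation:", reliance_supported(n, 1, 0.05, 0.05))
```

The evaluation side is the part practitioners most often skip: a sample of 59 with zero deviations supports reliance at a 5% tolerable rate, but a single deviation in that same sample pushes the achieved upper limit well above 5%, so the auditor must either extend the sample or conclude that the control cannot be relied on and increase substantive testing.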
Chapter 7: The Internal Audit Engagement Process
7.1 Planning the Internal Audit Engagement
Effective engagement planning begins well before fieldwork. The planning phase encompasses:
Establishing engagement objectives: What is the internal audit engagement designed to achieve? Objectives should be directly linked to the identified risks — they specify what the auditor will assess and what assurance will be provided.
Scoping the engagement: Define the population of business units, processes, time periods, and systems within the engagement boundary. Scope decisions balance the cost of audit coverage against the risk of leaving significant areas unexamined.
Preliminary risk assessment: Before fieldwork, the auditor forms initial views about where risks may be concentrated within the scope. Preliminary assessment informs the allocation of audit effort — spending more time on higher-risk areas.
Developing the audit program: A detailed document listing the specific audit procedures to be performed, the assertions or objectives each procedure addresses, the timing, and the responsible auditor. The audit program is the primary tool for guiding fieldwork execution and documenting coverage.
Resource assignment: Matching auditor competencies to engagement requirements — IT-intensive engagements require IT audit specialists; foreign operations may require local language and regulatory knowledge.
Communication with management: Effective audit planning includes an opening meeting with management to explain the engagement objectives, timeline, and information requirements. This builds cooperation and surfaces information the auditor may not have obtained independently.
7.2 Fieldwork and Documentation
Evidence gathering follows the audit program, applying the range of techniques described earlier. The guiding principle is obtaining sufficient, appropriate evidence to support each engagement conclusion.
Working papers document the audit work performed and constitute the evidence base supporting the audit conclusions and findings. Working papers must be sufficiently detailed to:
- Enable an experienced auditor who was not on the engagement to understand what was done and why.
- Support the findings, conclusions, and recommendations in the audit report.
- Demonstrate compliance with audit standards.
Working paper retention policies vary by organization but typically range from 5 to 7 years for internal audit documentation.
Supervision and review: Each auditor’s work is reviewed by a more senior auditor to ensure it is complete, accurate, and appropriately documented. The CAE or engagement manager reviews the overall package before the audit report is finalized.
7.3 Fraud Awareness in Internal Audit
While internal auditors are not primarily responsible for detecting fraud (that is first-line management’s responsibility), they must maintain fraud awareness and be alert to indicators (“red flags”) throughout their work.
Common fraud indicators:
- Unusual journal entries (round numbers, entries near period-end, entries by unusual personnel)
- Employees living beyond apparent means
- Reluctance to take vacations (concealing ongoing fraud)
- Discrepancies between physical assets and records
- Missing or altered documentation
- Unusual vendor relationships (vendors with no physical address, P.O. boxes)
When fraud is suspected, internal audit should escalate promptly to the CAE and, through the CAE, to the audit committee — not attempt to conduct a fraud investigation independently, which requires specialized forensic skills and legal expertise.
Chapter 8: Managing the Internal Audit Function
8.1 Strategic Planning and the Risk-Based Audit Plan
The annual audit plan is the CAE’s primary management tool — it defines which engagements will be performed, when, and with what resources. A risk-based audit plan allocates effort proportionally to risk exposure across the organization’s auditable entities (processes, business units, systems, projects).
Audit universe: A comprehensive inventory of auditable entities — every distinct process, business unit, system, or project that could be subject to internal audit review. The audit universe provides the starting point for risk-ranking and coverage planning.
Risk-ranking methodology: Each auditable entity is scored on factors such as inherent risk exposure, time since last audit, regulatory requirements, change in the business environment, and management requests. The highest-ranked entities are prioritized for audit coverage in the coming plan period.
Coverage decisions: Not every auditable entity will receive audit coverage each year. The CAE must make explicit, documented decisions about coverage cycles — balancing depth (thorough review of high-priority areas) against breadth (periodic coverage of lower-risk areas).
Plan approval: The audit plan is reviewed and approved by the audit committee. Management may request additions or removals, but the audit committee has final authority — preserving the CAE’s independence from management dictating audit priorities.
8.2 Reporting Audit Findings
The internal audit report is the primary communication vehicle for conveying findings, conclusions, and recommendations. Effective audit reports are:
- Accurate: Facts, evidence, and conclusions are correctly stated.
- Objective: Findings are free from bias; both strengths and weaknesses are reported.
- Clear: Understandable to the intended audience without unnecessary technical jargon.
- Concise: Focused on what matters; free of irrelevant detail.
- Constructive: Recommendations are practical and actionable.
- Complete: All significant findings are included; nothing material is omitted.
- Timely: Issued promptly enough that findings remain relevant and corrective actions can be implemented.
Anatomy of an audit finding: A complete finding contains four elements — Condition (what is), Criteria (what should be), Cause (why the gap exists), and Consequence (what is the impact or risk). Recommendations address the cause to eliminate the gap.
8.3 ESG and Emerging Areas in Internal Auditing
ESG and internal audit: As organizations face increasing pressure to report on environmental and social performance, internal audit is being asked to provide assurance over ESG data quality and process integrity. This requires auditors to develop competency in:
- Understanding ESG reporting frameworks (GRI, SASB, TCFD, IFRS Sustainability Standards).
- Evaluating the controls over ESG data collection, aggregation, and reporting.
- Assessing the completeness and accuracy of ESG disclosures.
Continuous auditing: Technology enables auditors to monitor transaction populations in real time rather than performing periodic point-in-time reviews. Continuous auditing applies analytics tools to identify anomalies, deviations from expected patterns, or breaches of control thresholds as they occur — providing more timely assurance and allowing faster response to control failures.
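The journal-entry red flags listed in section 7.3 (round amounts, entries near period-end, entries by unusual personnel) are exactly the kind of rule a continuous-auditing job runs against each day's postings. The following is an added example, not from the course text or the textbook: it screens a constructed ledger extract against those three indicators plus an out-of-hours test, and then prioritizes entries that trip several indicators at once, since a single indicator on its own (a round amount, say) is common and rarely worth follow-up. The field names, the authorized-poster list and the thresholds are constructed assumptions.

```python
"""Journal-entry red-flag analytics over a constructed ledger extract.

Added example (not from the course text). Implements the journal-entry fraud
indicators the text lists (round amounts, entries near period-end, entries by
unusual personnel) plus an out-of-hours test, as a rule set a continuous-
auditing job would run against each day's postings. Field names, the
authorized-poster list and the thresholds are constructed.
"""
from datetime import datetime, date
from typing import Dict, List

AUTHORIZED_POSTERS = {"gl_clerk1", "gl_clerk2", "controller"}   # constructed
ROUND_AMOUNT_UNIT = 1000          # amounts divisible by this are treated as "round"
PERIOD_END_WINDOW_DAYS = 2        # postings this close to period end are flagged
BUSINESS_HOURS = (8, 18)          # local hours considered normal posting time


def is_round(amount: float) -> bool:
    """Round amounts at or above the unit (e.g. 50,000.00) are an indicator."""
    return amount >= ROUND_AMOUNT_UNIT and amount % ROUND_AMOUNT_UNIT == 0


def near_period_end(posted: datetime, period_end: date) -> bool:
    """Posted within the last PERIOD_END_WINDOW_DAYS days of the period."""
    return 0 <= (period_end - posted.date()).days <= PERIOD_END_WINDOW_DAYS


def out_of_hours(posted: datetime) -> bool:
    """Weekend postings or postings outside BUSINESS_HOURS."""
    return posted.weekday() >= 5 or not (BUSINESS_HOURS[0] <= posted.hour < BUSINESS_HOURS[1])


def screen_entries(entries: List[dict], period_end: date) -> Dict[str, List[str]]:
    """Return {entry_id: [indicators]} for every entry tripping at least one red flag."""
    flagged = {}
    for e in entries:
        posted = datetime.fromisoformat(e["posted_at"])
        reasons = []
        if is_round(e["amount"]):
            reasons.append("round_amount")
        if near_period_end(posted, period_end):
            reasons.append("near_period_end")
        if e["posted_by"] not in AUTHORIZED_POSTERS:
            reasons.append("unusual_poster")
        if out_of_hours(posted):
            reasons.append("out_of_hours")
        if reasons:
            flagged[e["entry_id"]] = reasons
    return flagged


def prioritize(flagged: Dict[str, List[str]], min_indicators: int = 2) -> List[str]:
    """Entries with several concurrent indicators go to the top of the follow-up queue."""
    queue = [eid for eid, reasons in flagged.items() if len(reasons) >= min_indicators]
    return sorted(queue, key=lambda eid: -len(flagged[eid]))


# Constructed ledger extract for the period ending 30 June 2024.
SAMPLE_ENTRIES = [
    {"entry_id": "JE-1", "amount": 1234.56, "posted_at": "2024-06-10T10:15", "posted_by": "gl_clerk1"},
    {"entry_id": "JE-2", "amount": 50000.00, "posted_at": "2024-06-29T22:40", "posted_by": "it_admin"},
    {"entry_id": "JE-3", "amount": 3000.00, "posted_at": "2024-06-12T14:00", "posted_by": "gl_clerk2"},
    {"entry_id": "JE-4", "amount": 8750.25, "posted_at": "2024-06-28T09:05", "posted_by": "controller"},
    {"entry_id": "JE-5", "amount": 420.00, "posted_at": "2024-06-15T03:12", "posted_by": "gl_clerk1"},
]


def run_sample_screen() -> Dict[str, List[str]]:
    """Screen the constructed extract against the 30 June 2024 period end."""
    return screen_entries(SAMPLE_ENTRIES, date(2024, 6, 30))


if __name__ == "__main__":
    flagged = run_sample_screen()
    for eid in prioritize(flagged):
        print(eid, flagged[eid])
```

In a continuous-auditing deployment the same rules run on each day's postings and only the prioritized entries are routed for follow-up; the auditor's judgement shifts from reviewing individual entries to tuning the thresholds and investigating why an indicator fires more often than the baseline.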
Agile auditing: Traditional audit methodologies are linear (plan, execute, report) and can take months. Agile internal audit adapts project management principles from software development — working in short “sprints,” delivering interim results to stakeholders, and adjusting scope based on real-time findings. This increases relevance and responsiveness.
8.4 Quality Assurance in Internal Audit
The IPPF requires that the CAE develop and maintain a quality assurance and improvement program (QAIP) to evaluate the IAF’s conformance with the Standards and the effectiveness of its engagements.
Internal quality assessments: Ongoing supervision and review within engagements; periodic self-assessments by the CAE reviewing the overall IAF.
External quality assessments: An independent review of the IAF conducted by a qualified external party at least once every five years. The external assessor evaluates conformance with the Standards and overall audit effectiveness, providing the audit committee with independent assurance about the quality of the internal audit function.
The QAIP results — including any identified non-conformance — must be communicated to senior management and the audit committee.