AFM 452: Internal Audit
Adam Vitalis
Estimated study time: 1 hr 7 min
Sources and References
- Primary textbook: Anderson, U. L., Head, M. J., Mar, R., Ramamoorti, S., Riddle, C., & Salamasick, M. Internal Auditing: Assurance and Advisory Services, 5th ed. Internal Audit Foundation, 2021 (commonly called “Sawyer’s”).
- Supplementary: Institute of Internal Auditors (IIA). Global Internal Audit Standards (GIAS). IIA, 2024; ISACA. COBIT 2019 Framework: Governance and Management Objectives. ISACA, 2018; Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control — Integrated Framework. COSO, 2013.
- Online resources: IIA Global standards and practice guides (theiia.org); ISACA IT audit frameworks; IIA Three Lines Model (2020); COSO ERM — Integrating with Strategy and Performance (2017).
Chapter 1: Introduction to Internal Auditing
1.1 What Is Internal Auditing?
Internal auditing is an independent, objective assurance and consulting activity that adds value and helps an organization accomplish its objectives. It does this by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
This definition, established by the IIA and embedded in the Global Internal Audit Standards, reveals several essential characteristics of the profession:
- Independence and objectivity: Internal auditors must maintain organizational and individual independence, free from biases or conflicts of interest that would impair their ability to render unbiased assessments. Structural independence is achieved primarily through the reporting relationship — the Chief Audit Executive (CAE) reports functionally to the board’s audit committee rather than solely to management.
- Assurance and consulting: Internal audit serves a dual role. Assurance services involve an objective examination of evidence to provide an independent assessment of risk management, control, or governance processes. Consulting services are advisory in nature — helping management improve processes without the auditor taking on management responsibility or accountability.
- Systematic, disciplined approach: Internal auditing is not ad hoc investigation or troubleshooting. It follows a structured methodology encompassing risk-based planning, engagement-level planning, fieldwork execution, documentation, and reporting.
- Focus on risk management, control, and governance: These three domains are the foundational pillars of organizational health — how risks are identified and managed, how controls are designed and operating, and how governance structures direct and oversee the organization toward its objectives.
1.2 A Brief History of Internal Auditing
Internal auditing as a formalized profession has its roots in the early twentieth century, when large industrial corporations began deploying internal accountants to verify financial records and detect fraud before external auditors arrived. The Institute of Internal Auditors was founded in 1941 in New York City, and from that point the profession began developing its own standards, ethics, and body of knowledge.
Several historical forces accelerated the development and expansion of internal audit:
- Corporate scandals and regulatory response: Events such as the savings and loan crisis of the 1980s, the Enron and WorldCom collapses of 2001–2002, and the 2008 financial crisis each prompted legislated and regulatory responses that raised expectations for internal audit. The Sarbanes-Oxley Act of 2002 (SOX) — while primarily targeting external audit — substantially elevated internal audit’s role in evaluating internal controls over financial reporting (ICFR).
- Growing organizational complexity: As organizations expanded globally, into new industries, and with greater reliance on technology, the variety of risks requiring expert, independent assessment multiplied. Internal audit expanded from a financial compliance function into a broad risk-assurance activity covering operations, IT, strategy, and sustainability.
- Professionalization: The creation of the Certified Internal Auditor (CIA) credential in 1974, the progressive development of the IPPF, and the establishment of national IIA chapters worldwide formalized internal audit as a distinct profession with its own competency model, ethical obligations, and technical standards.
1.3 Why Internal Audit Matters
The organizational value of internal audit extends well beyond compliance verification. Consider the stakeholders who benefit from an effective internal audit function:
| Stakeholder | Primary Benefit from Internal Audit |
|---|---|
| Board / Audit Committee | Independent assurance that management’s risk and control representations are accurate; early warning of emerging risks |
| Senior Management | Objective insights into operational effectiveness, control gaps, and opportunities for improvement |
| External Auditors | Potential reliance on internal audit work can reduce external audit scope and cost when quality standards are met |
| Regulators | Evidence of sound governance and risk management; regulatory expectation in banking, insurance, and other supervised industries |
| Investors and Creditors | Confidence that the organization is well-governed supports trust in financial disclosures |
| Employees | Clarity on policies and control expectations; fair investigation processes |
The conceptual shift in how internal audit is understood — from a “corporate police” function detecting faults after the fact, to a “trusted advisor” helping the organization proactively manage risk — reflects decades of professional evolution. Modern internal audit does not merely report what went wrong; it helps leadership understand why it went wrong, what the consequences are, and how to prevent recurrence.
1.4 The CIA Exam and Professional Certification
AFM 452 explicitly prepares students for the Certified Internal Auditor (CIA) examination, the only globally recognized credential for internal auditors. Administered by the IIA, the CIA consists of three parts:
- Part 1: Essentials of Internal Auditing — The IPPF, independence, governance, risk management, and controls.
- Part 2: Practice of Internal Auditing — Engagement planning, fieldwork, communication, monitoring, and fraud.
- Part 3: Business Knowledge for Internal Auditing — Finance, operations, IT, and financial statement analysis in the context of internal audit.
Professional certification signals to employers a baseline competency in the standards, methodology, and professional obligations of internal audit. CIA holders are increasingly found in CAE roles, risk management positions, and senior advisory functions.
Chapter 2: The International Professional Practices Framework (IPPF)
2.1 Overview of the IPPF
The International Professional Practices Framework (IPPF) is the conceptual and authoritative framework established by the IIA that organizes, promotes, and communicates the standards, principles, and guidance governing the global internal audit profession. The 2024 update — which introduced the Global Internal Audit Standards — represented the most significant overhaul of the framework in the IIA’s history.
The IPPF divides guidance into two broad categories:
Mandatory guidance — Conformance with these elements is required for an IAF to claim compliance with the IIA Standards:
- Global Internal Audit Standards (GIAS): Comprehensive, principles-based requirements covering governance of the IAF, individual engagement conduct, and reporting.
- Topical Requirements: Supplemental mandatory standards addressing specific subject areas (e.g., financial services internal audit, cybersecurity assurance).
Recommended guidance — Best practices that are strongly encouraged but not mandatory:
- Topical Guides: Practical implementation guidance for specific types of audits (e.g., auditing culture, auditing cybersecurity).
- Practice Guides: Detailed procedural guidance supporting implementation of the Standards.
- Global Perspectives and Insights: Thought leadership on emerging topics and future directions for internal audit.
2.2 The Definition of Internal Auditing
The IIA’s official definition of internal auditing, introduced in Section 1.1, anchors the entire IPPF: “Internal auditing is an independent, objective assurance and consulting activity that adds value and helps an organization accomplish its objectives. It does this by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Every word in this definition carries meaning that the Standards flesh out in detail. “Independent” and “objective” are conditions that must be actively maintained and monitored. “Assurance and consulting” acknowledges the dual nature of internal audit work. “Systematic, disciplined approach” implies methodology — not just checking boxes. “Risk management, control, and governance” establishes the three domains that define the scope of internal audit inquiry.
2.3 Core Principles for the Professional Practice of Internal Auditing
The 2024 Global Internal Audit Standards articulate core principles that reflect what effective professional practice looks like. These are not aspirational statements — they describe the expected baseline of a professionally conducted internal audit function:
- Demonstrates Integrity: The CAE and internal auditors act with honesty and courage, especially when reporting findings that are politically sensitive or unwelcome.
- Demonstrates Competence and Due Professional Care: Knowledge, skills, and experience are proportionate to engagement complexity; quality assurance mechanisms ensure work meets professional standards.
- Is Objective and Free from Undue Influence: Both structural (organizational) and behavioral (individual) independence from management interference are maintained.
- Aligns with the Organization’s Strategies, Objectives, and Risks: The audit plan addresses the organization’s most significant risks and strategic priorities, not just areas of historical convenience.
- Is Appropriately Positioned and Adequately Resourced: Sufficient budget, qualified staff, and organizational access to fulfill the IAF’s mandate.
- Demonstrates Quality and Continuous Improvement: Operates a quality assurance and improvement program; professional skills and methodology are kept current.
- Communicates Effectively: Reports and other communications are clear, timely, accurate, and actionable for the intended audience.
- Provides Risk-Based Assurance: Both the annual plan and individual engagements are driven by assessed risk, not by tradition, management preference, or audit convenience.
- Is Insightful, Proactive, and Future-Focused: Goes beyond identifying past problems to anticipate emerging risks and contribute forward-looking perspective.
- Promotes Organizational Improvement: Drives meaningful change through recommendations with demonstrated root cause analysis, practical remediation guidance, and disciplined follow-up.
2.4 The Code of Ethics
The IIA’s Code of Ethics establishes the standards of conduct expected of internal auditors. It applies to individuals and entities that provide internal audit services. The Code consists of two essential components: Principles and Rules of Conduct.
Principles
- Integrity: Internal auditors establish trust and thus provide the basis for reliance on their judgment. They do not participate in illegal activity or engage in acts discreditable to the profession.
- Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information. They make balanced assessments of all relevant circumstances and are not unduly influenced by their own interests or by others.
- Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
- Competency: Internal auditors apply the knowledge, skills, and experience needed in performing internal audit services. They only undertake services for which they have, or can reasonably acquire, the necessary knowledge, skills, and experience.
Rules of Conduct (Selected)
- Internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This includes activities, relationships, and personal conflicts that conflict with the interests of the organization.
- Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment.
- Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
2.5 The IIA Standards: Attribute vs. Performance Standards
The Global Internal Audit Standards (and their predecessor, the International Standards for the Professional Practice of Internal Auditing) are organized into two broad categories:
Attribute Standards: Address the characteristics of organizations and individuals performing internal auditing. These establish the baseline organizational conditions for effective internal audit — independence, objectivity, proficiency, due professional care, and quality assurance.
Performance Standards: Describe the nature of internal audit activities and provide quality criteria for evaluating performance. They cover risk-based audit planning, engagement planning, performance of engagements, communicating results, monitoring progress, and communicating the acceptance of risks.
| Standard Category | Key Topics |
|---|---|
| Attribute Standards | Purpose, authority, and responsibility (the charter); independence and objectivity; proficiency and due professional care; quality assurance and improvement program (QAIP) |
| Performance Standards | Managing the IAF; nature of work (assurance and consulting); engagement planning; performing the engagement; communicating engagement results; monitoring progress; communicating the acceptance of risks |
2.6 The Internal Audit Charter
The internal audit charter is a formal document that defines the IAF’s purpose, authority, and responsibility within the organization. The charter is a mandatory requirement under the IIA Standards. The CAE is responsible for periodically reviewing the charter and presenting it to senior management and the board for approval.
A comprehensive charter addresses:
- Purpose: Why the IAF exists; its mission to provide independent assurance and consulting to help the organization achieve its objectives.
- Authority: The organizational authority granted to the IAF — specifically, unrestricted access to records, personnel, and physical properties relevant to any engagement; the authority to allocate resources, set frequencies, select subjects, determine scopes, and apply techniques necessary to accomplish audit objectives.
- Responsibility: Obligations the IAF fulfills — conforming to the IIA Standards, reporting significant risk exposures and control issues to the audit committee, and managing the IAF effectively.
- Organizational independence provisions: The CAE’s dual reporting structure; the audit committee’s authority over the appointment, removal, and compensation of the CAE.
- Nature of assurance and consulting: Clarification that assurance engagements require disciplined risk-based planning while consulting services are performed at management’s request.
- Relationship with external audit: How the IAF coordinates with the external auditor to promote efficiency and prevent duplication.
Chapter 3: Governance and Internal Auditing
3.1 Corporate Governance — Concepts and Structures
Corporate governance refers to the system by which organizations are directed and controlled. It encompasses the structures, processes, and relationships that determine how the interests of shareholders, management, and other stakeholders are balanced and how decisions are made and monitored.
Key governance mechanisms relevant to internal audit:
- Board of directors: The ultimate governing body. Responsible for setting organizational objectives, approving strategy, overseeing management performance, and ensuring accountability to shareholders.
- Audit committee: A board committee comprising independent directors responsible for overseeing financial reporting, external audit, internal audit, and risk management. The audit committee is internal audit’s primary governance partner.
- Management: Responsible for executing strategy, managing operations, and implementing controls. Management is the primary consumer of internal audit services — and also the subject of internal audit evaluation.
- External auditors: Provide independent assurance on financial statements. Coordinate with internal audit to leverage complementary coverage.
3.2 The IIA’s Three Lines Model
The IIA’s Three Lines Model (2020) describes how governance and risk management responsibilities are distributed within an organization. It superseded the earlier “Three Lines of Defense” model, with the critical conceptual shift that all three lines exist to serve the governing body — not simply each other in a hierarchical escalation chain.
| Line | Who | Primary Role |
|---|---|---|
| First Line | Business operations (management, process owners, front-line staff) | Own and manage risks; operate and maintain effective controls; achieve organizational objectives |
| Second Line | Risk management, compliance, quality, finance, legal, HR functions | Establish risk management frameworks; develop policies; provide oversight and challenge to the first line |
| Third Line | Internal audit | Provide independent assurance to the governing body on the effectiveness of governance, risk management, and controls |
| Governing Body | Board of directors / audit committee | Set objectives, values, and strategy; hold management accountable; receive assurance |
Applied to credit risk in a retail bank, the three lines look like this:
- First Line: The retail banking division manages credit risk by applying lending policies when approving loans, monitoring delinquencies, and escalating problem accounts.
- Second Line: The Credit Risk Management department establishes the credit risk framework, sets portfolio concentration limits, reviews the lending team's compliance with policy, and reports aggregate credit risk to the risk committee.
- Third Line: Internal audit independently assesses whether the lending team's credit risk management is effective (first-line review) and whether the Credit Risk Management department's oversight framework is well-designed and operating (second-line review). Findings are reported to the audit committee.
Interaction Between Lines
A common misconception is that internal audit should avoid overlapping with second-line functions such as risk management and compliance. In practice, effective internal audit often includes assessing the quality of second-line activities — not to undermine them, but to provide the audit committee with an independent view of whether second-line oversight is rigorous and effective.
Internal audit should not perform second-line functions. If internal audit takes responsibility for risk monitoring, policy development, or compliance testing as an ongoing function, it loses the independence necessary to provide objective assurance over those same activities. The boundary must be clear.
3.3 Independence — Organizational and Individual
Independence is the foundational condition that distinguishes internal audit from every other internal function. Without genuine independence, internal audit cannot provide the objective assurance that stakeholders rely upon.
Organizational Independence
Organizational independence is structural — it is established through the reporting relationship and charter provisions:
- Dual reporting: The CAE reports functionally to the audit committee and administratively to the CEO/CFO. Functional reporting means the audit committee approves the audit plan, budget, and CAE appointment/removal — not management.
- Direct, unrestricted access: The CAE must be able to communicate directly with the audit committee chairman without management’s presence or prior knowledge.
- Budget independence: The audit committee approves the IAF’s budget, preventing management from defunding internal audit in retaliation for inconvenient findings.
Individual Objectivity
Individual objectivity is a mental attitude — the internal auditor must not allow personal interests or relationships to distort professional judgment:
- Conflicts of interest: Auditors should not audit activities for which they were previously responsible until at least one year has passed (the “cooling-off period” concept). Auditors with personal financial interests in the entity being audited must recuse themselves.
- Self-review threats: Auditors who previously designed or implemented a control cannot objectively evaluate that control’s design or effectiveness.
- Familiarity threats: Close personal relationships with auditees can lead to reduced skepticism.
3.4 Governance Attributes That Strengthen Internal Audit
The effectiveness of internal audit does not depend solely on the skills of the auditors. Governance quality significantly shapes how internal audit operates and how its findings are received:
- Board independence: Boards with a majority of genuinely independent directors are more likely to support a robust, adequately resourced internal audit function — and less likely to tolerate management suppression of findings.
- Audit committee financial expertise: SEC and stock exchange listing requirements mandate that at least one audit committee member have accounting or financial management expertise. Greater technical competency improves the quality of audit committee oversight of IAF work.
- Tone at the top: The visible and consistent commitment of the CEO and board to integrity, accountability, and sound control environments determines whether audit findings are treated as improvement opportunities or political threats. An organization with weak tone at the top will resist internal audit, restrict access, and fail to implement recommendations.
- Transparency and accountability: Organizations with strong disclosure cultures — transparent to investors, regulators, and employees about risk and performance — are more likely to embrace the findings of an effective internal audit function.
Chapter 4: Risk Management and Risk-Based Auditing
4.1 Foundational Risk Concepts
Risk is central to every aspect of internal auditing — from the design of the annual audit plan to the assessment of individual controls within an engagement. Internal auditors must understand risk at multiple levels: enterprise-wide, process-level, and transaction-level.
4.2 The Risk Assessment Process
Risk assessment is not a one-time activity. Effective organizations maintain dynamic, continuously updated views of their risk landscapes. For internal audit purposes, risk assessment occurs at two distinct levels:
Enterprise-level risk assessment (used for audit planning): The CAE surveys the organization’s entire risk landscape to determine which areas carry the greatest risk exposure and therefore warrant audit attention. This typically draws on the organization’s existing enterprise risk management (ERM) outputs, strategic plan, financial data, regulatory requirements, and management input.
Engagement-level risk assessment (used for engagement planning): Once a specific auditable entity has been selected for review, auditors perform a detailed risk assessment of that entity’s objectives, risks, and controls. This risk assessment drives the development of the audit program — identifying which controls to test and how.
4.3 Enterprise Risk Management (ERM) and Internal Audit
Enterprise Risk Management (ERM) is a process by which organizations identify, assess, manage, and monitor risks across all activities to provide reasonable assurance regarding the achievement of objectives. The COSO ERM Framework (2017 update) is the primary reference for ERM in North American practice.
Internal audit’s relationship to ERM is carefully defined to preserve independence:
Appropriate internal audit roles in ERM:
- Provide assurance on the adequacy and effectiveness of the ERM process itself — is it comprehensive, current, and integrated into decision-making?
- Evaluate whether the risk register is complete — are significant risks missing or underweighted?
- Assess whether risk responses are appropriate relative to the stated risk appetite.
- Report on the status of significant risks and the effectiveness of risk management to the audit committee.
- Facilitate risk identification workshops as a consulting service (with appropriate disclosures).
Roles internal audit should NOT perform in ERM:
- Own or manage risk registers as an ongoing operational function.
- Make final decisions about risk responses or risk appetite.
- Take accountability for managing specific risks.
- Implement risk controls (which would impair the ability to later provide assurance over those controls).
4.4 How Risk Focus Differs by Engagement Type
Different types of internal audit engagements require different risk lenses. Understanding the nature of the engagement determines which risks to prioritize and which testing approaches to apply.
Operational Audits
Operational audits evaluate the efficiency and effectiveness of business processes in achieving their objectives. Risk emphasis is on:
- Process risks: Where could the process fail to deliver expected outputs?
- Control risks: Are controls well-designed to mitigate process risks, and are they operating effectively?
- Performance risks: Are resources being used efficiently? Are outcomes being measured meaningfully?
Operational audits frequently employ process mapping (flowcharts, narratives) to document the process, identify control points, and surface risk areas. Common areas include procurement, payroll, accounts payable, inventory management, and customer service.
Financial Audits
Internal financial audits focus on the reliability of financial information, including management accounts, financial reports, and transactions. The risk framework borrows from external audit — financial statement assertions:
| Assertion | Description | Risk Example |
|---|---|---|
| Existence/Occurrence | Assets and transactions actually exist | Revenue recorded for fictitious sales |
| Completeness | All transactions are recorded | Liabilities omitted from the balance sheet |
| Accuracy/Valuation | Amounts are correctly calculated and recorded | Inventory valued above recoverable amount |
| Cutoff | Transactions recorded in the correct period | Revenue recognized in the wrong quarter |
| Classification/Presentation | Transactions properly classified and disclosed | Debt reclassified as equity |
| Rights and Obligations | Assets are owned and liabilities are owed | Leased assets reported as owned |
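The assertions above are the criteria; the tests an internal auditor actually scripts against a ledger extract are what turn them into evidence. The following is an added example, not code from the course notes or the textbook: three small analytics over a constructed sales ledger, each tied to the assertion it supports (sequence gaps for completeness, post-period shipments for cutoff, repeated invoice numbers for occurrence). The ledger rows, the invoice numbering scheme, the period labels and the column layout are all assumptions made for the illustration.

```python
# Added example (not from the course notes): three scripted tests over a sales
# ledger extract, each tied to the assertion it supports. The ledger rows, the
# invoice numbering scheme and the period labels are constructed assumptions.
from datetime import date

# Constructed extract: (invoice_no, shipment_date ISO, period_posted)
SALES_LEDGER = [
    (1001, "2024-03-28", "2024-Q1"),
    (1002, "2024-03-30", "2024-Q1"),
    (1004, "2024-03-31", "2024-Q1"),   # 1003 absent: possible unrecorded sale
    (1005, "2024-04-02", "2024-Q1"),   # shipped after period end but posted in Q1
    (1005, "2024-04-02", "2024-Q1"),   # same invoice twice: possible double-counting
    (1006, "2024-04-03", "2024-Q2"),
]


def sequence_gaps(ledger):
    """Completeness: invoice numbers missing from an otherwise unbroken sequence.
    A gap does not prove an unrecorded sale, but each one needs an explanation."""
    numbers = {row[0] for row in ledger}
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def cutoff_exceptions(ledger, period_end_iso, period_label):
    """Cutoff: invoices posted to the period although shipped after period end."""
    period_end = date.fromisoformat(period_end_iso)
    return sorted({row[0] for row in ledger
                   if row[2] == period_label and date.fromisoformat(row[1]) > period_end})


def duplicate_invoices(ledger):
    """Occurrence: invoice numbers that appear more than once in the extract."""
    seen, dups = set(), set()
    for row in ledger:
        if row[0] in seen:
            dups.add(row[0])
        seen.add(row[0])
    return sorted(dups)


def run_assertion_tests(ledger, period_end_iso, period_label):
    """Bundle the three tests so the exceptions can be carried to the workpapers."""
    return {
        "completeness_gaps": sequence_gaps(ledger),
        "cutoff_exceptions": cutoff_exceptions(ledger, period_end_iso, period_label),
        "occurrence_duplicates": duplicate_invoices(ledger),
    }


if __name__ == "__main__":
    print(run_assertion_tests(SALES_LEDGER, "2024-03-31", "2024-Q1"))
```

Each function returns the exception list rather than a verdict on purpose: an exception is a question for the process owner, and the auditor’s conclusion on the assertion comes only after the explanations are corroborated.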
Compliance Audits
Compliance audits assess adherence to applicable laws, regulations, internal policies, contractual obligations, and industry standards. Risk emphasis is on legal and regulatory requirements that carry sanctions, fines, or reputational consequences for non-compliance. Examples include anti-money laundering (AML) compliance, data privacy regulations (PIPEDA, GDPR), and environmental regulations.
IT Audits
IT audits evaluate technology risks — security, integrity, availability, and confidentiality of information systems. Risk emphasis differs from operational audits because technology risks are often latent (not visible to business users), systemic (a single failure can cascade across many processes), and highly technical. The COBIT framework is the primary reference for IT governance and control objectives.
Chapter 5: Information Technology Risks and IT Auditing
5.1 The IT Risk Landscape
The pervasive role of information technology means that IT risks are embedded in virtually every business process. An internal auditor reviewing any significant business process must understand the IT environment supporting that process — the systems, data flows, access controls, and change management practices.
Major Categories of IT Risk
Cybersecurity risks: Unauthorized access to systems or data, denial-of-service attacks, ransomware, phishing, social engineering, and insider threats. The financial, operational, and reputational consequences of cyber incidents have expanded dramatically as organizations depend more heavily on digital infrastructure and store ever-greater volumes of sensitive data.
System availability and continuity risks: Systems that are unavailable during critical periods — peak transaction times, quarter-end financial close, or emergency response — can disrupt operations materially. Business continuity plans (BCPs) and disaster recovery plans (DRPs) are key controls that internal audit may assess.
Data integrity risks: Inaccurate, incomplete, or unauthorized modifications to data undermine management information quality and financial reporting reliability. Poor data governance leads to incorrect decisions, customer dissatisfaction, and in financial reporting contexts, material misstatements.
Change management risks: Inadequately controlled changes to IT systems — software patches, configuration changes, development deployments — can introduce errors or vulnerabilities. Unauthorized or poorly tested changes have caused significant operational disruptions at major organizations.
Access management risks: Users with system permissions beyond the requirements of their current role represent both fraud risk (intentional misuse) and error risk (inadvertent misuse). Segregation of duties in IT — ensuring no single user can both create and approve transactions, or both program and operate systems — mirrors the segregation of duties principle in business processes.
5.2 IT General Controls (ITGCs)
IT General Controls (ITGCs) are controls that apply across the IT environment broadly, rather than to specific applications or transactions. They establish the foundation upon which the reliability of application-level controls depends. If general controls are weak, the reliability of application controls cannot be assumed — even if those controls appear to be functioning.
Key ITGC Domains
Logical Access Controls: Who can access which systems and data, and with what level of privilege?
- User provisioning and deprovisioning procedures
- Password policies and multi-factor authentication (MFA)
- Privileged access management (administrator accounts)
- Periodic user access reviews
- Segregation of duties in system access
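The periodic access review and the segregation-of-duties principle from Section 5.1 are usually tested the same way: pull the role assignments out of the system and run rules over them. The block below is an added example, not code from the course notes, the IIA or any ERP vendor. It flags users holding a conflicting pair of roles and privileged accounts that have gone unused; the role extract, the conflict matrix, the column layout and the 90-day dormancy threshold are all constructed assumptions.

```python
# Added example (not from the course notes or the IIA): a scripted user access
# review that flags segregation-of-duties (SoD) conflicts and dormant privileged
# accounts. The role extract, the conflict matrix, the 90-day threshold and the
# column layout are constructed assumptions, not a real system's export.
from datetime import date

# Constructed role-assignment extract, one row per (user, role):
# (user_id, role, last_login ISO date, is_admin)
USER_ROLES = [
    ("u001", "CREATE_VENDOR",   "2024-05-02", False),
    ("u001", "APPROVE_PAYMENT", "2024-05-02", False),
    ("u002", "ENTER_INVOICE",   "2024-04-28", False),
    ("u003", "DEVELOPER",       "2024-05-01", False),
    ("u003", "PROD_OPERATOR",   "2024-05-01", False),
    ("u004", "SYSADMIN",        "2023-09-15", True),   # admin, unused for months
    ("u005", "APPROVE_PAYMENT", "2024-05-03", False),
]

# Conflict matrix: role pairs no single person should hold (assumed ruleset).
SOD_CONFLICTS = {
    frozenset({"CREATE_VENDOR", "APPROVE_PAYMENT"}),  # create and pay a fictitious vendor
    frozenset({"ENTER_INVOICE", "APPROVE_PAYMENT"}),  # enter and approve the same invoice
    frozenset({"DEVELOPER", "PROD_OPERATOR"}),        # program and operate production
}


def roles_by_user(assignments):
    """Group role names by user id: {user_id: {role, ...}}."""
    grouped = {}
    for user, role, _last_login, _is_admin in assignments:
        grouped.setdefault(user, set()).add(role)
    return grouped


def sod_conflicts(assignments, conflicts=SOD_CONFLICTS):
    """Return {user_id: [(role_a, role_b), ...]} for every user holding a
    conflicting pair; an empty dict means no SoD exceptions to report."""
    findings = {}
    for user, roles in roles_by_user(assignments).items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            findings[user] = hits
    return findings


def stale_privileged_accounts(assignments, as_of_iso, max_idle_days=90):
    """Admin accounts not logged in within max_idle_days of the review date.
    A dormant privileged account is a deprovisioning failure and a standing
    risk, so it is reported even when no SoD rule fires."""
    as_of = date.fromisoformat(as_of_iso)
    stale = set()
    for user, _role, last_login, is_admin in assignments:
        idle_days = (as_of - date.fromisoformat(last_login)).days
        if is_admin and idle_days > max_idle_days:
            stale.add(user)
    return sorted(stale)


if __name__ == "__main__":
    for user, pairs in sod_conflicts(USER_ROLES).items():
        print(f"SoD conflict: {user} holds {pairs}")
    print("Dormant admin accounts:", stale_privileged_accounts(USER_ROLES, "2024-05-31"))
```

The conflict matrix is the control design; the script is only the operating-effectiveness test. An auditor would first assess whether the matrix itself is complete for the business (are all create/approve and develop/operate pairs in it?), then run it over the full population rather than a sample, since the cost of testing every row is nil.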
Change Management Controls: How are changes to IT systems authorized, tested, and implemented?
- Formal change request and approval workflows
- Testing procedures (unit testing, integration testing, user acceptance testing)
- Separation of development and production environments
- Emergency change procedures
- Change logs and post-implementation reviews
Computer Operations Controls: How are systems run day-to-day?
- Job scheduling and monitoring
- Backup and recovery procedures
- Incident and problem management
- Capacity and performance monitoring
System Development Life Cycle (SDLC) Controls: How are new systems and major enhancements developed?
- Requirements documentation and approval
- Security-by-design in new development
- Project governance and oversight
- Documentation standards
5.3 IT Application Controls
IT Application Controls are embedded within specific applications and govern individual transactions processed by those systems. Unlike general controls, application controls are specific to each system and each transaction type.
| Application Control Type | Description | Example |
|---|---|---|
| Input Controls | Validate data as it is entered | Vendor code must exist in approved vendor master file; invoice date cannot be future-dated |
| Processing Controls | Ensure transactions are processed completely and accurately | Three-way match (PO, receiving report, invoice) required before payment processing; batch totals reconciled after processing |
| Output Controls | Ensure outputs are complete, accurate, and delivered appropriately | Payment files reviewed and approved before transmission; reports distributed only to authorized recipients |
| Interface Controls | Ensure data transfers between systems are complete and accurate | Record counts and hash totals compared before and after file transfers; exceptions logged and investigated |
- Input control: When a buyer enters a purchase requisition, the system validates that the requested item's account code is an active, valid GL account. If not, the transaction is rejected with an error message.
- Processing control: Before generating a payment, the system automatically performs a three-way match — confirming that the purchase order quantity, the goods receipt quantity, and the vendor invoice quantity agree within a tolerance. If they do not match, the invoice is routed to the accounts payable supervisor for review.
- Output control: The payment file generated by the AP system is reviewed by the treasurer, who compares the file control total to the manually maintained payment log before releasing the file to the bank.
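The input, processing and interface controls described above, together with the duplicate-invoice check that appears in the risk-and-control matrix in Chapter 7, expressed as an added Python illustration (not code from the course notes or from any AP system); the master data, transactions and the 2% quantity tolerance are constructed assumptions.

```python
"""Automated application controls for a procure-to-pay application.

Added illustration, not code from the course notes or from any AP system:
the GL accounts, vendors, purchase order, goods receipt and invoice records
are constructed sample data, and the 2% quantity tolerance is an assumed
policy parameter.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed master data the controls validate against.
ACTIVE_GL_ACCOUNTS = {"6100-OFFICE", "6200-IT-HARDWARE", "1500-INVENTORY"}
APPROVED_VENDORS = {"V-1001", "V-1002"}
QUANTITY_TOLERANCE = 0.02  # assumed policy: quantities may differ by at most 2%


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_code: str
    gl_account: str
    quantity: int


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity: int


@dataclass(frozen=True)
class Invoice:
    po_number: str
    vendor_code: str
    invoice_number: str
    quantity: int
    amount: float


def validate_requisition(po: PurchaseOrder) -> list[str]:
    """Input control: a requisition is rejected unless its GL account is active
    and its vendor exists in the approved vendor master. Returns the errors."""
    errors = []
    if po.gl_account not in ACTIVE_GL_ACCOUNTS:
        errors.append(f"GL account {po.gl_account} is not an active account")
    if po.vendor_code not in APPROVED_VENDORS:
        errors.append(f"vendor {po.vendor_code} is not in the approved vendor master")
    return errors


def three_way_match(po: PurchaseOrder, receipt: GoodsReceipt, invoice: Invoice) -> str:
    """Processing control: PO, goods receipt and invoice must refer to the same
    order and agree on quantity within tolerance before payment is released.
    Anything else is routed to the AP supervisor rather than silently paid."""
    if not (po.po_number == receipt.po_number == invoice.po_number):
        return "ROUTE_TO_SUPERVISOR"
    if invoice.vendor_code != po.vendor_code:
        return "ROUTE_TO_SUPERVISOR"
    allowed = po.quantity * QUANTITY_TOLERANCE
    if abs(receipt.quantity - po.quantity) > allowed:
        return "ROUTE_TO_SUPERVISOR"
    if abs(invoice.quantity - po.quantity) > allowed:
        return "ROUTE_TO_SUPERVISOR"
    return "RELEASE"


def is_duplicate_invoice(invoice: Invoice, paid: set[tuple[str, str, float]]) -> bool:
    """Detective control: an invoice whose vendor, invoice number and amount all
    match an invoice already paid is flagged for supervisor review."""
    key = (invoice.vendor_code, invoice.invoice_number, round(invoice.amount, 2))
    return key in paid


def control_totals(records: list[str]) -> tuple[int, str]:
    """Interface control: the sending system computes a record count and a hash
    total over the payment file; the receiver recomputes both after transfer."""
    digest = hashlib.sha256()
    for record in records:
        digest.update(record.encode("utf-8") + b"\n")
    return len(records), digest.hexdigest()


def transfer_is_complete(sent_count: int, sent_hash: str, received: list[str]) -> bool:
    """True only if the received file has the same record count and hash total.
    A dropped, duplicated, reordered or altered record fails the comparison."""
    count, digest = control_totals(received)
    return count == sent_count and digest == sent_hash
```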
5.4 The COBIT Framework
COBIT (Control Objectives for Information and Related Technologies) is a framework developed by ISACA that provides a comprehensive model for IT governance and management. COBIT 2019 organizes IT governance into six domains covering the life cycle of IT: from planning and building systems to delivering, running, monitoring, and evaluating them.
COBIT is particularly useful for internal audit because it provides pre-defined governance and management objectives — specific statements of what good IT governance and management looks like. These objectives serve as the criteria for evaluating the current state of IT governance.
Key COBIT governance objectives relevant to IT audit:
- APO12 — Managed Risk: Integrate IT risk management with enterprise risk management; maintain a current IT risk profile.
- DSS05 — Managed Security Services: Protect enterprise information from unauthorized access; manage cybersecurity controls.
- BAI06 — Managed IT Changes: Manage all changes to IT in a controlled manner; prevent unauthorized changes.
- BAI09 — Managed Assets: Manage IT assets through their lifecycle; account for all assets.
5.5 Differences Between IT Audit and Operational Audit
While operational auditors focus on business process efficiency and effectiveness (for which IT is an enabling infrastructure), IT auditors focus specifically on technology risks:
| Dimension | Operational Audit | IT Audit |
|---|---|---|
| Primary focus | Business process efficiency, effectiveness, and compliance | Technology security, integrity, availability, and reliability |
| Key frameworks | COSO Internal Control Framework, industry-specific standards | COBIT, ISO 27001, NIST Cybersecurity Framework |
| Auditor skill set | Business process knowledge, accounting, policy analysis | Systems architecture, network security, database management, scripting |
| Evidence types | Transaction documents, approvals, reconciliations, interviews | System logs, configuration files, access reports, penetration test results |
| Control focus | Segregation of duties, authorization, reconciliation | Logical access, change management, encryption, incident response |
In practice, modern internal audits are increasingly integrated — operational auditors must understand the IT controls supporting the processes they review, and IT auditors must understand the business context of the systems they examine.
Chapter 6: Internal Control
6.1 What Is Internal Control?
Internal control is the process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories: operations, reporting, and compliance. This definition, from the COSO Internal Control — Integrated Framework, makes several important points:
- Control is a process — not an event, not a document, not a software system. It is the ongoing conduct of people and systems working according to designed procedures.
- Control is effected by people at all levels of the organization — not just the internal control department or compliance team. The first line of defense is people performing their jobs with appropriate controls built in.
- Control provides reasonable assurance — not absolute assurance. No system of internal control can guarantee the achievement of objectives because controls can be circumvented through collusion, management override, or simple human error.
- The three objective categories — operations, reporting, and compliance — mirror the scope of internal audit itself.
6.2 The COSO Internal Control — Integrated Framework
The COSO Internal Control — Integrated Framework (2013) is the dominant model for designing, evaluating, and communicating about internal control. It organizes internal control into five interrelated components:
| Component | Description |
|---|---|
| Control Environment | The tone and culture set by leadership; organizational structure; assignment of authority and responsibility; the Human Resources policies that shape people’s values and capabilities |
| Risk Assessment | The organization’s process for identifying and analyzing risks to achieving objectives — including the risk of fraud |
| Control Activities | The policies and procedures that ensure management directives are carried out; addresses what the organization does to mitigate risks |
| Information and Communication | Systems that support the identification, capture, and exchange of information needed to carry out control responsibilities |
| Monitoring Activities | Ongoing evaluations and separate evaluations to ascertain whether each of the five components is present and functioning |
The framework also identifies 17 principles — specific requirements that must be present and functioning for an organization to have an effective system of internal control. For example, Principle 10 states: “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.”
6.3 Types of Controls
Controls can be classified along multiple dimensions. Internal auditors must understand these classifications because they inform how controls are tested and how findings are framed.
By Objective
- Preventive controls: Designed to stop errors or irregularities from occurring in the first place. Examples: authorization requirements before a transaction proceeds; input validation rules in an IT system; segregation of duties preventing a single person from initiating and approving a payment.
- Detective controls: Designed to discover errors or irregularities that have already occurred. Examples: bank reconciliations; exception reports; management review of period-end results; physical inventory counts.
- Corrective controls: Designed to fix errors or irregularities once detected. Examples: error correction procedures; insurance; backup restoration procedures.
By Nature
- Manual controls: Performed by people. Examples: supervisor review and sign-off on journal entries; physical inspection of goods received.
- Automated controls: Embedded in IT systems and performed without human intervention. Examples: system validation of vendor codes; automated three-way match.
- IT-dependent manual controls: Performed by people but relying on IT-generated reports or outputs. Examples: a manager reviewing an automated exception report and investigating flagged items.
By Level
- Entity-level controls: Apply across the entire organization. Examples: the code of conduct, the internal audit function itself, financial reporting close procedures, disclosure controls.
- Process-level controls: Apply to specific business processes. Examples: the three-way match in procurement; payroll reconciliation procedures.
- Transaction-level controls: Apply to individual transactions. Examples: requiring dual authorization for payments above a threshold.
6.4 Control Design vs. Operating Effectiveness
A crucial distinction in internal audit practice is between the design of a control and its operating effectiveness.
An auditor evaluates design first — before investing time in operating effectiveness testing. If a control has a design deficiency, operating effectiveness testing is moot because even perfect operation of a poorly designed control will not adequately mitigate the risk.
Scenario: A company has a control requiring that all purchase orders above $10,000 receive dual authorization from two managers before issuance.
Design assessment: The auditor considers whether dual authorization is an appropriate control for the risk being addressed (unauthorized or excessive purchasing). If the risk is that a single manager could approve purchases for personal benefit, dual authorization is a well-designed preventive control — one person alone cannot authorize the purchase.
Operating effectiveness assessment: The auditor selects a sample of purchase orders above $10,000 from the period under review and inspects each for evidence of two distinct authorized signatures (or electronic approvals with timestamps). If 3 of 25 sampled POs have only one authorization, the control has a deviation rate of 12% — which may exceed the tolerable deviation rate and constitute a control deficiency.
6.5 Control Deficiencies and Their Severity
When internal audit identifies a control weakness, the finding must be characterized by its severity, which determines the urgency of remediation and the level of disclosure required.
Control Deficiency: A deficiency exists when a control is missing or not designed to reduce the risk of a misstatement in a financial statement assertion to an acceptable level, or when a control is not operating effectively enough to prevent or detect misstatements.
Significant Deficiency: A control deficiency, or a combination of control deficiencies, important enough to merit attention by those responsible for oversight of the organization’s internal control.
Material Weakness: A significant deficiency (or combination of significant deficiencies) that results in a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. Material weaknesses must be publicly disclosed under SOX Section 302/404 for public companies.
Chapter 7: The Internal Audit Engagement Process
7.1 The Audit Engagement Life Cycle
A complete internal audit engagement proceeds through four phases: planning, fieldwork, reporting, and follow-up. Each phase has specific objectives, activities, and deliverables.
| Phase | Key Activities | Primary Deliverables |
|---|---|---|
| Planning | Engagement objectives, scope definition, preliminary risk assessment, audit program design, resource assignment | Engagement planning memo, risk-and-control matrix, audit program |
| Fieldwork | Evidence gathering, control testing, documentation in working papers, preliminary finding development | Working papers, control testing results, draft findings |
| Reporting | Finding validation with management, draft report, management responses, final report issuance | Draft and final audit report |
| Follow-up | Tracking management remediation of agreed findings, reassessing residual risk | Follow-up workpapers, status report to audit committee |
7.2 Engagement Planning
Effective engagement planning begins well before auditors set foot in the business unit. The planning phase establishes the foundation for all subsequent work.
Establishing Engagement Objectives
Engagement objectives define what the audit is designed to achieve. They are directly derived from the risks identified for the auditable entity: each objective states the assurance the auditor will provide regarding whether key risks are adequately controlled.
- Objective 1: Payroll is processed only for active, authorized employees (completeness and existence).
- Objective 2: Employee pay rates and deductions reflect authorized HR records (accuracy).
- Objective 3: Payroll disbursements are made to the correct employees via authorized payment methods (validity).
- Objective 4: Payroll-related liabilities (source deductions, benefits) are accurately recorded and remitted on time (completeness, accuracy, cutoff).
Preliminary Risk Assessment
Before designing specific tests, auditors assess which areas within the engagement scope carry the greatest risk. This involves reviewing prior audit reports, incident history, turnover in key roles, system changes, regulatory developments, and the inherent nature of the activity.
The preliminary risk assessment determines where to concentrate audit effort and which controls are key — those whose failure would represent the greatest risk to the engagement objectives.
Developing the Risk-and-Control Matrix (RCM)
The risk-and-control matrix (also called a control matrix or risk register) is the central analytical document of an internal audit engagement. It maps process objectives to risks to controls to audit tests, creating a clear logical chain between risk and assurance.
| Process Objective | Risk | Control Description | Control Type | Control Owner | Audit Test |
|---|---|---|---|---|---|
| Only valid, authorized invoices are paid | Payment to fictitious or unauthorized vendors | Three-way match (PO, receiving report, invoice) must be completed before payment release; system enforces this automatically | Automated preventive | AP System / AP Supervisor | Inspect system configuration to confirm three-way match is enabled and cannot be bypassed; select sample of 25 invoices and confirm three-way match completed for each |
| Invoice amounts are accurately recorded | Duplicate payment of the same invoice | System performs duplicate invoice check on vendor + invoice number + amount before processing; duplicates flagged for AP supervisor review | Automated detective | AP System / AP Supervisor | Test system configuration of duplicate check; review exception log and confirm all flagged duplicates were investigated and resolved; select sample of vendor payments and check for duplicate payment |
| Payments are made only to authorized vendors | Payments to unauthorized or fictitious vendors | New vendors must be approved by Procurement Director before addition to vendor master file; vendor master changes require dual authorization and are logged | Manual preventive | Procurement Director | Select sample of new vendors added in the period; inspect approval documentation; inspect vendor master change log for unauthorized modifications |
Developing the Audit Program
The audit program is a detailed, step-by-step document specifying exactly which audit procedures will be performed, for what purpose, by whom, and when. Each step references the RCM — connecting the procedure back to the risk and control it addresses.
The audit program serves multiple functions:
- Quality assurance: Ensures engagement scope is fully covered and that each risk has at least one test.
- Staff guidance: Provides clear instructions to junior auditors performing fieldwork.
- Documentation: When completed with sign-offs and cross-references to working papers, the audit program documents the work performed.
- Supervisor review: Reviewers can verify that all programmed steps were completed and that results were appropriately addressed.
7.3 Fieldwork — Evidence Gathering and Testing
Types of Evidence
Evidence quality varies. Internal audit standards require that evidence be sufficient (enough of it) and appropriate (relevant and reliable). Auditors should obtain the strongest available evidence for each assertion.
| Evidence Type | Reliability | Examples |
|---|---|---|
| Physical evidence | High (if observed directly) | Physical inventory count; direct observation of process |
| Documentary evidence — external origin | High | Bank statements; third-party confirmations; supplier invoices |
| Documentary evidence — internal origin | Moderate-High | Approved purchase orders; signed reconciliations |
| Analytical evidence | Moderate | Trend analysis; ratio comparison to prior periods or benchmarks |
| Oral evidence (inquiry) | Low alone; supports other evidence | Management explanations; staff descriptions of procedures |
Evidence-Gathering Techniques
Inquiry: Interviewing process owners, operators, and management about how controls work and why. Provides important context but is insufficient alone — people describe how controls should work, not necessarily how they do work.
Observation: Watching a control being performed at the time of fieldwork. Provides direct evidence but is limited to the moment of observation — the auditor cannot conclude the control was performed the same way throughout the entire period under review.
Inspection of documentation: Reviewing records, documents, reports, and files that provide evidence of control performance. High reliability for evidence of whether a control was performed (signatures, timestamps) though less conclusive about quality of performance.
Reperformance: The auditor independently executes the control procedure (e.g., prepares the bank reconciliation independently and compares to management’s version) and compares the result to the control performer’s result. Provides the strongest evidence of operating effectiveness.
Data analytics: Using software tools to analyze entire populations of transactions rather than samples, identifying anomalies, outliers, or patterns inconsistent with expected behavior. Increasingly central to modern internal audit fieldwork.
Audit Sampling
When testing controls or transactions, internal auditors generally cannot examine every item in a population. Sampling allows conclusions about the entire population based on a subset.
Statistical sampling uses probability theory to express results in terms of quantified precision and confidence levels. Common methods include random sampling, systematic sampling, and monetary unit sampling (MUS).
Non-statistical (judgmental) sampling relies on auditor judgment to select items. While less rigorous statistically, it is appropriate when the population is small, when specific items of interest are known, or when cost constraints limit extensive sampling.
Sample size determinants for control testing:
- Desired confidence level (higher confidence → larger sample)
- Tolerable deviation rate (lower tolerance → larger sample)
- Expected population deviation rate (higher expected deviations → larger sample)
- Population size (only relevant for small populations)
A common internal audit heuristic: for high-reliance, low-tolerance control testing, sample 25–60 items; for moderate reliance, 15–25 items; for low reliance or infrequent controls, sample fewer items scaled to the number of times the control occurred during the period.
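The sample-size determinants listed above and the 3-of-25 dual-authorization evaluation from Section 6.4, worked through in Python as an added example (not from the course notes); it assumes a population large enough for the binomial model and a 10% tolerable deviation rate for that scenario.

```python
"""Attribute-sampling arithmetic for control testing.

Added example, not from the course notes: it implements the binomial model
that underlies published attribute-sampling tables, so the sample-size
determinants (confidence, tolerable rate, expected rate) can be seen
numerically, and it evaluates the 6.4 scenario of 3 deviations in 25
purchase orders. Assumptions: the population is large relative to the
sample (binomial rather than hypergeometric), and the 10% tolerable rate
used for that scenario is a planning value chosen here, not stated in the notes.
"""
from math import ceil, comb


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): probability of seeing at most k
    deviations in n items when the true population deviation rate is p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_rate: float, max_n: int = 5000) -> int:
    """Smallest n such that, if the true deviation rate were as high as the
    tolerable rate, observing no more than the expected number of deviations
    would occur with probability at most (1 - confidence). Higher confidence,
    a lower tolerable rate or a higher expected rate each push n upward."""
    if not 0.0 <= expected_rate < tolerable_rate < 1.0:
        raise ValueError("need 0 <= expected_rate < tolerable_rate < 1")
    for n in range(1, max_n + 1):
        # Plan for the deviations the auditor expects to find in this sample;
        # round() first so e.g. 100 * 0.01 does not ceil to 2 via float noise.
        expected_deviations = ceil(round(n * expected_rate, 9))
        if binomial_cdf(expected_deviations, n, tolerable_rate) <= 1.0 - confidence:
            return n
    raise ValueError(f"no sample size up to {max_n} satisfies the parameters")


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Achieved upper deviation limit: the highest population deviation rate
    still consistent, at the given confidence, with having observed this few
    deviations. Found by bisection, since the binomial tail falls as p rises."""
    if deviations >= n:
        return 1.0
    lo, hi = deviations / n, 1.0  # at the sample rate the tail exceeds 1 - confidence
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if binomial_cdf(deviations, n, mid) > 1.0 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_control_test(n: int, deviations: int, tolerable_rate: float,
                          confidence: float) -> dict:
    """Evaluate a completed test: the sample deviation rate alone is not the
    conclusion; reliance is supported only if the upper deviation limit
    stays within the tolerable rate."""
    udl = upper_deviation_limit(n, deviations, confidence)
    return {
        "sample_deviation_rate": deviations / n,
        "upper_deviation_limit": udl,
        "supports_reliance": udl <= tolerable_rate,
    }


if __name__ == "__main__":
    # Determinants in action: each change below increases the sample size.
    print(attribute_sample_size(0.90, 0.10, 0.00))  # 22: baseline
    print(attribute_sample_size(0.95, 0.10, 0.00))  # 29: higher confidence
    print(attribute_sample_size(0.95, 0.05, 0.00))  # 59: lower tolerable rate
    print(attribute_sample_size(0.95, 0.10, 0.01))  # 46: higher expected rate
    # The 6.4 scenario: 3 of 25 POs lacked dual authorization (12% sample rate).
    print(evaluate_control_test(25, 3, tolerable_rate=0.10, confidence=0.90))
```

The 12% sample rate understates the problem: at 90% confidence the population rate could be nearly 25%, which is why the scenario's 3 deviations cannot support reliance against a 10% tolerable rate.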
7.4 Working Papers and Documentation
Working papers (or workpapers) are the auditor’s records of work performed and evidence obtained. They form the basis for the audit report and demonstrate compliance with audit standards.
Characteristics of Effective Working Papers
- Complete: Sufficient detail to enable an experienced auditor who was not on the engagement to understand what was done, why it was done, and what was found.
- Clear: Organized, legible, and logically structured. Cross-referenced to the audit program and to other working papers.
- Accurate: All data, calculations, and quotes are correct.
- Appropriately detailed: Not so sparse as to be uninformative; not so verbose as to obscure conclusions.
- Signed and dated: Each working paper identifies the preparer, the reviewer, and the dates of preparation and review.
Working Paper Organization
A typical engagement working paper file includes:
- Planning documents: Engagement memo, preliminary risk assessment, scoping decisions, audit program.
- Process documentation: Flowcharts, narratives, RCMs documenting the audited process.
- Control testing workpapers: One workpaper per control tested, including the sample selection, results for each item, and a conclusion.
- Finding development workpapers: Documentation of each finding — condition observed, criteria applied, root cause analysis, evidence.
- Supervision and review: Sign-offs at each review level.
Working paper retention policies typically require internal audit files to be retained for five to seven years, depending on organizational policy and regulatory requirements.
7.5 Fraud Awareness in Internal Audit
The Auditor’s Responsibility Regarding Fraud
Internal auditors are not primarily responsible for detecting fraud — that is first-line management’s responsibility, supported by controls such as authorization, reconciliation, and physical safeguards. However, internal auditors must maintain professional skepticism and fraud awareness throughout all engagements. The IIA Standards require that internal auditors evaluate the potential for fraud in assessing risk and how the organization manages fraud risk.
The Fraud Triangle
The Fraud Triangle, developed by criminologist Donald Cressey, describes the conditions that enable most occupational fraud:
- Pressure (Incentive): A personal motivation to commit fraud — financial stress, gambling debts, performance targets, or greed.
- Opportunity: A weakness in controls that allows fraud to be committed without detection — lack of segregation of duties, inadequate supervision, system access vulnerabilities.
- Rationalization: A mental framework allowing the perpetrator to justify the behavior — "I'm just borrowing it," "They underpay me," "Everyone does this."
Common Fraud Schemes Relevant to Internal Audit
- Asset misappropriation: The most common form of occupational fraud. Includes employee theft of cash (skimming, larceny), fraudulent disbursements (fictitious vendors, payroll ghosts, expense reimbursement fraud), and theft of non-cash assets (inventory, intellectual property).
- Financial statement fraud: Deliberate misrepresentation of financial results — premature revenue recognition, capitalization of expenses, improper reserves. Less common but typically larger in financial impact.
- Corruption: Bribery, kickbacks, conflicts of interest, and bid rigging in procurement. The U.S. Foreign Corrupt Practices Act (FCPA) and Canada’s Corruption of Foreign Public Officials Act (CFPOA) create legal obligations to prevent and detect it.
Red Flags for Fraud
- Employees who never take vacations or refuse to allow others to cover their duties
- Employees living visibly beyond their apparent financial means
- Unusual journal entries — round numbers, unusual accounts, unusual timing (late Friday, period-end), unusual preparers
- Vendors with no physical address, PO boxes only, addresses matching employee addresses
- Missing or altered documentation; reluctance to provide requested documents
- Excessive voids and adjustments in point-of-sale or cash-handling processes
- Employees who are overly defensive or hostile about audit inquiries
- Unexplained reconciling items that persist without resolution
When fraud is suspected, internal audit should immediately escalate to the CAE, who in turn escalates to the audit committee and legal counsel. Internal auditors should not conduct fraud investigations independently — forensic investigations require specialized skills in evidence collection, legal proceedings, and chain-of-custody documentation.
Chapter 8: Risk-Based Audit Planning
8.1 The Audit Universe
The audit universe is a comprehensive inventory of all auditable entities within an organization — every distinct process, business unit, system, project, subsidiary, or function that could be subject to internal audit review. The audit universe is the starting point for risk-ranking and coverage planning.
Building the audit universe requires:
- Process decomposition: Mapping the organization’s key business processes (procure-to-pay, order-to-cash, hire-to-retire, financial close, IT operations, etc.).
- Organizational structure: Identifying business units, divisions, subsidiaries, and geographic locations.
- Systems inventory: Cataloguing significant IT systems and their associated risks.
- Project and initiative register: Capturing significant change projects that represent elevated risk (system implementations, restructurings, mergers).
The audit universe typically contains dozens to hundreds of entries, far more than can be covered in a single year’s audit plan. The risk-ranking process determines which entries receive audit coverage and when.
8.2 Risk-Ranking Methodology
Each auditable entity in the universe is scored on multiple risk factors to produce a relative risk rating. Higher-rated entities receive priority in the annual plan. Common risk factors include:
| Risk Factor | Description |
|---|---|
| Inherent risk exposure | The nature of the activity — financial materiality, regulatory requirements, complexity, transaction volume |
| Time since last audit | Entities not recently reviewed carry higher risk of undetected issues |
| Change and disruption | Recent system implementations, reorganizations, new products, or leadership changes elevate risk |
| Management’s risk assessment | ERM outputs identifying this entity as high-risk |
| Audit committee or management requests | Specific areas of concern raised by governance |
| Regulatory requirements | Mandated coverage frequencies (e.g., SOX scope entities must be covered on a rotation) |
| Prior audit findings | Entities with unresolved or repeat findings carry elevated risk |
The scoring methodology should be documented and applied consistently. Results are reviewed and challenged by the CAE, who exercises professional judgment to adjust rankings and finalize the plan.
8.3 The Annual Audit Plan
The annual audit plan is the CAE’s primary planning document — specifying which engagements will be performed during the year, their timing, duration, and resource requirements. It is presented to the audit committee for approval before the year begins, and updated during the year as risk profiles change.
The audit plan should:
- Cover the highest-risk areas in the audit universe with appropriate frequency.
- Balance assurance engagements (the core mandate) with consulting engagements (advisory work requested by management).
- Reflect available internal audit resources (staff headcount, co-source arrangements, technology tools).
- Include a contingency reserve for unplanned engagements that arise during the year (emerging risks, management requests, regulatory inquiries).
Audit committee approval of the plan is essential to independence. If management had unilateral authority to determine what internal audit reviews, internal audit could not provide objective assurance about management activities. The audit committee, as the board’s representative, provides the governance oversight that insulates the audit plan from management manipulation.
Dynamic Updating of the Audit Plan
A risk-based audit plan is not static. As the organizational risk profile changes throughout the year — new acquisitions, emerging regulatory issues, significant operational disruptions — the CAE should reassess and update the plan accordingly. Material changes to the plan should be communicated to and approved by the audit committee.
Chapter 9: Reporting Audit Findings
9.1 The Internal Audit Report
The internal audit report is the primary deliverable of an assurance engagement — the formal document through which the IAF communicates its findings, conclusions, and recommendations to stakeholders. Effective reporting is one of the most critical professional skills of a senior internal auditor.
IIA Standards require that audit communications be:
- Accurate: Correctly stated facts, evidence, and conclusions.
- Objective: Free from bias; presenting a balanced view of strengths and weaknesses.
- Clear: Understandable to the intended audience without unnecessary technical jargon.
- Concise: Focused on what matters; free of irrelevant detail that dilutes impact.
- Constructive: Recommendations are practical, actionable, and cost-effective.
- Complete: All significant findings are included; nothing material is omitted.
- Timely: Issued promptly after fieldwork so findings remain relevant and corrective actions can be implemented.
9.2 Anatomy of an Audit Finding
A complete, professional audit finding contains four essential elements — often remembered by the acronym CCCC or as the 4Cs:
- Condition: What is — the factual situation observed during the audit. Based on evidence, not opinion. Specific and quantified where possible ("In 8 of 25 sampled transactions…").
- Criteria: What should be — the standard, policy, regulation, or expectation against which the condition is compared. The source of criteria must be authoritative (IIA Standards, company policy, applicable law).
- Cause: Why the gap between condition and criteria exists — the root cause of the deviation. This is analytically the most challenging element and the most important for effective remediation.
- Consequence: What is the risk or impact of the condition — what could happen, or has happened, as a result of the gap. Quantified where possible; tied to organizational objectives.
Condition: During our review of vendor master file access controls for the period January 1 – December 31, 2024, we identified that 12 of 47 users with edit access to the vendor master file are no longer in roles requiring such access — three have transferred to other departments and nine have access levels inconsistent with their current job responsibilities. Additionally, user access was not reviewed on a periodic basis during the year; the last formal access review was conducted in Q4 2022.
Criteria: Per the company's Information Security Policy (Section 4.2), system access should be provisioned on a least-privilege basis and reviewed at least annually. Access rights should be removed or adjusted within five business days of a role change.
Cause: There is no automated process linking HR role changes to vendor master access provisioning. The Accounts Payable Manager, who is responsible for user access reviews, has not received formal training on the access review process, and the annual review cadence was not included in the AP function's formal control calendar.
Consequence: Inappropriate access to the vendor master file creates a significant risk that fictitious vendors could be added or existing vendor banking details modified, enabling fraudulent payments. Based on annual AP disbursements of $45 million, even a small number of fraudulent payments could result in material financial losses. Additionally, the company may be non-compliant with its Information Security Policy and applicable vendor payment controls expected by external auditors.
Recommendation:
- Management should immediately review and remediate all 12 identified access exceptions, revoking or adjusting access as appropriate.
- The AP Manager should establish a quarterly user access review process and document results in a formal log.
- IT and HR should work together to implement an automated notification workflow linking HR role changes to AP system access provisioning triggers.
- Annual training on access management should be incorporated into the AP team's onboarding and recertification process.
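An added Python example (not from the course notes) of automating the periodic access review whose absence this finding reports: it reconciles vendor master edit rights against the HR roster and checks the review cadence. The permitted roles and departments, the calendar-day approximation of the five-business-day window, and every user, role and date are constructed assumptions.

```python
"""Periodic user access review for vendor master edit rights.

Added example, not from the course notes: it automates the review whose
absence the 9.2 finding describes, reconciling the application's access list
against the HR roster. The role and department entitlement policy is assumed,
the five-business-day removal window from Policy Section 4.2 is approximated
as calendar days, and every user, role and date is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

ENTITLEMENT = "VENDOR_MASTER_EDIT"
# Assumed least-privilege policy: which roles and departments may hold edit rights.
PERMITTED_ROLES = {"AP Specialist", "AP Manager", "Procurement Director"}
PERMITTED_DEPARTMENTS = {"Accounts Payable", "Procurement"}
REVIEW_INTERVAL_DAYS = 365     # criteria: access reviewed at least annually
ROLE_CHANGE_WINDOW_DAYS = 5    # criteria: adjusted within five business days (calendar here)


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    department: str
    role: str
    status: str            # "active" or "terminated"
    role_effective: date   # when the user's current role took effect


@dataclass(frozen=True)
class AccessEntry:
    user_id: str
    entitlement: str


def review_vendor_master_access(access: list[AccessEntry], hr: list[HrRecord],
                                as_of: date, last_review: date) -> dict:
    """Flag every holder of vendor master edit rights whose HR record no longer
    supports that access, and report whether the review cadence itself has lapsed."""
    hr_by_id = {r.user_id: r for r in hr}
    exceptions: list[tuple[str, str]] = []
    for entry in access:
        if entry.entitlement != ENTITLEMENT:
            continue
        rec = hr_by_id.get(entry.user_id)
        if rec is None or rec.status != "active":
            exceptions.append((entry.user_id, "NO_ACTIVE_HR_RECORD"))
            continue
        if rec.department not in PERMITTED_DEPARTMENTS:
            kind = "TRANSFERRED_OUT_OF_DEPARTMENT"
        elif rec.role not in PERMITTED_ROLES:
            kind = "ROLE_DOES_NOT_REQUIRE_ACCESS"
        else:
            continue  # access is consistent with the user's current role
        # A role change still inside the removal window is not yet a deviation.
        if (as_of - rec.role_effective).days <= ROLE_CHANGE_WINDOW_DAYS:
            continue
        exceptions.append((entry.user_id, kind))
    days_since_review = (as_of - last_review).days
    return {
        "exceptions": exceptions,
        "days_since_last_review": days_since_review,
        "review_overdue": days_since_review > REVIEW_INTERVAL_DAYS,
    }


# Constructed sample data mirroring the finding's exception types.
SAMPLE_HR = [
    HrRecord("u100", "Accounts Payable", "AP Specialist", "active", date(2021, 3, 1)),
    HrRecord("u101", "Accounts Payable", "AP Manager", "active", date(2020, 7, 15)),
    HrRecord("u102", "Marketing", "Marketing Analyst", "active", date(2024, 2, 15)),
    HrRecord("u103", "Accounts Payable", "AP Clerk", "active", date(2023, 6, 1)),
    HrRecord("u104", "Accounts Payable", "AP Specialist", "terminated", date(2019, 1, 7)),
    HrRecord("u105", "Procurement", "Procurement Director", "active", date(2018, 9, 3)),
    HrRecord("u106", "Logistics", "Warehouse Supervisor", "active", date(2024, 12, 28)),
]
SAMPLE_ACCESS = [AccessEntry(u, ENTITLEMENT) for u in
                 ["u100", "u101", "u102", "u103", "u104", "u105", "u106"]]
SAMPLE_ACCESS.append(AccessEntry("u107", "VENDOR_MASTER_READ"))  # read-only: out of scope


if __name__ == "__main__":
    result = review_vendor_master_access(SAMPLE_ACCESS, SAMPLE_HR,
                                         as_of=date(2024, 12, 31),
                                         last_review=date(2022, 11, 15))
    for user_id, kind in result["exceptions"]:
        print(f"{user_id}: {kind}")
    print("review overdue:", result["review_overdue"])
```

Run quarterly against exported access and HR data, the exception list becomes the review log the recommendation asks for, and the overdue flag catches a lapsed cadence before an auditor does.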
9.3 Overall Audit Opinion and Report Structure
Many internal audit functions include an overall audit opinion summarizing the general state of internal control for the area reviewed. Common rating scales include:
- Satisfactory / Effective: Controls are adequate; no significant or material deficiencies noted.
- Needs Improvement: Controls are generally adequate but some gaps require remediation; residual risk is above acceptable levels for specific areas.
- Unsatisfactory / Ineffective: Multiple significant deficiencies or material weaknesses observed; control environment is not adequate to mitigate key risks.
A typical audit report structure:
- Report header: Audit title, entity, period covered, report date, distribution list.
- Executive summary: Brief overview of objectives, scope, and overall opinion — designed for senior leadership who may not read the full report.
- Background: Description of the audited activity, organizational context, and why it was selected for audit.
- Objectives and scope: The specific assurance objectives and boundaries of the engagement.
- Methodology: High-level description of audit approach and procedures performed.
- Findings and recommendations: Detailed presentation of each finding in 4C format with management response.
- Appendices: As needed — detailed testing results, organizational charts, glossary of terms.
9.4 The Validation Process and Management Responses
Before the final report is issued, internal audit validates draft findings with the responsible management. This process:
- Corrects factual errors: Auditors may have misunderstood process details; management can provide clarifying information.
- Ensures context is complete: Management may identify mitigating controls or circumstances the auditor was not aware of.
- Elicits management responses: Management commits to specific remediation actions with target completion dates and identified owners.
Management responses are incorporated into the final report verbatim or in summary form. If management disagrees with a finding, the disagreement — and internal audit’s position on it — should be documented in the report. Significant disagreements may be escalated to the audit committee.
Chapter 10: Quality Assurance and Improvement Program (QAIP)
10.1 What Is the QAIP?
The IIA Standards require that the CAE develop and maintain a quality assurance and improvement program (QAIP) designed to enable an evaluation of the IAF’s conformance with the Standards and an assessment of whether internal auditors apply the Code of Ethics. The QAIP also assesses the efficiency and effectiveness of the IAF and identifies opportunities for improvement.
The QAIP consists of both internal assessments and external assessments.
10.2 Internal Assessments
Internal assessments encompass two activities:
Ongoing monitoring: Supervision of individual engagements throughout the audit life cycle. Senior auditors review working papers before report issuance; the CAE reviews the overall engagement package. Findings from ongoing monitoring are addressed in real time.
Periodic self-assessments: Conducted by the CAE (or designated senior staff) to assess the IAF’s overall performance against the Standards. Typically performed annually. The self-assessment considers: whether the audit plan covers the highest-risk areas, whether engagement objectives are achieved, whether reports are timely and of high quality, whether staff competencies are adequate, and whether the IAF is properly resourced.
10.3 External Quality Assessments
External quality assessments (EQAs) are independent reviews of the IAF. The IIA Standards require that an EQA be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization; a self-assessment with independent external validation is an accepted alternative form.
The external assessor evaluates:
- Conformance with the IIA Standards and Code of Ethics.
- Adequacy of the IAF’s charter, independence, and authority.
- Quality of the risk-based audit planning process.
- Effectiveness of engagement planning, execution, and reporting.
- Adequacy of the QAIP itself.
- Overall value delivered to the organization.
The external assessor issues a formal report with one of three conclusions:
- Generally Conforms: The IAF is in conformance with the Standards. The most favorable rating.
- Partially Conforms: The IAF has a number of deficiencies in conformance.
- Does Not Conform: The IAF has significant and pervasive deficiencies.
QAIP results — including any identified non-conformances and the external assessment conclusions — must be communicated to senior management and the audit committee.
10.4 Continuous Improvement
The QAIP is not a compliance exercise — it is a continuous improvement tool. Results from both internal and external assessments should drive specific improvements to the IAF’s methodology, staffing, technology, and reporting. A mature QAIP includes:
- Tracking of improvement initiatives from prior assessments.
- Benchmarking against peer organizations and industry best practices.
- Integration of new professional standards as they are issued.
- Regular discussion of QAIP results at the audit committee level.
Chapter 11: The Evolving Internal Audit Function
11.1 Data Analytics in Internal Audit
Data analytics is one of the most transformative developments in internal audit practice of the past decade. Rather than testing samples of 25–60 transactions and inferring conclusions about the population, analytics tools allow auditors to examine entire transaction populations — identifying anomalies, patterns, and outliers that statistical sampling could easily miss.
Common Data Analytics Applications in Internal Audit
- Benford’s Law analysis: Tests whether the distribution of leading digits in numerical datasets (transaction amounts, journal entries) follows the naturally occurring distribution described by Benford’s Law. Significant deviations may indicate manipulation or data entry error.
- Duplicate payment detection: Systematically comparing all invoices within a period on vendor, amount, date, and invoice number to identify potential duplicates across the entire population.
- Journal entry analysis: Analyzing all journal entries for anomalies — entries by unusual preparers, entries at unusual times (weekends, holidays), entries with round numbers, entries with unusual account combinations.
- Access rights analysis: Comparing current user access permissions against job descriptions or role profiles to identify segregation-of-duties conflicts or access anomalies across the full user population.
- Continuous monitoring: Embedding analytics routines that run automatically against transaction systems on a scheduled basis, generating exception reports for management or internal audit review.
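The following Python routine is an added worked example, not code from Sawyer's or the course notes. It implements two of the applications listed above over constructed data: a first-digit Benford test that scores the population with a mean absolute deviation (MAD) against the expected distribution, using Nigrini's published first-digit cut-offs, and a full-population duplicate-payment test that normalises invoice numbers before comparing them so that "INV-001234" and "inv 1234" are recognised as the same invoice. The thresholds, the seven-day window, the vendor IDs and the sample amounts are assumptions chosen for illustration.

```python
import math
import re
from collections import defaultdict
from datetime import date

# Benford's expected proportion for each leading digit: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """First significant digit of a non-zero amount, or None for zero/NaN."""
    if not amount or amount != amount:
        return None
    # Scientific notation puts the leading significant digit first,
    # so 0.045 -> "4.5000000000e-02" -> 4 and 4500.0 -> 4 alike.
    return int(f"{abs(amount):.10e}"[0])


def benford_first_digit(amounts):
    """Compare observed first-digit proportions with Benford's expectation.
    Returns (observed proportions, mean absolute deviation, conformity label).
    MAD cut-offs follow Nigrini's first-digit guidance (assumption: the
    engagement has not set its own thresholds)."""
    counts = defaultdict(int)
    n = 0
    for a in amounts:
        d = first_digit(a)
        if d is not None:
            counts[d] += 1
            n += 1
    if n == 0:
        return {}, None, "no data"
    observed = {d: counts[d] / n for d in range(1, 10)}
    mad = sum(abs(observed[d] - BENFORD[d]) for d in range(1, 10)) / 9
    if mad < 0.006:
        label = "close conformity"
    elif mad < 0.012:
        label = "acceptable conformity"
    elif mad < 0.015:
        label = "marginal conformity"
    else:
        label = "nonconformity"
    return observed, mad, label


def normalize_invoice(invoice_no):
    """Canonical invoice number: drop punctuation/spaces, upper-case, and strip
    leading zeros from each digit run, so 'INV-001234' == 'inv 1234'."""
    s = re.sub(r"[^A-Z0-9]", "", invoice_no.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)


def find_duplicate_payments(invoices, window_days=7):
    """Full-population duplicate test over invoice dicts
    (keys: vendor, invoice_no, amount, inv_date).
    Rule A: same vendor and same normalised invoice number.
    Rule B: same vendor and amount, different invoice number, dated within
            window_days of each other (a re-keyed or re-submitted invoice).
    Returns (rule, (index, ...)) tuples that refer to the input list."""
    flags = []
    by_number = defaultdict(list)
    for i, inv in enumerate(invoices):
        by_number[(inv["vendor"], normalize_invoice(inv["invoice_no"]))].append(i)
    for idx in by_number.values():
        if len(idx) > 1:
            flags.append(("same_invoice_number", tuple(idx)))
    by_amount = defaultdict(list)
    for i, inv in enumerate(invoices):
        by_amount[(inv["vendor"], round(inv["amount"], 2))].append(i)
    for idx in by_amount.values():
        idx.sort(key=lambda i: invoices[i]["inv_date"])
        for a, b in zip(idx, idx[1:]):
            ia, ib = invoices[a], invoices[b]
            same_number = normalize_invoice(ia["invoice_no"]) == normalize_invoice(ib["invoice_no"])
            if not same_number and (ib["inv_date"] - ia["inv_date"]).days <= window_days:
                flags.append(("same_amount_within_window", (a, b)))
    return flags


# Constructed data. LOG_UNIFORM spreads 1,000 amounts evenly (in log space)
# across three orders of magnitude, which is Benford-conforming by construction;
# FABRICATED imitates amounts keyed just under a $10,000 approval limit.
LOG_UNIFORM = [10 ** (3 * i / 1000) for i in range(1000)]
FABRICATED = [9000.0 + i for i in range(100)]

SAMPLE_INVOICES = [  # constructed AP sub-ledger extract
    {"vendor": "V100", "invoice_no": "INV-001234", "amount": 4500.00, "inv_date": date(2024, 3, 1)},
    {"vendor": "V100", "invoice_no": "inv 1234", "amount": 4500.00, "inv_date": date(2024, 3, 15)},
    {"vendor": "V200", "invoice_no": "A-77", "amount": 1200.50, "inv_date": date(2024, 3, 4)},
    {"vendor": "V200", "invoice_no": "A-78", "amount": 1200.50, "inv_date": date(2024, 3, 6)},
    {"vendor": "V300", "invoice_no": "9001", "amount": 310.00, "inv_date": date(2024, 3, 9)},
    {"vendor": "V300", "invoice_no": "9002", "amount": 310.00, "inv_date": date(2024, 4, 30)},
]

if __name__ == "__main__":
    for name, data in (("log-uniform", LOG_UNIFORM), ("fabricated", FABRICATED)):
        _, mad, label = benford_first_digit(data)
        print(f"{name}: MAD={mad:.4f} -> {label}")
    for rule, idx in find_duplicate_payments(SAMPLE_INVOICES):
        print(rule, [SAMPLE_INVOICES[i]["invoice_no"] for i in idx])
```

Two practitioner caveats the code makes visible: Benford only applies to populations that span several orders of magnitude and are not capped or assigned (invoice sequence numbers, prices fixed by a price list, and amounts clustered under an approval threshold all fail it for reasons unrelated to fraud), and the duplicate test is only as good as its normalisation, which is why the raw invoice number is never compared directly.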
Tools and Technologies
Common tools used in internal audit analytics include:
- ACL Analytics (Galvanize/Diligent): Purpose-built audit analytics software with built-in audit routines for data import, cleansing, and analysis.
- IDEA (CaseWare): Similar audit analytics platform widely used in Canadian public accounting and internal audit.
- Python and R: Programming languages increasingly used by data-savvy internal auditors for custom analysis, visualization, and machine learning applications.
- Power BI / Tableau: Business intelligence tools used to visualize audit data and build dashboards for continuous monitoring.
11.2 Agile Auditing
Traditional internal audit methodology follows a linear, sequential process: plan the entire engagement, execute fieldwork, draft the report, issue the report — often over a period of two to four months. By the time findings are reported, the business environment may have shifted and the urgency of some issues may have diminished.
Agile internal audit adapts principles from agile software development — particularly the concepts of iterative delivery, short cycles (sprints), and continuous stakeholder feedback — to the internal audit process.
Key Principles of Agile Auditing
- Short sprint cycles: Rather than a single 12-week engagement, auditors work in 2–4 week sprints, delivering interim results at each sprint’s end.
- Continuous stakeholder communication: Instead of a single formal report at the end, internal audit shares findings with management as they are developed — allowing early remediation and real-time risk management.
- Scope flexibility: The audit scope can be adjusted mid-engagement based on findings. If a sprint reveals an unexpected risk area, the team can pivot to investigate rather than rigidly completing the original program.
- Prioritized backlog: Like a product backlog in software development, the audit backlog prioritizes the most important risk areas and control tests, ensuring that the highest-risk items are addressed first.
Agile Auditing Considerations
Agile auditing is not universally applicable. Regulatory or compliance-driven engagements (SOX, AML) may require predefined scope and documentation standards that do not accommodate agility. Additionally, the informal communication style of agile methods must be balanced against the formal documentation requirements of the Standards.
11.3 ESG Assurance and Internal Audit
Environmental, Social, and Governance (ESG) reporting has become a major priority for organizations responding to investor, regulatory, and societal pressure to disclose non-financial performance. As ESG reporting frameworks mature — IFRS Sustainability Disclosure Standards (ISSB), GRI Standards, SASB Standards, TCFD recommendations — the demand for independent assurance over ESG data has grown significantly.
Internal Audit’s Role in ESG
Internal audit is increasingly being called upon to:
- Assure ESG data quality: Evaluate the controls over ESG data collection, aggregation, and reporting — do the data accurately reflect organizational performance?
- Evaluate ESG governance: Assess whether the board and management have appropriate structures, oversight, and accountability for ESG commitments.
- Assess ESG risk management: Determine whether climate risk, human rights risk, and other ESG-related risks are identified, assessed, and managed consistently with the organization’s risk management framework.
- Review ESG disclosures: Confirm that ESG disclosures in annual reports and sustainability reports are accurate, complete, and consistent with underlying data.
Key ESG Audit Challenges
- Data maturity: ESG data collection processes are often less mature than financial data processes — relying on manual spreadsheets, estimates, and inconsistent measurement methodologies.
- Multiple frameworks: Organizations may report under multiple, partially overlapping ESG frameworks simultaneously — GRI, SASB, TCFD, and ISSB — creating complexity in scope definition.
- Subject matter expertise: Effective ESG audit requires specialized knowledge of greenhouse gas accounting, supply chain human rights standards, and ESG rating methodologies that internal auditors may not possess without co-sourcing.
11.4 Continuous Auditing and Real-Time Assurance
Continuous auditing involves using technology to monitor transaction populations and control performance in real time or near-real time, rather than at periodic intervals. It represents a fundamental shift in the timing and frequency of internal audit work.
In a continuous auditing model:
- Analytics routines run automatically against production systems on a scheduled basis (daily, weekly, monthly).
- Exceptions are generated automatically and routed to internal audit or management for investigation.
- Internal auditors shift focus from sample-based testing to exception investigation and root cause analysis.
- The audit committee receives more frequent, more timely assurance signals — rather than point-in-time reports months after the fact.
Continuous auditing works best in high-volume transaction environments (accounts payable, payroll, procurement) where large populations and clear control criteria make automated exception identification practical.
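The Python routine below is an added example, not code from the course notes or Sawyer's, that ties the access-rights analysis application from 11.1 to the continuous auditing model described here. It reconciles the full population of AP system grants against an HR roster as of a run date, raising one exception per rule breach (terminated user still provisioned, account with no HR record, role outside the job's profile, segregation-of-duties conflict), and then applies the delta step a scheduled routine needs so that a weekly run routes only exceptions not already open with management. The role profile, SoD matrix, user IDs, dates and rule names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Role pairs that must never sit with one user (constructed SoD matrix).
SOD_CONFLICTS = [
    frozenset({"AP_VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"}),
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
]
# Roles each HR job title is entitled to (constructed role profile).
ROLE_PROFILE = {
    "AP Clerk": {"AP_INVOICE_ENTRY", "AP_INQUIRY"},
    "AP Manager": {"AP_PAYMENT_RELEASE", "AP_INQUIRY"},
    "Vendor Master Analyst": {"AP_VENDOR_MAINTAIN", "AP_INQUIRY"},
}


def _exception(rule, user, detail):
    return {"rule": rule, "user": user, "detail": detail}


def review_access(hr_roster, access_grants, as_of):
    """Compare every system grant with the HR roster as of a run date.
    hr_roster: {user_id: {"job": str, "term_date": date or None}}
    access_grants: iterable of (user_id, role) pairs exported from the AP system
    Returns one exception dict per rule breach, sorted for stable reporting."""
    roles_by_user = defaultdict(set)
    for user, role in access_grants:
        roles_by_user[user].add(role)
    exceptions = []
    for user, roles in roles_by_user.items():
        hr = hr_roster.get(user)
        if hr is None:
            # Account with no HR record: leaver purged from HR, or a shared/service ID
            exceptions.append(_exception("ORPHAN_ACCOUNT", user, ",".join(sorted(roles))))
        elif hr["term_date"] is not None and hr["term_date"] <= as_of:
            exceptions.append(_exception("TERMINATED_WITH_ACCESS", user, ",".join(sorted(roles))))
        else:
            # Roles beyond what the current job entitles: typical after a role change
            extra = roles - ROLE_PROFILE.get(hr["job"], set())
            if extra:
                exceptions.append(_exception("ROLE_NOT_IN_PROFILE", user, ",".join(sorted(extra))))
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                exceptions.append(_exception("SOD_CONFLICT", user, ",".join(sorted(pair))))
    return sorted(exceptions, key=lambda e: (e["user"], e["rule"]))


def new_exceptions(current, previously_reported):
    """Continuous-monitoring delta: route only exceptions not already open,
    so a scheduled run does not re-raise items management is remediating."""
    seen = {(e["rule"], e["user"], e["detail"]) for e in previously_reported}
    return [e for e in current if (e["rule"], e["user"], e["detail"]) not in seen]


# Constructed sample: a terminated analyst still provisioned, a manager who
# kept vendor-maintenance rights after a role change (and therefore also holds
# an SoD conflict), and an account with no HR record at all.
AS_OF = date(2024, 3, 31)
HR_ROSTER = {
    "u100": {"job": "AP Clerk", "term_date": None},
    "u200": {"job": "AP Manager", "term_date": None},
    "u300": {"job": "Vendor Master Analyst", "term_date": date(2024, 2, 15)},
}
ACCESS_GRANTS = [
    ("u100", "AP_INVOICE_ENTRY"), ("u100", "AP_INQUIRY"),
    ("u200", "AP_PAYMENT_RELEASE"), ("u200", "AP_INQUIRY"), ("u200", "AP_VENDOR_MAINTAIN"),
    ("u300", "AP_VENDOR_MAINTAIN"),
    ("u900", "AP_INQUIRY"),
]


def run_review(as_of=AS_OF):
    """One scheduled run over the constructed population."""
    return review_access(HR_ROSTER, ACCESS_GRANTS, as_of)


if __name__ == "__main__":
    this_run = run_review()
    for e in this_run:
        print(e["rule"], e["user"], e["detail"])
    # Next scheduled run: same grants, u300 was already reported last time.
    already_open = [e for e in this_run if e["user"] == "u300"]
    print(len(new_exceptions(this_run, already_open)), "new exception(s) to route")
```

The as-of date matters: the same grants produce no termination exception when the routine is run before the termination date, which is why each run records the date it evaluated against. Tying the ROLE_NOT_IN_PROFILE rule to an HR job feed is the automated link between HR role changes and provisioning that the vendor master finding in Chapter 9 recommended.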
11.5 Internal Audit and Emerging Technologies
As organizations adopt transformative technologies — artificial intelligence, robotic process automation, blockchain, and cloud computing — internal audit must develop competency in auditing these environments.
Artificial Intelligence (AI) and Machine Learning (ML): AI systems introduce new risks — model bias, lack of interpretability, training data quality, and unauthorized model changes. Auditing AI requires understanding model governance frameworks, validation processes, and monitoring of model performance over time.
Robotic Process Automation (RPA): Software robots that execute routine business processes create new control considerations — bots are not subject to traditional human controls (authorization, segregation of duties) and must be governed through bot management platforms and change management controls.
Cloud Computing: Cloud migrations shift infrastructure control from internal IT teams to third-party providers. Internal audit must understand the shared responsibility model (who controls what in the cloud), evaluate third-party assurance reports (SOC 1, SOC 2), and assess how data residency and access controls apply in cloud environments.
Blockchain: Distributed ledger technologies are used in supply chain provenance, financial transactions, and smart contracts. Internal audit considerations include the immutability of blockchain records (which prevents error correction as well as fraud), the governance of smart contract code, and the security of private cryptographic keys.
Chapter 12: Integration and Application
12.1 Connecting the Concepts — The Internal Audit Value Chain
All of the concepts covered in AFM 452 connect in a logical chain that explains how internal audit creates value:
- The organization sets objectives (strategic, operational, reporting, compliance).
- Risks to those objectives are identified through enterprise risk management and process-level risk assessment.
- Management implements internal controls to mitigate risks to within risk appetite.
- Internal audit, operating under the IPPF with independence and objectivity, performs a risk-based audit plan — testing whether controls are adequately designed and operating effectively.
- Findings are reported to management and the audit committee, with root-cause analysis and practical recommendations.
- Management remediates findings; internal audit follows up to confirm remediation.
- The QAIP ensures internal audit itself is continuously improving.
- The audit committee uses internal audit’s assurance to fulfill its governance oversight responsibilities.
12.2 Internal Audit in Regulated Industries
Regulated industries face specific internal audit requirements that go beyond the IIA Standards:
Banking: The Office of the Superintendent of Financial Institutions (OSFI) in Canada — and the Federal Reserve, OCC, and FDIC in the U.S. — establish specific expectations for bank internal audit functions, including coverage of credit risk, liquidity risk, capital adequacy, AML/ATF compliance, and cybersecurity. OSFI’s Corporate Governance Guideline explicitly addresses internal audit independence requirements.
Insurance: Insurance regulators expect internal audit to provide assurance on actuarial processes, reserving adequacy, claims management, and regulatory compliance. Own Risk and Solvency Assessment (ORSA) processes must be independently evaluated.
Public companies (SOX): Section 302 of the Sarbanes-Oxley Act requires quarterly CEO/CFO certifications over disclosure controls and procedures; Section 404(a) requires management to assess ICFR annually, and Section 404(b) requires the external auditor to attest to ICFR effectiveness (for accelerated and large accelerated filers). Internal audit typically plays a significant role in the Section 404 process — documenting and testing controls, identifying deficiencies, and supporting management's assessment.
12.3 The CAE’s Relationship with Key Stakeholders
The CAE operates at the intersection of multiple demanding relationships, each requiring careful management:
Audit committee: The primary governance relationship. The CAE must provide candid, complete, and timely information — including bad news. The audit committee’s ability to fulfill its oversight function depends entirely on receiving objective information from an independent internal audit function.
CEO/CFO: The administrative reporting relationship. The CAE must maintain cooperative working relationships while preserving independence. Tension is inevitable when audit findings reflect poorly on management — the CAE must navigate this tension with professionalism and courage.
Business management: Internal audit’s “clients” in the consulting sense — business managers often value internal audit insight for improving operations and managing risk. Building trust with business management improves cooperation, access, and implementation of recommendations.
External auditors: A relationship of coordination and complementarity. External auditors may rely on internal audit work for their financial statement audit, reducing cost and duplication. Regular communication between the CAE and external audit partner supports efficient combined assurance.
12.4 Career Pathways and the Internal Audit Profession
Internal audit provides exceptional preparation for senior leadership roles. The exposure to diverse business processes, risk management, governance, and technology across an entire organization gives internal auditors a breadth of organizational understanding unavailable in most other functions.
Common career pathways from internal audit:
- Senior internal audit roles: Senior auditor, audit manager, CAE — progressing within the profession.
- Risk management: Chief Risk Officer or risk manager roles leverage the risk assessment and ERM expertise developed in internal audit.
- Compliance: Chief Compliance Officer roles build on internal audit’s regulatory expertise and governance understanding.
- Finance leadership: CFO and controller roles value the internal control, financial reporting, and process improvement background of internal auditors.
- Consulting and advisory: Public accounting firms and advisory firms actively recruit internal auditors with industry and governance expertise.
The CIA credential is the professional benchmark for internal audit career progression. Complementary credentials frequently pursued by internal auditors include the CISA (Certified Information Systems Auditor, for IT audit), CFE (Certified Fraud Examiner), CPA (Chartered Professional Accountant), and CRMA (Certification in Risk Management Assurance).
12.5 Ethical Challenges in Internal Audit Practice
Internal auditors frequently encounter ethical dilemmas that the Code of Ethics and Standards address in principle but that require professional judgment in application:
Pressure to soften findings: Management may request that a finding be characterized as less severe, or omitted entirely. The auditor must maintain objectivity — findings must be accurately and completely reported regardless of management preferences.
Scope restrictions: Management may attempt to exclude certain areas from review or limit access to documents or personnel. Scope restrictions must be disclosed to the audit committee; if significant, they may prevent the auditor from expressing a meaningful opinion.
Whistleblower situations: An auditor may become aware of illegal activity or significant wrongdoing that falls outside the scope of the current engagement. The Code of Ethics and organizational whistleblower policies guide escalation — typically to the CAE and, through the CAE, to the audit committee or legal counsel.
Confidentiality vs. disclosure: Internal auditors access highly sensitive organizational information. Maintaining confidentiality is a professional obligation — information obtained during an audit must not be used for personal benefit or shared with unauthorized parties. However, legal and regulatory obligations may require disclosure that overrides confidentiality.
The consistent application of professional ethics — particularly independence, objectivity, and integrity — is what distinguishes the internal audit profession and sustains the trust that makes internal audit valuable to organizations and their stakeholders.
These notes are based on Sawyer’s Internal Auditing (Anderson et al., 5th ed.), the IIA Global Internal Audit Standards (2024), the COSO Internal Control — Integrated Framework (2013), and ISACA’s COBIT 2019 framework. They are intended as a study supplement; students should engage with primary sources for examination and professional practice purposes.