Internal Auditing: Chapter 26 of Arens; Chapter 8 and 11: Internal Audit Practices in Malaysia

The document discusses the role of internal auditing. It defines internal auditing as an independent, objective assurance function that aims to improve an organization's operations. The document outlines the evolution of internal auditing from financial inspections to also evaluating risk management, controls, and governance processes. It discusses standards and principles that guide the professional practice of internal auditing according to the Institute of Internal Auditors.

Uploaded by cuixi
Lecture 10

Internal Auditing
Chapter 26 of Arens
Chapter 8 and 11: Internal Audit Practices in Malaysia

Learning Outcomes

• Define the role of internal auditing (IA)
• Describe the evolution (changing nature) of IA
• Discuss the objective and scope of IA
• Outline the merits and demerits of outsourcing the internal audit function
• Evaluate other types of engagements, such as fraud, systems audit, value for money and financial reviews

Introduction

• The Malaysian Code on Corporate Governance considers the internal audit function as an integral part of an effective system of corporate governance.
• Listed entities are required to establish an internal audit function either within the corporate structure or through outsourcing of such services by professional accounting firms.
• The Institute of Internal Auditors (IIA) is an international professional association that was initially established in the US in 1941. It now has branches throughout the world and has members who specialize in internal auditing, risk management, governance, internal control, IT audit, education and security.
• For the internal auditing profession worldwide, IIA is the recognized authority, principal educator, and acknowledged leader in certification, research and technology guidance. The IIA provides professional recognition for internal auditors with its Certified Internal Auditor (CIA) certification.

Internal Auditing In Malaysia

• The Institute of Internal Auditors Malaysia (IIA Malaysia) is a non-profit professional organisation dedicated to the advancement and development of the internal audit profession in Malaysia.
• IIA Malaysia was established in 1977 as a Chapter of The Institute of Internal Auditors Inc, USA and elevated to the status of a National Institute in 1988 when our membership exceeded the 500 mark. In July 1994, IIA Malaysia was incorporated as a Company Limited by Guarantee and since then, we have grown progressively in size and stature. Today, we serve more than 3000 members in Malaysia.

Affiliation to The IIA, USA

• IIA Malaysia is affiliated to The Institute of Internal Auditors Inc (The IIA), USA, a worldwide body founded in 1941 by a small group of dedicated internal auditors who wanted an organisation that would represent their profession and provide educational activities and standards for the professional practice of internal auditing.
• Through the affiliation, members are able to share in a collective wisdom of more than 170,000 members in over 165 countries and territories.

Internal audit defined

• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
• It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

What is its value to the organisation?

• Internal auditors deal with issues that are fundamentally important to the survival and prosperity of any organisation. Unlike external auditors, they look beyond financial risks and statements to consider wider issues such as the organisation's reputation, growth, its impact on the environment and the way it treats its employees.
• In sum, internal auditors help organisations to succeed. We do this through a combination of assurance and consulting. The assurance part of our work involves telling managers and governors how well the systems and processes designed to keep the organisation on track are working. Then, we offer consulting help to improve those systems and processes where necessary.

Initially…

• 'people saw the auditors as the financial police, checking up on them'. 'I suppose in many cases this was a fair perception, as we primarily reported on the number of errors in transactions.' Chief Manager, Group Internal Audit with the Hong Kong Hospital Authority, Dennis Fullgrabe FCPA.

Evolution of internal auditing

[Figure: timeline of the evolution of internal auditing along an axis marked 1970, 1980, 1990, 2000. Labels on the figure: Inspection & Examination; Improved Efficiency; Automation of Audit process; CAATs; Continuous Auditing; Self Assessment; Value for Money; Technologies; Risk Management; Corporate Governance.]

IIA International Standards for the Professional Practice of Internal Auditing (known as the Red Book)

• The IIA professional practice framework includes a code of ethics and the IIA Standards for the Professional Practice of Internal Auditing.

Attribute Standards

• 1000: Purpose, Authority and Responsibility of the audit activity must be formally defined in an independent audit charter, consistent with the internal audit charter, and presented to senior management and the board.
• 1100: Independence and objectivity. The internal audit activity must be independent and internal auditors must be objective in performing their work.
• 1200: Proficiency and due professional care. Engagements must be performed with proficiency and due professional care.
• 1300: Quality Assurance and Improvement Program. The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Performance Standard

• 2000: Managing the internal audit activity. The chief executive must effectively manage the internal audit activity to ensure it adds value to the organization.
• 2100: Nature of work. The internal audit activity must evaluate and contribute to the improvement of risk management, control and governance processes using a systematic and disciplined approach.
• 2200: Engagement Planning. Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing and resource allocations.
• 2300: Performing the engagement. Internal auditors must identify, analyze and document sufficient information to achieve the engagement's objectives.
• 2400: Communicating Results. Internal auditors must communicate the engagement results.
• 2500: Monitoring Progress. The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
• 2600: Management's Acceptance of Risks. When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.

Ethical Principles

• Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgement.
• Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or others in forming judgement.

Ethical Principles

• Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
• Competency: Internal auditors apply knowledge, skills and experience needed in the performance of internal auditing services.

Changing role includes

• Moving from a "service to management" to a "service to organisation" concept
• Internal auditing role extends beyond controls to an internal consulting and education role
• Being upfront and proactive in the management and operational processes instead of "fault finding"
• Emphasising managing risk: identifying what the key risks are, the impact to the business and controls
• It is an integral part of the governance framework, and not working on its own agenda
• Risk management and corporate governance add new dimensions to the role of internal auditing

More challenges

• The corporate governance issues, accounting irregularities, and legislative actions that have taken place as a result of the Enron, WorldCom and now Parmalat scandals
• Keeping pace with changing technology
• Ability to evaluate computerised and systems-based controls to determine reliance
• Auditors need to have skills to access information that is kept electronically
• Increased demands from auditee for internal audit to add value
• Call for CPE and certification

Functions of Internal Auditors

• The work performed by internal auditors can provide better assurance that operations are well managed and that the organization is well protected against fraud.
• The key objective of internal auditors is to assist all members of the organization (management at all levels and members of the BOD) in the effective discharge of their responsibilities.
• Internal auditors can contribute to the organization by reviewing the systems established to ensure compliance with those policies, plans, procedures, laws and regulations that could have a significant impact on operations and reports, and determining whether the organization is in compliance.
• Internal auditors can contribute to the organization by reviewing the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
• Internal auditors can be independent if the proper setting is provided, which is affected by the organizational status of the internal audit function, by the authority and responsibilities given to internal auditors and by the degree of objectivity maintained by internal auditors in performing their audit.
• Internal auditors can contribute to the organization by appraising the economy and efficiency with which resources are employed.

Internal audit's evolving role

Traditional | Progressive (Best Practices)
1. Audit focus | Business focus
2. Transaction based | Process based
3. Financial account focus | Customer focus
4. Compliance objective | Risk identification, process improvement objective
5. Policies and procedures focus | Risk management focus
6. Multi year audit coverage | Continual risk reassessment
7. Policy adherence coverage | Change facilitator
8. Budgeted cost centre | Accountability for performance results
9. Career auditors | Opportunity for other management positions
10. Methodology: Focus on policies, transactions and compliance | Methodology: Focus on goals, strategies and risk management process

Internal Audit Department

• Financial
  - Financial control. Examining records and evidence in order to detect errors and prevent fraud.
• Operational
  - Non-financial control. Examination of the control procedures and whether people adhere to them. Improve operational economy, efficiency and effectiveness weaknesses.
• Management
  - Review and evaluation of the management structure, performance of managers, appraisal of the environment etc.

Internal Audit Department

• Review of compliance with external laws and regulation
• Special investigations, including fraud investigation
• Risk assessments

The Audit Approach

• The System Approach
• Control Risk Self Assessment
• Facilitation Skills
• Integrating Self Assessment and Audit
• Fraud Investigations
• Information Systems Audit
• Compliance
• VFM, Social and Financial Audit
• The consulting approach
• The right structure

Audit Field Work

• Planning the Audit
• Interviewing Skills
• Ascertaining the System
• Evaluation
• Testing Strategies
• Evidence and Working Papers
• Statistical Sampling
• Reporting Results of the Audit
• Formal Presentations
• Audit Committee Reporting

Conflict in Internal Audit Function

• Inability to understand the importance of client service
• Lack of understanding of the importance of internal audit in relation to the organization and the overall community
• Lack of understanding of the trends and challenges faced by the profession and the increased demands of the profession
• Refer to Internal Audit Practices in Malaysia, Chapter 8.3

Conflict with Auditee

• Internal auditors are often seen as fault finders, the 'outsiders' who interrupt the normal progress of work and take the glory from the spoils.
• An internal auditor has the objective of providing independent assessment and advice for the maintenance and improvement of well-balanced internal controls appropriate to the organisation.

Conflict with Auditee (continued)

• This objective is often hidden and not communicated to the auditee. The aftermath of this is a misconception on the part of the auditee as to the internal auditor's real intentions.
• The auditee often has a personal agenda too, which ranges from getting the assurance from the auditor that the existing controls adopted are appropriate, effective and reasonable, to a far-fetched one such as being able to conceal weakness in control or even fraud.

Managing Conflict

• 'What is in it for me?' (WHIIIFM)
• The auditee has certain expectations of an audit or of internal auditors. Knowing what these needs and wants are helps the auditor focus on the deliverable that matters. Taking an adversarial stand in an audit is what could trigger tension and crisis. Knowing what would be the service that is required by the auditee promotes a collaborative spirit and augurs well for good team building and a WIN-WIN strategy between the auditor and auditee.

Preventive steps

• Preventive steps to avoid conflict with the auditee are:
  - Understanding the business
  - Communicating your value proposition
  - Demonstrating professionalism

Eight Habits of Highly Effective Auditors

• Knowledge of the roles of the Audit Committee
• Clarity of Auditor's role
• Mastering the audit process structure
• Thriving during the various stages of an audit "rollercoaster"
• Clarity on the components and functions of the Terms of Reference
• Ability to sell audit via audit objectives
• Mastering the First Steps of Familiarization
• The initial Meeting (Obtain and maintain rapport)

Other auditing services

Consulting services

• Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client.
• Consulting services generally involve two parties: (1) the person or group offering the advice, the internal auditor, and (2) the person or group seeking and receiving the advice, the engagement client.
• Through these activities, internal auditors contribute to the effective corporate governance within an organization, which includes all the management-administered policies and procedures to control risk and oversee operations within a company.

Evaluating risks and controls

• Internal auditors should be directly involved in the entity's risk management process. Internal auditors are often asked to determine the sources of these risks, and may sometimes be called on to recommend approaches to manage identified risks.
• Internal auditors have long been involved in evaluating and enhancing their organizations' system of internal control over financial reporting and over other areas of the organization, and internal auditors often play a substantial role in ensuring compliance with these requirements.

Risk Management

• Risk management is a proactive and ongoing process involving the identification, assessment, control, monitoring and reporting of risk exposures.
• A structured risk management approach also enhances and encourages the identification of greater opportunities for continuous improvement through innovation.

Establishing Risk Management Process

• Risk Assessment
• Risk Management Strategies (TARA)
• Risk Monitoring

Refer to Chapter 11 of Internal Audit Practices in Malaysia

Role of internal auditor in risk management

• Ultimately, it is the role of executive management and the Audit Committee to determine the role of internal audit in the risk management process. Management's view on internal audit's role is likely to be determined by factors such as the culture of the organisation, the ability of the internal audit staff and local conditions and customs of the country.
• If an organisation has not established a risk management process, the internal auditor should bring this to management's attention along with suggestions for establishing such a process.

Reviewing Compliance

• If a company fails to comply with many requirements of corporate and security laws, the relevant authorities can levy significant fines and penalties against the offending company.
• Internal auditors play an important role in helping management ensure that the organization complies with the laws, rules and regulations that apply to the entity, as well as ensuring that employees comply with organization guidelines and rules.

Financial Auditing

• Although financial auditing is performed by internal auditors, it differs from the audits conducted by external auditors in several ways. For example, internal auditors do not generally audit periodic financial statements but tend to focus on specific financial issues as directed by management.
• The nature of the audit report is also different. Because the intention of the audit may relate to either very general or very specific factors, it is impossible to require a standardized internal audit report.

Operational Auditing (aka VFM)

• Due to their unique position in an organization, internal auditors typically achieve a thorough understanding of how the organization operates, so internal auditors are able to provide various types of services to improve the entities in which they work.
• An auditor should be prepared to recognize when enhancements should be made to align current operations with the entity's objectives. Operational audits are primarily conducted to identify the causes of problems or to enhance the efficiency or effectiveness of operations.

Value for money (VFM) auditing (Performance auditing)

• "An examination that provides an objective and constructive assessment of the extent to which:
  - Financial, human and physical resources are managed with due regard to economy, efficiency and effectiveness; and
  - Accountability relationships are served." (The Canadian Comprehensive Auditing Foundation)
• Performance audits include economy and efficiency and program audits. (The United States General Accounting Office Auditing Standard)

Core of VFM audit

• The core of VFM auditing is the framework of economy, efficiency and effectiveness
  - Effectiveness = achievement of goals or objectives
  - Efficiency = usage of resources to achieve the goals or objectives
  - Economy = acquisition of proper quantity and quality of resources at right times and lowest cost

Systems audit

• Evaluate whether the existing systems and working processes are adequate to meet business goals, objectives and requirements
• Includes pre-implementation and post-implementation audits, and current systems audit

IA and Fraud

• There is a reasonable expectation of detecting material fraud or error and reporting significant weaknesses in the systems, controls and deficiencies in operation.
• To detect material and continuing irregularities
• Assist in investigating cases of fraud or irregularity

Internal audit reports

• The internal auditors' report may take any form as there are no formal reporting requirements for these reports as there are for the external auditor's report.
• Internal auditors produce reports for directors and management as a result of work performed.
• These reports are internal to the business and are unlikely to be shared with third parties other than the external auditors.
• Usually at the end of the audit fieldwork, the internal auditors produce a draft report which is sent out for consideration by the relevant management.
• Once this has been approved, the internal auditors will meet with management to discuss the work and the findings and recommendations.
• After the meeting, the internal auditors then produce a formal report which, once approved by the relevant people, is used to produce the final report for distribution.
• In order to make the audit report clear and simple, so that it conveys exactly what it intends to convey and serves a useful purpose, the following main points should be borne in mind while drafting audit reports:
  - The report must be simple and brief but comprehensive;
  - It should contain appropriate headings;
  - The report will incorporate all irregularities and objections which have not been replied to or were replied to unsatisfactorily, and those replied to satisfactorily but which have financial implications, which were found during personal discussions or as per memos issued;
  - Where Audit is satisfied with its findings on examination of any area during the course of a particular audit assignment, mention will be made of the same in the report;
  - The matter shall be presented according to significance, i.e. the most important points will be highlighted;
  - Suggestions, where necessary, shall be given by Internal Audit;
  - The report shall be timely;
  - Where possible, a summary of corrective action to be taken would be submitted along with the report.

Contents of the report

• There are no formal requirements for internal audit reports as there are for the external audit report.
• The external audit report is a highly stylised document which is substantially the same for any audit.
• A report from the internal auditors in relation to an assignment can take essentially any form.

Standard report format

• TERMS OF REFERENCE
• EXECUTIVE SUMMARY
• BODY OF THE REPORT
• APPENDICES FOR ANY ADDITIONAL INFORMATION

• The executive summary of an internal audit report should give the following information:
  - Background of the assignment
  - Objectives of the assignment
  - Major outcomes of the work
  - Key risks identified
  - Key action points
  - Summary of the work left to do
• The main body of the report will contain the detail such as the audit tests carried out and their findings, full lists of action points, including details of who has responsibility for carrying them out, the future time scale and costs.

Relationship between internal and external auditors

Aspect | Internal auditors | External auditors
Employer | Commercial/government organisations | Public practices, e.g. KPMG, PwC
Certification body | IIA | MIA
Certifying designation | Certified Internal Auditor (CIA) | Chartered accountant
Licence to practice | No | Public practice certificate
Primary responsibility | To BOD/Audit Committee | To members
Scope of audit | All activities of an organisation | Financial reports

Distinction between internal and external audit

Internal audit
• Objective
  - Designed to add value and improve an organisation's operations.
• Reporting
  - Reports to the board of directors, or other people charged with governance, such as the audit committee. Reports are private and for the directors and management of the company.
• Scope
  - Work relates to the operations of the organisation.
• Relationship
  - Often employees of the organisation, although sometimes the function is outsourced.
• Planning and collection of evidence
  - Strategic long-term planning carried out to achieve the objective of assignments, with no materiality level being set. Some audits may be procedural, rather than risk-based. Evidence mainly from interviewing staff and inspecting documents.

External audit
• Objective
  - An exercise to enable auditors to express an opinion on the financial statements.
• Reporting
  - Reports to the shareholders or members of a company on the truth and fairness of the accounts. The audit report is publicly available to the shareholders and other interested parties.
• Scope
  - Work relates to the financial statements.
• Relationship
  - Independent of the company and its management. Usually appointed by the shareholders.
• Planning and collection of evidence
  - Planning carried out to achieve the objective regarding truth and fairness of financial statements. Materiality level set during planning (may be amended during the course of the audit).
  - External audit work is risk-based. Evidence collected using a variety of procedures to obtain sufficient appropriate audit evidence.

Internal and independent external auditors' review of internal control procedures

• Internal auditors review and test the system of internal control and report to management in order to improve the information received by managers and to help in their task of running the company.
• They will recommend changes to the system to ensure that management receives objective information which is efficiently produced.
• They also have a duty to search for and discover fraud.
• The external auditors review the system of internal control in order to determine the extent of the substantive work required on the year-end accounts.
• The external auditors report to the shareholders rather than the managers or directors.
• They report on the truth and fairness of the financial statements, not directly on the system of internal control.
• External auditors usually, however, issue a report to management, laying out any areas of weakness and recommendations for improvement in the system of internal control.
• They do not have a specific duty to detect fraud, although they should plan their audit procedures so as to detect any material misstatements in the accounts on which they give an opinion.

Internal and external auditors: similarities

• Both must be competent as auditors and remain objective in performing their work and reporting their results.
• Both follow a similar methodology in performing their audits, including planning and performing tests of control and substantive procedures.
• Both consider risk and materiality in deciding the extent of their tests and evaluating results. However, their decisions about materiality and risks may differ because external users may have different needs than management or the board.

An Effective Internal Audit Function on corporate governance

• Corporate governance is the oversight mechanisms in place to enhance corporate accountability.
• It is a system/process/structure by which an entity is directed and controlled (i.e. managed) to ensure the proper stewardship over an entity's operations and enhancement of long-term shareholders' values as well as stakeholders' interest.
• Management and the board of directors play primary roles and the independent auditor plays a key facilitating role.
• Internal audit can play a key role in assessing and monitoring internal control policies and procedures.
• The internal audit function can assist the board in other ways as well:
  - By, in effect, acting as auditors for board reports not audited by the external auditors
  - By being the experts in fields such as auditing and accounting standards in the company and assisting in implementation of new standards
  - By liaising with external auditors, particularly where external auditors can use internal audit work and reduce the time and therefore cost of the external audit.
• The IIA identifies the four cornerstones of corporate governance as being: the audit committee, executive management, the internal auditors, and the external auditors.
• The internal audit function can help management and the board identify and manage risk, and help ensure the compliance of the organization with applicable laws, rules, and regulations.
• In addition, if reporting responsibilities are properly defined, the internal audit function can assist the audit committee in ensuring that executive management is exercising responsible and appropriate stewardship over the entity's resources for the benefit of the entity's stakeholders.

Reliance on the work of IA and using the work of specialists & internal auditors

Reliance on the work of IA

• ISA 610 – "Considering the work of internal auditing"
• External auditors should:
  - Consider the activities of internal auditing and their effects on the external audit procedures
  - Gain sufficient understanding about internal audit activities to assist in their audit planning
  - Assess the competency and objectivity of internal auditors
    - Criteria include organisation status, scope of responsibility, technical competence and due professional care

Reliance on the work of IA

• When the external auditor intends to use specific work of internal auditing, the external auditor should evaluate and test that work to confirm its adequacy for the external auditor's purposes. This includes:
  1. Adequate technical training and proficiency, and work of assistants is properly supervised, reviewed and documented;
  2. Sufficient appropriate evidence obtained;
  3. Conclusions reached are appropriate and reports prepared are consistent with results of work performed; and
  4. Any exceptions or unusual matters disclosed by internal auditing are properly resolved.

Relationship between internal and independent auditors

• The work of internal auditors may be a supplement to, but not a substitute for, the work of independent auditors in a financial statement audit.
• The chief internal auditor normally coordinates the work of the internal audit function with the work of the independent (external) auditor.
• It is usual that the independent auditor reviews the internal auditing function's planned work program.
• ISA 610 'Considering the Work of Internal Audit' provides guidance to independent auditors on obtaining an understanding of the activities of internal auditing and its effect on audit risk.

Internal auditing performance assessment by the independent auditor

• An independent auditor should obtain sufficient understanding of internal audit activities to assist in planning the audit and developing an effective audit approach (ISA 610).
• Criteria used to assess the performance of an internal audit function include a review of its:
  - organisational status
  - scope of activities
  - technical competence
  - due professional care

ISA 610 (Revised)

• Auditing standards permit the external auditor to use the internal auditor for direct assistance on the audit.
• By relying on the internal audit staff for performing some of the audit testing, external auditors may be able to complete the audit in less time and at a lower fee.
• When internal auditors provide direct assistance, the external auditor should assess their competence and objectivity and supervise and evaluate their work.

Interactions between Internal and External Auditors

• Some of the work performed by internal auditors is directly relevant to the work of the independent auditor.
• Before relying on the work of internal auditors, the external auditor must evaluate the internal auditors' objectivity and competence.

Interactions Between Internal and
External Auditors
 The objectives and types of work performed by
internal and external auditors are quite
different. External auditors do their work with
the purpose of expressing an opinion as to
whether the entity’s financial statements are
free from material misstatements.
 Because external auditors rely on the concept of
materiality, they typically are not concerned
with auditing a particular area in a great deal of
depth.
 They gather evidence until they obtain
reasonable assurance that no misstatements are
present that would be considered significant in
the context of the financial statements.
 Internal auditors assist management and
the board of directors in evaluating and
managing risk, assessing compliance with laws
and regulations, assessing operational efficiency,
and performing detailed financial audits of areas
requiring particular attention.
 The internal auditor can reduce the incidence
of employee fraud, saving money and improving
controls in the process.
 Some of the work performed by internal
auditors is directly relevant to the work of the
external auditor. For example, the external
auditor can sometimes make use of control
testing work performed by the internal auditor.
 Before relying on the work of internal auditors,
the external auditor must evaluate the internal
auditors’ objectivity and competence.
Internal auditing - outsourcing
 Outsourcing of internal audit services
 Partial or full outsourcing
 Refer to Chapter 8.4 internal audit practices in
Malaysia
Outsourcing - Objectives
 Objective
 To reduce the management work on the internal
audit function
 To reduce the cost of having an in-house
internal audit function
 Assisting management to reduce or manage
risk of competitive demand from
shareholders, customers and other market
participants
Outsourcing the internal audit function
 Outsourcing is the use of external suppliers as a
source of finished products, components or
services. It is also known as sub-contracting.
 It can be expensive to maintain an internal audit
function consisting of employees of the company.
 It is possible that the monitoring and review
required by a certain company could be done in a
small amount of time and full-time employees
cannot be justified.
 In such circumstances, it is possible to outsource
the internal audit function, that is, purchase the
service from outside.
Types of Outsourcing
 Full outsourcing involves finding an external
organization to assist in performing critical as
well as non-critical tasks, saving the
organization time, money and effort.
 Partial outsourcing involves outsourcing only a
part of the process. For example, a car
manufacturer outsources the car painting
process to an outside party.
Procedures of Outsourcing
Where outsourcing is carried out, some general procedures to
minimize the risks and disadvantages are appropriate
including:
 Controls over acceptance of internal audit contracts to
ensure no impact on independence or ethical issues.
 Regular reviews of the quality of internal work
performed.
 Separate departments covering internal and external
audit.
 Clearly agreed scope, responsibilities and reporting lines.
 Performance measures, management information and risk
reporting.
 Procedure manuals for internal audit.
 Increasingly there is a trend towards a partnership approach,
where specialist skills are provided by consultants or are
outsourced, while the core internal audit department
remains in-house.
Managing an outsourced department
 A company will need to establish controls over the
outsourced internal audit department. These would
include:
 Setting performance measures in terms of cost and
areas of the business reviewed and investigating any
variances
 Ensuring appropriate audit methodology (working
papers/reviews) is maintained
 Reviewing working papers on a sample basis to
ensure they meet internal standards/guidelines
 Agreeing internal audit work plans in advance of
work being performed
 If the external auditor is used, ensuring the firm has
suitable controls to keep the two functions separate
so that independence and objectivity are not
impaired
 Internal audit departments may consist of
employees of the company, or may be
outsourced to external service providers. The
advantages of outsourcing the internal audit
function include speed, cost and a tailored
answer to internal audit requirements.
 One of the main disadvantages may include
threats to independence and objectivity if the
external audit service is provided by the same
firm.
Advantages of Outsourcing Internal Audit
 There is a greater focus on cost efficiency of
the internal audit function.
 Internal audit staff can be drawn from a broader
source of expertise, e.g. professional firms that
may specialize in the particular type of
organization.
 Reduces the risk of high turnover or loss of
staff from the internal audit department.
 Skills required for only a short time each year
can be provided without incurring excessive
costs of maintaining an in-house expertise.
 Contracting out could increase independence, since staff
from an external firm will need to comply with ethical
guidelines and are more likely to be rotated to avoid
close working relationships from building up.
 Outsourcing could provide access to new marketplace
techniques without the need for significant levels of
investment or in-house development.
 For example, outsourcing may include the use of audit
methodology software that an in-house team would have
to buy or develop.
 With a professional outsourced department, less
management time is required on internal audit, e.g. in
appraisal, training and development.
 External sources are useful for providing specialist,
expensive skills such as IT or treasury that an in-house
department may find difficult to recruit or retain.
Disadvantages of Outsourcing Internal Audit
 Conflict of interest may arise if the outsourced
internal audit service is being provided by the
external auditors.
 There may be pressure on independence arising
from the cost associated with the provision of
internal audit.
 The outsourced department may experience
pressure from management, either through a
threat not to renew the outsourcing contract or by
withholding payment.
 There is a risk of lack of knowledge, or awareness
of the organizational objectives, culture or
business.
 There is an increased cost of the outsourcing service,
with less time spent on internal audit.
 There is a risk of blurring roles between internal
and external audit, resulting in lesser credibility in
both.
 An outsourced department may not be able to
provide the same flexibility or ready staff
availability, particularly when problems arise, since
it does not have a permanent presence.
 Standard of service may fall once the contract has
been secured and the previous team disbanded.
Current situation
 Sarbanes-Oxley Act (2002) Sec 201 prohibits
audit firms from engaging in outsourcing of internal
audit services
 MIA Exposure Draft proposes that a member firm should
not provide internal audit services to an audit client
which is a listed entity or a subsidiary of a listed
entity
 According to IFAC, such a service would not impair
independence provided the audit firm does not
act in the capacity of the client's management.
Safeguard to consider for
outsourcing of internal audit
 To ensure the audit client is responsible for:
 Establishing, maintaining and monitoring internal
controls
 Having senior management within the client
organisation responsible for the internal audit
function
 Approving the scope, risk and frequency of internal
audit work
 Evaluating and determining which recommendations
are to be implemented
Safeguards (cont’d)
 Evaluating the adequacy of audit procedures
performed and the findings and taking actions
 Ensuring findings and recommendations are
reported to the BOD
 The audit firm can arrange that staff
participating in internal audit services do not
work on the external audit engagement
End of Lecture