Frequently Technical Questions on the IIA’s International

Professional Practices Framework (IPPF) and the

International Standards for the Professional Practice of
Internal Auditing (the Standards)

Disclaimer
These Frequently Asked Questions (FAQs) have been prepared by the Technical Department of the IIA
SA in consultation with the Technical- and Public Sector Committee of the IIA SA. These FAQs are not
intended to serve as authoritative guidance and do not form part of the Standards or the IPPF. The
questions and responses outlined in this document are based on queries commonly received by the IIA
SA’s Technical Department and have been compiled to assist Internal Audit professionals in the
execution of their duties and responsibilities in line with the IPPF and the Standards.

The questions and responses provide a summarised analysis of topical issues and should not be
considered to be comprehensive. Any examples provided are illustrative only and do not represent a
comprehensive list of scenarios or circumstances that may exist in practice. In all instances, readers are
encouraged to refer to the relevant IPPF elements and Standards (especially those IPPF elements that
must be conformed to) and acquaint themselves with the requirements as it pertains to their particular
context/environment. The questions and responses focus on issues that are of interest to Internal Audit
professionals in both the public, private and not for profit sector.

Version History
VERSION VERSION DATE ACTION UPDATE DESCRIPTION
NO.
V1.0 05/03/2021 Issued Initial publication of combined FAQs with reference to
the IPPF and the Standards

1
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Section 1: Internal Audit
Consulting Engagement We are currently appointed as Internal Auditors of Standard 1000 requires the nature of both the Standards & Implementation
a Government institution. We are required in assurance and consulting services provided to the Guidance:
terms of the Internal Audit Charters to review the organization to be defined in the internal audit charter. 1000 Purpose, Authority, and
Annual Financial Statements prior to submission to Assurance services involve the internal auditor's Responsibility
the Auditor General. The institution requires objective assessment of evidence to provide an 1130 Impairment to
assistance in compiling the AFS as there is a lack of independent opinion or conclusions regarding an Independence or Objectivity
skilled officials in the finance unit. As part of our entity, operation, function, process, system, or other
consulting activities as Internal Audit we wish to subject matter. The nature and scope of the assurance Practice Guide:
assist the Government entity to prepare the AFS. engagement are determined by the internal auditor. Independence and Objectivity
To safeguard our independence the consulting There are generally three parties involved in assurance
team from internal audit will not be involved in the services: (1) the person or group directly involved with
review of the AFS. Is it acceptable to take on the the entity, operation, function, process, system, or
compilation of the AFS and then review the AFS other subject matter - the process owner, (2) the
using 2 different teams to safeguard our person or group making the assessment - the internal
independence? auditor, and (3) the person or group using the
assessment - the user. Consulting services are advisory
in nature, and are generally performed at the specific
request of an engagement client. The nature and scope
of the consulting engagement are subject to agreement
with the engagement client. Consulting services
generally involve two parties: (1) the person or group
offering the advice -the internal auditor, and (2) the
person or group seeking and receiving the advice - the
engagement client. When performing consulting
services the internal auditor should maintain
objectivity and not assume management responsibility.
The request in question fits the description of the
consulting engagement and should therefore be
defined in an internal audit charter and approved by
the audit committee. There should be an agreement
between the internal auditor and the engagement
client that stipulates exactly what the scope for the

2
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
consulting engagement is (reviewing AFS). This
agreement should also make it clear that internal audit
is on the third line of defence and may not be held
accountable for management responsibility in the
decision making. When the internal auditor provides
the consulting services of this nature, it is often not a
problem because the final approval of the AFS is
carried out by the external auditors. Reviewing the AFS
before the external auditor comes in is different from
when an internal auditor is made responsible for the
finances in the organisation. The audit team will need
to uphold proficiency while carrying out this task; this
means that the internal auditor allocated for this task
must be someone who is competent in finance (e.g.
posting to general ledger and processing closing entries
and the like).
Previously consulted If one performs a consulting activity over a specific The IIA Standard 1130 requires a minimum of 12 Standards & Implementation
areas function, is there a “cool off” period before one months to lapse before an internal auditor may provide Guidance:
can perform an assurance engagement over the assurance in an area in which consulting services were 1130 impairment to
same function? provided. Independence and Objectivity

Practice Guide:
Independence and Objectivity
Objective Sampling Is it fine if the internal auditor select a sample Objectivity is an unbiased mental attitude that allows Standards & Implementation
which includes recruitment done in the IAA for an internal auditors to perform engagements in such a Guidance:
HR audit? manner that they believe in their work product and 2320 analysis and Evaluation
that no quality compromises are made. 1120 Individual Objectivity

To uphold objectivity, internal auditors must have an Practice Guide:

impartial, unbiased attitude and avoid any conflict of Independence and Objectivity
interest. Conflict of interest is a situation in which an
internal auditor, who is in a position of trust, has a
competing professional or personal interest. Such
competing interests can make it difficult to fulfil his or
her duties impartially. A conflict of interest exists even if

3
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
no unethical or improper act results. A conflict of
interest can create an appearance of impropriety that
can undermine confidence in the internal auditor, the
internal audit activity, and the profession. A conflict of
interest could impair an individual's ability to perform
his or her duties and responsibilities objectively.
Including files from internal audit in the sample may
therefore appear as a threat to objectivity as one may
feel that the internal auditor will not subject the file of
those closely working with under same scrutiny as other
files. It is therefore why it is highly recommended that
the internal auditor avoids this situation by excluding
the files of IA employees from the sample.

Audit sampling is defined as, the application of audit

procedures to less than 100 percent of items within a
class of transactions or account balance such that all
sampling units have a chance of selection. The sample
sizes differ from one organisation to the other, based on
factors such as the risk appetite of the organisation, the
perceived risk associated with the particular process and
the like. There are sampling approaches that may be
used to achieve audit objectives namely

1) Statistical sampling (random and systematic)

This involves the use of techniques from which

mathematically constructed conclusions regarding the
population can be drawn. Statistical sampling allows the
auditor to draw conclusions supported by arithmetic
confidence levels (e.g., odds of an erroneous conclusion)
regarding a population of data output. It is critical that
the sample of transactions selected is representative of
a population. Without ensuring that the sample
represents the population, the ability to draw

4
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
conclusions based on the review of the sample is
limited, if not erroneous. The internal auditor should
validate the completeness of the population to ensure
that the sample is selected from an appropriate data set.

2) Non-statistical or judgemental sampling

This is an approach used by the auditor who wants to
use his or her own experience and knowledge to
determine the sample size; it may not be based
objectively and, thus, results of a sample may not be
mathematically supportable when extrapolated over
the population. That is, the sample may be subject to
bias and not representative of the population. The
purpose of the test, efficiency, business characteristics,
inherent risks, and impacts of the outputs are common
considerations the auditor will use to guide the sampling
approach. Non-statistical sampling may be used when
results are needed quickly and needed to confirm a
condition rather than being needed to project the
mathematical accuracy of the conclusions.

Sampling in audit is an extremely important element.

Not only is it important to utilise the appropriate
sampling method for the particular type of data, it is
also essential to apply the sampling method correctly
in order to get the required results.
Roles and Responsibilities Does the IIA have any criteria to consider when The CAE has got the responsibility to effectively Standards & Implementation
of a Chief Audit Executive appointing a CAE? Are there any guidelines and manage the internal audit activity in order to add value Guidance:
any criteria for acting CAE? to the organisation. This includes a whole lot of 2000 Managing the Internal Audit
activities such as planning work for the year, identifying Activity
skills gap, ensuring that training is provided to build 1300 Quality Assurance and
competencies needed to perform all or part of the Improvement Program
audit engagements.
Practice Guide:

5
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
The CAE is further responsible for supervision of the Chief Audit Executives —
audit completed by both that subordinates as well as Appointment, Performance,
the consultants where work has been outsourced to an Evaluation, and Termination
external parties on behalf of the internal audit activity. How to employ an internal
auditor
The IIA’s Global Internal Audit
Competency Framework
The final approval of the Please can you clarify to me about the approval of Standard 1000 states that the final approval of the Standards & Implementation
IA charter the audit charter, because when I read the Practice internal audit charter resides with the Board. I would Guidance:
Advisory, it is stated that senior management suggest that you look at it as a process that has got 1000 Purpose, Authority and
review and approved the charter with acceptance more than one level of authority. Management does Responsibility
by the board. In my point of view I think that approve but it is not a final approval as only the board
management review and approved the charter and has the authority to grant final approval. Practice Guide:
the board is only accepting. The board approve the Interaction with the Board
purpose, responsibility and authority that defined
on the charter, but is accepting the Audit charter
that approved by management. Then also on
Practice Advisory under functional reporting state
that the Board is approving the charter. CIA exam
question: Which is true about audit charter?
Confusing option: The senior management
approves the audit charter before submitting it to
the board. I want to know whether the confusion
option is right or wrong.
Excluding CAE in I am a CAE and have been excluded in the Staffing or resourcing of the internal audit activity is Standards & Implementation
appointment process of appointment of the internal auditors even though the responsibility of the CAE and therefore the CAE Guidance:
IA staff they will be reporting to me. Is this acceptable may not be excluded from resource management as 1130 Impairment to
practice? per Standard 2030. This is different from a scenario Independence or Objectivity
when an auditor is instructed to sit in a panel of 2030 Resource Management
interview for a position that falls outside of internal
audit as this could impair the independence and Practice Guide:
objectivity of the internal auditor when the review of Independence and Objectivity
the recruitment process is undertaken.
Internal audit sitting in In our organization, Internal Audit attends It is good that the CAE sits in management meetings as Standards & Implementation
management meetings Management meetings. It is seen as being part of this sends a message that IA is a strategic partner in an Guidance:

6
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
the decision making. Some feel we are violating organisation. Internal auditors’ role in a management 1130 Impairment to
the standards in terms of Independence while committee should not be that of taking responsibility Independence or Objectivity
some feel IA is part of the organization, in for implementation of any part of the management
attending their audit projects will be well directed duties. The IA Charter should explain the extent of Practice Guide:
in terms of risk. Your assistance in this regard will involvement of the CAE in management meetings. As Formulating and Expressing
be highly appreciated. an auditor at any given point your role should not be Internal Audit Opinions
that of assuming management responsibility, but that
of providing advice, assurance and/or consulting
services.
Outsourcing IAA or clarification purposes, my Organisation will be According to the IIA Standard 2000, the Chief Audit Standards & Implementation
referred to as Company A and the Client as Executive (CAE) must effectively manage the internal Guidance:
Company B. Company A has entered into a audit activity when outsourced. This means that the
contract with company B to provide internal audit person responsible for the internal audit function or 1100 Independence and
services to Company B. Company B does not have the CAE has to be in-house. It further reflects that “the Objectivity
a CAE and is outsourcing the internal audit services oversight and responsibility for internal audit cannot be 2000 Managing the Internal Audit
to Company A. Company A conducts risk based outsourced”. Where the IAF is outsourced, the person Activity
internal audit services based on their internal audit liaising with the external service provider, should 2070 External Service Provider
methodology and the internal audit plan for the ideally be a senior or executive manager assigned the and Organizational Responsibility
engagements is shared with Company B’s Audit task of managing the internal audit function. Such an for Internal Auditing
Committee. Company A’s CAE attends audit individual should be a dedicated resource, suitably
committees and audit reports are tabled at the qualified in internal audit and be accorded a high Practice Guide:
committee. degree of functional independence within the Independence and Objectivity
Is this in line with King III and any other Auditing organisation.
Standards? Is stating that Company A’s Internal The CAE must report functionally to the board and
Audit function is accountable to Company B’s Audit administratively to the organization’s chief executive
Committee (client) allowed? What are the officer; this facilitates organizational independence. At
implications (if any)? If Internal Audit of Company a minimum the CAE needs to report to an individual in
A cannot be accountable, who should technical be the organization with sufficient authority to promote
accountable in this scenario? Who is going to independence and to ensure broad audit coverage,
assess the CAE’s performance? adequate consideration of engagement
communications, and appropriate action on
engagement recommendations. Functional reporting to
the board typically involves the board:
• Approving the internal audit activity’s overall
charter.

7
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
• Approving the internal audit risk assessment and
related audit plan.
• Receiving communications from the CAE on the
results of the internal audit activities or other
matters that the CAE determines are necessary,
including private meetings with the CAE without
management present, as well as annual
confirmation of the internal audit activity’s
organizational independence. Approving all
decisions regarding the performance evaluation,
appointment, or removal of the CAE.
• Approving the annual compensation and salary
adjustment of the CAE.
• Making appropriate inquiries of management and
the CAE to determine whether there is audit scope
or budgetary limitations that impede the ability of
the internal audit activity to execute its
responsibilities.
The CAE has got the responsibility to obtain competent
advice and assistance if the internal auditors lack the
knowledge, skills, or other competencies needed to
perform all or part of the engagement. When the
decision has been taken to outsource an internal
activity, the CAE is still responsible for supervision of
the audit completed by the external parties as the work
is done on behalf of the internal audit activity. It is not
possible for the CAE to divorce this responsibility
because the CAE is required to also evaluate the
performance of the engagement to establish if the
services rendered are of value. This evaluation will not
be adequately carried out if the CAE does not
understand the scope, results of work done and has
not interrogated the reports.

8
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
The assessment of the CAE’s performance - even
though the performance evaluation might be carried
out through HR processes by the level to which the CAE
reports administratively, the audit committee as the
functional reporting line must review and approve such
evaluation.
Test of controls vs Our team is split as some feel that the Standards Internal auditing on the other side is defined as an Standards & Implementation
substantive procedures require us to test the controls (i.e. evidence that independent, objective assurance and consulting Guidance:
the control was performed) and that we should activity designed to add value and improve an 2010 planning t
not be going into substantive testing of internal organisation's operations. It helps an organisation
controls as this is for external audit. What is the accomplish its objectives by bringing a systematic, Practice Guide:
view and opinions of the IIA on this? disciplined approach to evaluate and improve the Reliance by internal audit on
effectiveness of risk management, control, and other assurance providers
governance processes.
From this definition, it can be said that internal auditing
has a broader scope than just the financial processes. It
is however not straight forward what internal auditors
must do; except for evaluating financial controls and
making recommendations towards improved system of
internal controls as stated in the IIA Standards.
It can be said that reviewing and signing off of financial
statements is not a mandate of internal audit but that
of external auditors. It is advised that combined
assurance framework be developed and implemented
by organisations so that duplication of efforts by
assurance providers can be minimized.
Carrying out of audit procedures such as testing of
controls or substantive testing is allowed in both
disciplines as long as they are conducted within the
context of achieving audit objectives.
Standardised Audit How can I test the adequacy of internal controls Unfortunately IIA does not have a standardised audit Standards & Implementation
Procedures when performing an audit and please provide a program for any aspect of organisational being. Guidance:
template to be used if possible. I have looked at a Internal Audit units in each organisation must prepare 2010 Planning
couple of sampling techniques but have not yet a risk-based audit plan and an internal audit program
found one that I can use. I also would like to know for each financial year, advise the accounting officer Practice Guide:

9
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
whether government process as per the standards and report to the audit committee on the
equate/ are similar to the control environment as implementation of the internal audit plan. There are
per the Components of Internal Control. What is courses and books you may read that are offered by IIA
governance processes? I have conducted many on how to compile an audit program.
preliminary analytic reviews but somehow I still
feel like something is missing. How does one
conduct an analytic review that identifies all the
risk arising from the auditee?
Request for an audit Kindly assist with the approach for IIA SA does not keep any programme that details how Standards & Implementation
programme Accommodation Management Service Audit and to conduct any form of audit engagement. The Guidance:
Occupational Health Safety. information you are looking for might be available on
the internet if you “Google” it but it is advisable that Practice Guide:
you scrutinize information that is sourced from the
internet as some may have not been written by people
who do not necessarily have the correct skill and
knowledge pertaining to the topic written about. It is
also recommended that you go to internet sites such as
www.auditnet.org that normally keep audit program
for specific processes.

Kindly take note that with compliance audit such as the

one you need assistance with, the starting point would
be the review of the policy that guides this process.
You may then formulate audit objectives and compile
the audit programme after you have understood what
the policy requires.
Compliance to POPI act Can you please provide guidance on what the Engagement records or working papers are the Standards & Implementation
document retention policies are from an IIA SA property of the organization. Standard 2330.A2 places Guidance:
perspective with regards to the new PoPI Act and the responsibility to develop retention requirements 2330 Documenting Information
the relating impact on Internal Audit functions? for engagement records on the Chief Audit Executive.
This would include the medium, confidentiality and Practice Guide:
safekeeping of the records. Factors like IT and physical
security, accessibility of the records, etc. must be
considered when the retention requirements (policies)
are developed. In this process unnecessary duplication

10
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
of records can be avoided. The policies that guide the
retention of records must be documented; approved
by the CAE and made available (communicated) to all
Internal Audit staff members. The legislation applicable
to the environment such as PFMA, POPI and
Companies Act must be considered when compiling the
retention of records policy.
Engagement supervision From technical and best practice perspectives, Standard 2340 – Engagement Supervision requires Standards & Implementation
kindly advice whether review/coaching notes engagements to be supervised to ensure objectives are Guidance:
should be retained on the audit file. Currently, the achieved, quality is assured and staff is developed. The 2340 Engagement Supervision
Managers raise these notes on the work CAE has overall responsibility for supervising the 2330 Documenting Information
performed by the IA Staff, and they are deleted/ engagements, whether performed by or for internal
removed from the file; only when those items have audit activity, but may designate appropriately Practice Guide:
been resolved/ cleared. experienced members of the internal audit activity to
perform the review. Appropriate evidence of
supervision must be documented and retained.
Engagement records or working papers are the
property of the organization and should be retained in
a way that is consistent with the regulations applicable
to the environment.
Standard 2330.A2 places the responsibility to develop
retention requirements for engagement records on the
Chief Audit Executive. This would include the medium,
confidentiality and safekeeping of the records. Factors
like IT and physical security, accessibility of the records,
etc. must be considered when the retention
requirements (policies) are developed. In this process
unnecessary duplication of records can be avoided. The
policies must be documented; approved by the CAE
and made available (communicated) to all Internal
Audit staff members.
Benchmark ratio or May the IIA kindly assist us in providing the IIA Standards state “Internal auditing is an Standards & Implementation
percentage for balanced following information, for benchmarking purposes: independent, objective assurance and consulting Guidance:
internal audit service a. The extent to which internal audit functions activity designed to add value and improve an 2200 Engagement Planning
split the following services (as a ratio/ percentage): organisation's operations. It helps an organisation

11
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
- Assurance services accomplish its objectives by bringing a systematic, 1130 Impairment to
- Consulting services disciplined approach to evaluate and improve the Independence or Objectivity
- Performance auditing (three E’s – Effective, effectiveness of risk management, control, and
Efficient and Economic not performance governance processes” Practice Guide:
management/ Predetermined Objective (PDO) From the definition, it is clear that Internal Audit is integrated Auditing
audits) - Continuous auditing required to provide these two services i.e. assurance Continuous Auditing: Implications
As previously discussed we realise that there are and consulting. Assurance is provided on a broad for Assurance
many factors to consider, such as the definitions business sphere and includes but not limited to 1)
for these services used by an organisation; specific compliance audits with the focus on adherence to
projects to be executed e.g. mergers and policies and regulation; 2) performance auditing
acquisitions etc. focuses on the acquisition and utilisation of resources
in comparison with industry benchmarks 3) operational
audits that look at the environmental matters and
more
Continuous auditing is a method used to perform
control and risk assessments automatically on a more
frequent basis, enabling internal auditors to have a
current view on system of internal controls as opposed
to the old approach where testing of controls was
carried out on a retrospective and cyclical basis, often
many months after business activities have occurred.
The time spent on continuous auditing will also depend
on the IT systems in use and the availability of
information to use for continuous auditing. The
transaction types (manual vs system generated) will
also play a role.
The IIA SA does not have benchmarks for these audit
services as it is not a simple matter; it depends on a
number of factors such as the following:
• It will vary according to the needs of each
organisation. For instance in an environment
where there are lot of projects that are being
implemented, performance audit would assist in
revealing whether there is efficiency and
effectiveness in the way in which the project is

12
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
managed and whether all the money is being
spent economically.
• In environments where highest risks are around
compliance, it would be beneficial to conduct
compliance audits.
Internal auditors need to be aware that it is not
necessary to carry out performance auditing in an area
where there is limited risk of resource
misappropriation such as Human Resource
Management. This area mainly operates purely from
policies. In this instance, a compliance audit will add
more value.
On the other hand, if we take procurement section to
conduct a compliance audit on. The audit results might
mislead because the whole exercise of whether the
resources are procured economically and whether they
are utilised effectively and efficiently will not be
evaluated. In the South African context, performance
auditing is meant at enforcing accountability especially
in the public sector where the main aim of the business
is not to make profits.
In the private sector, things are a little bit different as
the aim of the business is to create wealth for the
owners. The private sector often puts measures in
place to track progress to the company’s plans.
I recommend that you place more emphasis on risk
when developing an audit coverage plan for audit,
consulting, performance auditing and management,
etc. work. The ratio requested in the question will
differ from organisation to organisation, from industry
to industry, and could even differ from one year to the
next year in the same organisation - e.g. when a new
financial system is implemented consulting should be
higher during the implementation period. It is
becoming general practice now that the annual ratio is

13
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
motivated by the CAE to the Audit Committee. It is also
worth stating that internal audit are required to be
much more of a consulting department to senior
management and the board these days compared to
15-20 years ago. The CAE should just ensure that
independence and objectivity is not directly affected,
i.e. where auditors are used for functions which are
typically a management review or overview function
(consulting).
Audit sampling Our internal audit department currently base our Audit sampling is defined as, the application of audit Standards & Implementation
sample sizes on the frequency of a control. procedures to less than 100 percent of items within a Guidance:
1) If the control is an annual control, the sample class of transactions or account balance such that all 2320 Analysis and Evaluation
size = 1. sampling units have a chance of selection. The sample
2) If the control is a quarterly control, the sample sizes differ from one organisation to the other, based Practice Guide:
size = 2. on factors such as the risk appetite of the organisation,
3) If the control is a monthly control, the sample the perceived risk associated with the particular
size = 3. process and the like.
4) If the control is a weekly control, the sample size Statistical sampling (e.g., random and systematic)
= 10. involves the use of techniques from which
5) If the control is a daily control, the sample size = mathematically constructed conclusions regarding the
20. population can be drawn. Statistical sampling allows
6) If the control is a multiple daily control, the the auditor to draw conclusions supported by
sample size = 30. arithmetic confidence levels (e.g., odds of an erroneous
The Practice Advisory 2320-3 Audit Sampling that conclusion) regarding a population of data output. It is
was issued in May 2013, made me question the critical that the sample of transactions selected is
relevance of these sample sizes. I couldn't find representative of a population. Without ensuring that
anything that support these sample sizes even the sample represents the population, the ability to
though it's commonly used in practice (even by the draw conclusions based on the review of the sample is
big 4 firms). The practice advisory seems to favour limited, if not erroneous. The internal auditor should
statistical sampling, however in practice; most validate the completeness of the population to ensure
Internal Audit shops use non-statistical sampling. that the sample is selected from an appropriate data
Can you please confirm whether the sample sizes set.
based on the frequency of the control is adequate Non-statistical or judgemental sampling is an approach
to ensure adherence to the Standards? If so, can used by the auditor who wants to use his or her own
experience and knowledge to determine the sample

14
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
you please refer me to the theory on which the size; it may not be based objectively and, thus, results
sample sizes are based on? of a sample may not be mathematically supportable
when extrapolated over the population. That is, the
sample may be subject to bias and not representative
of the population. The purpose of the test, efficiency,
business characteristics, inherent risks, and impacts of
the outputs are common considerations the auditor
will use to guide the sampling approach. Non-statistical
sampling may be used when results are needed quickly
and needed to confirm a condition rather than being
needed to project the mathematical accuracy of the
conclusions. Sampling in audit is an extremely
important element. Not only is it important to utilise
the appropriate sampling method for the particular
type of data, it is also essential to apply the sampling
method correctly in order to get the required results. It
will not be possible to deal with this matter in detail in
this reply and it recommended that you consult
authoritative literature on this subject.
Balance between I am a CAE and want guidance regarding the IIA Standards state “Internal auditing is an Standards & Implementation
consulting and assurance annual planning. How much of the available time independent, objective assurance and consulting Guidance:
services should Internal Audit Activity allocate to consulting activity designed to add value and improve an 1210 Proficiency
services? organisation's operations. It helps an organisation 1130 Impairment to
accomplish its objectives by bringing a systematic, Independence or Objectivity
disciplined approach to evaluate and improve the
effectiveness of risk management, control, and Practice Guide:
governance processes” Integrated Auditing
The Standards also define consulting services as
advisory in nature, and are generally performed at the
specific request of an engagement client. The nature
and scope of the consulting engagement are subject to
an agreement with the client. Consulting services
generally involve two parties:
(1) The person or group offering the advice - the
internal auditor, and

15
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
(2) The person or group seeking and receiving the
advice - the engagement client.
When performing consulting services the internal
auditor should maintain objectivity and not assume
management responsibility.
The ratio of consulting versus assurance services is
however not a straight forward matter as it depends on
a number of factors.
• It varies from one organisation to the other.
Invariably the IAA should provide for 20% of the
time in their annual plan for ad-hoc audit
assignments, of which many are often consulting
related.
• The volume of consulting services could depend
on factors such as:
• the organisation undergoing restructuring
• changes such as new core system implementation,
• Mergers etc.
In such cases management and the board may increase
requests for internal auditors to provide consultation in
areas on which they have knowledge and expertise. For
example, in an IT environment where there are new
products that are being developed, internal audit might
be asked to consult and use their IT knowledge to
advise on the control mechanisms to be employed
within the system during development process.
Planning should be dynamic and the year plan adjusted
for strategic and operational conditions in which the
organisation finds itself for each Audit Committee
meeting.
Internal auditors should also understand that they are
bound by Standard 1210- Proficiency not to accept and
carry out internal audit assignment for which they do
not have adequate and required level of knowledge
and skill.

16
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Internal audit vs external For the past two years we have been involved in Audit of financial statements (external auditing) Standards & Implementation
audit regarding financial the Quarterly Review of Interim Financial generally means an audit review of the organisation’s Guidance:
processes Statements of the government departments. There financial statements by an external and independent 2010 Planning
has been always confusion on internal audit work auditor in order to express an opinion on whether the
regarding the audit of Financial Statements as it financial statements fairly represent the financial Practice Guide:
seems we are now operating as External Auditors. standing of the subject matter.
Based on the above may you please clarify the Internal auditing on the other side is defined as an
following: independent, objective assurance and consulting
(a) What is the role of Internal and External activity designed to add value and improve an
Auditors with regards to the audit of financial organisation's operations. It helps an organisation
statements? accomplish its objectives by bringing a systematic,
(b) Where do we draw the line between the work disciplined approach to evaluate and improve the
of Internal Auditors, are they confined to Test of effectiveness of risk management, control, and
Controls or they should overlap to Substantive/ governance processes.
Detail Testing or conduct both? From this definition, it can be said that internal auditing
has a broader scope than just the financial processes. It
is however not straight forward what internal auditors
must do; except for evaluating financial controls and
making recommendations towards improved system of
internal controls as stated in the IIA Standards.
It can be said that reviewing and signing off of financial
statements is not a mandate of internal audit but that
of external auditors. It is advised that combined
assurance framework be developed and implemented
by organisations so that duplication of efforts by
assurance providers can be minimized.
Carrying out of audit procedures such as testing of
controls or substantive testing is allowed in both
disciplines as long as they are conducted within the
context of achieving audit objectives.
Responsibility for changes Should Internal Auditors be held culpable for Standard 2400 – Communicating Results states that Standards & Implementation
in the system of internal events that happen between the cut-off date and “Internal auditors must communicate the results of Guidance:
control the day reports are presented to the Audit engagements”. 2400 Communicating Results
Committee? Standard 2420 – Quality of Communications further
requires that communications must be accurate, Practice Guide:

17
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
objective, clear, concise, constructive, complete, and
timely.
These standards highlight the importance of
communicating with impact, developing an ongoing
communications process with management to 1) keep
current on changing business and risk issues, 2)
develop systematic and trending information that
would be valued by stakeholders and 3) maximizing the
efforts to get management attention to audit issues
and ensuring that top management and the audit
committee are kept aware of management’s corrective
actions.
It then becomes clear that any matters arising between
the internal audit cut-off date and reporting date must
be assessed whether the matter should be
communicated to the Audit Committee and how much
the impact is. Matters arising differ; some are not
significant, some are significant and warrant inclusion
in the final report whereas some are critical and need
to be communicated immediately through an interim
report. Internal auditors also sign the code of ethics
which requires establishment of trust in order to
provide basis for reliance on internal audit work, this
cannot be fulfilled if there are significant matters that
have been knowingly left out in an internal audit
report.
A career in internal audit I am an intern at TETA under performance IIA does not recognise training in monitoring and Standards & Implementation
monitoring and evaluation and I have a national evaluation as internal auditing experience. For entry Guidance:
diploma in auditing; I want to further my studies level auditors who only have a qualification in internal
and am not certain if internal auditing is relevant auditing, there is Internal Audit Technician (IAT) Practice Guide:
to what I am currently doing at work. Please learnership program which assists in fast tracking the
advice. learning process in the internal audit field and it is
followed by General Internal Auditor program for
auditors who have some experience and the premium
being Certified Internal Auditor. You need to make a

18
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
decision whether you want to grow in the area where
you are currently employed (monitoring and
evaluation) or you still want to pursue a career in
internal auditing in which case you will still need to
follow the IAT, GIA, CIA program as explained earlier.
Please note that IIA SA defines an Internal Audit
Professional as someone who has an academic
qualification, who has gone through the IIA SAs
structured on-the-job training program (Professional
Training Program), has gone through a test of
competence (IAT, GIA and CIA) and who is a member of
the IIA. These four elements must be in place as they
speak to the Internal Auditor’s competence and
accountability to Code of Ethics.
Standard audit I have been instructed to prepare the audit Internal auditing is not a financial discipline like Standards & Implementation
programme for financial program to carry out the review of 9 Departments external auditing. However, it is rather necessary for Guidance:
review several Interim Financial Statements. Is there any specific internal auditors to be financially literate as they often 2050 Coordination
departments internal auditing standard on review of interim have to review financial processes. Please note that
financial statements that I must comply with? I internal auditing is broader that finance as it is Practice Guide:
have found ISRE 2400 issued by the international expected to cover a whole range of business areas such King III Report on Corporate
auditing and assurance board. This to me is as HR, Risk management and many more. In some Governance
applicable to external auditors whereas I am part environments which are rather technical, IA functions
of the internal audit of the province. May I use this are compelled to even have engineers in their teams.
standard for guidance to draft my audit ISRE 2400 is a guideline for external auditor like you are
programme? mentioning but may be used by internal auditors if the
objective of the internal audit assignment is consistent
with the output as anticipated by ISRE 2400. While
trying to understand this, it is worth considering the
King III Report on Corporate Governance which makes
implementation of the combined assurance highly
recommended where there are several assurance
providers in order to minimize duplication of efforts.
The International Standards for the Internal Audit
profession states in standard 2050: “The Chief Audit
Executive should share information and coordinate

19
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
activities with other internal and external providers of
relevant assurance and consulting services to ensure
proper coverage and minimise duplication of efforts”.
Treasury Regulations that have been issued in terms of
Public Finance Management Act (PFMA) state that “The
internal audit function must assist the accounting
officer in maintaining efficient and effective controls by
evaluating those controls to determine their
effectiveness and efficiency, and by developing
recommendations for enhancement or improvement.
The controls subject to evaluation should encompass
the following:
(a) the information systems environment;
(b) the reliability and integrity of financial and
operational information;
(c) the effectiveness of operations;
(d) safeguarding of assets; and
(e) compliance with laws, regulations and controls.
I suggest that you take all these factors into
consideration when compiling the required program to
ensure that you do not stray from the role of internal
auditing and at the same time do not duplicate
Auditor-General’s scope.
A career in internal audit I don’t have any qualification as an internal audit The IIA SA defines an Internal Audit Professional as Standards & Implementation
but I want to go into this career. Is it possible to someone who has an academic qualification, who has Guidance:
attend any short courses from your institute or is it gone through the IIA SAs structured on-the-job training
only for people who have basics in internal program (Professional Training Program), has gone
auditing field? through a test of competence (IAT, GIA and CIA) and Practice Guide:
who is a member of the IIA. These four elements must
be in place as they speak to the Internal Auditor’s
competence and accountability to a code of ethics.
Attending short courses offered by the IIA will not be
enough for you to become an internal auditor, these
are designed to only emphasize certain issues that are
critical for auditors to understand.

20
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Transferring Audit Our organisation was established in response to a Engagement records or working papers are the Standards & Implementation
working papers certain section of the Constitution. Just recently property of the organization. Standard 2330.A2 places Guidance:
the President of the Republic proclaimed an the responsibility to develop retention requirements 2330 Documenting Information
independent office as a national department. Since for engagement records on the Chief Audit Executive.
1994 the Administration of this office was the This would include the medium, confidentiality and Practice Guide:
responsibility of a certain department. The time safekeeping of the records. Factors like IT and physical
now to split the mandate and operate as two security, accessibility of the records, etc. must be
independent offices has come and effective from considered when the retention requirements (policies)
the 1st of April 2014. This is just phase 1 of our are developed. In this process unnecessary duplication
transition as ultimately we should be separate of records can be avoided. The policies that guide the
branch of the State equal to Parliament and the retention of records must be documented; approved
Executive. In establishing an IA unit and not to re- by the CAE and made available (communicated) to all
invent the wheel, I need access to the prior year Internal Audit staff members. The legislation applicable
audit working papers of all the functions and units to the environment such as PFMA in this case must be
that our new office is taking over from the considered when compiling the retention of records
department. I will appreciate it if you can provide policy.
me guidance on compiling my requests for same Coming to the question, there are two solutions to this
from relevant Internal Standards for the matter a) DOJ may enter into an agreement with the
Professional Practice of Internal Auditing. newly formed office about how the retention of the
records in question will be implemented and the
process to be followed should any of the two parties
need to access these records. b) DOJ may provide
Office of XYZ with copies of all the records in question
and only release the original files when there is a need
for it. The benefits and costs of both options should be
explored to make an appropriate decision.
Evaluation od outsourced Please assist me with a template for the evaluation IIASA does not have a template for this purpose as yet. Standards & Implementation
internal audit of our outsourced Internal Audit? I suggest you download the document on the following Guidance:
website: 2030 Resource Management
https://iiasa.site- 2340 Engagement Supervision
ym.com/global_engine/download.asp?fileid=DDD9656
6-863B-46A8-B28B-0E8BA60E2478 Practice Guide:
You need to ensure that your requirements are How to Employ an Internal
specified in detail in the contract and that the Auditor
ownership of all the working papers resides with your

21
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
organisation. A template for the evaluation can be
compiled from the deliverables specified in the
outsource agreement.
IA role regarding In my organisation, management want us to do a Internal auditing is defined by the IIA as an Standards & Implementation
performance information 100% verification of Performance information independent, objective assurance and consulting Guidance:
prior to submission to Top Management, on a activity designed to add value and improve an 1130 Impairment to
quarterly basis and believe that IA has a organisation's operations. It helps an organisation Independence or Objectivity
responsibility to do it? accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the Practice Guide:
effectiveness of risk management, control and Independence and Objectivity
governance processes”
The purpose of managing performance information is
to keep track of progress on predetermined objectives
so that corrective measures can be taken in order to
achieve business objectives. Internal audit, in the
process of evaluating controls must be careful not to
take management responsibility. Collecting, analysing
and interpreting the performance data is a
management function. Internal audit should review the
process followed in managing performance information
and on a sample basis, test the adequacy and
effectiveness of controls in place for managing
performance information.
Due to limited resources, internal audit cannot give
absolute assurance. Internal audit give reasonable
assurance based on the results that have been reached
following sample testing.
Internal audit planning Are there any recent leading practice In terms of IIA Standards it gives guidance with regard Standards & Implementation
communication in terms of the annual audit to Audit Planning under Standard 2010 & the relevant Guidance:
planning process that needs to be considered? Practice Advisory is 2010. 2010 Planning
Internal auditors must determine appropriate and
sufficient resources to implement the internal audit Practice Guide:
annual plan.

22
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
purpose of internal What is the main purpose of internal auditing? The Definition of Internal Auditing by the Institute of Standards & Implementation
auditing Internal Auditors states the fundamental purpose, Guidance:
nature, and scope of internal auditing as follows:
Practice Guide:
“Internal auditing is an independent, objective
assurance and consulting activity designed to add value
and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control,
and governance processes.”

In South Africa, it is a lawful requirement for all

organisations to have an internal audit activity; which
may be shared or established for one organisation. It
may be in-house, co-sourced or outsourced. Please go
through the King III report on Corporate Governance,
Companies Act, Public Finance Management Act, and
Municipal Finance Management Act to get an
understanding of requirements of the business
environment in both the private and public spheres.
Following up on findings A current audit is scheduled for the same division IIA Standard 2500 determines that the CAE must Standards & Implementation
raised that was audited last year however none of the establish a follow-up process to monitor and ensure Guidance:
recommendations were implemented and no that management actions have been implemented 1 2500 Monitoring Process t
changes were made to the system or control. The effectively or that senior management has accepted
division await implementation to an electronic the risk of not taking action. Practice Guide:
system in order to ensure the recommendations The decision to continue with the audit even though
made by internal audit are implemented. Can we nothing has been implemented or not should be made
postpone the audit even though it was part of the in consultation with management and the audit
current year audit plan and what is an appropriate committee.
way or reporting to the audit committee on The decision should be based on Standard 2500 and
assurance ought to be provided? read further on Practice Advisory 2500.A1-1. These will
assist in deciding whether to postpone the audit or not.
My organisation is in the process of setting up an Internal Auditors including CAEs are required to always Standards & Implementation
Irregular Expenditure Condonation Committee adhere to the Standards and Guidance of the Institute Guidance:

23
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
which they believe should be chaired by internal of Internal Auditors (including Practice Advisories). If an 1130 Impairment to
audit. In my opinion being part of any committee auditor is instructed to assume the responsibility of Independence or Objectivity
within the organisation will impair my management in any situations such as the following:
independence as it relates to operational duties. • Holding the Chief Financial Officers role; Practice Guide:
What is the way forward on the above situation? • Sitting in a bid evaluation committee representing Independence and Objectivity
management
• Chairing management committees such as
disciplinary, risk management, and more
It appears as though independence and objectivity on
the operational responsibilities carried out has been
impaired. If the operational responsibilities carried out
or part thereof, has been included in the internal audit
plan, the auditor who assumed the responsibility and
the staff reporting to the auditor in question may not
audit that operation.
Before the auditor accepts the operational
responsibility, it should be explain to the Accounting
officer or assigning management what the impact of
assuming a management role is. If the non-audit
management function is carried out, the auditor in
question or the staff reporting to the auditor in
question may not audit the operation in question. The
CAE should minimize the impairment to objectivity by
using a contracted, third party entity or external
auditors to complete audits of the operations that had
been assigned to the auditor in question.
Dishonest employees What to do with an internal auditor who lies about There might be a breach of ethical conduct here but Standards & Implementation
being absent at work, he was not at work and did primarily it sounds like a weakness in supervising Guidance:
not submit leave form; he further lied and said he subordinates. In a properly controlled environment,
was at the Client’s premises. Can this auditor be the supervisor will know what subordinates are doing Practice Guide:
charged for breaching honesty? based on the work that has been allocated to them. It Evaluating Ethics-related
is also the supervisor who would know the where Programs and Activities
about of the subordinate as subordinates should report
to their line management for the duration of the
working hours. I suggest that this be dealt with as per

24
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Human Resource Management processes first and only
after that the matter will be referred to IIA.
This matter would have been different if the internal
auditor was a member of the IIA; for an example had
leaked information that she/he had come across while
conducting an audit engagement. This would have
been a clear breach of ethical conduct which requires
upholding of integrity and confidentiality clauses. If this
was the case, the employer would need to report the
matter to IIA. Upon investigation, IIA would then
initiate disciplinary processes against the member.
Internal audit planning Should we continue to indicate estimated hours to Internal auditors must determine appropriate and Standards & Implementation
complete the annual risk based audit plan as we sufficient resources to achieve engagement objectives Guidance:
never really complete the plan 100 % every year based on an evaluation of the nature and complexity of 2010 Planning
with only 5 auditors in the division? I always try each engagement, time constraints, and available
and do the high risk areas in the annual plan first. resources. Time is a very crucial factor that internal Practice Guide:
Are there any standard practices that I can refer to auditors must manage in order to efficiently complete Measuring internal audit
on this issue? the plan. It would be hard to think of any other way in Effectiveness and Efficiency
which internal audit can monitor and manage its
activities if it were not time-based.
When each project is planned and allocated hours, it
makes it easier for the CAE to keep track of the work
and identify challenges that adversely affect audit plan.
When audit assignments are not completed within the
planned hours, the CAE can also adjust the preceding
year’s plan accordingly taking into consideration the
challenges that caused delays and whether these
challenges have been rectified.
It seems as though the challenge is not with
documenting the hours but rather insufficient capacity
in your unit to complete the planned audits. Therefore
these will need you to plan in line with the resources
available in your unit; i.e. hours available vs. number of
people in the internal audit unit. If financial resources

25
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
allow, you should consider either hiring more internal
auditors or outsourcing some audit assignments.
Follow up on findings What is the responsibility of Internal Audit function IIA Standard 2500 determines that the CAE must Standards & Implementation
raised by external with regard to External Auditors audit findings? establish a follow-up process to monitor and ensure Guidance:
auditors Does Internal Audit function have to track their that management actions have been implemented 2500 Monitoring Process
resolution and perform a follow up audit on them? effectively or that senior management has accepted
the risk of not taking action. This includes outcomes Practice Guide:
from both the internal and external audit, even though Integrated Auditing
external auditors may conduct their own follow up mid
yearly. It is advisable that internal audit should conduct
follow up audits to track progress towards full
implementation of all audit outcomes. Practice
Advisory 2500.A1-1 describes how this should be
accomplished
internal audit manual What should be included in the internal audit The chief audit executive develops policies and Standards & Implementation
manual? procedures. Formal administrative and technical audit Guidance:
manuals may not be needed by all internal audit 2040 Policies and Procedures
activities. A small internal audit activity may be
managed informally. Its audit staff may be directed and Practice Guide:
controlled through daily, close supervision and Assisting Small Internal Audit
memoranda that state policies and procedures to be Activities in Implementing the
followed. In a large internal audit activity, more formal International
and comprehensive policies and procedures are Standards for the Professional
essential to guide the internal audit staff in the Practice of Internal Auditing
execution of the internal audit plan.
The internal audit manual is not a text book on audit,
the theory of which should be acquired by Internal
Auditors through, inter alia, attending courses, in-
house training and workshops.
The objectives of a manual are to:
1.1.1 Document in details the internal audit policies
and procedures.
1.1.2 Serve as a useful guide to the internal audit staff
in respect of their responsibilities, approach, and

26
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
authorities to conduct effective internal audits of the
organization and communicate audit results.
1.1.3 Use the documentation as a basis for internal
initiatives for the improvement of systems and
improving internal control procedures.
Employing internal audit If a person employed as an internal auditor is No, accepting a job offer when one does not have Standards & Implementation
staff offered the post of internal audit manager, yet appropriate experience is not breach of Code of Ethics Guidance:
does not have any prior internal audit experience because IIA Standards do not instruct the human 2000 Managing the Internal Audit
let alone experience in internal audit at a resource functions of organisations but guides the Activity
management level or a CIA qualification, and the manner and behaviour that all the IA professionals are
person wilfully accepts this position. Is this not a expected to demonstrate when they are carrying out Practice Guide:
breach of the Code of Ethics which states that internal audit assignment. Organisations have different Developing the Internal Audit
internal auditors must act with competence? Is it hiring processes, some are strict and some are not Strategic Plan
also not a breach of objectivity as the person is hence sometimes people with minimal experience do
wilfully accepting the position for gain, despite the get positions that are perceived to be senior in nature.
fact that they are not competent in the role? Is Competence as defined in the IIA Standards is the
there a duty placed on other members in the team application of knowledge, skills, and experience
who are also members of the IIA, to report such an needed in the performance of internal audit services.
instance? If reported, what will happen to the This does not refer to the acceptance of position but
individual breaching the Code of Ethics? rather to acceptance of an assignment. IIA Standards
come to effect when a person accepts the position, the
internal audit manager (CAE) is then expected to carry
out duties as detailed in Standard 2000: Managing the
Internal Audit Activity.
Functional reporting I am a CAE and would like to know who should The chief audit executive (CAE)’s reporting functionally Standards & Implementation
assess my performance? to the board and administratively to the organization’s Guidance:
chief executive officer, facilitates organizational 1100 Independence and
independence. At a minimum the CAE needs to report Objectivity
to an individual in the organization with sufficient
authority to promote independence and to ensure Practice Guide:
broad audit coverage, adequate consideration of Independence and Objectivity
engagement communications, and appropriate action
on engagement recommendations..
Functional reporting to the board typically involves the
board:

27
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
• Approving the internal audit activity’s overall
charter.
• Approving the internal audit risk assessment and
related audit plan.
• Receiving communications from the CAE on the
results of the internal audit activities or other
matters that the CAE determines are necessary,
including private meetings with the CAE without
management present, as well as annual
confirmation of the internal audit activity’s
organizational independence.
• Approving all decisions regarding the performance
evaluation, appointment, or removal of the CAE.
• Approving the annual compensation and salary
adjustment of the CAE.
• Making appropriate inquiries of management and
the CAE to determine whether there is audit scope
or budgetary limitations that impede the ability of
the internal audit activity to execute its
responsibilities.
Even though the performance evaluation might be
carried out through HR processes by the level to which
the CAE reports administratively, the audit committee
as the functional reporting line must review and
approve such evaluation.
Internal Audit planning Should internal audit use the hours when Internal auditors must determine appropriate and Standards & Implementation
compiling a plan as this is not regulated by any IIA sufficient resources to achieve engagement objectives Guidance:
standard? based on an evaluation of the nature and complexity of 2010 Planning
each engagement, time constraints, and available
resources. Time is a very crucial factor that internal Practice Guide:
auditors must manage in order to efficiently complete Measuring Internal Audit
the plan. It would be hard to think of any other way in Effectiveness and Efficiency
which internal audit can monitor and manage its
activities if it were not time-based.

28
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
When each project is planned and allocated hours, it
makes it easier for the CAE to keep track of the work
and identify challenges that adversely affect audit plan.
When audit assignments are not completed within the
planned hours, the CAE can also adjust the preceding
year’s plan accordingly taking into consideration the
challenges that caused delays and whether these
challenges have been rectified.
Internal audit performing Internal auditors are instructed to act in positions Internal Auditors including CAEs are required to always Standards & Implementation
non internal audit such as Municipal Managers, Chief Financial adhere to the Standards and Guidance of the Institute Guidance:
functions Officers or Heads of Directorates. Based on the of Internal Auditors (including Practice Advisories). If an 1130 Impairment to
standards that guides internal auditors is it allowed auditor is instructed to assume the responsibility of Independence or Objectivity
for them to act in management positions or is it management in any of the situations such as the
compromising their independence and objectivity? following: Practice Guide:
• Holding the Chief Financial Officers role; Formulating and Expressing
• Holding the Chief Executive Officer role; Internal Audit Opinions
• Sitting in a bid evaluation committee representing Independence and Objectivity
management;
• Chairing Fraud and Prevention Committee;
• Chairing a disciplinary hearing; and more
It appears as though independence and objectivity on
the operational responsibilities carried out has been
impaired. If the operational responsibilities carried out
or part thereof, has been included in the internal audit
plan, the auditor who assumed the responsibility and
the staff reporting to the auditor in question may not
audit that operation.
Before the auditor accepts the operational
responsibility, it should be explain to the Accounting
officer or assigning management what the impact of
assuming a management role is. If the non-audit
management function is carried out, the auditor in
question or the staff reporting to the auditor in
question may not audit the operation in question. The
CAE should minimize the impairment to objectivity by

29
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
using a contracted, third party entity or external
auditors to complete audits of the operations that had
been assigned to the auditor in question.
Responsibilities of the Does the IIA have any guidance on the The CAE has got the responsibility to obtain competent Standards & Implementation
internal auditor when responsibilities of the internal auditor where they advice and assistance if the internal auditors lack the Guidance:
using specialist use specialists (e.g. IT, forensic, etc.) to perform knowledge, skills, or other competencies needed to 2070 External Service Provider
work on their clients? We are often faced with perform all or part of the engagement. When the and Organizational Responsibility
situations where the Internal Audit Managers decision has been taken to outsource an internal 2340 Engagement Supervision
believe that it is not their responsibility to activity, the CAE is still responsible for supervision of
understand the scope, results of work done and the audit completed by the external parties as the work Practice Guide:
interrogate the reports. It is a dilemma in cases is done on behalf of the internal audit activity. It is not Chief Audit Executives —
where we need to ensure that our internal audit possible for the CAE to divorce this responsibility Appointment, Performance,
clients receive value adding service and ensuring because the CAE is required to also evaluate the Evaluation, and Termination
that there is a level of accountability between the performance of the engagement to establish if the
Internal Audit Manager and the specialists? services rendered are of value. This evaluation will not
be adequately carried out if the CAE does not
understand the scope, results of work done and has
not interrogated the reports.
Risk management report Is the head of Risk Management allowed to No, risk management should not report to internal Standards & Implementation
to internal audit administratively report to the head of Internal audit because normally Internal Audit is expected to Guidance:
Audit? independently provide assurance on the adequacy and 1130 Impairment to
effectiveness of Risk Management processes. Independence or Objectivity
Before the auditor accepts this operational
responsibility, it should be explain to the Accounting Practice Guide:
officer or assigning management what the impact of Independence and Objectivity
assuming a management role is. If this risk
management is allowed to report to internal audit, the
CAE should minimize the impairment to objectivity by
using a contracted, third party entity or external
auditors to complete audits of this organisation’s risk
management process.
Internal audit performing Can the head of internal audit accept being No, managing risks is management responsibility and Standards & Implementation
risk management appointed as head of risk management without will impair the internal audit activity’s objectivity. Guidance:
compromising her independence? Internal Auditors including CAEs are required to always 1130 Impairment to
adhere to the Standards and Guidance of the Institute Independence or Objectivity

30
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
of Internal Auditors (including Practice Advisories)
which call for upholding of independence and Practice Guide:
objectivity at all times. Independence and Objectivity
Before the auditor accepts this operational
responsibility, it should be explain to the Accounting
officer or assigning management what the impact of
assuming a management role is. If this risk
management function is carried out, the auditor in
question or the staff reporting to the auditor in
question may not audit this area. The CAE should
minimize the impairment to objectivity by using a
contracted, third party entity or external auditors to
complete audits of this organisation’s risk management
process.
Discussion of the draft My supervisor, who is the MM, was given the final This is a matter for agreement between the Audit Standards & Implementation
audit report report. This was also distributed to other senior Committee, Executive management and Internal Guidance:
managers, who will be sitting in the audit Auditors and should also be contained in the Internal 2440 Disseminating results
committee. Senior management, insist that the Audit Charter, the guidance to which one should refer
draft report should have been given to them first, when performing day to day duties. Practice Guide:
before preparing the final that goes to the audit In a case such as this one, it would be wise to ensure
committee. that you have a discussion around the
distribution/comment process and agree a maximum
time period for return comment on issues raised (e.g. 7
working days) after which it can be assumed that if no
comment is received management are in agreement
with the audit findings. You would need to do this and
communicate it throughout the organisation to ensure
that individual managers/executives cannot delay the
release of reports which may reflect them in a bad
light. This matter should also be included in the
engagement letter so that it can be agreed upon at the
planning stage of the audit i.e. persons who will be on
the report distribution list.
Our advice would be to ensure that you put the
necessary processes in place to ensure that no

31
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
objections can be raised when you have released a
report in the future and apply them consistently.
Conducting an audit of Should internal audit post audit of payment The question is not clear but if the concern is about Standards & Implementation
payment process processes? If yes, what are the risks of not doing auditing the payment process; the internal audit plan Guidance:
it? should have been compiled in response to the risk 2010 Planning
register. If payment processing has been identified as
one of the high risks in an organisation and therefore Practice Guide:
included in the internal audit plan and approved by the Developing the Internal Audit
audit committee; internal audit has to conduct this Strategic Plan
audit and give feedback to management so that the
risk rating can be adjusted accordingly. The CAE will
need to take accountability and explain to the audit
committee why the audit was not conducted if it was
approved in the plan because resources were allocated
to conduct the audit.
Signing off an internal I would like to know who can sign the internal The chief audit executive has overall responsibility for Standards & Implementation
audit report audit report, in terms of qualification or supervising the engagement, it will therefore make Guidance:
membership. sense that as the supervisor, the CAE should sign off 2440 Disseminating results
the audit reports as a sign that he/she is endorsing and
taking responsibility of the contents of the report. Practice Guide:
Formulating and Expressing
Internal Audit Opinions
Materiality when Should an internal audit function apply materiality Yes, materiality should be considered when assessing Standards & Implementation
assessing risk on an audit guidelines when assessing risk impact of audit risks. This process is clearly explained in the COSO Guidance:
plan focus areas? framework on the webpage link: 1220 Due professional Care 2210
http://www.coso.org/documents/volumeiii- Engagement Planning
applicationtechniques.pdf
Internal auditing should be implemented on a risk Practice Guide:
based approach because it is aimed at evaluating Assessing the Adequacy of Risk
effectiveness and adequacy of the internal control Management Using ISO 31000
systems to enhance sustainability of the business
operation and not with financial statement materiality
as external audit financial attestation does. Standard
1220.A1 refers to consideration of materiality to which
assurance procedures are applied; however this is not

32
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
the only determining factor for raising findings or
deciding on what to audit.
Internal audit and conflict I am employed as a Senior Internal Audit Manager Objectivity is one of the principle internal auditors are Standards & Implementation
of interest in one of these Black Audit Firms. We started a required to uphold all the time and is a mental attitude Guidance:
small recruitment company with my wife in 2011 which internal auditors should maintain while 1130 Impairment to
and we are both directors. I registered in performing engagements. The internal auditor should Independence or Objectivity
databases of many companies as a supplier have an impartial, un-biased attitude and avoid conflict 1110 Organizational
including some of our current clients. One of our of interest situations, as that would prejudice his/her Independence
clients and our directors are considering this as a ability to perform the duties objectively. The results of
conflict of interest and the client is pressurising my internal audit work should be reviewed before they are Practice Guide:
employer to dismiss me. Is this conflict of interest? released in order to provide a reasonable assurance Independence and Objectivity
that the work has been performed objectively. If there
are already concerns around conflicting interest, then
you are not seen as objective.
It is better if you clearly and formally disclose the
potential conflict of interest so that you can be
allocated projects where you have no interest. You may
not perform an engagement in an area where you are
considered as having conflict of interest. You may read
the IIA article on conflicting interest in this link:
http://www.theiia.org/theiia/about-the-
profession/internal-audit-
Internal audit sitting in As IT auditor I have also become a member of the Internal auditors’ role in a steering committee should Standards & Implementation
the steering committee ICT Steering committee - just to clarify again that not be that of taking responsibility for implementation Guidance:
my role is one of observer? of any part of the management duties. The ICT should 1130 Impairment to
be having a charter or terms of reference please refer Independence or Objectivity
to it. As an auditor at any given point your role should
not be that of assuming management responsibility, Practice Guide:
but that of providing assurance and/or consulting Formulating and Expressing
services. Internal Audit Opinions
Internal Audit performing I am an IT audit specialist, in the Internal Audit Internal auditors’ role in processes such as the one Standards & Implementation
consulting or advisory department of my company. I was recently asked explained in this scenario should not be that of taking Guidance:
functions to be involved in the disaster recovery (DR) testing responsibility for implementation of any part of the 1130 Impairment to
that IT was performing. Being part of Internal DRP, but rather that of advisory, which conforms to Independence or Objectivity
consulting services.

33
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Audit, what should be the extent of my The Standards define consulting services as advisory in Practice Guide:
involvement in DR? nature, and are generally performed at the specific Formulating and Expressing
request of an engagement client. The nature and scope Internal Audit Opinions
of the consulting engagement are subject to an
agreement with the client. Consulting services
generally involve two parties: (1) the person or group
offering the advice - the internal auditor, and (2) the
person or group seeking and receiving the advice - the
engagement client. When performing consulting
services the internal auditor should maintain
objectivity and not assume management responsibility.
The sign off should however not in any way imply that
you are certifying that the system is successful , but
should be clear that you observed the process and at
the time of concluding the engagement management
provided assurance that it is working. You can only give
such opinion not sign-off after you have audited the
area and performed tests that substantiate that the
DRP is operating as intended.
Internal auditors not May I have any five punitive measures that can be Internal Auditors are employed like any other Standards & Implementation
performing adequately taken against auditors who do not perform their employee in an organisation. There should be a policy Guidance:
duties? and procedure that guides how under-performance in 2000 Managing the Internal Audit
the organisation will be dealt with. There should be Activity
performance agreements signed by all employees
including internal auditors. Evaluation of performance Practice Guide:
should then be based on these performance Attribute Standards and
agreements. IIA has set Standards that are detailed on Performance Standards
what principles auditors should always uphold and can How to employ an internal
be used as measures of performance. The CAE should auditor
be held accountable for work performed in the unit as
he or she is responsible for resource allocation and
management
Standardised audit Can you help me with standard audit procedures Unfortunately IIA does not have a standardised audit Standards & Implementation
procedure or program for the sustainability audit covering program for any aspect of organisational being. Guidance:
both limited and reasonable assurance? Internal Audit units in each organisation must prepare

34
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
a risk-based audit plan and an internal audit program Practice Guide:
for each financial year and advises the accounting
officer and report to the audit committee on the
implementation of the internal audit plan. There are
courses and books you may read that are offered by IIA
on how to compile an audit program.
You may also surf internet sites such as
http://www.auditnet.org/ for samples of various audit
programs.
Internal audit guidelines May you please assist regarding the following? The information your requesting is not provided by the Standards & Implementation
Guidelines or process regarding ad-hoc audits, IIA as it will differ from one organisation to the other. Guidance:
Guidelines for audit plan (long, medium, and short- What we do have available are resources in our library 1130 Impairment to
term), Guidelines for audit risk matrix/assessment and bookstore (Audit Planning, Internal Audit Independence or Objectivity
during audits and Guidelines for archiving audit Operations Manual CD & Risk Management Books, 1110 Organizational
files and reports. etc.). Independence
It is highly recommended that you visit the IIA offices 2000 Managing the Internal Audit
to read more on the subject matters you are interested Activity
in, and where some of the resources are not available
in the library for borrowing then buy from our Practice Guide:
bookstore. Developing the Internal Audit
Strategic Plan
Audit follow up May I ask for a guideline or standard to follow Follow-up is a process by which internal auditors Standards & Implementation
when a follow up audit is performed? evaluate the adequacy, effectiveness, and timeliness of Guidance:
actions taken by management on reported 2500 Monitoring Progress
observations and recommendations, including those
made by external auditors and others. This process also Practice Guide:
includes determining whether senior management
and/or the board have assumed the risk of not taking
corrective action on reported observations. The CAE is
responsible for scheduling follow-up activities as part
of developing engagement work schedules. There is
however no standard program for this exercise.
Threats to independence As an internal auditor constantly experiencing Impairment to organizational independence and Standards & Implementation
or objectivity independence threats, in terms of standards and individual objectivity may include, but is not limited to, Guidance:
advisories, what can we do to stop such personal conflict of interest, scope limitations,

35
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
infringements and do we have a duty to report the restrictions on access to records, personnel, and 1130 Impairment to
matter to a specific body/ party? properties, and resource limitations, such as funding. Independence or Objectivity
Internal auditors are to report to the chief audit 1110 Organizational
executive (CAE) any situations in which an actual or Independence
potential impairment to independence or objectivity
may reasonably be inferred, or if they have questions Practice Guide:
about whether a situation constitutes an impairment to
objectivity or independence.
If the CAE determines that impairment exists or may be
inferred, he or she needs to reassign the auditor(s)
and/or consider whether it is appropriate to inform the
board regarding the matter. Intimidation is not to be
accepted by Internal Auditors and it must be reported
to the authorities such as Special Investigation Units,
South African Police Services and the like. IIA SA has
written an article “Forensic Investigations in the Public
Sector” in the June/July 2013 IA Adviser based on a
presentation that was delivered by Steven Powell in
the Internal Audit Annual Conference. This
presentation highlights the red flags of intimidation
and states what must be done in such cases.
Internal Audit Report I am looking at possibly revamping the internal Please note that IIA does not have reporting templates. Standards & Implementation
audit report template we are currently using. Is It is however recommended that you liaise with other Guidance:
there where I can obtain examples of ideal audit internal audit functions, preferably those that generally 2400 Communicating Results
report templates? conform to IIA Standards as per Quality Assurance
Review results. Practice Guide:
Internal audit reporting depends on the needs of Formulating and expressing
various stakeholders (audit committees, board, Internal Audit Opinions
management, etc.), but internal audit should primarily
ensure that there are standard items which are
maintained, i.e. name of the audit, scope and objective,
findings and recommendations/ agreed management
actions.

36
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Internal auditor I am an internal auditor at the Municipality. I have There should be internal HR Policies and Procedures Standards & Implementation
witnessing an been instructed to be a witness that an employee that provides clear guidelines on how to address such Guidance:
administrative task (Manager) of the Municipality has been handed a matters, therefore the requirement of internal audit to 1130 Impairment to
suspension letter. I have refused to do it as I feel witness suspension should have been outlined therein. Independence or Objectivity
this is an operational work and the IIA standards Witnessing the handover of the suspension letter
do not allow it. Please advise if this is right? would not have an impact on your integrity as internal Practice Guide:
auditor as it is normally a function that can be Independence and Objectivity
performed by any official within the municipality as it
does not necessarily require internal audit skills.
This is different from when an auditor is instructed to
assume the responsibility of management in any of the
situations such as the following:
• Holding the Chief Financial Officers role;
• Sitting in a bid evaluation committee representing
management;
• Chairing a disciplinary hearing; and the like
internal auditor Is it ethical for an internal auditor to question staff Audits are usually planned and approved for the year, Standards & Implementation
conducting interviews in relations to an internal audit in the company, in consultation with Senior Management and approved Guidance:
with staff while general without discussing the issues with the relevant by the audit committee. 2010 Planning
manager concerned is not General Manager, and reporting it to higher Before commencement of the audits, an engagement 2020 Communication and
aware authority like the CEO? letter should be issued by internal audit and signed by Approval
the relevant head of the particular unit, i.e. General
Manager. Then interviews with staff in that particular Practice Guide:
area will be done as part of the audit. A draft report
with findings will be discussed with line management
and action plans will be provided to address the
identified weaknesses. A final report will then be
issued, a copy of which should be submitted to the
CEO.
The other scenario is, if an investigation relating to
fraud is done, in that case the General Manager will be
informed as well of the intention to do so, but it can
sometimes happen that the report is submitted directly
to the CEO, if the General Manager is implicated in the
case.

37
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Internal Audit Charter Is there a need for an Internal Audit Charter in a Yes, there is a need for a charter even if the internal Standards & Implementation
situation where the organization has outsourced audit activity has been outsourced. The organisation Guidance:
the internal audit function? still has the responsibility for marinating an effective 1000 Purpose, Authority and
internal audit activity and it’ll also assist to clarify the Responsibility
mandate of Internal Audit. You will recall that the 2070 External Service Provider
nature of assurance services provided to the and Organizational Responsibility
organization must be defined in the internal audit for Internal Auditing
charter. If assurances are to be provided by parties
outside the organization, the nature of these assurance Practice Guide:
services must also be defined in the internal audit Interaction with the Board
charter.
Internal Auditor signing I am an internal auditor and registered as a Internal auditors are eligible to carry out audit Standards & Implementation
off financial statements member with the IIA. Am I eligible to become an engagements. Internal auditors cannot compile and Guidance:
accounting officer of a CC and drafting financials sign off financial statements. Only registered 1200 Proficiency and Due
and signing them off? If not what are the accountants are eligible to do that. You have to be a Professional Care
requirements? registered accountant, i.e. CA and registered with
SAICA. For more information you can visit Practice Guide:
www.saica.co.za.
CIA exam Has there been any change in how the CIA exam is The Certified Internal Auditor (CIA) exam comprises of Standards & Implementation
structure besides new questions? four parts. The time allotted for each actual exam is 90 Guidance:
multiple choice questions in 2 hours and 30 minutes for
each part. The total is 800 marks. You need to score a Practice Guide:
minimum of 600 (75%) to pass. The new CIA 2013 Exam
Syllabus is as follows:

Part 1 – Internal Audit Basics is 125 questions over 2.5

Hours (150 minutes)

The new CIA exam Part 1 topics tested include aspects

of mandatory guidance from the IPPF; internal control
and risk concepts; as well as tools and techniques for
conducting internal audit engagements. Note: All items
in this section of the syllabus will be tested at the
Proficiency knowledge level unless otherwise indicated
below.

38
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources

Part 2 – Internal Audit Practice is 100 questions over

2.0 Hours (120 minutes)

The new CIA exam Part 2 topics tested include

managing the internal audit function via the strategic
and operational role of internal audit and establishing a
risk-based plan; the steps to manage individual
engagements (planning, supervision, communicating
results, and monitoring outcomes); as well as fraud
risks and controls. Note: All items in this section of the
syllabus will be tested at the Proficiency knowledge
level unless otherwise indicated below.

Part 3 – Internal Audit Knowledge Elements is 100

questions over 2.0 Hours (120 minutes)

The new CIA exam Part 3 topics tested include

governance and business ethics; risk management;
organizational structure, including business processes
and risks; communication; management and leadership
principles; information technology and business
continuity; financial management; and the global
business environment. Note: All items in this section of
the syllabus will be tested at the Awareness knowledge
level unless otherwise indicated below.
It will be helpful if you go to
https://global.theiia.org/certification/Public%20Docum
ents/CIA%20Four-part%20to%20Three-
part%20Exam%20Content%20Map.pdf
Internal Auditor’s duty Is there where I can obtain detailed job There is an Internal Audit Manual shell available in the Standards & Implementation
descriptions for internal audit staff? IIA SA Library which provides all the relevant Guidance:
information about establishing and maintaining
Internal Audit Functions, which includes amongst Practice Guide:
others the job descriptions for internal audit staff. IIA

39
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
also published a “How to employ an internal auditor” How to employ an internal
article, it will be helpful in identifying what skills and auditor
qualifications are pre-requisite for several audit roles.
The document will enable you to draw up a job
description and is obtainable from
http://www.iiasa.org.za/files/How_to_employ_an_Inte
rnal_Auditor.pdf
Internal Audit Charter I am in the process of setting up a group's internal We do not necessarily have a checklist available, but it Standards & Implementation
audit department. I have prepared the Audit is recommended that you attend the IIASA courses Guidance:
Charter and have the proposed IA department relevant to Building, Leading and Managing the Internal 1000 Internal Audit Charter
structure. Is there any check list for setting up a Audit Department. The advantage of attending these
department so that I make sure all the areas have courses is that the skills for enhancing your Practice Guide:
been addressed? department’s processes are in-house and continuously
improved on. There is also the option of networking
with the CAE’s of other established & effective Internal
Audit Activities whom have been through this route
before and have practical examples of how they have
gone about establishing their units.
Practice Advisory 1000-1 should be used as a
reference. The IA Charter should also be an agenda
item for the Audit Committee to be addressed at least
once a year. IIA Standards and King III requirements
should be incorporated. You can consult the IIA
website www.theiia.org for an example of a charter
and also surf the net to find examples of charters which
you can then tailor to your specific needs.
The following links have got examples of how the IA
Charter should be:
https://global.theiia.org/standards-
guidance/Public%20Documents/ModelCharter.pdf
A career in internal Audit I am currently a second year student at a We do provide student membership which is Standards & Implementation
university, studying B Com Accounting and I have a reasonably priced for students. Navigate through our Guidance:
keen interest in becoming an internal auditor. website and look at our membership classes and fees.
After completing your B Com; you must go through the Practice Guide:
Internal Audit Technician (IAT) learnership program

40
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
which will assist in fast tracking the learning process in
the internal audit field.
The IIA SA defines an Internal Audit Professional as
someone who has an academic qualification, who has
gone through the IIA SAs structured on-the-job training
program (Professional Training Program), has gone
through a test of competence (IAT, GIA and CIA) and
who is a member of the IIA. These four elements must
be in place as they speak to the Internal Auditor’s
competence and accountability to a code of ethics.
Please go to link http://www.iiasa.org.za/about-
us/about-the-profession/how-do-i-become-an-
internal-auditor.html
Time given to audit clients What is the maximum time to be given to the IIA Standards require that the audit client be given a Standards & Implementation
for provision of auditee to respond to audit findings before reasonable time to respond to audit findings before Guidance:
management comments finalizing the audit report? finalization of the audit report, this is because audit 2420 Quality of Communications
assignments are time based. Such arrangements differ 2440-1 Disseminating Results
from one Internal Audit Activity to the other and these
are usually defined in the engagement letter at the Practice Guide:
beginning of the audit. The assumption is that the Formulating and Expressing
engagement letter is discussed with the audit client Internal Audit Opinions
and it is at this stage that the time frames should be
agreed upon. Should one of the parties not comply
with agreed timeframes, then there should be an
escalation process in place, to assist in resolving such
challenges. These would have been also discussed at
the engagement planning stage. It is not necessary to
delay issuing of the audit report because the client
refuses to provide comments hence escalating the
matter might be considered. Internal auditors are
required by the IIA Standards to communicate in a
manner that is accurate, objective, clear, concise,
constructive, complete and timely.

41
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Accounting for work Is the Audit Manager supposed to take The CAE is responsible for all internal audit Standards & Implementation
completed by accountability for all the audit work done in his or engagements, whether performed by or for the Guidance:
subordinates her department or leave each auditor to be "seen internal audit activity, and all significant professional 2340 Engagement Supervision
to" by the client regarding let's say some of the judgments made throughout the engagement. Through
findings or even the work being done? supervision, the CAE also is accountable for work Practice Guide:
performed by subordinates. Chief Audit Executives —
Please refer to the IIA Standard 2340 – Engagement Appointment, Performance,
Supervision. Evaluation, and Termination
Practice Advisory 2340-1 offers further guidance in this
respect.
Linking risk assessment I am a Trainee Internal Auditor and trying to link The IIA Standards require that the internal audit plan Standards & Implementation
with the 3 year rolling risk assessment with the formulation of a 3 year be risk-based. The results from an enterprise risk Guidance:
plan rolling strategic plan, please assist in this regard. assessment will form the basis of developing a 3 year 2010 Linking the Audit Plan to
rolling strategic plan. This process requires a deep Risk and Exposures
understanding of the risks combined with various other 2010 Using Risk Management
factors and is best to be assigned to a well experienced Process in Internal Audit Planning
internal auditor (Head of Internal Audit or Audit
manager). Practice Guide:
Unfortunately IIA does not have a “manual” to guide Coordinating Risk Management
this process. Approaching the person(s) in your IA unit and Assurance
who are responsible for the development of the audit
plan to brief you on this might be helpful. Perhaps you
can request to assist, as part of your training, when the
next review of the plan is undertaken.
Internal Audit Charter I am in the process of compiling an internal audit Practice Advisory 1000-1 should be used as a Standards & Implementation
charter for my company. What I would like to reference. The IA Charter should also be an agenda Guidance:
know, is whether there is a framework from where item for the Audit Committee to be addressed at least 1000 Internal Audit Charter
I can start? once a year. Any changes that have been made to the
IIA Standards and King III since your last review of the Practice Guide:
Charter should be incorporated to the updated charter.
You can consult the IIA website www.theiia.org for an
example and also surf the net to find examples of
charters which you can then tailor to your specific
needs.

42
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
The following links have got examples of how the IA
Charter should be:
http://www.theiia.org/guidance/standards-and-
guidance/audit-committees-board-of-
directors/internal-audit-department-charter/

http://internal-audit.web.cern.ch/internal-
audit/charter.html

http://www.bis.org/banking/iacharter.pdf
Total score for CIA exam I want to find out about the total score for the CIA The Certified Internal Auditor (CIA) exam comprises of Standards & Implementation
Part 2 Exam. What are the total score/marks three parts. The time allocated as follows: Guidance:
required to pass the exam? • Part 1 – Internal Audit Basics (125 questions in 2.5 1000 Internal Audit Charter
Hours/150 minutes)
• Part 2 – Internal Audit Practice (100 questions in Practice Guide:
2.0 Hours/120 minutes)
• Part 3 – Internal Audit Knowledge Elements (100
questions in 2.0 Hours /120 minutes)
The total mark for each exam part is 800. Candidates
need to score a minimum of 600 (75%) to pass.
Student membership Can I register to become a member of the IIA if I Student membership is possible. For detailed Standards & Implementation
am still a student? information on types of membership, please contact Guidance:
Membership at the IIASA at e-mail:
[email protected] or Fax: 086 685 0160 Practice Guide:
How to retain I have an electronic copy of my working papers Engagement records or working papers are the Standards & Implementation
engagement records and hard copy of the working papers on file. Can I property of the organization. Standard 2330.A2 places Guidance:
only have an electronic version of my working the responsibility to develop retention requirements 2330 Documenting Information
documents or must some documents be printed for engagement records on the Chief Audit Executive.
and filed? This would include the medium, confidentiality and Practice Guide:
safekeeping of the records. Factors like IT and physical
security, accessibility of the records, etc. must be
considered when the retention requirements (policies)
are developed. In this process unnecessary duplication
of records can be avoided. The policies must be

43
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
documented; approved by the CAE and made available
(communicated) to all Internal Audit staff members.
Audit sampling I need assistance in compiling a sampling Sampling in audit is an extremely important element. Standards & Implementation
methodology that can be credible and Not only is it important to utilise the appropriate Guidance:
transparent? sampling method for the particular type of data, it is
also essential to apply the sampling method correctly Practice Guide:
in order to get the required results. It will not be
possible to deal with this matter in detail in this reply
and it recommended that you consult authoritative
literature on this subject.
internal auditors changing How will it impact on my CIA qualification if I A certified internal auditor who is not practicing in the Standards & Implementation
responsibility accept another position (outside internal audit) auditing field who wants to maintain certification Guidance:
within our organisation? should report to the IIA as though he/ she is still
practicing. The only difference is the number of CPE Practice Guide:
hours that are required from a CIA who is no longer Certification Candidate Handbook
practicing which is 20 hours per year (non-practicing)
as opposed to 40 hours per year required for CIA who
are currently practicing. You may go to this link for
more information:
https://na.theiia.org/certification/certification-
candidate-handbook
Materiality when Should materiality be considered when developing Internal auditing should be implemented on a risk Standards & Implementation
developing an audit plan an internal audit plan? based approach because it is aimed at evaluating Guidance:
effectiveness and adequacy of the internal control 1220 Due professional Care
systems to enhance sustainability of the business 2210 Engagement Planning
operation and not with financial statement materiality
as external audit financial attestation does. Standard Practice Guide:
1220.A1 refers to consideration of materiality to which Assessing the Adequacy of Risk
assurance procedures are applied; however this is not Management Using ISO 31000
the only determining factor for raising findings or
deciding on what to audit.
Follow up on findings My Chief Audit Executive does not believe that it is IIA Standard 2500 determines that the CAE must Standards & Implementation
raised internal audit’s responsibility to follow up on establish a follow-up process to monitor and ensure Guidance:
reported findings. Is this the correct approach? that management actions have been implemented 2500 Monitoring Process

44
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
effectively or that senior management has accepted Practice Guide:
the risk of not taking action. GTAG 3: Continuous Auditing:
Practice Advisory 2500.A1-1 describes how this should Implications for Assurance,
be accomplished Monitoring, and Risk Assessment
Internal auditor’s duties Can you send me a job description for a Chief Audit There is a competency framework compiled by IIA that Standards & Implementation
Executive? illustrates different capabilities of different levels Guidance:
among the internal audit profession. IIA has also 1130 Impairment to
published a “How to employ an internal auditor” Independence or Objectivity
article, it will be helpful in identifying what skills and
qualifications are pre-requisite for several audit roles. Practice Guide:
The document will enable you to draw up a job How to employ an internal
description and is obtainable from auditor.
http://www.iiasa.org.za/files/How_to_employ_an_Inte Chief Audit Executives —
rnal_Auditor.pdf Appointment, Performance,
Evaluation, and Termination.
Measuring Internal Audit
Effectiveness and Efficiency.
What can be done if internal auditors are denied A scope limitation is a restriction placed on the internal Standards & Implementation
access to certain information and records when audit activity that precludes the activity from Guidance:
that information forms part of the scope of the accomplishing its objectives and plans. 1130 Impairment to
audit? A scope limitation, along with its potential effect, Independence or Objectivity
needs to be communicated, preferably in writing, to 1110 Organizational
the board. Independence
Restrictions on access to records” is deemed as
“impairment” and therefore MUST be disclosed to the Practice Guide:
audit committee and the Board. The interpretation of Independence and Objectivity
Standard 1130 explains how the appropriate parties
and nature of the impairment should be determined.
Latest version of Where can I obtain the latest version of the If you are a fully paid up member of the IIA, you can Standards & Implementation
standards Standards? call Membership at 011 450 1040 and ask for your Guidance:
international membership number and password. You
can then log onto www.theiia.org and download the Practice Guide:
standards and practice advisories from the
international website. If you are not a member, IIASA
does sell the IPPF book and manual.

45
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Internal Audit Charter Our Internal Audit Charter was reviewed and Internal Audit Charter should be reviewed on a yearly Standards & Implementation
approved by the Audit Committee 18 months ago. basis. Any changes that have been made to the IIA Guidance:
Is it necessary to review the Charter again at this Standards and King III since your last review of the 1000 Internal Audit Charter
stage? Charter should be incorporated to the updated charter.
The IA Charter should also be an agenda item for the Practice Guide:
Audit Committee to be addressed at least once a year.
Evaluation of outsourced Please assist me with a template for the evaluation IIASA does not have a template for this purpose as yet. Standards & Implementation
internal audit of our outsourced Internal Audit.? I suggest you download the document on the following Guidance:
website: 2030 Resource Management
http://www.iiasa.org.za/files/How_to_employ_an_Inte 2340 Engagement Supervision
rnal_Auditor.pdf
You need to ensure that your requirements are Practice Guide:
specified in detail in the contract and that the How to employ an Internal
ownership of all the working papers resides with your Auditor
organisation.
A template for the evaluation can be compiled from
the deliverables specified in the outsource agreement.
Standard audit procedure Can you help me with standard audit procedures The municipality operates based on the Municipal Standards & Implementation
for a municipality for a municipality? Finance Management Act. Internal Auditors in a Guidance:
municipal environment would still be expected to
perform duties that are generic to all other internal Practice Guide:
audit functions as mandated in section 165 of the
MFMA which states that each municipality and each
municipal entity must have an internal audit unit that
prepares a risk-based audit plan and an internal audit
program for each financial year and advises the
accounting officer and reports to the audit committee
on the implementation of the internal audit plan and
matters relating to
(i) internal audit;
(ii) internal controls;
(iii) accounting procedures and practices;
(iv) risk and risk management;
(v) performance management;
(vi) loss control; and

46
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
(vii) compliance with this Act, the annual Division of
Revenue Act and any other applicable legislation;
Internal audit must perform such other duties as may
be assigned to it by the accounting officer. There are
no audit procedures that are unique to the municipal
environment; however the general audit procedures
for any operational process should be scrutinized to
validate their applicability to the municipal
environment as it would be necessary in any other
environment.
Internal Auditor I am an Internal Auditor at XX organisation and I Internal Auditors including CAEs are required to always Standards & Implementation
performing non audit have been requested by a Director, who is a adhere to the Standards and Guidance of the Institute Guidance:
functions member of the Bid Adjudication Committee, to of Internal Auditors (including Practice Advisories). If an 1130 Impairment to
represent him in an upcoming Committee meeting. auditor is instructed to assume the responsibility of Independence or Objectivity
Should I agree/accommodate? management in any situations such as the following:
• Holding the Chief Financial Officers role; Practice Guide:
• Sitting in a bid evaluation committee representing Formulating and Expressing
management Internal Audit Opinions
• Chairing a disciplinary hearing
It appears as though independence and objectivity on
the operational responsibilities carried out has been
impaired. If the operational responsibilities carried out
or part thereof, has been included in the internal audit
plan, the auditor who assumed the responsibility and
the staff reporting to the auditor in question may not
audit that operation.
Before the auditor accepts the operational
responsibility, it should be explain to the Accounting
officer or assigning management what the impact of
assuming a management role is. If the non-audit
management function is carried out, the auditor in
question or the staff reporting to the auditor in
question may not audit the operation in question. The
CAE should minimize the impairment to objectivity by
using a contracted, third party entity or external

47
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
auditors to complete audits of the operations that had
been assigned to the auditor in question.
In “conformance” with Will it be correct to state that an engagement has Within five years of start-up of an internal audit activity Standards & Implementation
the standards been performed “in conformance with the the conformance phrase can be used provided the Guidance:
Standards” even though the Internal audit Activity internal audit activity has an internal quality 1320 Reporting on the Quality
has not successfully undergone a QAR? assessment improvement programme and has Assurance and improvement
reported on this status being a “Generally Conforms” program
(GC) to the Audit Committee or Board. 1321 Use of "Conforms with the
The external QAR needs to be performed in year 5 or International Standards for the
earlier. Professional Practice of Internal
Thereafter, the use of the conformance phrase is not Auditing"
appropriate until an external review has demonstrated
that the internal audit activity is in General Practice Guide:
Conformance with the Definition of Internal Auditing, Quality Assurance and
The Code of Ethics and the Standards. Improvement Program
Instructions for inventory I need set of instructions for inventory count. IIA does not keep any programme that details how to Standards & Implementation
count conduct inventory counts. This information might be Guidance:
available on the internet if you “Google” it.
If this was intended to get an audit program on how to Practice Guide:
audit a stock counting exercise, IIA does not keep audit
program for any specific topic or exercise; it is
recommended though that you go to internet sites
such as www.auditnet.org that normally keep audit
program for specific processes.
Can you advise me on report writing? • Structure Internal Audit produce reports for many levels of Standards & Implementation
supportive of the content of report writing organisational use, some to be distributed to the Audit Guidance:
• The ABC of report writing Committee, executive management and others to 2020 Communication and
lower levels of management. The structure of reports is approval
not prescribed as different information may be 2060 Reporting to Senior
required to be conveyed to the various levels of users Management and the Board
of such reports. For instance, the Audit Committee may 2400 Communicating
only require high level graphic type input, the executive 2410 Criteria for Communicating
more detail of the strategically significant control 2421 Errors and omissions 2430
breakdowns that they need to manage and ensure are Use of "Conducted in accordance
with the International Standards

48
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
addressed and lower levels of management the specific for the Professional Practice of
issues that need attention. Internal Auditing"
Elements of the reports to consider at each Level: 2431 Engagement disclosure of
• BOARD Non-conformance
• Executive summary of the results of the audit 2440 Disseminating results
• Scope limitations
• Graphic Trend Analysis Practice Guide:
• Level of assurance that board can take from the Formulating and Expressing
audit results Internal Audit Opinion
• Significant issues arising (not only materiality) that
could hinder achievement of organisational
objectives
• Impact of findings on strategic organisational risk

Section 2: Compliance
1.1 Effective sizing of the Can IIA SA please provide me with the benchmark It is advised that the CAE conduct some research on Standards & Implementation
internal audit activity. that may be used as a sector-specific sizing of this matter, sources such as the Ikutu report and also Guidance:
internal audit unit? participate in studies like GAIN. IIA SA does not have 1210 Proficiency
any benchmarking information other that those 2030 Resource Management
mentioned in the paragraph above. The structure and
size of the IAA is very much dependent on the factors Practice Guide:
such as the following: How to Employ an Internal
∙ The complexity of the processes to be audited Auditor
∙ Whether the IAA will be outsources or in-house
∙ The amount of work that the organisation expects IAA
to carry out as far as evaluating controls is concerned
∙ Economic resources and more

The CAE is advised to attend activities such as forums,

conferences, CAE breakfast that are normally organised
by the IIA SA in order to network with other CAEs and
possibly learn how other IAA are structured and
functioning. When this exercise is carried out, matters
such as effectiveness and efficiency of the IAA should
be considered. For an example, if one organisation was

49
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
to copy the size of another, the sizing might not be
appropriate for the organisation; where the
circumstances, work load and management’s
expectations of the IAA are different.
Organisational Structure Can IIA SA please provide me with the structure The Public Finance Act (PFMA) and the Municipal IPPF: STANDARDS AND PRACTICE
for IAA that our internal audit activity should adopt? We Finance Management Act (MFMA) and relevant ADVISORIES: 1210 Proficiency
are a small organisation in the public sector and Regulations (Treasury Regulations) do require that all
just in the establishment phase and want to make Public Entities and Municipalities must have an internal PRACTICE GUIDES: Developing
sure that we comply with the IIA standards? audit function (it can be outsourced) and that the audit the Internal Audit Strategic Plan
work must be performed in conformance with the
International Standards for the Professional Practice of
Internal Auditing (IPPF) which are generally known as
IIA Standards. IIA SA does not have a distinct structure
that can be recommended for IAA to follow as the
compilation of the structure would be dependent on
factors such as the following: The complexity of the
processes to be audited Whether the IAA will be
outsources or in-house The amount of work that the
organisation expects IAA to carry out as far as
evaluating controls is concerned Economic resources
and more It is advised that the CAE conduct some
research on this matter, IIA SA can then help in
reviewing the structure that the municipality is
deciding to implement and provide support and advise
on whether the structure selected will not impact
negatively on conformance to the Standards. The CAE
is advised to attend activities such as forums,
conferences, CAE breakfast that are normally organised
by the IIA SA in order to network with other CAEs and
possibly learn how other IAA are structured and
functioning. When this exercise is carried out, matters
such as effectiveness and efficiency of the IAA should
be considered. For an example, if one municipality was
to copy the size of another municipality, the sizing
might not be appropriate for the municipality; where

50
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
the circumstances, work load and management’s
expectations of the IAA at the municipality differ.
Can audit firms go My firm renders internal audit services to The IIA SA does not provide a quality assurance status IPPF: STANDARDS AND PRACTICE
through external organisation that have outsourced to service providers of ADVISORIES: 1300
assessments part or the whole of IA function. I would like IIA to internal audit services. The primary reason for this is Quality Assurance and
conduct a QAR on my that an organisation that Improvement Program PA 1312-1
organisation. should have an internal audit activity would have an External Assessments
individual in the
organisation with the knowledge and ability to manage PRACTICE GUIDES: Quality
the outsourced service. Assurance and Improvement
This individual is accountable to the organisation’s Program
governance structures and as
such a quality assurance status can only be provided
over the work performed in
that particular instance. No blanket status assessments
will be made.
Standard 1300 – Quality Assurance and Improvement
Program requires the chief
audit executive to develop and maintain a quality
assurance and improvement
program (QAIP) that covers all aspects of the internal
audit activity.
A quality assurance and improvement program is
designed to enable an
evaluation of the internal audit activity’s conformance
with the Definition of
Internal Auditing and the Standards and an evaluation
of whether internal
auditors apply the Code of Ethics. The program also
assesses the efficiency and
effectiveness of the internal audit activity and identifies
opportunities for
improvement. QAIP is an ongoing and periodic
assessment of the entire spectrum

51
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
of audit and consulting work performed by the internal
audit activity; it includes
both the internal and external assessments.
Accreditation of audit I am a member of IIA and have got a firm that has No, IIA SA does not accredit firms. Standard 1312- IPPF: STANDARDS AND PRACTICE
firms by IIA been newly established. I External Assessments is ADVISORIES:
would like to know whether IIA is able to accredit applicable to an internal audit activity (IAA) and not on 1300 Quality Assurance and
firms that conduct external the service provider to Improvement Program
assessments on Internal Audit functions and what whom the internal audit services have been PA 1312-1 External Assessments
procedure must I follow to be outsourced. As part of the external
accredited. review, a thorough evaluation of working papers and PRACTICE GUIDES:
discussions with the Quality Assurance and
executive management as well as the audit committee Improvement Program
of the organisation in
which the external assessment is conducted; is carried
out amongst other things.
It would then be impractical to conduct such an
evaluation on a firm as these
governance structures would not be present. If a firm
has its own internal audit
function, then Standard 1312 apply.
IIA SA is the sole provider of the quality assurance
speciality course which is
recommended for people who conduct external
assessments. Candidate who have
completed the course with IIA SA receive certificate
that confirms the
candidate’s competence in the following areas:
Advanced knowledge about the new Professional
Practices Framework,
including the International Standards for the
Professional Practice of Internal
Auditing.
Understanding the Quality Assurance Standards and
the mandatory external
assessment requirements.

52
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
State-of-the-art quality assessment techniques and
processes
Best practices and key benchmarking criteria that
separate top performing
internal audit activities from the rest of the pack
Preparing the IAA in which they are serving for a future
external assessment
Exploration of Self-Assessment with Independent
Validation option
QAR for audit firms Do audit firms need to have a QAR done similar to Quality Assessment Reviews in all internal audit IPPF: STANDARDS AND PRACTICE
the in-house functions? activities (IAAs) functions must ADVISORIES:
We are an audit firm rendering internal audit be conducted at least once every five years by a 1300 Quality Assurance and
services to clients and report to qualified, independent reviewer Improvement Program
the client’s audit committee. or review team from outside the organization. PA 1312-1 External Assessments
The external assessment (QAR) covers a number of
aspects such as the PRACTICE GUIDES:
following: Quality Assurance and
Assessment of IAA’s conformity to The IIA’s Improvement Program
International Standards for the
Professional Practice of Internal Auditing (Standards)
and Code of Ethics,
Evaluation of the IAA’s efficiency and effectiveness in
carrying out its
mission (as set forth in its IA charter, negotiated with
management and
approved by the Audit Committee)
Offering advices and recommendations to enhance the
management and
work processes of the IAA, as well as its value to the
organisation, where
appropriate and to
Assisting the IAA in its pursuit of adding value and
consulting services.
It is not possible to measure all these on an audit firm
as there would be no

53
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
governance structures in place. The audit firms
therefore do not have to, the
QAR can only be on the Internal Audit function. Work
that has been outsourced
or co-sourced to Audit Firms is reviewed as part of the
audit work performed
and the opinion on the outcome of the QAR will then
be expressed for the
internal audit function not the audit firm.

Access to Internal Audit I want to know if internal audit reports can be Engagement records or working papers are the IPPF: STANDARDS AND PRACTICE
reports made available to third parties property of the organization and ADVISORIES:
or service providers. We are in a position where a should be retained in a way that is consistent with the 2330 Documenting Information
client insists on having access regulations applicable to PA 2330.A1-1 Control of
to the company’s internal audit reports. We feel the environment. The Companies Act 2008 Part C that engagement records
that this could potentially open deals with Transparency,
us up to penalties and fines. How can we avoid Accountability and Integrity of companies explains how 2330 Documenting Information
doing this? the records must be PA 2330.A2 Retention of Records
dealt with. The Board also has got the responsibility to
Standard 2330.A2 places the responsibility to develop
retention requirements
for engagement records on the Chief Audit Executive.
This would include the
medium, confidentiality and safekeeping of the
records. Factors like IT and
physical security, accessibility of the records, etc. must
be considered when the
retention requirements (policies) are developed. In this
process unnecessary
duplication of records can be avoided. The policies
must be documented;
approved by the CAE and made available
(communicated) to all Internal Audit
staff members.

54
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Job description for QAR May you please assist me with job descriptions for Quality Assurance Assessor should be assisting the CAE IPPF: STANDARDS AND PRACTICE
officer QAR senior audit specialists? in developing and ADVISORIES:
maintaining a quality assurance and improvement 1300 Quality Assurance and
program that covers all Improvement Program
aspects of the internal audit activity. This is interpreted
as developing a quality 1310: Requirements of the
assurance and improvement program that is designed Quality Assurance and
to enable 1) an evaluation Improvement
of the internal audit activity’s conformance with the Program.
Definition of Internal
Auditing and 2) an evaluation of whether internal 1311: Internal Assessments.
auditors apply the Code of
Ethics. 3) The program also assesses the efficiency and 1312: External Assessments.
effectiveness of the
internal audit activity and identifies opportunities for 1320: Reporting on the Quality
improvement. Assurance and Improvement
Since the evaluations are conducted on an internal Program.
audit activity, it is of utmost
importance that this role is given to someone who has 1321: Use of “Conforms with the
an internal audit International Standards for the
background and preferably at a skilled or senior level. Professional Practice of Internal
In compiling a job Auditing.”
description, there is a competency framework
compiled by IIA that illustrates 1322: Disclosure of Non-
different capabilities of different levels among the conformance.
internal audit profession. IIA
has also published a “How to employ an internal PRACTICE GUIDES:
auditor” article, it will be helpful Quality Assurance and
in identifying what skills and qualifications are Improvement Program
prerequisite for several audit
roles.
Attending a QAR course that is offered by IIA will also
be essential so that the
person gains an insight on the methodologies to be
used and it would also be

55
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
beneficial to conduct a QAR with one of the
experienced QAR team leaders, even if
it is on a voluntary basis to gain practical knowledge
from first-hand encounters.

Section 3: Governance
Combined Assurance Whose responsibility is it to manage the The activities internal audit will take in relation to Standards & Implementation
implementation of the combined assurance model combined assurance would need to be defined Guidance:
in an organisation? (Institute of Directors in Southern Africa) in the internal
audit charter (Standard 1000.A1) of the organization Practice Guide:
and consequently would have a bearing on the Audit
Committee, Risk Committee and possibly the Board
charters, as the Board may choose not to delegate all
the combined assurance activities of internal audit to
the Audit Committee.
IIA Standard 2050 states “The Chief Audit Executive
should share information and coordinate activities with
other internal and external providers of relevant
assurance and consulting services to ensure proper
coverage and minimise duplication of efforts”.
Internal audit activities are ideally positioned to assist
the Board in discharging its responsibilities with regard
to Combined Assurance and can therefore coordinate
all assurance provision to the Board. This is supported
by the IIA standard 2050, which refers to the CAE’s
responsibly to coordinate the activities of other
assurance and consulting services.
This view is further supported by the King III report
which recognises the Internal Audit as a key assurance
provider on matters of risk management and systems
of internal control and also recommends that Internal

56
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Audit should play a pivotal role in the combined
assurance model.
Effective Audit committee Please assist I require an Internal Audit Function/ Yes there is a guideline issued by the King Committee Standards & Implementation
Department evaluation document for our Audit available on www.iod.co.za and also the IIA has Guidance:
committee? published a framework in 2009 that can also assist to
prepare the report. Practice Guide:
http://c.ymcdn.com/sites/www.iodsa.co.za/resource/c King III Report on Corporate
ollection/24CB4885-33FA-4D34-BB84- Governance
E559E336FF4E/KingIII_Ch7_Example_Evaluation_of_Int
ernal_Audit_June2009.pdf
Skills audit committee What is the minimum criteria would one expect to Audit committee members should collectively be Standards & Implementation
should have have in an expert who is contracted to attend AC financially literate and understand the business well. Guidance:
meeting of a revenue authority, but is not a They should at least have a balance between the
member and an official of the organisation? business’ operational knowledge and control-risk Practice Guide:
understanding. It is really not easy to tell what skills Interaction with the Board
exactly because it depends on the core business of the
organization. Audit Committee cannot be made up by
financial gurus only, if this would be the case then the
other governance which is on non-financial aspect will
suffer in the business.
Absence of audit I am currently working as an Internal Auditor at a This information is limiting as I do not know all the Standards & Implementation
committee at the branch Branch of an international bank. The branch does facts. No matter how small or big the internal audit Guidance:
level not have its own audit committee nor does it have activity is, independence and objectivity must be
non-executive members in any of its committees upheld. Assuming that there is an audit committee at Practice Guide:
such as the Risk Committee and Executive the Head Office level, internal auditor at the branch
Committee. Who else can I report to ensure should be reporting administratively to the Branch
Internal Audit's independence? manager and functionally to the audit committee at
the head office level.
King III code and Report We are planning to issue an integrated report as The Institute of Directors in Southern Africa (IoDSA) has Standards & Implementation
per king III for the first time this financial year, and released an amendment to the King Code of Guidance:
not sure where to start, is there any course that Governance for South Africa 2009 and the King Report
you can recommend or any support that you can on Governance for South Africa 2009 (collectively Practice Guide:
offer? referred to as King III). King III is available from the
Institute of Directors only. Visit www.iodsa.co.za for

57
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
more information. You may contact them directly to
establish if there are sample of these reports.
Effectiveness of audit The audit committee (AC) term expires on 31 For the period between 31 March 2012 and 30 April Standards & Implementation
committee March 2012. However the new AC will be 2012 when the AC will be appointed, there will be no Guidance:
appointed by 30 April 2012. The next meeting governance committee. This is risky as there might be a
scheduled AC is 29 May 2012.Will it be unlawful if governance matter that needs immediate Practice Guide:
we do not have an AC for this short period or consideration and there will be no one to attend to it.
should we extend the term of the existing AC until It is better to renew the existing AC contract until 30
we appoint? April 2012 when the new appointment is effected.
Effectiveness of audit Is there where can I find guidance on the format Yes there is a guideline issued by the King Committee Standards & Implementation
committee and extent of the written assessment to the audit available on www.iod.co.za and also the IIA has Guidance:
committee regarding the effectiveness of internal published a framework in 2009 that can also assist to
controls and risk management as required by the prepare the report. Practice Guide:
principles of King III?
Kaw requiring Which law or statutory requirements, apart from The Public Finance Act (PFMA) and the Municipal Standards & Implementation
establishment of internal the IIA, exist that requires the establishment and Finance Management Act (MFMA) and relevant Guidance:
audit activity quality assessment of an internal audit Regulations (Treasury Regulations) do require that all
department? Public Entities and Municipalities must have an internal Practice Guide:
audit function (it can be outsourced) and that the audit
work must be performed in conformance with the
International Standards for the Professional Practice of
Internal Auditing (IPPF).
The Companies Act requires that the audit committee
should receive and deal appropriately with any
concerns or complaints, whether from within or
outside the company, or on its own initiative, relating
to (i) the accounting practices and internal audit of the
company. One other requirements (Comply or explain
approach - voluntary) is that of the King report on
Corporate Governance (King III), which applies to all
entities regardless of the manner or form of
incorporation or establishment, however includes the
positioning of Internal Audit as a strategic function and
the King Code recommends that the Internal Audit

58
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Function should adhere to the IIA Standards and Code
of Ethics.
King II Code and Report Can you please assist me with an example of the Practice notes for King III is found on the IOD website Standards & Implementation
Integrated Report that King III refers to? www.iodsa.co.za Guidance:
The Audit Committee Forum website www.acf.co.za
also gives guidance on King III for audit committee Practice Guide:
reporting purposes.
Questionnaires for Is there an existing questionnaire that you IIA IIASA does not have a questionnaire for this purpose. I Standards & Implementation
conducting surveys provide for the purpose to conduct a survey to suggest that you consult King III and see the questions Guidance:
determine how staff perceives Corporate that need to be answered by the Board and generalise 1111 Board Interaction
Governance in our organisation? it for staff purposes. You may also read through the 2110 Governance
books on how to conduct research for further
information on compilation of a questionnaire. Practice Guide:
Interaction with the Board
King II Code and Report I need a copy of King III, where can I get it? The Institute of Directors in Southern Africa (IoDSA) has Standards & Implementation
released an amendment to the King Code of Guidance:
Governance for South Africa 2009 and the King Report
on Governance for South Africa 2009 (collectively Practice Guide:
referred to as King III). King III is available from the
Institute of Directors only. Visit www.iodsa.co.za for
more information.

Section 4: Information Technology

IT audits are denied What can be done if IT auditors are denied access A scope limitation is a restriction placed on the internal Standards & Implementation
access to certain to certain information and systems when that audit activity that precludes the activity from Guidance:
information and records information forms part of the scope of the audit? accomplishing its objectives and plans. 1130 Impairment to
A scope limitation, along with its potential effect, Independence or Objectivity
needs to be communicated, preferably in writing, to 1110 Organizational
the board. Independence
Restrictions on access to records” is deemed as
“impairment” and therefore MUST be disclosed to the Practice Guide:
audit committee and the Board. The interpretation of Independence and Objectivity
Standard 1130 explains how the appropriate parties
and nature of the impairment should be determined.

59
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Internal audit Planning Should IT audit use hour-based measurements Internal auditors including IT auditors must determine Standards & Implementation
when compiling a plan as this is not regulated by appropriate and sufficient resources to achieve Guidance:
any known standard? engagement objectives based on an evaluation of the 2010 Planning
nature and complexity of each engagement, time
constraints, and available resources. Time is a very Practice Guide:
crucial factor that internal auditors must manage in Measuring Internal Audit
order to efficiently complete the plan. It is best practice Effectiveness and Efficiency
to use time-based measurement in monitoring and
managing IA activities if it were not time-based. When
each project is planned and allocated hours, it makes it
easier for the CAE to keep track of the work and
identify challenges that adversely affect audit plan.
When audit assignments are not completed within the
planned hours, the CAE can also adjust the preceding
year’s plan accordingly taking into consideration the
challenges that caused delays and whether these
challenges have been rectified.
Materiality when Should IT auditors apply materiality guidelines Yes, materiality should be considered when assessing Standards & Implementation
assessing risk on an IT when assessing risk impact of audit focus areas? all kinds of risks. This process is clearly explained in the Guidance:
audit plan COSO framework on the webpage link: 1220 Due professional Care 2210
http://www.coso.org/documents/volumeiii- Engagement Planning
applicationtechniques.pdf
Materiality can have qualitative and/or quantitative Practice Guide:
aspect. This refers to the notion that a misstatement or Assessing the Adequacy of Risk
omission of information can be significant to the users Management Using ISO 31000
due to the nature, rather than the size, thereof. An
example is an important disclosure that is omitted from
the organisational report.
Materiality is quantified and considered twice during
the audit process: first during the planning phase of the
audit (when it is referred to as "planning materiality"),
and second during the concluding phase of the audit
(when it is referred to as "final materiality").
Standard 1220.A1 refers to consideration of materiality
to which assurance procedures are applied; however

60
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
this is not the only determining factor for raising
findings or deciding on what to audit.
Crucial skills for IT I am a newly appointed CAE and have been given IT auditors are internal auditors who specialise in Standards & Implementation
auditors the authority to create IT audit unit that will report computer auditing and like other internal auditors they Guidance:
to me. I want to groom some of the auditors I are required to abide by the International Professional
already have in my team but do not know how to Practices Framework issued by Institute of Internal Practice Guide:
shortlist or even to recommend further training for Auditors.
them. WHAT SKILLS DO PROSPECTIVE IT AUDITORS NEED?
IT auditors should have certain characteristics
important to a successful IT audit career. They should
have IT, financial, and operational audit experience,
according to Reinhard who sums up these
qualifications by saying "The ideal IT auditor should be
able to discuss IP routing with the network folks in one
hour and financial statement disclosures with the
controller in the next."
Reinhard further presents the following as a general list
of attributes over and above communication and other
soft skills that are crucial:
• Basic audit skills. Basic audit certifications are
needed, including the Certified Public Accountant
or Certified Internal Auditor designations.
• Desire to understand technology. A genuine
interest in all things technical usually preceded a
decision to go into IT auditing.
• Educational background in computer science or
related field. The growing complexity and
vulnerabilities of computer networks requires that
all auditors have some degree of technical
expertise.
• Communication skills. Many internal auditors, and
especially IT auditors generally lack good
communication skills, according to Davis. "IT
auditors need to remember their geek-speak, but
also brush up on their business argot. IT auditors

61
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
need to speak the language of all your
stakeholders so they can translate complex
technical problems into quantifiable business
decisions."
• Ability and willingness to train others in general IT
audit skills. Because much of what IT auditors
learn is through on the job training, IT auditors
must be able to train co-workers and subordinates
in the fast-paced environment of IT auditing.
• The ability to understand new technologies in a
short-time period. With the meteoric rise in new
technologies, coupled with the increasing
sophistication of hackers, IT auditors must be able
to stay on top of the most current trends.
WHAT CERTIFICATIONS DO IT AUDITORS NEED?
There is a wide range of ever-evolving technology skills
and certifications. Even an auditor with extensive
experience will most likely need certifications to back
up that knowledge, according to Prentice. Below are
some of the more general certifications: Certified
Information Systems Auditor (CISA): ISACA's globally
recognized cornerstone certification for IS, audit,
control, assurance, and security professionals who
control, monitor, and assess an organization's
information technology and business systems. This is
considered the current industry standard for IT
auditors.
• Certified Information Systems Security
Professional (CISSP): An independent information
security certification governed by the
International Information Systems Security
Certification Consortium, also known as ISC²,
which provides security training to information
assets.

62
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
• Certified Information Security Manager (CISM):
ISACA's certification program for those who
manage, design, oversee, or assess an enterprise's
information security.
• Microsoft Certified Systems Engineer (MCSE):
Microsoft's certification in designing and
implementing infrastructure based on Microsoft
Windows 2000 platform and Windows Server
System.
IT auditing also demands an area of expertise within
overall frameworks such as ISO 27001 and ISO 27002
[formerly ISO 17799]. Certified Fraud Examiner (CFE)
certification also gives one credibility in areas of
concentration e.g. fraud and forensics.
IT auditors performing I am an IT audit specialist, in the Internal Audit IT auditors are internal auditors who specialise in Standards & Implementation
consulting and advisory department of my company. I was recently asked computer auditing and like other internal auditors their Guidance:
functions to be involved in testing of the disaster recovery role in processes such as in the involvement in the 1130 Impairment to
plan (DRP) that IT was performing. Being part of disaster recovery testing should not be that of taking Independence or Objectivity
Internal Audit, what should be the extent of my responsibility for implementation of any part of the
involvement in DRP? DRP, but rather that of advisory, which conforms to Practice Guide:
consulting services. Formulating and Expressing
The Standards define consulting services as advisory in Internal Audit Opinions
nature, and are generally performed at the specific
request of an engagement client. The nature and scope
of the consulting engagement are subject to an
agreement with the client. Consulting services
generally involve two parties: (1) the person or group
offering the advice - the internal auditor, and (2) the
person or group seeking and receiving the advice - the
engagement client. When performing consulting
services the internal auditor should maintain
objectivity and not assume management responsibility.
The sign off should however not in any way imply that
you are certifying that the system is successful , but
should be clear that you observed the process and at

63
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
the time of concluding the engagement management
provided assurance that it is working. You can only give
such opinion not sign-off after you have audited the
area and performed tests that substantiate that the
DRP is operating as intended.
Framework for IT auditing I am a newly appointed CAE and have been given IT auditors are internal auditors who specialise in Standards & Implementation
the authority to create IT audit unit that will report computer auditing and like other internal auditors they Guidance:
to me. Is there any framework that I should be are required to abide by the International Professional
using in order to effectively manage this new unit? Practices Framework issued by Institute of Internal Practice Guide:
Auditors. Global Technology Audit Guide
When it comes to the technicalities of IT auditing, (GTAG®) 17 Auditing IT
COBIT 5: A Business Framework for the Governance Governance
and Management of Enterprise may be used as it
guides the activities and approach of the IT audit unit.
COBIT 5 is the latest edition of ISACA’s globally
accepted framework, providing an end-to-end business
view of the governance of enterprise IT that reflects
the central role of information and technology in
creating value for enterprises. The principles, practices,
analytical tools and models found in COBIT 5 embody
thought leadership and guidance from business, IT and
governance experts around the world. COBIT 5 is based
on five key principles for governance and management
of enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to- End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Management
COSO has also been widely accepted as the framework
for all internal control–related attest engagements, and
especially applicable for an audit of financial
statements. However, the market changed with SOX
404, and the introduction of ever-onerous
requirements on IT controls has made COBIT a popular

64
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
framework. Today’s auditors are more comfortable
with the IT concepts, whereas COSO is more general;
COBIT is more granular in its IT approach.

Section 5: Risk Management Jonathan

Can CFO be made to be a According to principle 4.4 of King 3 the CEO may The ideal situation would be to separate the roles PRACTICE GUIDES:
Chief Risk Officer appoint a CRO to assist however the role of the CRO Coordinating Risk Management
with the execution of the risk management can be fulfilled by any executive manager in your and Assurance
process. Keeping this in mind, 1.) organisation. The total process
whom typically is the correct individual in a listed of risk management, which includes a related system of
company to fulfil the role of internal control, is the
Chief Risk Officer?, and 2.) Is there any specific responsibility of the Board according to Principle 2.2 of
reason/s why the CFO King III Report.
can/should not also perform this function? Management is accountable to the Board for designing,
implementing and
monitoring the process of risk management, and
integrating it into the day-today activities of the
company. Management is also accountable to the
Board for
providing assurance that it has done so. According the
IIA Three lines of defence
model (see attached) risk management is a second line
of defence. Should the
responsibility reside with the CFO, there will be limited
level two independent
assurance to the Board as the CFO in his normal activity
is a level one assurance
provider. If the CFO acts as risk manager effectively,
he/she will be referee and
the player.
A Chief Risk Officer (CRO) should be appointed to
coordinate the risk
management activities, fully integrate activities of the
risk functions and jointly

65
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
identify, assess potential risks facing your organisation
and jointly determine
optimal treatment for risks. The (CRO) will perform
following functions:
Act as a coach to management by assisting them in
designing and
implementing suitable risk management framework
and regularly review
such systems for appropriateness and effectiveness;
Encouraging and creating awareness of risk
management throughout your
organisation;
Monitor the company wide risk profile and ensure that
major risks are
identified and reported upwards;
Ensuring consistency in evaluation and reporting of
risks throughout your
organisation;
Assist the board in fulfilling the corporate governance
responsibilities;
Assist in the execution of the approved risk
management process;
Not responsible for risk, but facilitates challenges and
drives the integrated
approach;
May have authority for managing a selection of
significant risk types;
Is a member of the risk management committee and
reports to the CEO and
Audit and Risk Committee;
Oversees the corporate risk management function and
is the ultimate
champion of the corporate risk management
framework process.

66
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
The following are some of the benefits of integrated
risk management:
Focus on corporate objectives; maximum coverage of
high risks;
Elimination of focus on low risks; elimination of gaps
and duplication;Performance improvement embedded
across risk functions that focus on
effectiveness and efficiency.

Impact of conducting risk “The accounting officer and the executive team When internal audit conducts a risk assessment, it can IPPF: STANDARDS AND PRACTICE
assessments have taken into consideration, a be either in a facilitative ADVISORIES:
high-risk assessment report conducted and issued manner as part of risk management or in risk 2120 Risk Management
by Internal Audit and assessment that will be used for PA2120-1 Assessing the adequacy
decided to place the some officials on special leave purposes of audit planning. of risk management processes
as announced by the Standard 2010 raises a need for internal auditors to
department’s spokesperson. “This is to allow for an have adequate knowledge PRACTICE GUIDES:
investigation to be about management of risks in an organisation in order Coordinating Risk Management
conducted on matters arising from the internal to be able to provide and Assurance
audit.” he reasoned. I would assurance to the Board by determining whether risks
like to know 1) if someone's suspension can be are being managed
based on a "risk assessment appropriately in relation to the risk appetite and
report" and 2) What "High-Risk-Assessment" strategy as set in organisational
report is, as opposed to the policies and/or frameworks.
Risk Assessment report. Has the IIA come across On the other hand, COSO explains that risk assessment
this concept in professional follows event
literature? identification and precedes risk response. The purpose
is to assess how big the
risks are, both individually and collectively, in order to
focus management’s
attention on the most important threats and
opportunities, and to lay the
groundwork for risk response. Risk assessment is about
measuring and
prioritizing risks so that risk levels are managed within
defined tolerance

67
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
thresholds without being over controlled or forgoing
desirable opportunities.
The CAE should communicate the results of the risk
assessment to the senior
members of management and to the Audit Committee/
Board. It is purely a
prerogative of the senior management and the Board
to decide on actions to be
taken following the results of the risk assessment.
The disciplinary procedures are a prerogative of
management and should be
clearly set out in a policy and procedure. Management
can decide to what level
of detail they would like to define actions to be taken
against employees who
breaches company policies, company code of conduct
and ethics.
The details of this scenario are not clear enough, but
consider the following:
a) Risk assessment report – was this a review of the risk
process, in which case
one could probably find and argue reason for
suspension under a)b) Risk assessment report – if this
was merely a risk facilitation, it is not clear
what the logic would be for a suspension.
c) Risk assessment report – was this maybe a follow-up
on a previous risk
assessment that was done where certain issues had to
be addressed and
risks managed and due to non-action of the agreed
measures certain risks
materialised that caused harm to the Department. In
this case one could
argue something under a) above.

68
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
A risk assessment identifies the likelihood of something
going wrong and the
impact thereof on the organization or the specific
process; it therefore is not a
confirmation of something that has gone wrong. This
would have been different
if there was audit evidence to substantiate the audit
finding and based on that,
people got suspended. Once the audit evidence shows
something like gross
negligence or fraud, it would be a matter of tabling
audit evidence that is
sufficient, but not a risk assessment.
It is not clear if ‘high risk assessment’ as asked refers to
normal risk assessment
or perhaps to strategic risk assessment. IIA SA has
neither come across nor
developed practice guide where this phrase was used.
Risk rating - finding rating I work in a complex environment and whenever I I work in a complex environment and whenever I raise IPPF: STANDARDS AND PRACTICE
raise findings, management findings, management ADVISORIES:
do not accept the ratings of findings and always do not accept the ratings of findings and always want 2130 Risk Management
want to be shown where the to be shown where the PA2130-1Assessing the Adequacy
rating came about. Is there a matrix that rating came about. Is there a matrix that summarizes of Control Processes
summarizes how audit findings how audit findings 2010 Planning
should be rated should be rated. When an auditor raises findings, at a PA2010-2 Using the Risk
very basic level each finding should have management Process in Internal
criteria, risk, root cause and an effect. The risk should Audit
be rated according to the 2600 Communicating the
organisational ratings scales as stipulated in the risk Acceptance of Risks
policies. The internal
auditor should rate the findings in line with the residual PRACTICE GUIDES:
risk to show that the Coordinating Risk Management
mitigating controls have been taken into consideration. and Assurance
IA role where there is no What role should IAA play in an instance where an The internal audit plan must be risk based, which IPPF: STANDARDS AND PRACTICE
ERM organisation does not means that internal audit ADVISORIES:

69
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
have any risk management framework or plan? planning needs to make use of the organizational risk 1130 Impairment to
management process, Independence or Objectivity PA
where one has been developed. In planning an 1130-1 Impairment to
engagement, the internal auditor Independence or Objectivity
considers the significant risks of the activity and the
means by which 1130 Impairment to
management mitigates the risk to an acceptable level. Independence or Objectivity
When an organisation does not have a risk PA 1130.A1-1 Assessing
management unit, the internal Operations for Which Internal
auditor uses risk assessment techniques in developing Auditors
the internal audit Were Previously Responsible
activity’s plan and in determining priorities for PA 1130.A2-1 Internal Audit’s
allocating internal audit Responsibility for Other (Non-
resources. Risk assessment is used to examine audit)
auditable units and select areas Functions
for review to include in the internal audit activity’s plan
that have the greatest PRACTICE GUIDES:
risk exposure. It is worth noting that ERM is broader Independence and Objectivity
than risk assessment that Coordinating Risk Management
internal audit does, expecting internal audit to account and Assurance
for risk management
would be an unrealistic expectation and has a potential
to significantly impair
internal audit’s objectivity.
Managing risks is management responsibility and may
impair the objectivity of
the internal audit activity. Internal Auditors including
CAEs are required to
always adhere to the Standards and Guidance of the
Institute of Internal
Auditors (including Practice Advisories) which call for
upholding of
independence and objectivity at all times. An effective
risk management process

70
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
assists in identifying key controls related to significant
inherent risks. Enterprise
risk management (ERM) is a term in common use. The
Committee of Sponsoring
Organizations (COSO) of the Treadway Commission
defines ERM as “a process,
effected by an entity’s board of directors,
management, and other personnel,
applied in strategy setting and across the enterprise,
designed to identify
potential events that may affect the entity, and
manage risk to be within its risk
appetite, to provide reasonable assurance regarding
the achievement of entity
objectives.” Implementation of
controls is one common method management can use
to manage risk within its
risk appetite. Internal auditors audit the key controls
and provide assurance on
the management of significant risks.
How IA can add value to How can the IA function add value to the ERM "Internal auditing is an independent, objective IPPF: STANDARDS AND PRACTICE
ERM process? assurance and consulting activity ADVISORIES:
designed to add value and improve an organization’s 2120 Risk Management
operations. It helps an PA2120-1 Assessing the adequacy
organization accomplish its objectives by bringing a of risk management processes
systematic, disciplined
approach to evaluate and improve the effectiveness of
risk management, control PRACTICE GUIDES:
and governance processes." Source: International Coordinating Risk Management
Professional Practices and Assurance
Framework (IPPF), The Institute of Internal Auditors.
From the definition one can safely conclude that 1)
providing the audit
committee and executive management with
assurances that the ERM process is

71
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
efficient, effective, and operating as it was intended
and 2) using the output of
the ERM process to develop its risk-based audit plan
and to identify unexpected
high-risk areas as circumstances change are ways in
which IA can add value as
far as ERM is concerned.

Prioritising risks The IA annual plan must be risk-based, is there any Internal auditors need to have adequate knowledge IPPF: STANDARDS AND PRACTICE
guideline that coaches about management of risks ADVISORIES:
internal auditors on how to prioritise risks? in an organisation because this knowledge will assist in 2110 Governance
determining whether 2120 Risk Management
risks are being managed appropriately in relation to the PA2120-1 Assessing the adequacy
risk appetite and of risk management processes
strategy in an organisation. This however is a bit PRACTICE GUIDES:
different from the required Coordinating Risk Management
risk-based audit planning, which is the use of the and Assurance
updated organisational risk
register and focusing on the most significant risks when
compiling an audit plan.
Please not that where there is risk management,
internal audit does not
necessary need to scrutinise each and every risk that
appears in the risk register
when planning as this would have been carried out by
the Risk management
function, IA is required to focus on the top risks as
explained earlier on. Risk
management is a key responsibility of senior
management and the board. To
achieve its business objectives, management ensures
that sound risk
management processes are in place and functioning.
Boards have an oversight

72
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
role to determine that appropriate risk management
processes are in place and
that these processes are adequate and effective. In this
role, they may direct the
internal audit activity to assist them by examining,
evaluating, reporting, and/or
recommending improvements to the adequacy and
effectiveness of
management’s risk processes. This order ranks the risks
by a combination of probability and impact. Risk B
would take precedence over Risk A, as it has a higher
probability of occurring. Risk
D would take precedence over Risk C, due to
probability and impact.
Internal audit vs risk What exactly is the difference between internal Enterprise-wide risk management (ERM) is a IPPF: STANDARDS AND PRACTICE
management audit and risk management? structured, consistent and ADVISORIES:
continuous process across the whole organization for 1130 Impairment to
identifying, assessing, Independence or Objectivity
deciding on responses to and reporting on PA 1130-1 Impairment to
opportunities and threats that affect Independence or Objectivity
the achievement of its objectives. 1130 Impairment to
Responsibility for ERM Independence or Objectivity
The board has overall responsibility for ensuring that PA 1130.A1-1 Assessing
risks are managed. In Operations for Which Internal
practice, the board will delegate the operation of the Auditors
risk management Were Previously Responsible
framework to the management team, who will be PA 1130.A2-1 Internal Audit’s
responsible for completing the Responsibility for Other (Non-
activities below. There may be a separate function that audit)
co-ordinates and projectmanages these activities and Functions
brings to bear specialist skills and knowledge.
Everyone in the organization plays a role in ensuring PRACTICE GUIDES:
successful enterprise-wide Independence and Objectivity
risk management but the primary responsibility for
identifying and managing

73
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
risks lies with management.
The role of internal auditing in ERM
Internal auditing is an independent, objective
assurance and consulting activity.
Its core role with regard to ERM is to provide objective
assurance to the board
on the effectiveness of risk management. Research has
shown that board
directors and internal auditors agree that the two most
important ways that
internal auditing provides value to the organization are
in providing objective
assurance that the major business risks are being
managed appropriately and
providing assurance that the risk management and
internal control framework
is operating effectively
Internal audit performing I have been newly appointed as the CAE and not No, it is not allowed. Managing risks is management IPPF: STANDARDS AND PRACTICE
risk management the CEO expects me to responsibility and will ADVISORIES:
manage risk management as well. The reasons impair the objectivity of the internal audit activity. 1130 Impairment to
given are that IA plan should Internal Auditors including Independence or Objectivity
be risk based so to eliminate duplication of efforts, CAEs are required to always adhere to the Standards PA 1130-1 Impairment to
IA is expected to take and Guidance of the Independence or Objectivity1130
responsibility of the risk management process. Is Institute of Internal Auditors (including Practice Impairment to Independence or
this allowed? Advisories) which call for Objectivity
upholding of independence and objectivity at all times. PA 1130.A1-1 Assessing
An effective risk management process can assist in Operations for Which Internal
identifying key controls Auditors
related to significant inherent risks. Enterprise risk Were Previously Responsible
management (ERM) is a PA 1130.A2-1 Internal Audit’s
term in common use. The Committee of Sponsoring Responsibility for Other (Non-
Organizations (COSO) of the audit)
Treadway Commission defines ERM as “a process, Functions
effected by an entity’s board

74
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
of directors, management, and other personnel, PRACTICE GUIDES:
applied in strategy setting and Independence and Objectivity
across the enterprise, designed to identify potential
events that may affect the
entity, and manage risk to be within its risk appetite, to
provide reasonable
assurance regarding the achievement of entity
objectives.” Implementation of
controls is one common method management can use
to manage risk within its
risk appetite. Internal auditors audit the key controls
and provide assurance on
the management of significant risks.
The internal audit plan must be risk based, which
means that internal audit
planning needs to make use of the organizational risk
management process,
where one has been developed. In planning an
engagement, the internal auditor
considers the significant risks of the activity and the
means by which
management mitigates the risk to an acceptable level.
The internal auditor uses
risk assessment techniques in developing the internal
audit activity’s plan and in
determining priorities for allocating internal audit
resources.
Risk assessment is used to examine auditable units and
select areas for review
to include in the internal audit activity’s plan that have
the greatest risk
exposure. It is worth noting that ERM is broader than
risk assessment that
internal audit does, expecting internal audit to account
for risk management

75
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
would be an unrealistic expectation and has a potential
to significantly impair
internal audit’s objectivity.
Internal audit performing Please advise on further motivations from the IIA The responsibility to manage risks is management IPPF: STANDARDS AND PRACTICE
risk management for the need to have the responsibility and will impair ADVISORIES:
Audit and Risk as independent functions from each the internal audit activity’s objectivity. Internal 1130 Impairment to
other. Any motivational Auditors including CAEs are Independence or Objectivity
letters from clients you assist asking the two required to always adhere to the Standards and PA 1130-1 Impairment to
functions to be split. Guidance of the Institute of Independence or Objectivity
Internal Auditors (including Practice Advisories) which 1130 Impairment to
call for upholding of Independence or Objectivity
independence and objectivity at all times. PA 1130.A1-1 Assessing
Before the auditor accepts this operational Operations for Which Internal
responsibility, it should be explain to Auditors
the Accounting officer or assigning management what Were Previously Responsible
the impact of assuming a PA 1130.A2-1 Internal Audit’s
management role is. Responsibility for Other (Non-
If this risk management function is carried out, the audit)
auditor in question or the Functions
staff reporting to the auditor in question may not audit
this area. The CAE should PRACTICE GUIDES:
minimize the impairment to objectivity by using a Formulating and Expressing
contracted, third party entity Internal Audit Opinions
or external auditors to complete audits of this
organisation’s risk management
process.
Risk acceptance What is the procedure that management need to Internal auditors need to obtain sufficient and IPPF: STANDARDS AND PRACTICE
follow for Risk Acceptance, appropriate evidence to ADVISORIES:
i.e. where management say we accept the risk and determine that the key objectives of the risk 2600 Communicating the
therefore won't implement management processes are being acceptance of risks
the recommendation. met to form an opinion on the adequacy of risk 2120 Risk Management
management processes. PA2120-1 Assessing the adequacy
Completeness of management’s risk analysis and of risk management processes
actions taken to remedy issues
PRACTICE GUIDES:

76
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
raised by risk management processes, and suggested Coordinating Risk Management
improvements should be and Assurance
also reviewed. Should the CAE conclude that
management have accepted a level
of risk that may be unacceptable to the organisation,
the CAE must discuss the
matter with senior management. If the CAE determines
that the matter has not
been resolved, the CAE must communicate the matter
to the Audit Committee.

Section 4: Fraud
Duties of forensic auditors May you please assist me with job descriptions for The home for fraud and forensic investigation is the
forensic auditors? Association of Certified
Fraud Examiners (ACFE) (http://www.acfe.org.za/).
Although internal auditors
need to have significant knowledge of the risk of fraud,
the investigation and
preparation of dockets for the police etc. lies within the
ambit of the ACFE. They
also have developed a learnership which is designed to
help with the practical
training of forensic investigations. Please contact ACFE
for further guidance.
Responsibility to report I am an internal auditor and have come across an During normal course of executing audits, internal IPPF: STANDARDS AND PRACTICE
fraud area where I strongly believe auditors often discover ADVISORIES:
that fraud is taking place. I am not a CAE and sensitive information that is substantial to the 2060 Reporting to Senior
would like to know whose organization and poses significant Management and the Board
responsibility is to report fraud? potential consequences. This information may relate to PA 2060-1 Reporting to Senior
exposures, threats, Management and the Board
uncertainties, fraud, waste and mismanagement, illegal
activities, abuse of PRACTICE GUIDES
power, misconduct that endangers public health or Internal Auditing and Fraud
safety, or other wrongdoings.

77
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Furthermore, these matters may adversely impact the Fraud Prevention and Detection
organization’s reputation, in an Automated World
image, competitiveness, success, viability, market
values, investments and more
if not addresses properly. Once the internal auditor has
deemed the new
information substantial and credible, he or she would
normally communicate
the information through the Chief Audit Executive — in
a timely manner — to
senior management and the board in accordance with
Standard 2060 and PA
2060-1.
An internal auditor has a professional duty and an
ethical responsibility to
carefully evaluate all evidence and the reasonableness
of his or her conclusions
and decide whether further actions are needed to
protect the organization’s
interests and stakeholders, the outside community, or
the institutions of society.
Internal auditors also need to consider the duty of
confidentiality imposed by
The IIA’s Code of Ethics to respect the value and
ownership of information and
avoid disclosing it without appropriate authority unless
there is a legal or
professional obligation to do so. During this evaluation
process, the auditor may
seek the advice of legal counsel and, if appropriate,
other experts.
This communication would typically follow the normal
chain of command for the
internal auditor. If the chief audit executive (CAE), after
those discussions,

78
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
concludes that senior management is exposing the
organization to an
unacceptable risk and is not taking appropriate action,
he or she needs to
present the information and the differences of opinion
to the board in
accordance with Standard 2600.

Fraud examination I am an internal auditor and have been assigned to Internal auditors’ role in relation to fraud risk IPPF: STANDARDS AND PRACTICE
investigate potential fraud management could include initial ADVISORIES:
in an organisation. Should this not be carried out or full investigation of suspected fraud, root cause 2060 Reporting to Senior
by specialised fraud analysis and control Management and the Board
investigators? improvement recommendations, monitoring of a PA 2060-1 Reporting to Senior
reporting/whistleblowing Management and the Board
hotline and providing ethics training sessions. If
assigned such duties, internal PRACTICE GUIDES:
auditing has a responsibility to obtain sufficient skills Internal Auditing and Fraud
and competencies
including knowledge of fraud schemes, investigations
techniques and laws that
are applicable to the processes that are being
investigated. Internal audit must
only accept the assignment if objectivity and
proficiency will not be
compromised. Some assignments are too sensitive to
be carried out by internal
audit and are better undertaken by an independent
commission.
An internal auditor has a professional duty and an
ethical responsibility to
carefully evaluate all evidence and the reasonableness
of conclusions and decide
whether further actions are needed to protect the
organization’s interests and

79
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
stakeholders, the outside community, or the
institutions of society. Internal
auditors also need to consider the duty of
confidentiality imposed by The IIA’s
Code of Ethics to respect the value and ownership of
information and avoid
disclosing it without appropriate authority unless there
is a legal or professional
obligation to do so. During this evaluation process, the
auditor may seek the
advice of legal counsel and, if appropriate, other
experts.
Fraud reporting follows the normal chain of command
for the internal auditor. If
the chief audit executive (CAE), after those discussions,
concludes that senior
management is exposing the organization to an
unacceptable risk and is not
taking appropriate action, he or she needs to present
the information and the
differences of opinion to the board in accordance with
Standard 2600.
Specialising in Forensic I’m a 3rd year Internal auditing student and I want The home for fraud and forensic investigation is the
Auditing to specialize in forensic Association of Certified
auditing more than internal, any guidelines? Fraud Examiners (ACFE) (http://www.acfe.org.za/).
Although internal auditors
need to have significant knowledge of the risk of fraud,
the investigation and
preparation of dockets for the police etc. lies within the
ambit of the ACFE. They
also have developed a learnership which is designed to
help with the practical
training of forensic investigations. Should you wish to
specialise in forensic

80
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
investigations we advise that you contact the ACFE for
further guidance.
The relevant standards for internal auditors are listed
below. If you wish to
choose the broader non-forensic audit career you need
to make the IIA your
home
Adoption of non-IIA There is an ISA 240 simply tabulates the There is nothing that prevents internal audit from IPPF: STANDARDS AND PRACTICE
standards regarding fraud responsibility of Auditors in relation considering other standards ADVISORIES:
risk to fraud in which case I developed a questionnaire in executing their work; however the IIA has issued a 1200 Proficiency and Due
pertaining to fraud for our guidance relating to Professional Care
clients. Can internal auditors not perhaps adopt Internal Auditing and Fraud. While external auditors PA 1210-1 Proficiency
International Standard of focus on misstatements in
Auditing (ISA) 240 – The Auditor’s Responsibilities the financial statements that are material, internal PRACTICE GUIDES:
Relating to Fraud in auditors are often in a better Internal Auditing and Fraud
an Audit of Financial Statements for internal audit position to detect the symptoms that accompany
fraud reviews in various fraud. Internal auditors usually Fraud Prevention and Detection
clients in addition to the Performance Standards have a continual presence in the organization that in an Automated World
(mentioned above)? provides them with a better
I thought this is relevant to internal auditors understanding of the organization and its control
without being limited to the systems. Specifically, internal
external auditors. auditors can assist in the deterrence of fraud by
examining and evaluating the
adequacy and the effectiveness of internal controls. In
addition, they may assist
management in establishing effective fraud prevention
measures by knowing the
organization’s strengths and weaknesses and providing
consulting expertise.
Referring to the attached guidance for more
information and see how best
internal audit remains focused and aligned to its
responsibilities.

81
FAQ no. Topic/Subject Question/Problem Statement Response/Answer Useful Link(s) & Resources
Responsibility for What does COSO framework say regarding the risk The COSO framework deals mainly with Internal IPPF: STANDARDS AND PRACTICE
detecting fraud risks of fraud and how companies Control Framework and not much is ADVISORIES:
should manage it? Or is it just taken for granted said is said with regard to the responsibility of Internal 1200 Proficiency and Due
that within the ERM framework, Audit’s role on Fraud. The IIA Professional Care
fraud is considered? Standards require that engagements should be PA 1210-1 Proficiency
performed with proficiency and due
professional care and that internal auditor should have PRACTICE GUIDES:
sufficient knowledge to identify Internal Auditing and Fraud
the indicators of fraud but is not expected to have the
expertise of a person whose Fraud Prevention and Detection
primary responsibility is detecting and investigating in an Automated World
fraud.

82