Rodriguez, Zyra Denelle M.

A-331 AAPRINCIPLES

OVERVIEW OF INTERNAL AUDIT ROLES

1. Describe the nature of work of an internal auditor. Identify necessary items of performance of an internal audit charter.

According to Clarke (2019), the nature of an internal auditor’s work depends on the company that employs them. It varies with the company’s operations, size, and other factors. However, there are certain duties that internal auditors are expected to perform during their internal audit activities, such as:

• Assess the company’s IT and/or business processes objectively
• Assess whether the company’s risk management plans and efforts are applied efficiently
• Ensure that the company follows all relevant laws and regulations
• Evaluate and make recommendations on how the company can improve its internal control
• Identify any gaps in company processes
• Promote proper ethical behavior and identify those who do not follow the ethical standards
• Assure that there are safeguards
• Investigate any occurrence or possibility of fraud and error
• Communicate all findings, budget needs, or access needs to the necessary individuals, such as the board, senior management, or those charged with governance
• Make recommendations based on the findings after the performance of the internal audit activity
• Provide assurance or consultation services to the company
• Maintain independence and objectivity
• Document all information
• Add value to the company

The Institute of Internal Auditors (2019) identifies seven vital components that support the overall strength and effectiveness of the internal audit charter. All seven must be included in the charter, as failure to include one may weaken the performance of the internal audit activity.

• Mission and Purpose

The internal audit’s mission pertains to the goal of the internal audit activity, which is to enhance or protect the value of the organization by providing assurance and advice. The purpose refers to the reason why the internal audit is conducted, which is to provide independent assurance and consultation that adds value to the organization and helps improve its operations.

• International Standards for the Professional Practice of Internal Audit

The charter must include a commitment that the internal audit activity will be conducted in accordance with the Standards. The internal audit activity will follow the mandatory requirements of the IIA’s International Professional Practice Framework (IPPF). These include the Standards, the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, and the Code of Ethics.

• Authority

The internal audit charter must include two statements: (1) a statement that shows the reporting responsibility of the chief audit executive (CAE) to the organization; and (2) a statement that gives the internal auditor sufficient authority to gather everything needed to accomplish the internal audit activity. The authority must specify the extent of access required to perform the internal audit activity properly.

• Independence and Objectivity

The internal audit charter should also include a statement that the internal audit activity will be free from conditions and situations that may threaten the internal auditor’s ability to perform without bias and error. The activity must be conducted with independence and objectivity; if this is not achieved, the CAE must disclose the details of the impairment to the appropriate parties or those charged with governance. In addition, the charter must include a statement on establishing safeguards for situations where the CAE’s roles and responsibilities fall outside the internal audit activity. The CAE is also required to confirm the independence of the internal audit activity annually to those charged with governance.

• Scope of Internal Audit Activities

The internal audit charter should include a statement on the scope of the activity. This encompasses the examination of evidence to provide independent assurance and assessments on the effectiveness of internal control, risk management, and governance. The scope includes all the requirements and the limits of the internal audit activity. It must also include a statement that the CAE will periodically report the results of the internal audit activity.

• Responsibility

The charter should also include a statement that clearly defines the responsibilities. These include: annual submission of a risk-based internal audit plan, communication by the CAE of the limits of the plan to those charged with governance, ensuring that the internal auditors have access to the appropriate resources, management of the activity for its fulfillment, ensuring that the activity is done in accordance with the Standards, communication of results to those charged with governance, and coordination with other assurance providers.

• Quality Assurance and Improvement Program

The charter should include a statement committing the internal audit activity to maintain a quality assurance and improvement program, covering all aspects of the activity, in accordance with the IIA Standards. It is also the responsibility of the CAE to report, at least once every five years, the results of the quality assurance and improvement program to those charged with governance.

2. What are the roles of an internal auditor in various scenarios of risk management?

Internal auditing is important to enterprise risk management (ERM) because it provides assurance to the board regarding the efficiency and effectiveness of the company’s risk management. According to The Institute of Internal Auditors (2009), the role of the internal auditor can be divided into three categories: core internal audit roles in regard to ERM, legitimate internal audit roles with safeguards, and roles the internal auditor should not undertake.



1. Core Internal Audit Roles in regard to ERM – these roles are part of the goal of the internal audit, which is to give assurance and add value to the company. These activities include:

• Giving assurance on risk management
• Giving assurance that risks are correctly evaluated
• Evaluating the reporting of key risks
• Reviewing the management of key risks

2. Legitimate Internal Audit Roles with Safeguards – these pertain to the consultancy services that internal auditors perform, with safeguards in place, to enhance the value added by the internal audit activity.

• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidated reporting on risks
• Maintaining and developing the ERM framework
• Championing establishment of ERM
• Developing RM strategy for board approval

3. Roles Internal Auditor should not undertake – these are roles that impair the independence and objectivity of the internal auditor and the internal audit activity.

• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Taking decisions on risk responses
• Implementing risk responses on management’s behalf
• Accountability for risk management

3. What are the roles of an internal auditor in the following?

3.1 Business continuity process

Internal auditors help the company take a strategic perspective on all facets of the business, as they are able to look deeply into every aspect of it. They check that all company policies and programs are properly implemented and that they are carried out in accordance with the required laws and standards. Internal auditors also help make sure that the organization has plans and structures for current and future business operations, and that these plans are risk-based and adequate.

The internal auditor also helps ensure continuity, response during times of emergency, recovery during crisis and disaster, and integration of communication plans aligned with the best practices, culture, and strategy of the company. Before these plans are applied, they must be tested and practiced to ensure that their execution will bring value rather than loss to the company.



A company’s business continuity program must be integrated with risk control, governance, and performance improvement, and connected with the company’s existing programs and policies. All plans must be risk-based, follow the necessary standards, and be made to meet the specific needs of the company. The overall program must include governance and structure components, risk assessment and analysis components, plans and procedure components, and sustainment and continuous improvement components. All of these are checked and monitored by the internal auditor during internal audit activities (Trollope et al., n.d.).

3.2 Evaluating an organization’s privacy network

According to the “Risk in Focus 2020” survey as cited by Hrubey and Varney (2020), the leading concern of audit professionals in Europe is cybersecurity and data privacy. Most of the respondents mentioned that cybersecurity and data privacy were one of the five risks that their organization is currently facing. This is the third year in a row that such issues are auditors’ leading concern.

It is the responsibility of the internal auditor to provide assurance regarding the privacy network of the company and to give insights on all important points that pertain to the risks and priorities of data privacy and cybersecurity. Internal auditors monitor whether the policies that maintain the privacy network are effective under current conditions and help improve those policies for possible future risks and conditions.

This new environment of technology and privacy may create risk for the internal audit function, but it may also give internal auditors another opportunity to add value to the company. The internal audit performed by the internal auditor will help the company identify the highest-risk area in the privacy network.

3.3 Use of Personal Information

The internal auditor helps the company monitor the use and protection of the personal information of all personnel and employees of the company. The internal auditor works together with the Data Protection Officer (DPO) in supporting compliance with data protection regulations. It is also the internal auditor who independently assesses the effectiveness of the internal control implemented to safeguard the use of personal information.

A lack of compliance may harm the company, and the internal auditor will assure that this does not happen through the performance of the internal audit activity. The suggestions and recommendations of the internal auditor will help maintain or improve policies and procedures regarding the usage of personal information. The internal auditor may also emphasize that personal data must be used for the company only and not for other matters (Haenebalcke, 2018).



References

Clarke, I. (2019, May 1). What Is An Internal Auditor and Why Should You Hire One? https://linfordco.com/blog/what-is-an-internal-auditor/

Haenebalcke, E. (2018, May 22). What role can internal auditor play in GDPR compliance? https://iapp.org/news/a/what-role-can-internal-auditors-play-in-gdpr-compliance/

Hrubey, P. & Varney, M. (2020). Privacy Data and Protection Part I: Internal Audit’s Role in Establishing a Resilient Framework. https://www.crowe.com/-/media/Crowe/LLP/folio-pdf-hidden/Privacy_and_Data_Protection_Crowe_IIA_IAF_Joint_Report_CC2015-006.pdf?la=en-US&modified=20200407161139&hash=54B11C074D2C2BAC010A20485CB5498D617F07F1

The Institute of Internal Auditors (2019). The Internal Audit Charter. https://na.theiia.org/about-ia/PublicDocuments/PP-The-Internal-Audit-Charter.pdf

The Institute of Internal Auditors (2009). IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management. https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf

Trollope, C., et al. (n.d.). The Role of Internal Auditors in Business Resilience. https://chapters.theiia.org/IIA%20Canada/Thought%20Leadership%20Documents/The-Role-of-the-Internal-Auditor-in-Business-Resilience.pdf
