IIA Principles and Standards

The document outlines the mandatory elements of the IPPF, which are: 1. Core Principles for the Professional Practice of Internal Auditing, which define internal audit effectiveness through principles like integrity, competence, independence, risk-based assurance, and organizational improvement. 2. A definition of internal auditing as an independent, objective assurance activity designed to add value and improve operations through risk management and governance evaluations. 3. A Code of Ethics for internal auditors regarding integrity, objectivity, confidentiality, and competency. 4. International Standards for the Professional Practice of Internal Auditing, which are principles-based requirements for internal auditing practice and performance evaluation.

Uploaded by Leslie Fernandez

The mandatory elements of the IPPF are:

1) Core Principles for the Professional Practice of Internal Auditing

The Core Principles, taken as a whole, articulate internal audit effectiveness. When all the
Principles are present and operating cohesively, the internal audit function is effective.
Although the way each internal audit activity approaches these Core Principles may vary
from organization to organization, a failure to achieve any one of the Principles signals an
internal audit activity that is not performing at its best.
• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.

2) Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management, control, and
governance processes.

3) Code of Ethics

Internal auditors are expected to apply and uphold the following principles:

• Integrity
The integrity of internal auditors establishes trust and thus provides the basis for
reliance on their judgment.

• Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being
examined. Internal auditors make a balanced assessment of all the relevant
circumstances and are not unduly influenced by their own interests or by others in
forming judgments.

• Confidentiality
Internal auditors respect the value and ownership of information they receive and do
not disclose information without appropriate authority unless there is a legal or
professional obligation to do so.

• Competency
Internal auditors apply the knowledge, skills, and experience needed in the
performance of internal audit services.

Rule / Principle / Explanation (Rules of Conduct)

Integrity
Principle: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgement.
Rules of Conduct. Internal auditors:
• Shall perform their work with honesty, diligence and responsibility.
• Shall observe the law and make disclosures expected by the law and the profession.
• Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organisation.
• Shall respect and contribute to the legitimate and ethical objectives of the organisation.

Objectivity
Principle: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming their judgement.
Rules of Conduct. Internal auditors:
• Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation.
• Shall not accept anything that may impair or be presumed to impair their professional judgement.
• Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

Confidentiality
Principle: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
Rules of Conduct. Internal auditors:
• Shall be prudent in the use and protection of information acquired in the course of their duties.
• Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation.

Competency
Principle: Internal auditors apply the knowledge, skills and experience needed in the performance of internal auditing services.
Rules of Conduct. Internal auditors:
• Shall engage only in those services for which they have the necessary knowledge, skills and experience.
• Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.
• Shall continually improve their proficiency and the effectiveness and quality of their services.

4) International Standards for the Professional Practice of Internal Auditing

The Standards are a set of principles-based, mandatory requirements consisting of:

• Statements of core requirements for the professional practice of internal auditing
and for evaluating the effectiveness of performance that are internationally
applicable at organizational and individual levels.
• Interpretations clarifying terms or concepts within the Standards.

The Standards comprise two main categories: Attribute and Performance Standards.
Attribute Standards address the attributes of organizations and individuals performing
internal auditing. Performance Standards describe the nature of internal auditing and
provide quality criteria against which the performance of these services can be measured.
Attribute and Performance Standards apply to all internal audit services.

Internal auditors apply the knowledge, skills and experience needed to perform internal audit
services and to ensure that the core requirements for the professional practice of internal
auditing are adopted and embedded in the function. The Standards describe the nature of
internal auditing and provide quality criteria against which the performance of these services
can be measured.

Attribute Standards

1000 – Purpose, Authority, and Responsibility

1010 – Recognizing Mandatory Guidance in the Internal Audit Charter

1100 – Independence and Objectivity

1110 – Organizational Independence

1111 – Direct Interaction with the Board

The Chief Internal Auditor must communicate and interact directly with the Board.

1112 – Chief Audit Executive Roles Beyond Internal Auditing

Where the Chief Internal Auditor has or is expected to have roles and responsibilities that fall
outside of internal auditing, safeguards must be in place to limit impairments to independence or
objectivity.

1120 – Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

1130 – Impairment to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must
be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

1200 – Proficiency and Due Professional Care

Engagements must be performed with proficiency and due professional care by the internal auditor.

1210 – Proficiency

Internal auditors must possess the knowledge, skills and other competencies needed to perform their
individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge,
skills and other competencies needed to perform its responsibilities.

1220 – Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and competent
internal auditor. Due professional care does not imply infallibility.

1230 – Continuing Professional Development

Internal auditors must enhance their knowledge, skills and other competencies through continuing
professional development.

1300 – Quality Assurance and Improvement Program

The Chief Internal Auditor must develop and maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity.

1310 – Requirements of the Quality Assurance and Improvement Program

The quality assurance and improvement program must include both internal and external
assessments.

1311 – Internal Assessments

Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit activity.
• Periodic self-assessments or assessments by other persons within the organization with
sufficient knowledge of internal audit practices.

1312 – External Assessments

External assessments must be conducted at least once every 5 years by a qualified, independent
assessor or assessment team from outside the organization. The Chief Internal Auditor must discuss
with the Board:

• The form and frequency of the external assessment.
• The qualifications and independence of the external assessor or assessment team, including
any potential conflict of interest.

1320 – Reporting on the Quality Assurance and Improvement Program

1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal
Auditing”

Indicating that the internal audit activity conforms with the International Standards for the
Professional Practice of Internal Auditing is appropriate only if supported by the results of the
Quality Assurance and Improvement Program.

1322 – Disclosure of Nonconformance

When nonconformance with the Code of Ethics or the Standards impacts the overall scope or
operation of the internal audit activity, the Chief Internal Auditor must disclose the
nonconformance and its impact to senior management and the board.

Performance Standards

2000 – Managing the Internal Audit Activity

2010 – Planning

2020 – Communication and Approval

2030 – Resource Management

2040 – Policies and Procedures

2050 – Coordination and Reliance

2060 – Reporting to Senior Management and the Board

2070 – External Service Provider and Organizational Responsibility for Internal Auditing

2100 – Nature of Work

2110 – Governance

The internal audit activity must assess and make appropriate recommendations to improve the
organization’s governance processes for:

• Making strategic and operational decisions
• Overseeing risk management and controls
• Promoting appropriate ethics and values within the organization
• Ensuring effective organizational performance management and accountability
• Communicating risk and control information to appropriate areas of the organization
• Coordinating the activities of, and communicating information among, the Board, external
and internal auditors, other assurance providers and management.

The Internal Audit (IA) Activity must evaluate the design, implementation and effectiveness of the
organization’s ethics related objectives, programs and activities.

The IA activity must assess whether the organization’s information technology governance
supports the organization’s strategies and objectives.

2120 – Risk Management

The IA activity must evaluate the effectiveness and contribute to the improvement of the risk
management processes.

2130 – Control
The IA activity must assist the organization in maintaining effective controls by evaluating their
effectiveness and efficiency and by promoting continuous improvement.

2200 – Engagement Planning

2201 – Planning Considerations

2210 – Engagement Objectives

2220 – Engagement Scope

2230 – Engagement Resource Allocation

2240 – Engagement Work Program

2300 – Performing the Engagement

2310 – Identifying Information

2320 – Analysis and Evaluation

2330 – Documenting Information

2340 – Engagement Supervision

2400 – Communicating Results

2410 – Criteria for Communicating

2420 – Quality of Communications

2421 – Errors and Omissions

2430 – Use of “Conducted in Conformance with the International Standards for the Professional
Practice of Internal Auditing”

2431 – Engagement Disclosure of Nonconformance

2440 – Disseminating Results

2450 – Overall Opinions

2500 – Monitoring Progress

2600 – Communicating the Acceptance of Risks

Agile Internal Auditing

 Deliver deeper insights into strategic business issues and risks
 Respond rapidly to changing priorities and emerging issues
 Become forward-looking in anticipating risks
 Move to more risk-based audit planning and fieldwork
 Streamline workpapers
 Deliver impactful, relevant, timely, readable, and visual reports
 Access the applicable skillsets for the project at hand
 Deepen specialized skillsets, particularly in cyber and analytics

When undertaking change, Internal Audit groups we have worked with have found it useful to define
desired outcomes as “have-to-haves” and “want-to-haves”.

Part 1: Understanding Agile Internal Audit

Part 2: Putting Agile Internal Audit into action

Part 3: Using Agile Internal Audit to drive change

When an organisation or programme is using an agile approach, ‘Agile Auditing’ delivers better
alignment and provides real-time assurance rather than retrospective assurance.

 An ‘Agile’ approach helps the audit team eradicate low-value work and realise efficiencies
that allow them to focus more time and effort on higher-value, complex audits.
 Stakeholders have a better audit experience as they receive informal assurance early in the
audit process and have more opportunity to clear up misunderstandings and to highlight
concerns and challenges at the outset. Offering the auditee the opportunity to speak freely in
a safe environment fosters a good relationship and builds rapport.
 Huddles: junior members benefit from closer involvement in all aspects of the audit and are
able to demonstrate competency earlier.
 Audit teams stay together during the course of most audits, challenging the view that
continually moving people into new teams is effective or efficient.
 The approach should enable the team to eliminate processes or work of low value and to
focus on processes and work that contribute to the overall betterment of the company.
 The audit team provides insights and input on emerging risks and on likely scenarios or
events that could contribute to non-compliance or gaps within the entity. It responds rapidly
to changing priorities and emerging risks, is forward-looking in anticipating risks, and
proactively highlights any limitations or potential weaknesses identified. For any process that
requires changes or updates, it assesses the controls put in place and ensures that the
challenges are managed and reported accordingly.

Review the following:

 Collect the Code of Ethics from internal audit staff and determine if it is signed by them
as read and understood.
 Determine if a register of allocation of internal auditors on consulting assignments is
kept.
 Check with the quality assessment team member assigned to the Internal Audit Process
program segment and determine whether any significant objectivity issues were noted.
 Determine if any impairment to independence and/or objectivity exists or Code of Ethics
issues have occurred and have been disclosed to appropriate parties.

1. The Head of Internal Audit reports to a level in the organization that allows the internal audit
activity to fulfil its responsibilities.
2. The administrative reporting relationship to senior management does not interfere with the Head
of Internal Audit’s responsibility to the Board.
3. There are no restrictions to the scope, resources and access of the internal audit activity.
4. The nature of the Head of Internal Audit’s functional reporting relationship to the board provides
the direct interaction needed to promote independence and communicate audit results.
5. Auditors are aware they must report any real or perceived objectivity or Code of Ethics issues as
soon as such issues arise.
6. Audit engagements are performed with an unbiased mental attitude.
7. Any impairments have been disclosed to appropriate parties.


1. Examine the recent status reports used to monitor and communicate the disposition of
internal audit activity to confirm that:
 A system is used to monitor internal audit results to ensure that management actions
have been effectively implemented or that senior management has accepted the risk of
not taking action.
 The monitoring system is used to communicate the disposition of internal audit results
to relevant stakeholders.
 The disposition of results of consulting engagements is monitored to the extent agreed
upon with the client.

2. For the representative sample of completed engagements selected, examine supporting
records for the engagements to confirm that engagement communications:
 Include the engagement objectives and scope as outlined in the engagement planning
documentation.
 Report the engagement’s applicable conclusions, recommendations and action plans.
 Are delivered to parties who can ensure that the results are given due consideration.

3. For the representative sample of completed engagements selected, examine supporting
records for the engagements to determine that engagement communications are:
 Accurate, that is, reported engagement results are consistent with the findings and
conclusions contained in the audit working papers.
 Objective, clear, concise and constructive in language and tone.
 Complete, that is, reported engagement results include all relevant issues documented
in the audit working papers.
 Timely in their delivery, so that engagement results are given appropriate
consideration.

4. For any consulting engagements included in the representative sample of completed
engagements selected in Step II.A, examine supporting records for the engagements to
confirm that engagement communications:

 Include appropriate progress and results of the consulting engagements based on the
nature of the engagements and needs of the client.
 Report to senior management and the board any significant governance, risk
management or control issues that may be identified during the course of performing the
consulting engagement.

1. Engagement planning considers the objectives of the activity being reviewed, significant
risks, and the adequacy and effectiveness of the activity’s risk management and control
processes.
2. Engagement planning considers the opportunities for making significant improvements to
the activity’s governance, risk management and control processes.
3. On significant consulting engagements, internal auditors document their understanding of
the client’s objectives, scope, respective responsibilities and other client’s expectations.
4. Engagement objectives reflect the results of the preliminary risk assessment and use
adequate criteria to evaluate governance, risk management and controls.
5. The scope of engagement is sufficient to address the agreed upon objectives.
6. The internal audit activity and internal audit staff have knowledge, skills and other
competencies needed to complete individual engagements.
7. There is evidence that appropriate resources (e.g. staff) are allocated to achieve engagement
objectives.
8. Engagement audit programs are developed, establishing the procedures for identifying,
analysing, evaluating and recording the information needed to achieve the engagement
objectives.
9. Prior to implementation, the audit program and subsequent program adjustments are
formally approved.

Conformance Assessment

a. The internal audit activity’s policies and procedures adequately provide specific guidance to
ensure that internal auditors develop and document a plan for each engagement, including
the engagement’s objectives, scope, timing and resource allocations.
b. There is evidence that appropriate resources are allocated to each engagement and that
engagement records are correctly updated in the system.
c. Engagement work programs are developed, establishing the procedures for completing the
requirements and gathering sufficient audit evidence to complete the review.
d. For any changes made to the process, the procedures for identifying, analysing, evaluating
and recording the information needed to achieve the engagement objectives are updated
accordingly.

Performance Standards

 The audit plan provides sufficient coverage of information technology governance, current
systems, systems under development and technology management issues.
 The plan provides sufficient coverage of the organization’s risk management processes.
 The internal audit activity’s policies and procedures provide specific guidance to ensure that
plans adequately capture all the relevant conditions, and the internal audit activity can
demonstrate that it has evaluated the effectiveness of, and contributed to the improvement
of, the risk management processes.
 Engagement activities are included in the engagement process, engagement records are
correctly updated in the system, and there are no restrictions on the internal audit activity.

The internal audit activity also checks and confirms that engagement records are correctly
updated in accordance with the governance, risk management and control requirements.


No. / Requirement

1. Review and evaluate the process that is used to develop, maintain and implement the internal
audit policies/procedures manual.
2. Review the internal audit activity policy/procedure table of contents. Determine whether the
form/content of the manual is sufficient based on the size, structure and complexity of the
internal audit activity.
3. Check with the quality assessment team members assigned to the other quality assessment
program segments and determine whether any internal audit policy/procedure manual issues
were noted.
4. There is evidence that the Head of Internal Audit has communicated the internal audit
activity’s annual plan and interim changes, including the impact of resource limitations, to
senior management and the board for review and approval.
5. Periodic reporting includes significant risk exposures and control and governance issues.
6. Engagement activities are included in the engagement process, engagement records are
correctly updated in the system, and there are no restrictions on the internal audit activity.
7. Assessments are carried out to ensure that governance issues are correctly updated to reflect
the risk exposures and the controls in place.
8. Engagement records are checked to ensure that they are updated to reflect the requirements
as recorded in the system.

Agile Project Delivery is based on the following core principles (Agile values the item on the left
over the item on the right; Waterfall favours the item on the right):

Agile / Waterfall
• People / Processes and Tools
• Working Prototypes / Documentation
• Customer Collaboration / Rigidity of Requirements
• Responding to Change / Following a Set Plan

Traditional Methodology versus Agile Methodology

• Traditional: A rigid, long-term plan is created and followed with little to no room for flexibility.
Agile: While long-term goals are considered, plans are created in 2-3 week sprints and are
flexible in how they are carried out.
• Traditional: Steps are completed and then followed through to the end without re-evaluating
any prior step. Agile: Because this model is focused on the highest-risk controls and/or business
processes at a given moment, steps are often revisited and re-evaluated.
• Traditional: Limited communication and collaboration between the auditor and the
control/process owner. Agile: Stakeholders are encouraged to communicate and collaborate
openly.
• Traditional: Results are reviewed at the end of the entire auditing process. Agile: Results on
control performance are shared as soon as tests have been completed.

Code of Conduct requirements: the four Code of Ethics principles set out above (integrity,
objectivity, confidentiality and competency).

Any situation encountered by the internal auditor that could give rise to a conflict of interest should
be avoided or mitigated.

Safeguards should be employed for any situation that could jeopardise the role of the internal audit
function.

In terms of reporting structure, internal audit should perform the following:

No. Requirement Remarks

1. Review and evaluate the process that is used to develop, maintain and implement the internal audit policies/procedures manual.
   Remarks: The internal audit Manual is prepared based on the IPPF Framework using COSO as its internal control methodology and benchmarking against ISO 9001. The manual is aligned with regulatory requirements and incorporates industry best practices. In order to maintain relevance, the Manual is reviewed once every 2 years or as and where there are changes to the requirements.

2. Review the internal audit activity policy/or procedure table of contents. Determine whether the form/content of the manual is sufficient based on the size, structure and complexity of the internal audit activity.
   Remarks: The internal audit Manual has been prepared taking into consideration the nature, size and complexity of operations and meeting local regulatory requirements. The IA Manual consists of the following content:
   - INTRODUCTION
   - GOVERNANCE
   - REPORTING STRUCTURE
   - ROLES & RESPONSIBILITIES
   - ANNUAL AUDIT PLAN
   - AUDIT METHODOLOGY
   - QUALITY ASSURANCE
   - EXTERNAL ASSESSMENT
   - AUDIT FILING

3. Check the quality assessment team members assigned to the other quality assessment program segments and determine whether any internal audit policy/procedure manual issues were noted.
   Remarks: Instapay went live on 3 Sept 2019 with only 1 Audit Manager and thereafter an additional support staff was hired. The Quality assessment will be rolled out once additional headcount is obtained. As a control, the Audit working program and documentation is reviewed by the Internal Audit Manager and any gaps are highlighted for rectification.

4. There is evidence that the Head of Internal Audit has communicated the internal audit activity's annual plan and interim changes, including the impact of resource limitations, to senior management and the board for review and approval.
   Remarks: The Audit Committee is apprised on a quarterly basis of the developments of the internal audit plan and activities, including the resource requirements and challenges.

5. Periodic reporting includes significant risk exposures and control and governance issues.
   Remarks: All audit reports are tabled to the Audit Committee and the reports cover the 5 COSO components, which are governance, control activities, risk assessment, information and communication, and monitoring processes.

6. The activities must be included in the engagement process and, to ensure the items are correctly updated in the system, there are no restrictions.
   Remarks: An Audit notification will be sent out to the Auditee and thereafter an opening meeting will be held with the auditee. During the opening meeting, the auditee will be notified regarding the following:
   - Audit fieldwork period
   - Audit objectives, scope, and coverage period
   - Document Request
   - Two-way communication, i.e. updates pertaining to the risks, controls, key changes to the processes, and any challenges faced by the Department
   - Other administrative matters
   In terms of access to documentation, Internal Audit has a Charter in place which was approved by the Audit Committee.

7. Assessment must be carried out accordingly to ensure that the governance issues are correctly updated to reflect the risk exposure and controls in place.
   Remarks: A risk-based audit plan is prepared on an Annual basis taking into consideration the following factors:
   - Last audit conducted and grading
   - Regulatory requirements to conduct an audit
   - Number of risk events / incidents / breaches / non-compliance / information leakage / fraud
   - Complexity of the product / business operations
   - Importance / focus of the business / product to Management
   - Issuance of new products / services and key changes in the processes and products since last audit
   - Number of new guidelines / regulations issued by the regulator
   - Risks residing in the department
   - Discussion with management of Instapay & assessment of current operational issues / Request by Management

8. To check and ensure that the items are correctly updated to reflect the requirements as per the details updated in the system and check the updates accordingly.
   Remarks: The updates are reflected in the Audit Plan and any outstanding audit observations are tracked until resolution.

9. For any changes made, to evaluate the process that is used to develop and maintain internal audit procedures and manual.
   Remarks: The Internal Audit Manual is developed and reviewed by the Internal Audit Head. The Document will be tabled to the Audit Committee for approval.

10. To assess the impact and probability of the risk exposure of the auditable areas and to perform a risk based analysis and plan accordingly. As for the regulatory audits where the frequency is determined, to include the areas as part of the Internal Audit Plan and perform the checks accordingly.
   Remarks: The Annual Audit Plan is developed based on the principle of risk-based assessment, taking into consideration regulatory requirements in order to determine the audit frequency. An auditable unit with a higher risk is required to be audited on a regular basis compared to a lower risk unit. Regulatory requirements will however override the audit cycle and frequency in case regulatory requirements suggest a more frequent audit.

11. To perform quality assessment checks and to ensure that all the risk items are correctly captured.
   Remarks: The quality assessment checks will be carried out once the IA Department expands. Currently, there are only 2 personnel in the department. The Audit Executive performs the audit and the reports are reviewed by the IA Manager. For audits which the IA function does not have the capability or resource to perform, i.e. IT Audit, the audit will accordingly be outsourced to an external assurance service provider. With regard to QA, once the business grows and the headcount increases, the Internal Audit Department will have a QA function.

12. Obtain and review any periodic reports to the audit committee/ senior management on internal audit results. Determine whether the report include:
   - Performance relative to the internal audit activity's plan (e.g. any significant changes to the plan, internal audit performance measures)
   - Any significant risk exposures or control issues that adversely affect the organization's ability to achieve its strategic and key supporting objectives.
   Remarks: All audit reports are tabled to the Audit Committee together with management responses and action plan. Furthermore, all outstanding audit observations are tracked and updates are provided to the Audit Committee. Any changes to the Plan, i.e. delay in timeline / spillover etc., are highlighted to the AC.

13. Check the quality assessment team members assigned to the other quality assessment program segments and determine whether any internal audit policy/procedure manual issues were noted.
   Remarks: The QA program has been put in place, however the exercise will only be implemented once headcount increases.

14. Engagement scope considered the relevant systems, records, personnel and physical properties (including those under the control of third parties) and is consistent with the audit objectives.
   Remarks: The scope includes governance, control activities, risk assessment, information and communication and the monitoring activities. In addition to the 5 COSO components, the scope includes the minimum requirements as per BNM's Guidelines and critical areas based on IAD's assessment and feedback from Management.

The internal audit activity and internal audit staff have knowledge, skills and other competencies needed to complete individual engagements.
   Remarks: All the staff have the necessary qualifications and relevant experience and technical knowhow to perform the engagements. For audits which IA does not possess the skills to perform, they will be outsourced to a competent assurance service provider. Staffing is adequate considering the nature, size and complexity of operation.

Engagement audit programs are developed, establishing the procedures for identifying, analysing, evaluating and recording the information needed to achieve the engagement objectives.
   Remarks: The audit programs are prepared by the Audit executive and reviewed by the internal audit Manager before commencement of the audit. The requirements are to be completed as per the audit program step by step.

For the representative sample of completed engagements selected, examine supporting records for the engagements to confirm that engagement communications:
   - Include the engagement objectives and scope as outlined in the engagement planning documentation.
   - Report the engagement's applicable conclusions, recommendations and action plans.
   - Are delivered to parties who can ensure that the results are given due consideration.
   Remarks: All documentation and filing will be reviewed by the Internal Audit Manager. Any gaps noted will be highlighted during the review.

For the representative sample of completed engagements selected, examine supporting records for the engagements to verify that an engagement work program is documented and that:
   - There is evidence that appropriate resources (e.g. staff) are allocated to achieve engagement objectives.
   - The work program establishes the procedures for identifying, analysing, evaluating and recording the information needed to achieve the engagement objectives.
   Remarks: Proper justification is provided on sample selections in the working papers. The approach adopted is to first test the controls; if there is absence of control, the substantive testing can be reduced. If there is a control in place, test the effectiveness of the control. Samples can be selected to test the effectiveness of the control put in place. In the event there is absence of control, sample and check if there are any lapses (Note: absence of control doesn't necessarily mean there is a lapse. Sampling is done to confirm that there is a lapse). If there is absence of control but no lapses, recommend implementing adequate control to prevent any incident from occurring.

To check the following:
   Remarks: All documentation and filing will be reviewed by the Internal Audit Manager. Any gaps noted will be highlighted during the review.

Opportunities to add value were considered by identifying potential engagements, management requests and other priorities not foreseen during risk assessment/planning.
   Remarks: The focus of IA is on regulatory compliance and minimizing financial risks such as seepage of income or lapses of primary controls, especially on key processes. The audit program is updated prior to the fieldwork and is reviewed by the Internal Audit Manager. An understanding of the area being reviewed would enable the auditee to carry out the engagement effectively. IA strives to add value by proactively notifying management on the risks. The role of Internal Auditor has evolved and IA is viewed as a trusted partner rather than a fault finder. IA adds value by being future focused and insightful.

Traditional Methodology vs Agile Methodology

Traditional: A rigid, long term plan is created and followed with little to no room for flexibility.
Agile: While long-term goals are considered, plans are created in 2-3 week sprints and are flexible in how they are carried out.

Traditional: Steps are completed and then followed through to the end without reevaluating any prior step.
Agile: Because this model is focused on the highest risk controls and/or business processes in a given moment, steps are often revisited and reevaluated.

Traditional: Limited communication and collaboration between the auditor and the control/process owner.
Agile: Stakeholders are encouraged to communicate and collaborate openly.

Traditional: Results are reviewed at the end of the entire auditing process.
Agile: Results on control performance are shared as soon as tests have been completed.

Item AWP Ref: Remarks

1. Review and evaluate the internal audit activity's communication and reporting practices and any internal audit activity policy / or procedure on communicating results.
   Remarks: To review and evaluate the requirements to ensure that the audit activity's communication and reporting practices.

2. Review the planned versus actual engagements for the current and prior years.
   - For significant projects that were planned and not executed, determine the rationale and whether they are scheduled to roll forward or will be cancelled.
   - For projects that were added to the plan, determine the rationale and the adequacy of consideration / approval to add them to the plan.
   Remarks: The planned vs actual analysis is performed and any delay / deferment or changes are tabled to the Audit Committee for approval.

3. Obtain the audit committee's (or equivalent) agendas and minutes. Confirm that the required board/ or audit committee communication requirements were covered or determine why they were not applicable.
   Remarks: Yes, the agendas and minutes are adequately documented. The deliberations are adequately captured in the minutes.

4. Obtain and review any periodic reports to the audit committee/ senior management on internal audit results. Determine whether the report include:
   - Performance relative to the internal audit activity's plan (e.g. any significant changes to the plan, internal audit performance measures)
   - Any significant risk exposures or control issues that adversely affect the organization's ability to achieve its strategic and key supporting objectives.

5. Determine whether the Head of Internal Audit has developed a process to communicate management's acceptance of risk, including possible escalation of these risks to the audit committee or board.
   - If a process exists, confirm via interviews that key internal audit stakeholders (e.g. audit committee, CEO and the executive to whom the Head of Internal Audit reports administratively) are aware of and support the process.
   - Check with the quality assessment team member assigned to the Internal Audit Governance Program segment and determine if there are any observations that are related to this topic (e.g. audit committee oversight leading practices or concerns).

6. Review the results of the interviews with key internal audit stakeholders and staff members (e.g. audit committee, CEO, Head of Internal Audit) and evaluate any themes or significant comments regarding:
   - The value the internal audit activity adds to the organization.
   - The value of the insights included in the periodic reports to the audit committee and senior management.
   - The practices that have been or would be used to communicate any matters where the Head of Internal Audit has concluded that management may have accepted a level of risk that may be unacceptable to the organization.

Conformance Assessment Recap

Standard 2500
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not
Applicable)
Key Conformance Criteria GC PC DNC NA

1. Communication includes the engagement's objectives and scope as well as applicable conclusions, recommendations and action plans.
   Remarks: Yes, Audit reports are discussed with the auditee during the exit meeting and the action plans and timelines are agreed upon.

2. If appropriate, an opinion or conclusion is included in the audit report.
   Remarks: Yes, the format of the audit reports incorporates a summary and conclusion. The Audit rating is assigned based on the conclusion.

3. Communication of the progress and results of engagement are appropriate based on the nature of the engagement and the needs of the client.
   Remarks: Yes, the auditee is kept updated on the progress of the engagements and any observations noted are verbally highlighted to the auditee during the review.

4. Engagement communication is accurate, objective, clear, concise, constructive, complete and timely.
   Remarks: Yes, the auditee is notified of the objective, scope, duration and the audit purpose in the audit notification, and these are thereafter discussed in the opening meeting.

5. If a final communication contains a significant error or omission, there is communication of corrected information to all parties.
   Remarks: All audit reports are reviewed several times before the final issuance. If any correction is required, a revised audit report will be issued and the relevant parties will be notified.

6. If appropriate, reports state that the engagement was "Conducted in conformance with the International Standards for the Professional Practice of Internal Auditing."
   Remarks: The Audit Manual makes reference to the IPPF as its basis for developing the manual. IPPF is not referenced in the individual audit reports as it's not necessary for FIs.

7. If required, engagement communication discloses non-conformance with the Definition of Internal Auditing, the Code of Ethics or the Standards.
   Remarks: The audits are mainly to assess compliance with regulatory guidelines and to assess the effectiveness of the controls and processes surrounding the activities within the department. Any non-compliance with the minimum standards of the department will be highlighted accordingly.

8. Final results are communicated to appropriate parties according to the policy of the organization.
   Remarks: Yes, the audit reports are issued to the HOD and senior management.

Conformance Assessment Recap

Standard 2400
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not
Applicable)
Key Conformance Criteria GC PC DNC NA

1. Audit working papers include all the relevant information to achieve the objectives.
   Remarks: Yes, the audit program includes the information checked and the outcome of each step checked.

2. Conclusions and engagement results are based on appropriate analyses and evaluations.
   Remarks: The conclusion is arrived at after the checks are performed and proper analyses and evaluations are completed.

3. Sufficient information is documented to support the conclusions and audit results.
   Remarks: Yes, all conclusions are clearly documented and worded. Any ambiguity noted during the review by the Internal Audit Manager will be highlighted to the Internal Audit Executive for correction.

4. Audit working papers have controlled access and are retained according to the policy of the organization.
   Remarks: All audit documents are retained as per Instapay's record retention policy, which is 7 years.

5. There is evidence that engagements are properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.
   Remarks: Currently the IA team is small and consists of the Internal Audit Manager and 1 executive. All audits are closely monitored and supervised by the Internal Audit Manager.

Conformance Assessment Recap

Standard 2200
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not
Applicable)
Key Conformance Criteria GC PC DNC NA

1. Engagement planning considers the objectives of the activity being reviewed, significant risks, and the adequacy and effectiveness of the activity's risk management and control processes.
   Remarks: Yes, the audit takes into consideration the risk within the department and challenges that are encountered. A two way communication between the auditor and the auditee takes place during the opening meeting and the auditee is given the opportunity to highlight any concerns they may have.

2. Engagement planning considers the opportunities for making significant improvements to the activity's governance, risk management and control processes.
   Remarks: Yes, COSO methodology is used, which includes assessment of governance, control activities, risk assessment, information and communication, and monitoring activities.

3. On significant consulting engagements, internal auditors document their understanding of the client's objectives, scope, respective responsibilities and other client's expectations.
   Remarks: Currently, all stakeholders are within the organization. The meetings and discussions held with the auditees are minuted / documented.

4. Engagement objectives reflect the results of the preliminary risk assessment and use adequate criteria to evaluate governance, risk management and controls.
   Remarks: Yes, the preliminary risk assessment is performed when planning the audit assignment; thereafter a discussion is held with the auditee during the opening meeting and any further concerns / risks / challenges highlighted will be taken into consideration when performing the engagement.

5. Consulting engagement objectives address governance, risk management and control processes to the extent agreed upon with the client.
   Remarks: As Instapay is a small setup and has an open space, Consultation engagements are performed verbally during discussions.

6. Engagement scope considered the relevant systems, records, personnel and physical properties (including those under the control of third parties) and is consistent with the audit objectives.
   Remarks: Yes, the scope of third parties is included, especially where outsourcing arrangements are critical, i.e. Operations, IT etc.

7. The scope of engagement is sufficient to address the agreed upon objectives.
   Remarks: Yes, the scope is discussed with the CEO and agreed upon.

8. The internal audit activity and internal audit staff have knowledge, skills and other competencies needed to complete individual engagements.
   Remarks: Yes, the audit personnel possess the relevant skillset to perform the audit. Guidance is provided by the internal audit manager. In the case where the audits are technical in nature and require specialized skills, a suitable outsourced service provider will be engaged.

9. There is evidence that appropriate resources (e.g. staff) are allocated to achieve engagement objectives.
   Remarks: Yes, given the present operating environment, the headcount is adequate.

10. Engagement audit programs are developed, establishing the procedures for identifying, analysing, evaluating and recording the information needed to achieve the engagement objectives.
   Remarks: Yes, the programs include the relevant segments, and the steps together with the outcome are clearly documented.

11. Prior to implementation, the audit program and subsequent program adjustments are formally approved.
   Remarks: Yes, all audit programs are reviewed by the internal audit manager.

Conformance Assessment Recap

Standard 2200, 2300, 2400 and 2500
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not
Applicable)
Key Conformance Criteria GC PC DNC NA

1. The internal audit activity's policies and procedures adequately provide specific guidance to ensure that internal auditors develop and document a plan for each engagement, including the engagement's objectives, scope, timing and resource allocations.
   Remarks: Yes, the audit engagement is performed using a systematic approach as follows:
   i. AUDIT NOTIFICATION
   ii. AUDIT PLANNING MEMORANDUM
   iii. AUDIT PROGRAM
   iv. KICK OFF MEETING
   v. FIELDWORK
   vi. AUDIT REPORT
   vii. AUDIT OPINION FRAMEWORK
   viii. EXIT MEETING
   ix. FOLLOW-UP

2. The internal audit activity's policies and procedures adequately provide specific guidance to ensure that internal auditors identify, analyse, evaluate and document sufficient information to achieve the engagement's objectives.
   Remarks: Yes, comprehensive audit programs are put in place to guide staff on the areas to be assessed.

3. The internal audit activity's policies and procedures adequately provide specific guidance to ensure that internal auditors communicate the results of engagements.
   Remarks: Yes, an exit meeting will be held with the auditee upon completion of the audit. The final audit report will be issued to the auditee and management for implementation. Internal Audit will track and monitor the action plans until resolved.

4. The internal audit activity's policies and procedures adequately provide specific guidance to ensure that a system is established and maintained to monitor the disposition of results communicated to management.
   Remarks: Yes, all audit reports are sent to the auditee and management. Internal audit maintains a tracker for all unresolved audit observations and monitors the target dates.
5.
Conformance Assessment Recap

Standard 2100
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not
Applicable)
Key Conformance Criteria GC PC DNC NA

1. The audit plan provides sufficient coverage of the organization's governance process.
   Remarks: Yes, the COSO internal control framework is adopted and each audit includes an assessment of the 5 components as follows:
   - Governance
   - Control Processes
   - Risk Assessment
   - Information and Communication
   - Monitoring Activities

2. The internal audit activity can demonstrate that it has assessed and made appropriate recommendations for improving the governance process.
   Remarks: Yes, as part of each audit engagement, the governance will be assessed. If gaps are noted, they will be highlighted accordingly.

3. The audit plan provides sufficient coverage of the design, implementation and effectiveness of the organization's ethics-related objectives, programs and activities.
   Remarks: Yes, as part of the HR audit, the ethics related objectives and processes were assessed.

4. The audit plan provides sufficient coverage of information technology governance, current systems, systems under development and technology management issues.
   Remarks: Yes, as part of the audit, the governance, systems and processes undertaken via the systems will be assessed.

5. The plan provides sufficient coverage of the organization's risk management processes.
   Remarks: Yes, sufficient coverage on risk assessment is performed.

6. The internal audit activity can demonstrate that it has evaluated the effectiveness and contributed to the improvement of the risk management processes.
   Remarks: Yes, in the event gaps are identified, IA will make recommendations for improvements.

7. The plan provides sufficient coverage of the organization's control processes.
   Remarks: Yes, the processes are assessed in each audit; any gaps noted will be highlighted.

8. The internal audit activity can demonstrate that it has assisted the organization in maintaining an effective control process by evaluating their effectiveness and efficiency and by promoting continuous improvement.
   Remarks: Yes, internal audit adds value by proactively highlighting risks and offering insights to Management. Internal Audit takes into consideration the maturity of the organization.

9. There is evidence that, where appropriate, the scope of individual audit engagements includes the risks and controls relating to the organization's governance, operations, and information systems.
   Remarks: Yes, the 5 COSO components are included in each audit. Generally the areas include governance, control activities, risk assessment, information and communication, and monitoring activities.

Observation/Recommendation/Opportunities for Improvement:

Additional Comments:

Conformance Assessment Recap

Standard 2030, 2050 and 2070
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not
Applicable)
Key Conformance Criteria GC PC DNC NA

1. Resources (human and technology) and financial budgets are appropriate, sufficient and effectively deployed to support the completion of the approved plan.
   Remarks: Yes, given the current size of the organization and complexity, the internal audit is adequately staffed. As the business grows, the headcount will increase.

2. Internal audit work is effectively coordinated with that of the external auditors and with internal providers of assurance and consulting services.
   Remarks: Yes, the Internal Audit Manager's role includes coordinating the engagements with external audits, mainly on the outsourced audits, i.e. Principal 4 Attestation, IT audit etc.

3. If a third-party/ external service provider serves as the internal audit activity, the external service provider has made the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.
   Remarks: Yes, as a best practice and to avoid potential conflict of interest, the statutory audit firm is not engaged to provide internal audit services.

Conformance Assessment Recap

Standard 2010 and 2450
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not
Applicable)
Key Conformance Criteria GC PC DNC NA

1. The Head of Internal Audit has established a risk based plan consistent with the organization's goals. The plan is reviewed and adjusted, as necessary, in response to changes in the organization's business, risks, operations, programs, systems and controls.
   Remarks: The Internal Audit Manager prepares a risk based audit plan taking into consideration various factors as below:
   - Last audit conducted and grading
   - Regulatory requirements to conduct an audit
   - Number of risk events / incidents / breaches / non-compliance / information leakage / fraud
   - Complexity of the product / business operations
   - Importance / focus of the business / product to Management
   - Issuance of new products / services and key changes in the processes and products since last audit
   - Number of new guidelines / regulations issued by the regulator
   - Risks residing in the department
   - Discussion with management of Instapay & assessment of current operational issues / Request by Management

2. The Head of Internal Audit identified and considered the input and expectations of the board, management and other stakeholders in developing the plan.
   Remarks: Yes, feedback from Management is obtained in preparing the Plan. Any feedback from the Audit Committee during the previous meetings is also taken into consideration. Thereafter the Plan is tabled to the Audit Committee before being finalized.

3. The Head of Internal Audit identified and considered the expectations of senior management, the board, and other stakeholders for overall opinions and other conclusions.
   Remarks: Internal Audit takes into consideration the various feedback and input from Management and other stakeholders.
Conformance Assessment Recap

Standard 1200
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not
Applicable)
Key Conformance Criteria GC PC DNC NA

1. The internal audit activity and internal audit staff have knowledge, skills and other competencies needed to complete the annual audit plan.
   Remarks: Yes, the internal audit team possesses the capability to carry out the audits assigned as per the Audit Plan. For audits which IA doesn't have the capability for, i.e. IT Audit, a suitable assurance provider will be identified to conduct the outsourced arrangement.

2. The internal audit activity and internal audit staff have knowledge, skills and other competencies needed to complete individual engagements.
   Remarks: Yes. Same as above.

3. Where skills are lacking, the Head of Internal Audit has engaged capable assistance or has declined the engagement.
   Remarks: Yes, for audits which internal audit doesn't have the required capability or resource for, justification will be provided for outsourcing the engagement.

4. We have effective recruiting and development policies/or practices.
   Remarks: Yes, as part of the IA recruitment, candidates will be required to sit for a test to assess their audit capabilities and report writing skills. These are in addition to the minimum qualifications and experience required.

5. Staff performance is reviewed on a regular basis and the criteria used are adequate and appropriate for the needs of the internal audit activity.
   Remarks: Yes, staff performance is reviewed on an ongoing basis and feedback is provided to staff during meetings.

6. The internal audit staff is aware of the due professional care standard (e.g. extent of work needed to achieve the engagement's objectives, use of technology-based audit and data analysis techniques and cost of assurance in relation to potential benefits).
   Remarks: Yes, IAD should be independent of the activities being audited, which should be performed with impartiality, proficiency and due professional care. The BAC determines the merit of IAD's function, which should be consistent with the standards developed by the Internal Audit Profession and in accordance with BNM's guidelines.

7. The level of due professional care expected of a reasonably prudent and competent internal auditor is consistently applied on audit engagements.
   Remarks: Yes, same as above.

8. Auditors undergo specific training based on collective staff training needs analysis, including IT concepts and fraud training.
   Remarks: Yes, moving forward a training needs analysis will be performed annually and a certain percentage of KPI will be allocated for training & development.

9. Continuing professional development is a priority and is used to enhance and maintain internal audit competencies.
   Remarks: Same as above.

Item AWP Ref: Remarks

1. Identify the position of the internal audit activity within the organization by reviewing the organization chart.
   Remarks: The internal audit manager functionally reports to the Audit Committee and administratively to the CEO. This is to maintain the independence of the department and to remain objective without undue influence from Management.
2. Determine if the reporting lines, as stated in the internal audit charter, allow the internal audit activity to carry out its responsibilities in an unbiased manner.
   Remarks: Same as above.
3. Review the internal audit activity's Manual regarding reporting of conflict of interest and review conflict of interest declarations.
   Remarks: Objectivity is essential to ensure independence. Internal Auditors should maintain an independent mentality to enable them to exercise judgement, express opinions and present recommendations with impartiality. Objectivity is also achieved by ensuring that internal auditors are not placed in situations in which they feel unable to make objective judgements. In IAD, such objectivity should be achieved by:
   • Avoiding conflict of interest or bias.
4. Review the audit committee charter and determine if the charter states the functional responsibilities of the board to the internal audit activity, especially relating to:
   • Approval of the internal audit activity charter.
   • Approving the risk-based internal audit plan.
   • Receiving communications from the Head of Internal Audit on the internal audit activity's performance relative to its plan and other matters.
   • Approving decisions regarding the appointment, removal and remuneration of the Head of Internal Audit.
   Remarks: Instapay's Audit Committee terms of reference include the following:
   a. to approve the appointment, performance appraisal and remuneration, transfer and dismissal of the Head of Internal Audit.
   b. to review and approve the Audit Plan, Audit Charter, Manual, Methodology and budgeted man-days.
   c. to review the scope of Internal Audit and to confirm that Management has placed no restrictions on the scope of audits.
   d. to establish a mechanism to assess the performance and effectiveness of the internal audit function.
   e. to ensure that the internal audit function is adequately resourced and has appropriate standing within Instapay so that the Internal Auditors can function effectively and will be able to obtain cooperation from other functions within Instapay.
   f. to ensure cooperation between the Internal and External Auditors.
   g. to consider the findings of the Banking Supervision Division of BNM (if any) and Management's response.
   h. to review the key audit reports and consider the major findings of internal investigations; and to ensure that Senior Management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with laws, regulatory requirements, policies and other problems identified by the Internal Audit and other control functions.
   i. to note any significant disagreement between the Head of Internal Audit and the Senior Management team, irrespective of whether it has been resolved, in order to identify any impact the disagreement may have on the audit process or findings.
5. Review minutes of the audit committee meetings to determine if functional responsibilities of the board were carried out.
   Remarks: Yes, there is detailed deliberation of issues and the minutes reflect them.
6. Review the performance evaluation of the Head of Internal Audit and determine the board participation and the key performance evaluation as indicated by the internal audit activity's performance measures.
   Remarks: To roll out the performance measure from FYE 2024.
7. Review the following:
   • Collect the Code of Ethics from internal audit staff and determine if it is signed by them as read and understood.
   • Determine if a register of allocation of internal auditors on consulting assignments is kept.
   • Check with the quality assessment team member assigned to the Internal Audit Process program segment and determine whether any significant objectivity issues were noted.
   • Determine if any impairment to independence and/or objectivity exists or Code of Ethics issues have occurred and have been disclosed to appropriate parties.
   Remarks: The principles set out below form the basic guidelines for the professional conduct of all staff of IAD.
   i. Integrity
   ii. Objectivity
   iii. Confidentiality
   iv. Competency
   As per the current setup, there are 2 personnel in the Internal Audit Department and all audits are performed under the supervision of the Head of Audit. When the headcount increases, allocation and tracking of resources will be performed.
   Nil conflict of interest situation noted.

Conformance Assessment Recap

Standard 1100 and Code of Ethics
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not Applicable)
Key Conformance Criteria GC PC DNC NA
1. The Head of Internal Audit reports to a level in the organization that allows the internal audit activity to fulfil its responsibilities.
   Remarks: Yes, the head of internal audit reports directly to the Audit Committee and administratively to the CEO. This enables the internal audit to function independently.
2. The administrative reporting relationship to senior management does not interfere with the Head of Internal Audit's responsibility to the Board.
   Remarks: Yes, there is a clear reporting line by IA to the Audit Committee, and administrative reporting is to the CEO. This is to ensure that the function remains independent and to avoid a conflict of interest situation.
3. There are no restrictions to the scope, resources and access of the internal audit activity.
   Remarks: As per the Internal Audit Charter, the auditor must have unrestricted access to information in performing their responsibilities.
4. The nature of the Head of Internal Audit's functional reporting relationship to the board provides the direct interaction needed to promote independence and communicate audit results.
   Remarks: The Internal Audit Manager has a formal reporting channel to the Audit Committee and access to the AC Chairman. There is direct communication with the AC.
5. Auditors are aware they must report any real or perceived objectivity or Code of Ethics issues as soon as such issues arise.
   Remarks: Yes, any such issues will be highlighted and reported to the AC. However, there were no such conflicts noted.
6. Audit engagements are performed with an unbiased mental attitude.
   Remarks:
   • As per the Code of Ethics, IAD must exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activities or processes being examined. Internal auditors make a balanced assessment of all the relevant documentary evidence and are not unduly influenced by their own interests or others in forming judgements.
   • IAD shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that conflict with the interests of the organization.
   • IAD shall not accept any monetary or non-monetary item that may impair or be presumed to impair their professional judgement.
   • IAD shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
7. There are no restrictions to the scope, resources and access of the internal audit activity.
   Remarks: As per the Internal Audit Charter, IA should have unrestricted access to information.
8. Any impairments have been disclosed to appropriate parties.
   Remarks: Yes, any impairments will be disclosed accordingly.
9. Auditors are aware they must report any real or perceived objectivity or Code of Ethics issues as soon as such issues arise.
   Remarks: Yes, any conflict of interest issue must be reported as soon as it arises.

To check the following:

Item AWP Ref: Remarks

1. Obtain the QAIP Program and determine if it is consistent with the Standards. Where applicable, also review the most recent external assessment report.
   Remarks: There are two components within the QAIP, as follows:
   a. Ongoing Monitoring - Upon completion of each audit assignment, QA will perform a quality assessment by utilizing the Checklist for Quality Assurance.
   b. Periodic Self-Assessment - Periodic self-assessments are designed to assess conformance with the Internal Audit Charter, IIA's 'Definition of Internal Auditing', 'Standards', 'Code of Ethics' and regulatory requirements, and to assess the efficiency and effectiveness of the internal audit function.
   The periodic self-assessment is conducted to assess the adequacy and effectiveness of the ongoing monitoring portion of the Quality Assurance and Improvement Program (QAIP) in order to conclude whether the internal audit activity is adding value to the organization.
2. Obtain the most recent self-assessment report and review the report to determine if conformance with the Definition of Internal Auditing, the Code of Ethics and the Standards was evaluated and if there were any opportunities to improve the internal audit activity's efficiency and effectiveness. If additional evidence is required, consider performing the following steps:
   • Review the supporting records for the QAIP (ongoing monitoring activities and periodic self-assessments) and any customer service standards.
   • Determine if any disclosures of non-conformance were required. If there were issues, determine that the impact of non-conformance was communicated to senior management and the board.
   Remarks: Currently the QAIP is not implemented as the department is staffed by one Manager and an Audit Assistant. Both the Manager and the Executive are involved in the audit. Thus, this will be rolled out once business grows and the headcount increases.
3. Obtain the Board committee agendas and minutes of meetings for the past year and determine if the results of the QAIP appeared on any of the agendas.
   • Determine if the results of the QAIP (ongoing monitoring and periodic internal assessment) are reported at least annually by reviewing the Board Audit Committee packs for measurement criteria communicated to the Board by the Head of Internal Audit.
   • Obtain a QAIP report that was tabled (as per the agenda) at a board meeting and determine if the results of the self-assessment report include the reviewer's or review team's assessment with respect to the degree of conformance.
   • Determine the means of communication on the implementation of actions to achieve conformance to the Definition of Internal Auditing, the Code of Ethics and the Standards.
   Remarks: Once the QAIP is rolled out, the outcome will be tabled to the Audit Committee for notification.
4. Review internal audit reports that were issued and determine if the statement "Conforms with the International Standards for the Professional Practice of Internal Auditing" is stated on the reports or any other correspondence of the internal audit activity.
   • Determine if results of the QAIP (both the internal and external assessments) support this statement by reviewing the quality assessment communications and reports.
   Remarks: This is addressed under xx.xx.xx
5. Review the survey and/or interview results for this program segment. Determine if the results will have any impact on your results and conclusion.
   Remarks: Not applicable. Refer to the justification above.
6. Check with the quality assessment team members assigned to the other program segments and determine whether any QAIP issues were noted.
   Remarks: Refer to the justification above.

Conformance Assessment Recap

Standard 1300
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not Applicable)
Key Conformance Criteria GC PC DNC NA
1. The Head of Internal Audit formally established and documented a QAIP consistent with the Standards.
   Remarks: Yes, the QAIP processes are documented in the Internal Audit Manual. Refer to section 7.0 Quality Assurance.
2. The QAIP enables the internal audit activity to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics and the Standards.
   Remarks: The QAIP includes 2 components, which are:
   a. Ongoing monitoring
   b. Periodic Self-Assessment
3. The QAIP is used to identify opportunities to improve the internal audit activity's efficiency and effectiveness.
   Remarks: The QAIP will be rolled out once there is sufficient headcount. Currently the Internal Audit Manager and the Audit Executive are both involved in the audits. The QAIP will need to be carried out by auditors who are not involved in the engagement to maintain effectiveness.
4. There is evidence of ongoing reviews of the performance of the internal audit activity.
   Remarks: Refer to the point above.
5. Periodic self-assessments are being performed according to the frequency/scope in the QAIP and are consistent with IIA's International Professional Practices Framework (IPPF) guidelines.
   Remarks: Refer to the point above.
6. There is evidence of comprehensive external assessments by qualified, independent external assessors or assessment teams.
   Remarks: Refer to the point above.
7. The results of full external assessments and periodic self-assessments are formally communicated to senior management and the board upon completion of such assessments.
   Remarks: Refer to the point above.
8. The results of ongoing monitoring are communicated to senior management and the board at least annually.
   Remarks: As per the Internal Audit Manual under 7.4, the results will be communicated to the BAC for assurance that the internal audit activity maintains the standards of performance that are required by the IIA.
9. Where applicable, there is appropriate wording in the internal audit charter and/or audit reports.
   Remarks: Yes, the QAIP requirement is reflected in the Audit Manual.
10. Any non-conformance with the Definition of Internal Auditing, the Code of Ethics and the Standards that impacts the scope or operation of the internal audit activity will be disclosed to senior management and the board.
   Remarks: Yes, as per Internal Audit's reporting structure, all audit reports are tabled to the BAC for notification and endorsement. Accordingly, the outcome of the QAIP will be tabled to the BAC once completed.

Observation/Recommendation/Opportunities for Improvement:

As the Internal Audit Department is currently lean and consists of the Internal Audit Manager and Executive, the QAIP has not been rolled out and both personnel are involved in each audit.

Once business grows and there is additional headcount in the department, the QAIP will be implemented.

Additional Comments:

Nil.

Item AWP Ref: Remarks

1. Review the internal audit activity's organization chart and staff profile. Evaluate the internal audit responsibilities and overall level of core competencies.
   Remarks: The IA function is headed by the Internal Audit Manager, who is a qualified practitioner with vast experience working in large Banks such as MUFG, IIBM, MIDF and Ambank. He is an associate member of CPA Australia and possesses a Bachelor's Degree in Accounting & Economics from Monash University.
   The internal audit manager is assisted by an IA Executive who has exposure working in mid-size audit firms and possesses a Bachelor's degree in Accounting.
2. Review staff and management job descriptions (and any competency model or framework).
   • Determine whether job descriptions (or the competency model) provide suitable criteria of education and experience for filling internal audit positions.
3. Review planning guide information pertaining to specialized skills required by the internal audit activity and the staffing analysis (support for the current and prior year audit plans).
   • Determine whether the current internal audit activity staff possesses adequate information technology (IT) audit skills.
   • Determine whether any other specialized skills or expertise (i.e. fraud detection skills, consulting skills, etc.) are required to effectively meet the unique needs of the organization.
   • If specialized skills are needed, determine whether the current staff possess these skills.
   • Evaluate the qualifications of any third-party providers of internal audit services used during the review period, and the type of assistance provided, where appropriate.
