Practical Approach To Delivering Value (IIA)

Practical Approach to delivering value in Internal Audit Engagement

Powered by the Training Faculty of the Institute of Internal Auditors Nigeria (IIA).

For:

Virtual presentation

Date: August 16 & 17, 2024


Session Outline
✏ Overview: Value or Fear
✏ Value Speaks
✏ A Predictive way to adding value
✏ Perspective on managing internal audit value (Value & the Beholder)
✏ Critical thinking and value addition
✏ Value Addition in Internal Audit Capability
✏ Practical considerations for value addition: Internal auditors & the IAA
   I. Adding Value to the Governance process
   II. Adding value to the Risk Management process
   III. Adding value to the compliance processes
✏ Experience sharing on Value Addition
✏ Conclusion
✏ Questions, Comments & Contributions

Overview: Value or Fear
Value or Fear

See Audit…
The power of Green Biro

The Auditor has spoken

The intent of the Standards is about value:

• The Essence of Internal Auditing: Bring about improvement through a systematic and disciplined approach
• Ethics & adding value: Internal Audit services must add value to improve ways of working
• Non-Negotiable requirement

Value or Fear

Why Value matters:

• It is the essence of internal auditing
• It is a way to demonstrate internal audit’s contribution to the improvement of the organizational processes and operations
• It is one of the bases for evaluating effective operation of the internal audit activity
• Improves perspective of internal audit as a trusted advisor and force of governance.

PHOTO SPEAKS
What’s in a picture?
A picture is worth a thousand words…..

…..complex and sometimes multiple ideas can be conveyed by a single still image, which conveys its meaning or essence more effectively than a mere verbal description

PHOTO SPEAKS 1
PHOTO SPEAKS 2
PHOTO SPEAKS 3
PHOTO SPEAKS 4

Photo Speaks

• In the context of our discussion today, that image is VALUE.
• What does value mean?

Value ……. The benefits that individual internal auditors and the collective activity bring to improve the ways of working in an organization and ultimately increase the chance of achieving its objectives….

A Predictive Way to Adding Value

A Predictive way

• Purpose of IA: Articulates the value of internal auditing (to auditors & stakeholders)
• Ethics & Professionalism:
   1. Demonstrate Integrity
   2. Maintain Objectivity
   3. Demonstrate Competency
   4. Exercise Due Professional Care
   5. Maintain Confidentiality
• Governing the IA function:
   6. Authorized by the Board
   7. Positioned Independently
   8. Overseen by the Board
• Managing the IA function:
   9. Plan Strategically
   10. Manage Resources Effectively
   11. Communicate Effectively
   12. Enhance Quality
• Performing IA Services:
   13. Plan Engagement
   14. Conduct Engagement Work
   15. Communicate engagement conclusion & monitor action plan

Insights from the IIA Guidance on The Predictive Way

Domain 1: Purpose of Internal Auditing


Internal auditing strengthens the organization’s ability to create, protect and sustain value by
providing the board and management with independent, risk-based, and objective
assurance, advice, insight, and foresight.

IA strengthens the organization’s:


• Successful achievement of its objectives
• Governance, risk management, and control processes
• Decision-making & oversight
• Reputation & credibility with stakeholders
• Ability to serve the public interest

Internal auditing is most effective when:


• It is performed by competent professionals in conformance with the Standards
• The internal audit function is independently positioned with direct accountability to the Governing
authority
• Internal auditors are free from undue influence and committed to making objective assessments

There is a way….

• The way is essentially in what internal auditing is about.

• ……designed to add value and improve an organization's operations.
• …….Do you know the way?
• ……..Finding or no finding?

…….. To what extent does your work demonstrate that controls have been designed & are operating effectively?

Perspective on managing internal audit value (Value & the “beholder”)
Beauty (Value) is in the eye of the beholder
Value isn’t just about what you think, your level of experience;
…. it doesn’t exist on its own
….. It is created by observers
…. It is about the improvement resulting from IA work.
Who are the beholders?
•Internal Audit Clients;
•Internal Audit Guidance
•Internal Audit Leadership

…..To what extent do you understand the interest of these “beholders” and
consider them in the course of your work?

Value is about transparency
1. Of Purpose
2. Of Approach
3. Of Outcomes

Value is about transparency

….. How do you view an audit engagement?

“We against them” or “How may I help you?”

1. Transparency of Purpose

Key considerations to demonstrate transparency of purpose:

• Notification of engagement commencement
• Rationale for the audit
• Objectives of the audit engagement
• Scope of the engagement
• Scope exclusion
• Reasons for requesting audit documentation during the audit.

2. Transparency of Approach

Key considerations to demonstrate transparency of approach:

• Approach to the audit – risk-based, CAM etc.
• Steps to be involved in the audit process.
• It's an audit, not an investigation;
• Audit timelines
• Follow-up approach and timelines

2. Transparency of Approach contd.

• Process owners’ role and expectations:
   • Complete certain documentation
   • Attend audit meetings
   • Provide information relating to the audit area
   • Provide explanations to the auditors on the engagement
   • Respond to audit observations

3. Transparency of Outcomes

Key considerations to demonstrate transparency of outcomes:

• Opportunity for operating line managers to know about the observations first.
• Opportunity for the process owner to see the draft report first.
• Scheduling and invitation to exit/close out meetings or conferences.
• Discussion of report before finalization and circulation.
• Communication of final reports to process and action owners.
• Transparency on next steps.
• Follow up audit
• Opportunity for feedback e.g. client satisfaction survey

Relevant insights from The IIA Guidance on Transparency

Domain 5, Principle 13: Plan Engagements Effectively:


• Internal Auditors plan each engagement using a systematic & disciplined approach

Standard 13.1: Engagement Communications:


- Internal auditors must communicate effectively throughout the engagement
- Internal auditors must communicate the objectives, scope, and timing of the
engagement with management. Subsequent changes must be communicated timely
- Disagreement on engagement results must be discussed with management. Where
mutual understanding is not reached, both positions must be expressed in the report
(including reasons for varying positions).

Critical Thinking and Value Addition
There is a thinking

• Critical thinking….. crucial to IA effectiveness… on the decline……

• Even ChatGPT knows:

“While internal auditors require a range of skills to excel in their roles, one skill stands out as particularly crucial: critical thinking. The ability to objectively analyze and evaluate information, identify patterns, and make logical and reasoned judgments. . . .
• ….. Internal auditors also need a combination of other skills, such as effective communication, adaptability, attention to detail, and knowledge of auditing principles and techniques.”

• ….. Are you a critical thinker?

Critical Thinking and Value Addition contd.

Strategies for preserving Critical Thinking (Dr. Well*)

• Avoid the urgency trap. Be aware of hasty decision habit, “pause or take a break” before rushing to conclusions.
• Engage in reflective thinking. Reflect on your “thoughts, experiences & biases.” Helps to become more self-aware, identify alternative views, & evaluate own rationale.
• Practice active listening & effective communication. Become an active listener to better understand others’ viewpoints & perspectives. Express your thoughts “clearly, constructively, & logically, fostering productive discussions and debates.”
• Embrace curiosity & lifelong learning. Cultivate a curious mindset & a lust for learning. “Be open to new ideas, seek diverse perspectives, & continuously expand your understanding through reading, research, & learning from others.”
• Solve problems systematically. Dissect complex problems, identify underlying issues, & consider alternate solutions. Practice problem-solving methods, including “brainstorming, evaluating alternatives, & anticipating potential consequences.”
• Engage in critical thinking exercises. Solve puzzles, riddles, or logical problems” that hone your reasoning abilities. Don’t hesitate to “engage in debates, analyze case studies, or participate in critical thinking workshops/courses.”
• Practice self-compassion. Acknowledge that deep thinking is not easy amid the many distractions we face. Regular meditation & physical exercise can help to manage stress. “Deep thinking requires nurturing yourself & taking time to slow down.”

Some insights from the IIA Guidance on Critical Thinking

• A systematic & Disciplined Approach: Definition of Internal Auditing
• Communicates Effectively: The CAE guides the IA function to communicate effectively with stakeholders
• Demonstrates Professional Skepticism: Due professional care and inquisitive mindset

Some insights from the IIA Guidance on Critical Thinking
Domain 1: Purpose of Internal Auditing

Internal auditing strengthens the organization’s ability to create, protect and sustain value by
providing the board and management with independent, risk-based, and objective assurance,
advice, insight, and foresight.

IA strengthens the organization’s:


• Successful achievement of its objectives
• Governance, risk management, and control processes
• Decision-making & oversight
• Reputation & credibility with stakeholders
• Ability to serve the public interest

Internal auditing is most effective when:


• It is performed by competent professionals in conformance with the Standards
• The internal audit function is independently positioned with direct accountability to the
Governing authority
• Internal auditors are free from undue influence and committed to making objective assessments

Some insights from the IIA Guidance on Critical Thinking

Domain 4: Managing the Internal Audit Function


Principle 11: Communicate Effectively
The CAE guides the IA function to communicate effectively with its stakeholders.
Standard 11.1: Building relationship & Communicating with Stakeholders:
- The CAE must develop an approach for the IA function to build relationships & trust with key
stakeholders, including the board, senior management, operational management, regulators,
and internal and external service providers.
- The CAE must promote formal & informal communication between the IA function &
stakeholders, contributing to improved mutual understanding of the organization’s peculiarities.
Considerations:
The CAE should be included in the organization’s communication channels to keep abreast of
major developments and planned activities that could affect the objectives & risks of the
organization. The CAE should have a “seat at the table”. Independent meeting with board &
senior management.

Some insights from the IIA Guidance on Critical Thinking

Domain 4: The Principles contd


Standard 11.2: Effective Communication:
- The CAE must establish and implement methodologies to promote accurate, objective, clear, concise,
constructive, complete, and timely internal audit communications.
Considerations:
Methodologies may include policies, criteria, procedures, style guide to ensure the IA function’s communications achieve consistency:
• Accurate: free from errors and distortions and faithful to the underlying facts.
• Objective: impartial, unbiased, fair and balanced assessment of all relevant facts and circumstances.
• Clear: logical & easily understood by relevant stakeholders, avoiding unnecessary technical jargon
• Concise: succinct and free from unnecessary detail and wordiness
• Constructive: helpful to stakeholders & the organization and enabling improvement where needed.
• Complete: relevant, reliable, & sufficient information and evidence to support results of the work.
• Timely: appropriately timed, according to the significance of the issue.

Some insights from the IIA Guidance on Critical Thinking

Domain 2: Principle 4: Exercise Due Professional Care


Standard 4.3: Professional Skepticism:
- Internal auditors must exercise professional skepticism when planning & performing IA services.

- To do this, internal auditors must:


- Maintain an attitude that includes inquisitiveness
- Critically assess the reliability of information
- Be straightforward and honest when raising concerns or questioning inconsistent information
- Seek corroborative evidence as appropriate (e.g. incomplete, inconsistent, misleading info.)

Considerations:
Skepticism is the attitude of always questioning or doubting the validity & truthfulness of claims, statements & other information. Internal auditors apply professional skepticism by not just accepting all information provided as true or genuine without question. The CAE should help internal auditors build competencies related to professional skepticism – through workshops & training opportunities.

Value Addition in Internal Audit Capability

IA Capability & value addition
The Capability Maturity Model is a continuum used to evaluate the maturity of a process,
department or organization.
The stages of maturity defined as follows:
Level 1 – Initial: No sustainable repeatable capabilities (little or no IA dept or process exists). Ad-hoc, unstructured. Isolated single audits or review of documents & transactions for accuracy & compliance

Level 2 – Infrastructure: Sustainable and repeatable internal audit (‘IA’) practices and procedures (compliance audits focused).

Level 3 – Integrated: IA management and professional practices uniformly applied (advisory services, management oversight of IA)

Level 4 – Managed: Integrates information from across the organization to improve governance and risk management (overall assurance on GRC, Independent oversight of the IA function)

Level 5 – Optimized: IA learning from inside and outside the organization for continuous improvement (internal audit recognized as key agent of change).

IA Capability & value addition contd.

• A maturity model describes process components that are believed to lead to better
outputs and better outcomes. A low level of maturity implies a lower probability of
success in consistently meeting an objective while a higher level of maturity implies a
higher probability of success.
• The organization’s risk tolerance should be considered when determining the level of
maturity that management expects to have in place.
• Auditors may want to use maturity models as criteria to assess business processes as part
of assurance engagements, thus providing an easy-to-communicate understanding of the
governance, risk, or control environment under review.
• In the absence of defined criteria for a process, the auditor can work with management
to define adequate criteria using a maturity model.

The maturity of the internal audit function is directly correlated to the extent to which
the function adds value to the organization

Practical considerations for value addition: Internal auditors & the IAA
Practical Considerations

IA VALUE PROPOSITION

• IA delivers Objective Assurance & Insight on the effectiveness and efficiency of GRC processes.
• Provides Assurance on the GRC processes to help the organization achieve its strategic, operational, financial, & compliance objectives
• IA is a Catalyst for improving an org’s effectiveness & efficiency by providing Insight & recommendations based on Analyses & Assessments of data & business process
• With commitment to Integrity & Accountability, IA provides value to governing bodies & senior mgt as an Objective source of Independent advice

Source: The IIA Global

Adding Value to the Governance process
Adding value to governance contd.

Considering the business and economic uncertainties, the internal audit function is
expected to continually take a fresh look at corporate governance practices within the
organization by incorporating it in the audit universe and risk-based plans

Some insights from IA Guidance on adding value to governance
Domain 4: Principle 9: Plan Strategically
• The CAE plans strategically to position the IA function to fulfil its mandate & achieve long-term
success
Standard 9.1: Understanding Governance, Risk Management & Control Processes:
- The CAE must develop an understanding of the organization’s GRC processes.
- To achieve this, the CAE must consider how the organization
- Establishes strategic objectives and makes strategic and operational decisions.
- Oversees risk management and control.
- Promotes an ethical culture.
- Ensures effective performance management and accountability.
- Structures its management and operating functions.
- Communicates risk and control information throughout the organization.
- Ensures coordination of activities & communications among the board, providers of assurance services, &
management.
Considerations:
CAE’s understanding is developed by gathering information broadly & viewing it comprehensively. Sources
include discussions with Board, management, review of organizational documentations, prior workpapers, &
other reports

Adding value to governance contd.
Protiviti Inc. suggested some governance principles/practices to help focus internal audit
efforts in the area:

Create a framework for oversight and accountability: A company should establish the respective roles and responsibilities of the board and executive officers

Structure the board to add value: The board should be comprised of directors who will contribute to its effectiveness with attention to competencies, independence, objective and sound judgement; commitment; board size & interaction; and board committees

Attract and retain effective directors: A board should have processes to examine its membership to ensure that directors, individually or collectively, have the necessary competencies and other attributes

Continuously strive to improve the board’s performance: A board should have processes to improve its performance and that of its committees. Incl. training/awareness

Promote Integrity: The board should actively promote ethical and responsible behaviour and decision-making. This should include compliance with laws, regulations and ethical standards and adoption of a whistleblower program

Adding value to governance contd.

Recognize and manage conflicts of interest: A company should establish a sound system of oversight and management of potential and actual conflicts of interest

Recognize and manage risk: A company should establish a sound framework of risk
oversight and management.

Oversee strategy and its implementation: The board should oversee the strategy
development process, resulting strategy, plans for its implementation, and related annual
plan and budget.

Oversee the organization’s performance: The board should monitor the organization’s
performance in the best interests of the company and shareholders

Compensate appropriately: The board should ensure the policies for determining
compensation are based on performance and aligned with the best interest of the
company

Adding value to governance contd.

Engage effectively with shareholders, government and the community: The board
should keep shareholders informed of relevant information and endeavour to stay
informed of the views of shareholders, government and the community

Approve significant transactions and events: Ensuring they are supportive of the
organization’s strategic directions.

Oversee and evaluate the external auditor: The board (audit committee) should
appoint, monitor, and evaluate the external auditor.

Oversee and evaluate the Internal audit function: The board (audit committee)
should oversee the internal audit activity

Oversee and evaluate the internal and external legal counsel: The board needs to oversee the relationship between the internal and external legal counsel.

Adding value to the Risk Management Process
Adding value to Risk management process

Enterprise-wide Risk Management process:

The methods and processes used by organizations to strategically manage risks and
leverage opportunities by embedding risk awareness into the strategy-setting process.

It is a broader initiative of linking risks to strategic objectives, developing appropriate risk responses, and managing risk to within risk appetite on an enterprise-wide level.

Internal audit departments could be involved in a number of ways in this process; however, the Institute of Internal Auditors has established guidelines surrounding the acceptable roles internal auditors can take on with respect to ERM.

Risk Management Process - Key Elements

• Risk identification
• Risk Assessment
• Risk Response
• Risk Action plans
• Risk Monitoring
• Risk Reporting

Adding value to Risk management process contd.

Figure 1*: Internal Audit Roles in ERM

* The Institute of Internal Auditors

Adding value to Risk management process contd.

A few points to note from the fan:

• The consulting activities provide IA with the greatest opportunity to add value to the process.
• These consulting activities represent the majority of the roles IA can assume in an effort to speed up the process of implementing risk assessment methodology into the governance framework.
• Championing the establishment of ERM is one way IA can speed up the process, by:
   • Encouraging leadership from the top
   • Raising risk awareness among senior and middle management
   • Assisting in the development of a business case for risk management, and
   • Suggesting a risk management organizational structure
• Facilitating the identification & evaluation of strategic risks: by leveraging IA’s experience in risk assessments. May recommend methodologies.
• The ultimate responsibility for ensuring risks are managed rests with the board and executive management. Internal audit is well positioned to add value through its core assurance and safeguarded consulting roles.

Assurance on the risk management process

Assurance on the risk management process itself can be performed to provide reasonable
assurance to senior management and the board that an organization’s risk management program
is effectively designed, documented, and operating to achieve its objectives.

Potential questions that such assurance should be designed to answer could include:
• Does the risk management program have adequate commitment from organization
management, including adequate stature and resources in relation to risks?
• Are the risk management framework design and risk evaluation criteria appropriate for the
internal and external context (environment) of the organization?
• Is there adequate definition and communication of requirements, risk evaluation criteria, and
accountability for the development, implementation, and maintenance of the risk management
framework and specific risk area evaluations?
• Is the risk attitude established at the proper level in the governance structure of the
organization?
• Are internal communication and reporting mechanisms adequate to ensure that key outcomes
of the risk management activities are communicated appropriately within the organization
(balancing transparency with sensitivity)?

Assurance on the risk management process contd.

• Do reports to stakeholders adequately reflect the organization’s attitude to & treatment of risks?
• Are external communication and reporting mechanisms adequate to comply with relevant legal,
regulatory, corporate governance, and disclosure requirements?
• Do adequate performance measures and reporting exist to monitor the design and
effectiveness of the risk management framework?
• Are risk evaluation criteria, appetites, responses, and escalation/reporting requirements
consistently applied in practice across the organization? Are people with the appropriate
knowledge responsible for risk identification? Is the current state of risk identification
adequate?
• Are the risk framework and related processes and controls modified as business conditions
and organizational needs change?
• Are people with the appropriate knowledge responsible for risk analysis, evaluation, and
treatment/response? Are these activities adequately reviewed and approved?
• Are risk treatment plans and status monitored and adequately communicated with appropriate
levels of management and the board?

Insights from IA Guidance on adding value to Risk management

Domain 4, Principle 9: Plan Strategically:
• The CAE plans strategically to position the IA function to fulfil its mandate & achieve long-term success
Standard 9.1: Understanding Governance, Risk Management & Control Processes:
- The CAE must develop an understanding of the organization’s GRC processes.
- To achieve this, the CAE must consider how the organization
   - Establishes strategic objectives and makes strategic and operational decisions.
   - Oversees risk management and control.
   - Promotes an ethical culture.
   - Ensures effective performance management and accountability.
   - Structures its management and operating functions.
   - Communicates risk and control information throughout the organization.
   - Ensures coordination of activities & communications among the board, providers of assurance services, & management.
Considerations:
CAE’s understanding is developed by gathering information broadly & viewing it comprehensively. Sources include discussions with Board, management, review of organizational documentations, prior workpapers, & other reports

Insights from IA Guidance on adding value to Risk management

Domain 4: Principle 11

Standard 11.5: Communicating the Acceptance of Risk:


- The CAE must communicate unacceptable levels of risk

- When the CAE concludes that management has accepted a level of risk that exceeds the
organization’s risk tolerance, the matter must be discussed with senior management. If the CAE
determines that the matter has not been resolved by senior management, the matter must be
escalated to the board. It is not the responsibility of the CAE to resolve the risk.

Considerations:
The CAE may become aware that management has accepted a risk by reviewing management’s
response to engagement findings and the follow up on agreed action plans.
When risk exceeds the risk appetite, impacts may include organizational reputational damage, significant regulatory sanction/fine, material misstatements, conflict of interest, fraud or illegal act.

Insights from IA Guidance on adding value to Risk management

Domain 5: Principle 13
Standard 13.2: Engagement risk assessments:
- Internal auditors must develop an understanding of the activity under review & assess relevant risks

Internal auditors must gather RRS information and review:


- The org. strategies, objectives, and risks relevant to the activity under review.
- The organization’s risk tolerance, if established.
- The risk assessment supporting the internal audit plan.
- The objectives of the activity under review.
- The governance, risk management, and control processes of the activity under review.
- Relevant frameworks, guidance, & criteria that may be used to evaluate effectiveness of those
processes

To conduct the engagement risk assessment, internal auditors must:


- Identify the significant risks to the objectives of the activity under review.
- Consider specific risks including those related to fraud
- Evaluate the significance (impact and likelihood) of the risks.
- Assess the design adequacy of the activity’s control processes.

Adding Value to the Compliance processes

Adding value to the compliance / control processes

• Internal Audit can deliver assurance, advisory and related insights over the end-to-end
control and compliance processes of the organization
• Reference to the major activities and processes across the organization, which may
include:
• Supply Chain – Procure to pay, logistics, Supplier management etc.
• Human Resources – Attraction, onboarding, training and development, exit
management, business partnering, employees' services
• Regulatory / Ethical Compliance
• Finance processes – Treasury management (including Liquidity, Cashflow, Debt),
Financial reporting/control, Period-close, Accounts Payable, Accounts Receivable,
Tax etc.
• Technical/ Operational processes
• Information Technology – ITGC, Information Security, Data Privacy, Cybersecurity,
Access Controls etc.

Experience Sharing
CBOK Practitioner Survey
CBOK Practitioner Survey contd.

Conclusion

Value is the end-game of the services internal audit provides to the organization and audit clients.

The individual internal auditors and the activity at large must reflect
on this critical measure of success of internal audit.

ARE YOU ADDING VALUE, TICKING THE BOXES OR CREATING FEAR?


Questions, Comments & Contributions

Thank You
References:
IIA Global Internal Audit Standards
*Richard Chambers, July, 2023; Is A Crucial Internal Audit Skill on the decline (https://www.richardchambers.com/is-a-crucial-internal-audit-skill-in-decline/)
IIA PG: Assessing the Adequacy of Risk Management Using ISO 31000
