CM Week 3 For Corporate Governance
CM Week 3 For Corporate Governance
CM Week 3 For Corporate Governance
No. of Units: 3
She completed her Masters in Business Administration at Baliuag University in 2017. Until recently,
she is the Internal Auditor for Bela Star Distribution Systems Inc., one of the leading commodities
trading companies in North Central Luzon.
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
-Ms. Fideliz Arca Vidal, CPA, MBA
Contact Information:
Facebook Account: FIDELIZ ARCA VIDAL
Email Address: [email protected]
Contact Number: 0917-125-7539 (globe)
Topics:
DISLAIMER: The information content provided in this course material is designed to provide helpful
information on the subjects discussed. Some information’s are compiled from different materials and
summarized from different books. Some information’s are based on contributors' perspective and
understanding. References are provided for informational purposes only and do not constitute
endorsement of websites or other sources. Readers should be aware that the websites/electronic
references listed in this course material may change. Hence, the contributors do not claim any
information presented in the materials and do not reflect their own work.
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
MODULE 2:
INTERNAL AUDIT
I. Activity:
III. Content:
INTERNAL AUDIT is an independent, objective assurance and consulting activity designed to add
value and improve an organization’s operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.
INTERNAL AUDITOR are professionals with an in-depth understanding of the business culture,
systems, and processes, the internal audit activity provides assurance that internal controls in place
are adequate to mitigate the risks, governance processes are effective and efficient, and organizational
goals and objectives are met.
MISSION OF INTERNAL AUDIT articulates what internal audit aspires to accomplish within an
organization. Its place in the IPPF is deliberate, demonstrating how practitioners should leverage the
entire framework to facilitate their ability to achieve the Mission.
To enhance and protect organizational value by providing risk-based and objective assurance,
advice and insight.
Internal and external audit should ensure appropriate and regular communication and sharing of
information – a constructive relationship on this basis can be of benefit to the organizations they
serve. However, it is vital that the two assurance functions maintain clear boundaries, as well as
ensure they preserve their independence and objectivity.
Internal and external audit are complementary functions within the assurance framework and both
are essential for the effective governance of an organization. However, internal audit is distinct from
external audit and both functions have their own value and expertise. They perform very different
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
roles and should report separately to the board/audit committee. Both need to be independent,
objective, properly resourced and work according to their respective international standards.
Despite the need to preserve their independence and objectivity, internal and external audit should
maintain a close, constructive relationship. This is to ensure their work is coordinated and there is an
efficient use of resources. On the relationship between internal and external audit, IIA’s Internal Audit
Code of Practice “Guidance on effective internal audit in the private and third sectors” says:
“The chief internal auditor and the partner responsible for external audit should ensure appropriate
and regular communication and sharing of information.”
It is important that regulators and policymakers understand and take into account the differences
between internal and external audit when developing new policies related to audit and corporate
governance. Legislative and regulatory references to “audit” and “the auditor” should be specific as
to whether they are referring to internal audit or external audit.
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
Timing and frequency Project(s) tied into financial Ongoing and pervasive.
reporting cycle, focused on
objective of audit opinion, usually
annually.
Focus Mainly historical. Historic, but ideally future focused.
Responsibility for None – duty to report control Fundamental to the purpose of internal
improvement weaknesses. auditing.
Status and authority Statutory and regulatory framework. International professional standards
and Corporate Governance Code.
Independence Professional ethical standards Professional ethical standards
overseen by audit committee and overseen by audit committee.
regulatory framework.
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
The Institute of Internal Auditors Philippines Inc. (IIAP) was registered with SEC in 1982 and
formerly known as The Institute of Internal Auditors, Inc. – Manila Chapter. It was founded on
August 14, 1948 by Mr. Santiago F. Dela Cruz Sr. along with a small group of accountants actively
engaged in the profession. Mr. Dela Cruz, who is considered to be the moving spirit of the association,
is the same man who, two years earlier than IIAP, co-established the Philippine College of Commerce
and Business Administration (PCCBA) which we now know as the University of the East.
** Experience can be in any of the following: Internal Audit, Quality Assurance, Risk Management, Audit/Assessment/Disciplines,
Compliance, External Audit, Internal Control
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
Program Requirements
Candidates in the CIA program agree to accept the conditions of the program, including eligibility
requirements, exam confidentiality, Code of Ethics, and Continuing Professional Education (CPE),
along with other conditions enacted by The IIA's Professional Certification Board (PCB).
Experience* X X 5 years IA X
experience or
equivalent**
CIA Exam
Once candidates have been accepted into the CIA program, they must pass all three CIA exam parts
within the program eligibility period.
Work Experience
Candidates may apply to the certification program and sit for exams prior to obtaining the required
work experience. However, candidates will not be certified until unless the experience requirement
is met within the program eligibility period. Experience for the CIA’s certification program is based
on the entry method (refer to the program requirements table above).
Internal Audit
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
Quality Assurance
Risk Management
Audit/Assessment/Disciplines
Compliance
External Audit
Internal Control
A charter provides the organization a blueprint for how internal audit will operate and helps the
governing body to clearly signal the value it places on internal audit’s independence.
Ideally it establishes reporting lines for the chief audit executive (CAE) that support that independence
by reporting functionally to the governing body (or those charged with governance) and administratively to
executive management. It also provides the activity the needed authority to achieve its tasks, e.g., unfettered
access to records, personnel, and physical properties relevant to performing its work.
The charter is a formal document approved by the governing body and/or audit committee (governing
body) and agreed to by management. It must define, at minimum:
Internal audit’s purpose within the organization.
Internal audit’s authority.
Internal audit’s responsibility.
Internal audit’s position within the organization.
The IIA has identified seven key areas that support the overall strength and effectiveness of the activity and
should be covered in the internal audit charter. While some internal audit charters may not include all of these
elements, any area the charter fails to address threatens to weaken it and, ultimately, the activity.
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
o A statement on the CAE’s functional and administrative reporting relationship in the
organization.
o A statement that the governing body will establish, maintain and assure that the internal audit
activity has sufficient authority to fulfill its duties by:
- Approving the internal audit charter.
- Approving a timely, risk-based, and agile internal
- audit plan.
- Approving the internal audit budget and resource plan.
- Receiving timely communications from the CAE on performance relative to its
internal audit plan.
- Actively participating in discussions about and ultimately approving decisions
regarding the appointment and removal of the CAE.
- Actively participating in discussions about and ultimately approving the remuneration
of the CAE.
- Making appropriate inquiries of management and the CAE to determine if there are
any inappropriate scope or resource limitations.
- Developing and approving a statement that the CAE will have unrestricted access to,
and communicate and interact directly with, the governing body without management
present.
- Developing and approving an authorization that the activity will have free and
unrestricted access to all functions, records, property, and personnel pertinent to
carrying out any engagement, subject to accountability for confidentiality and
safeguarding of records and information.
o A statement that the CAE will ensure that the internal audit activity remains free of conditions
that threaten the ability of the activity to carry out its activities in an unbiased matter. If
independence or objectivity is impaired in fact or appearance, the CAE will disclose the details
of the impairment to the appropriate parties.
o A statement that the internal audit activity will have no direct operational responsibility or
authority over any of the activities audited.
o A statement that if the CAE has or is expected to have roles and/or responsibilities that fall
outside of internal auditing, safeguards will be established to limit impairments to
independence and objectivity.
o A requirement for the CAE to confirm at least annually the independence of the internal audit
activity to the governing body.
o A statement that the scope of the internal audit activities encompasses, but is not limited to,
objective examinations of evidence for the purpose of providing independent assessments on
the adequacy and effectiveness of governance, risk management, and control processes.
o A statement that the CAE will report periodically to senior management and the governing
body on the results of its department and the work the activity performs.
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
- Communicating with senior management and the governing body the impact of
resource limitations on the plan.
- Ensuring the internal audit activity has access to appropriate resources with regard to
competency and skill.
- Managing the activity appropriately for it to fulfill its mandate.
- Ensuring conformance with IIA Standards.
- Communicating the results of its work and following upon agreed -to corrective
actions.
- Coordination with other assurance providers.
o A statement that the internal audit activity will maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity including its evaluation of
conformance to IIA Standards.
o A requirement for the CAE to report periodically the results of its quality assurance and
improvement program to senior management and the governing body and to obtain and
external assessment of the activity at least once every five years.
Depending on the structure, maturity, and resources of the function, internal auditors may perform some
or all of the following tasks.
Offer Insight and Advice – There are times when internal auditors’ expertise, knowledge of controls,
and broad perspective of the organization make them ideal candidates for consulting on a project to
ensure that risks are considered and controls are built into a process on the front-end (e.g., mergers
and acquisitions, new technology implementation). Internal auditors may offer insight regarding
strategic risks and advice, though management must maintain ultimate responsibility for the processes
in their area.
Evaluate Risks – Risks are everywhere (natural disasters, loss of key suppliers, reputation damage,
inefficient operations, fraud, lawsuits, policy violations, regulatory compliance, theft, etc.). It’s the
internal auditor’s job to assess the significance of the organization’s many risks and the effectiveness
of risk management efforts, communicate these to management and the board, and develop
recommendations to improve risk management.
Assess Controls – Internal auditors evaluate control efficiency and effectiveness and provide
management and the board assurance that the controls in place are adequate to respond to the risks that
threaten the organization.
Ensure Accuracy – Internal auditors ensure financial statement accuracy. They examine the reliability
and integrity of financial and operational information.
Improve Operations – With a solid understanding of the organization’s objectives, internal auditors
examine operations to determine whether they
are efficient and effective.
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
Promote Ethics – Professional internal auditors agree to abide by a Code of Ethics that upholds the
principles of integrity, objectivity, confidentiality, and competency. They raise red flags when they
discover improper conduct.
Review processes and Procedures – Internal auditors review operations closely and assess whether
existing processes are well designed to help the organization achieve its goals.
Monitor Compliance – Internal auditors assess the organization’s compliance with applicable laws,
regulations, and contracts to ensure that management is addressing these requirements adequately.
They also offer insight into the impact that noncompliance would have on an organization and inform
senior management and the board of noncompliance.
Assure Safeguards – The organization’s tangible property, human resources, and intellectual property
are valuable and must be guarded against potential damage. Internal auditors evaluate the procedures
used to safeguard assets from theft, fire, illegal activities, or other types of loss. They bring deficiencies
to light and make recommendations for enhanced protection.
Investigate Fraud – Because fraud can affect any level of the organization, it’s important that the
board of directors grants the internal audit function access to all records and authority to conduct audits
and investigate possible fraudulent behavior throughout the organization.
Communicate results – After auditing a particular area, internal auditors report their findings and
recommend appropriate courses of action.
Internal auditors are well-disciplined in their craft, and they are committed to growing and enhancing their
skills through continuing professional education. To fulfill all of their roles effectively, internal auditors must
be accomplished in anticipating emerging issues and creating solutions. They must also have business acumen,
critical thinking skills, and be excellent communicators who listen attentively, speak effectively, and write
clearly.
Through their varied roles and responsibilities, internal auditors provide the organization tremendous
value. They serve as the eyes and ears of senior management and the board. They are coaches, internal and
external stakeholder advocates, risk and control experts, efficiency specialists, fact-checkers, and problem-
solvers. They identify both risks and opportunities, and they tell it like it is.
It’s certainly not easy, but for these skilled and competent professionals, it’s all in a day’s work.
The Internal Audit (IA) function of the Abu Dhabi National Oil Company (ADNOC) is in the
fifth year of an ongoing and ambitious transformation program. In that time, the ADNOC IA function
has changed fundamentally from a fragmented set of Internal Audit departments in each of the group’s
operating companies to a centrally led function with standardized processes and an integrated vision
of risk assurance. Along the way it has made big strides in digitizing—and automating—audit
operations.
In addition to new efficiencies, the transformation has given IA capabilities it did not
previously possess. These include the conduct of rapid-fire audit reviews and the use of data analytics
to systematically deliver risk-related insights to group management. As a result, according to Ahmed
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
Abujarad, the Senior Vice President for Audit & Assurance, IA now enjoys an elevated status in
ADNOC as a trusted adviser to the business.
The journey
The transformation began in late 2016 and the challenge IA faced was formidable. “It was
perceived as a satellite organization distant from the business and its realities,” said Ahmed Abujarad,
ADNOC’s Senior Vice President for Audit & Assurance. “Its value proposition was either unknown
or misconceived. There were no synergies across the group’s companies, and no mandate to create a
common view of risk assurance.”
The transformation had to proceed, moreover, amidst a rapidly evolving risk environment.
Shifting energy business models and in recent times the global pandemic has required vigilant and
proactive assurance from IA while it’s undergone fundamental change.
The steps taken to date have helped ADNOC to accelerate audit cycle time and turn agile
auditing from concept to reality. Employing a dynamic, in-out approach, IA is now able, says Mr
Abujarad, to conduct quick, laser-focused reviews and deliver prompt audit advisories across its six
major risk pillars (strategic, financial, operational, IT, standards and regulatory, monitoring and
reporting).
Whether quick or in-depth, the audit reviews provide more insight to senior management than
had previously been the case, says Mr Abujarad. This is thanks in part to the full application since
2019 of data analytics to reviews. “Our audit reports now include analytical insights to help internal
clients take proactive as well as corrective actions”, he says. “Our findings and recommendations
include ‘hindsight’, ‘insight’ and ‘foresight’ perspectives.”
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
Challenges and lessons
Aside from the predictable difficulties associated with new technology deployment, ADNOC
IA has had to grapple with two major challenges during the course of its transformation. The toughest
of these, according to Mr Abujarad, has been building staff engagement in the project across the
group. ADNOC has taken several measures to address this, including establishment of a Group IA
Transformation Office as well as a Group Audit Council, consisting of IA leaders from all group
companies. “Change Champions” have also been nominated to explain and advocate for the changes
in their respective teams.
The experience of COVID-19 has provided an additional audit lesson relating to talent. The
crisis demonstrated the importance of employing what Mr Abujarad terms “soft controls”: monitoring
employee wellbeing and morale in IA and the entire company.
The other significant transformation challenge was the absence of any mechanism to measure
the value of audit delivery and IA’s overall impact in ADNOC. Now assisted by improved data
visibility and analytics capabilities, Mr Abujarad’s team has applied the concept of “Measurable
Value of Audit” (MVA) to identify hard monetary values for the modernized IA’s impact across the
business. These are agreed with the group’s senior management and then reported to them on a regular
basis. “This not only demonstrates our contribution to the organization’s bottom line”, he says, “but
it strengthens the perception of IA as a trusted advisor to the business.”
PwC’s perspective
ADNOC’s transformation of the Internal Audit function and the multitude of benefits they have
already reaped is a great inspiration for considering a review and complete transformation of your
own organization’s Internal Audit function.
Every Internal Audit function can move forward in the transformation journey. Some may go all in
with a full transformation, while others may adopt a more iterative approach depending on industry
regulations, the complexity and needs of their business, and how quickly the larger enterprise is
changing.
Assemble a strong team that's ready and excited to get started on your journey
Discover new capabilities and ideas for internal audit to drive value like never before
Choose ideas that would drive immediate impact with limited/no additional budget
Explore alternative models for sourcing talent and technology – run some pilots
Develop a roadmap for people-led, data-driven transformation
Share and celebrate your successes. Every small win builds momentum!
Transformation does take time and should be guided by a formal transformation plan and road
map that provides direction, purpose, and key tangible building blocks.
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]
However, a transformed internal audit function can become a catalyst for achieving deeper levels
of insight, provide more effective assurance for the management team and vastly improve the
organization’s broader risk capabilities.
V. Evaluation
1. What are the biggest challenges of ADNOC in transforming their Internal Audit, if any? And
why so?
2. What are the benefits derived from improving their Internal Audit?
3. How did technology affected internal audit implementation?
VI. References
Cabrera, M. E. (2021). Corporate Governance, Business Ethics, Risk Management and Internal
Control. Manila, Philippines: GIC Enterprises & co., Inc.
SM Baliwag Complex, Dona Remedios Trinidad Highway, Brgy. Pagala, Baliwag, Bulacan
(+63) 927-533-0342 – (+63) 923-949-5265 [email protected]