
Is Internal Audit mandatory for listed entities on Bursa Malaysia?

The Bursa Malaysia Listing Requirements stipulate the following:

  • 15.27 Internal audit
    1. A listed issuer must establish an internal audit function which is independent of the activities it audits.
    2. A listed issuer must ensure its internal audit function reports directly to the Audit Committee.

The Malaysian Code of Corporate Governance 2012 also stipulates:

  • Recommendation 6.2: The board should establish an internal audit function which reports directly to the Audit Committee.

What is internal auditing?

The globally accepted definition of internal auditing, as prescribed by The Institute of Internal Auditors (Global IIA), is as follows:

"Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

What is the benefit/advantage of being an internal auditor?

Some of the benefits and advantages of being an internal auditor include:

  • A good training ground for future business leaders.
  • Working across all areas of an organisation, and gaining a more holistic view of the organisation’s operations.
  • Internal auditors are well compensated and highly sought after, especially if they have the relevant certifications such as Certified Internal Auditor (CIA), Certification in Risk Management Assurance (CRMA), Certified Financial Services Auditor (CFSA), Certification in Control Self-Assessment (CCSA), etc.

Is there any license that needs to be obtained from IIA Malaysia to provide IA services?

IIA Malaysia does not issue any licences and there is no such requirement.



Are there any standards/guidance for the Internal Audit (IA) profession?

The Global IIA is the IA profession's acknowledged leader, recognised authority, and principal educator. The Global IIA provides comprehensive guidance for the IA profession through its International Professional Practices Framework (IPPF).

The Global IIA enhanced the existing IPPF in July 2015 by including a Mission of Internal Audit statement to support the internal audit profession, as well as Core Principles for the Professional Practice of Internal Auditing describing internal audit effectiveness in support of the Standards and Code of Ethics. The IPPF is divided into mandatory and recommended guidance as follows:

Mandatory Guidance

  • Core Principles for the Professional Practice of Internal Auditing
  • Definition of Internal Auditing
  • Code of Ethics
  • International Standards for the Professional Practice of Internal Auditing (Standards)

Recommended Guidance

  • Implementation Guidance (replaces all existing Practice Advisories)
  • Supplemental Guidance (All Practice Guides, Global Technology Audit Guides [GTAGs], and Guides to the Assessment of IT Risks [GAIT] automatically become part of the recommended Supplemental Guidance).

To learn more about the new IPPF, visit www.theiia.org/goto/IPPF.

Is there any model IA Charter available for reference?

There is a Model IA Charter released by The Global IIA, which describes the following:

  • Role and Responsibilities
  • Independence and Objectivity
  • Internal Audit (IA) Plan
  • Reporting and Monitoring
  • Quality Assurance And Improvement Program

You may download the model IA Charter at: Click here

Is there any model Audit Committee (AC) Charter/Terms of Reference available for reference?

There is a Model Audit Committee (AC) Charter released by The Global IIA, which describes the following:

  • Purpose
  • Authority
  • Composition
  • Meetings
  • Responsibilities

You may download the model AC Charter at: Click here

Is there any IA Competency Framework available for reference?

There is an IIA Global Internal Audit Competency Framework that was released in 2014. This tool defines the competencies needed to meet the requirements of the IPPF for the success of the internal audit (IA) profession. The Framework outlines the 10 core competencies recommended for each broad job level, namely IA staff, IA management, and the chief audit executive. Each core competency is supported by a list of more detailed competencies that further define the core competency statement.

You may download the IIA Global Internal Audit Competency Framework at: Click here

What is COSO?

COSO, the Committee of Sponsoring Organisations of the Treadway Commission, is a committee established in 1985 to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organisational performance and governance and to reduce the extent of fraud in organisations.

The latest Internal Control – Integrated Framework was updated in May 2013. The COSO Framework helps businesses and other entities assess and enhance their internal control systems. It is recognised as a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control. There are five COSO components, namely Control Environment, Risk Assessment, Information and Communication, Control Activities and Monitoring Activities. Please refer to some of the COSO publications for a better understanding of how the COSO components are applied and practised within an organisation. Please visit COSO’s website for more information: Click here

How to obtain IA reading materials?

IIA Malaysia has a Resource Centre that is accessible to its members. The Resource Centre is open from Monday to Friday between 9.00am and 5.30pm. IIA Malaysia also sells publications related to Governance, Risk, Control (GRC) and examination-related books, i.e. CIA, CRMA, CFSA, CCSA, etc.

To browse the list of the books, please click on the following link: Click here

What is Global Audit Information Network® (GAIN®)?

The Global Audit Information Network® (GAIN®) Annual Benchmarking Study allows you to benchmark your IA department easily, affordably, and transparently. It lets you compare your audit department's size, experience, and other metrics against the averages of similar organisations in peer groups that you choose. Metrics include:

  • Organisational statistics.
  • Department staffing and costs.
  • Oversight including Audit Committee information.
  • Operational measures including audit lifecycles.
  • Performance measures.
  • Risk assessment and audit planning information.

Please click on this link for more information: Click here


How do internal auditors and external auditors differ? Should internal auditors and external auditors be working together?

Internal auditors report independently to the Audit Committee, and the Board (if necessary), and are employees of the organisation. They are not obliged to report the results of their work to the public. In contrast, external auditors are independent of the organisation, and provide an opinion on the state of the financial statements annually. Both professions adhere to codes of ethics and professional standards set by their respective professional associations. However, there are major differences with regard to their relationships to the organisation, scope of work and objectives.

Objective

  • Internal Auditor: Determined by professional standards, the Audit Committee (AC) and consultation with management.
  • External Auditor: Objectives are set primarily by statutory requirement and applicable financial reporting standards.

Client

  • Internal Auditor: Primary clients are the management and the AC.
  • External Auditor: Primary client is the shareholders.

Scope of work

  • Internal Auditor:
    • They serve the organisation by helping it accomplish its objectives, and improving operations, risk management, internal controls, and governance processes.
    • Concerned with all aspects of the organisation, both financial and nonfinancial. The internal auditors focus on future events as a result of their continuous review and evaluation of controls and processes.
    • They also are concerned with the prevention of fraud in any form.
  • External Auditor:
    • They provide an independent opinion on the organisation's financial statements, annually.
    • They assess whether the financial statements prepared by the organisation conform with generally accepted accounting principles, whether they fairly present the financial position of the organisation, whether the results of operations for a given period of time are accurately represented, and whether the financial statements have been materially affected.

The work of the internal and external auditors should be coordinated for optimal effectiveness and efficiency. The internal and external auditors should meet periodically to discuss common interests and to benefit from their complementary skills and areas of expertise. In fulfilling its oversight responsibilities for assurance, the board should require coordination of internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process.

How to set Key Performance Indicators (KPI) or assess the performance of an IA function?

The Practice Guide on ‘Measuring Internal Audit Effectiveness and Efficiency’ helps internal auditors measure their effectiveness and efficiency by providing guidance on establishing a performance measurement process, identifying key performance measures, and monitoring and reporting on the level of customer service provided to internal audit (IA) stakeholders. Appendix C of this Practice Guide lists examples of IA effectiveness and efficiency metrics.

Another reference is Bursa Malaysia’s Corporate Governance Guide - Towards Boardroom Excellence (2nd Edition). Evaluation of IA is covered in Paragraph 8.4 (page 113), which provides the Audit Committee with an IA Function Evaluation Checklist (Exhibit 13).

Do internal auditors use tools and technology, such as data analysis to perform the audits?

Standard 1220.A2 in the IPPF requires internal auditors to consider the use of technology-based audits and other data analysis techniques in exercising due professional care. The Practice Guide entitled ‘Global Technology Audit Guide (GTAG) 16: Data Analysis Technologies’ guides internal auditors on the use of data analysis.

Is the preparation and review of the Statement on Risk Management and Internal Control (SORMIC) part of the internal auditors’ responsibility?

The entire annual report is the responsibility of the Board and the management. It is not the responsibility of the internal auditors to prepare SORMIC. However, some audit committees require the internal audit function to review the statement to ascertain whether the disclosures in the said statement are consistent with their understanding of the processes implemented by management.

How often should an Internal Audit (IA) function have an external Quality Assessment (QA)?

IPPF Standard 1312 on External Assessments states clearly that external assessments must be conducted at least once every 5 years by a qualified, independent assessor or assessment team from outside the organisation.

What is the implication if an organisation does not perform an external assessment (QA) as required by the Standards?

In the event that no Quality Assessment (QA) is conducted on the IA function as required by Standard 1312 in the IPPF, the internal audit activity cannot state that it is in conformance with the Standards (IIA’s International Standards for the Professional Practice of Internal Auditing).



What is ‘consulting services’?

The IPPF defines Consulting Services under the glossary as below:

"Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organisation’s governance, risk management and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training."

Is there any specific mandate needed to be included in the audit charter in conducting consulting services?

Yes, as stated under Standard 1000.C1 in the IPPF, the nature of consulting services must be defined in the internal audit charter.

What is the degree of the client's involvement in setting the scope/agreement on the scope etc.? If there is non-agreement on the scope, what is the action to be taken?

Consulting services are agreed collaboratively through a joint discussion between the Managers and the Chief Audit Executive (CAE). However, if there is any disagreement (on the scope suggested or if the internal auditors are not well equipped with relevant skills), the CAE may seek the advice of the Audit Committee.

Can an internal auditor provide consulting services for the areas that they have previously audited?

Based on Standard 1130.C2 in the IPPF, consulting services can be provided for the areas that the auditor has previously audited, provided there is no impairment to his/her independence or objectivity.