The Essential Guide to Internal Auditing, 2nd Edition


In recent years the field of internal auditing has undergone significant changes. Auditors no longer spend all of their time preparing detailed reports on low-level problems for junior operational managers; instead they focus on the high-level risks to organizations and present their findings to executive boards and audit committees. They are expected to work with and alongside busy managers to enable them to identify and manage risks to their organizations, while retaining a degree of independence so as to ensure the professional scepticism so essential to the audit role.

Previously published as The Essential Handbook of Internal Auditing, this book has been completely revised to comply with the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing, released during 2009. Drawing on his extensive experience of internal audit, K.H. Spencer Pickett clarifies the new audit context and shows how this context fits into the wider corporate governance, risk management and internal control arenas, providing a comprehensive guide to the theory and practice of internal auditing.


  • Covers the new standards for internal audit issued by the IIA.
  • Defines the new role of auditors in corporate governance, risk management and internal controls.
  • Provides practical advice on the essentials of auditing, including professional standards, different audit approaches, the management of internal audit, planning, performing and reporting audit work, and specialist areas such as fraud and information system (IS) auditing.
  • Is supported by a book companion web site at

K.H. Spencer Pickett has an international reputation as a leading author on the subject of internal auditing and specializes in the development of E-learning resources.
List of Abbreviations.

1 Introduction.


1.1 Reasoning behind the Book.

1.2 The IIA Standards and Links to the Book.

1.3 How to Navigate around the Book.

1.4 The Essential Guide as a Development Tool.

1.5 The Development of Internal Auditing.

Summary and Conclusions.


2 Corporate Governance Perspectives.


2.1 The Agency Model.

2.2 Corporate Ethics and Accountability.

2.3 International Scandals and Their Impact.

2.4 Models of Corporate Governance.

2.5 The Institute of Internal Auditors.

2.6 The External Audit.

2.7 The Audit Committee.

2.8 Internal Audit.

2.9 The Link to Risk Management and Internal Control.

2.10 Reporting on Governance, Risk and Internal Controls.

2.11 New Developments.

Summary and Conclusions.


3 Managing Risk.


3.1 What is Risk?

3.2 The Risk Challenge.

3.3 Risk Management Process.

3.4 Mitigation through Controls.

3.5 Risk Registers and Appetites.

3.6 The Risk Policy.

3.7 Enterprise-Wide Risk Management.

3.8 Control Self-Assessment.

3.9 Embedding Risk Management.

3.10 The Internal Audit Role in Risk Management.

3.11 New Developments.

Summary and Conclusions.


4 Internal Controls.


4.1 Why Controls?

4.2 Control Framework – COSO.

4.3 Control Framework – CoCo.

4.4 Other Control Models.

4.5 Links to Risk Management.

4.6 Control Mechanisms.

4.7 Importance of Procedures.

4.8 Integrating Controls.

4.9 The Fallacy of Perfection.

4.10 The Complete Control Model.

4.11 New Developments.

Summary and Conclusions.


5 The Internal Audit Role.


5.1 Defining Internal Audit.

5.2 The Four Main Elements.

5.3 The Audit Charter.

5.4 Audit Services.

5.5 Independence.

5.6 Audit Ethics.

5.7 Police Officer versus Consultant.

5.8 Managing Expectations through Web Design.

5.9 Audit Competencies.

5.10 Training and Development.

5.11 New Developments.

Summary and Conclusions.


6 Professionalism.


6.1 Audit Professionalism.

6.2 Internal Auditing Standards.

6.3 Due Professional Care.

6.4 Professional Consulting Services.

6.5 The Quality Concept.

6.6 Supervision.

6.7 Internal Review.

6.8 External Reviews.

6.9 Marketing the Audit Role.

6.10 Creating the Audit Image.

6.11 New Developments.

Summary and Conclusions.


7 The Audit Approach.


7.1 The Risk-Based Systems Approach.

7.2 Control Risk Self-Assessment (CRSA).

7.3 The CRSA Process.

7.4 Integrating Self-Assessment and Audit.

7.5 Fraud Investigations.

7.6 Information Systems Auditing.

7.7 Compliance.

7.8 Value for Money (VFM).

7.9 The Consulting Approach.

7.10 The ‘Right’ Structure.

7.11 New Developments.

Summary and Conclusions.


8 Setting an Audit Strategy.


8.1 Risk-Based Strategic Planning.

8.2 Resourcing the Strategy.

8.3 Managing Performance.

8.4 The Auditor Appraisal Scheme.

8.5 Methods of Staff Appraisal.

8.6 The Audit Manual.

8.7 Time Monitoring System.

8.8 Audit Planning Process.

8.9 The Annual Audit Plan.

8.10 The Quarterly Audit Plan.

8.11 New Developments.

Summary and Conclusions.


9 Audit Fieldwork.


9.1 Planning the Audit.

9.2 Interviewing Skills.

9.3 Ascertaining the System.

9.4 Evaluation.

9.5 Testing Strategies.

9.6 Evidence and Working Papers.

9.7 Statistical Sampling.

9.8 Audit Testing and Statistical Sampling.

9.9 Reporting Results of the Audit.

9.10 Structuring the Audit Report.

9.11 Audit Committee Reporting.

9.12 New Developments.

Summary and Conclusions.


10 Meeting the Challenge.


10.1 The New Dimensions of Internal Auditing.

10.2 The Audit Reputation.

10.3 Globalization.

10.4 Providing Audit Assurances.

10.5 Meeting the Challenge.

Summary and Conclusions.


Appendix A Auditing the Risk Management Process: A Case Study.