FAQs on Internal Audit

Crowe Vietnam has compiled a set of frequently asked questions (FAQs) about internal audit, along with expert answers provided by our experienced professionals. This resource offers you practical, valuable insights to help ensure strict compliance with both Vietnamese and International Internal Audit Standards.


A. Overview of internal audit

1. What is internal audit?

The concept of “internal audit” is not clearly defined in Decree 05/2019/NĐ-CP, so we refer to the Vietnamese translation of the definition by the Institute of Internal Auditors (IIA) as follows:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Key points to note from this definition:

  • Internal audit is an independent and objective assurance & consulting activity related to governance, risk management, and control, supporting the organization in achieving its objectives. To ensure independence and objectivity, the internal audit function typically reports directly to the highest governing body (which includes independent and non-executive members). Depending on the organizational model, this could be the Supervisory Board (under the General Meeting of Shareholders), the Audit Committee (under the Board of Directors), or the Members’ Council.
  • Internal audit must create added value for the organization (the benefits of internal audit should outweigh its costs) and improve operational effectiveness and efficiency.
  • Internal audit follows a systematic and disciplined approach. Its working processes, execution programs, assessments, and conclusions must be logically and coherently linked.

Although Decree 05/2019/NĐ-CP does not provide a definition like the IIA, Article 4 describes the objective of internal audit as follows:

“Through inspection, evaluation, and advisory activities, internal audit provides independent, objective assurance and recommendations on:

  • Whether the internal control system is adequately designed and operating effectively to prevent, detect, and address the entity’s risks.
  • Whether governance and risk management processes ensure effectiveness and high efficiency.
  • Whether operational and strategic objectives, plans, and tasks are being achieved.”

Based on this description, we can conclude that the concept of internal audit in Vietnam is broadly aligned with the IIA’s international definition.

2. Purpose, authority, and responsibilities of internal audit

Purpose: Internal audit aims to create value and improve the organization’s operations.

Authority: To fully perform its duties, the internal audit function must have:

  • The right to access relevant documents, people, and assets necessary for its work.
  • The right to report and communicate directly with the highest governing body regarding work plans, findings, and obstacles encountered during execution, ensuring timely and adequate support.

These rights must be clearly stipulated in the organization’s internal audit charter so that all departments understand and comply. Additionally, the internal audit function should be organizationally independent, meaning it reports to the highest governing body (which includes independent and non-executive members), such as the Supervisory Board, Audit Committee, or Members’ Council, depending on the company’s structure.

Responsibilities (Duties): Internal audit is responsible for organizing and carrying out independent, objective assurance and consulting activities related to governance, risk management, and internal control, thereby contributing to the achievement of the company’s objectives (strategic, operational, financial, and compliance-related).

From a legal standpoint, the rights and responsibilities of the internal audit function are also clearly set out in Decree 05/2019/NĐ-CP. Companies must understand these provisions when developing their own internal audit charters to ensure full compliance.

1. How to distinguish between Internal Audit and Independent Audit?

Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by applying a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (Source: IIA)

Independent audit refers to the work conducted by practicing auditors, audit firms, or branches of foreign audit firms in Vietnam, who examine and provide their independent opinions on financial statements and other audit tasks under audit contracts.

Based on these definitions, internal audit and independent audit can be distinguished by the following key points:

1.1. Regarding the primary audience for the audit reports:

  • Internal audit: The primary users are the organization’s top leadership, who seek to improve operations and add value to the business.
  • Independent audit: The primary users are external stakeholders, such as investors, partners, banks, and regulatory authorities, who require third-party assurance (provided by a licensed audit professional) on the company’s financial statements.

1.2. Regarding the audited subjects:

  • Internal audit: Focuses mainly on corporate governance, risk management, and internal control activities within the organization; it may also cover external entities if agreed upon by stakeholders.
  • Independent audit: Focuses mainly on the company’s financial statements.

1.3. Regarding the function and nature of work:

  • Internal audit: Includes both assurance activities and advisory/consulting services.
  • Independent audit: Primarily provides assurance services; while independent auditors may offer recommendations to the company, these are considered added value during the audit process and are not part of the core function.

Corporate Governance, Risk Management, and Internal Control as referenced in the definition of Internal Audit – what do they mean?

These three governance-related activities are not completely independent from one another; rather, they are closely interconnected and together aim toward the ultimate goal of providing reasonable assurance that the organization’s objectives will be achieved. The quality (performance) of one affects the quality of the others and vice versa.

  • Effective corporate governance creates favorable conditions and an enabling environment for effective risk management and internal control.
  • Effective risk management enhances the effectiveness of corporate governance and guides internal control in the right direction, ensuring appropriate resource allocation.
  • Effective internal control supports risk management and corporate governance in achieving objectives more easily.

Let’s break this down further.

Corporate Governance

Corporate governance refers to the activities performed by an organization’s highest governing body to communicate, direct, manage, and oversee operations to achieve the set organizational objectives.

Key activities of corporate governance include:

  • Defining core elements such as mission, objectives, risk appetite, business model, core values, and codes of conduct for stakeholders (including shareholders, employees, government, legal authorities, partners, customers, suppliers, the public, and the community).
  • Establishing an organizational structure (defining authority, functions, and responsibilities of each governance role), governance policies, and processes to ensure the achievement of mission and objectives within the set risk appetite, values, and codes of conduct; approving personnel aligned with the organizational structure.
  • Overseeing the implementation of the organizational structure, governance policies, and processes to ensure deviations are promptly corrected.
  • Overseeing the development and maintenance of an organizational culture aligned with the company’s core elements and its development stage.
  • Developing corporate strategy, creating implementation plans, monitoring departmental execution, and adjusting when necessary.
  • Monitoring the achievement of annual business objectives.
  • Overseeing the enterprise-wide risk management and internal control activities.
  • Engaging with independent evaluators, such as internal and external auditors, to support oversight functions.

For specific authority and functions of governance roles (such as the General Assembly of Shareholders, Board of Supervisors, Board of Directors, Audit Committee, Executive Board, etc.), companies should refer to the Law on Enterprises but may also adapt these to fit their unique requirements.

Risk Management

Risk management is the process of identifying, assessing, and responding appropriately to risks (the likelihood of significant undesirable events) to provide reasonable assurance of achieving organizational objectives.

Key steps:

Step 1: Establish the context

Identify relevant contexts such as:

  • Legal and regulatory frameworks
  • Market (interest rates, exchange rates, pricing, market share)
  • Technology
  • Finance
  • Business processes
  • Departments/units
  • … 

Step 2: Identify risks

Use methods such as:

  • Reviewing event lists relevant to the context
  • Conducting surveys/interviews
  • Analyzing indicators or early warning signs
  • Reviewing processes to spot vulnerabilities (what could go wrong?)
  • Analyzing historical losses
  • Conducting SWOT analyses
  • Using hypothetical scenarios
  • …  

Step 3: Assess risks and prioritize

Risk assessment needs to comprehensively consider two factors: (1) level of impact, (2) likelihood of occurrence. Depending on the situation, you may consider using a qualitative assessment method (using a matrix table where each column represents one factor with varying levels for each) or a quantitative method (using scoring and corresponding weightings for each factor). The consolidated assessment results will be used to analyze and rank priorities when allocating limited resources (time, people, budget) to address the risks.

Risk assessment is only relative; it largely depends on the subjective judgment of the evaluators (based on their relevant knowledge and experience).

Step 4: Responding to critical risks

After identifying the high-priority critical risks to be addressed, the company needs to carefully consider the following risk response strategies and select the ones that best fit its “risk appetite” and available resources.

  • Risk elimination: This option means completely abandoning the activities/divisions that generate the risk. Example: if the foreign exchange risk from a certain business operation is too high, the company may choose to sell that operation to eliminate the risk.
  • Risk acceptance: This option means the company accepts the risk and does not invest resources in any further response, believing that this is the optimal approach.
  • Risk reduction: With this option, the company will invest resources to implement related control procedures aimed at reducing the risk to an acceptable level.
  • Risk sharing: The company transfers potential losses to another party through means such as purchasing insurance contracts, entering into hedging agreements, outsourcing, joint ventures, etc.

Once the risk response strategies are selected, they will be assigned to the relevant departments for implementation.

The decision on which risk response to choose depends on factors such as (1) the company’s risk appetite, (2) the feasibility of each option under the specific conditions, (3) implementation costs (which must be lower than the value generated to be worthwhile), and (4) the company’s goals and development strategy.

Step 5: Risk monitoring

At this stage, the following procedures need to be carried out:

  • Continue monitoring the identified risks to see if there are any changes.
  • Evaluate the implementation of response strategies for critical risks, and assess the level of residual risk after implementing the response measures to determine whether it is at an acceptably low level and aligned with the company’s risk appetite.
  • Continue reviewing and assessing any newly emerging risks.

Roles of positions within the organizational structure in risk management activities:

  • Board of Directors / Members’ Council: Approves risk management policies and procedures. Oversees and evaluates overall implementation to ensure the policies and procedures are effectively applied. Adjusts and intervenes when signs of deviation are observed. This role can be delegated by the Board of Directors / Members’ Council to the Risk Committee.
  • Executive Management: Responsible for organizing and implementing all risk management activities in accordance with the approved policies and procedures.
  • Internal Audit: Responsible for providing independent and objective assurance and advisory opinions on these activities to help ensure they achieve the intended objectives.

Internal Control

Internal control (the internal control system) refers to a set of control procedures designed and operated to help reduce the likelihood of serious undesirable events (identified risks) to an acceptable level (based on the results of the risk management process).

Control procedure refers to any activity undertaken to reduce the likelihood of serious undesirable events (identified risks), thereby increasing the likelihood of achieving set objectives.

Types of control procedures:

  • Preventive control procedures: These aim to prevent undesirable events from occurring. Example: using a locked safe to store cash, requiring sufficiently strong passwords when logging into the system, requiring higher-level approval for transactions exceeding a certain threshold, etc.
  • Detective control procedures: These aim to alert relevant parties about undesirable events so that timely corrective action can be taken before the situation becomes severe or worsens. Example: counting and reconciling cash in the safe against the records, automated system alerts sent to relevant individuals when abnormal access attempts are detected, etc.
  • Corrective control procedures: These aim to eliminate the negative impacts of undesirable events so that the overall impact does not exceed the allowable threshold. Example: If expenses have already exceeded a certain threshold, subsequent transactions must be reviewed and adjusted to ensure that the total expenses do not exceed the approved budget.
  • Directive control procedures: These help relevant individuals improve their awareness and skills, thereby reducing the likelihood of undesirable behaviors or events. Example: issuing sufficiently detailed user manuals, providing effective internal training, providing specific job descriptions, etc.

In addition to the above classifications, depending on the specific situation, control procedures can also be classified as follows:

  • Key controls / supplementary controls: “Key” means the procedures themselves can stand alone to ensure the set objective; “supplementary” means the procedure can only play a supporting or additional role to another procedure and cannot function alone.
  • Manual controls / automated controls: “Manual” means performed by humans through their senses and judgment, so the quality can vary depending on human-related factors such as mood, health, stress, mindset, time, personality, risk… “Automated” means performed by machines through pre-programmed instructions, so they are not affected by human factors; however, they have other potential disadvantages, such as rigidity, lack of flexibility when needed, or systemic impact if an error occurs, and they may be subject to unauthorized tampering (hacking).
  • Controls for individual transactions / groups of transactions: Some controls are performed on each transaction, but others must be applied to groups of transactions because the processing workflow only allows for control over batches (e.g., transactions grouped by day/week/month).
  • General IT controls / application-specific controls: General IT controls apply across the entire IT environment, while application controls are designed specifically for individual applications.

Steps of a control procedure:

To ensure effectiveness, a control procedure needs to include the following steps:

  • Establish standards for the object to be controlled
  • Check and compare the criteria against the established standards
  • Verify and analyze the differences/variances (if any)
  • After accurately and fully identifying the differences/variances, notify the relevant parties and implement necessary adjustments (if possible)
  • Reassess the established standards (based on the findings obtained) to determine whether further adjustments are needed to reduce risks even more

The relationship between Risk and Control Procedures

  • A single risk, depending on the specific situation and the influence of various related factors, may need to go through multiple control procedures before it can be reduced to an acceptable level for the business.
  • A single control procedure can simultaneously be effective against multiple different risks. It is essential that the cost of implementing a control procedure is lower than the potential loss caused by the risk; if the cost of implementation is higher, then carrying out the control procedure no longer holds meaningful value and may even hinder the operations of the business.

Control Environment: reflects the attitudes and behaviors of the company’s top leadership and executive management regarding the importance of control activities within the organization. A strong control environment helps spread and enhance the sense of discipline and risk control among all members of the organization, thereby creating favorable conditions for control procedures to be properly established and effectively implemented as intended.

The control environment of an organization is reflected through the following factors:

  • Integrity and ethical values related to risk control awareness: How does the organization demonstrate its respect for these ethical values through company documents, communication activities, and the attitudes and behaviors of the company’s leadership?
  • Leadership philosophy and style of the company’s executives: Do the top leaders have a leadership philosophy and style that align with the company’s ethical values? Are they consistent, and do they truly set an example for employees?
  • Organizational structure: Is it appropriate for the business model and nature of operations? An inappropriate organizational structure will reduce the effectiveness of control procedures.
  • Assignment of functions and authorities: Are the functions and authorities of each position related to internal control clearly, thoroughly, and appropriately defined?
  • Human resources policies: Are compliant behaviors recognized, encouraged, and highly evaluated? Are non-compliant behaviors subject to appropriate sanctions?
  • Competence of related personnel: An environment with many competent and suitable personnel will create a positive influence on many others within the organization.

The roles of positions within the organizational structure in risk management activities:

  • Board of Directors / Members’ Council: Oversees and assesses the overall internal control activities and makes adjustments/interventions when signs of deviation are detected. This role may be delegated by the Board of Directors / Members’ Council to the Risk Committee for execution.
  • Executive Management (Board of Management): Responsible for organizing, guiding, and implementing internal control activities across all departments of the company, ensuring that risks (as assessed by the risk management activities) are controlled within acceptable levels.
  • Internal Audit: Responsible for providing independent and objective assurance and consulting opinions on these activities to help ensure that they achieve their intended goals.

What types of internal audit reports are there? What do they include? Who are they submitted to?

Based on the provisions of Article 16 and Article 17 of Decree 05/2019/ND-CP dated January 22, 2019, there are the following types of reports issued by the Internal Audit Department, with the key contents outlined below:

Internal audit report for each audit conducted during the year: includes the following contents:

  1. Audit subject;
  2. Audit scope;
  3. Assessments and conclusions on the audited subject and the basis for these opinions;
  4. Weaknesses, existing issues, errors, violations, recommendations for corrective actions, remediation, and handling of violations;
  5. Proposals for process rationalization and improvements;
  6. Recommendations for improving risk management policies, organizational structure of the unit (if applicable);
  7. Opinions of the management of the audited department/unit. In case the audited department/unit disagrees with the audit results, the internal audit report must clearly state the disagreement and the reasons;
  8. Signature of the Audit Team Leader or Audit Group Leader or the person in charge of the audit.

In the case of outsourcing internal audit services, the audit report must at least include the signature of the legal representative or an authorized person and the stamp (if any) of the service provider. Additionally, the audit report may include the signatures of other relevant individuals from the service provider depending on the agreement between the parties.

Special (ad-hoc) audit report is prepared for audits conducted upon request or when there are indications of violations or high-risk signs at audit subjects. The contents are presented similarly to the internal audit report for each audit mentioned above.

Annual internal audit report is the report summarizing the results of the implementation of the internal audit plan of the previous year and must clearly state the following contents:

  1. The planned audit schedule;
  2. The audit work that has been completed;
  3. Major issues and violations that have been identified;
  4. Measures recommended by the internal audit;
  5. Evaluation of the internal control system related to the audited activities and proposals for improving the internal control system;
  6. The status of implementation of the measures, recommendations, and proposals made by internal audit;
  7. Signature of the head of internal audit.

The International Standards for the Professional Practice of Internal Auditing (Standards) issued by the Institute of Internal Auditors (IIA) do not classify reports in the same way as above, but they do provide regulations and guidelines on presenting the work results of the internal audit function (referred to as “Audit/Consulting Engagement Results Report”) in the following sections:

  • 2400 – Communicating Results
  • 2410 – Criteria for Communicating
  • 2420 – Quality of Communications
  • 2421 – Errors and Omissions
  • 2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
  • 2431 – Engagement Disclosure of Nonconformance
  • 2440 – Disseminating Results
  • 2450 – Overall Opinions

Internal audit reports within the enterprise are submitted to:

(1) the direct superior (for listed companies, this is the Supervisory Board or the Board of Directors (including independent and non-executive members)),

(2) executive management (Chairman of the company, General Director/Director),

(3) other recipients as specified in the company’s internal audit charter (see also Article 16, Decree 05/2019/NĐ-CP dated January 22, 2019).

The internal audit charter is a document that stipulates the following contents:

  • The purpose, authority, function, responsibilities, scope of internal audit activities, and audit methodologies.
  • The authority, functions, and responsibilities of the head of internal audit and internal auditors.
  • The responsibilities of related departments.
  • Requirements regarding independence, objectivity, professional ethics, and audit quality.

The internal audit charter must be approved by the highest governing body of the enterprise (for listed companies, this is the Supervisory Board or the Board of Directors (with independent and non-executive members)) to ensure organizational independence for the internal audit function.

The enterprise’s internal audit charter must comply with the relevant provisions outlined in Decree 05/2019/NĐ-CP, but it can be supplemented and adjusted to suit the enterprise’s specific characteristics and requirements.

At present, organizations can refer to Circular 66/2020/TT-BTC dated July 10, 2020, under which the Ministry of Finance issued the Sample Internal Audit Charter, as a reference when developing their own internal audit charter, ensuring compliance with Decree 05/2019/NĐ-CP, current legal regulations, and the organization’s structure and operations.

Additionally, enterprises can engage companies that provide internal audit services to assist in drafting this charter to ensure the highest quality from the outset.

Internal audit procedures: These are detailed regulations and guidelines on preparing the annual internal audit plan, planning each specific audit, conducting audit tasks, preparing and delivering audit reports, monitoring post-audit corrections, following up on audit recommendations, and maintaining internal audit records and documentation.

This document must also be approved by the same governing body that approves the Internal Audit Charter.

This document serves as a handbook for internal audit team members to use and comply with, ensuring consistent and required audit quality.

Internal audit methodology: This refers to the “risk-based approach” (according to Decree 05/2019/NĐ-CP and international best practices), specifically reflected as follows:

  • The annual internal audit plan must be developed based on risk assessment results to prioritize and focus resources on auditing units, departments, and processes assessed as having high risk levels, and it must be updated, adjusted, and modified according to operational changes and accompanying risk changes.
  • For each specific audit, the scope of review is also based on risk assessment; therefore, assurance opinions will be at a reasonable, acceptable level rather than absolute assurance.

What is the current status of Internal Audit activities at listed enterprises in Vietnam? What are the difficulties or obstacles?

Through our examination of internal audit practices at various listed companies on Vietnam’s stock market and observations regarding the overall state of businesses today, we have several key insights:

1. Most enterprises have not clearly defined the role of the internal audit department within their organizational structure. However, based on publicly available documentation, internal audit functions are still carried out, but by other departments such as Supervisory Boards, Risk Management Committees, or Audit Sub-committees. This situation stems from the lack of mandatory regulations to establish internal audit departments prior to Decree 05 coming into effect, resulting in companies creating these units primarily from their internal needs.

2. Many enterprises remain reluctant to voluntarily adopt proper internal audit practices due to several reasons:

  • Enterprises do not fully understand internal auditing (its objectives, responsibilities, and operational methods) and thus fail to appreciate its true value compared to the costs involved. Consequently, there is insufficient motivation to dedicate the required time, finances, and human resources. Some enterprises perceive internal audit functions as overlapping with responsibilities already managed by other departments, thus seeing little need for a distinct internal audit department.
  • Enterprises resist altering their established management practices and systems, hesitant to abandon familiar approaches.
  • Senior management may harbor implicit personal interests, making them reluctant to grant internal audit full authority and responsibilities.
  • Enterprises lack confidence that they have the resource capacity to implement internal audit practices effectively and ensure tangible benefits for the organization.

3. Even for enterprises voluntarily establishing internal audit departments, the execution of internal audit activities remains limited in terms of quality and scope compared to international standards and practices.

The primary reasons behind these issues include an inadequate environment for developing internal audit activities, characterized by: (1) insufficient guidance and support from governmental and professional bodies, (2) absence of formally issued standards and guidelines, (3) a limited and inexperienced internal auditor community, and (4) a shortage of suitably trained personnel.

However, based on our observations and given current trends, we believe these issues will gradually improve. Draft regulations related to internal auditing are soon to be issued and disseminated widely; regulatory bodies and investors are beginning to impose stricter internal audit requirements; professional associations and training institutions are increasingly active in Vietnam; enterprises are becoming more aware of the importance and value of internal auditing; and the internal auditor community is steadily developing and expanding.

1. Which enterprises are legally required to implement internal auditing activities?

According to Article 10 of Decree 05/2019/ND-CP, the following entities must implement internal audit activities:

a) Listed companies;

b) Enterprises where the state owns more than 50% of charter capital, operating under the parent-subsidiary model;

c) State-owned enterprises operating under the parent-subsidiary model.

Enterprises not listed above are encouraged to implement internal audit activities.

What are the penalties for violations?

Currently, Decree 05/2019/ND-CP does not specify penalties for violations. However, in specialized sectors such as banking, credit institutions, insurance, and securities businesses, the penalties are as follows:

For banks and credit institutions, according to Article 8 of Decree 88/2019/ND-CP effective from December 31, 2019:
“3. Fines from VND 80,000,000 to VND 100,000,000 for one of the following violations:
a) Internal audit does not perform duties stipulated in Clause 2, Article 41 of the Law on Credit Institutions and relevant laws;…
4. Fines from VND 100,000,000 to VND 150,000,000 for failure to establish a dedicated internal audit under the Supervisory Board.”

For the securities sector, under Decree 145/2016/ND-CP effective from December 15, 2016:

  • Clause 2, Article 23:
    “2. Fines from VND 70,000,000 to VND 100,000,000 for one of the following violations:

    d) Failure to establish or maintain an internal audit system, internal control system, or risk management; failure to supervise and prevent conflicts of interest between customers or between securities companies, foreign branches of securities companies in Vietnam, securities professionals, and customers;”
  • Clause 2, Article 26:
    Fines from VND 70,000,000 to VND 100,000,000 for fund management companies, branches of foreign fund management companies in Vietnam for one of the following violations:
    “a) Failure to establish a risk management system, internal control department, or internal audit; failure to ensure adequate staffing in internal control and internal audit departments or ensure staffing meets conditions; failure to supervise and prevent conflicts of interest between customers or between fund management companies, securities professionals, and customers;”
  • Article 35a:
    “c) Fines from VND 40,000,000 to VND 80,000,000 for failing to issue and comply with internal regulations on anti-money laundering; failing to perform internal audit activities related to anti-money laundering;”

2. Which enterprises are not legally required but are recommended to implement internal auditing?

Enterprises exhibiting the following characteristics should consider establishing an internal audit department if overall benefits outweigh associated costs:

  • Enterprises with multi-level governance structures.
  • Enterprises operating across various industries or sectors.
  • Enterprises experiencing significant growth in scale.
  • Enterprises whose senior executives find their roles increasingly overwhelming, making effective oversight and decision-making challenging, with rising risks.
  • Enterprises aiming to enhance credibility among stakeholders by adopting best governance practices, effective risk management, and improved operational performance.

3. What should enterprises consider when initiating internal audit activities?

Internal auditing is a process requiring gradual adjustments in awareness, management culture, procedures, policies, and personnel.

Initially, enterprises should focus on the following:

  • Establishing an Internal Audit Charter: This document is foundational, defining the core elements of internal auditing, such as roles, responsibilities, and core principles. It should comply with Decree 05, Circular 66/2020/TT-BTC, and international best practices. Approval from the highest governance body, including independent and non-executive members, is necessary.
  • Ensuring organizational independence of the internal audit department, reporting directly to the highest level of governance, including independent and non-executive members.
  • Selecting and appointing a Chief Audit Executive (CAE): This key position oversees the entire internal audit function, requiring strong ethical standards, professional competence, and independence.
  • Outsourcing detailed internal audit tasks initially to receive timely and appropriate support, subsequently developing internal processes and staff progressively.
  • Promoting internal awareness: Enterprises should emphasize educating employees on the purpose and importance of internal auditing to ensure cooperation towards mutual goals and risk mitigation. Misconceptions about internal auditing as merely a policing function can lead to management misuse or employee resistance, significantly hindering effective implementation.

1. What should the organizational structure of the Internal Audit Department be? What positions are included, and what are their functions/duties?

The Internal Audit Department, fundamentally, consists of the following positions:

1.1. Head of Internal Audit (also known as the Chief Internal Auditor), with the following primary responsibilities:

  • Responsible for managing and overseeing the Internal Audit Department to effectively perform its functions (duties) in accordance with the regulations issued by the enterprise and strict compliance with relevant regulations.
  • Holds the highest accountability for the results of audits conducted by the Internal Audit Department.
  • Engages with senior management and executives on all matters requiring approval from competent authorities as per regulations, explains significant audit findings, and proposes solutions for issues arising from the operations of the Internal Audit Department.

Refer to Article 24 of Decree 05/2019/ND-CP for further details.

1.2. Internal Auditor, primarily responsible for effectively carrying out assigned audits and ensuring compliance with relevant regulations.

Refer to Article 23 of Decree 05/2019/ND-CP for further details.

1.3. Assistants to the above positions: Responsible for supporting the Head of the Department and Internal Auditors in performing detailed tasks as required.

2. Are there any mandatory regulations for recruiting personnel for this department, and what should be noted?

The only relevant regulation is Article 11 of Decree 05/2019/ND-CP, specifically as follows:

Article 11. Qualifications for Internal Audit Personnel

1. Must hold a bachelor’s degree or higher in disciplines relevant to audit requirements, with comprehensive and up-to-date knowledge in the assigned audit areas.

2. Must have at least 05 years of work experience in the trained discipline, or at least 03 years of work experience at the current organization, or at least 03 years of experience in auditing, accounting, or inspection.

3. Must have general knowledge and understanding of laws and the organization’s operations; possess the ability to collect, analyze, evaluate, and synthesize information; and have knowledge and skills in internal auditing.

4. Must not have been disciplined at the level of a warning or higher for violations in economic, financial, or accounting management, and must not be under disciplinary sanctions.

5. Other qualifications as specified by the organization.

In our opinion, in addition to the basic qualifications above, enterprises should prioritize:

  • Individuals with a strong sense of compliance, independence, and objectivity, as these are core qualities essential for this role.
  • Individuals with a personality suited to a role requiring effective interaction with various people and in diverse situations.
  • Individuals with professional certifications in internal auditing, as they possess the appropriate mindset and methodologies for internal auditing and are generally committed to developing a career in internal auditing.
Specific tasks of the Internal Audit Department within an enterprise:
At the beginning of the year:
  • Participate in senior internal meetings regarding corporate strategy and business plans to clearly understand business objectives, which support the creation of internal audit plans and programs.
  • Develop an annual internal audit plan and submit it for approval by competent authorities.
  • Prepare the budget and staffing estimates for the year and submit them for approval.
  • Review internal audit regulations, procedures, and methods to make necessary adjustments aligned with business changes.
Throughout the year:
  • Conduct audits as per the approved annual audit plan following established regulations, processes, and audit methods. Report audit findings to stakeholders after each audit, provide explanations when required, propose recommendations, and monitor the implementation status of these recommendations by relevant departments.
  • Perform special audits and consulting engagements upon request.
  • Advise agencies, units, or enterprises on selecting and controlling the use of independent auditing services to ensure efficiency and cost-effectiveness. Engage with independent auditors as necessary.
  • Organize ongoing training to enhance and maintain the professional competence of internal auditors.
At the end of the year:
  • Prepare and submit a comprehensive report summarizing the activities of the internal audit department throughout the year to management and executives.
  • Conduct annual self-assessments regarding the quality of internal audit activities, including compliance with independence, objectivity, and professional ethics. This may be performed internally or through external specialized organizations. Make necessary adjustments and improvements based on assessment results.
  • Prepare required tasks for drafting next year’s internal audit plan and operating budget.

For more details, refer to Article 20 of Decree 05/2019/ND-CP.

Factors to Ensure Effective Operation of the Internal Audit Department
The following factors, if well-executed, will contribute to improving the effectiveness and efficiency of the Internal Audit Department within an enterprise:
  • Strong and practical support from the highest level of leadership: In addition to approving critical documents such as regulations, procedures, etc., senior leadership must ensure these documents are effectively implemented in practice through appropriate attitudes and actions to guarantee that the Internal Audit Department can fully exercise its authority and functions. The proposals and communications from the Internal Audit Department should be prioritized and supported by senior leadership rather than being ignored or delayed. It can be said that internal audit activities will remain superficial without the support of top leadership.
  • Formal documentation of regulations, procedures, templates, and internal audit methodologies, with continuous updates and adjustments, rather than relying on verbal communication or emails: Such documentation ensures that all members of the department (including leadership and staff) align their mindset and actions consistently, avoiding discrepancies or individualistic approaches.
  • The objectives, authority, functions, and scope of internal audit outlined in the regulations must align with Vietnamese and international standards and practices: Widely accepted standards and practices are developed and refined by numerous experts to enable internal audit to fulfill its inherent roles effectively while avoiding conflicts related to independence and objectivity. Enterprises may adapt these to their specific characteristics but must ensure no material deviations.
  • Regular focus on training and internal communication regarding the purpose and significance of internal audit activities: This helps eliminate prejudices from other departments’ personnel about internal audit, thereby increasing cooperation and coordination across departments.
  • Availability of personnel with strong professional expertise and ethical standards: Internal audit activities require personnel with both high expertise and ethical integrity to provide high-quality, independent, and objective insights to senior leadership. Therefore, recruitment and training efforts should be adequately invested in. Additionally, enterprises may consider outsourcing solutions to address personnel shortages while staying within budget constraints.
  • Regular self-assessment of audit quality: This is a requirement of internal audit standards to ensure the enterprise consistently maintains the required audit quality. Enterprises can conduct this assessment internally or engage an independent audit firm to perform it.
  • Establishment and maintenance of a robust control environment: With a strong control environment, the role of internal audit can be maximized, as everyone in the enterprise will have a heightened awareness of control and risk, leading to highly effective coordination with the Internal Audit Department.
What to do when other departments in the enterprise do not cooperate effectively with the Internal Audit Department?
  • Internal auditors should thoroughly investigate the root causes and nature of the issue to identify appropriate short-term and long-term solutions within their authority.
  • If the issues require the support and approval of senior leadership, they should promptly communicate and propose solutions.
  • Short-term solutions typically involve direct intervention by competent authorities, while long-term solutions aim to enhance awareness and attitudes toward internal audit. Examples include increasing communication efforts, providing training, strengthening the control environment, and revising regulations, procedures, or methodologies.
  • Utilizing outsourcing services can also be an effective alternative solution in certain cases.

1. Can an enterprise outsource internal audit services?

Based on Clause 3, Article 10, Decree 05/2019/ND-CP:

“3. Enterprises specified in this Article may engage an independent audit organization that meets the legal requirements for audit activities to provide internal audit services. In cases where an enterprise outsources internal audit services to an independent audit organization, it must ensure compliance with the fundamental principles of internal auditing and the requirements to uphold these principles as stipulated in Articles 5 and 6 of this Decree.”

2. What are the advantages and limitations of outsourcing internal audit services?

2.1. Depending on specific circumstances, enterprises should consider the following advantages of outsourcing if the external market can meet their needs:

  • Meeting deadlines for task completion: If there are strict deadlines to meet, outsourcing is often a more feasible solution. Independent audit firms typically have sufficient resources to perform tasks when required, whereas building and operating an in-house internal audit department takes significant time due to the high level of expertise required, recruitment, training, and developing regulations, policies, methodologies, and tools, all of which demand considerable time to establish.
  • Saving effort and time for enterprise leadership: Building and operating an in-house internal audit department requires more effort and time from leadership compared to outsourcing. Internal auditing is a highly specialized field, requiring continuous updates and differing significantly from the enterprise’s core business. The more staff involved, the more effort and time leadership must dedicate to recruitment, management, training, staff development, termination, and rehiring. Leadership’s time and effort are better focused on business strategy to achieve higher efficiency for the enterprise. Leadership only needs to understand the key aspects of internal auditing to coordinate and oversee at a high level, while specialized and detailed tasks can be outsourced.
  • Potentially more cost-effective for the enterprise: While the cost of each outsourcing engagement may be high, it is often lower than the total costs of maintaining an in-house internal audit department over a financial period (e.g., salaries, bonuses, mandatory insurance, income taxes, training costs, additional management costs for the department, union fees, office rental, equipment, travel expenses, allowances, etc.). Costs can escalate further if the enterprise operates multiple units across the country or internationally. Outsourcing can help reduce the burden of recurring costs for the enterprise.
  • Ensuring higher work quality: Audit firms typically employ staff with superior and more consistent expertise due to their continuous specialized training and extensive practical experience. Training employees is often a challenge for enterprises. Additionally, external auditors often bring fresh ideas, having worked with diverse clients across various industries and staying updated with the latest legal and professional knowledge. Their insights can help enterprises implement improvements to optimize processes and enhance performance, thereby increasing profitability.
  • Enhancing independence and objectivity: Although the internal audit department must maintain independence and objectivity from other departments within the enterprise, in practice, frequent internal interactions can create risks that compromise this independence and objectivity, such as favoritism or familiarity, potentially leading to audit reports that do not accurately reflect reality. Outsourcing mitigates these risks, making it a key reason many enterprises choose this option. Furthermore, when independence and objectivity are maximized (both in form and substance), other departments face increased pressure and motivation to perform their tasks to the best of their ability to avoid being flagged for errors or discrepancies.
  • Leveraging the reputable brand of the internal audit service provider: The reputable brand of the service provider can enhance the confidence of partners in the enterprise’s operational efficiency and risk management. This can lead to more favorable terms and benefits in transactions with relevant parties.

2.2. Conversely, outsourcing has the following limitations, which require corresponding solutions:

  • External auditors may not fully understand certain specialized internal matters: This is inevitable, so if outsourcing is chosen, the enterprise must appoint a suitable coordinator responsible for collaborating and communicating comprehensively with the external provider about relevant internal matters to ensure optimal performance. Depending on the nature and scale, enterprises should consider outsourcing part or all of the internal audit tasks. Tasks that are difficult for external providers to handle should be performed in-house.
  • Concerns about work quality and information confidentiality: This is a common issue when outsourcing any service. To mitigate this risk, enterprises should invest effort in selecting service providers from the outset. Providers must meet requirements for reputation, expertise, and resources, and enterprises should shortlist 2-3 qualified providers to allow for flexibility or supplementation when needed.
  • Costs may exceed the budget: Enterprises should discuss with the service provider to determine the optimal scope of work within the allowable budget, such as outsourcing part or all of the internal audit tasks. Additionally, enterprises can negotiate fee reductions to maintain a long-term relationship.
  • Lack of regular and detailed audit result reporting: In all outsourcing cases, the enterprise must appoint an overall coordinator for internal audit activities to stay updated on audit results promptly and comprehensively and to communicate effectively with the service provider when necessary. Enterprises should also require the service provider to participate in audit result debriefing sessions when requested.

The responsibilities and authority of internal auditors and the Head of the Internal Audit Department will be specifically outlined in the internal audit regulations of each enterprise. However, Decree 05/2019/ND-CP describes these details in Articles 23 and 24, which you can refer to for further information.

What are the necessary and sufficient conditions to become an internal auditor?

Article 11 of Decree 05/2019/ND-CP stipulates the following:

“Article 11. Qualifications for Internal Audit Personnel

  1. Must hold a bachelor’s degree or higher in disciplines relevant to audit requirements, with comprehensive and up-to-date knowledge in the assigned audit areas.
  2. Must have at least 05 years of work experience in the trained discipline, or at least 03 years of work experience at the current organization, or at least 03 years of experience in auditing, accounting, or inspection.
  3. Must have general knowledge and understanding of laws and the organization’s operations; possess the ability to collect, analyze, evaluate, and synthesize information; and have knowledge and skills in internal auditing.
  4. Must not have been disciplined at the level of a warning or higher for violations in economic, financial, or accounting management, and must not be under disciplinary sanctions.
  5. Other qualifications as specified by the organization.”

However, in addition to the above qualifications, you should possess the following suitable qualities:

  • A strong sense of compliance, independence, and objectivity, as these are core qualities essential for this role.
  • A personality suited to a role requiring effective interaction with various people and in diverse situations.
  • Participation in professional internal audit certification training to develop the appropriate mindset and methodologies for internal auditing.
