The internal auditing profession has undergone considerable changes during the past few years. A new definition has been formulated in 1999 for the profession and the Professional Practices Framework, including the Standards, has had to be adapted to incorporate this new definition. An internal auditor, in addition to being a control specialist, must now also assist management in a consulting capacity with risk management and corporate governance. According to the new Standards, an internal auditor should assist his or her organisation in maintaining effective controls by evaluating its effectiveness and efficiency and by continuously promoting improvement. The basis for the control system is a control environment that provides an atmosphere in which people conduct their activities and this has a direct influence on the way activities are structured, objectives are established and risk is addressed. HIV/AIDS is a disease that threatens the world as a whole, global economies, individual countries, governments and also the business world, especially individual organisations. It is therefore vital that the consequences of this potential risk on an organisation are studied. Various studies done on this subject have indicated that managements are aware of the possible risk of HIV/AIDS to their organisations, but no study has at yet investigated the role that internal auditors can play or the effect of HIV/AIDS on the control environment. This study firstly investigated whether HIV/AIDS has an effect on the control environment of an organisation. Secondly, the knowledge of internal auditors regarding the potential risk of HIV/AIDS to the organisation and the role they should play in assisting management with this risk, including its effect on the control environment, was investigated. The research findings showed that HIV/AIDS does have an effect on certain elements of the control environment, namely the competence of the workforce, organisational structure and the human resources policies and practices. The study also concluded that internal auditing should treat the risk of HIV/AIDS like all other risks threatening the organisation. Thus they should assist management in managing the risk and giving assurance to all stakeholders that the risk is being adequately managed. It was also concluded that although internal auditors are aware of the risk of HIV/AIDS to their organisations, especially the control environment, only a few internal auditing departments were performing their responsibilities in full. The level of commitment to managing this risk varied from total ignorance of HIV/AIDS in a business environment, to internal auditors performing audits on certain aspects in the management of this risk. HIV/AIDS is not a normal business risk. Factors such as additional legislation, the disease being non-notifiable, the stigma associated with the illness, the fact that no cure is available, and many more make this a difficult risk to understand and to manage, thus complicating the responsibilities of internal auditors. Professional guidance is needed for the internal auditor on how to handle this risk.
Dissertation (MCom(Internal auditing))--University of Pretoria, 2005.