Steps to Iaa
Transcript of Steps to Iaa
-
7/28/2019 Steps to Iaa
1/36
STEP #1: Review the IIAs Professional Practices FrameworkThe best place to begin our journey is by first reviewing the IIAs Professional PracticesFramework. Bydefinition, any profession needs to hold its members to a high andconsistent level of behavior, and theprofession of internal auditing is no
d i f f e ren t . Based on th i s , t he I IA p romulga tes the Professional PracticeFrameworkthat is used as a guide for internal auditors in the performance of their work.The three categories of guidance are
1) The International Standards for the
Professional Practice of Internal Auditing1 (Standards),2 ) P r a c t i c e A d v i s o r i e s , a n d3 ) C o d e o f E t h i c s .
Note: A summary of the IIAStandards and Code of Ethics are shown inAppendices B and CTogether these documents a re cons idered to be essen t ia l f o r t he p rofes sio nal pra ct ic e of inte rna lauditing.
TheStandardshave the following four purposes:
1)Outline the basic principles that represent the practice of internal auditing, as it should
be.
2)Provide framework for performing and promoting a board range of value added
internal auditingservices.
3)Establish the basis for the evaluation of internal auditing performance.
4)Foster (support) improved organizational processes and operations.The IIA Practice
Advisories represent the best practices of implementing the
Standards
. The PracticeAdvisories are not mandatory and do not represent all of the
considerations that may be necessarywhen applying them, but they are simply the
recommended stet of items that should be addressed orfollowed.Finally, there are the
IIAsCode of Ethics. Whereas the Standards provide guidance for internal auditors in the
performance of their duties, The Code of Ethics provides an ethical guide for the
conduct of internal auditors
-
7/28/2019 Steps to Iaa
2/36
STEP #2: Understand stakeholders requirements
For this stage we are trying to answer the question,
How can the internal audit activitybest serve the organization?
In order to answer this question, you need to do a lot of information gathering, and partof this process is to understand the stakeholders requirements. To better understand
the stakeholders requirements you can do the following:
Interview senior management and member of the audit committee. This gives you
a chance to start building a rapport with the top. As we have already said, without their
full and un-mitigating support, the chances of your success are severely diminished.
You want to ensure that they have a clear understanding of the internal audit function.
You can then clarify their expectations.
Review the audit committees Charter. You want to have clearer understanding ofthe audit committeesresponsibility regarding internal auditing (see below)
Note: See Appendix D for a sample Audit Committee Charter.
-Review with management and the chief audit executive the charter, activities, staffing,
and organizational structure of the internal audit function.
-Have final authority to review and approve the annual audit plan and all major changes
to the plan.
-Ensure there are no unjustified restrictions or limitations, and review and concur in theappointment, replacement, or dismissal of the chief audit executive.
-At least once per year, review the performance of the CAE and concur with the annual
compensation and salary adjustment.
-
Review the effectiveness of the internal audit function, including compliance with The
Institute of Internal Auditors'
International Standards for the Professional Practice of Internal Auditing.
-On a regular basis, meet separately with the chief audit executive to discuss any
matters that the committee or internal audit believes should be discussed privately.
Meet with the external auditor. The external auditors would be in a good position to
advise you on some of the problems they have identified during their own reviews.
Coordination between the internal and external auditors is an important issue for the
-
7/28/2019 Steps to Iaa
3/36
internal auditing function and this is agood method to start developing a good, working
relationship.
Meet with other stakeholders,including operations managers.
During these meetings you can get a better feel for their risks and concerns
-
7/28/2019 Steps to Iaa
4/36
STEP # 3: Develop an Internal Audit Charter
After gathering all of the necessary information during the second stage, you should
now be in a position to develop the
Internal Audit Charter.During this stage you will be working with the board and senior management to
articulate the mission for internal audit. It is the Charter that lets internal auditors do
their work. It will probably be the CAE to write up the draft Charter, but for it to mean
something it has to be approved by senior management and accepted by the audit
committee. After its approval and acceptance, it then needs to be communicated to
people within the company. The Charter should define the following items in respect to
the internal audit activity:
1)The scope of the services (i.e., assurance and consulting) and work to be performed,
2)The objectives of the function,
3)The authority of the function to access records, personnel and physical
properties in theorganization,
4)The accountability of the function, and
5)The responsibility of the function.Note: See
Appendix E
for a sample Internal Audit Function Charter. This sample Charter was adapted rom the
one posted on the IIA website (www.theiia.org).Of course, no Charter can possibly
encompass all of the activities that could be possible, so when tailoring your Charter,
just make sure it fits your companys needs. Also, you need to recognize that even
though the Charter is a formal and approved document (approved by senior
management and accepted by the audit committee), it is not a document that is
unchanging. In the beginning you should review the document at least annually (and
more often as circumstances may require) to ensure that it is still relevant and
addresses the needs and issues that the organization and the internal audit activity are
facing. It may be good to include all of the activities you think you might want theinternal audit function be involved in, in the coming two to three years. This does not
mean you have to do these activities, only that you could if the need arose. One of the
important things to remember when developing the Charter is to make sure that your
function maintains its independence and objectivity. We look at these terms below.
http://www.theiia.org/http://www.theiia.org/http://www.theiia.org/http://www.theiia.org/ -
7/28/2019 Steps to Iaa
5/36
Review the Independence and Objectivity of the Internal Audit Function
Independence:
The function is a unique function within the organization. It is not part of the
organizations regularmanagement structure and as such does not play a managementrole within the organization. Ideally, you want the internal audit activity to
functionally report to the Audit Committee of the Board of Directors, and
administratively to the CEO or some other designated management person.
Why is this?
As with external auditors, internal auditors need to be protect their independence from
any undue internal management pressure. This means that the internal auditor should
be able to perform its Work freely and objectively without having to worry about
individuals or groups within the organization influencing or affecting what it is trying to
do. Functionally reporting to the Audit Committee or some other governing authoritymeans that they are responsible for:
Approving the functions Charter.
Approving the internal audit risk assessment and related audit plan,
Receiving communications from the CAE on the results of the function or other private
meetings with the CAE without management present.
Approving decisions regarding the appointment or removal of the CAE, and
Making appropriate inquiries of management and the CAE to determine whether there
are scope or budgetary limitations that impeded the ability of the function to execute its
responsibilities. Now, when we are talking about independence, we know that you are
not go to be as independent assay your companys external auditor because, one, it is
management that is going to be involved in the approval of your budget, and two, if you
need to buy some office supplies, youre not going to go to the audit committee to get
approval for the expenditures. For issues like this you should go to someone in
administration, perhaps the chief financial officer. Administrative reporting typically
would include:
Setting the budget for the function,
Having the HR department administer personnel evaluations and compensation,
Monitoring internal communications and information flows, and
-
7/28/2019 Steps to Iaa
6/36
Administering the organizations internal policies and procedures. The idea of
independence is not to be taken lightly. Its this idea of independence that differentiates
internal auditing from the other departments within your organization. When looking at
independence you might want to consider seeking some external assistance in making
sure the function is truly, as best it can, independent. External auditors might be in
a good position to review the independence and objectivity of the internal audit activity.
To some extent, external auditors also have some sake in the establishment of a well-
run internal audit function. Its possible that the external auditors may rely on some of
the work of the internal auditors; so therefore, they want to have some comfort that the
work of the internal auditors is not being manipulated. But their willingness to rely on
some of the work will be diminished if they feel the internal audit function lacks
independence, or objectivity.
Objectivity:
What we mean by objectivity is that you, as an internal auditor, have to be able toremain objective when conducting your work. You should1)
Impartial
.2) Have an unbiased attitude, and
3) Avoid conflicts of interest Being objective means that the conclusions or opinions
that you are drawing are based solely on facts at hand, and are not influenced by
feelings, emotions, relationships with others, monetary bribes or any other outside
influence.
Impairment of Objectivity:
When we talk about objectivity you need to keep in mind others perception of whether
the internal auditor is being objective or not. For example, if the internal
auditor accepts a gift or money of significant value from the client, objectivity would be
perceived to be impaired even if the auditor, in fact, was objective. Also, objectivity is
assumed to be impaired if an auditor performs an assurance review of any activity over
which he or she has recently had responsibility. Individuals who are assigned to or
transferred to your department should
not audit areas where they worked until a reasonable period of time haselapsed. Basedon the IIA Standards, the amount of time is about one year.
-
7/28/2019 Steps to Iaa
7/36
STEP #4: Develop an initial Risk Assessment for your company
Risk assessment
is the systematic process of assessing and integrating professional judgment about
probable adverse conditions and/or events. The questions should always be asked:What could go wrong here?
What assets do we need to protect?
By answering these questions you can then understand the means of controlling the
risks. The COSO study, Internal Control-Integrated Framework, summaries risk
assessment in the following way:
6 Every entity faces a variety of risks from external and internal sources that must beassessed. A pre-condition to risk assessment is the establishment
of objectives, linked at different level sand internally consistent. Risk Assessment is the
identification and analysis of relevant risks to achievement of objectives, forming a basis
for determining how the risks should be
managed.Because economic, industry, regulatory and operating conditions will continue
to change,mechanisms are needed to identify and deal with the special risks
associated with change.The assessment of risks starts by developing the audit
universe or list of all auditable entities. This would be a compilation of the subsidiaries,
business units, departments, groups, processes, or other established subdivisions of an
organization that exist to manage one or more business risks. The assessment of risk
involves determining the volume of transactions and the average dollar amount per
transaction, the dollar value of assets that are exposed to loss, as well as the probability
that a loss will occur. The company objectives must be established before risks can be
assessed. Risk assessment forms the basis for determining how risks (both internal and
external) should be managed.
External risks
include changes in technology, changes in the market in which an entity operates, new
legislation bringing new requirements, natural disasters, economic changes, a failure ofa key supplier, or being sued, defrauded, or robbed.
Internal risks
include employee embezzlement accompanied by falsification of records to conceal the
theft; lack of compliance with government regulations; or other illegal acts by
employees, such as taking a bribe. Internal risks can also include disruption in computer
-
7/28/2019 Steps to Iaa
8/36
systems, poor management decisions, errors, or accidents. Changes in management
responsibilities can affect control activities; and an ineffective board or audit committee
may leave openings for fraudulent actions on the part of anyone within the company
-
7/28/2019 Steps to Iaa
9/36
STEP #5: Develop the Audit Plans
Based on the IIA
Standards
7
The CAE should establish risk-based plans to determine the priorities of the internal
audit activity, consistent with the organizations goals. The function of the audit plan is
to put into writing the audit goals, schedules, staffing needs, and reporting. The plan
should also demonstrate that audit resources are used efficiently and effectively. Based
on this, we can see that audit plans are a good method of promoting internal auditing in
the company. Even though, audit plans are designed to act as a guide or roadmap for
your company when you do the audits, you need to remember that the plans are not
written in stone and might be modified during an audit if circumstances require it. The
audit plan should be prepared at least annually, but it is highly recommendedto develop strategic audit plans as well. The primary purpose of the strategic plans is
to ensure sufficient internal audit coverage.
Strategic Audit Plans:
Strategic means in the future, so this plan would show your audit coverage going out
two, three or more years. Developing this long-term plan is something you should not
take lightly. Sawyer 8 identifies 6 purposes of the strategic plan. These are:1)To
provide a guide for your internal audit department,2)To provide a basis for your budget
request,3)A way of involving management and the board in audit planning,4)Providesthe standard by which you can measure the accomplishments of your department,5)A
means to show management and the board that your department is under competent
control,and6)A notice to the external auditor of proposed audit coverage. Sawyer 9
also outlined some of the basic elements that every strategic plan
should contain. These elements are:
1)All the operations of the company should be analyzed for audit ability and potential
risks.
2)Each organizational component should be analyzed as
to specific objectives, performancestandards, and controls. Proposed audit hours shoud
be allocated each of the identifiableelements constituting an audit project.
3)Relative risks should be assessed, taking into account the objectives of internal
control set forth in the Standards:107
Standard 2010.8
-
7/28/2019 Steps to Iaa
10/36
Sawyers Internal Auditing, 5th
Edition, page 945.9
Sawyers Internal Auditing, 5th
Edition, page 947.10
Standard 2120.A1.16
Reliability and integrity of information.
Compliance with internal and external rules and regulations.
Safeguarding assets.
Economical and efficient use of resources.
Achievement of established organizational objectives and goals. The big issue for the
strategic plan is to make sure that all areas of the company are audited at least
periodically. Without such a plan, it is possible that a certain area would never be
audited because it does not meet the requirements for the annual audit. Now, we want
to look at the annual audit planning process.
Annual Audit Plans:
The CAE has the responsibility to develop the annual audit plan based on theassessment of risk and the exposures that may affect the company. Based on risk and
exposure the CAE can prioritize the activities to be audited. You just need to make
certain that the plans are consistent with the Charter and with the goals of the company.
How do you determine which engagements to conduct?
Its ultimately the responsibility of the CAE to determine which engagements are to be
performed. Sometimes it may come down to the judgment of the CAE in making this
decision. Other factors to consider when prioritizing are:
The length of time since the last engagement was performed in the area;
Request from senior management, the audit committee or othergoverning bodies;
An engagements relation to the external audit;
Changing circumstances in the business, operations, programs, systems or controls;
-
7/28/2019 Steps to Iaa
11/36
Changes in the risk environment or control procedures in the department;
The potential benefit that could be achieved from the engagement; and
Changes in the skills of the availab le staff (it may be that a new employee has new
skills, or training has given a staff member new skills) because new skills may enableconducting different types of engagements. Note: In the development of audit plans,
it is generally recommended to leave some time for management request (usually about
10%).We have already mentioned that the primary factor in prioritizing engagements is
risk. When we
discussrisk assessment, you need to remember that there are two types of assessment
s, quantitative (numerical) assessments as well as qualitative (characteristics)
assessments. Quantitative assessments would include the dollar value of the assets at
risk or the potential loss, while qualitative includes things such as the risk in the area of
fraudulent behavior or the importance of the section to the operations of the business as
a whole.
One way to measure the extent of risk in different areas is to multiply the dollar amount
that is at risk of loss by the percentage chance of the loss occurring. In this way, the
CAE is able to address the fact that while petty cash is at great risk because it is cash
that is, in essence, available to everyone in the organization, there is not much cash at
risk at any one time because there is never much cash in petty cash at any point
in time. When combining these factors, petty cash is probably a lower priority when
compared to an area where there is a lower risk of loss, but the loss value would be
much greater. The above discussion has focused on a monetary measurement.
However, there are also risks that are not related to the assets of the company or aspecific monetary amount that also need to be assessed. For example, control
procedures (or, more accurately, lack of control procedures) may also be an area of risk
that would need investigation.
Note: See Appendix F for a sample Schedule of Audit Coverage for a three-
year period. The difference between this 3-year plan and the annual plan is that the
annual plan would include the timing of the audits, and possibly the assigned personnel.
-
7/28/2019 Steps to Iaa
12/36
STEP #6: Build the budget
You are going to build your internal audit budget based on the results of the risk
assessment and audit plan. The internal audit budget must be sufficient to so you can
deliver a risk-based plan developed during the fifth stage. The amount that you are
going to budget to achieve your objectives will be driven by the auditplan, organizational structure, and staffing strategy. In 2004, the IIA conducted a
random survey of 730 companies to get an idea of what companies spend to support
their internal auditing functions
(see Exhibit 1). The survey identified a general range of 0.03% to 0.22% of revenues
for an internal audit budget. The percentage goes up to 1.33% of revenue for
companies with revenue of less than 100 million USD.The following information below
was provided by The IIA Global Auditing Information Network (GAIN)Reports:
Exhibit 1Average Internal Audit Cost By Revenue
Revenue Range Internal AuditStaff CountAverageRevenueAverage
InternalAuditAverage InternalAudit as %
of Revenue$15B74$41,347,965,743$11,678,4230.03%
Source: The IIA Global Auditing Information Network (GAIN).For more information visitwebsite:www.theiia.org/gain
You will have two classifications of costs in the internal audit budget:
Capital expenditures andAdministrative expenses
.1) Capital Expenditures include costs for purchasing desktop computers, notebooks,
printers, copy machine, cell phones, office furniture, etc.2)
Administrative costs could include the following:
The salary of the CAE.
The salary of remaining auditors.
Travel expenses. This could be a significant cost, particularly, if your company has
multiple locations.
IT support costs.
http://www.theiia.org/gainhttp://www.theiia.org/gainhttp://www.theiia.org/gainhttp://www.theiia.org/gain -
7/28/2019 Steps to Iaa
13/36
Office equipment repair costs.
Office supplies.
General office maintenance costs
-
7/28/2019 Steps to Iaa
14/36
STEP #7: Determine the staffing requirements
The CAE needs to make sure his or her staff is professional. This means having
the right people in the right positions. This follows along the idea that its better to be
understaffed then to hire the wrong people who could very quickly ruin the creditability
of your department. But, the CAE does need to be concerned about not meeting theregulatory requirements, e.g., NYSE, Sarbanes-Oxley, and others.
What staffing options do you have?
In our earlier example, the company is going to float an IPO on the NYSE. In this case,
the company is mandated to have an internal audit function. Again, listed companies
may choose to outsource this function to a third party service provider other than its
independent auditor. Based on this requirement, you have three alternatives. You can:
(1) build the IAA in-house, (2) full you to source the IAA, or (3) partially outsource the
IAA.Building in-house:
This alternative tends to be the more traditional way of creating and building internal
audit activities. Advantages to this approach can include the ability to groom employees
for future needs within the company. The company also has the advantage of having
staff available on a permanent basis who understand the culture, structure, and
practices of the company. In addition, the full-time staff is in a position to further develop
specialized skills through professional certification programs (i.e., CIA, CFSA,CISA, and
others), which further professionalizes the department.
Fully Outsourcing:
Outsourcing
is generally defined as contracting out the IAA to others who are not employees of the
company. There are a variety of reasons why a company may consider fully outsourcing
the internal auditing function, including:
have an operational function immediately,
dence and objectivity. This is because they would
not be onstaff of the company.
-
7/28/2019 Steps to Iaa
15/36
What could be a disadvantage of outsourcing?
One disadvantage could be that since the contracted auditors are not part of the
company they might not have the loyalty to the company has in-house auditors. Also, in-
house auditors would be more familiar with the business environment of the company,
and thus, be in a better position to help the company. Finally, internal auditing issupposed to be a value added function, but if executive management and the board are
not a 100% on board, then outsourcing could limit the benefits of the IAA.
Partial Outsourcing:
Even with fully developed in-house internal auditing staff, its unlikely you will have the
capability to provide complete audit coverage. In these cases, you should consider
partially outsourcing to an outside organization that can provide specialized skills so you
can meet your objectives. For example, if your company offers a pension plan then it
is not unusual for an actuary to be hired to look at the reasonableness of future pensionliabilities. Or, if your company produces environmental waste, it might be good to hire
an outside firm to look at compliance with environmental laws. You should never think
that your department has to be specialist in every area of the organization. It is just not
realistic to think so. When deciding whether to hire in-house, outsource or possibly do
both, you need to ask yourself:
1)What are the priorities for the internal auditing function? If you build in-house, can to
hire the staff that can handle the work? Can they do the work professionally, and get it
done on time?
2)If you outsource, can you improve the effectiveness of your department? What are thelong-term implications? Will outsourcing save the company funds? How about long-
term needs?
3)Can you source staff internally on a part-time basis to help meet the departments
objectives?
For example, if you had scheduled an environmental audit for the current period,
perhaps the company has an experienced environmental engineer who could help with
the audit. An important issue with this is to make sure the employee maintains his or
her objectivity. The CAE simply needs to realize that outsourcing is a viable option. Thecompany has particular
needsand compliance deadlines and these factors will dictate whether building, outsour
cing, or using acombination of both is right for your company. Each option has its
benefits and risks so an analysis should be conducted to determine which option is the
right option. Some of the things to consider in your analysis are:
-
7/28/2019 Steps to Iaa
16/36
Independence of the service provider.
Allegiance of in-house versus external service provider.
Professional standards followed by the service provider.
Qualifications ofthe service provider.
Staffing training, turnover, rotation of staff, management.
Flexibility in staffing resources to meet engagement need or special request.
Availability of resources.
Retention of institutional knowledge for future assignments.
Access to best practices or insight to alternative approaches.
Culture of the company receptiveness to service providers.
Coverage of remote locations (if relevant).
Coordination with in-house internal audit services.
Coordination with external auditors.
Use of internal auditing as a training ground for internal promotions.
Retention, access to and ownership of working papers.
Acquisition and availability of specialty skills.
Cost considerations.
Good standing membership in an appropriate professional organization.
Drafting Job Descriptions:
By drafting descriptions, it will be much easier for you to determine whether your
department is properly staffed. Having good job descriptions is also an important basisfor the recruitment and promotion of staff. In
Appendix G
We have drafted sample job descriptions for the various internal auditing positions. We
included job descriptions for the positions:
-
7/28/2019 Steps to Iaa
17/36
Chief Audit Executive
Internal Auditing Manager
Internal Auditing Senior Supervisor
Internal Auditor SupervisorIts unlikely you would have the resources available to
initially fill these positions, but again you alwaysneed to be thinking beyond current
needs
STEP #8: Establish a plan for the development of Staff
Once youve hired the staff, staff development will be an important part of the long-term
success of your department. Staff development consists oftraining, counseling and
performance evaluations. Training needs to be provided with the goal of providing the
staff with the necessary skills to
performtheir jobs in the short term, and also to develop and broaden their skills for their long-termdevelopment. Individuals often see training as a benefit and a well-developed
training program is an excellent recruiting tool for the company. Individuals personal
desires should be considered, but are not the only consideration. This means that it is
possible that people will be trained, or assigned to, areas and engagements that they
are not personally interested
in.However, not only should training benefit the individual, it should also help the functio
n meet itsorganizational goals. As such, some staff may be trained in areas where the
function does not currently have skills, but which are required in the company.
Counseling, ormentoring, is a growing element of staff development. The CAE has aresponsibility for counseling and assisting staff members in their growth in the
organization. This is not to say that the CAE is supposed to have weekly counseling
sessions with each member, but the CAE has a responsibility o step in as needed. In a
large internal audit department, there may be a formal counseling/mentoring program
and, in this case, the CAE most likely is responsible for the oversight and management
of the process. Additionally, the CAE may be the counselor for some of the higher-level
staff members in the department.
Performance appraisals
should be performed at least annually, and more often if needed. Theperformance
evaluations need to focus on the skills that are necessary for the individual to perform
their work and for IAA as a whole to perform its duties. These staff evaluations should
be seen as a means
of giving internal audit employees the opportunity to identify their weaknesses and give t
hem anopportunity to improve their performance. The evaluation should not be based
-
7/28/2019 Steps to Iaa
18/36
on personal likes or dislikes or other non-job related factors. This is particularly true
when the evaluation is an engagement evaluation of their work on a specific job, and
not an annual evaluation. There should be sufficient time to allow everyone to prepare
for conducting the annual evaluation. This usually involves the auditor and the manager
both filling out the evaluation form and preparing for the meeting. The meeting should
be scheduled when both parties are not pressed for time so that anything hat arises
during the evaluation can be discussed and addressed without one person trying to
hurry through the evaluation because of other commitments. The performance
evaluation form can be a standard form (and will be a standard form in large
companies) because this provides focus to the evaluation on the areas that are most
important. However, for this process to work as well as possible, the evaluation needs
to be carefully thought through by the evaluator and should not include
standard comments that are applicable to everyone. Examples and specific references
to events should be provided and included whenever possible.
Note: See Appendix H for a sample internal auditing evaluation form.
-
7/28/2019 Steps to Iaa
19/36
STEP #9: Communicate the existence of the Internal Audit Function in the
Company
This next step seems obvious, but it is a very critical part of establishing the internalaudit function int he organization. You have to have some level of confidence that when
you actually start your work you will have the complete cooperation of the employees
and departments in the organization. Without theircomplete cooperation, you just wont
be able to do your
work.When management communicates the existence of the internal auditing activity th
ey should bepromoting the function as a management orientated resource, not a futile
exercise. If they do this, internal auditors have a better chance of getting what they
need. Sawyer listed some ways for management to market the internal audit function.
Brochures. An easily read non-technical booklet can go a long way toward removingthe mystery and hence the fear from internal auditing.
Bulletins/newsletters. Bulletins can highlight urgent, current findings. Newsletters can
beanecdotal and hence easily understood without getting into internal audit jargon.
Organization publications. These often include human interest stories on employees.
And a well-written story might be accepted and useful in showing the human side of
internal auditing.
Organization programs. Many organizations sponsor civic or charitable activities.
Helping to lead one of these will present internal auditors in a favorable light.
Open house/open door. Hosting an open house lets internal auditors meet operating
personnel under relaxed circumstances.
Client vs. auditee. In both written and oral statements it is preferable to refer to the
people being audited as clients or customers.
Advisory board. To develop an interchange of information about organization re
organization, changes, and developments, develop an advisory board of operating
managers, chaired by the chief audit executive. Subjects discussed could relate to risk
exposures and potential problems. The boardis advisory only but can augment theapproach to what and when to audit.
Pre-audit meeting. This is good way to start building a relationship with the client.
During the meeting you can explain internal auditing and its true function one that
is more than the mysterious resident critic.
-
7/28/2019 Steps to Iaa
20/36
Risk rating. This has generally been regarded as a one-dimension, internal audit
function. But by promoting liaisons between internal auditors and selected operating
people, it can be developed into a problem solving partnership.
Post audit questionnaire. Properly used, the questionnaire can be a valuable quality
assurance tool. Client opinions can help fine-tune the audit process.
Client training. This can include courses for client personnel and a period of actually
working in the internal audit function for top-level new hires who are destined for
management positions. This can offer hands-on training in assessing internal controls
and valuable experience when the trainees take on the jobs they were hired for.
Quality programs. Internal auditors can be in the forefront of the quality quest
sweeping the country. Audit reports receive wide distribution in the organization and
should be quality-oriented to foster the attitude of doing it right the first time
-
7/28/2019 Steps to Iaa
21/36
STEP #10: Establish a quality assurance program
Our final stage is the establishment of a quality assurance program. It is through this
program that wewill be able to measure the success of the internal audit activity.At this
point, you might be asking yourself, So,
whos going to be auditing the internal auditors?
Theanswer, in short is, they will be auditing themselves.
So, how can internal auditors, audit themselves?
You do this by being objective and by being professional. The role of auditing the
internal auditing function falls on the shoulders of the CAE.According to the
Standards:
The CAE should develop and maintain a quality assurance and improvementprogram (QAIP) that covers all aspects of the internal audit activity and continuously
monitors its effectiveness.
Thisprogram includes periodic internal and external quality assessments and ongoing in
ternalmonitoring. Each part of the program should be designed to help the internal
auditing activity add value and improve the organizations operations and to provide
assurance that the internal audit activity is in conformity with the
Standards and the Code of Ethics. Thus, it is the QAIP that justifies the internal audit
activity, but it will be the CAE doing the justifying. Therefore, the internal audit function
is really auditing itself. But, as we will see later this is only partially true.
Quality Program Assessment:
The CAE will be responsible for the implementation of a quality program, the monitoring
of that quality program and the assessment of the quality of the program. The quality
program should include both internal and external assessments. The function of these
internal and external assessments is for the company stakeholders to feel comfortable
with the services the IA function is providing to the organization. Theyre asking theques
tion -Is the internal auditing function contributing to the overall success of the
organization?
Quality program assessments should include evaluation, if appropriate, of:
Compliance with theStandards and Code of Ethics, including timely corrective actions
to remedy any significant instances of noncompliance,
Adequacy ofthe IAAs charter, goals, objectives, policies, and procedures,
-
7/28/2019 Steps to Iaa
22/36
Contribution to the organizations governance, risk management and control
processes.
Compliance with applicable laws, regulations, and other governmental or industry
standards,
Effectiveness of continuous improvement activities and adoption of best practices, and
Whether the auditing activity addsvalue and improves the organizations operations.
The results of these assessments will then be provided to the above-mentioned
stakeholders. A problem that can often arise when doing quality program assessments
is that qualities can mean different things to different people. This is particularly true of
service operations such as the internal audit function. For example, the internal audit
department may be conforming to the Standards, but that doesnt mean its operating in
an effective or efficient manner. To resolve this potential problem, organizations develop
quality circles. A quality circle is a group of employees (anywhere from five to 15employees) who are intimately familiar with an operation and are brought together to
improve quality and productivity. They do this by studying the operation, or problem,
making recommendations, and depending on the operation, they may have the authority
to implement
recommendations.Quality circles frequently use benchmarking as a means to improve q
uality and productivity.
Benchmarking is the process of a company using the standards set by other
companies as a target or model for its own operations. (This is also called best
practices.) It is the process of continuously trying to emulate (imitate) the bestcompanies in the world. By striving to meet the standards of the best companies, an
organization may be able to create a competitive advantage
by achieving a higher standard than its competitors. Benchmarking can use both
financial (profit margin) and non-financial (%of defects).The company that is used as the
benchmark does not necessarily need to be in the same industry as the company that is
trying to improve
-
7/28/2019 Steps to Iaa
23/36
Appendix D
Audit Committee Charter - Sample
PURPOSE:
To assist the board of directors in fulfilling its oversight responsibilities for the financial reportingprocess, the system of internal control, the audit process, and the company's
process for monitoring compliance with laws and regulations and the code of conduct.
AUTHORITY:
The audit committee has authority to conduct or authorize investigations into any
matters within its scope of responsibility. It is empowered to:
Appoint, compensate, and oversee the work of any registered public accounting firm
employed bythe organization.
Resolve any disagreements between management and the auditor regarding
financial reporting.
Pre-approve all auditing and non-audit services.
Retain independent counsel, accountants, or others to advise the committee or assist
in the conduct of an investigation.
Seek any information it requires from employees-all of whom are directed to cooperate
with the committee's requests-or external parties.
Meet with company officers, external auditors, or outside counsel, as necessary.
COMPOSITION:
The audit committee will consist of at least three and no more than six members of the
board of directors. The board or its nominating committee will appoint committee
members and the committee chair. Each committee member will be both independent
and financially literate. At least one member shall be designated as the "financial
expert," as defined by applicable legislation and regulation.
MEETINGS:
The committee will meet at least four times a year, with authority to convene additional
meetings, as circumstances require. All committee members are expected to attend
each meeting, in person or vital- or video-conference. The committee will invite
members of management, auditors or others to attend meetings and provide pertinent
information, as necessary. It will hold private meetings with auditors (see below) and
-
7/28/2019 Steps to Iaa
24/36
executive sessions. Meeting agendas will be prepared and provided in advanceto
members, along with appropriate briefing materials. Minutes will be prepared.
RESPONSIBILITIES:
The committee will carry out the following responsibilities:Financial Statements
Review significant accounting and reporting issues, including complex or unusual
transactions and highly judgmental areas, and recent professional and regulatory
pronouncements, and understand their impact on the financial statements.
Review with management and the external auditors the results of the audit, including a
nydifficulties encountered.
Review the annual financial statements, and consider whether they are complete,
consistent within formation known to committee members, and reflect appropriate
accounting principles.
Review other sections of the annual report and related regulatory filings before release
and consider he accuracy and completeness of the information.
Review with management and the external auditors all matters required to be
communicated to the committee under generally accepted auditing
Standards.
Understand how management develops interim financial information, and the nature
and extent of internal and external auditor involvement.
Review interim financial reports with management and the external auditors before
filing with regulators, and consider whether they are complete and consistent with the
information known to committee members.
Internal Control
Considerthe effectiveness of the company's internal control system, including informati
ontechnology security and control.
Understand the scope of internal and external auditors' review of internal control over
financialreporting, and obtain reports on significant findings and recommendations, toge
ther with management's responses.
-
7/28/2019 Steps to Iaa
25/36
Internal Audit
Review with management and the chief audit executive the charter, activities, staffing,
andorganizational structure of the internal audit function.
Have final authority to review and approve the annual audit plan and all major changesto the plan.
Ensure there are no unjustified restrictions or limitations, and review and concur in thea
ppointment, replacement, or dismissal of the chief audit executive.
At least once per year, review the performance of the CAE and concur with the annual
compensation and salary adjustment.
Review the effectiveness of the internal audit function, including compliance with The
Institute of Internal Auditors'
International Standards for the Professional Practice of Internal Auditing.
On a regular basis, meet separately with the chief audit executive to discuss any
matters that the committee or internal audit believes should be discussed privately.
External Audi
Review the external auditors' proposed audit scope and approach, including
coordination of audit effort with internal audit.
Review the performance of the external auditors, and exercise final approval on the
appointment or discharge of the auditors.
Review and confirm the independence of the external auditors by obtaining statements
from the auditors on relationships between the auditors and the company, including
non-audit services, and discussing the relationships with the auditors.
On a regular basis, meet separately with the external auditors to discuss any matters
that the committee or auditors believe should be discussed privately.
Compliance
Review the effectiveness of the system for monitoring compliance with laws and
regulations and the results of management's investigation and follow-up (including
disciplinary action) of any instances of noncompliance.
Review the findings of any examinations by regulatory agencies, and any auditor
observations.
-
7/28/2019 Steps to Iaa
26/36
Review the process for communicating the
code of conduct to company personnel, and for monitoring compliance therewith.
Obtain regular updates from management and company legal counsel regarding compli
ancematters.
Reporting Responsibilities
Regularly report to the board of directors about committee activities, issues, and relate
drecommendations.
Provide an open avenue of communication between internal audit, the external
auditors, and the board of directors.
Report annually to the shareholders, describing
the committee's composition, responsibilities andhow they were discharged, and any
other information required by rule, including approval of non-audit services.
Review any other reports the company issues that relate to committee responsibilities.
Other Responsibilities
Perform other activities related to this charter as requested by the board of directors.
Institute and oversee special investigations as needed.
Review and assess the adequacy of the committee charter annually, requesting board
approval for proposed changes, and ensure appropriate disclosure as may be required
by law or regulation.
Confirm annually that all responsibilities outlined in this charter have been carried out.
Evaluate the committee's and individual members' performance on a regular basis
-
7/28/2019 Steps to Iaa
27/36
Appendix E
Sample Internal Audit Charter
Mission and Scope of Work:
The mission of the internal audit department is to provide independent, objective assurance andconsulting services designed to add value and improve the companys
operations. It helps the
companyby bringing a systematic, disciplined approach to evaluate and improve the eff
ectiveness of riskmanagement, control, and governance processes.
Role:
The Internal Auditing Function is established by the Board of Directors, and its
responsibilities are defined by the Audit Committee of the Board of Directors as part of
their oversight function.
Professional Standards:
The internal auditing staff shall govern themselves by adherence to The Institute of
Internal Auditors Code ofEthics. The
InstitutesInternational Standards for the Professional Practice of InternalAuditing (
Standards
) shall constitute the operating procedures for the department. These twodocuments co
nstitute an addendum to their charter. The Institute of InternalAuditorsPracticeAdvisories will be adhered to as applicable. In addition, Internal Auditing will adhere to the
companys policies and procedures and Internal Auditings Standard Operating
Procedures Manual. The Standard Operating Procedures Manual shall include attribute,
performance, and implementation standards to guide the Department.
Authority:
The chief audit executive and staff ofATMs internal audit department are authorized to:
Have unrestricted access to all functions, records, property, and personnel.
Have full and free access to the audit committee.
Allocate resources, set frequencies, select subjects, determine scopes of work,
and apply the techniques required to accomplish audit objectives.
-
7/28/2019 Steps to Iaa
28/36
Obtain the necessary assistance of personnel in units of the organization where they
perform audits, as well as other specialized services from within or outside
the organization.
The chief audit executive and staff of the internal audit department are not authorized
to:
Perform any operational duties for the organization or its affiliates.
Initiate or approve accounting transactions external to the internal auditing department.
Direct the activities of any organization employee not employed by the internal auditing
department, except to the extent such employees have been appropriately assigned to
auditing teams or to otherwise assist the internal auditors.
Organizational Status:
The CAE shall report administratively to the Chief Executive Officer (CEO) and
functionally to the Audit Committee of the Board of Directors.
Independence:
All internal audit activities shall remain free of influence by any element in the
organization, including matters of audit selection, scope procedures, frequency, timing,
or report content to permit maintenance of an independent and objective mental attitude
necessary in rendering reports. Internal auditors shall have no direct operational
responsibility or authority over any of the activities they review. Accordingly, they shall
not develop nor install systems or procedures, prepare records, or engage in any otheractivity which would normally be audited.
Mission and Scope of Work:
The scope of work of the internal audit department is to determine whether the
organizations network of risk management, control, and governance processes, as
designed and represented by management, is adequate and functioning in a manner to
ensure:
Risks are appropriately identified and managed.
Interaction with the various governance groups occurs as needed.
Significant financial, managerial, and operating information is accurate, reliable, and
timely.
Employees actions are in compliance with policies, standards, procedures, and
applicable laws and regulations.
-
7/28/2019 Steps to Iaa
29/36
Resources are acquired economically, used efficiently, and adequately protected.
Programs, plans, and objectives are achieved.
Quality and continuous improvement are fostered in the organizations control process.
Significant legislative or regulatory issues impacting the organization are recognized
and addressed appropriately. Opportunities for improving management control,
profitability, and the organizations image may be identified during audits. They will be
communicated to the appropriate level of management.
Audit Planning:
Annually, the CAE shall submit to senior management and the Audit Committee a
summary of the audit work schedule, staffing plan, and budget for the following fiscal
year. The audit work schedule is to be developed based on a prioritization of the audit
universe using a risk-based methodology. Any significant deviation from the formallyapproved work schedule shall be communicated to senior management and the Audit
Committee through periodic activity reports.
Reporting:
A written report will be prepared and issued by the CAE or designee following the
conclusion of each audit and will be distributed as appropriate. A copy of each audit
report and a summarization will be forwarded to the CAE and the Chairman of the Audit
Committee
The CAE or designee may include in the audit report the auditees response andcorrective action taken or to be taken in regard to the specific findings and
recommendations. Managements response should
include a timetable for anticipated completion
of action to be taken and an explanation for any recommendations not addressed. In
cases where a response is not included within the audit report, management of the
audited areashould respond, in writing, within thirty days of publication
to Internal Auditing and those on the distribution list. Internal Auditing shall be
responsible for appropriate follow-up on audit findings and recommendations. All
significant findings will remain in an open issues file until cleared by the CAE or the
Audit Committee.
Periodic Assessment:
The CAE should periodically assess whether the purpose, authority, and responsibility,
as defined in this charter, continue to be adequate to enable the internal auditing activity
to accomplish its objectives. The result of this periodic assessment should be
-
7/28/2019 Steps to Iaa
30/36
communicated to senior management and the Board
of Directors.Chief Audit Executive ______________________Chief Executive Officer __
____________________Audit Committee Chairman______________________Date
______________________
-
7/28/2019 Steps to Iaa
31/36
Appendix G
Job (Position) Descriptions for Internal Auditing Staff
Help to facilitate the recruiting by stating explicit job requirements.
Provide a means to justify salaries.
Means to express themanagements expectations.
Method for the internal audit activity to engage in personnel planning.The following
job (position) descriptions are presented in
Sawyers Internal Auditing 5thedition, pages839, 846-848.
CHIEF AUDIT EXECUTIVE
Authority:
The chief audit executive is authorized to direct a broad, comprehensive program of
internal auditing within the organization. Internal auditing examines and evaluates the
adequacy and effectiveness of
thesystems of management control provided by the organization to direct its activities to
ward theaccomplishment of its objectives in accordance with organization polices and
plans. In accomplishing these activities, the chief audit executive and members of the
audit staff are authorized to have full, free, and unrestricted access to all organization
functions, records, property, and personnel.
Responsibility:
The chief audit executive is responsible for:
Establishing policies for the auditing activity and directing its technical and
administrative functions.
Developing and executing a comprehensive audit programs for the
evaluation of management controls provided over all organization activities.
Examining the effectiveness of all levels of management in their stewardship of organiz
ationresources and their compliance with established policies and procedures.
Recommending improvement ofmanagements controls designed to safeguard organiz
ationresources, promote organization growth, and ensure compliance with government l
aws andregulations.
Reviewing procedures and records for
-
7/28/2019 Steps to Iaa
32/36
Their adequacy to accomplish intended objectives, and appraising policies and plans
relating to the activity or function under audit review.
Authorizing the publication of reports on audits, including recommendations for
improvement.
Appraising the adequacy of operating managements actions to correct reported deficie
ntconditions; accepting adequate corrective action; continuing reviews with appropriate
managementpersonnel on action the chief audit executive considers inadequate until th
ere has been asatisfactory resolution of the matter.
Conducting special audits as requested by management, including the reviews of
representations made by persons outside the organization. Acting in a consulting
capacity relative to the above areas of responsibility.
INTERNAL AUDITING - MANAGER
Purpose:
To administer the internal audit activity of an assigned location or operation.
To develop a comprehensive, practical program of engagement coverage for the
assigned location or operation.
To obtain accomplishment ofthe program in accordance with acceptable engagement
standards and stipulated schedules.
To maintain effective working relations with executive and operating management.
Authority and Responsibility:
Within the general guidelines provided by the chief audit executive:
Prepares a comprehensive, long-range program of engagement coverage for the
location to which assigned.
Identifies those activities subject to engagement coverage, evaluates their significance,
andassesses the degree of risk inherent in the activity in terms of cost, schedule, and
quality.
Establishes the related departmental structure.
Obtains and maintains an audit staff capable of accomplishing the internal audit
function.
-
7/28/2019 Steps to Iaa
33/36
Assigns engagement areas, staff, and budget to supervisors.
Develops a system of cost and schedule control over engagement projects.
Establishes standards of performance and, by review, determines that performance
meets the standards.Provides executive management within the assigned location with reports on engagem
entcoverage and engagement results, and interprets those results so as to improve the
engagement program and the engagement coverage.
Establishes and monitors accomplishment ofobjectives directed toward increasing the
internal audit activity's ability to serve management.
INTERNAL AUDITING - SUPERVISOR
Purpose:
To develop a comprehensive, practical program of engagement coverage for assigned
areas.
To supervise the activities of staff assigned to the review of various organizational and
functional activities.
To ensure conformance with acceptable standards, plans, budgets, and schedules.
To maintain effective working relations with operating management.
To provide for and conduct research and develop manuals and training guides.
Authority and Responsibility:
Under the general guidance of a manager:
Supervises the work of staff engaged in the reviews of organizational and functional
activities
Provides a comprehensive, practical schedule of annual engagement coverage within
general areas assigned by the manager.
Determines areas ofrisk and appraises their significance in relation to operational
factors of cost, schedule, and quality. Classifies engagement projects as to degree of
risk and significance and as to frequency of coverage.
Provides for flexibility in engagement schedules so as to be responsive to
management's special needs.
-
7/28/2019 Steps to Iaa
34/36
Schedules projects and staff assignments so as to comply with management's needs,
within the scope of the internal audit activity's overall schedule.
Coordinates the program with the organization's public accountant.
Reviews and approves the purpose, scope, and approach of each engagement projectfor assigned areas.
Directs engagement projects to see that professional standards are maintained in the
planning and execution and in the accumulation of information.
Counsels and guides staff to see that the approved engagement objectives are
met and that adequate, practical coverage is achieved.
Reviews and edits engagement communications and, in organizations with the auditor-
in-charge for the assigned project, discusses the communications with appropriate
management.
Presents oral briefing to branch-level management.
Provides for and performs research on engagement techniques.
Provides formal plans for the recruiting, selecting, training, evaluating, and supervising
of staff personnel. Develops manuals and other training aids.
Accumulates data, maintains records, and prepares reports on the administration of
engagement projects and other assigned activities.
Identifies factors causing deficient conditions and recommends courses of action to
improve the conditions, including special surveys and audits.
Provides for a flow of communication from operating management to the manager and
to the chief audit executive. Assists in evaluating overall results of the engagements.
INTERNAL AUDITOR - SENIOR
Purpose:
To conduct reviews of assigned organizational and functional activities.
To evaluate the adequacy and effectiveness of the management controls over those
activities.
To determine whether organizational units are performing their planning, accounting,
custodial,
riskmanagement, or control activities in compliance with management instructions, appli
-
7/28/2019 Steps to Iaa
35/36
cablestatements of policy and procedures, and in a manner consistent with both
organizational objectives and high standards of administrative practice.
To plan and execute engagements in accordance with accepted standards.
To report engagement observations and to make recommendations for correctingunsatisfactory conditions, improving operations, and reducing cost
To perform special reviews at the request of management
To direct the activities of assistants.
Authority and Responsibility:
Under the general guidance of a supervisor:
Surveys functions and activities in assigned areas to determine the nature
of operations and the adequacy of the system of control to achieve establishedobjectives.
Determines the direction and thrust of the proposed engagement effort.
Plans the theory and scope of the engagement, and prepares an engagement work
program.
Determines the engagement procedures to be used, including statistical sampling
and the use of information technology.
Identifies the key control points of the system.
Evaluates a system's effectiveness through the application of a knowledge
of business systems,including financial, manufacturing, engineering, procurement, and
other operations, and anunderstanding of engagement techniques.
Recommends necessary staff required to complete the engagement.
Performs the engagement in a professional manner and in accordance with the approv
edengagement work program.
Obtains, analyzes, and appraises information as a basis for an informed, objective conclusion(opinion) on the adequacy and effectiveness of the system and the efficiency of
performance of the activities being reviewed.
Directs, counsels, and instructs staff assistants assigned to the engagement, and
reviews their work for sufficiency of scope and for accuracy.
-
7/28/2019 Steps to Iaa
36/36
Makes oral or written presentations to management during and at the conclusion of the
engagement, discussing observations and recommending corrective
action to improve operations and reduce cost.
Prepares formal written communications, expressing opinions on the adequacy and
effectiveness of the system and the efficiency with which activities are carried out.
Appraises the adequacy of the corrective action taken to improve deficient conditions