. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means electronic, mechanical, photocopying, recording, or otherwise without prior written permission of the publisher. The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The Professional Practices Framework for Internal Auditing (PPF) was designed by The IIA Board of Directors Guidance Task Force to appropriately organize the full range of existing and developing practice guidance for the profession. Based on the definition of internal auditing, the PPF comprises Ethics and Standards, Practice Advisories, and Development and Practice Aids, and paves the way to world-class internal auditing. This guidance fits into the Framework under the heading Development and Practice Aids. ISBN 0-89413-499-X 02412 01/03 First Printing
Dedication
To
Rosalie
Without whom nothing would be worthwhile.
Table of Contents
List of Exhibits
About the Author
Acknowledgements
IIA Overview
GAIN Information
Introduction
Chapter 1: Governance
Chapter 2: Expectations
Chapter 3: Planning
Chapter 4: Organizing
Chapter 5: Staffing
Chapter 6: Directing
Chapter 7: Monitoring
Footnotes
Bibliography
Resources offered by The Institute of Internal Auditors
Exhibits
Exhibits List

Exhibit Number: Exhibit Title (File Type)

1-1: Table of Attribute and Performance Standards with Related Practice Advisories (Word)
1-2: Code of Ethics (Word)
1-3: The Standards & Glossary (Word)
2-1: Model Audit Committee Charter (Word)
3-1: Position Description: Chief Audit Executive / Director of Internal Audit (Word)
3-2: Internal Audit Activity Charter (Word)
3-3: Mission Statements (Word)
3-4: Executive Endorsement of Internal Auditing Charter (Word)
3-5: Internal Audit Operating Policy (Word)
3-6: Corporate Audit Policy (Word)
5-1: Position Description: Staff Auditor (Word)
5-2: Position Description: Senior Auditor (Word)
5-3: Position Description: Manager of Internal Auditing (Word)
5-4: Position Description: Information Technology Auditor (Word)
5-5: Knowledge Level: IT Auditor Level I (Word)
5-6: Knowledge Level: IT Auditor Level 2 (Word)
5-7: Knowledge Level: IT Auditor Level 3 (Word)
6-1: Risk Sampling Strategy (Word)
6-2: Risk Assessment Model (Excel)
6-3: Policies and Procedures Manual Index (Word)
6-4: Workpaper Samples (Word)
6-5: Project Time Report (Excel)
6-6: Staff Time Report (Excel)
6-7: Monthly Management Report (Excel)
7-1: Quality Assurance and Improvement (Word)
7-2: Audit Productivity Measurement: Auditors (Word)
7-3: Audit Productivity Measurement: Auditors-in-Charge (Word)
7-4: Compliance Checklist (Word)
7-5: Audit Customer Survey (Word)
7-6: Audit Process Questionnaire (Word)
Acknowledgements
Thank you to the many people who provided their expertise and support throughout this entire project.

Richard F. Chambers, CIA, CGAP, Institute of Internal Auditors
P. Dean Bahrman, CIA
Cynthia Summers, CIA, CGAP, CCSA, CFSA, PPS World Medical, Inc.
Susan B. Lione, CIA, CGAP, CCSA, Institute of Internal Auditors
Johanna S. Swauger, CIA, CGAP, CCSA, Institute of Internal Auditors
Donald E. Sparks, Institute of Internal Auditors
Jo-El LaBorde, Institute of Internal Auditors
Stacy M. Mantzaris, CIA, CGAP, CCSA, Institute of Internal Auditors
Michelle Entzminger, Institute of Internal Auditors
Evy Acevedo-González, Institute of Internal Auditors
Brian E. Kruk, CIA, CCSA, Institute of Internal Auditors
Lee Ann Campbell, Institute of Internal Auditors
Trish Harris, Institute of Internal Auditors
IIA Overview
INSTITUTE OF INTERNAL AUDITORS (IIA)
William G. Bishop III, President
247 Maitland Avenue
Altamonte Springs, FL 32701-4201 U.S.A.
+1-407-937-1100
FAX +1-407-937-1101
Web site: www.theiia.org

IIA Organization: The primary international professional association, organized on a worldwide basis, dedicated to the promotion and development of the practice of internal auditing. The IIA is the recognized authority, chief educator, and acknowledged leader in standards, education, certification, and research for the profession worldwide. The Institute provides professional and executive development training, educational products, research studies, and guidance to more than 80,000 members in more than 100 countries. For additional information about The Institute, visit their Web site, www.theiia.org.

IIA Products & IIA Research Foundation Reports: Contact The IIA Distribution Center at C.S. 1616, Alpharetta, Georgia 3009-1616 U.S.A. Phone +1-877-867-4957 (toll free in U.S. and Canada only) or +1-770-442-8633, Ext. 275. FAX +1-770-442-9742. E-mail iiapubs@pbd.com.

Certification Programs: For information about the CIA program, please visit the IIA Web site or contact Customer Service Center at the address above. For further information, please visit the IIA Web site or contact Customer Service Center at the address above. Phone (407) 937-1111. FAX (407) 937-1101. E-mail custserv@theiia.org.

Certified Internal Auditor Program. The IIA's premier certification. The CIA designation is conferred by the IIA upon qualified candidates who successfully complete a written exam and meet the necessary character, experience, and education requirements. All candidates must hold a bachelor's degree or its equivalent from an accredited college-level institution and must have 24 months of internal auditing (or equivalent) experience (a master's degree can be substituted for one year's work experience).

Certification in Control Self-Assessment (CCSA). The IIA's first specialty certification program will be conferred by The IIA upon qualified candidates who successfully complete a computer-administered exam and meet the necessary education and experience requirements. The CCSA certification program identifies the skill sets needed by successful practitioners of CSA, measures understanding of CSA, and provides guidance for CSA initiatives.

Certified Government Auditing Professional (CGAP). The IIA recognizes the important contributions of government auditors and has developed a certification program that distinguishes leaders in public sector auditing - the Certified Government Auditing Professional or CGAP. Auditors from various levels of government who recognize that auditing in the public sector has unique challenges developed the program. Attaining the CGAP designation provides you the ability to differentiate yourself. Since individuals obtaining the CGAP are obliged to complete education, work experience and meet ethical standards, the CGAP credential showcases your commitment to government auditing.

Certified Financial Services Auditor (CFSA). The CFSA demonstrates competency in financial-services audit practices and methodologies. The 150-question pilot will test candidates' knowledge on financial services auditing, banking, insurance, and securities.

IIA Programs & Services: Contact The Institute of Internal Auditors Customer Service Center at the address above. For further information, please visit the IIA Web site or contact Customer Service Center at the address above. Phone (407) 937-1111. FAX (407) 937-1101. E-mail custserv@theiia.org.

Internal Auditor magazine: Award-winning journal of the profession and flagship publication produced by the IIA.

The IIA Professional Development Catalog: This biannual catalog includes schedules and descriptions of all IIA seminars (educational, executive development, audit-specialty, and customized on-site) and industry-specific and professional development conferences; certification programs; and educational products on such topics as audit committees and governance, audit management, auditing skills, certification; fraud, ethics, and law; industry, service, and sector specialties; information technology; risk and control; and standards and guidance.

Tone at the Top: This quarterly newsletter provides executive management, boards of directors, and audit committee members with information on such issues as ethics, internal control, governance, and the changing role of internal auditing; and guidance relative to internal auditing's roles, responsibilities, and relationships with corporate governance entities.

Standards for the Professional Practice of Internal Auditing represent the practice of internal auditing as it should be and are the benchmark against which any internal auditing function should be measured. Visit the Web site for information on the Professional Practices Framework.

Global Auditing Information Network (GAIN) Reports provide internal audit executives with benchmarks for comparing their audit departments with those of other organizations, an opportunity to network with peers in their industry and to discuss challenges and share successful practices.

IIA Quality Assurance Reviews (QARs) will come to your location to help ensure that your internal auditing is the best it can be.

CSA Center: The CSA Center offers guidance, training, and communications opportunities to individuals engaged in the practice of Control Self-Assessment (CSA). The IIA's CSA Center provides its participants with:
- A unique forum for sharing new information, professional guidance, innovative techniques and successful practices
- The CSA Sentinel, an exclusive tri-annual newsletter
- Five CSA-related seminars, and upon satisfactory completion, the CSA Qualification
- Priority invitation to The IIA's CSA Conference and workshop
- An annual directory of CSA Center participants
- IIA member prices on CSA-related products and services

For additional information, contact the CSA Center at +1-407-937-1362.
GAIN
Global Auditing Information Network
A Benchmarking Service Offered by The IIA

The charts and graphs in this manual were extracted from the Global Auditing Information Network (GAIN), the largest, most complete comparative database available for the internal auditing profession. GAIN's baseline comparisons serve as a comprehensive instrument for measuring audit department practices and provide a path for improvement. Subscribers receive:

- Low-cost slide-show graphic reports packed with valuable information. Reports compare a subscriber's internal audit department to subscribers in related industries, to those of similar staff size, and to all subscribers in the program.
- Annual updates to help the subscriber's organization measure its improvement.
- Benchmarking information, including:
  o General organizational statistics
  o Internal audit department costs
  o Audit committee information
  o Customer satisfaction factors
  o Staff development intelligence
  o Planning information
  o Audit life cycle approaches and related resource statistics
- Networking opportunities with a worldwide professional network of internal audit executives, including participation in Flash Surveys.

For more information, contact the GAIN department at: +1-407-937-1365 or +1-407-937-1367; e-mail gain@theiia.org; or fax +1-407-937-1101.
www.gain2.org
Introduction
Establishing an Internal Auditing Activity Manual is a guide for those who are implementing an internal auditing activity within their organizations for the first time, those who have recently been given responsibility for an internal auditing activity already in place, and those who want to improve their existing activity.

Internal auditing plays different roles in different organizations. In some it takes on the more historical role of verifier or checker to detect errors or fraud; in others it has a more expanded role that includes providing consulting services in addition to performing assurance reviews. Whatever the role, the internal auditing activity must be well planned, organized, staffed, directed, and monitored. It also must have in place policies and procedures that implement professional standards and systems that can ensure that the standards are followed in performing the work. This also includes ensuring that the work performed meets the expectations and the needs of internal auditing customers. The customer base for internal auditing is typically comprised of two groups: the board, senior management, and external third parties on one hand, and operating and line management on the other.

It is the goal of this book to provide information and understanding on how an internal auditing activity should operate and enable an organization to initially establish the activity and begin functioning. Once a new internal auditing activity has been established, the chief audit executive (CAE) will be able to identify any number of opportunities for improvement on an ongoing basis.

While it would take many more pages to completely cover everything relating to establishing an internal auditing activity, what follows are the essentials. Spend the time and resources necessary to implement the steps outlined in this manual and the internal auditing activity will be able to assist the organization by improving the effectiveness of risk management, control, and governance.

Chapter 1: Why an Internal Auditing Activity?
This chapter begins with a discussion of what corporate governance is and why it has recently been put under the spotlight. Once the meaning of corporate governance is understood, it is then easy to understand the importance of internal auditing's link to the establishment of an effective corporate governance structure. The Institute of Internal Auditors (IIA) is the leader and the principal voice of the internal auditing profession. As such, The IIA has defined the role and the scope of the practice of internal auditing. This first chapter concludes with an introduction to the structure of The IIA's Professional Practices Framework, the Standards for the Professional Practice of Internal Auditing (Standards), and The IIA's Code of Ethics.

Chapter 2: Expectations
If an internal auditing activity is going to be successful, then all the stakeholders need to understand their expectations. What the board expects of the audit committee, senior management, the internal auditing activity, and what each should expect of the other is the focus of this chapter. Understanding the expectations of the stakeholders is the first step in establishing an internal auditing activity. The success of the next step, planning, will be driven by what the various stakeholders expect of internal auditing.

Chapter 3: Planning
This chapter first addresses the identification and selection of the CAE and then the development of the Audit Charter. The charter documents and communicates the purpose, authority, and responsibility of the internal auditing activity. This is important because the charter establishes the independence of the internal auditing activity. Without independence, auditors will be unable to perform their work objectively and provide the stakeholders with the impartial and unbiased assurance and consulting activities that are expected.

Chapter 4: Organizing
This chapter discusses the development of an organizational plan for the internal auditing activity. To whom the CAE will report in the organization should be carefully planned. The CAE's relationship with the board and senior management will determine whether it can operate objectively. The chapter identifies several best practices that can help ensure independence and objectivity for the internal auditing activity.

Chapter 5: Staffing
The CAE has been chosen and the purpose, authority, and responsibility of the internal auditing activity have been established. The next step is to decide how to staff the activity. Based on information provided by The IIA's Global Auditing Information Network (GAIN), this chapter starts off by providing some benchmarks from GAIN surveys on the size, education, experience, and professional certifications of internal auditing staff for a number of industries. It then continues with a discussion of the pros and cons of in-house, outsourcing, and co-sourcing staffing strategies and sources.

Chapter 6: Directing
Once the staffing resources are in place, the challenge becomes how to best use them. This chapter discusses the development of a simple risk assessment methodology and the building of an annual audit plan. While the risk assessment methodology is simplistic, it enables a CAE to quickly develop an audit plan based on risk. The chapter also includes discussions on the importance of managing project budgets and schedules. Examples of project and staff tracking spreadsheets are included in the Exhibits section of the manual.

Chapter 7: Monitoring
This chapter outlines the seven IIA Standards that identify specific activities that must be part of every Quality Assurance (QA) program of every auditing activity. Quality assurance reviews are required by The IIA's Standards. Quality means that the appropriate policies and procedures are in place and the quality assurance program will provide reasonable assurance to management and the board that the work is being performed in accordance with the Standards and is adding value by improving an organization's operations.

The Exhibits
The Exhibits contain examples of various items that are helpful in setting up the policies and procedures for a new internal auditing activity. These include an Internal Audit Charter, a Corporate Audit Policy, staff position descriptions, and other items that should provide the CAE with a good start toward establishing or improving an internal auditing activity.

Additional information includes a bibliography of resources used in developing this manual, information about The Institute of Internal Auditors, and an extensive resource list of products and services offered by The IIA that can provide additional guidance and education for helping establish an effective internal auditing activity.

Those responsible for the internal auditing activity play an integral role in good corporate governance for their organization. This manual is designed to help organizations establish an effective internal auditing activity or improve their existing activity. It is important to remember that the responsibilities of the internal auditing activity are constantly changing. The IIA has been instrumental in keeping internal auditors apprised of the constant changes, and those reading and using this manual are encouraged to visit The IIA's Web site at www.theiia.org often for information impacting the dynamic profession of internal auditing.
Chapter 1: Governance
Why Have an Internal Auditing Activity?

According to recent statistics from the international news and information organization Bloomberg News, in more than half of the 673 largest bankruptcies of public corporations since 1996, external auditors provided no cautions in annual financial statements in the months before bankruptcy. Five of the seven largest bankruptcies in history, including Enron, Global Crossing Ltd., and Kmart Corp., followed annual reports with clean audit opinions from external auditors.[1.1]

From 1995 to 2001, corporate financial restatements increased from 50 a year to more than 150; a total of 722 public corporations admitted that their audited numbers were so wrong that they had to be redone. These statistics demonstrate that the larger and more complex the company, the more difficult it is for external auditors, management, and boards to have an accurate picture of risks and controls.[1.2]

Corporate governance is being examined more closely than ever before. Media coverage of corporate crises increasingly focuses on the board: what are directors doing, and do the relationships they have with the company weaken the effectiveness of their oversight?

The need for internal auditing as an element of corporate governance has never been more clearly demonstrated than by recent events. Take, for example, WorldCom, where the internal auditor, who called the matter to the attention of the audit committee chairman after the then-chief financial officer resisted taking corrective action, discovered $3.8 billion of dubious accounting. Internal auditors, by having an objective view from inside the organization, can play a vital role in the governance process by keeping management, the board, and external auditors aware of risk and control issues and by assessing the effectiveness of risk management.

Corporate Governance

Exactly what is governance? More specifically, what is corporate governance, and how can an internal auditing activity be used to improve corporate governance? We frequently use the term corporate governance, and many of us understand that one of the main responsibilities of boards is to ensure that the governance processes are effective; however, the term is rarely defined. The Toronto Stock Exchange Dey Committee developed a robust definition.

Corporate governance means the process and structure used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value. The process and structure define the division of power and establish mechanisms for achieving accountability
Governance 7
practices. In order to close the gap, The IIA developed the Professional Practices Framework.

The Professional Practices Framework consists of three types of instruction: 1) Mandatory Guidance, 2) Practice Advisories, and 3) Development and Practice Aids. The Framework includes the Definition of Internal Auditing, the Code of Ethics, Standards for the Professional Practice of Internal Auditing (Standards), Practice Advisories, and Development and Practice Aids.

The Definition of Internal Auditing, the Standards, and the Code of Ethics comprise the mandatory elements of the Framework, and were revised in the last three years. A new Code of Ethics and the new official definition were approved in June 1999, with the new Standards following in December 2000. These documents delineate the characteristics, procedures, and activities that are considered essential to the professional practice of internal auditing. All IIA members and Certified Internal Auditors (CIAs), as well as anyone providing internal auditing services, are expected to adhere to these guidelines.[1.4]

Practice Advisories (PAs) are pronouncements that represent best practices and, although not mandatory, are strongly recommended and endorsed by The IIA. They are designed to help interpret or explain particular Standards or apply them in specific internal auditing environments. Currently there are more than 60 PAs, with new ones being added all the time. A list of current PAs and the Standards they relate to can be found in Exhibit 1-1. IIA members have access to all the PAs through the IIA's website at www.theiia.org under Guidance.[1.5]

Development and Practice Aids consist of a variety of materials, including research studies, books, seminars, conferences, and other products and services. These are items developed or endorsed by The IIA, and generally describe best practices or provide ideas for implementing the Standards and Practice Advisories.[1.6] Development and Practice Aids are available to IIA members and nonmembers on the IIA's website at www.theiia.org under Guidance.

The Code of Ethics

The Code of Ethics, revised in June 2000, identifies four core values or principles considered essential to the effective practice of internal auditing: 1) integrity, 2) objectivity, 3) confidentiality, and 4) competency. These rules are accompanied by 12 rules of conduct describing specific behaviors expected of internal auditors. The rules serve as practical applications of the four principles and are intended to guide the ethical conduct of internal auditors.[1.7]

The purpose of the Code is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance.[1.8] The Code of Ethics can be found in Exhibit 1-2 and on the IIA's web site at www.theiia.org under Guidance.
Governance 9
against which the performance of these services can be measured. The Attribute and Performance Standards apply to all internal auditing services. The Implementation Standards expand upon the Attribute and Performance Standards, providing guidance applicable in specific types of engagements. These standards may be expanded to ultimately address industry-specific, regional, or specialty types of audits.

Compliance with the concepts enunciated in the Mandatory Guidance is essential before the responsibilities of internal auditors can be met. As stated in the Code of Ethics, internal auditors shall perform internal audit services in accordance with the Standards. All members of The Institute and all Certified Internal Auditors agree to abide by the Standards and the Code of Ethics, and this guidance is intended to be applicable to all members of the internal audit profession, whether or not they are members of The IIA.[1.10] A complete list of the Standards can be found in Exhibit 1-3 and under the Guidance tab of the IIA's web site at www.theiia.org.
Chapter 2: Expectations
Boards, audit committees, senior management and the internal auditors have common goals. Good working relationships are necessary if everyone is going to be successful in accomplishing their goals and meeting their responsibilities. Good working relationships start with an understanding of the expectations of the parties in that relationship. What the board expects of the audit committee, senior management, and the internal audit activity, and what each expects of the other, is important if the stakeholders they serve are to have confidence in the organizations ability to succeed. The Board At the top tier of the governance ladder is the board. The board has the responsibility to look after and protect the interests of all the stakeholders in the organization. In protecting those interests the number one topic on the minds of most board members is the subject of risk. Directors have seen firsthand how unanticipated risk destroy a successful growing organization and send it into bankruptcy. While risk has long been associated with catastrophic insurable events, financial exposure, credit, and liquidity and other negative events, the perception of risk has now evolved to cover a much broader range of threats. Environmental issues, sophisticated financial transactions, legal and regulatory compliance, emerging technologies, political and economic issues, competition, and others have all been added to the list of risks that organizations face in todays business environment. While the board is not directly responsible for risk management, management has the responsibility; the stakeholders expect the to be certain that the responsibility is carried out. 
In ensuring that the stakeholders interests are being protected, the board should: Establish an audit committee and adopt an audit committee charter describing its duties and responsibilities and its relationship with internal and external auditors and management in the context of its oversight responsibilities of the organizations financial reporting process and internal controls. Exhibit 2.1 is an example of a Model Audit Committee Charter. Maintain a majority of board directors that have no ties to organization or senior management. Create board nominating, corporate governance, and compensation committees composed of independent directors. Ensure that directors appointed to the audit committee are independent of management and have an understanding of generally accepted accounting principles, financial statements, and experience with internal accounting controls. Adopt and disclose corporate governance guidelines addressing director: o o o o o o Qualifications Responsibilities Access to management Compensation Orientation and continuing education, and Annual performance evaluations of the board.
Note: All of the above are required for SEC corporations by either the Sarbanes-Oxley Act of 2002, or the New York Stock Exchange listing standards. The Audit Committee Generally, the audit committee is responsible to the board for overseeing: the reliability of financial reporting, the effectiveness of internal controls over financial reporting, the processes for monitoring compliance with regulatory requirements, and the processes for monitoring compliance with the organizations code of conduct. The committee now has a broader responsibility for overseeing the effectiveness of the organizations risk management and control processes. These broader responsibilities are intended to provide reasonable assurance that an organization will be able to achieve its objectives as they relate to: the effectiveness and efficiency of operations; the reliability of financial and operational information; and compliance with applicable laws and regulations. The audit committee should: Evaluate whether management is setting the appropriate tone at the top by communicating the importance of internal control and the management of risk, and that employees have an understanding of their roles and responsibilities. Consider how management is being held accountable for the security of information technology and the business continuity plans for processing financial information in the event of a system breakdown. Be informed as to whether the internal control recommendations, made by either the internal and external auditors, are implemented by management. Inquire of management about the areas of greatest financial risk and how management is managing that risk. Be made aware of significant accounting and reporting issues, including recent professional and regulatory pronouncements, and understand their impact on the organizations financial statements. Be involved in the hiring of the external auditors, and in the evaluation of their performance. 
• Be informed by management and the internal and external auditors about significant financial and operational risks and exposures and management's plans to minimize such risks.
• Be made aware of any legal matters that could significantly impact the organization's financial statements.
• Review and approve the internal audit charter and ensure its compatibility with the audit committee charter.
• Ensure that the internal auditing activity can independently plan audit projects and conduct and report the results objectively.
• Meet frequently with the chief audit executive (CAE) and have open and honest discussions on the results of internal auditing activities as well as current business issues.
• Meet privately with the CAE, without management being present.
• Be involved in the hiring, replacement, reassignment, or termination of the CAE, and in the evaluation of his/her performance.
• Review and approve the annual internal audit plan.
• Ensure that the internal audit activity has adequate staffing and budget resources to accomplish the plan. 2.1
Management

Management has the responsibility for risk management and should establish effective processes to manage risk. An effective risk management process will not only identify existing risks but also identify new risks as they emerge. Management will typically integrate its risk management processes into the way it runs the business.

Senior management should:
• Identify by strategic initiative or business segment the major objectives that will enable the organization to achieve its targeted operational and financial goals.
• Identify for the major objectives the risks and critical success factors that must be achieved if the strategic initiatives or business segments are to be successful.
• Identify processes, programs, or actions needed to manage the risks.
• Implement appropriate monitoring and measuring activities to ensure that processes, programs, or actions are implemented.
• Implement a culture that rewards the recognition, communication, and management of risks.
• Communicate to the organization that internal auditors are part of the risk management process.
• Work with internal auditing to identify an appropriate risk model for the organization.
• Help internal auditing identify appropriate risk factors for their risk assessment methodology.
• Identify for the audit committee and internal auditing significant financial and operational risks and exposures and their plans to minimize such risks.
• Meet frequently with the CAE and have open and honest discussions on the results of internal auditing activities as well as current business issues.
• Support the internal audit activity by ensuring that it has adequate staffing and budget resources to accomplish its responsibilities.
• Support the establishment of a strong and competent professional internal audit activity.
• Endorse and support the internal audit charter.
• Ensure the timely implementation of audit recommendations.
• Set the appropriate tone at the top by communicating the importance of internal control and the management of risk and the role and responsibilities employees have in managing risks.
• Enable the CAE to participate in key management and project meetings.
• Establish a quality assurance and improvement program for the internal auditing activity that provides assurance that the internal auditing activity: 1) performs in accordance with its charter, 2) adheres to the Standards and the Code of Ethics, 3) operates in an effective and efficient manner, and 4) is perceived by the board and management as adding value and improving an organization's operations. 2.2
Chapter 3: Planning
Identify the Chief Audit Executive (CAE)

The chief audit executive's (CAE's) role is to provide advice, counsel, and opinions regarding the organization's efficiency and effectiveness in risk management, internal control, and corporate governance. To be effective in this role, the CAE should be someone who can be viewed and accepted as a member of the organization's senior management team. The CAE should manage the internal audit activity, attend and participate in key management meetings, and offer appropriate comments and insights. The CAE should be continuously involved in aiding management in identifying risks through participation on oversight committees and monitoring activities. The CAE should be someone who can gain both management's trust and the board's respect. This is why audit committees should play an active role in the hiring of the CAE.

The right candidate should have an understanding of:
• Internal auditing's relationships with the audit committee, the board, and senior and operating management.
• Internal auditing's role in evaluating and improving the effectiveness of risk management, control, and governance processes.
• The Institute of Internal Auditors (IIA) Professional Practices Framework, especially the Standards for the Professional Practice of Internal Auditing (Standards), and the Code of Ethics, and be familiar with the Practice Advisories that are endorsed by The IIA.
• How to serve as a consultant by supporting and setting an ethical standard and advising management and the board on best practices.
• How to audit financial, operational, and information technology functions.
• How to review for compliance, evaluate controls, and formulate control recommendations that support an organization's objectives.
• Audit activity practices.
• Understand and address organizational trends, changes, and risks both inside and outside the organization and be able to make recommendations to management and the board concerning these.
The Charter

Planning for an effective internal auditing activity starts with the development of an internal auditing charter that complements and supports the audit committee charter. The charter identifies and communicates to the organization the purpose, authority, responsibility, and scope of the internal audit activity. The charter is an important document because it establishes what senior management and the board expect from the CAE and the internal audit staff. The charter should be in writing and approved by the board, or the audit committee on behalf of the board, and endorsed by management. An Audit Charter Example can be found in Exhibit 3-2. An example of two Mission Statements for an internal auditing activity can be found in Exhibit 3-3. An example of an Executive Endorsement of the Internal Auditing Charter can be found in Exhibit 3-4.

The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the Board. (Standard 1000)

Within the context of the Standards, "board" refers to the board of directors, the audit committee of a board, the head of an agency or legislative body to whom internal auditors report, the board of governors or trustees of a nonprofit organization, or any other governing body of an organization.

Purpose

The purpose of an internal auditing activity is best described by the definition that was approved by The IIA in June 1999:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Statements of policy on the purpose of internal auditing activities should emphasize that internal audit is an independent, objective activity that is intended to add value and improve an organization's operations. It is important for this purpose to be widely communicated throughout an organization so that it is clear why the internal auditing activity exists, and to help dispel the "cop" image with which internal auditors have been labeled in the past. By carefully wording the purpose for internal auditing, a positive image of internal audit activities and the profession can be communicated. This can further nurture the acceptance and cooperation of the departments and personnel that will be the activity's customers. An example of a Corporate Audit Policy can be found in Exhibit 3-6.

The internal audit activity should be independent, and internal auditors should be objective in performing their work. (Standard 1100)

Authority

The overall authority of the internal audit activity and the CAE should come from the board and should be specifically spelled out in the charter. The charter should clearly establish the activity's position within the organization and define the scope, or nature, of internal auditing activities. It should authorize, among other things, access to all records, personnel, and property needed to accomplish audit projects. It should give the CAE the authority for full and unrestricted access to the audit committee. It should grant the CAE the authority to allocate resources, establish schedules, determine the scope of audit work, and set audit objectives without interference from management.
Responsibility

The charter should communicate that the overall responsibility of the internal audit activity is to serve the organization by evaluating the effectiveness of risk management, control, and governance processes in a manner that is consistent with the Standards and the Code of Ethics. This also includes coordinating internal audit activities with others so that the most effective and efficient results can be achieved. The charter should delineate the specific responsibilities of the CAE and the staff. These responsibilities should include:
• Providing an annual assessment on the adequacy and effectiveness of the organization's processes for controlling its activities and managing its risks in the areas included in the scope of work authorized by the charter.
• Creating and submitting an annual audit plan that has been developed using an appropriate risk-based methodology to the board for their review and approval.
Above all, the internal auditing charter needs to articulate the independence of the internal auditing activity. Internal auditors are independent when they can carry out their work freely and objectively. Achieved through organizational status and objectivity, independence permits internal auditors and the internal auditing activity to render impartial and unbiased judgments. Internal auditors need to maintain an independent, objective mental attitude, not subordinating their judgment on audit matters to others. They need the support of senior management and the board so that they can gain cooperation of the audit customers and perform their work free from interference.

The following items comprise a checklist for determining whether the internal auditing charter will ensure that the internal auditing activity is independent.
• The CAE is responsible to an individual in the organization with sufficient authority to:
  o Promote independence.
  o Ensure broad audit coverage.
  o Ensure adequate consideration of audit reports.
  o Ensure appropriate action on audit recommendations.
• The CAE has direct communication with the board, regularly attends and participates in board meetings, and meets privately with the board at least annually without the chief executive officer (CEO).
Frequency of Meetings With the Audit Committee
Monthly: 3.80%
Quarterly: 52.80%
Semi-annual: 14.80%
Annual: 3.50%
Other: 13.30%
Never: 1%
No AC: 10.00%
Source: GAIN Report pages a2
• The board concurs in the appointment or removal of the CAE.
• The purpose, authority, and responsibility of the internal auditing activity are defined in the charter, and the charter has been approved by the board and endorsed by senior management.
• The charter should also communicate the following:
  o Authorize auditors access to records, personnel, and physical properties relevant to the performance of audit projects.
  o Define the scope of internal auditing activities.
• The charter should require the CAE to annually submit the following information to senior management for approval and to the board for their information:
  o Summary of the audit work schedule
  o Staffing plan
  o Financial budget
  o Activity reports highlighting significant findings and recommendations 3.1
The scope or nature of internal auditing under the old Standards was narrowly focused around internal control assurance and compliance. The domain of internal auditing work has been expanded considerably in the new Standards. The nature of internal auditing now includes consulting activities in addition to assurance activities that are intended to evaluate and contribute to the improvement of risk management, control, and governance systems. These activities are intended to focus on whether the organization's risk management, control, and governance processes, as represented by management, are adequate and functioning as intended. Because the new definition of internal auditing requires the internal audit activity to add value and improve an organization's operations, adding value is now an expected result of audit activities. By recognizing that auditors can provide both assurance and consulting services, there are now more opportunities for internal auditing to make a significant contribution to an organization.

The nature of assurance services provided to the organization should be defined in the audit charter. (Standard 1000.A1)
The nature of consulting and assurance work is compared and contrasted in the chart below:

ASSURANCE OR CONSULTING 3-2
Assurance

Assurance involves:
• The auditor, the operating customer, and the third party to whom assurance is being provided.
Assurance assesses:
• Adequacy of entity internal control.
• Adequacy of process or sub-entity internal control.
• Adequacy of enterprise risk management.
• Adequacy of governance process.
• Compliance with laws or regulations.
The client may be:
• Internal: the board, senior management, the audit committee.
• External: customers, shareholders, regulators, stakeholders.
Results are:
• An opinion.
• Formal and explicit.
• Reported to the third party (mandatory).
• Followed up on (mandatory).
Assurance work is:
• Mandatory for the internal audit activity.
• Full competence is either present in the audit staff or acquired from outside parties.

Consulting

Consulting involves:
• The auditor and the client.
Consulting provides:
• Improvement of efficiency or effectiveness.
• Assistance in design of corrective actions.
• Controls needed for new systems design.
• Benchmarking.
The client usually is:
• Operating management.
Results are:
• A recommendation.
• Often formal.
• Reported as agreed upon with client.
• Followed up on to the extent specified in the consulting arrangement.
Consulting work is:
• Optional.
• The engagement can be declined if competencies required to perform the engagement are not present in the audit staff.
• Formal engagements: those that are planned and subject to written agreement.
• Informal engagements: routine activities such as participation on standing committees, limited-life projects, ad-hoc meetings, and routine information exchange.
• Special engagements: participation on dedicated teams such as a merger and acquisition team or system conversion team.
• Emergency engagements: participation on a team established for recovery or maintenance of operations after a disaster or other extraordinary business event or a team assembled to supply temporary help to meet a special request or unusual deadline.*
• Assessment services: the timely examination of a past, present, or future aspect of operations that renders information to assist management in making decisions. Examples include estimating savings from outsourcing processes or assessing the adequacy of internal controls over proposed systems.
• Facilitation services: assistance to management in the examination of organizational performance for the purpose of promoting change by helping management to identify organizational strengths and opportunities for improvement. Examples include control self-assessment, benchmarking, strategic planning support, and business process reengineering support.
• Remediation services: the assumption of a direct role designed to prevent or remediate known or suspected problems on behalf of the client. Examples include developing and delivering training courses on risk management, internal controls, regulatory compliance, etc.; drafting proposed policies; and augmenting operating personnel.**
* From Practice Advisory 100.C1-2
** From the U.S. Department of Agriculture Graduate School Model.
Several policies governing how consulting services would be provided by an internal audit activity are shown below:

SAMPLE POLICIES FOR CONSULTING SERVICES 3-4

The internal audit activity at a state agency developed the following draft policy statement for consulting services. The policy provides a useful model for other audit activities attempting to codify their approach to consulting work.

Acceptance of Projects
Procedures for the Review Model

1. When the audit commitment totals 40 or more hours:
• A project file will be maintained. This file should contain documents such as the preliminary statement of work, meeting agendas, status reports, notes, and other pertinent information.
• Internal auditing staff assigned to the project should document their work as appropriate.
• Internal auditing staff will obtain background information concerning the area in which the work will be performed.
• Internal auditing staff assigned to the project will prepare a memo, which requires the signatures of the assigned staff and the CAE. The memo should provide a general description of the project, including:
  o A revised statement of work, if necessary.
  o Summary of background information.
  o Revised estimates of hours and time frame, if necessary.
  o Description of methodologies and types of evidence to be used.
  o Expected impact of work; for example, expected impact on control activities.
  o Other information as appropriate.
• Periodic status reports will be prepared according to a schedule agreed upon by the assigned staff and CAE. However, status reports will be prepared at least every three months.
• At the end of the project, internal auditing staff assigned to the project will prepare a closeout memo. The memo will be reviewed by the CAE. The memo should contain:
  o Discussion of the actual objective if significantly different from the preliminary description of work.
  o Description of scope and methodologies used.
  o Discussion of benefits that resulted from the project.
  o Discussion of any information that can be used in the annual risk assessment.
  o Conclusions, if any, that can be based on work performed.
  o Impact of the project on internal auditing's independence and objectivity.
  o Impact on the objectivity of the staff assigned to the project.
  o Other information as appropriate.
• If issued, any final report or memo will be included in the project file.
• When completed, the project file will be stored in the internal audit activity's workpaper files in order of its assigned project number.
2. When the audit commitment totals less than 40 hours:
• A project file will be maintained. This file should contain documents such as the preliminary statement of work, meeting agendas, notes, and other pertinent information.
• Internal auditing staff assigned to the project should document their work as appropriate.
• At the end of the project, internal auditing staff assigned to the project will prepare a closeout memo which includes:
  o Discussion of the original and actual objectives, if significantly different.
  o Discussion of benefits that resulted from the project.
  o Discussion of any information that can be used in the annual risk assessment.
  o Impact on the objectivity of the staff assigned to the project.
  o Other information as appropriate.
• The closeout memo will be reviewed by the CAE and included in the project file.
• If issued, any final report or memo will be included in the project file.
• When completed, the project file will be stored in the internal audit activity's workpaper files in order of its assigned project number.
Chapter 4: Organizing
Once the chief audit executive (CAE) has been identified, the next step is to develop an organizational plan for the internal auditing activity. The internal auditing charter will establish where the internal auditing activity will fit into the overall organizational structure of the organization. The charter will also put into place the elements that will be needed to establish the internal auditing activity as an independent activity that is capable of performing its work objectively, as discussed in the 1100 series of the Standards for the Professional Practice of Internal Auditing (Standards).

The internal audit activity should be independent, and internal auditors should be objective in performing their work. (Standard 1100)

Independence means the unimpeded determination of scope of work and the unhindered ability to carry out that work. 4.1 The most critical element for ensuring auditor objectivity is the organizational independence of the internal audit activity. There is no guarantee that an auditor won't choose to act inappropriately and be influenced in spite of the evidence obtained during an engagement. However, a lack of organizational independence will undermine the appearance, if not the fact, of objectivity. The key to independence is the appropriate placement and status of the internal auditing activity.

The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. (Standard 1110)

While the Standards do not identify specific reporting structures for the CAE, it only makes sense that the higher the reporting level, the more independent the internal auditing activity will be. In some organizations, the CAE reports to the chief executive officer. In organizations where this is not the case, the CAE should have direct and unrestricted access to the chief executive officer, and that access should include periodic meetings to discuss important findings or issues.
The Practice Advisories related to Standard 1110, along with a research study from The IIA Research Foundation, Independence and Objectivity: A Framework for Internal Auditors, offer some specific guidance on the effective positioning of the internal audit activity:

The Minimum

The CAE should report to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations. (PA 1110-1)
Percent of Asset Size in Billions
1 to <5    5 to <10    10 to <20
46.8       45.5        55.8
14.3       17.0        14.0
6.3        8.0         3.5
20.6       25.0        18.6
3.2        1.1         4.7
8.7        3.4         3.5
The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results. (Standard 1110.A1)

As a general rule, the internal audit activity should be organized in a way that affords a higher organizational status as its role expands and more parties inside and outside the organization derive assurance from its work. Internal auditing activities with a narrowly defined role may report to an appropriate lower level of management, as long as the placement assures the audit staff will obtain cooperation from the activity being reviewed and have unrestricted access to required information. For example, an internal audit activity with a broad assurance and consulting role should report directly to the governing board of the organization and more specifically to the audit committee of the board or other similar body. However, if the internal audit activity provides assurance only to top management, it requires an organizational status that ensures cooperation by and autonomy from lower-level management. In these situations, the CAE can report to the chief executive officer with little or no direct access to the organization's board or governing body.
Further Enhancing Independence

The independence and the objectivity of the internal audit activity are further enhanced when:
• The CAE has unrestricted access to the board.
• The board is involved in decisions to hire or remove the CAE.
• The board takes part in drafting the internal audit charter.
• The board influences the budget for and scope of internal audit activities.
• The board is actively involved in oversight, review, and monitoring of audit activities.

Maintaining/Preserving Objectivity

The Standards now define the customer base for audit activity services as being comprised of two groups: the board, senior management, and external third parties on the one hand, and operating and line management on the other. As a result, internal auditors can no longer rely solely on their reporting relationship to the first group to satisfy the expectations of their customers in the second group. Operating and line management need to be assured that internal auditors can be objective.

The Standards define objectivity as an unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and in the fact that no significant quality compromises have been made. They also state that objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. Objectivity means that given appropriate audit scope and professionalism, relevant and sufficient evidential matter will be effectively analyzed and results will be completely and honestly reported to the appropriate parties, without the auditor's judgment being skewed. Maintaining an impartial state of mind and avoiding conflicts of interest are requirements if any value is going to be gained from internal audit work. Without them, internal audit services will fail to deliver the reliable and trustworthy information customers need.
There are several steps that can be taken to ensure objectivity: (PA 1120-1)
• The CAE should query the internal audit staff periodically concerning potential conflicts of interest and biases.
• Staff assignments should be periodically rotated.
• Audit work should be reviewed by supervision to assure that the work was performed objectively before communicating results.
• Internal auditors should not accept fees or gifts from employees, customers, suppliers, or business associates.
• Internal auditors should not be placed in situations where they may feel unable to provide objective, professional judgments. 4.2
  o The significance of the operational function to the organization (in terms of revenue, expenses, reputation, and influence) should be evaluated.
  o The length or duration of the assignment and scope of responsibility should be evaluated.
  o Adequacy of separation of duties should be evaluated.
  o The potential impairment to objectivity or independence or the appearance of such impairment should be considered when reporting audit results.
When the time comes to audit the operation, impairment to objectivity can be minimized by asking a contracted, third-party entity or external auditors to conduct the review. If the internal audit activity performs the review, individual auditors with operational responsibility for the area should not participate in the audit of the operation. Whenever possible, auditors conducting the assessment should be supervised by and report the results of the assessment to those whose independence and objectivity is not impaired. Disclosure should be made regarding the operational responsibilities of the auditor, the significance of the operation to the organization (in terms of revenue, expenses, or other pertinent information), and the relationship of those who audited the function to the auditor assuming an operational role. Disclosure of the auditor's operational responsibilities should be made in the related audit report and in the auditor's standard communication to the audit committee or other governing body.
While these pronouncements are in no way mandatory or exhaustive, they should provide useful advice for auditors grappling with the issue of assuming operational responsibilities.
Chapter 5: Staffing
One of the most significant challenges in establishing an effective internal audit activity is the need to attract, develop, and retain highly specialized and qualified staff. The internal audit activity must be staffed with qualified and competent individuals. This chapter will discuss different staffing strategies; the knowledge, skills, and academic disciplines that the audit staff should have; the importance of staff training and development; and the Code of Ethics.

Engagements should be performed with proficiency and due professional care. (Standard 1200)

Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. (Standard 1210)

Position Descriptions/Staffing Levels

While the audit charter or policy statement establishes the role and responsibility of the internal audit activity, a capable staff is necessary to carry out these responsibilities. The first step in getting the right staff is to develop position descriptions. Position descriptions simplify recruiting efforts by communicating specific requirements and expectations and by establishing what is desired of the best candidates. Initially there may be a small staff of auditors reporting to the CAE, or the CAE may be the only auditor. As the audit function gains greater acceptance by management, the audit coverage desired will expand, necessitating an increase in staff.

The IIA has a program called the Global Auditing Information Network (GAIN) that is recognized as the leader in benchmarking services for the internal auditing profession. In its database, GAIN has information on almost 600 internal auditing departments and activities across 13 different industry groups.
The GAIN staff uses this database to research and publish reports on a wide variety of internal auditing subjects for its subscribers. Subscribers can get reports by industry, specialty groups, and custom groupings, as well as the results of Flash Surveys on current topics. Financial size (assets or revenues) and the number of employees are the two elements that appear to correlate most frequently with the staffing size of an internal audit activity by industry. Averages drawn from all the organizations in the GAIN database should be used with caution when making staffing decisions, but the following ratios might serve as a starting point for establishing initial staffing levels.
There are many things that can influence the size of an audit staff. The data in the GAIN database supports the fact that there can be large differences in staff sizes between industries, and whether the organization is in the public or private sector of the economy. These and other factors, including what management believes is appropriate, will affect the staffing decisions for an internal auditing activity. Sufficient time needs to be included in the plan for securing and training competent staff. Even experienced auditors, when new to an organization, need a period of orientation and training before they can become fully effective. As the staff size increases, the organizational structure of the activity will need to change. When the number of people reporting directly to the CAE becomes too large to effectively supervise, a reporting hierarchy will need to be established. The size of the activity will determine the hierarchy of the department that will need to be staffed. The typical position levels found in an internal audit activity include the CAE, manager, supervisor, senior, and staff auditors. (Exhibits 3-1, 5-1, 5-2, 5-3, and 5-4 are examples of position descriptions for these positions.) One of the keys to competent and reliable audit work is supervision. For this reason it is important that there be an appropriate supervisory span of control established. Supervisors should not be expected to supervise more than four to six staff professionals. Supervisors are an important part of ensuring that the staff conducts quality assurance work and competent consulting engagements.
Staff Knowledge and Skills

The broad scope of internal auditing work makes it almost impossible for any one individual to be knowledgeable and competent in all areas. However, the audit staff as a whole needs to have the knowledge, skills, and discipline necessary to carry out whatever audit engagements it undertakes. Individual auditors should be proficient or have a working knowledge of certain subjects and an understanding of others. The Standards describe what is applicable in Practice Advisory 1201-1: Proficiency

1. Each internal auditor should possess certain knowledge, skills, and other competencies:
   - Proficiency in applying internal auditing standards, procedures, and techniques is required in performing internal audits. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance.
   - Proficiency in accounting principles and techniques is required of auditors who work extensively within financial records and reports.
   - An understanding of management principles is required to recognize and evaluate the materiality and significance of deviations from good business practices. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions.
   - An appreciation is required of the fundamentals of such subjects as accounting, economics, commercial law, taxation, finance, quantitative methods, and information technology. An appreciation means the ability to recognize the existence of problems or potential problems and to determine the further research to be undertaken or the assistance to be obtained.
2. Internal auditors should be skilled in dealing with people and in communicating effectively. Internal auditors should understand human relations and maintain satisfactory relationships with engagement clients.
3. Internal auditors should be skilled in oral and written communications so that they can clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations.
4. The chief audit executive should establish suitable criteria of education and experience for filling internal audit positions, giving due consideration to scope of work and level of responsibility. Reasonable assurance should be obtained as to each prospective auditor's qualifications and proficiency.
5. The internal audit staff should collectively possess the knowledge and skills essential to the practice of the profession within the organization.
Agri/Mining/construct      17.7
Petroleum                  15.7
Wholesale/Retail           12.9
Chemical/Drug              12.5
Manufacturing              14.3
Educational Institution    18.6
Transportation             14.4
Communications             14.0
Bank/Financial             15.9
Utilities                  17.1
Insurance                  14.4
Services                   15.8
Government                 22.4
A third indicator of technical proficiency is whether an individual possesses, or is working toward, an accreditation. The broadest and most applicable certification to the practice of internal auditing is the Certified Internal Auditor (CIA) certification. The accreditation, sponsored by The IIA, is awarded to individuals who meet specific educational, experience, and character requirements. Individuals must also pass a written examination designed specifically to test a broad area of technical knowledge and related skills. The IIA also offers specialty certifications that include Certification in Control Self-Assessment (CCSA), Certified Government Auditing Professional (CGAP), and Certified Financial Services Auditor (CFSA). These certifications test more specialized knowledge areas and are a complement to the CIA. The other certifications that have been recognized as showing technical proficiency useful in internal auditing include Certified Public Accountant (CPA), sponsored by the American Institute of Certified Public Accountants, and Certified Management Accountant (CMA), sponsored by the Institute of Management Accountants. Although more narrowly focused, the list also should include Certified Information Systems Auditor (CISA), sponsored by the Information Systems Audit and Control Association, and the Certified Fraud Examiner (CFE), sponsored by the Association of Certified Fraud Examiners.
Besides the educational fundamentals outlined in the Standards, adaptability, determination, integrity, and communication should also be considered when hiring staff. These are characteristics that will serve the staff well as they work to develop the activity's integrity and credibility. Internal auditors must be able to deal successfully with diversity. Each audit assignment will require the auditor to interact with different groups of people; different terminology and jargon; varying operating management attitudes; and different levels of cooperation and understanding from audit customers. Internal auditors need to be determined and disciplined. They must be willing to work long and hard to establish the facts and support their opinions and recommendations with documented, relevant, and sufficient evidence that has been effectively analyzed and completely and honestly reported.
the strategic advantages of an internally housed internal audit activity, The IIA believes the following arguments need to be considered:

Over Time, Outsourcing Providers May Command an Ever-greater Premium for Their Services. The argument is that an organization becomes dependent on the outside provider as the external auditor gains more institutional knowledge about the organization. The counterargument is that (a) there are other outside providers, (b) long-term pricing agreements can be reached, and (c) there is evidence that internal auditing can be reintroduced into an organization. However, management should consider both long-run and short-run costs when making a sourcing decision.

An External Provider Won't Know the Business as Well as an Internal Auditing Activity. Internal auditors develop a unique perspective of the organization. An internal auditing activity is often staffed with individuals from other parts of the organization who have developed a broad perspective of the organization and have an institutional knowledge of the organization's culture. The internal auditing activity (as well as individual staff members) retains individual accountability for actions and recommendations.

A Valuable Management Training Ground is Lost. Many internal auditing activities have served as a significant source of future managers in their organizations. Internal auditing exposes talented individuals to significant strategic operations and controls of the organization. This breadth and depth of knowledge prepares them for future management positions.

The Outsourcing Employee's Allegiance is to the Outsourcing Provider, not the Client. The internal auditor's primary allegiance is with the organization. In-house auditors must consider the ramifications of findings and recommendations on the total organization since they must live with the recommendations.

Corporate Governance is a Management Function that Cannot be Outsourced. Management must provide oversight of the internal auditing activity whether housed internally or externally. Many believe that a fundamental part of management is the oversight of the organization's internal control system, which in turn is seen as an integral part of the corporate governance structure. Thus, it is argued, since internal auditing is a key element of an effective internal control system, some believe that it cannot be outsourced. The counterarguments are that management must always retain oversight of the activity, even if outsourced, and therefore they are not outsourcing a key control.

Institutional Knowledge May be Lost. Internal auditors have a unique perspective gained through their ability to see all parts of an organization. In fact, it is this broad integration that offers the profession its uniqueness and enhances its ability to effectively add value to the organization, whether that value is in the improvement of the control system or through the identification of operational risks and potential solutions. Even with audit staff turnover, much of the institutional knowledge is saved within the organization.
3. Audit management gets firsthand experience with the capabilities of staff members before assigning them progressively higher levels of responsibilities.
4. As individual staff members progress up the internal auditing hierarchy, they can teach others.
5. The application of audit methods and techniques can be consistent.
Disadvantages:
1. The audit activity must be large enough to provide career growth to higher levels of skill and responsibility. If advancement opportunities are not available, the work becomes uninteresting, or the staff no longer feels challenged, they will become bored and leave.
2. Audit staff may become too specialized, even within the activity. If staff members become too specialized, they may find their skills are not readily adaptable to higher levels of responsibility.
3. The staff may become in-bred with audit methods and techniques, making it difficult to introduce new approaches and ideas to the activity.
4. Audit staff may become complacent as repetitive reviews begin to foster a "let's get along and not rock the boat" attitude with audit customers.
A core competency strategy can have all the advantages and few of the disadvantages noted if the CAE could provide challenging audit assignments and clear opportunities to advance within the activity based on demonstrated performance. Small audit activities in small to medium-size organizations in slow growth industries will find this difficult to accomplish.

Management Migration Model

The Management Migration Model is a rotational model built on the premise that talented professionals will migrate to line management positions.

Advantages:
1. The audit activity does not have to be large to provide career paths to higher levels of skill and responsibility. Turnover keeps the work from becoming uninteresting and boring.
2. The audit staff receives a broad general exposure to different areas of the organization in a short period of time.
Disadvantages:
1. There is a constant need for staff training and development.
2. The need for supervision is greater to ensure that the work is consistent and effective.
3. Objectivity may be impaired as audit staff may be partial toward audit customers in areas where they have a career interest.
4. The range of audit services is limited because of the low overall experience level of the staff.
5. Audit management will not have much firsthand experience with the skills of individual auditors.
The disadvantages of the management migration strategy can be mitigated if audit management provides higher levels of quality supervision and invests heavily in constant training and staff development. The advantages of this approach are dependent upon the ability to attract talented, capable people that can consistently be placed in other areas of the organization. Each CAE must assess the approach that best suits the staffing needs of the organization. In industries where management is dominated by specialized disciplines, such as engineering, medicine, education, or government, the skill set of internal auditors may not be transferable to other areas. These organizations will want to adopt the core competency model. In other industries where internal audit skills are more closely aligned, such as banking, insurance, and finance, the management migration model would work well. However, these two strategies do not have to be mutually exclusive. Many organizations have leveraged elements of both models into their staffing plans. One approach has been to staff manager and supervisor positions with individuals who want to pursue a professional internal audit career path within the organization. This provides a stable and experienced level of professional internal audit supervision within the activity. The audit staff and audit senior positions could then be staffed from either inside or outside the organization with the intention that these people would be placed in other positions within the organization after 18 months to two years. There are challenges to this approach, but the benefits are clear. Probably the biggest challenge is to create and maintain the image of internal audit as an activity that can
provide career development opportunities. Another challenge is to successfully market the internal audit activity to management as a source of talented people for filling positions in other areas. Whatever the approach to staffing, management will need to support the staffing level and provide competitive salary levels if the people with the right kind of skills and experience are going to be obtained. Too few staff will provide no available time for training and development and no opportunities for advancement.

Outsourcing staff 5.2

Outsourcing Allows Management to Focus on Core Competencies. The argument is that outsourcing frees audit management to focus on pursuing more strategic objectives instead of focusing on the day-to-day activities that tend to take a great deal of time with lower payback.

Economies of Scale Should Result in Cost Savings for the Same Services, or Improved Services for the Same Costs. Some outsourcing providers can bring geographic coverage and improved technology to assist organizations in dealing with increasingly complex and diverse business issues. The outsourcers argue that they develop products and computerized audit approaches that can be spread across many clients, thereby keeping costs below that which an in-house internal auditing activity would incur in developing the same service. Research shows that the actual evidence on cost savings is mixed and should be carefully evaluated by management.

Flexibility in Staffing Leads to Better Resource Allocation. It is argued that outsourcing allows the organization to take advantage of help when it is needed without having to pay for it when it is not needed. The counterargument is that existing internal auditing activities could accomplish the same objective with a flexible budget.

Access to Leading Practices. The argument is that the outside provider has access to a broad array of other company practices and can bring those best practices into the organization. They are also in a position to perform benchmarking and give advice on best practices.

A Clear Customer Focus. The introduction of market discipline creates a customer focus that may be lacking within existing internal activities. Even if not outsourced, the discipline of having internal activities compete to retain the function in-house should improve cost effectiveness. It is further argued that management may make better decisions because they consider the cost of each service rather than viewing internal auditing as a fixed cost.

Better International and Cultural Coverage. Large international firms have locations around the world staffed by individuals from the host country. Use of these firms to provide internal auditing coverage, either in conjunction with the internal auditing function, or under a full outsourcing agreement,
A single vendor will not always have all the skills that a particular project may demand, so it pays to shop around and compare. Like other staffing strategies, cosourcing comes with advantages and disadvantages.
Advantages:
- Vendors frequently have the skills and experience that are not practical for many organizations to develop in-house.
- Outsiders can bring a fresh new perspective to projects.
- Partnering co-source staff with in-house staff can broaden the knowledge and skills of the in-house staff and be important for career development.
- If the project gets off track or the vendor does not appear to have the necessary skills to complete the project, it is easier to remove a vendor than it is to remove an employee.

Disadvantages:
- It may be difficult to be sure of the quality of the people who will be working on the project until there has been some experience with their work.
- The in-house staff may resent the use of high-cost vendors on a project they feel they could perform.
- The time and effort to plan, identify, and supervise a vendor on a project may be costly.
- The vendor's staff may not fit well with the unique culture of the organization and may do more harm than good to the activity's image and reputation with its customers.

5.3 Above all it is important to remember that when an internal audit activity hires a cosource vendor, it needs to be specific about what the vendor is expected to deliver and be prepared to supervise the work. Internal auditing activities that plan and manage cosourcing projects will be able to add value to their organizations by broadening the range of services they can offer to their organizations.
Extent of Co-sourcing    Audit Areas:
                         General     IT/IS
100%                      1.00%      4.40%
>50%                      2.70%      5.60%
>25%                      6.70%      7.00%
Some                     44.60%     36.30%
None                     42.10%     43.20%

Source: GAIN Report pages P9
Staff Sources

There are many sources for qualified internal audit staff candidates. Some sources provide experienced individuals; others provide raw, basic-skilled individuals who will need training.
Professional Associations. Local chapters of The Institute of Internal Auditors, The American Institute of Certified Public Accountants, the National Association of Accountants, the Information Systems Audit and Control Association, and the Financial Executives Institute are all sources for internal audit candidates. If there are local chapters of these organizations, they will usually have a newsletter that will accept advertisements for open positions. The national organizations of these groups also have professional journals that will accept advertisements for position openings. Internal Auditor, the professional journal of The Institute of Internal Auditors, is delivered to over 35,000 internal auditors throughout the world. Attendance at regional and national conferences sponsored by The IIA can also serve as an opportunity to identify candidates.

Placement and Recruiting Firms. There are several firms, some with national affiliations, that specialize in locating and recruiting candidates for specific professions. These firms have various fee structures, the majority usually charging between 15 percent and 25 percent of the candidate's starting salary. There may be firms that your organization already uses for recruiting for other positions that may be helpful in locating internal audit candidates. It is a good idea to ask about fee rebates for employees who do not stay beyond an initial period, usually six months. Also obtain some assurance that your activity's current staff will not become the target of recruiting for other organizations.

Continuing Education

Every auditor should have the opportunity to advance his/her level of skill and responsibility. Continuing education is good for both the audit staff and the internal audit activity. This is why the internal auditing activity needs to have a training program that will provide the staff with the means to learn new methods and develop new skills. Training programs should have as their main goal the achievement of both individual staff goals and objectives and the goals and objectives of the internal audit activity. To achieve this, training should be a continuing program, not just an occasional seminar. A continuing program should provide for senior auditors to be assigned for a period of time to supervisory positions, and for supervisors to be assigned a manager's responsibilities. This lets staff learn firsthand the skills and responsibilities required of the positions above them. The skills and experience of each staff member should be formally assessed and training objectives established and reviewed at least annually. The attainment of these training objectives should be part of a staff member's performance review and evaluation.

It is important to any continuing training program that the staff be aware that the CAE supports it. The staff needs to believe that the CAE expects them to continue to improve their skills and abilities. The CAE can encourage this by: Setting aside, within the annual audit plan, specific hours for staff training.
The IIA, as do other professional organizations mentioned previously, provides numerous training seminars and conferences each year. Internal Auditor is a source of information through its many articles on internal auditing. The IIA has available many publications and study courses relating to internal auditing at www.theiia.org. Joining the local IIA chapter and attending meetings also can provide opportunities to hear speakers on auditing and related topics.

The Code of Ethics

New members of an internal audit staff should be made aware of their ethical responsibilities. Internal auditors and the auditing profession have a special relationship with management and the board. This relationship requires the highest standards of competency, morality, and dignity. In June 2000, The IIA Board of Directors adopted a new Code of Ethics. (Exhibit 1-2) Compliance with the concepts enunciated in the Mandatory Guidance is essential before the responsibilities of internal auditors can be met. As stated in the Code of Ethics, internal auditors shall perform internal audit services in accordance with the Standards.
Chapter 6: Directing
Once the internal audit activity has been planned, organized, and staffed, the chief audit executive (CAE) needs to direct and manage the activities. This means dealing with administrative issues like audit planning, resources management, operating policies and procedures, coordination of work, and quality assurance. This chapter provides guidance on how the CAE can effectively manage the internal audit activity.

The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization. (Standard 2000)

The Audit Plan

Establishing a plan for performing internal audit work is a primary responsibility of the CAE. The planning process includes establishing goals, developing work schedules, establishing staffing plans and financial budgets, and distributing status reports on the progress of activities. The audit plan should be consistent with the internal audit charter and with the goals of the organization.

The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals. (Standard 2010)

The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process. (Standard 2010.A1)

The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Those engagements that have been accepted should be included in the plan. (Standard 2110.C1)

The Audit Planning Process

Audit planning should be based on an assessment of risks and exposures that may affect the organization, and should be done annually in order to reflect the most current strategies and direction of the organization. The best way to add value to an organization is to make sure the risk assessment and the plan developed from the assessment reflect the overall objectives of the organization. Risk assessments need to include input from management. One way to accomplish this is to study the organization's strategic plan and then discuss with management where the risks are in obtaining the objectives in the plan. The overall objective of an internal audit activity is to provide management with information to lessen the negative consequences associated with accomplishing an organization's objectives. Implementing control activities in areas where the risks are high can mitigate the risks of an organization not accomplishing its goals. A risk-based audit plan ensures that audit activities are effectively focused on those areas where the risks or materiality of exposure is greatest.
There are a number of risk models that can help the CAE prioritize potential audit projects. The basic audit planning process consists of two phases: the assessment of business risk and the allocation of audit resources. The first phase, assessing business risk, focuses on:
- Defining an auditable unit.
- Establishing the audit universe.
- Establishing the risk criteria.
- Constructing the risk model.
- Ranking the audit universe.

The annual audit plan can then be developed reflecting the results of the risk assessment model and the selection policy. The risk assessment model and the selection policy will enable the internal audit activity to define, identify, and set priorities for audit risk annually, or more frequently if business conditions dictate. Procedures will need to be established to update the model after each audit so that it can be the foundation for an integrated approach to audit projects.

Risk Assessment

Risk assessment is the process of identifying the possibility that events will occur that will be harmful to the organization and/or will be detrimental to the achievement of the organization's goals. Risk assessment is the most critical phase of audit planning. The task of collecting the data can also be very time consuming. But the benefits to be gained are usually in direct proportion to the effort expended. Keep in mind that audit plans are subjective. A risk assessment and audit planning methodology is a structured approach to a subjective process. Even the most sophisticated risk assessment and planning model is the product of value judgments. The key to good audit planning is to develop a methodology that will produce a plan that reflects management's concerns.

Defining an Auditable Unit

The first step in the risk assessment process is to define the auditable units. An auditable unit is simply the subject/business process that becomes the audit entity. The business process is any combination of transactions, systems, processes, or interfaces that constitutes a logical process. Example: payroll, purchasing, accounts payable, etc. While auditable units can be defined as individual applications, companies, or business units, each of these approaches either limits the scope of an audit project or broadens it beyond what can reasonably be managed. Defining the audit universe as a group of business processes is the same view management takes in identifying where they typically have concerns.

Establishing the Audit Universe

To provide flexibility, and to limit the scope of an audit project to a manageable size, subunits can be identified. While there may be a motivation to identify audit units by the specialized skills necessary to do the work, this should be avoided. Determine the skill set
needed for an audit project after the individual objectives for an audit are defined. Business processes that are heavily dependent upon information technology will require auditors performing the work to examine the controls that that technology depends upon. After compiling a list of major auditable units and subunits, identify a number for planning purposes that represents the hours that will be allocated for auditing each auditable unit. Do not spend much time trying to refine the estimated hours for each auditable unit. The hours estimated for each unit should include time for conducting the preliminary survey, developing the audit program, performing the fieldwork, and communicating the results of the review to management. It is appropriate for planning purposes to pick a number that best reflects what the average audit will take. A better estimate can be developed after the preliminary survey work is completed for individual audit projects. Keep in mind that audit projects should be able to be completed within a time frame that allows the reports to be presented at each audit committee meeting. Based on a 40-hour workweek there are 2080 total staff hours available per year. After subtracting out 25% of the hours for holiday, sick, training, staff meetings, etc., that leaves 1560 staff hours available per year for audit projects. Dividing this by four gives us 390 staff hours per quarter for audit projects. If the audit committee meets quarterly, then 350 hours per project would be a good planning number to use. The longer an audit project goes on the harder it is to manage. The more hours that an audit project consumes the higher the expectations from management and the audit committee that it will add value. This in turn increases the pressure on the auditors to find something of value on which to make a recommendation. It is more effective to do two 350-hour audits than it is to do one 700-hour audit. 
Remember, the work will expand to fill the time allocated for the project.

Defining the Risk Criteria

The most workable model is one that uses enough items to be descriptive of risk without being cumbersome. Keep the model simple. The following eight criteria (six subjective and two objective) should give an adequate assessment of risk for audit planning purposes. While the following approach may be adequate for some organizations, other criteria may be better suited to other organizations. It is important that management and the audit committee understand and concur with the criteria used in defining risk.

Subjective/qualitative criteria:
- Control Environment (Weight = 3): Based on the knowledge/experience of internal audit with considerable input from management.
- Prior Audit Findings (Weight = 3): Based on prior external and internal audit work.
- Management/Interest Concern (Weight = 4): Based upon specific requests from management.
- Asset Sensitivity (Weight = 1): Based on whether assets are high turnover, mobile, easily convertible to cash, etc.

Objective/quantitative criteria:
- Size (Weight = 2): Size may be revenues, assets, expenses, or whatever is appropriate for the process.
- Weight = 2
Each criterion is assigned a weight that establishes its importance relative to the other criteria being used. Qualitative criteria are frequently emphasized by weighting them as much as three times more heavily than quantitative criteria. In the example above, Management/Interest Concern (Weight = 4) is twice as important as Size (Weight = 2) in determining risk. The weights assigned to each of the criteria are purely subjective and, like the criteria used to define the risk attributes, management and the board should understand and concur with them. Additional criteria may be needed at some point to further tailor the model to a specific environment. However, adding criteria to the model can quickly complicate the evaluation and make it appear convoluted. Every effort should be made to keep the number of criteria to fewer than 10.

Constructing the Risk Model

The last step in constructing the risk model is ranking all the auditable items in the universe. Each auditable unit should be evaluated using risk criteria similar to those outlined above. Each of the criteria should be rated according to a scale. The scale does not have to be complicated. The scale could be as simple as:
1 = Low risk
2 = Medium risk
3 = High risk
Ranking the Audit Universe The total rating is the sum of the individual criteria weights multiplied by their scale. As with any model, the results should be analyzed to see if they are consistent with what professional judgment would expect. At this point management input is strongly recommended. Allowing management to understand the process and to participate will encourage their "buying into" the plan. The audit universe could then be risk ranked by sorting the units from highest to lowest risk. The chief audit executive should communicate the internal audit activitys plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations. (Standard 2020) Allocating Audit Resources The second phase, the allocation of audit resources, focuses on establishing a strategy or selection approach that optimizes the available audit resources. This requires establishing a risk strategy or selection policy. While the simplest approach would be to start at the top of the list with the high-risk audits, this approach would make the audit coverage narrow. The chief audit executive should ensure that audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. (Standard 2030) A risk sampling strategy would be one way of getting broader audit coverage. Divide the risk-ranked audit universe into high-risk (10%), sensitive (20%), moderate (40%), and lowrisk (30%) segments based on the total auditable units. Plan to audit 100% of the high-risk segment and 50% of the sensitive segment using a random sample technique. Automatically selecting any unit not audited in the last two years. For the moderate segment select 10%, automatically selecting units not audited in the last four years. Select 5% from the low-risk segment, automatically selecting units that have never been audited. 
This strategy provides for annual audit coverage of about 25% of the total audit universe. It also focuses most audit resources on areas of highest risk. The number of risk segments and the percentage of those segments covered may vary each planning period depending upon the size of the audit universe and the resources available.

Getting management and the audit committee to identify the percentage of the universe they want included in the various risk segments allows them to see what level of staffing is going to be necessary to implement a given strategy. For example: If there are 10 auditable units in the high-risk (10%) segment, and each audit project averages about 350 hours, then it is going to take at least two full-time auditors to cover just the high-risk segment each planning period.

Another approach is to build more flexibility into the allocation of audit resources so that risks can be addressed as they develop throughout the year. One approach is to leave 30% to 40% of staff time unallocated so that it can be used for engagements that could not have been foreseen, like management and board special requests. Another approach is to commit to spending a certain amount of time in a functional area, but not identifying specific projects. Projects are only committed to after a preliminary survey is completed to determine whether a specific project has any potential to add value to the control
Policies and Procedures

The chief audit executive should establish policies and procedures to guide the internal audit activity. (Standard 2040)

The size and structure of the activity will normally dictate whether written policies and procedures are needed and what their form and content will be. When staffs are small and centrally located, directors can provide guidance and direction orally. Written guidance is needed to establish administrative practices, to guide audit work, and to ensure a consistent approach as the staff grows and turnover occurs. Each CAE must develop policies and procedures that address the particular needs of the department and the organization.

Exhibit 6-3 is an example of a generic index for a policy and procedures manual. While the full text of this document is too lengthy to include, the index should provide some guidance on what topics may be included in a policy and procedures manual.

It may be appropriate to develop checklists for detailed written procedures in a manual. When used as reminders and guides instead of strict steps to be rigorously followed, checklists have certain advantages over procedure manuals. Checklists can easily be changed when needed, and copies included in working papers can serve to document the steps performed. Exhibit 6-4 is an example of the forms and checklists that can be used as a guide for preparing audit workpapers.

Implementing the Audit Plan

One major yardstick that management uses to evaluate the internal audit function is how well the activity accomplishes the audit plan. Audit plans are accomplished by effectively managing each audit project. Audit projects that are not properly managed do not use resources effectively. Projects seem to run over the time budgeted and, most importantly, they impair the credibility of the audit activity. Just as we would expect a production department to maintain production schedules and labor budgets, the same should be expected of the internal audit activity.
The administrative tasks associated with managing audit resources can be aided by using automated office systems and other applications available on personal computers. Many activities use automated spreadsheet and word processing effectively for budgeting and scheduling of projects, as well as recording and summarizing staff hours. Internal audit activities should explore new and expanded uses of this technology whenever possible.
Project Budgets and Schedules

The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management. (Standard 2060)

Individual project schedules and budgets are essential and should become the norm for every audit project. To be effective, budgets and schedules must be integrated with a project reporting system. The reporting system should:

Enable the lead auditor on each project to budget and allocate time to individual segments and to track actual time.
Provide individual audit staff the ability to report how they spent their time, both project time and non-project time, usually weekly.
Aid audit management in accounting for all of the staff hours and in reporting to management and the audit committee the status of the audit plan and all audit projects.
Exhibit 6-5 is an example of a spreadsheet for budgeting and controlling the hours for individual projects. This work sheet should be included in the working papers to enable audit supervision to evaluate the effectiveness of the hours used. It also may serve as a guide to budgeting similar projects in the future.

Exhibit 6-6 is an example of a staff time spreadsheet. The report requires staff to account for both project and non-project hours each week, including vacation, holiday, and sick leave.

Exhibit 6-7 is an example of a spreadsheet that can be used for the monthly management report. The report would list each active project, the time budgeted, the actual hours to date, an estimated completion date, and other information that reflects how staff resources are being utilized.

While schedules and budgets are essential to properly manage audit resources, these should not be self-defeating. Audit projects should always have an initial budget. This figure would typically be the planning number referred to earlier or the actual hours from the last review for recurring audits. After the preliminary survey phase of the project, the lead auditor should revise the budget based on an evaluation of controls and an assessment of the testing needed to establish reliance. Budgets should be adjusted whenever the scope of the work changes. However, audit management should review changes in budgets, and the reasons for the adjustments should be documented in the work papers.
Audit reports and findings are the result of a process of comparing what should be with what is. Whether there is a difference or not, the internal auditor has a basis upon which to form an opinion. Opinions should always be in the context of the overall implications to the organization and the area reviewed. When audit work finds that conditions meet what is expected, acknowledging this in the report is important to provide the appropriate balance. Audit findings in reports should be based on an analysis of the following attributes:

A. Criteria: The standards, measures, or expectations used in making an evaluation and/or verification (what should exist).
B. Condition: The factual evidence that the internal auditor found in the course of the examination (what does exist).
C. Cause: The reason for the difference between the expected and actual conditions (why the difference exists).
D. Effect: The risk or exposure the audit customer organization and/or others encounter because the condition is not the same as the criteria (the impact of the difference).
E. Recommendation: That which the audit customer can implement, change, or undertake to move from what does exist to what should exist. (PA 2410-1)
Management and the Audit Committee

The last couple of years have seen increased interest in requiring public organizations to establish audit committees and internal auditing activities. Audit committees are under a lot more pressure to be accountable for their role as financial stewards. Recent studies, articles, commentaries, laws (Sarbanes-Oxley Act of 2002), and regulations continue to focus on the audit committee's role in corporate governance. Clearly an audit committee cannot meet its obligations alone.

The responsibility of audit committee members to know more about an organization's financial reporting, corporate governance, and control has increased dramatically. Regulators have shifted from a passive to a more proactive accountability of board committees, especially the audit committee. Reporting requirements, disclosures, assertions, and other information about the workings of the audit committee continue to expose members to potential scrutiny as to overall due diligence being exercised. Members of audit committees now more than ever have to rely more and more on internal auditors to keep them aware of significant risk management, control, and governance problems.

Audit committees do not like to see management or their organizations embarrassed. Neither do they like confrontations between auditors and management. Audit committees like to know that the internal audit activity has a competent and professional staff that does a professional job of working with management to identify opportunities to improve business performance and reduce business risk.
Chapter 7: Monitoring
Of all the changes that were made to the Standards beginning in 2002, the section on quality assurance represents a fundamental change for the practice of internal auditing. There are now seven standards that dictate specific activities that must be part of the quality assurance (QA) program of every internal audit activity. When an internal audit activity is established, it must include an ongoing quality assurance and improvement program. This requirement is broadly covered in Standard 1300, which states:

The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program should be designed to help the internal audit activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics. (Standard 1300)

A quality assurance program will need to provide reasonable assurance to management and the board that the internal audit activity: 1) performs in accordance with The IIA's Standards and the Code of Ethics; 2) is perceived by all as adding value and improving the organization's operations; and 3) operates in an effective and efficient manner. Exhibit 7-1 is an example of an outline for a Quality Assurance and Improvement Program.

The new standards require that any quality assurance program:

1. Cover all aspects of the internal audit activity. (Standard 1300)
2. Continually monitor the internal audit activity's effectiveness. (Standard 1300)
3. Assure compliance with the Standards and the Code of Ethics. (Standard 1300)
4. Help the internal audit activity add value and improve organizational operations. (Standard 1310)
5. Include both periodic and ongoing internal assessments. (Standard 1311)
6. Include an external assessment at least once every five years, the results of which are communicated to the board. (Standards 1312 and 1320)
Failure to have any of these six elements in a quality assurance program represents noncompliance with the Standards. Quality assurance programs must include examinations of all types of audit engagements. Developing quality assurance programs for only measuring performance while conducting traditional assurance engagements is not sufficient. The program must also measure performance in conducting other services like consulting engagements. The quality of all work performed must be assessed. Assurance activities that focus specifically on workpaper reviews are not all that is necessary for a quality assurance program. Workpaper review is certainly an important quality assessment tool, but needs to be used in conjunction with additional QA tools and methodologies in implementing an effective quality assurance program. Further information and examples of these tools and
Compliance with applicable laws, regulations, and government or industry standards.
The effectiveness of the continuous improvement activities and adoption of best practices.
Whether the internal audit activity adds value and improves the organization's operations.
Internal Assessment

While ongoing reviews are primarily achieved through the continuous monitoring activities already discussed, the most effective method for continuously assessing quality is supervision and management oversight. Adequate supervision and management oversight will be the foundation of any quality assurance program that assures conformity with the Standards and activities that add value and improve an organization's operations. Recognizing the importance of effective and continuous supervision and management oversight, the Standards have taken the additional step of requiring a formal internal assessment process.

Internal assessments should include:
Ongoing reviews of the performance of the internal audit activity.
Periodic reviews performed through self-assessment or by other persons within the organization who have knowledge of internal auditing practices and the Standards. (Standard 1311)
Ongoing review and monitoring activities should be periodically reviewed. One way to accomplish this is to routinely conduct a self-evaluation. Known as internal assessments, these are conducted by members of the staff or by a team of reviewers employed by the organization but working in other areas. Former members of the audit staff or other employees with prior auditing experience could be used. If the internal audit activity is large enough, it may establish a formal quality assessment staff position or group that could be responsible for all quality assurance activities. This function should report its findings and conclusions directly to the CAE to ensure adequate credibility and objectivity.

External Assessment

Another strong statement of the profession's commitment to quality came with the enactment of Standard 1312, requiring a periodic external quality assurance review.

A qualified, independent reviewer or review team from outside the organization should conduct external assessments, such as quality assurance reviews, at least once every five years. (Standard 1312)

There are several ways an internal audit activity can obtain an external assessment. The first option is to contract for a formal quality assessment review (QAR) with The IIA, other industry associations, accounting firms, or consultants. These reviews usually involve a team of qualified reviewers who spend several days to several weeks interviewing the
Self-Assessment with Independent Validation

An alternative to conducting an external assessment is for the audit staff to conduct a self-assessment quality review and submit the findings and supporting documentation to an outside consultant for validation. This approach allows the internal audit staff, under the direction of the CAE, to perform and document the self-assessment. The objective of the self-assessment process is to document a set of conclusions about the internal audit activity's compliance with the Standards, the charter, and other relevant criteria in the same fashion that would be provided by an external reviewer. The team and the CAE also develop recommendations and implementation plans for improving the activity.

After the self-assessment is completed, a qualified, independent evaluator performs limited tests of the self-assessment and the report recommendations to validate the results and express an opinion as to the level of compliance with the Standards. The independent evaluator should have the same qualifications as those of the reviewers for formal QAR external reviews shown above. It should be noted that using this approach does limit the opportunity to gain valuable input from an external review team with respect to alternative methods and best practices.
Communication of Results

Another strengthening of the quality improvement methodology established by the Standards is the requirement to communicate the results of external assessments to the board.

The chief audit executive should communicate the results of external assessments to the board. (Standard 1320)

Whether a CAE conducts a self-assessment with independent validation or chooses to have an external review, the results of the review, and particularly the opinion on compliance with the Standards, must be communicated to the board.

Additional Guidance

It is worth noting two other important quality assurance Standards that address use of language (Standard 1330) and partial compliance (Standard 1340). Both Standards are listed below.

Internal auditors are encouraged to report that their activities are conducted in accordance with the Standards for the Professional Practice of Internal Auditing. However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards. (Standard 1330)

Practice Advisory (PA) 1330-1 provides further guidance on implementing this Standard.

Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal auditing activity, disclosure should be made to senior management and the board. (Standard 1340)

By implementing and maintaining a comprehensive quality assurance and improvement program, management and the board are assured of having an internal audit activity that will add value, improve operations, and operate in an effective and efficient manner.
Exhibit 1-1
Specific Standard
Implementation Standard
Practice Advisory
1000-1: Internal Audit Charter
1000.C1-2: Additional Considerations for Formal Consulting Engagements
1100-1: Independence and Objectivity
Establishing An Internal Audit Activity Manual
Table of Attribute and Performance Standards with Related Practice Advisories
ATTRIBUTE STANDARDS General Standard Specific Standard
1130 - Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

1130.A1 - Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an auditor provides assurance services for an activity for which the auditor had responsibility within the previous year.

1130.A2 - Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.

1130.C1 - Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2 - If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

1200 - Proficiency and Due Professional Care
Engagements should be performed with proficiency and due professional care.

1210 - Proficiency
Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
Practice Advisory
1130-1: Impairments to Independence or Objectivity
1210.A1 - The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.A2 - The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.C1 - The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies.

1220 - Due Professional Care
Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1 - The internal auditor should exercise due professional care by considering the:
Extent of work needed to achieve the engagement's objectives.
Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
Adequacy and effectiveness of risk management, control, and governance processes.
Probability of significant errors, irregularities, or noncompliance.
Cost of assurance in relation to potential benefits.
Practice Advisory
1210.A1-1: Obtaining Services to Support or Complement the Internal Audit Activity
1220.A2 - The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C2 - The internal auditor should exercise due professional care during a consulting engagement by considering the:
Needs and expectations of clients, including the nature, timing, and communication of engagement results.
Relative complexity and extent of work needed to achieve the engagement's objectives.
Cost of the consulting engagement in relation to potential benefits.

1230 - Continuing Professional Development
Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.

1300 - Quality Assurance and Improvement Program
The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program should be designed to help the internal audit activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and Code of Ethics.

Practice Advisory
1230-1: Continuing Professional Development
1310 - Quality Program Assessments
The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

1311 - Internal Assessments
Internal assessments should include:
Ongoing reviews of the performance of the internal audit activity; and
Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

1312 - External Assessments
External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer, or review team from outside the organization.

1320 - Reporting on the Quality Program
The chief audit executive should communicate the results of external assessments to the board.

1330 - Use of "Conducted in Accordance with the Standards"
Internal auditors are encouraged to report that their activities are conducted in accordance with the Standards for the Professional Practice of Internal Auditing. However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.
Practice Advisory
1310-1: Quality Program Assessments
1340 - Disclosure of Noncompliance Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.
Practice Advisory
2000-1: Managing the Internal Audit Activity
2010-1: Planning
2010-2: Linking the Audit Plan to Risk and Exposures
PERFORMANCE STANDARDS General Standard Specific Standard
2030 - Resource Management
The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

2040 - Policies and Procedures
The chief audit executive should establish policies and procedures to guide the internal audit activity.

2050 - Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

2060 - Reporting to the Board and Senior Management
The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

2100 - Nature of Work
The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance systems.
Implementation Standard
Practice Advisory
2030-1- Resource Management 2030-2- SEC External Auditor Independence Requirements for Providing Internal Audit Services 2040-1-Policies and Procedures
2100-1- Nature of Work 2100-2- Information Security 2100-3- Internal Audits Role in the Risk Management Process 2100-4- Internal Audits Role in Organizations Without a Risk Management Process 2100-5- Legal Considerations in Evaluating Regulatory Compliance Programs
2110 - Risk Management
The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
2110.A1 - The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.
2110.A2 - The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.
2110.C1 - During consulting engagements, internal auditors should address risk consistent with the engagement's objectives and should be alert to the existence of other significant risks.
2110.C2 - Internal auditors should incorporate knowledge of risks gained from consulting into the process of identifying and evaluating significant risk exposures of the organization.
2120 - Control
The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Practice Advisory
2110-1 - Assessing the Adequacy of Risk Management Processes
2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.
2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
2120.A3 - Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
Practice Advisory
2120.A1-1 - Assessing and Reporting on Control Processes
2120.A1-2 - Using Control Self-assessment for Assessing the Adequacy of Control Processes
2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.
2120.C1 - During consulting engagements, internal auditors should address controls consistent with the engagement's objectives and should be alert to the existence of any significant control weaknesses.
2120.C2 - Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.
2130 - Governance
The internal audit activity should contribute to the organization's governance process by evaluating and improving the process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.
2130.A1 - Internal auditors should review operations and programs to ensure consistency with organizational values.
2130.C1 - Consulting engagement objectives should be consistent with the overall values and goals of the organization.
Practice Advisory
2120.A4-1 - Control Criteria
2130-1 - Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization
2200 - Engagement Planning
Internal auditors should develop and record a plan for each engagement.
2201 - Planning Considerations
In planning the engagement, internal auditors should consider:
- The objectives of the activity being reviewed and the means by which the activity controls its performance.
- The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
- The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model.
- The opportunities for making significant improvements to the activity's risk management and control systems.
2201.C1 - Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.
Practice Advisory
2200-1 - Engagement Planning
2210 - Engagement Objectives
The engagement's objectives should address the risks, controls, and governance processes associated with the activities under review.
2210.A1 - When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
2210.A2 - The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.
2210.C1 - Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.
2220 - Engagement Scope
The established scope should be sufficient to satisfy the objectives of the engagement.
2220.A1 - The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
Practice Advisory
2210-1 - Engagement Objectives
2220.C1 - In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement.
2230 - Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
2240 - Engagement Work Program
Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.
2240.A1 - Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to the commencement of work, and any adjustments approved promptly.
2240.C1 - Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.
Practice Advisory
2230-1 - Engagement Resource Allocation
2300 - Performing the Engagement
Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.
2310 - Identifying Information
Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.
2320 - Analysis and Evaluation
Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.
2330 - Recording Information
Internal auditors should record relevant information to support the conclusions and engagement results.
2330.A1 - The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.
2330.A2 - The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.
2330.C1 - The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.
Practice Advisory
2310-1 - Identifying Information
2330.A1-1 - Control of Engagement Records
2330.A1-2 - Legal Considerations in Granting Access to Engagement Records
2340 - Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.
2400 - Communicating Results
Internal auditors should communicate the engagement results promptly.
2410 - Criteria for Communicating
Communications should include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.
2410.A1 - The final communications of results should, where appropriate, contain the internal auditor's overall opinion.
2410.A2 - Engagement communications should acknowledge satisfactory performance.
2410.C1 - Communications of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.
2420 - Quality of Communications
Communications should be accurate, objective, clear, concise, constructive, complete, and timely.
2421 - Errors and Omissions
If a final communication contains a significant error or omission, the chief executive should communicate corrected information to all individuals who received the original communication.
Practice Advisory
2340-1 - Engagement Supervision
2420-1 - Quality of Communications
2430 - Engagement Disclosure of Noncompliance with the Standards
When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the:
- Standard(s) with which full compliance was not achieved,
- Reason(s) for noncompliance, and
- Impact of noncompliance on the engagement.
2440 - Disseminating Results
The chief audit executive should disseminate results to the appropriate individuals.
2440.A1 - The chief audit executive is responsible for communicating the final results to individuals who can ensure that the results are given due consideration.
2440.C1 - The chief audit executive is responsible for communicating the final results of consulting engagements to clients.
2440.C2 - During consulting engagements, management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board.
2500 - Monitoring Progress
The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.
Practice Advisory
2500-1 - Monitoring Progress
2500.A1 - The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
2500.C1 - The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.
2600 - Management's Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.
Practice Advisory
2500.A1-1 - Follow-up Process
Exhibit 1-2
3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
4. Competency
Internal auditors:
4.1 Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2 Shall perform internal auditing services in accordance with the Standards for the Professional Practice of Internal Auditing.
4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.
Adopted by The IIA Board of Directors, June 17, 2000.
Exhibit 1-3
The Standards employ terms that have been given specific meanings that are included in the Glossary. The Internal Auditing Standards Board is committed to extensive consultation in the preparation of the Standards. Prior to issuing any document, the Standards Board issues exposure drafts internationally for public comment. The Standards Board also seeks those with special expertise or interests for consultation where necessary. The development of standards is an ongoing process. The Standards Board welcomes input from IIA members and other interested parties to identify emerging issues requiring new standards or revision to current standards. Suggestions should be sent to: Institute of Internal Auditors Senior Manager Technical Services 247 Maitland Ave. Altamonte Springs, Florida 32701 USA E-mail: standards@theiia.org Additional guidance regarding how the Standards might be put into practice can be found in Practice Advisories that are issued by the Professional Issues Committee.
Source: Professional Practices Framework, Institute of Internal Auditors, Altamonte Springs, FL, January 2002
ATTRIBUTE STANDARDS
1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.¹
1000.A1 - The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter.
1000.C1 - The nature of consulting services should be defined in the audit charter.
1100 Independence and Objectivity
The internal audit activity should be independent, and internal auditors should be objective in performing their work.
1110 Organizational Independence
The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
1110.A1 - The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.
1120 Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
1130 Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.
1130.A1 - Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an auditor provides assurance services for an activity for which the auditor had responsibility within the previous year.
¹ When used in these Standards, the term board is defined as a board of directors, audit committee of such boards, head of an agency or legislative body to whom internal auditors report, board of governors or trustees of a nonprofit organization, or any other designated governing bodies of an organization.
2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.
2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
2120.A3 - Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.
2120.C1 - During consulting engagements, internal auditors should address controls consistent with the engagement's objectives and should be alert to the existence of any significant control weaknesses.
2120.C2 - Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.
2130 Governance
The internal audit activity should contribute to the organization's governance process by evaluating and improving the process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.
2130.A1 - Internal auditors should review operations and programs to ensure consistency with organizational values.
2130.C1 - Consulting engagement objectives should be consistent with the overall values and goals of the organization.
2200 Engagement Planning
Compliance
The ability to reasonably ensure conformity and adherence to organization policies, plans, procedures, laws, regulations, and contracts.
Conflict of Interest
Any relationship that is or appears to be not in the best interest of the organization. A conflict of interest would prejudice an individual's ability to perform his or her duties and responsibilities objectively.
Consulting Services
Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization's operations. Examples include counsel, advice, facilitation, process design, and training.
Control
Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Control Environment
The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
- Integrity and ethical values.
- Management's philosophy and operating style.
- Organizational structure.
- Assignment of authority and responsibility.
- Human resource policies and practices.
- Competence of personnel.
Control Processes
The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.
Engagement
A specific internal audit assignment, task, or review activity, such as an internal audit, Control Self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
Engagement Objectives
Broad statements developed by internal auditors that define intended engagement accomplishments.
Engagement Work Program
A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.
External Service Provider
A person or firm, independent of the organization, who has special knowledge, skill, and experience in a particular discipline. Outside service
Appoint, compensate, and oversee the work of any registered public accounting firm employed by the organization. Resolve any disagreements between management and the auditor regarding financial reporting. Pre-approve all auditing and non-audit services. Retain independent counsel, accountants, or others to advise the committee or assist in the conduct of an investigation. Seek any information it requires from employees, all of whom are directed to cooperate with the committee's requests, or external parties. Meet with company officers, external auditors, or outside counsel, as necessary.
COMPOSITION
The audit committee will consist of at least three and no more than six members of the board of directors. The board or its nominating committee will appoint committee members and the committee chair. Each committee member will be both independent and financially literate. At least one member shall be designated as the financial expert, as defined by applicable legislation and regulation.
MEETINGS
The committee will meet at least four times a year, with authority to convene additional meetings, as circumstances require. All committee members are expected to attend each meeting, in person or via tele- or video-conference. The committee will invite
Review significant accounting and reporting issues, including complex or unusual transactions and highly judgmental areas, and recent professional and regulatory pronouncements, and understand their impact on the financial statements. Review with management and the external auditors the results of the audit, including any difficulties encountered. Review the annual financial statements, and consider whether they are complete, consistent with information known to committee members, and reflect appropriate accounting principles. Review other sections of the annual report and related regulatory filings before release and consider the accuracy and completeness of the information. Review with management and the external auditors all matters required to be communicated to the committee under generally accepted auditing Standards. Understand how management develops interim financial information, and the nature and extent of internal and external auditor involvement. Review interim financial reports with management and the external auditors before filing with regulators, and consider whether they are complete and consistent with the information known to committee members.
Internal Control
Consider the effectiveness of the company's internal control system, including information technology security and control. Understand the scope of internal and external auditors' review of internal control over financial reporting, and obtain reports on significant findings and recommendations, together with management's responses.
Internal Audit
Review with management and the chief audit executive the charter, plans, activities, staffing, and organizational structure of the internal audit function. Ensure there are no unjustified restrictions or limitations, and review and concur in the appointment, replacement, or dismissal of the chief audit executive. Review the effectiveness of the internal audit function, including compliance with The Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing.
On a regular basis, meet separately with the chief audit executive to discuss any matters that the committee or internal audit believes should be discussed privately.
External Audit
Review the external auditors' proposed audit scope and approach, including coordination of audit effort with internal audit. Review the performance of the external auditors, and exercise final approval on the appointment or discharge of the auditors. Review and confirm the independence of the external auditors by obtaining statements from the auditors on relationships between the auditors and the company, including non-audit services, and discussing the relationships with the auditors. On a regular basis, meet separately with the external auditors to discuss any matters that the committee or auditors believe should be discussed privately.
Compliance
Review the effectiveness of the system for monitoring compliance with laws and regulations and the results of management's investigation and follow-up (including disciplinary action) of any instances of noncompliance. Review the findings of any examinations by regulatory agencies, and any auditor observations. Review the process for communicating the code of conduct to company personnel, and for monitoring compliance therewith. Obtain regular updates from management and company legal counsel regarding compliance matters.
Reporting Responsibilities
Regularly report to the board of directors about committee activities, issues, and related recommendations. Provide an open avenue of communication between internal audit, the external auditors, and the board of directors. Report annually to the shareholders, describing the committee's composition, responsibilities and how they were discharged, and any other information required by rule, including approval of non-audit services. Review any other reports the company issues that relate to committee responsibilities.
Other Responsibilities
Perform other activities related to this charter as requested by the board of directors. Institute and oversee special investigations as needed.
Review and assess the adequacy of the committee charter annually, requesting board approval for proposed changes, and ensure appropriate disclosure as may be required by law or regulation. Confirm annually that all responsibilities outlined in this charter have been carried out. Evaluate the committee's and individual members' performance on a regular basis.
REPORTING RELATIONSHIPS
REPORTS TO: Chairman, Audit Committee, Board of Directors or Chief Executive Officer or Chief Financial Officer
COORDINATES WITH: Chief Executive Officer, Chief Financial Officer, Senior Management, Division and Department Management, External and Contract Auditors, Other Industry Organizations
SUPERVISES: Audit Managers, Staff and Project Teams
JOB FUNCTIONS
Range of Responsibility: Serves as the organization's chief audit executive and as a member of the executive management team. Performs advanced level professional internal auditing work as a key component of the corporate governance structure. Work involves directing a comprehensive audit program including performance, financial, and compliance audit projects; providing consulting services to the organization's management and staff; providing direction to development of the annual audit plan; and providing ongoing training, coaching and supervision to internal audit staff. Maintains organizational and professional ethical standards. Works independently with extensive latitude for initiative and independent judgement.
Other essential duties include, but are not limited to:
Directs audit staff in the planning, organizing, directing and monitoring of internal audit operations, including assisting in hiring, training and evaluating staff; and taking corrective actions to address performance problems.
Directs the identification and evaluation of the organization's risk areas and oversees the development of the annual audit plan.
Directs the overall performance of audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes and procedures.
Directs the audit staff in conducting interviews, reviewing documents, developing and administering surveys, composing summary memos, and preparing working papers.
Directs the audit staff in the identification, development, and documentation of audit issues and recommendations.
Communicates the results of audit and consulting projects via written reports and oral presentations to management and the board of directors.
Develops and maintains productive client, staff, management, and board relationships through individual contacts and group meetings.
Pursues professional development opportunities, including internal and external training and professional association memberships, and shares information gained with co-workers.
Represents internal audit at management and board meetings and with external organizations.
Performs related work as assigned by the audit committee of the board of directors.
PREFERRED QUALIFICATIONS
Experience in industry auditing or accounting, and in supervising and conducting audits in information systems and other areas pertinent to the industry. Graduate degree in business administration, public administration, or a related field.
This job description is intended only to describe the general nature of the position and does not constitute an all-inclusive list of duties, nor of the knowledge, skills, and abilities required to perform the job.
Risks are appropriately identified and managed.
Interaction with the various governance groups occurs as needed.
Significant financial, managerial, and operating information is accurate, reliable, and timely.
Employees' actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
Resources are acquired economically, used efficiently, and adequately protected.
Programs, plans, and objectives are achieved.
Quality and continuous improvement are fostered in the organization's control process.
Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately.
Opportunities for improving management control, profitability, and the organization's image may be identified during audits. They will be communicated to the appropriate level of management.
ACCOUNTABILITY
The chief audit executive, in the discharge of his/her duties, shall be accountable to management and the audit committee to:
Provide annually an assessment on the adequacy and effectiveness of the organization's processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
Report significant issues related to the processes for controlling the activities of the organization and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
Periodically provide information on the status and results of the annual audit plan and the sufficiency of activity resources.
Coordinate with and provide oversight of other control and monitoring functions (risk management, compliance, security, legal, ethics, environmental, external audit).
Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the audit committee for review and approval as well as periodic updates. Implement the annual audit plan, as approved, including as appropriate any special tasks or projects requested by management and the audit committee. Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter. Evaluate and assess significant merging/consolidating functions and new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion. Issue periodic reports to the audit committee and management summarizing results of audit activities. Keep the audit committee informed of emerging trends and successful practices in internal auditing. Provide a list of significant measurement goals and results to the audit committee. Assist in the investigation of significant suspected fraudulent activities within the organization and notify management and the audit committee of the results. Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the organization at a reasonable overall cost.
AUTHORITY The chief audit executive and staff of the internal audit activity are authorized to:
Have unrestricted access to all functions, records, property, and personnel. Have full and free access to the audit committee. Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives. Obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organization.
Perform any operational duties for the organization or its affiliates. Initiate or approve accounting transactions external to the internal auditing activity. Direct the activities of any organization employee not employed by the internal auditing activity, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.
STANDARDS OF AUDIT PRACTICE The internal audit activity will meet or exceed the Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors. _________________________________ Chief Audit Executive _________________________________ Chief Executive Officer ________________________________ Audit Committee Chair Dated ___________________________
This sample internal audit activity charter is one example of how the mission, accountabilities, independence, responsibilities, authority, and standards of audit practice may be summarized.
Mission Statements
MISSION STATEMENT # 1
Our mission is to provide a wide range of quality audit services to our customers. We will accomplish our mission by:
Performing independent assessments of systems controls and efficiency, guided by professional standards and using innovative approaches.
Supporting our customers' efforts to achieve their objectives.
Maintaining a dynamic, team-oriented environment which encourages personal and professional growth, and challenges and rewards our employees for excelling and reaching their full potential.
-Or-
MISSION STATEMENT # 2
Our mission is to assist members of management and the board of directors (or audit committee of the board of directors) in the effective discharge of their responsibilities. To this end internal audit will furnish them with analysis, recommendations, counsel, and information concerning activities reviewed.
In carrying out these objectives, the internal auditor's work should be performed with proficiency and due professional care. The staff shall:
Proficiency
Possess the knowledge, skills, and competencies needed to perform their individual responsibilities. The internal audit activity collectively should have the knowledge, skills, and competencies needed to perform its responsibilities (PPF Section 1210).
Due Professional Care
Should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility. (PPF Section 1220)
1. The internal auditor should exercise due professional care by considering the: (PPF Section 1220.A1)
Extent of work needed to achieve the engagement objectives.
Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
Adequacy and effectiveness of risk management, control, and governance processes.
Probability of significant errors, irregularities, or noncompliance.
Cost of assurance in relation to potential benefits.
2. The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. (PPF Section 1220.A2)
Continuing Professional Development
Shall enhance their knowledge, skills, and other competencies through continuing professional development. (PPF Section 1230)
All activities of the department shall be carefully planned by the chief audit executive, managers and auditors to ensure consistency with the department's charter and procedures and with the goals of the corporation.
RELATIONS WITH MANAGEMENT
It is the policy of internal auditing to conduct internal audits in a constructive manner. Whenever possible, the assistance of division personnel will be solicited in the planning and performance of the assignment. A spirit of collaborative teamwork between the auditor and those audited will be adhered to. This attitude shall not alter the fact that internal auditing personnel have full access to all records, personnel, properties, and any other sources of information needed in the performance of an audit. When necessary, special arrangements will be made for the examination of confidential or classified information.
From time to time, members of the audit staff may be assigned to work under the direction of the public accountants if such assignment is deemed to be in the best interest of the company (e.g., noteworthy savings in audit fees, beneficial staff training, etc.). During such assignment, the auditor will report to the public accountants for direction concerning work assignments. In other administrative matters, he or she will continue to look to the chief audit executive for direction.
SPECIAL ASSIGNMENTS
From time to time, members of the audit staff may, upon request, be assigned to work directly for other company divisions and departments on special projects which are in no way connected with internal auditing's program. During such assignments, the auditor will report to the requesting organization concerning work assignment; however, in other administrative matters, the auditor will look to the chief audit executive for direction.
REVIEW, ACKNOWLEDGMENT AND RESPONSE TO INTERNAL AUDIT REPORTS
It is the policy of internal auditing to reach agreement with affected personnel concerning the correctness of the facts surrounding the audit findings prior to distribution of the final report. Where appropriate, corrective action to be taken should be ascertained and included in the report. The individual responsible for the corrective action and the key milestone dates for corrective action completion should also be included. On occasion the internal audit staff may work with audit customers to seek the best solution to deficiencies noted during the audit. To assure that agreement is reached as to statements of facts, the audit results to be included in the report are reviewed with the division head, controller, or their designee who are later furnished a draft copy of the audit report for review prior to distribution. After the chief audit executive is satisfied that the audit report is appropriate in the circumstances, final distribution of the report is made.
Copies of the report are issued to the appropriate division personnel. When appropriate, excerpts from audit reports are forwarded to the functional corporate staff head. If responses (action taken or planned and the estimated date of implementation) to recommendations have not been included in the final report, the applicable audit manager and the chief audit executive will work with the division head to obtain mutually agreeable responses to audit points. These action plans will be forwarded to original report recipients. The chief audit executive is ultimately responsible for evaluating division responses. The internal audit department will work with division management and corporate executives as appropriate to resolve any inadequate response. On corporate audits, the audit report is issued to the functional corporate staff head who reviews and responds to the report.
b. Determine the degree of compliance with those policies, plans, procedures, laws, and regulations which have or could have a significant impact on operations and reports except as qualified by (f) below. Evaluate compliance with enterprise policies and procedures. Review compliance with governmental laws. Review compliance with new accounting rules and standards.
c. Assess the economy and efficiency with which resources are employed and assets are safeguarded. Provide counsel in implementing new systems and procedures. Advise on internal control matters.
d. Determine whether operating and financial objectives, goals, associated control procedures, and reported results are accurately and effectively prepared. Assess compliance with established standards of business ethics and the procedures for reporting violations or probable violations of enterprise policies. Report all potential conflicts of interest that come to his/her attention to the board or designated board committee. Many specialized activities of the enterprise can be more effectively reviewed by organizations other than the internal auditing activity. The responsible corporate officer will collaborate with the chief audit executive to reasonably ensure that adequate alternative compliance coverage is available for these selected activities. However, it will remain the responsibility of auditing to review and report on any matters of deficiency that may come to their attention in these specialized areas during the course of their regular audit coverage. Examples of these specialized compliance areas are: Environmental law and regulation. Adequacy of personnel records and quality of documentation.
e.
f.
Internal Auditing Functions
The chief audit executive will ensure that:
a. Organizations within the enterprise and its subsidiaries are audited at appropriate intervals. These audits will review the adequacy of operational and administrative procedures used to carry out responsibilities of planning, custody, control, and accounting in accordance with policies and instructions, and to determine that: These procedures are consistent with enterprise objectives and high standards of administrative practice. All echelons of management are providing higher management with accurate and properly prepared accounting and operating data, budget proposals, etc.
b. Audits of contracts are conducted in keeping with management's evaluation of risks associated with large project expenditures. Contract audits will also be conducted as needed to ensure compliance with enterprise policies. The findings of the examinations by auditors, their opinions and recommendations are reported promptly to management. Reports of such matters are to be designed to promote expeditious action by those concerned.
c.
Internal Audit Reports
Internal audit reports will be issued for each regular audit performed in the format specified and in accordance with the procedures established in the auditing activity. Accordingly, management will be held responsible for ensuring that corrective action is taken or planned within a reasonable period after a deficiency is reported. Management will also be required to continuously report on a quarterly basis their actions taken for each such deficiency until it is corrected. In this regard the chief audit executive will report to the audit committee of the board of directors any instance where a significant deficiency is not closed in such a manner, within a reasonable time, by the concerned management. Additionally, management will receive a quarterly summary of the audit activities and major findings reported within his/her administrative area for his/her review.
REPORTING RELATIONSHIPS
REPORTS TO: Audit Manager, Audit Supervisor or Senior Auditor
COORDINATES WITH: Audit Management, Senior Management, All Divisions and Departments, External and Contract Auditors
SUPERVISES: None
JOB FUNCTIONS
Range of Responsibility: Performs professional internal auditing work. Work involves conducting performance, financial and compliance audit projects; providing consulting services to the organization's management and staff; and providing input to development of the annual audit plan. Maintains all organizational and professional ethical standards. Works under limited supervision with moderate latitude for initiative and independent judgment.
Other essential duties include, but are not limited to: Assists in identifying and evaluating the organization's risk areas and provides input to the development of the annual audit plan. Performs audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes and procedures. Conducts interviews, reviews documents, develops and administers surveys, composes summary memos, and prepares working papers. Identifies, develops, and documents audit issues and recommendations using independent judgement concerning areas being reviewed. Communicates or assists in communicating the results of audit and consulting projects via written reports and oral presentations to management and the board of directors. Develops and maintains productive client and staff relationships through individual contacts and group meetings. Pursues professional development opportunities, including external and internal training and professional association memberships, and shares information gained with co-workers. Represents internal audit on organizational project teams and at management meetings. Performs related work as assigned by audit management.
MINIMUM QUALIFICATIONS
Education and Experience: Bachelor's degree from an accredited college or university. Two years of full-time experience in auditing, accounting, business analysis, or program evaluation. A graduate degree in business administration, public administration, or a related field, or certification as a CIA, CPA, or CISA may substitute for one year of required experience. The combination of a graduate degree and a certification may substitute for two years of required experience.
Must also have the following demonstrated knowledge, skills, and abilities: Knowledge of and skill in applying internal auditing and accounting principles and practices, and management principles and preferred business practices. Knowledge of the Standards for the Professional Practice of Internal Auditing and the Code of Ethics developed by The Institute of Internal Auditors. Knowledge of management information systems terminology, concepts, and practices. Knowledge of industry program policies, procedures, regulations, and laws. Skill in conducting quality control reviews of audit work products. Skill in collecting and analyzing complex data, evaluating information and systems, and drawing logical conclusions. Skill in planning and project management, and in maintaining composure under pressure while meeting multiple deadlines. Skill in negotiating issues and resolving problems. Skill in using a computer with word processing, spreadsheet, and other business software to prepare reports, memos, summaries, and analyses. Skill in effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations. Ability to establish and maintain harmonious working relationships with co-workers, agency staff, and external contacts, and to work effectively in a professional team environment.
PREFERRED QUALIFICATIONS Experience in industry auditing and accounting. Certification as a CIA, CPA, or CISA.
This job description is intended only to describe the general nature of the position and does not constitute an all-inclusive list of duties, nor of the knowledge, skills, and abilities required to perform the job.
MINIMUM QUALIFICATIONS
Education and Experience: Bachelor's degree from an accredited college or university, certification as a CIA, CPA, or CISA, and four years of full-time experience in auditing, accounting, business analysis, or program evaluation.
Must also have the following demonstrated knowledge, skills, and abilities: Considerable knowledge of and skill in applying internal auditing and accounting principles and practices, and management principles and preferred business practices. Knowledge of the Standards for the Professional Practice of Internal Auditing and the Code of Ethics developed by The Institute of Internal Auditors. Knowledge of management information systems terminology, concepts, and practices. Knowledge of industry program policies, procedures, regulations, and laws. Skill in conducting quality control reviews of audit work products. Skill in collecting and analyzing complex data, evaluating information and systems, and drawing logical conclusions. Considerable skill in planning and project management, and in maintaining composure under pressure while meeting multiple deadlines. Skill in negotiating issues and resolving problems. Considerable skill in using a computer with word processing, spreadsheet, and other business software to prepare reports, memos, summaries, and analyses. Considerable skill in effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations. Ability to establish and maintain harmonious working relationships with co-workers, staff and external contacts, and to work effectively in a professional team environment. PREFERRED QUALIFICATIONS Experience in industry auditing and accounting. Certification as a CIA, CPA, or CISA.
This job description is intended only to describe the general nature of the position and does not constitute an all-inclusive list of duties, nor of the knowledge, skills, and abilities required to perform the job.
REPORTING RELATIONSHIPS
REPORTS TO: Chief Audit Executive/Director of Internal Audit
COORDINATES WITH: Senior Management, All Divisions and Departments, External and Contract Auditors
SUPERVISES: Assigned Audit Staff and Project Teams
JOB FUNCTIONS
Range of Responsibility: Performs advanced level and/or managerial professional internal auditing work. Work involves managing or conducting performance, financial, and compliance audit projects; providing consulting services to organizational management and staff; providing major input to development of the annual audit plan; and providing training, coaching, and supervision to internal audit staff. Maintains all organizational and professional ethical standards. Works independently under general direction with extensive latitude for initiative and independent judgment.
Other essential duties include, but are not limited to: Assists the director of internal audit/chief audit executive in managing audit staff and in the planning, organizing, directing, and monitoring of internal audit operations, including assisting in hiring, training, and evaluating staff; taking corrective actions to address performance problems. Manages the identification and evaluation of the organization's risk areas and provides major input to the development of the annual audit plan. Manages the performance of audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes and procedures. Manages the audit staff in conducting interviews, reviewing documents, developing and administering surveys, composing summary memos, and preparing working papers. Manages the audit staff in the identification, development, and documentation of audit issues and recommendations. Communicates the results of audit and consulting projects via written reports and oral presentations to management and the board of directors. Develops and maintains productive client, staff, and management relationships through individual contacts and group meetings. Pursues professional development opportunities, including external and internal training and professional association memberships, and shares information gained with co-workers. Represents internal audit on organizational project teams, at management and board meetings and with external organizations. Performs related work as assigned by the director of internal audit/chief audit executive.
MINIMUM QUALIFICATIONS
Education and Experience: Bachelor's degree from an accredited college or university. Certification as a CIA, CPA, or CISA.
Must also have the following demonstrated knowledge, skills, and abilities: Extensive knowledge of and skill in applying internal auditing and accounting principles and practices, and management principles and preferred business practices. Considerable knowledge of the Standards for the Professional Practice of Internal Auditing and the Code of Ethics developed by The Institute of Internal Auditors. Knowledge of management information systems terminology, concepts, and practices. Considerable knowledge of industry program policies, procedures, regulations, and laws. Skill in conducting quality control reviews of audit work products. Skill in collecting and analyzing complex data, evaluating information and systems, and drawing logical conclusions. Extensive skill in planning and project management, and in maintaining composure under pressure while meeting multiple deadlines. Considerable skill in negotiating issues and resolving problems. Skill in using a computer with word processing, spreadsheet, and other business software to prepare reports, memos, summaries, and analyses. Considerable skill in effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations. Ability to establish and maintain harmonious working relationships with co-workers, staff and external contacts, and to work effectively in a professional team environment. PREFERRED QUALIFICATIONS Experience in industry auditing or accounting, and in supervising and conducting audits in information systems and other areas pertinent to the industry. Graduate degree in business administration, public administration, or a related field.
This job description is intended only to describe the general nature of the position and does not constitute an all-inclusive list of duties, nor of the knowledge, skills, and abilities required to perform the job.
SUPERVISES:
JOB FUNCTIONS
Range of Responsibility: Performs complex level professional internal auditing work. Work involves leading or conducting performance, financial, compliance, and information technology audit projects; providing consulting services to the organization's management and staff; providing key input to development of the annual audit plan; and providing training and coaching to internal audit staff. Responsible for identifying technology risks, and independently evaluating the efficiency and effectiveness of information technology infrastructure and application controls, including security and internal controls. Maintains all organizational and professional ethical standards. Works independently under general supervision with considerable latitude for initiative and independent judgment.
Other essential duties include, but are not limited to: Identifies and evaluates the organization's risk areas and provides key input to the development of the annual audit plan. Performs audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes and procedures. Conducts interviews, reviews documents, develops and administers surveys, composes summary memos, and prepares working papers. Identifies, develops, and documents audit issues and recommendations using independent judgment concerning areas being reviewed. Communicates or assists in communicating the results of audit and consulting projects via written reports and oral presentations to management and the board of directors. Develops and maintains productive client and staff relationships through individual contacts and group meetings. Pursues professional development opportunities, including external and internal training and professional association memberships, and shares information gained with co-workers. Represents internal audit on organizational project teams, at management meetings, and with external organizations. Provides or assists in providing training, coaching, and guidance to internal audit staff in conducting audits and other audit-related issues. Plans and executes audits of client/server technology platforms (Novell, NT, Unix, Sybase, mainframe) and evaluates IT internal controls and works collaboratively with management to identify actions needed. Conducts data extraction, analysis, and security reviews utilizing software tools. Supports audits and consulting engagements related to programming, mainframe batch and online processes, client-server architecture, Internet and intranet functionality, database extraction, technology strategy, and data communication and network security. Acts as liaison with IT business partners to ensure full understanding of data flow, data integrity, and system security. Assesses information technology control elements to mitigate IT risks regarding the confidentiality, integrity, and availability of business information. Performs related work as assigned by audit management.
MINIMUM QUALIFICATIONS
Education and Experience: Bachelor's degree from an accredited college or university, certification as a CISA, and four years of full-time experience in auditing, accounting, business analysis, or program evaluation, including two years' experience conducting information technology audits. A graduate degree in business administration, public administration or a related field, or a second certification (CIA, CPA, or CISA) may each substitute for one year of required experience (for a maximum substitution of two years).
Must also have the following demonstrated knowledge, skills, and abilities: Considerable knowledge of and skill in applying internal auditing and accounting principles and practices, and management principles and preferred business practices. Knowledge of the Standards for the Professional Practice of Internal Auditing and the Code of Ethics developed by The Institute of Internal Auditors. Knowledge of management information systems terminology, concepts, and practices. Knowledge of industry program policies, procedures, regulations, and laws. Skill in conducting quality control reviews of audit work products. Skill in collecting and analyzing complex data, evaluating information and systems, and drawing logical conclusions. Considerable skill in planning and project management, and in maintaining composure under pressure while meeting multiple deadlines. Skill in negotiating issues and resolving problems. Considerable skill in using a computer with word processing, spreadsheet, and other business software to prepare reports, memos, summaries, and analyses. Considerable skill in effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations. Ability to establish and maintain harmonious working relationships with co-workers, staff and external contacts, and to work effectively in a professional team environment.
Considerable knowledge of distributed technology (i.e., Unix/Sybase and Windows NT), Web-based technology, and basic infrastructure control issues. Considerable skill in assessing the effectiveness of internal controls over key IT risks, identifying significant exposures, analyzing transactions and other management information, and detecting changes in key risks and/or control effectiveness. Skill in developing appropriate recommendations to address exposures. Knowledge of generally accepted IS audit standards, statements and practices, and IS security and control practices. Ability to learn new operations quickly and work independently a must.
PREFERRED QUALIFICATIONS
Experience in industry auditing or accounting and in conducting audits in information systems and other areas pertinent to the industry. Exposure to CAAT (Computer Assisted Applications Testing). Experience with networking (Novell, Windows NT). Exposure to system security packages (RACF). Possess detailed technical skills in at least one platform (Unix/Sybase, Windows NT). High level of proficiency in information technology control concepts and systems development methodologies. Experience in performing new systems development audits, or related work experience.
ABC Company, Inc.
Corporate Internal Audit Policies and Procedures Manual
Index
Introduction
Audit Activity Charter
  Purpose
  Authority
  Independence
  Scope of Work
  Reporting
Audit Activity Organization
  Organization Chart
  Job Descriptions
  Code of Conduct
  Confidentiality
Audit Planning
  Audit Universe
  Risk Criteria
  Risk Evaluation
Administration
  A. Training
    On-the-job
    Formal Training
    Professional Organizations
    Professional Certifications
    Tuition Reimbursement
  B. Time Reporting
    Holidays
    Vacations
    Illness
    Project time
  C. Staff Evaluations
    Project Performance Reviews
    Annual Performance Reviews
    Performance Evaluation Guidelines
  D. Travel
    Credit Cards
    Cash Advances
    Ground Transportation
    Air Travel
    Lodging and Meal Expenses
    Other Travel Expense Guidelines
  E. Office
    Files
    Physical Security
    Reference Library
    Office Supplies
    Mail
    Telephone
Workpaper Samples
Audit Number:
TABLE OF CONTENTS
Reference*   Description
1    Audit Project Initiation
2    Final Audit
3    Audit Report
4    Audit Customer Responses to Audit Report
5    Audit Report Cross-Referenced to Workpapers
6    Audit Report Review Checklist
7    Audit Findings & Interim Audit Memos
8    Items for Discussion
9    Audit Administration Program
10   Audit Planning Documentation
11   Audit Project Time Summary
12   Matters to be Considered in Subsequent Audit
13   Audit Program Used during this Audit
Other (Identify each item consecutively beginning with 14): ________________________________________________________________ ________________________________________________________________ ________________________________________________________________ * Use reference numbers as shown for each item.
YOUR COMPANY, INC. Corporate Internal Audit Audit Title: Audit Number:
Planning:__________________ (Date Started) Fieldwork:_________________ (Date Started) Closeout Date: ___________ Report Date: _____________
NOTE: One of Internal Auditing's goals is to issue the audit report within 60 days of the closing meeting or within 15 days of resolution of external delays precluding report release, whichever comes last. Provide an explanation when the report is issued more than 60 days after the closing meeting, including discussion of external delays, if any.

Workpaper Approvals:
____________________________________ Supervisor
____________________________________ Manager

W/P Ref. 1
FINAL AUDIT CHECKLIST (W/P Ref. 2)

Instructions: The Project Supervisor is to complete this checklist prior to release of the final audit report, ensuring completion of all technical and administrative responsibilities.

Supervisor Initials

1. All working paper schedules reviewed and initialed by Supervisor. __________
2. All significant computations recalculated and initialed by Supervisor, including those supporting reported findings. __________
3. All W/Ps are free of inaccurate, misleading, irrelevant, or gratuitous comments or worksheets. __________
4. Conclusions reached by auditor(s) on individual tests are adequately supported and initialed by Supervisor. __________
5. Disposition of all potential audit findings, however significant or insignificant, adequately explained in W/Ps. __________
6. All program steps completed or an explanation for scope changes documented in the W/Ps and approved by Supervisor. __________
7. W/Ps comply with department W/P guidelines. __________
8. Actual time incurred compared to budget. Explanations provided for (a) deviations from departmental goals relative to completion within budget and on schedule and (b) other significant individual variances. __________
9. "Matters to be Considered in Subsequent Audit" filed in W/Ps. __________
10. Continuing audit file updated and all irrelevant data removed. __________
11. Previous draft of report reviewed by Manager, and all subsequent changes. __________
12. "Independent Audit Report Review Checklist," and Review notes completed. __________
13. Completed workpapers. __________
14. Project Supervisor and AIC review notes, for Manager review completed. __________
15. Completed Evaluation of AIC and assisting auditors unless previously submitted. __________

Supervisor ______________________ Date ________________
INDEPENDENT AUDIT REPORT REVIEW CHECKLIST (W/P Ref. 6)

Instructions: The Project Supervisor is responsible for arranging for the completion of this checklist by an individual independent of the audit, prior to the review of the initial audit report draft by the Audit Manager. The audit report must be cross-referenced to the audit working papers prior to submitting for an Independent Review. The person completing the checklist should be familiar with IIA Standard No. 430 and Statement on Internal Auditing Standards No. 2, both titled, Communicating Results.

Independent Reviewer Initials

I. Title Page
1. Audit title and as of date or period covered is consistent with body of report and "Audit Planning Documentation." __________

II. Distribution Page
1. Planned distribution is appropriate and in compliance with "Audit Planning Documentation." __________

III. Introduction
1. Information presented is factual, supported by working papers, consistent with "Audit Planning Documentation," and prior audit report, where applicable. __________

IV. Objectives
1. Are consistent with "Audit Planning Documentation." __________

V. Scope
1. Reflects audit location and timing. __________
2. Tests performed are supported by "Audit Program" and "Audit Planning Documentation." __________
3. Scope limitations, restrictions, or expansions are explained. __________
4. Project Supervisor and AIC are identified. __________

VI. Opinion
1. Addresses and is consistent with audit objectives. __________
2. Clearly presents findings and recommended actions. __________
3. Actions taken or pending are clearly stated with identification of responsibility and are supported by responses documented in the working papers. Necessity of response indicated. __________
4. Findings are consistent with working paper "Audit Findings" sheet(s). __________

VII. Attachments, Exhibits, or Details of Audit
1. Are referred to in and consistent with body of report. __________
2. Information presented is factual and supported by working papers. __________
3. Schedules footed and all amounts recomputed, as appropriate. __________
4. Coordinates of graphs and charts agree with working papers. __________

VIII. Other
1. Individuals involved in closeout meeting are identified. __________
2. Signature space identifies Manager. __________
3. All dates, amounts, references, abbreviations, titles, etc., are consistent throughout. __________
4. Report is appropriately clear and concise and void of grammatical and spelling errors. __________
AUDIT FINDINGS This is a preliminary listing of items considered to need corrective action, adjustment, and/or clarification. These items are considered preliminary and are subject to change based upon input from responsible management concerning the correctness of the facts as stated.
NAME               POSITION/TITLE     COMPANY            DATE
_______________    _______________    _______________    _______________
W/P REF.    IAM No.    AUDIT FINDINGS
INTERIM AUDIT MEMORANDUM (No. _____)
Audit Customer Manager ________________________________ Auditor ____________
Audit of _______________________________________ W.P. Ref. __________
Response Due Date ______________________________
Concern: Cause
Criteria/Standard:
Consequence (Effect
Recommendation:
ITEMS FOR DISCUSSION

This is a listing of items, which the auditors believe should be brought to the attention of responsible management for informational or decisional purposes. These are not audit findings.

FINDINGS DISCUSSED WITH:
NAME               POSITION/TITLE     COMPANY            DATE
_______________    _______________    _______________    _______________
ITEMS FOR DISCUSSION (Continued)
W/P Ref.    Item for Discussion
________    ________
Page ___ of ___ W/P Ref. 8
AUDIT ADMINISTRATION PROGRAM

Work Done By

Planning and Preliminary Survey
1. Discuss the general objectives of the audit with the Project Supervisor and Manager. Determine the specific approach to take in preparing for the preliminary survey, if necessary, and in completing the "Audit Planning Documentation" (workpaper ref. 10). __________
2. Prepare and obtain approval of the "Audit Planning Documentation," as follows:
a. Discuss the planning approach with the Project Supervisor and Manager. Determine how communications will be made with audit customer. __________
b. Review any applicable financial data in Internal Auditing's library such as Operating Reports, Annual Reports, 10K's, etc. __________
c. Review prior audit workpapers and reports including related reports from other departments. __________
d. Include a copy of the "Matters to be Considered in Subsequent Audit" from the prior audit in the present planning documentation. Indicate the disposition of each item. __________
e. Perform a preliminary survey, if necessary, to identify specific risks and the audit approach to these risks. The preliminary survey should include a review of any existing Internal Accounting Control Documentation. Include copies of pertinent sections of the documentation in the working papers and ensure key control techniques relative to the audit are tested. __________
f. Utilize available, assisting auditors to the extent possible. __________
g. Review the current system documentation, to determine the availability of data using audit software. Document the approach to be used and arrange for technical support if necessary. __________
Planning and Preliminary Survey (Continued)
h. Prepare or update detail audit programs. __________
i. Determine what information is needed for the audit that is to be produced by the audit customer. __________
j. Determine staffing requirements. __________
k. Complete a budget, setting out estimated time to complete work (will not necessarily agree with the time allocated in annual audit plan). __________
l. Document planning in the "Audit Planning Documentation" format and submit for approval. __________
accommodation and working space
3. Obtain approval of transportation and accommodation arrangements and times of departure. Secure approved transportation and accommodations. Ensure all members of the audit team are aware of Travel Policies. Arrange for working space with audit customer. __________

Administration of Field Work
1. Meet briefly with audit customer personnel to introduce audit staff and to discuss audit objectives. __________
2. Discuss and fix responsibility for any requests of audit customer personnel. __________
3. During the audit (at least weekly) inform audit customer management of the status of the audit. __________
4. Maintain control over workpapers during the audit. __________

W/P Ref. 9
Administration of Field Work (Continued)
5. Ensure the daily work is planned to achieve maximum efficiency. __________
6. Review systematically work performed by assisting auditors. Ensure applicable program steps have been satisfactorily completed; conclusions are properly stated; and workpapers are well documented, support the conclusions, and are well organized. __________
7. Keep the Project Supervisor informed of the progress of the audit, i.e., time, needed changes to audit scope, problems with audit customer, audit findings, etc. __________
8. Daily ensure actual time is posted to the "Audit Project Time Report." __________
9. Draft "Audit Findings" for closing meeting. Reference findings to the working papers. __________
10. Schedule Project Supervisor and Manager review. Clear review notes. __________
11. Discuss staff evaluations with Project Supervisor. The AIC is responsible for preparing the staff evaluation forms for the assisting auditors. __________
12. Schedule closing meeting as soon as possible after field work (goal is 10 workdays). __________

Prior Audit Findings
1. Determine whether audit findings from prior audits have been adequately resolved. Document your review in current working papers and place a copy in the working papers of the prior audit. __________

Report
1. Attend the closing meeting and establish a due date for audit customer responses, if required, to the audit findings. __________

W/P Ref. 9
Report (Continued)
2. Draft the report (during field work, if possible) and submit to Project Supervisor in good form for approval. __________
3. Have the report draft referenced to the workpapers by an auditor independent of the current audit. __________
a. Referencer to complete the "Independent Audit Report Review Checklist."
b. Project Supervisor to approve all changes to the report and approve clearance of all referencer review notes.
Note: The final report is to be approved by the AIC and Project Supervisor prior to being signed by the Manager, or his designee.
4. Final report filed (W/P Ref. 3). __________

Wrap-up
1. Ensure all review notes have been adequately cleared in the working papers. __________
2. Summarize the "Audit Project Time Summary" W/P Ref. 11, and tie in to the EIS records. Explain significant variations of actual versus budgeted time. __________
3. Complete the Audit Project Initiation for the working papers (W/P Ref. 1.) __________
4. Bind working papers and submit to Project Supervisor. Ensure all applicable matters in the "Table of Contents" are included in the working papers. __________
AUDIT PLANNING DOCUMENT

I. GENERAL INFORMATION
Audit Location(s):
Planned Start Date:
Est. Completion Date:
Audit Type:
First Time Audit? Yes ( ) No ( )
Cyclical Review Yes ( ) No ( )

II. AUDIT OBJECTIVES AND SCOPE OF WORK
OBJECTIVES (Attach any schedules necessary to support objectives; see standard attachments list, page 3 of this document.)
The objectives of this audit are to determine whether:
III. BACKGROUND INFORMATION
REASON FOR REVIEW
Scheduled Audit ( ) Special Request ( ) Other ( ) (Describe)

PRIOR AUDIT
Report Number: __________________ Report Date: __________________
Significant Prior Findings? Yes ( ) No ( )
Summary Findings:

IV. RESOURCES NECESSARY
STAFF
AIC: ______________________________________________________
Assistants: ________________________________________________

W/P Ref. 10
STAFF HOUR INFORMATION
Budget (Internal Audit Plan) _______ Estimate ________ Prior Audit ______
(See Audit Staff Budget, Attachment A)
Joint Participation: _______________________________________
(For groups external to Internal Auditing - identify extent & nature.)
Explanation of Difference of 10 Staff days or 10 Percent (Whichever is Greater) Between Estimate and Budget of Prior Audit.

V. COMMUNICATION OF AUDIT PLANS
Arranged With:
Audit customer: _______________________________________
External Auditors: ______________________________________
Special Problems Discussed, etc.: __________________________________
(See Contact List - Attachment B)

VI. ONSITE SURVEY
(Describe scope, who discussed with, and pertinent comments.)
______________________________________________________________

VII.

VIII. COMMUNICATION OF AUDIT RESULTS
See Proposed Distribution List - Attachment C.

W/P Ref. 10
IX. APPROVAL OF WORK PLAN
PREPARED BY
AIC/Preparer _______________________________ DATE __________
APPROVED BY
Project Supervisor ___________________________ __________
Manager ______________________________________ __________
Director _____________________________________ __________

ATTACHMENTS (Attachment No.)
( ) Audit Staff Budget __A__
( ) Contact List __B__
( ) Proposed Audit Report Distribution __C__
( ) Prior Findings (if applicable) _____
YOUR COMPANY, INC. Corporate Internal Audit Audit Title: Audit Number:
MATTERS TO BE CONSIDERED IN SUBSEQUENT AUDIT List below any items left pending that need to be followed up during the next audit. Also, list significant changes to take effect before the next audit, suggestions on what audit techniques might be helpful in performing audit tasks, and any areas not covered on the current Audit Findings sheet that might warrant special attention during the next month.
[Blank time summary form. Columns: W/E Date; Auditor; Planning; Fieldwk; Report; % (Total Hrs Period Total / Total Hrs. Project). Summary rows: Tot Curr Period; Tot Prev Period; Total to Date; Est to Complete; Total Project; Budget; Budget Variance; % Budget.]
[Blank weekly time report form. Columns: Week 1; Week 2; Week 3; Week 4; Week 5, each with a W/Ending Date. Rows under Direct Hours: Project Name (five lines); Total Direct. Rows under Indirect Hours: Holiday; Vacation; Illness; Training; Admin; Other; Total Indirect. Final row: Total Hours.]
[Blank monthly time report form. Header: Month Ending. Columns: Project Name; Prev; Curr; YTD; Hours Est; Total; Budget; Var; Schd Var. Summary rows: Total Direct; Total Indirect; Grand Total; Tot Wks Stf Wkd; Tot Wks Period; Curr Staff Size; Aver Staff Size; Aver Hrs/Staff.]
External assessments, such as quality assurance reviews, should be conducted at least once every 5 years by a qualified, independent reviewer (team) from outside the organization. The following steps outlined by the IIA will assist us in getting started on the external assessment:

1. Read the new Standards and the Code of Ethics and think about them in light of our organization. Are any immediate changes needed? An advance review of the Standards can help us get started on improvements before a review team arrives.
2. Review the Practice Advisories, especially advisories related to quality assurance.
3. Talk with internal auditors from other organizations about their experiences with quality assurance reviews. Obtain an understanding of how the review process might work, how to best prepare for one and review team selection process. IIA Chapter meetings are a good forum for this step.
4. Contact organizations that might be willing to perform the quality assurance review. Consider organizations like the IIA, accounting firms, or other consultants.
5. Obtain a proposal from at least 2 of these organizations and then select the one that provides the best value.

The Chief Audit Executive will communicate the results of the internal and external assessments to the Board of Directors/Audit Committee.
Extracted from The Internal Audit Manual Shell on CD-ROM, Institute of Internal Auditors, Altamonte Springs, FL, March 2002, Procedure B-6 The Institute of Internal Auditors
Exhibit 7-5 was extracted from an article titled "When Good Isn't Good Enough" by F. Lloyd Chester, reprinted with permission from the August 1993 issue of Internal Auditor, published by The Institute of Internal Auditors, Inc. and modified to reflect current Standards and practices.
Grading Element

1. Survey work papers, project management form, engagement announcement letter, audit workpapers, and other applicable documents are completed on schedule. Travel requests, orders, country clearances, passport visas, and lodging arrangements pursued sufficiently in advance to ensure minimum lost time on the audit. (5 points)
2. For each audit objective was an audit program developed for its attainment. (10 points)
3. Was management given interim progress reports during the audit; entrance and exit interviews with appropriate management officials were scheduled in advance, adjusted as necessary, and held when agreed. (5 points)
4. All workpapers are reviewed to ensure that they are complete, correct, and fully support the conclusions of the discussion draft findings and are turned in to the audit manager with the issuance of the response draft. (15 points)
5. Discussion draft addresses all audit objectives. All discussion draft findings are fully validated and cross-referenced to the conclusion portion of the summary workpapers; the conclusion portion is fully cross-referenced to the appropriate detailed workpapers. (15 points)
6. Met approved time frames (discussion and response drafts) and cost goals. (10 points)
7. Quality of the written product (discussion and response draft reports of audit). (20 points)
8. The audit provided added value to the organization. (20 points)
Exhibit 7-3 was extracted from an article titled "When Good Isn't Good Enough" by F. Lloyd Chester, reprinted with permission from the August 1993 issue of Internal Auditor, published by The Institute of Internal Auditors, Inc. and modified to reflect current Standards and practices.
Compliance Checklist
The following questions were derived from The IIA's Standards for the Professional Practice of Internal Auditing (Standards), including the Glossary that accompanies the Standards.

The Charter
1. Do we have a written charter?
2. Has the board or other governing body approved it?
3. Does it clearly describe internal auditing's purpose, authority, and responsibility?
4. Does it describe internal auditing's role in risk management, governance, and control processes?
5. Does it include adding value and improving the organization's operations as part of the responsibility of the function?
6. Does it establish the internal audit function at a level within the organization that allows the internal audit activity to fulfill its responsibilities?
7. Does it authorize access to records, personnel, and physical properties relevant to the performance of engagements?
8. Does it clearly describe the scope of internal audit activities?
9. Does it define the nature of consulting and assurance services to be provided to the organization?
10. Does it define the nature of assurances that are to be provided to parties outside the organization?
11. Have we reviewed the elements of our charter and considered whether or not they are consistent with the various descriptions and requirements of internal auditing as presented in the revised definition and Standards for the Professional Practice of Internal Auditing?

Independence and Objectivity
12. Is our internal audit activity organizationally independent?
13. Does the chief audit executive report to a level in the organization that allows us to fulfill our responsibilities without interference?
14. When providing assurance to third parties, such as senior management or the board, are we able to determine the scope of internal auditing, perform our work, and communicate the results without interference?
15. Are our internal auditors objective?
16. Do we value and require individual auditor objectivity as essential to effective internal audit services?
17. Do we refuse to make quality compromises or subordinate our judgment on audit matters to others?
18. Do we have a policy and procedure for disclosing apparent or actual impairments to independence and objectivity?
19. Do we make every effort to keep internal auditors from assessing operations for which they were previously responsible if the engagement is designed to provide assurance?
20. Do we require auditors to wait at least one year before providing assurance in areas for which they were previously responsible?
21. Do we note an impairment to objectivity if an auditor provides assurance services for an activity for which the auditor was responsible during the previous year?
22. Do we employ someone outside the audit activity (a manager from another organizational area, for example) to oversee assurance engagements for functions over which the chief audit executive has responsibility?
23. If there are potential impairments to independence or objectivity relating to proposed consulting engagements, do we disclose those impairments to the engagement client prior to accepting the engagement?
25. Was there anything about the audit(s) and/or other audit services such as consulting that you especially liked? (Include new or existing areas where you think audits should be increased and/or consulting services received or which would be helpful.) ___________________________________________________________
Were you or key members of your staff previously informed of all major issues contained in the draft report?
Was the exit briefing held on the date and at the time agreed?
At the exit briefing, were all findings discussed with you in the level of detail you desired?
At the exit briefing, were the auditors flexible in addressing issues of word changes, style, and perspective of findings?
Were all issues of fact (not interpretation) resolved during the exit interview?
Were replies (or reply instructions) discussed during the exit briefing?
How much value do you feel this audit added to the organization? (No Value 0 1; High Value 9 10)

19. What three specific changes can we make to best improve our audit process?
A.
B.
C.
Exhibit 7-3 was extracted from an article titled "When Good Isn't Good Enough" by F. Lloyd Chester, reprinted with permission from the August 1993 issue of Internal Auditor, published by The Institute of Internal Auditors, Inc. and modified to reflect current Standards and practices.