8. Managing the Internal Audit Activity I


Upload: juris-renier-mendoza

Post on 05-Jan-2016


STUDY UNIT EIGHT
MANAGING THE INTERNAL AUDIT ACTIVITY I

8.1 Planning
8.2 Communication of Plans
8.3 Reporting
8.4 Relationship with the Audit Committee
8.5 Resource Management
8.6 Policies and Procedures
8.7 Study Unit 8 Summary

This is the first of two study units on management of the internal audit activity (IAA). According to General Performance Standard 2000 – Managing the Internal Audit Activity,

The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

Practice Advisory 2000-1: Managing the Internal Audit Activity elaborates on this responsibility as follows:

1. The chief audit executive is responsible for properly managing the internal audit activity so that:

● Engagement work fulfills the general purposes and responsibilities described in the charter, approved by senior management, and accepted by the board.
● Resources of the internal audit activity are efficiently and effectively employed.
● Engagement work conforms to the International Standards for the Professional Practice of Internal Auditing.

The chief audit executive (CAE) should (1) establish risk-based plans, (2) communicate plans and resource needs to senior management and the board for their approval, (3) develop policies and procedures, (4) coordinate efforts with other service providers, and (5) report periodically to senior management and the board. The CAE also must develop a quality assurance and improvement program for the IAA.

Core Concepts

■ The CAE establishes risk-based plans to determine the IAA’s priorities. They should be consistent with the goals of the organization.
■ Planning involves establishing (a) goals, (b) engagement work schedules, (c) staffing plans and financial budgets, and (d) activity reports.
■ Plans should be based on risk assessment.
■ The audit universe includes components of the organization’s strategic plan.
■ The CAE communicates plans and resource requirements to senior management and the board for review and approval.
■ The CAE reports to senior management and the board on the IAA’s (a) purpose, (b) authority, (c) responsibility, and (d) performance. The CAE also reports on significant risk, control, and governance issues, as well as other matters upon request.
■ The audit committee and the IAA have interlocking goals. Thus, a strong working relationship is essential for them to fulfill their responsibilities.
■ Sound governance depends on the synergy among (a) the board, (b) management, (c) internal auditing, and (d) external auditing.
■ The CAE ensures that the IAA’s resources are appropriate, sufficient, and effectively used.
■ The CAE establishes policies and procedures to guide the IAA.


Copyright © 2008 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com


8.1 PLANNING

1. This subunit concerns the need for risk-based planning for the IAA. Planning for the management of the IAA is addressed in one Specific Performance Standard, one Assurance Implementation Standard, one Consulting Implementation Standard, and two Practice Advisories.

2. 2010 Planning – The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.

a. PRACTICE ADVISORY 2010-1: PLANNING

1. Planning for the internal audit activity should be consistent with its charter and with the goals of the organization. The planning process involves establishing:

● Goals.
● Engagement work schedules.
● Staffing plans and financial budgets.
● Activity reports.

2. The goals of the internal audit activity should be capable of being accomplished within specified operating plans and budgets and, to the extent possible, should be measurable. They should be accompanied by measurement criteria and targeted dates of accomplishment.

3. Engagement work schedules should include the following:

● What activities are to be performed;
● When they will be performed; and
● The estimated time required, taking into account the scope of the engagement work planned and the nature and extent of related work performed by others.

4. Matters to be considered in establishing engagement work schedule priorities should include:

● The dates and results of the last engagement;
● Updated assessments of risks and effectiveness of risk management and control processes;
● Requests by senior management, the audit committee, and the governing body;

NOTE: Governmental regulatory requirements (for example, an audit of the use of financial assistance provided from public funds) also may be a source of engagements.

● Current issues relating to organizational governance;
● Major changes in the enterprise’s business, operations, programs, systems, and controls;
● Opportunities to achieve operating benefits; and
● Changes to and capabilities of the audit staff. The work schedules should be sufficiently flexible to cover unanticipated demands on the internal audit activity.


PA Summary

● Planning for the IAA is subject to its charter and organizational goals. The process establishes (1) goals, (2) work schedules, (3) staffing plans and financial budgets, and (4) activity reports.

● IAA goals should be (1) accomplished within specified plans and budgets, (2) measurable, and (3) accompanied by criteria and accomplishment dates.

● Work schedules answer the questions what is to be done, when, and how long (considering work planned and the work performed by others).

● Setting work schedule priorities requires consideration of matters ranging from results of prior engagements to changes in the entity’s business.

b. PRACTICE ADVISORY 2010-2: LINKING THE AUDIT PLAN TO RISK AND EXPOSURES

1. The internal audit activity’s plan should be designed based on an assessment of risk and exposures that may affect the organization. Ultimately, the objective is to provide management with information to mitigate the negative consequences associated with accomplishing the organization’s objectives. The degree or materiality of exposure can be viewed as risk mitigated by establishing control activities.

NOTE: Risk is concerned with the probability rather than the certainty of loss. Assessing the risk of an activity involves analysis of numerous factors, estimation of probabilities and amounts of potential losses, and an appraisal of the costs and benefits of risk reduction. Consequently, in assessing the magnitude of risk associated with any factor in a risk model, the necessity of informed judgment by the internal auditor is implied.

2. The audit universe can include components from the organization’s strategic plan. By incorporating components of the organization’s strategic plan, the audit universe will consider and reflect the overall business plan objectives. Strategic plans are also likely to reflect the organization’s attitude toward risk and the degree of difficulty in achieving planned objectives. It is advisable to assess the audit universe on at least an annual basis to reflect the most current strategies and direction of the organization. The audit universe can be influenced by the results of the risk management process. When developing plans, the outcomes of the risk management process should be considered.

3. Work schedules should be based on, among other factors, an assessment of risk priority and exposure. Prioritizing is needed to make decisions for applying relative resources based on the significance of risk and exposure. A variety of risk models exist to assist the chief audit executive in prioritizing potential engagement subject areas. Most risk models use risk factors to establish the priority of engagements, such as dollar materiality, asset liquidity, management competence, quality of internal controls, degree of change or stability, time of last engagement, complexity, and employee and government relations.

4. Changes in management direction, objectives, emphasis, and focus should be reflected in updates to the audit universe and related plan.

5. In conducting engagements, methods and techniques for testing and validating exposures should be reflective of the risk materiality and likelihood of occurrence.


6. Management reporting and communication should convey risk management conclusions and recommendations to reduce exposures. For management to fully understand the degree of exposure, it is critical that reporting identify the criticality and consequence of the risk activity to achieving objectives.

7. The chief audit executive should, at least annually, prepare a statement of the adequacy of internal controls to mitigate risks. This statement should also comment on the significance of unmitigated risk and management’s acceptance of such risk.

PA Summary

● The IAA’s plan is based on an assessment of risk and exposure. The objective is to provide information to help management mitigate the negative consequences of accomplishing the organization’s objectives. The degree of exposure is risk mitigated by control.

● The audit universe may reflect the organization’s strategic plan. Thus, it may reflect (1) the overall business objectives, (2) the attitude toward risk, (3) the difficulty of reaching objectives, and (4) the results of risk management. The audit universe should be assessed at least annually to reflect the most current strategies and direction of the organization.

● Work schedules are based on an assessment of risk priority and exposure. Various risk models may be used to prioritize engagements. Most risk models are based on risk factors, e.g., quality of controls, degree of change, or materiality.

● The audit universe and plan must be updated for changes in management direction.

● Methods of testing exposures should reflect risk materiality and probability.

● Management reporting must state risk management conclusions and recommendations. It also must identify the criticality and consequence of the risk activity.

● The CAE should prepare an annual statement of the adequacy of controls, the significance of unmitigated risk, and management’s acceptance of such risk.

3. 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

4. 2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Those engagements that have been accepted should be included in the plan.


8.2 COMMUNICATION OF PLANS

1. This subunit concerns communicating the IAA’s plans to senior management and the board. The topic is covered in one Specific Performance Standard and one Practice Advisory.

2. 2020 Communication and Approval – The chief audit executive should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

a. PRACTICE ADVISORY 2020-1: COMMUNICATION AND APPROVAL

1. The chief audit executive should submit annually to senior management for approval, and to the board for its information, a summary of the internal audit activity’s work schedule, staffing plan, and financial budget. The chief audit executive should also submit all significant interim changes for approval and information. Engagement work schedules, staffing plans, and financial budgets should inform senior management and the board of the scope of internal auditing work and of any limitations placed on that scope.

2. The approved engagement work schedule, staffing plan, and financial budget, along with all significant interim changes, should contain sufficient information to enable the board to ascertain whether the internal audit activity’s objectives and plans support those of the organization and the board.

PA Summary

● The CAE annually submits to senior management for approval and to the board a summary of the IAA’s work schedule, staffing plan, and financial budget. The CAE also submits all significant interim changes. The scope of work and any limitations on it should be disclosed.

● These communications should allow the board to determine whether the IAA’s objectives and plans are consistent with the organization’s.


8.3 REPORTING

1. This subunit addresses reporting of the IAA’s accomplishments and other matters. The topic is the subject of one Specific Performance Standard and one Practice Advisory.

2. 2060 Reporting to the Board and Senior Management – The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

a. PRACTICE ADVISORY 2060-1: REPORTING TO THE BOARD AND SENIOR MANAGEMENT

1. The chief audit executive should submit activity reports to senior management and to the board at least annually. Activity reports should highlight significant engagement observations and recommendations and should inform senior management and the board of any significant deviations from approved engagement work schedules, staffing plans, and financial budgets, and the reasons for them.

2. Significant engagement observations are those conditions that, in the judgment of the chief audit executive, could adversely affect the organization. Significant engagement observations may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and control weaknesses. After reviewing such conditions with senior management, the chief audit executive should communicate significant engagement observations and recommendations to the board, whether or not they have been satisfactorily resolved.

3. Management’s responsibility is to make decisions on the appropriate action to be taken regarding significant engagement observations and recommendations. Senior management may decide to assume the risk of not correcting the reported condition because of cost or other considerations. The board should be informed of senior management’s decisions on all significant observations and recommendations.

4. The chief audit executive should consider whether it is appropriate to inform the board regarding previously reported, significant observations and recommendations in those instances when senior management and the board assumed the risk of not correcting the reported condition. This may be particularly necessary when there have been organization, board, senior management, or other changes.

5. In addition to subjects covered above, activity reports should also compare (a) actual performance with the internal audit activity’s goals and engagement work schedules, and (b) expenditures with financial budgets. Reports should explain the reason for major variances and indicate any action taken or needed.

NOTE: Thus, the CAE should report key performance indicators.


PA Summary

● The CAE submits activity reports at least annually. They describe (1) significant engagement observations (those adversely affecting the organization) and recommendations and (2) significant deviations from work schedules, staffing plans, and financial budgets, and the reasons for them.

● Significant observations and recommendations are reviewed with senior management and then communicated to the board, whether or not resolved.

● Management is responsible for making decisions about actions to be taken but may assume the risk of not correcting the reported conditions. The board should be informed of all decisions regarding significant matters.

● The CAE considers whether the board should be informed about previously reported significant matters when senior management and the board assumed the risk of not correcting the reported condition.

● Activity reports also compare (1) performance with goals and work schedules and (2) expenditures with budgets. Reports explain major variances and indicate action taken or needed.

8.4 RELATIONSHIP WITH THE AUDIT COMMITTEE

1. This subunit consists of one Practice Advisory that describes the IAA’s roles and responsibilities in its dealings with the governance body commonly known as the audit committee. The PA interprets Standard 2060 (see Subunit 8.3). The subunit also contains additional outlines of the audit committee’s characteristics and responsibilities, including a sample charter.

a. PRACTICE ADVISORY 2060-2: RELATIONSHIP WITH THE AUDIT COMMITTEE

1. The term “audit committee,” as used in this document, refers to the governance body that is charged with oversight of the organization’s audit and control functions. Although these fiduciary duties are often delegated to an audit committee of the board of directors, the information in this Practice Advisory is also intended to apply to other oversight groups with equivalent authority and responsibility, such as trustees, legislative bodies, owners of an owner-managed entity, internal control committees, or full boards of directors.

2. The Institute of Internal Auditors recognizes that audit committees and internal auditors have interlocking goals. A strong working relationship with the audit committee is essential for each to fulfill its responsibilities to senior management, board of directors, shareholders, and other outside parties. This Practice Advisory summarizes The Institute’s views concerning the aspects and attributes of an appropriate relationship between an audit committee and the internal audit function. The Institute acknowledges that audit committee responsibilities encompass activities that are beyond the scope of this advisory and in no way intends it to be a comprehensive description of audit committee responsibilities.


3. There are three areas of activities that are key to an effective relationship between the audit committee and the internal audit function, chiefly through the Chief Audit Executive (CAE):

● Assisting the audit committee to ensure that its charter, activities, and processes are appropriate to fulfill its responsibilities.

● Ensuring that the charter, role, and activities of internal audit are clearly understood and responsive to the needs of the audit committee and the board.

● Maintaining open and effective communications with the audit committee and the chairperson.

Audit Committee Responsibilities

4. The CAE should assist the committee in ensuring that the charter, role and activities of the committee are appropriate for it to achieve its responsibilities. The CAE can play an important role by assisting the committee to periodically review its activities and suggesting enhancements. In this way, the CAE serves as a valued advisor to the committee on audit committee and regulatory practices. Examples of activities that the CAE can undertake are:

● Reviewing the charter for the audit committee at least annually and advising the committee whether the charter addresses all responsibilities directed to the committee in any terms of reference or mandates from the board of directors.

● Reviewing or maintaining a planning agenda for the audit committee’s meeting that details all required activities to ascertain whether they are completed. The agenda assists the committee in reporting to the board annually that it has completed all assigned duties.

● Drafting the audit committee’s meeting agenda for the chairman’s review, facilitating the distribution of the material to the audit committee members, and writing up the minutes of the audit committee meetings.

● Encouraging the audit committee to conduct periodic reviews of its activities and practices compared with current best practices to ensure that its activities are consistent with leading practices.

● Meeting periodically with the chairperson to discuss whether the materials and information being furnished to the committee are meeting their needs.

● Inquiring of the audit committee whether any educational or informational sessions or presentations would be helpful, such as training new committee members on risk and controls.

● Inquiring of the committee whether the frequency and time allotted to the committee are sufficient.

Internal Audit Activity’s Role

5. The CAE’s relationship to the audit committee should revolve around a core role of the CAE ensuring that the audit committee understands, supports, and receives all assistance needed from the internal audit function. The IIA supports the concept that sound governance is dependent on the synergy generated among the four principal components of effective corporate governance systems: boards of directors, management, internal auditors, and external auditors. In that structure, internal auditors and audit committees are mutually supportive. Consideration of the work of internal auditors is essential for the audit committee to gain a complete understanding of an organization’s operations. A primary component of the CAE’s role with the committee is to ensure this objective is accomplished and the committee views the CAE as their trusted advisor. The CAE can perform a number of activities to accomplish this role:


● Request that the committee review and approve the internal audit charter on an annual basis.

● Review with the audit committee the functional and administrative reporting lines of internal audit to ensure that the organizational structure in place allows adequate independence for internal auditors (Practice Advisory 1110-2: Chief Audit Executive (CAE) Reporting Lines).

● Incorporate in the charter for the audit committee the review of hiring decisions, including appointment, compensation, evaluation, retention, and dismissal of the CAE.

● Incorporate in the charter for the audit committee the review and approval of proposals to outsource any internal audit activities.

● Assist the audit committee in evaluating the adequacy of the personnel and budget, and the scope and results of the internal audit activities, to ensure that there are no budgetary or scope limitations that impede the ability of the internal audit function to execute its responsibilities.

● Provide information on the coordination with and oversight of other control and monitoring functions (e.g., risk management, compliance, security, business continuity, legal, ethics, environmental, external audit).

● Report significant issues related to the processes for controlling the activities of the organization and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.

● Provide information on the status and results of the annual audit plan and the sufficiency of department resources to senior management and the audit committee.

● Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the audit committee for review and approval as well as periodic updates.

● Report on the implementation of the annual audit plan, as approved, including as appropriate any special tasks or projects requested by management and the audit committee.

● Incorporate into the internal audit charter the responsibility for the internal audit department to report to the audit committee on a timely basis any suspected fraud involving management or employees who are significantly involved in the internal controls of the company, assist in the investigation of significant suspected fraudulent activities within the organization, and notify management and the audit committee of the results.

● Inform the audit committee that quality assessment reviews of the internal audit activity should be done every five years to comply with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards). Regular quality assessment reviews will provide assurance to the audit committee and to management that internal auditing activities conform to Standards.


Communications with the Audit Committee

6. To a large degree, the overall effectiveness of the CAE and audit committee relationship will revolve around the communications between the parties. Today’s audit committees expect a high level of open and candid communications. If the CAE is to be viewed as a trusted advisor by the committee, communication is the key element. Internal auditing, by definition, can help the audit committee accomplish its objectives by bringing a systematic, disciplined approach to its activities. However, in the absence of appropriate communication, it is not possible for the committee to determine whether internal auditing has met its objectives. The chief audit executive should consider providing communications to the audit committee in the following areas:

● Discussion of sensitive issues in private meetings on a regular basis.
● Annual summary report or assessment of the results of the audit activities relating to the defined mission and scope of audit work.
● Periodic reports to the audit committee and management summarizing results of audit activities.
● Information about emerging trends and successful practices in internal auditing.
● Discussion of fulfillment of committee information needs.
● Review of completeness and accuracy of information submitted.
● Confirmation of coordination of activities between internal and external auditors. The CAE should determine whether there is any duplication between the work of the internal and external auditors and give the reasons for such duplication.

PA Summary

● The audit committee or its equivalent is a governance body that oversees audit and control.

● The audit committee and the IAA have interlocking goals and must have a strong relationship so that both may fulfill their responsibilities.

● The CAE assists the audit committee by (1) helping it to review its activities and (2) suggesting enhancements. The CAE may (1) review the audit committee’s charter to advise whether all of the committee’s responsibilities are addressed, (2) review or maintain its planning agenda to determine whether all activities are completed, (3) draft its meeting agenda for review and write up the minutes of meetings, (4) encourage periodic committee reviews for comparison with current best practices, (5) meet with the chair to discuss whether the information received by the audit committee is sufficient, (6) inquire about providing educational presentations, and (7) inquire about the sufficiency of the frequency and time allotted to the audit committee.

● The CAE’s core role is to ensure that the audit committee understands, supports, and receives all assistance needed from the IAA. The principal components of an effective governance system are (1) the board, (2) management, (3) the IAA, and (4) external auditing. Consideration of the work of the IAA is essential to the audit committee’s understanding of operations. The CAE ensures (1) accomplishment of this objective and (2) that the audit committee views the CAE as a trusted advisor.


● The CAE’s role as advisor to the audit committee includes suggesting steps to promote the IAA’s status and independence, for example, audit committee review of (1) the IAA charter annually, (2) functional and administrative reporting lines, (3) decisions about the employment of the CAE, (4) outsourcing of IAA functions, (5) personnel and budgets, and (6) scope and results of IAA functions.

● The CAE also should (1) develop a risk-based and flexible annual audit plan to be approved by the audit committee, (2) report on its implementation, and (3) provide information about its results and the sufficiency of IAA resources.

● The CAE reports on (1) coordination with and oversight of other control and monitoring functions and (2) issues related to control processes. Moreover, the CAE includes in the IAA charter the responsibility for timely reporting of suspected fraud involving anyone significantly involved in internal control, assisting in the investigation, and notifying management and the audit committee of the results. The CAE also informs the audit committee that a quality assessment review of the IAA should be done every five years to comply with the Standards.

● Communication is the key element in the relationship of the CAE and the audit committee. Thus, regular private meetings should be held. The CAE should consider communications about the following: (1) annual and periodic reports, (2) trends and practices in auditing, (3) fulfilling the audit committee’s information needs, (4) reviewing information for completeness and accuracy, and (5) confirming coordination with external auditors and explaining any duplication of work.

2. Audit committees. The audit committee is a subcommittee of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent and to assure that the directors are exercising due care.

a. The role of an audit committee or an equivalent in strengthening the position of auditors is widely recognized. The audit committee should

1) Have a written charter developed by its governing authority describing its duties and responsibilities.

2) Review the independence of the external auditor.

3) Report to stakeholders (e.g., shareholders). Reports should include a letter from the chair of the audit committee describing its responsibilities and activities.

4) Monitor compliance with codes of conduct and legal and regulatory standards.

5) Have sufficient resources.

6) Oversee the regulatory reporting process.

7) Monitor instances in which management seeks second opinions on significant accounting issues.

b. Many stock exchanges require a listed organization to have an audit committee.

c. An audit committee composed of nonmanagement directors promotes the independence of all auditors, especially when it selects the external audit firm and the chief audit executive. A strong audit committee insulates the auditors from influences that may compromise their independence and objectivity.

1) An audit committee also may serve as a mediator of disputes between the auditors and management.


d. Audit Committee Functions

1) Select an external auditor and review the audit fee and the engagement letter

2) Review the external auditor’s overall audit plan

3) Review preliminary annual and interim financial statements

4) Review results of engagements performed by external auditors, including the management letter (advice and observations not required to be communicated by auditing standards)

5) Approve the charter of the internal audit activity (Standard 1000)

6) Review and approve the internal audit activity’s plans and resource requirements and receive a summary of the IAA’s work schedule, staffing plan, and financial budget (Standard 2020 and PA 2020-1)

7) Communicate directly with the chief audit executive, who should regularly attend and participate in meetings (PA 1110-1)

8) Review evaluations of risk management, control, and governance processes reported by the internal auditors

9) Ensure that engagement results are given due consideration and receive distributions of final engagement communications by the internal auditors (PA 2440-1)

10) Review policies on unethical and illegal procedures

11) Review financial statements to be transmitted to regulatory agencies

12) Participate in the selection of accounting policies

13) Review the impact of new or proposed legislation or regulations

14) Review the organization’s insurance program

15) Consider the effectiveness and efficiency of information systems

16) Evaluate executive performance and compensation

e. External auditors have recognized the importance of reporting to audit committees or comparable governance bodies. Among the matters that may be communicated are (1) internal-control-related matters, (2) significant accounting policies, (3) management judgments and accounting estimates, (4) significant audit adjustments, (5) disagreements with management, and (6) difficulties encountered during the audit.

1) One of the factors encompassed by the control environment component of internal control is participation by the board, audit committee, or other governing authority. The control consciousness of the organization is improved if the audit committee is (a) independent of management, (b) composed of experienced and respected people, (c) extensively involved in oversight of organizational activities, (d) willing to raise and pursue difficult questions with management, and (e) in close communication with the internal and external auditors.

2) Fraud involving senior management or fraud that materially misstates the financial statements should be reported directly to the audit committee.

a) The external auditors also should obtain assurance that the audit committee is adequately informed about other illegal acts coming to the auditors’ attention.


f. The following is The IIA’s sample charter for the audit committee (Sawyer’s Internal Auditing, 5th ed., pages 1328-1332):

Audit Committee Charter

PURPOSE

To assist the board of directors in fulfilling its oversight responsibilities for the financial reporting process, the system of internal control, the audit process, and the company’s process for monitoring compliance with laws and regulations and the code of conduct.

AUTHORITY

The audit committee has authority to conduct or authorize investigations into any matters within its scope of responsibility. It is empowered to:

Appoint, compensate, and oversee the work of any registered public accounting firm employed by the organization.

Resolve any disagreements between management and the auditor regarding financial reporting.

Pre-approve all auditing and non-audit services.

Retain independent counsel, accountants, or others to advise the committee or assist in the conduct of an investigation.

Seek any information it requires from employees – all of whom are directed to cooperate with the committee’s requests – or external parties.

Meet with company officers, external auditors, or outside counsel, as necessary.

COMPOSITION

The audit committee will consist of at least three and no more than six members of the board of directors. The board or its nominating committee will appoint committee members and the committee chair.

Each committee member will be both independent and financially literate. At least one member shall be designated as the “financial expert,” as defined by applicable legislation and regulation.

MEETINGS

The committee will meet at least four times a year, with authority to convene additional meetings, as circumstances require. All committee members are expected to attend each meeting, in person or via tele- or video-conference. The committee will invite members of management, auditors, or others to attend meetings and provide pertinent information, as necessary. It will hold private meetings with auditors (see below) and executive sessions. Meeting agendas will be prepared and provided in advance to members, along with appropriate briefing materials. Minutes will be prepared.

RESPONSIBILITIES

The committee will carry out the following responsibilities:

Financial Statements

● Review significant accounting and reporting issues, including complex or unusual transactions and highly judgmental areas, and recent professional and regulatory pronouncements, and understand their impact on the financial statements.

● Review with management and the external auditors the results of the audit, including any difficulties encountered.

● Review the annual financial statements, and consider whether they are complete, consistent with information known to committee members, and reflect appropriate accounting principles.

● Review other sections of the annual report and related regulatory filings before release and consider the accuracy and completeness of the information.

● Review with management and the external auditors all matters required to be communicated to the committee under generally accepted auditing standards.

● Understand how management develops interim financial information, and the nature and extent of internal and external auditor involvement.

● Review interim financial reports with management and the external auditors before filing with regulators, and consider whether they are complete and consistent with the information known to committee members.


Internal Control

● Consider the effectiveness of the company’s internal control system, including information technology security and control.

● Understand the scope of internal and external auditors’ review of internal control over financial reporting, and obtain reports on significant findings and recommendations, together with management’s responses.

Internal Audit

● Review with management and the chief audit executive the charter, plans, activities, staffing, and organizational structure of the internal audit function.

● Ensure there are no unjustified restrictions or limitations, and review and concur in the appointment, replacement, or dismissal of the chief audit executive.

● Review the effectiveness of the internal audit function, including compliance with The Institute of Internal Auditors’ Standards.

● On a regular basis, meet separately with the chief audit executive to discuss any matters that the committee or internal audit believes should be discussed privately.

External Audit

● Review the external auditors’ proposed audit scope and approach, including coordination of audit effort with internal audit.

● Review the performance of the external auditors, and exercise final approval on the appointment or discharge of the auditors.

● Review and confirm the independence of the external auditors by obtaining statements from the auditors on relationships between the auditors and the company, including non-audit services, and discussing the relationships with the auditors.

● On a regular basis, meet separately with the external auditors to discuss any matters that the committee or auditors believe should be discussed privately.

Compliance

● Review the effectiveness of the system for monitoring compliance with laws and regulations and the results of management’s investigation and follow-up (including disciplinary action) of any instances of noncompliance.

● Review the findings of any examinations by regulatory agencies, and any auditor observations.

● Review the process for communicating the code of conduct to company personnel, and for monitoring compliance therewith.

● Obtain regular updates from management and company legal counsel regarding compliance matters.

Reporting Responsibilities

● Regularly report to the board of directors about committee activities, issues, and related recommendations.

● Provide an open avenue of communication between internal audit, the external auditors, and the board of directors.

● Report annually to the shareholders, describing the committee’s composition, responsibilities and how they were discharged, and any other information required by rule, including approval of non-audit services.

● Review any other reports the company issues that relate to committee responsibilities.

Other Responsibilities

● Perform other activities related to this charter as requested by the board of directors.

● Institute and oversee special investigations as needed.

● Review and assess the adequacy of the committee charter annually, requesting board approval for proposed changes and ensure appropriate disclosure as may be required by law or regulation.

● Confirm annually that all responsibilities outlined in this charter have been carried out.

● Evaluate the committee’s and individual members’ performance on a regular basis.


g. In response to numerous financial reporting scandals involving large businesses, various countries have enacted laws and regulations relating to corporate governance. These laws and regulations often include provisions addressing the role of the audit committee or a comparable governance body. The following are examples of such provisions:

1) Each member of the audit committee may be required to be independent of the board.

2) The audit committee may be required to be directly responsible for appointing, compensating, and overseeing the work of the external auditors, who should report directly to the audit committee.

3) The audit committee may be required to implement procedures for the receipt, retention, and treatment of complaints about accounting and auditing matters.

4) The audit committee also may be required to be appropriately funded by the organization and may hire independent counsel or other advisors.

8.5 RESOURCE MANAGEMENT

1. This subunit addresses management of human resources of the internal audit activity. It includes one Specific Performance Standard and one Practice Advisory.

2. 2030 Resource Management – The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

a. PRACTICE ADVISORY 2030-1: RESOURCE MANAGEMENT

1. The chief audit executive (CAE) is primarily responsible for the sufficiency and management of the internal audit resources in a manner that ensures the fulfillment of the internal audit’s responsibilities as detailed in the internal audit charter. This includes effective communications and reporting of resource needs and status to senior management and the board. Internal audit resources may include employees, external resources, or a combination thereof. Ensuring the adequacy of the internal audit resources is ultimately a responsibility of the organization’s board and senior management, and the CAE should assist them in discharging this responsibility.

2. The skills, capabilities and technical knowledge of the internal audit resources must be appropriate for the planned activities. The CAE should conduct a periodic skills assessment or inventory to determine the specific skills required to perform the internal audit activities. The skills assessment should be based on and consider the various needs identified in the risk assessment and audit plan. The CAE should then determine and assign resources that possess the skills, knowledge, and competencies identified by the skills assessment. This may include assessments of technical skills, language skills, business knowledge, fraud detection and prevention, accounting and auditing expertise. The CAE must ensure that the skills assessment is driven by the needs of the audit coverage and that this coverage is not being determined primarily by the capabilities present within the internal audit organization.

Recognizing the dynamic nature of risk, the CAE should periodically update the skills assessment. Based on these updates, the CAE may consider needs to increase the skills, capabilities and knowledge of the existing staff. The extent and formality of the skills assessment should be appropriate for the size and complexity of the internal audit function.


3. Internal audit resources, both staffing and financial, should be sufficient to execute the audit activities in both the depth and timeliness expected by the audit committee and management. Resourcing plans should consider carefully the resultant audit coverage and components such as

a. The amount of the audit universe that is covered over what period of time.

b. The coverage of the higher risk areas in the plan.

c. The geographic coverage.

d. The capacity for unplanned projects, management requests, or other non-audit events.

e. The nature and extent of the work to be performed.

4. The CAE must also ensure that resources are effectively deployed. This includes assigning auditors who are competent and qualified for specific assignments. It also includes developing a resourcing approach and organizational structure that are appropriate for the business structure, complexity, and geographical dispersion of the organization.

5. In considering the sufficiency of resourcing levels, if trade-offs are considered for cost or other reasons, the CAE should ensure that the decision process includes clear communications of the impact on the timing or coverage of the objectives stated in the internal audit plan. If the CAE believes that resourcing levels are insufficient to accomplish the internal audit charter, that view should be clearly communicated to the board and senior management for their final determination.

6. From an overall resource management standpoint, the CAE should also consider other aspects such as succession planning, staff evaluation and development programs, and other human resource disciplines. The CAE must also ensure that the resourcing needs of internal audit are appropriately addressed, whether those skills are present or not within the internal audit function itself. The CAE should consider other approaches to addressing resource needs including external sourcing arrangements, other company employees, or specialized consultants.

7. Because of the critical nature of resources, the CAE should maintain ongoing communications and dialogue with senior management and the board on the adequacy of resources for the internal audit function. At least annually, the CAE should present a detailed summary of status and adequacy of resources to the board. The CAE should ensure that the board is provided with relevant, reliable, and accurate data to demonstrate the adequacy of resources. To that end, the CAE should develop appropriate metrics, goals, and objectives that could be used to monitor the overall adequacy of resources. This can include (a) comparisons of resources to the audit plan, (b) the impacts of temporary shortages or vacancies, (c) educational and training activities, and (d) changes to specific skill needs and requirements as determined by changes in the organization’s businesses or risk profiles and third-party arrangements.


PA Summary

● The CAE is primarily responsible for the sufficiency and management of IAA resources, including effective communication of needs and status to senior management and the board. These parties ultimately must ensure the adequacy of resources. Resources may include employees, external resources, or a combination.

● The CAE conducts a periodic skills assessment (inventory) based on the audit coverage needs identified in the risk assessment and audit plan. Audit coverage should not be determined primarily by the capabilities present within the IAA. Updates of the skills assessment may reveal a need to increase the skills, capabilities, and technical knowledge of the staff.

● Resources should be sufficient for audit activities performed in the ways expected by the audit committee and management. Resourcing plans address coverage issues such as (1) the amount of the audit universe covered in a given period, (2) high-risk areas, (3) geographic coverage, (4) capacity to meet unplanned demands, and (5) nature and extent of work.

● Resources must be effectively deployed. The CAE must assign auditors qualified for their tasks and develop an appropriate resourcing approach and organizational structure.

● If cost or other tradeoffs are considered in resource decisions, the CAE should clearly communicate the effects on the timing or coverage of the audit plan and the accomplishment of the IAA’s objectives. If resources are insufficient, that view should be clearly communicated to the board and senior management.

● The CAE also considers such matters as succession planning, staff evaluation and development, and other human resource disciplines. Appropriately addressing resource needs may require consideration of the use of external sourcing, specialized consultants, or other employees of the organization.

● The CAE should have ongoing communication with senior management and the board about resource adequacy. The CAE also should give the board, at least annually, a detailed summary of resource status and adequacy. The CAE should provide metrics and objectives appropriate for monitoring resource adequacy, for example, (1) comparisons of resources with the audit plan; (2) the effects of temporary shortages; (3) educational and training activities; and (4) changes in skill needs because of changes in businesses, risk profiles, and third-party arrangements.

3. Job Descriptions

a. Facilitate recruiting by stating explicit job requirements

b. Provide objective promotion criteria

c. Are used to justify adequate salaries

d. Express organizational expectations of employees

e. Compel the internal audit activity to engage in personnel planning

f. May be prepared for the chief audit executive and other administrators

1) The internal audit activity’s charter is effectively a job description for the CAE.

NOTE: The descriptions for the positions of manager, supervisor, and senior are presented beginning on the next page (adapted from Sawyer, Dittenhofer, and Scheiner, Sawyer’s Internal Auditing, pages 846, 847, and 848, respectively).


MANAGER

Purpose

● To administer the internal audit activity of an assigned location or operation.

● To develop a comprehensive, practical program of engagement coverage for the assigned location or operation.

● To obtain accomplishment of the program in accordance with acceptable engagement standards and stipulated schedules.

● To maintain effective working relations with executive and operating management.

Authority and Responsibility

Within the general guidelines provided by the chief audit executive:

● Prepares a comprehensive, long-range program of engagement coverage for the location to which assigned.

● Identifies those activities subject to engagement coverage, evaluates their significance, and assesses the degree of risk inherent in the activity in terms of cost, schedule, and quality.

● Establishes the related departmental structure.

● Obtains and maintains an audit staff capable of accomplishing the internal audit function.

● Assigns engagement areas, staff, and budget to supervisors.

● Develops a system of cost and schedule control over engagement projects.

● Establishes standards of performance and, by review, determines that performance meets the standards.

● Provides executive management within the assigned location with reports on engagement coverage and engagement results, and interprets those results so as to improve the engagement program and the engagement coverage.

● Establishes and monitors accomplishment of objectives directed toward increasing the internal audit activity’s ability to serve management.

SUPERVISOR

Purpose

● To develop a comprehensive, practical program of engagement coverage for assigned areas.

● To supervise the activities of staff assigned to the review of various organizational and functional activities.

● To ensure conformance with acceptable standards, plans, budgets, and schedules.

● To maintain effective working relations with operating management.

● To provide for and conduct research and develop manuals and training guides.

Authority and Responsibility

Under the general guidance of a manager:

● Supervises the work of staff engaged in the reviews of organizational and functional activities.

● Provides a comprehensive, practical schedule of annual engagement coverage within general areas assigned by the manager.

● Determines areas of risk and appraises their significance in relation to operational factors of cost, schedule, and quality. Classifies engagement projects as to degree of risk and significance and as to frequency of coverage.

● Provides for flexibility in engagement schedules so as to be responsive to management’s special needs.

● Schedules projects and staff assignments so as to comply with management’s needs, within the scope of the internal audit activity’s overall schedule.

● Coordinates the program with the organization’s public accountant.

● Reviews and approves the purpose, scope, and approach of each engagement project for assigned areas.

● Directs engagement projects to see that professional standards are maintained in the planning and execution and in the accumulation of information.

● Counsels and guides staff to see that the approved engagement objectives are met and that adequate, practical coverage is achieved.

● Reviews and edits engagement communications and, in organizations with the auditor-in-charge for the assigned project, discusses the communications with appropriate management.

● Presents oral briefing to branch-level management.


● Provides for and performs research on engagement techniques.

● Provides formal plans for the recruiting, selecting, training, evaluating, and supervising of staff personnel. Develops manuals and other training aids.

● Accumulates data, maintains records, and prepares reports on the administration of engagement projects and other assigned activities.

● Identifies factors causing deficient conditions and recommends courses of action to improve the conditions, including special surveys and audits.

● Provides for a flow of communication from operating management to the manager and to the chief audit executive. Assists in evaluating overall results of the engagements.

SENIOR

Purpose

● To conduct reviews of assigned organizational and functional activities.

● To evaluate the adequacy and effectiveness of the management controls over those activities.

● To determine whether organizational units are performing their planning, accounting, custodial, risk management, or control activities in compliance with management instructions, applicable statements of policy and procedures, and in a manner consistent with both organizational objectives and high standards of administrative practice.

● To plan and execute engagements in accordance with accepted standards.

● To report engagement observations and to make recommendations for correcting unsatisfactory conditions, improving operations, and reducing cost.

● To perform special reviews at the request of management.

● To direct the activities of assistants.

Authority and Responsibility

Under the general guidance of a supervisor:

● Surveys functions and activities in assigned areas to determine the nature of operations and the adequacy of the system of control to achieve established objectives.

● Determines the direction and thrust of the proposed engagement effort.

● Plans the theory and scope of the engagement, and prepares an engagement work program.

● Determines the engagement procedures to be used, including statistical sampling and the use of information technology.

● Identifies the key control points of the system.

● Evaluates a system’s effectiveness through the application of a knowledge of business systems, including financial, manufacturing, engineering, procurement, and other operations, and an understanding of engagement techniques.

● Recommends necessary staff required to complete the engagement.

● Performs the engagement in a professional manner and in accordance with the approved engagement work program.

● Obtains, analyzes, and appraises information as a basis for an informed, objective conclusion (opinion) on the adequacy and effectiveness of the system and the efficiency of performance of the activities being reviewed.

● Directs, counsels, and instructs staff assistants assigned to the engagement, and reviews their work for sufficiency of scope and for accuracy.

● Makes oral or written presentations to management during and at the conclusion of the engagement, discussing observations and recommending corrective action to improve operations and reduce cost.

● Prepares formal written communications, expressing opinions on the adequacy and effectiveness of the system and the efficiency with which activities are carried out.

● Appraises the adequacy of the corrective action taken to improve deficient conditions.


4. Selection of Staff

a. Modern internal auditing demands a superior staff.

1) Staffing provides the personnel necessary to carry on the work of the IAA.2) Mediocre personnel are incapable of carrying out progressive programs.3) Each internal auditor must have the capacity to expand his/her abilities as

management makes increasing demands for modern services.b. The CAE should set high standards for the staff.c. Professional education, ability, and certain personality traits are needed.d. Source of Staff

1) Promoting from within has many advantages:

a) The character, personality, work attitudes, and other personal qualifications of staff members are known.
b) Internal recruits are familiar with organizational policies and practices and have a broader perspective of operations.
c) Experience and work qualifications can be closely evaluated.
d) Internal recruiting can promote staff morale.

2) Recruiting experienced personnel externally also has advantages:

a) The organization can attract specific skills needed.
b) The range of possible services is broadened.
c) New ideas are brought to the organization.
d) Training costs are reduced.

3) Recruiting of university graduates is another possibility.

a) The organization must be able to train and develop personnel.
b) Benefits include updating accounting and auditing skills.

e. Interviewing and testing techniques

1) The selection of staff is dependent on evaluating applicants.
2) The interviews should be carefully planned and structured.
3) Competent interviewers should be assigned.
4) Supervisors of the new staff should be present at the interviews.
5) Appropriate questions and forms should be prepared in advance to evaluate

a) Technical qualifications and educational background
b) Personal appearance
c) Ability to communicate
d) Work experience and judgment
e) Motivation
f) Potential to contribute to the organization

6) Applicants who have earned the CIA designation have demonstrated qualifications in internal auditing. Other qualities can be examined by a variety of tests that will vary with the job to be filled.

a) Writing ability. Sawyer, Dittenhofer, and Scheiner suggest requiring a written engagement communication from the applicant based on a prescribed format and a hypothetical situation. Grading criteria for evaluation of writing ability include correctness, conciseness, clarity, organization, and vocabulary.


b) Ability to organize thoughts. Sawyer, Dittenhofer, and Scheiner suggest the applicant arrange a series of 25 statements to describe an engagement observation.

i) The statements are mixed and given identifying numbers. The applicant is asked to arrange them in proper sequence.

c) Ability to distinguish between fact and speculation. The applicant must identify the statements of undeniable fact and of mere conjecture in a brief paragraph.

5. Training of Staff

a. Staff orientation. An adequate orientation program provides reasonable assurance that the new employee will become productive promptly. It promotes employee morale and deters good employees from leaving.

1) The orientation program should be well designed and controlled.
2) Appropriate materials should be devised.
3) Employees should be familiarized with organizational policies.
4) The technical orientation may extend to

a) Introductions to staff personnel and other employees
b) Discussion of engagement objectives
c) Copies of internal auditing manuals
d) Discussion of duties and responsibilities
e) Control of work
f) General information on the structure of the organization
g) Literature on modern internal auditing
h) Working paper techniques
i) Development of engagement observations
j) Communication formats
k) Instructor’s follow-up and feedback after new staff member has performed actual fieldwork

b. Objectives of staff training are to

1) Assist internal auditing to do a better job
2) Add versatility to the IAA
3) Help develop supervisory skill
4) Prepare the staff member for promotion
5) Improve job satisfaction, organizational loyalty, and productivity
6) Improve technical skills
7) Update knowledge of new professional pronouncements and reporting techniques (continuing education)

c. Possible training formats include

1) Formal classroom study
2) Self-study
3) Attendance at formal meetings of The IIA and other groups
4) Industry conferences
5) University courses
6) On-the-job training
7) Research projects


d. Required components of a successful training program

1) The trainee’s commitment and interest
2) Sufficient time and resources to permit training objectives to be met
3) High-quality training materials
4) Trainee participation
5) Reinforcement

e. One aspect of a successful, ongoing training program is holding regular staff meetings to explain new techniques, discuss new policies, and receive suggestions from staff.

6. Evaluation of Staff

a. A written appraisal of each internal auditor’s performance is required at least annually.

b. The evaluation provides a basis for counseling subordinates on their strong and weak attributes, opportunities for advancement, and programs for self-improvement.

c. The evaluation is a basis for promotions, transfers, and compensation adjustments.

d. The evaluation is done by the person with responsibility for the particular employee.

e. Criteria for evaluation are weighted and applied to performance on specific projects. Personnel whose performance is being appraised should be notified of the criteria and methods at the time they begin employment. The criteria include type of skill required, extent of responsibility, scope of effort, and nature of working conditions.

f. Each auditor should receive a full explanation of the appraisal and results of his/her evaluation.

8.6 POLICIES AND PROCEDURES

1. This subunit concerns the formal guidance to be provided by the chief audit executive. This guidance is discussed in one Specific Performance Standard and in one Practice Advisory.

2. 2040 Policies and Procedures – The chief audit executive should establish policies and procedures to guide the internal audit activity.

a. PRACTICE ADVISORY 2040-1: POLICIES AND PROCEDURES

1. The form and content of written policies and procedures should be appropriate to the size and structure of the internal audit activity and the complexity of its work. Formal administrative and technical audit manuals may not be needed by all internal auditing entities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the audit staff in the consistent compliance with the internal audit activity’s standards of performance.

PA Summary

● Written policies and procedures for the IAA should be appropriate to its size, structure, and work. Formal manuals may not be needed for all IAAs. A small IAA may be managed informally. A large IAA may require more formal and comprehensive policies and procedures.


3. Personnel manuals describe the organization and its relationship to employees, including

a. Objectives and goals (also of divisions, subsidiaries, etc.)
b. History
c. Fringe benefits (medical, pension, life insurance, etc.)
d. Vacation and sick-pay policies
e. Promotion policies
f. Development and training programs

4. Audit (technical) manuals provide guidance on completing specific engagements in compliance with the technical standards and policies of the IAA. They include

a. General and specific guidelines on

1) Engagement objectives (may classify types of engagements)
2) Theory and purpose of internal auditing
3) Scope of engagement, engagement work programs, and time budgets
4) Working papers
5) Engagement communications
6) Internal controls
7) Internal administration
8) Performance standards

b. Special technical topics, such as

1) Information technology auditing
2) Statistical sampling
3) Procedures for suspected fraud
4) Fraud investigations

c. Matters related to administration of an individual engagement, such as

1) Notification of client about a pending engagement
2) Preliminary survey and engagement work program
3) Engagement time budget and changes in it
4) Application of engagement procedures
5) Changes in engagement work programs
6) Working paper preparation, review, and control
7) Communication draft review with clients
8) Communication format
9) Communication review
10) Client replies to engagement communications
11) Follow-up on observations and recommendations

5. Administrative policy and procedure manuals guide the operation of the IAA. They may contain

a. The charter
b. A policy statement of the relationship of the IAA with other subunits
c. The definition of responsibilities of personnel
d. An IAA organizational chart
e. Approvals required for actions
f. Personnel policies unique to the IAA
g. Personnel records
h. Travel instructions
i. Expense reports
j. Time reports
k. Staff evaluations
l. Descriptions for permanent files, temporary files, and working paper retention


m. Communication preparation and review procedures
n. Engagement research responsibilities
o. Training and education programs
p. The history of the IAA, including the relationship with management and the board, to provide staff auditors with the activity’s philosophy and approach to internal auditing.

8.7 STUDY UNIT 8 SUMMARY

1. Planning for the IAA is subject to its charter and organizational goals. The process establishes (a) goals, (b) work schedules, (c) staffing plans and financial budgets, and (d) activity reports.

2. The IAA’s plan is based on assessment of risk and exposure. The objective is to provide information to mitigate risk. The audit universe may reflect the organization’s strategic plan. Thus, it may reflect (a) the overall business objectives, (b) attitude toward risk, (c) the difficulty of reaching objectives, and (d) the results of risk management.

3. The CAE annually submits to senior management and the board a summary of the IAA’s work schedule, staffing plan, and financial budget. They should disclose the scope of work and any limitations on it.

4. The CAE submits activity reports at least annually. They (a) highlight significant engagement observations (those adversely affecting the organization) and (b) are informative of significant deviations from work schedules, etc., and the reasons for them. Significant observations and recommendations are reviewed with senior management and then communicated to the board, whether or not resolved.

5. The audit committee oversees audit and control. The audit committee and the IAA must have a strong relationship so that both may fulfill their responsibilities.

6. The principal components of the governance system are (a) the board, (b) management, (c) the IAA, and (d) external auditing. Considering the work of the IAA is essential to the audit committee’s understanding of operations. The CAE ensures accomplishment of this objective and that the audit committee views the CAE as a trusted advisor.

7. The CAE’s functions include

a. Assisting the audit committee to ensure that its charter, activities, and processes are appropriate to fulfill its responsibilities.

b. Ensuring that the charter, role, and activities of internal audit are clearly understood and responsive to the needs of the audit committee and the board.

c. Maintaining open and effective communication with the audit committee and the chairperson.

8. The CAE is primarily responsible for the sufficiency, appropriateness, and effective deployment of the resources of the IAA consistent with the approved audit plan. Thus, the CAE must (a) conduct a periodic skills assessment, (b) assign auditors qualified for their task, (c) develop an appropriate sourcing approach and organizational structure, (d) clearly communicate the effects of resource decisions, (e) consider staff development and evaluation, (f) consider use of resources external to the IAA, (g) have ongoing communication with senior management and the board about resource adequacy, and (h) provide the board at least annually with a detailed summary of resource status.

9. Written policies and procedures for the IAA should be appropriate to its size, structure, and work. A small IAA may be managed informally.
