internal audit roles

Upload: asis-koirala

Post on 03-Jun-2018


  • 8/11/2019 Internal Audit Roles

    1/20


    2. Developing assessments and reports on the organization's risk management processes is normally a high audit priority. Evaluating management's risk processes is different from the requirement that auditors use risk analysis to plan audits. However, information from a comprehensive risk management process, including the identification of management and board concerns, can assist the internal auditor in planning audit activities.

    3. The chief audit executive should obtain an understanding of management's and the board's expectations of the internal audit activity in the organization's risk management process. This understanding should be codified in the charters of the internal audit activity and audit committee.

    4. Responsibilities and activities should be coordinated among all groups and individuals with a role in the organization's risk management process. These responsibilities and activities should be appropriately documented in the organization's strategic plans, board policies, management directives, operating procedures, and other governance-type instruments. Examples of some of the activities and responsibilities that should be documented include:

    - Setting strategic direction may reside with the board or a committee;

    - Ownership of risks may be assigned at the senior management level;

    - Acceptance of residual risk may reside at the executive management level;

    - Identifying, assessing, mitigating, and monitoring activities on a continuous basis may be assigned at the operating level; and

    - Periodic assessment and assurance to others should reside with the internal audit activity.

    5. Internal auditors are expected to identify and evaluate significant risk exposures in the normal course of their duties.

    6. The internal audit activity's role in the risk management process of an organization can change over time and may be found at some point along a continuum that ranges from

    - No role, to

    - Auditing the risk management process as part of the internal audit plan, to

    - Active, continuous support and involvement in the risk management process, such as participation on oversight committees, monitoring activities, and status reporting, to

    - Managing and coordinating the risk management process.

    7. Ultimately, it is the role of executive management and the audit committee to determine the role of internal audit in the risk management process. Management's view on internal audit's role is likely to be determined by such factors as the culture of the organization, ability of the internal auditing staff, and local conditions and customs of the country.

    8. Additional guidance can be found in the following Practice Advisories:

    - PA 2100-4 Internal Audit's Role in Organizations without a Risk Management Process

    - PA 1130.A1-2 Internal Audit Responsibility for Other (Non-Audit) Functions (Study Unit 2)

    - PA 2110-1 Assessing the Adequacy of Risk Management Processes

    - PA 2010-2 Linking the Audit Plan to Risk and Exposures (Study Unit 8)

    2 SU 4: Internal Audit Roles II

    Copyright 2008 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com


    PA Summary

    Risk management is the responsibility of management. Management should ensure that a sound risk management process (RMP) is in place and functioning. Oversight bodies ensure that processes are in place, adequate, and effective. Internal auditors examine, evaluate, report, and recommend improvements. They also play a consulting role in identifying, evaluating, and implementing risk management methods and controls.

    Assessing and reporting on the RMP has a high priority. Evaluating these processes differs from using risk analysis to plan audits. But information from a comprehensive RMP aids in planning audits.

    The CAE must understand management's and the board's expectations of the IAA in risk management. The understanding should be codified in the charters of the IAA and the audit committee.

    Responsibilities and activities should be coordinated and documented. For example, (1) setting strategy may reside with the board; (2) ownership of risks may be assigned to senior management; (3) acceptance of residual risk may reside at the executive management level; (4) identifying, assessing, mitigating, and monitoring activities continuously may be assigned at the operating level; and (5) periodic assessment and assurance to others should reside with the IAA.

    Internal auditors normally identify and evaluate significant risk exposures.

    Executive management and the audit committee determine internal audit's role in risk management. That role may range from no role, to auditing the process as part of the audit plan, to active, continuous support and involvement in the process, to managing and coordinating the process.

    b. PRACTICE ADVISORY 2100-4: INTERNAL AUDIT'S ROLE IN ORGANIZATIONS WITHOUT A RISK MANAGEMENT PROCESS

    1.-3. Same as PA 2100-3, paragraphs 1. through 3.

    4. If an organization has not established a risk management process, the internal auditor should bring this to management's attention along with suggestions for establishing such a process. The internal auditor should seek direction from management and the board as to the internal audit activity's role in the risk management process. The charters for the internal audit activity and audit committee should document the role of each in the risk management process.

    5. If requested, internal auditors can play a proactive role in assisting with the initial establishment of a risk management process for the organization. A more proactive role supplements traditional assurance activities with a consultative approach to improving fundamental processes. If such assistance exceeds normal assurance and consulting activities conducted by internal auditors, independence could be impaired. In these situations, internal auditors should comply with the disclosure requirements of the Standards. Additional guidance can also be found in Practice Advisory 1130.A1-2: Internal Audit Responsibility for Other (Non-Audit) Functions (Study Unit 2).

    6. A proactive role in developing and managing a risk management process is not the same as an ownership of risks role. To avoid an ownership of risk role, internal auditors should seek confirmation from management as to its responsibility for identification, mitigation, monitoring, and ownership of risks.


    7. In summary, internal auditors can facilitate or enable risk management processes, but they should not own or be responsible for the management of the risks identified.

    PA Summary

    The internal auditor should provide suggestions for establishing the RMP and seek direction from management and the board as to the IAA's role.

    A proactive auditor role in establishing the process may include a consultative as well as an assurance function. If such assistance exceeds normal assurance and consulting activities by internal auditors, independence could be impaired. In these situations, internal auditors should comply with the disclosure requirements of the Standards.

    A proactive auditor role is not an ownership-of-risk role. Internal auditors should seek confirmation from management as to its responsibility for identification, mitigation, monitoring, and ownership of risks.

    c. PRACTICE ADVISORY 2100-7: THE INTERNAL AUDITOR'S ROLE IN IDENTIFYING AND REPORTING ENVIRONMENTAL RISKS

    Potential Risks

    1. The Chief Audit Executive (CAE) should include the environmental, health, and safety (EH&S) risks in any entity-wide risk management assessment and assess the activities in a balanced manner relative to other types of risk associated with an entity's operations. Among the risk exposures that should be evaluated are: organizational reporting structures; likelihood of causing environmental harm, fines, and penalties; expenditures mandated by governmental agencies; history of injuries and deaths; record of losses of customers; and episodes of negative publicity and loss of public image and reputation.

    2. The majority of environmental audit functions report to their organization's environmental component or general counsel, not to the CAE. The typical organizational models for environmental auditing fall into one of the following scenarios:

    - The CAE and environmental audit chief are in separate functional units with little contact with each other.

    - The CAE and environmental audit chief are in separate functional units and coordinate their activities.

    - The CAE has responsibility for auditing environmental issues.

    3. If the CAE finds that the management of the EH&S risks largely depends on an environmental audit function, the CAE needs to consider the implications of that organizational structure and its effects on operations and the reporting mechanisms. If the CAE finds that the exposures are not adequately managed and residual risks exist, that conclusion would normally result in changes to the internal audit activity's plan of engagements and further investigations.

    4. According to an IIA flash report on environmental auditing issues:

    - About one-half of the environmental auditors seldom meet with a committee of the governing board, and only 40 percent have some contact with the CAE.


    - Seventy percent of the organizations reported that environmental issues are not regularly included on the agenda of the governing board.

    - About 40 percent of the organizations reported that they had paid fines or penalties for environmental violations in the past three years. Two-thirds of the respondents described their environmental risks as material.

    5. The Environmental, Health and Safety Auditing Roundtable (new name is The Auditing Roundtable) commissioned Richard L. Ratliff of Utah State University and a group of researchers to perform a study of environmental, health, and safety auditing. The researchers' findings related to the risk and independence issues are as follows:

    - The EH&S audit function is somewhat isolated from other organizational auditing activities. It is organized separately from internal auditing, only tangentially related to external audits of financial statements, and reports to an EH&S executive rather than to the governing board or to senior management. This structure suggests that management believes EH&S auditing to be a technical field that is best placed within the EH&S function of the organization.

    - With that organizational placement, EH&S auditors could be unable to maintain their independence, which is considered one of the principal requirements of an effective audit function. EH&S audit managers typically report administratively to the executives who are responsible for the physical facilities being audited. Thus, poor EH&S performance would reflect badly on the facilities management team, who would therefore try to exercise their authority and influence over what is reported in audit findings, how audits are conducted, or what is included in the audit plan. This potential subordination of the auditors' professional judgment, even when only apparent, violates auditor independence and objectivity.

    - It is also common for written audit reports to be distributed no higher in the organization than to senior environmental executives. Those executives may have a potential conflict of interest, and they may curtail further distribution of EH&S audit findings to senior management and the governing board.

    - Audit information is often classified as (a) subject to the attorney-client privilege or the attorney-work-product privilege (in countries where such privileges are recognized), (b) secret and confidential, or (c), if not confidential, then closely held. These classifications severely restrict access to EH&S audit information.

    Suggestions for the Chief Audit Executive

    6. The CAE should foster a close working relationship with the chief environmental officer and coordinate activities with the plan for environmental auditing. When the environmental audit function reports to someone other than the CAE, the CAE should offer to review the audit plan and the performance of engagements. Periodically, the CAE should schedule a quality assurance review of the environmental audit function if it is organizationally independent of the internal audit activity. That review should determine if the environmental risks are being adequately addressed. An EH&S audit program could be either (a) compliance-focused (i.e., verifying compliance with laws, regulations, and the entity's own EH&S policies, procedures, and performance objectives), (b) management-systems-focused (i.e., providing assessments of management systems intended to ensure compliance with legal and internal requirements and the mitigation of risks), or (c) a combination of both approaches.


    7. The CAE should evaluate whether the environmental auditors, who are not part of the CAE's organization, are in compliance with recognized professional auditing standards and a recognized code of ethics. For example, The IIA publishes practice standards and ethical codes.

    8. The CAE should evaluate the organizational placement and independence of the environmental audit function to ensure that significant matters resulting from serious risks to the enterprise are reported up the chain of command to the audit or other committee of the governing board. The CAE should also facilitate the reporting of significant EH&S risk and control issues to the audit (or other board) committee.

    PA Summary

    The entity-wide risk management assessment includes environmental, health, and safety (EH&S) risks. Risk exposures to be evaluated are (1) faulty reporting structures; (2) likelihood of causing environmental harm, fines, and penalties; (3) expenditures mandated by regulators; (4) history of injuries and deaths; (5) loss of customers; and (6) negative publicity and loss of public reputation.

    The typical organization model for environmental auditing is one of the following: (1) the CAE and environmental audit chief are in separate functions and have little contact, (2) they are in separate functions and coordinate their activities, or (3) the CAE has responsibility for auditing environmental issues.

    Given an environmental audit function, the CAE considers the implications for organizational structure, operations, reporting, and the audit plan.

    Researchers' findings related to risk and independence for the EH&S audit function include the following:

    1) It is isolated from other organizational auditing activities and usually reports to an EH&S executive, not the board or senior management.

    2) Thus, EH&S auditors could be unable to maintain their independence. EH&S audit managers typically report administratively to executives responsible for the facilities audited. Poor EH&S performance would reflect badly on the facilities management team, who might influence audit findings, how audits are conducted, or the audit plan.

    3) Written audit reports are commonly distributed no higher than to senior environmental executives. Those executives may have a conflict of interest and curtail further distribution of findings.

    4) Access to EH&S audit information is restricted when classified as (a) subject to the attorney-client privilege or the attorney-work-product privilege (where such privileges are recognized); (b) secret and confidential; or (c) if not confidential, then closely held.

    The CAE should have a close relationship with the chief environmental officer and coordinate activities. The CAE may offer to review the environmental audit function's plan and performance. The CAE also should schedule a quality assurance review of the function and evaluate its organizational placement and independence and compliance with standards.

    1) An EH&S audit program could be (a) compliance-focused, (b) management-systems-focused, or (c) a combination of both approaches.

    2) The CAE should facilitate the reporting of significant EH&S risk and control issues to the audit (or other board) committee.


    3. 2110 Risk Management: The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

    a. PRACTICE ADVISORY 2110-1: ASSESSING THE ADEQUACY OF RISK MANAGEMENT PROCESSES

    1.-2. Same as PA 2100-3, paragraphs 1. and 2.

    3. Each organization may choose a particular methodology to implement its risk management process. The internal auditor should determine that the methodology is understood by key groups or individuals involved in corporate governance, including the board and audit committee. Internal auditors must satisfy themselves that the organization's risk management processes address key objectives to formulate an opinion on the overall adequacy of the risk management processes. The key objectives of a risk management process are:

    - Risks arising from business strategies and activities are identified and prioritized.

    - Management and the board have determined the level of risks acceptable to the organization, including the acceptance of risks designed to accomplish the organization's strategic plans.

    - Risk mitigation activities are designed and implemented to reduce or otherwise manage risk at levels that were determined to be acceptable to management and the board.

    - Ongoing monitoring activities are conducted to periodically reassess risk and the effectiveness of controls to manage risk. The board and management receive periodic reports of the results of the risk management processes. The corporate governance processes of the organization should provide periodic communication of risks, risk strategies, and controls to stakeholders.

    4. Internal auditors should recognize that there could be significant variations in the techniques used by various organizations for their risk management practices. Risk management processes should be designed for the nature of an organization's activities. Depending on the size and complexity of the organization's business activities, risk management processes may be

    - Formal or informal

    - Quantitative or subjective

    - Embedded in the business units or centralized at a corporate level

    The specific process used by an organization must fit that organization's culture, management style, and business objectives. For example, the use of derivatives or other sophisticated capital markets products by the organization would require the use of quantitative risk management tools. Smaller, less complex organizations may use an informal risk committee to discuss the organization's risk profile and to initiate periodic actions. The auditor should determine that the methodology chosen is both comprehensive and appropriate for the nature of the organization's activities.


    5. Internal auditors should obtain sufficient information to satisfy themselves that the key objectives of the risk management processes are being met in order to form an opinion on the adequacy of risk management processes. In gathering such information, the internal auditor should consider the following types of engagement procedures:

    - Research and review reference materials and background information on risk management methodologies as a basis to assess whether or not the process used by the organization is appropriate and represents best practices for the industry.

    - Research and review current developments, trends, industry information, and other appropriate sources of information to determine risks and exposures that may affect the organization and related control procedures used to address, monitor, and reassess those risks.

    - Review corporate policies and minutes of board and audit committee meetings to determine the organization's business strategies, risk management philosophy and methodology, appetite for risk, and acceptance of risks.

    - Review previous risk evaluation reports by management, internal auditors, external auditors, and any other sources that may have issued such reports.

    - Conduct interviews with line and executive management to determine business unit objectives, related risks, and management's risk mitigation and control monitoring activities.

    - Assimilate information to independently evaluate the effectiveness of risk mitigation, monitoring, and communication of risks and associated control activities.

    - Assess the appropriateness of reporting lines for risk monitoring activities.

    - Review the adequacy and timeliness of reporting on risk management results.

    - Review the completeness of management's risk analysis and actions taken to remedy issues raised by risk management processes, and suggest improvements.

    - Determine the effectiveness of management's self-assessment processes through observations, direct tests of control and monitoring procedures, testing the accuracy of information used in monitoring activities, and other appropriate techniques.

    - Review risk-related issues that may indicate weakness in risk management practices and, as appropriate, discuss with management, the audit committee, and the board of directors. If the auditor believes that management has accepted a level of risk that is inconsistent with the organization's risk management strategy and policies or that is deemed unacceptable to the organization, the auditor should refer to Standard 2600, Management's Acceptance of Risks, and any related guidance for additional direction (see Subunit 3.2).


    b. PRACTICE ADVISORY 2110-2: THE INTERNAL AUDITOR'S ROLE IN THE BUSINESS CONTINUITY PROCESS

    1. Business interruption can result from natural occurrences and accidental or deliberate criminal acts. Those interruptions can have significant financial and operational ramifications. Auditors should evaluate the organization's readiness to deal with business interruptions. A comprehensive plan would provide for emergency response procedures, alternative communication systems and site facilities, information systems backup, disaster recovery, business impact assessments and resumption plans, procedures for restoring utility services, and maintenance procedures for ensuring the readiness of the organization in the event of an emergency or disaster.

    2. The internal audit activity should assess the organization's business continuity planning process on a regular basis to ensure that senior management is aware of the state of disaster preparedness.

    3. Many organizations do not expect to experience an interruption or lengthy delay of normal business processes and operations due to a disaster or other unforeseen event. Many business experts say that it is not if a disaster will occur, but when it will occur. Over time, an organization will experience an event that will result in the loss of information, access to properties (tangible or intangible), or the services of personnel. Exposure to those types of risks and the planning for business continuity is an integral part of an organization's risk management process. Advance planning is necessary to minimize the loss and ensure continuity of an organization's critical business functions. It may enable the organization to maintain an acceptable level of service to its stakeholders.

    4. A crucial element of business recovery is the existence of a comprehensive and current disaster recovery plan. The internal auditors can play a role in the organization's planning for disaster recovery. The internal audit activity can (a) assist with the risk analysis, (b) evaluate the design and comprehensiveness of the plan after it has been drawn up, and (c) perform periodic assurance engagements to verify that the plan is kept up to date.

    Planning

    5. Organizations rely upon internal auditors for analysis of operations and assessment of risk management and control processes. Internal auditors acquire an understanding of the overall business operations and the individual functions and how they interrelate with one another. This positions the internal audit activity as a valuable resource in evaluating the disaster recovery plan during its formulation process.

    6. The internal audit activity can help with an assessment of an organization's internal and external environment. Internal factors that may be considered include the turnover of management and changes in information systems, controls, and major projects and programs. External factors may include changes in the outside regulatory and business environment and changes in markets and competitive conditions, international financial and economic conditions, and technologies. Internal auditors can help identify risks involving critical business activities and prioritize functions for recovery purposes.


    Evaluation

    7. Internal auditors can make a contribution as objective participants when they review the proposed business continuity and disaster recovery plan for design, completeness, and overall adequacy. The auditor can examine the plan to determine that it reflects the operations that have been included and evaluated in the risk assessment process and contains sufficient internal control concerns and prescriptions. The internal auditor's comprehensive knowledge of the organization's business operations and applications enables the internal audit activity to assist during the development phase of the business continuity plan by evaluating its organization, comprehensiveness, and recommended actions to manage risks and maintain effective controls during a recovery period.

    Periodic Assurance Engagements

    8. Internal auditors should periodically audit the organization's business continuity and disaster recovery plans. The audit objective is to verify that the plans are adequate to ensure the timely resumption of operations and processes after adverse circumstances and that they reflect the current business operating environment.

    9. Business continuity and disaster recovery plans can become outdated very quickly. Coping with and responding to changes is an inevitable part of the task of management. Turnover of managers and executives and changes in system configurations, interfaces, and software can have a major impact on these plans. The internal audit activity should examine the recovery plan to determine whether (a) it is structured to incorporate important changes that could take place over time and (b) the revised plan will be communicated to the appropriate people inside and outside the organization.

    10. During the audit, internal auditors should consider:

    - Are all plans up to date? Do procedures exist for updating the plans?

    - Are all critical business functions and systems covered by the plans? If not, are the reasons for omissions documented?

    - Are the plans based on the risks and potential consequences of business interruptions?

    - Are the plans fully documented and in accordance with organizational policies and procedures? Have functional responsibilities been assigned?

    - Is the organization capable of and prepared to implement the plans?

    - Are the plans tested and revised based on the results?

    - Are the plans stored properly and safely? Is the location of and access to the plans known to management?

    - Are the locations of alternate facilities (backup sites) known to employees?

    - Do the plans call for coordination with local emergency services?


    Internal Audits Role After a Disaster

    11. There is an important role for the internal auditors to play immediately after adisaster occurs. An organization is more vulnerable after a disaster hasoccurred, and it is trying to recover. During thatrecovery period, internalauditors shouldmonitortheeffectivenessof the recovery and control of

    operations. The internal audit activity should identify areas where internalcontrols and mitigating actions should be improved andrecommendimprovementsto the entitys business continuity plan. The internal auditactivity can also provide support during the recovery activities.

    12. After the disaster, usually within several months, internal auditors can assist inidentifying the lessons learnedfrom the disaster and the recovery opera-tions. Those observations and recommendations may enhance activities torecover resources and update the next version of the business continuity plan.

    13. In the final analysis, it issenior managementwho will determine the degree oftheinternal auditors involvementin the business continuity and disasterrecovery processes, considering their knowledge, skills, independence, andobjectivity.

    PA Summary

    Business interruptioncan have significant financial and operational effects. Theorganization should have acomprehensive disaster recovery planto cope withbusiness interruptions. It should provide for emergency response, alternativecommunications and site facilities, systems backup, disaster recovery, impactassessments, resumption plans, restoration of utility service, and readinessprocedures.

    Auditorsshould regularly assess continuity planning.

    Interruptions and losses are inevitable. Thus,planningis integral to the RMP so

    that losses may be minimized, continuity of critical business functionsensured,and anacceptable level of service maintained.

    Internal auditors analyze operations, assess the RMP and controls, and understandhow functions interrelate. Thus, the IAA can help assess an organizationsinternal and external environment, identify risks involving critical businessactivities, andprioritize functionsfor recovery purposes.

    Internal auditorsreviewthe proposed plan fordesign, completeness, and overalladequacy. The plan should reflect the operations included and evaluated in therisk assessment and contain sufficient control.

    Internal auditors should perform periodic assurance engagements to verify that the plan is adequate and reflects the current business operating environment. The IAA should examine the plan to determine whether (1) it is structured to incorporate important changes, and (2) the revised plan will be communicated to the appropriate people inside and outside the organization.

    12 SU 4: Internal Audit Roles II

    Copyright 2008 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com


    During the audit, internal auditors should consider whether the plan

    1) Is kept up to date.

    2) Covers all critical business functions and systems and documents the reasons for omissions.

    3) Is based on risks and consequences.

    4) Is fully documented in accordance with policies and procedures and assigns functional responsibilities.

    5) Can be implemented.

    6) Is tested and revised based on results.

    7) Is stored properly and safely.

    8) States locations of backup sites that are known to employees.

    9) Calls for coordination with emergency services.

    During the recovery period, internal auditors monitor the effectiveness of recovery and control of operations and identify improvements. Afterward, they may identify lessons learned.

    Senior management determines auditor involvement in the continuity and recovery processes.

    4. 2110.A1 The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

    5. 2110.A2 The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the

    Reliability and integrity of financial and operational information.

    Effectiveness and efficiency of operations.

    Safeguarding of assets.

    Compliance with laws, regulations, and contracts.

    6. 2110.C1 During consulting engagements, internal auditors should address risk consistent with the engagement's objectives and should be alert to the existence of other significant risks.

    7. 2110.C2 Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

    a. PRACTICE ADVISORY 1000.C1-2: ADDITIONAL CONSIDERATIONS FOR FORMAL CONSULTING ENGAGEMENTS

    The following is the portion of this comprehensive Practice Advisory relevant to Standards 2110.C1 and 2110.C2:

    11. Internal auditors should reach an understanding about the objectives and scope of the consulting engagement with those receiving the service. Any reservations about the value, benefit, or possible negative implications of the consulting engagement should be communicated to those receiving the service. Internal auditors should design the scope of work to ensure that professionalism, integrity, credibility, and reputation of the internal audit activity will be maintained.


    12. In planning formal consulting engagements, internal auditors should design objectives to meet the appropriate needs of management officials receiving these services. In the case of special requests by management, internal auditors may consider the following actions if they believe that the objectives that should be pursued go beyond those requested by management:

    Persuade management to include the additional objectives in the consulting engagement; or

    Document the fact that the objectives were not pursued and disclose that observation in the final communication of consulting engagement results; and

    Include the objectives in a separate and subsequent assurance engagement.

    13. Work programs for formal consulting engagements should document the objectives and scope of the engagement, as well as the methodology to be used in satisfying the objectives. The form and content of the program may vary depending on the nature of the engagement. In establishing the scope of the engagement, internal auditors may expand or limit the scope to satisfy management's request. However, the internal auditor should be satisfied that the projected scope of work will be adequate to meet the objectives of the engagement. The objectives, scope, and terms of the engagement should be periodically reassessed and adjusted during the course of the work.

    14. Internal auditors should be observant of the effectiveness of risk management and control processes during formal consulting engagements. Substantial risk exposures or material control weaknesses should be brought to the attention of management. In some situations, the auditor's concerns should also be communicated to executive management, the audit committee, or the board of directors. Auditors should (a) determine the significance of exposures or weaknesses and the actions taken or contemplated to mitigate or correct these exposures or weaknesses and (b) ascertain the expectations of executive management, the audit committee, and board in having these matters reported.

    PA Summary

    Internal auditors should have an understanding about the objectives and scope of the consulting engagement. They also should communicate reservations about the engagement to the recipients of the service and maintain their professionalism.

    The objectives of formal engagements should meet the needs of the recipients of services. For special request engagements, internal auditors may consider the following actions if they believe that the objectives should go beyond those requested:

    1) Persuade management to include the additional objectives, or

    2) Document and disclose in the final communication of results that those objectives were not pursued and include them in a later assurance engagement.


    Work programs should document objectives, scope, and methods. The form and content of the program may vary. The scope depends on management's request, but it should be adequate to meet the objectives. Moreover, the objectives, scope, and terms of the engagement should be periodically reassessed.

    Substantial risk exposures or material control weaknesses should be reported to management. In some cases, reporting to higher levels also is indicated. Auditors should determine (1) the significance of these matters, (2) actions taken or considered, and (3) expectations of higher authorities about reporting.

    4.2 INFORMATION SECURITY AND PRIVACY

    1. This subunit covers the related topics of security and privacy in two Practice Advisories that interpret the General Performance Standard on the nature of work and one Practice Advisory that interprets the General Performance Standard on performing the engagement.

    NOTE: Physical security, such as safeguards against environmental risks and unauthorized access to computer terminals, remains an internal auditing concern even though software controls now provide most protection for information.

    2. 2100 Nature of Work: The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

    a. PRACTICE ADVISORY 2100-2: INFORMATION SECURITY

    1. Internal auditors should determine that management and the board, the audit committee, or other governing body has a clear understanding that information security is a management responsibility. This responsibility includes all critical information of the organization, regardless of the media in which the information is stored.

    2. The chief audit executive should determine that the internal audit activity possesses, or has access to, competent auditing resources to evaluate information security and associated risk exposures. This includes both internal and external risk exposures, including exposures relating to the organization's relationships with outside entities.

    3. Internal auditors should determine that the board, audit committee, or other governing body has sought assurance from management that information security breaches and conditions that might represent a threat to the organization will promptly be made known to those performing the internal auditing activity.

    4. Internal auditors should assess the effectiveness of preventive, detective, and mitigative measures against past attacks, as deemed appropriate, and future attempts or incidents deemed likely to occur. Internal auditors should confirm that the board, audit committee, or other governing body has been appropriately informed of threats, incidents, vulnerabilities exploited, and corrective measures.


    5. Internal auditors should periodically assess the organization's information security practices and recommend, as appropriate, enhancements to or implementation of new controls and safeguards. Following an assessment, an assurance report should be provided to the board, audit committee, or other appropriate governing body. Such assessments can either be conducted as separate stand-alone engagements or as multiple engagements integrated into other audits or engagements conducted as part of the approved audit plan.

    PA Summary

    Information security is a management responsibility for all critical information regardless of its form.

    The IAA should have competent auditing resources for evaluating internal and external risks to information security.

    Internal auditors should determine that the governing body has sought assurance from management that the IAA will be promptly notified about security breaches and conditions that might represent a threat.

    Internal auditors assess the effectiveness of preventive, detective, and mitigative measures against past and future attacks. The governing body should be appropriately informed.

    Internal auditors also should periodically assess security practices, recommend new or improved controls, and provide an assurance report. Such assessments can be made as separate engagements or as multiple engagements integrated with other elements of the audit plan.

    b. Another aspect of internal auditing's role regarding information security is to evaluate compliance with laws and regulations concerning privacy. Thus, internal auditors determine the existence and content of requirements relating to privacy (after consulting with legal counsel). They also determine that systems are designed in accordance with those requirements, compliance is achieved, and compliance is documented.

    PRACTICE ADVISORY 2100-8: THE INTERNAL AUDITOR'S ROLE IN EVALUATING AN ORGANIZATION'S PRIVACY FRAMEWORK

    1. Concerns relating to the protection of personal privacy are becoming more apparent, focused, and global as advancements in information technology and communications continually introduce new risks and threats to privacy. Privacy controls are legal requirements for doing business in most of the world.

    2. Privacy definitions vary widely depending upon country, culture, political environment, and legal framework. Privacy can encompass personal privacy (physical and psychological); privacy of space (freedom from surveillance); privacy of communication (freedom from monitoring); and privacy of information (collection, use, and disclosure of personal information by others). Personal information generally refers to information that can be associated with a specific individual or that has identifying characteristics that might be combined with other information to do so. It can include any factual or subjective information, recorded or not, in any form or medium. Personal information might include, for example:

    Name, address, identification numbers, income, or blood type;

    Evaluations, comments, social status, or disciplinary actions; and

    Employee files, credit records, loan records.


    3. Privacy is a risk management issue. Failure to protect privacy and personal information with the appropriate controls can have significant consequences for an organization. For example, it can damage the reputation of individuals and the organization, lead to legal liability issues, and contribute to consumer and employee mistrust.

    4. There are a variety of laws and regulations developing worldwide relating to the protection of personal information. As well, there are generally accepted policies and practices that can be applied to the privacy issue.

    5. It is clear that good privacy practices contribute to good governance and accountability. The governing body (e.g., the board of directors, head of an agency, or legislative body) is ultimately accountable for ensuring that the principal risks of the organization have been identified and the appropriate systems have been implemented to mitigate those risks. This includes establishing the necessary privacy framework for the organization and monitoring its implementation.

    6. The internal auditor can contribute to ensuring good governance and accountability by playing a role in helping an organization meet its privacy objectives. The internal auditor is uniquely positioned to evaluate the privacy framework in the organization and identify the significant risks along with the appropriate recommendations for their mitigation.

    7. In an evaluation of the privacy framework, the internal auditors should consider the following:

    The various laws, regulations, and policies relating to privacy in their respective jurisdictions (including any jurisdiction where the organization conducts business);

    Liaison with in-house legal counsel to determine the exact nature of such laws, regulations, and other standards and practices applicable to the organization and the country/countries in which it does business;

    Liaison with information technology specialists to ensure information security and data protection controls are in place and regularly reviewed and assessed for appropriateness;

    The level or maturity of the organization's privacy practices. Depending upon the level, the internal auditor may have differing roles. The auditor may facilitate the development and implementation of the privacy program, conduct a privacy risk assessment to determine the needs and risk exposures of the organization, or may review and provide assurance on the effectiveness of the privacy policies, practices, and controls across the organization. If the internal auditor assumes a portion of the responsibility for developing and implementing a privacy program, the auditor's independence may be impaired.

    8. Typically, the internal auditors could be expected to identify the types and appropriateness of information gathered by the organization that is deemed personal or private, the collection methodology used, and whether the organization's use of the information so collected is in accordance with its intended use and the laws.

    9. Given the highly technical and legal nature of the topic, the internal auditor should ensure that the appropriate in-depth knowledge and capacity to conduct any such evaluation of the privacy framework is available, using third-party experts, if necessary.


    PA Summary

    Privacy controls are legally required in most countries because advances in IT and communications continually create new threats.

    Privacy definitions vary: (1) personal privacy (physical and psychological); (2) privacy of space (freedom from surveillance); (3) privacy of communication (freedom from monitoring); and (4) privacy of information (collection, use, and disclosure of personal information by others).

    1) Personal information is any information that can be associated with a specific individual or that might be combined with other information to do so.

    Privacy is a risk management issue. Failing to protect privacy and personal information has significant legal and business consequences for an organization.

    Good privacy practices contribute to good governance and accountability. The governing body of an organization is ultimately accountable for managing privacy risk, e.g., by establishing and monitoring a privacy framework.

    The internal auditor evaluates the privacy framework, identifies significant risks, and makes recommendations. The internal auditor also considers (1) laws, regulations, and practices in relevant jurisdictions; (2) the advice of legal counsel; and (3) the security efforts of IT specialists.

    Depending on the level or maturity of the organization's privacy practices, the role of the internal auditor may be to (1) facilitate the privacy program, (2) do a privacy risk assessment, or (3) perform an assurance service. However, assumption of responsibility may impair independence.

    The internal auditor identifies (1) personal information gathered, (2) collection methods, and (3) whether use of the information is in accordance with its intended use and applicable law.

    Given the difficulty of the technical and legal issues, the internal auditor should have or obtain the knowledge and capacity to evaluate the privacy framework, using outside service providers if needed.

    3. 2300 Performing the Engagement: Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

    a. Laws and regulations concerning privacy also apply to internal auditors.

    b. PRACTICE ADVISORY 2300-1: THE INTERNAL AUDITOR'S USE OF PERSONAL INFORMATION IN CONDUCTING AUDITS

    1. Concerns relating to the protection of personal privacy and information are becoming more apparent, focused, and global as advancements in information technology and communications continually introduce new risks and threats to privacy. Privacy controls are legal requirements for doing business in most of the world.

    2. Personal information generally refers to information that can be associated with a specific individual, or that has identifying characteristics that might be combined with other information to do so. It can include any factual or subjective information, recorded or not, in any form or media. Personal information might include, for example:

    Name, address, identification numbers, income, or blood type;

    Evaluations, comments, social status, or disciplinary actions; and

    Employee files, credit records, loan records.


    3. For the most part, laws require organizations to identify the purposes for which personal information is collected, at or before the time the information is collected; and that personal information not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

    4. It is important that the internal auditor understands and complies with all laws regarding the use of personal information in the auditor's jurisdiction and those jurisdictions where the organization conducts business.

    5. The internal auditor must understand that it may be inappropriate, and in some cases illegal, to access, retrieve, review, manipulate, or use personal information in conducting certain internal audit engagements.

    6. The internal auditor should investigate issues before initiating audit effort and seek advice from in-house legal counsel if there are any questions or concerns in this respect.

    PA Summary

    Threats to personal privacy and information have increased because of IT and communications advances. Thus, laws require privacy controls.

    Personal information identifies a specific individual. Examples are identification numbers, income, blood type, evaluations, disciplinary actions, employee files, credit records, and loan records.

    The law usually requires organizations to identify the purposes for which personal information is collected, at or before the time it is collected. Its use or disclosure for other purposes is generally prohibited, except with consent or as required by law.

    The internal auditor must understand and comply with all laws regarding the use of personal information.

    Access to or use of personal information may be inappropriate or illegal in certain engagements.

    The internal auditor should investigate issues before initiating audit effort and seek advice from counsel if issues arise regarding use of personal information.


    4.3 STUDY UNIT 4 SUMMARY

    1. Risk management is the responsibility of management. Oversight bodies ensure that processes are in place, adequate, and effective. Internal auditors examine, evaluate, report, and recommend improvements. They also play a consulting role.

    2. The entity-wide risk management assessment includes EH&S risks. Given an environmental audit function, the CAE considers the implications for organizational structure, operations, reporting, and the audit plan.

    3. The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

    a. To form an opinion on the adequacy of the process, the internal auditor must determine that (1) the implementation method is understood by key stakeholders and (2) five key objectives are addressed.

    4. The organization should have a comprehensive plan to cope with business interruptions. Auditors should assess continuity planning.

    5. Information security is a management responsibility for all critical information. The IAA should have competent auditing resources for evaluating internal and external risks to information security.

    6. Privacy controls are legally required in most of the world. The governing body of an organization is ultimately accountable for managing privacy risk, e.g., by establishing and monitoring a privacy framework. The internal auditor evaluates the framework, identifies risks, and makes recommendations. The internal auditor considers laws, regulations, and practices; the advice of legal counsel; and the security efforts of IT specialists.

    7. Internal auditors must understand and comply with laws protecting personal information.
