CHAPTER 9

Managing the Internal Audit function

Chief Audit executive

A senior position within the organization responsible for internal audit activities. The term also includes titles such as general auditor, head of internal audit, chief internal auditor, internal audit director and inspector general.

CAE IIA standard 2000

The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization

The internal audit function is effectively managed when:

The results of internal audit function’s work achieve the purpose and responsibility included in the internal audit charter

It conforms the definition of internal auditing and the standards

The individuals who are part of the internal audit function demonstrate conformance with the Code of ethics and standards.

Internal Audit Charter

A formal written document that defines the internal audit function’s purpose, authority and responsibility. It is subordinate to the audit committee’s charter.

Individual objectivity

An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgement on audit matters that of others.

Organizational Independence

The chief audit executive’s line of reporting within the organization that allows the internal audit function to fulfill its responsibilities free from interference.

Proficiency

The knowledge, skills, and other competencies internal auditors need to perform their individual responsibilities

Due professional Care

Internal auditors must apply the care and skill expected of a reasonable prudent internal auditor, however internal auditors are not expected to be infallible.

IIA requirements regarding impairments to independence and

objectivity

Standard 1130.A1 Internal auditors must refrain from assessing specific

operations for which they were previously responsible.

Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

Standard 1130.A2

Assurance engagements for functions over which the executive has responsibility must be overseen by a party outside the internal audit activity.

Standard 1130.C1

Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

Standard 1130.C2

If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

Planning

The planning process should include the establishment of goals, engagement schedules, staffing schedules, and financial budgets. Additionally, effective planning should reflect the internal audit charter and be consistent with organizational objectives.

Assurance services

The IA activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in the process. (Standard 2010.A1)

Consulting Services

The Chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve the management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan. (standard 2010.c1)

Communication and Approval

After the internal audit plan has been established, it is incumbent upon the CAE to present it to senior management and the board (typically the audit committee) to be approved. Resource requirements, significant interim changes, and the potential implications of resource limitations should all be included in the communication to senior management and the board (IIA Standard 2020: Communication and approval)

Internal Audit Plan

An outline of the specific assurance and consulting engagements scheduled for a period of time (typically one year) based on an assessment of the organization’s risks.

Resource management

A significant consideration in implementing an internal audit function’s plan is how to allocate resources.

It is the CAE’s responsibility to ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (IIA standard 2030: Resource management)

This is achieved by carefully orchestrating a umber of factors as discussed below.

Organizational structure and staffing strategy

IA functions must be structured in a way that it consistent with the needs and culture of the organization.

The CAE may choose to employ a flat organizational structure in which most of the Internal auditors have more or less the same level of skills, experience and seniority.

Typically, this type creates an internal audit function that is stable, highly knowledgeable and very collaborative.

Typical hierarchical internal audit function

Staff auditorSenior auditorAudit managerAudit directorChief audit executive

The internal auditor competency framework

Interpersonal skillsTools and techniquesInternal audit standardsKnowledge areas

Right Sizing

An important concept in the staffing and scheduling of an IA function. It is important to achieve and maintain a balance of knowledgeable and skilled staff to complete the IA plan, without putting undue stress on the staff by creating oppressive work loads, while simultaneously maintaining a reasonable financial budget.

Staffing plans/ Human resources

The CAE must assign human resources effectively, meaning that internal auditors are assigned to engagements that they are qualified and capable to perform .

In some instances, individuals with specialized knowledge and/or skills from elsewhere in the organization may assist with an internal audit engagement when the necessary competencies are not present within the IA function.

Hiring practices

The CAE is responsible for hiring associates to fill the organizational structure of the internal audit function in a way that maximizes efficiency, effectively, provides the necessary skill base and makes good use of the financial budget.

Strategic sourcing

Supplements in the house, internal audit function through the use of third party vendor services for the purposes of gaining subject matter expertise for a specific engagement or filling a gap in needed resources to complete the internal audit plan.

Financial Budget

Driven primarily by the audit plan, organizational structure, and staffing strategy. The CAE must carefully evaluate the financial resources necessary to accomplish the objectives set forth.

Independent outside auditor

A registered public accounting firm, hired by the organization’s board or executive management, to perform a financial statement audit.

Board

An organization’s governing body such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of nonprofit organization, or any other designated body of the organization including the audit committee to whom the chief audit executive may functionally report.

Management and the CAE coordinate efforts to routinely report in various risk and control activities performed by either, in accordance with roles and responsibilities set by the board an the audit committee. It includes: Business unit monitoring and risk monitoring reports Independent outside auditor activity reports Key financial activity reports Risk management activity reports Legal and compliance monitoring reports

Governance

The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Risk Management

The process conducted by the management to understand and deal with the uncertainties (risks and opportunities) that could affect the organization’s ability to achieve its objectives.

Control

Any action taken by the management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide the reasonable assurance that objectives and goals will be achieved.

Quality assurance

The process if assuring that an internal audit function operates according to a set of standards defining the specific elements that must be present to ensure that the finding of the internal audit function are legitimate.

Noncorformance with the standards

Occurs when the internal audit function is found to be deficient to the point that it impacts the overall scope or operation of the internal audit function and it must be disclosed.

Quality assurance and improvement program

An ongoing and periodic assessment of the entire spectrum of audit and consulting work performed by the internal audit function.

Control Self- assessment

A facilitated process whereby control owners provide a self assessment of the design adequacy and operating effectiveness of controls for which they are responsible.

Continuous auditing

The use of computerized techniques to perpetually audit processing of business transactions