Chapter 9 Notes: Managing the Internal Audit Function

Positioning the Internal Audit (IA) Function

  • Placing the IA function in a senior management position maximizes its effectiveness in evaluating risk management, control, and governance processes.
  • The Chief Audit Executive (CAE) is pivotal to a successful internal audit function.
  • The IA function is successfully managed when (Standard 2000):
    • IA work achieves its purpose and responsibility as per its charter.
    • IA conforms with the Standards.
    • Individuals conform with the Code of Ethics and the Standards.
    • IA considers trends and emerging issues impacting its effectiveness.
  • CAE's senior management position and direct access to the audit committee enhance objectivity.
  • Audit committee participation in CAE selection, evaluation, and dismissal maintains organizational independence.
  • The CAE should create the Charter.

Responsibilities of the CAE

  • Sets the charter.
  • Sets formal vision and mission statements.
  • Sets operating policies and procedures.
  • Maintains organizational independence.
  • Ensures proficiency and due professional care.
  • Plans audit work.
  • Communicates and obtains approval from the Audit Committee.
  • Manages resources.
  • Coordinates assurance efforts.
  • Communicates results to the Audit Committee and senior management.

The IA Charter

  • A formal written document defining the IA function’s purpose, authority, and responsibility.
  • Subordinate to the audit committee’s charter.
  • Approved by the Audit Committee.
  • Establishes:
    • Position of Function
    • Authorizes access to records, personnel, and physical properties
    • Defines scope of IA activity
  • The CAE periodically assesses whether the charter requires an update.
  • The charter and its updates must be approved by the audit committee.

Independence and Objectivity

  • The CAE must report to a level that allows the IA to fulfill its responsibilities.
  • The IA must be free from interference in determining audit scope, performing work, and communicating results.
  • Interferences must be disclosed to the board, and their implications discussed.
  • Internal auditors must have an impartial, unbiased attitude and avoid conflicts of interest.
  • Conflict of interest: A situation where an internal auditor has competing professional or personal interests, making it difficult to fulfill duties impartially.
  • A conflict of interest exists even if no unethical or improper act results.
  • If independence or objectivity is impaired, the details of the impairment must be disclosed to appropriate parties.

Impairment to Organizational Independence and Individual Objectivity

  • May include, but is not limited to:
    • Personal conflict of interest
    • Scope limitations
    • Restrictions on access to records, personnel, and properties
    • Resource limitations such as funding
  • When the impairment results from a scope limitation, the CAE must report the limitation to the audit committee in writing.
  • Auditors cannot accept fees, gifts, or entertainment from an employee, client, supplier, or business associate.

Definitions

  • Individual objectivity: An unbiased mental attitude that allows internal auditors to perform engagements with an honest belief in their work product and without significant quality compromises.
  • Organizational independence: The CAE’s line of reporting within the organization that allows the IA function to fulfill its responsibilities free from interference.

Proficiency and Due Professional Care

  • Proficiency: The knowledge, skills, and other competencies internal auditors need to perform their individual responsibilities.
  • Due professional care: Internal auditors must apply the care and skill expected of a reasonably prudent internal auditor; however, internal auditors are not expected to be infallible.
  • Proficiency (collective term): Refers to the knowledge, skills, and other competencies required of internal auditors to effectively carry out their professional responsibilities.
  • Encompasses consideration of current activities, trends, and emerging issues to enable relevant advice and recommendations.
  • Encourages internal auditors to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications such as the CIA designation.

Planning Audit Objectives

  • The CAE is required to create an operating budget and allocate resources to accomplish the annual internal audit plan.
  • Involves determining which units or activities need to be audited to achieve the plan.
    • I.e., compiling the Audit Universe: A compilation of subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks.
  • Understanding how these units contribute to the mitigation of key strategic, operational, reporting, and compliance risks to levels acceptable by senior management and the board.
  • This will result in the identification (by senior management but corroborated by the IA) of key risks.
  • These risks should be monitored and controlled for the organization to achieve its objectives.
  • The CAE will accordingly prioritize and rank the processes taking into consideration which of them significantly contribute to the mitigation of the risks.

The Audit Plan

  • Prioritization results in the annual plan.
  • Audit plan: An outline of the specific assurance and consulting engagements scheduled for a period of time (typically one year), based on an assessment of the organization.
  • Reviewed on a quarterly basis.

Communication and Approval

  • The annual audit plan is submitted to senior management and the audit committee for approval.
  • It should include:
    • A list of proposed audit engagements (and specification regarding whether the engagements are assurance or consulting in nature)
    • Rationale for selecting each proposed engagement (for example, risk rating, time since last audit, change in management, etc.)
    • Objectives and scope of each proposed engagement
    • A list of initiatives or projects that result from the internal audit strategy but may not be directly related to an audit engagement

Resource Management

  • Organization Structure & Staffing Strategy
    • Flat Organizational Structure
    • Hierarchical Organizational Structure
  • Right Sizing
    • Balance between knowledgeable and skilled staff
    • Basis to decide:
      • Organizational structure
      • Networking and benchmarking
      • Market studies
      • Other consultative venues
    • Staff must be appropriate, sufficient, and effectively deployed to achieve approved plan
    • Assigns independent and objective resources to tasks
    • The knowledge and expertise needed are considered
    • Succession planning is considered
    • Robust staff evaluation and development
    • Reports the impact of temporary shortages or vacancies, educational and training activities, and changes to specific skill needs arising from changes in business, operations, programs, systems, controls, and other areas
  • Staffing Plans/Human Resources
  • Hiring practices
    • Balance between necessary skill base and good use of the financial budget
    • Expertise in varieties of areas:
      • Financial accounting & reporting
      • IT
      • Business operations
      • Applicable laws and regulations
      • Organization’s industry
  • Strategic sourcing
    • Also referred to as co-sourcing or outsourcing
    • Supplements the in-house internal audit function through the use of third-party vendor services for the purposes of gaining subject matter expertise for a specific engagement or filling a gap in needed resources to complete the internal audit plan.
    • Used when specific skills or expertise are needed for a specific project or task
    • Also used when the hours needed to complete the plan exceed the available hours.

Training and Mentoring

  1. On-the-job training
  2. Instructor-led training
  3. E-learning and learning in the flow of work
  4. Professional Development requirements
  5. Coaching & Mentoring
  6. Regular measurement and analysis of impact and drawing conclusions

Career Planning & Professional Development

  • A good internal audit function will have a process in place for
    • Career development
    • Succession planning
  • Auditors can develop and implement an overall plan to reach long-term career goals while remaining a contributing member of the internal audit function
  • The CAE can assign specific engagements and projects to the personnel best suited to perform them
  • Good hiring practices and right-sizing affect scheduling
  • The CAE takes the development needs of the staff into consideration when scheduling.

Financial Budget

  • Driven by the internal audit plan, organizational structure, and staffing strategy.

Use of Professional Practice Groups

  • The specific activities that are typically centralized within the Professional Practices Group include:
    • Formalizing, documenting, and maintaining policies and procedures
    • Managing the issue tracking and follow-up process
    • Performing internal quality assurance reviews and facilitating external quality reviews
    • Managing requests for information from other assurance groups in the organization and regulatory bodies external to the organization
    • Facilitating recruiting activities
    • Creation and maintenance of onboarding activities
    • Developing and delivering training
    • Maintaining performance metrics on the function’s activities
    • Managing the department schedule
    • Facilitating and documenting the risk assessment process and creation of the annual audit plan
    • Preparing materials reporting the internal audit function’s activities to senior management and the audit committee
    • Performing data analytics work
  • Responsible for the smooth operation of the IA function
  • Serves as a centralized team
  • Team members no longer perform audits regularly; they were typically once high-performing auditors

Policies and Procedures

  • The CAE must establish policies and procedures to guide the internal audit activity.
  • The form and content of policies and procedures depend on the size and structure of the internal audit activity and the complexity of its work.
  • Sample contents of P&P:
    • Introduction
    • Objective & Scope
    • Annual Strategic Work Plan & Risk Assessment
    • Defining the Audit Universe
    • Assessing Corporate Governance
    • Conducting the Risk Assessment
    • Preliminary Assessment of Internal Control
    • Preparing the Annual Strategic Audit Plan
    • Presenting the Annual Strategic Audit Plan
    • Types of Engagement
    • Assurance Services
    • Consulting Services
    • Work Papers
    • Contents
    • Elements of Work Papers
    • Specimen
    • Administrative Procedures & Forms
    • Audit Process
      • Planning
      • Field Work
      • Reporting
    • Engagement Quality Assessment
    • Follow Up
    • Quality Assurance & Administration
    • QA & Improvement Program
    • Annual Review of Audit Charter & Organizational Independence
    • Fraud
    • Auditing Fraud

Coordinating Assurance Efforts

  • First line of defense
    • Management owns and takes responsibility for assessing and mitigating risk and for maintaining effective internal controls.
    • This internal line of defense is not independent of management.
  • Second line of defense
    • Different areas within the organization work together to assist in risk mitigation by facilitating and monitoring the risk management efforts of the organization. These areas are also involved in the communication of applicable risk-related information.
    • This internal line of defense is also not independent of management.
  • The internal audit function coordinates with these areas by partnering on risk assessments, soliciting and providing feedback on changing areas of the organization, etc. These coordination efforts do not compromise the independence or objectivity of the internal audit function.
  • Third line of defense
    • The internal audit function is the third line of defense.
    • The key difference between this line of defense and the first two is that it is independent of management.
  • Combined Assurance
    • Begins by creating an assurance map
  • Assurance Map
    • Helps identify which risks are covered by other assurance providers within the organization.
    • Could decrease the level of inherent risks.
    • Impacts the development of the Internal Audit Plan
    • Assists in the coordination and reliance on the work of others.

Additional lines of defense

  • External Auditors
  • Regulators
  • Industry bodies

The CAE determines if reliance can be placed on the work of the external auditors:

  • Evaluate objectivity by considering whether the provider has, or may appear to have, any conflicts of interest and whether they have been disclosed
  • Consider independence by examining the provider’s reporting relationships and the impact of this arrangement
  • Confirm competency by verifying whether the provider’s professional experience, qualifications, certifications, and affiliations are appropriate and current
  • Assess due professional care by examining elements of the practice the provider applies to complete the work (that is, the provider’s methodology and whether the work was appropriately planned, supervised, documented, and reviewed)

Reporting to the Board and Senior Management

Matters to report to the Board and Senior Management

  • The audit activity’s purpose, authority, responsibility
  • Performance relative to the plan
  • Conformance with the standards
  • Significant risk and control issues including fraud risks, governance issues, and other matters for attention
  • Results of the ongoing internal audit activities to senior management and audit committee
  • Deviations from approved engagement schedules, staffing plans, and financial budgets and reason for deviation
  • Significant observations and recommendations
  • Assumed risk
  • Results of management’s self-assessment

Other matters reviewed by the audit committee

  • Business unit monitoring and risk monitoring reports
  • Independent outside auditor activity reports
  • Key financial activity reports
  • Risk management activity reports
  • Legal and compliance monitoring reports

Governance

  • The combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives

Role of IA in Governance

  • Evaluating whether the various risk management activities are designed adequately to manage the risks associated with unacceptable outcomes.
  • Testing and evaluating whether the various risk management activities are operating as designed.
  • Determining whether the assertions made by the risk owners to senior management regarding the effectiveness of the risk management activities accurately reflect the current state of risk management effectiveness.
  • Determining whether the assertions made by senior management to the board regarding the effectiveness of the risk management activities provide the board with the information it desires about the current state of risk management effectiveness.
  • Evaluating whether risk tolerance information is communicated timely and effectively from the board to senior management and from senior management to the risk owners
  • Assessing whether there are any other risk areas that are currently not included in the governance process but should be (for example, a risk for which risk tolerance and reporting expectations have not been delegated to a specific risk owner).

Risk Management

  • A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives
Role of IA in Risk Management

Control

  • Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
  • Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Role of IA in Control

  • Evaluating the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
    • Achievement of the organization’s strategic objectives
    • Reliability and integrity of financial and operational (nonfinancial) information
    • Effectiveness and efficiency of operations
    • Safeguarding of assets
    • Compliance with laws, regulations, and controls

Quality Assurance and Improvement Program (Quality Program Assessments)

  • Quality Assurance
    • The process of assuring that an internal audit function operates according to a set of standards defining the specific elements that must be present to ensure that the findings of the internal audit function are legitimate.
  • Quality Assurance and Improvement Program
    • An ongoing and periodic assessment of the entire spectrum of audit and consulting work performed by the internal audit function.
  • Requirement
    • The CAE must develop and maintain a Quality Assurance & Improvement Program that covers all aspects of the IA activity
      • Internal Assessments
      • External Assessments
    • The IA function is required to successfully complete an external assessment periodically, at least every 5 years.

Non-conformance with the Standards

  • Occurs when the internal audit function is found to be deficient to the point that it impacts the overall scope or operation of the internal audit function. Nonconformance must be disclosed.
    • Disclosure must be made to Senior Management and the Board.
    • A determination will be made regarding whether:
      • A. The noncompliance is intentional
      • B. The noncompliance is inadvertent
      • C. Corrective action will be taken
    • Should senior management and the board decide not to take corrective action, the IA function will no longer be able to state that its internal assurance and consulting services conform “with the International Standards for the Professional Practice of Internal Auditing”.

Performance Measurement for the Internal Audit Function

  • IA function should develop and implement a system of performance indicators to measure its own performance (KPIs).
  • Provide the criteria against which the internal audit function judges its performance in key areas.
  • Provide a gauge for how well the internal audit function is accomplishing its mission/goals.
  • The CAE considers many factors when creating performance measurements:
    • Size of the internal audit function
    • The specific services offered
    • Industry-specific regulations
    • The operating environment
    • The organization’s culture.
  • Indicators used for measuring IA performance should be linked to the company’s mission and objectives.
  • KPIs should be linked to the audit mission and objectives and should be based on outcomes.
  • Indicators should ensure that the IA Function provides a value-added service relevant to the needs of the company.

Service Delivery Benchmarks:

  • The percentage of Internal Audits actually completed in comparison to the original audit plan for the period.
  • The number of recommendations implemented as a percentage of the total number of recommendations made in Internal Audit reports, presented either as a cumulative total or as a current figure for the period under review.
  • The average number of days between the date of the conclusion of the fieldwork and the date of issuing the final internal audit report.
  • Number of risk/governance/internal control awareness sessions conducted.
  • Number of training weeks per year.
  • Number of recommendation points raised addressing efficiency and effectiveness of operations versus reliability of information versus safeguarding of assets versus compliance with laws.
  • Quantification of the efficiency and effectiveness points raised.
  • Number of points raised by regulators & external auditor not included in IA report.
  • Number of investigations conducted during the period.
  • Number of consulting assignments conducted during the period.
  • Results of internal and external QA (minimum - satisfactory).

Cost Control Benchmarks:

  • The actual costs of the Internal Audit Function as a percentage of the total budgeted costs for the Internal Audit Function for the period.
  • The number of direct hours spent on Internal Auditing (excluding hours spent on administrative matters) as a percentage of total hours available (% utilization).
  • Percentage of individual audit projects completed on time and budget.

Use of Technology to Support the Internal Audit Process

  • Risk and Control Self-Assessment
  • Data Analysis
  • Automated Monitoring
  • Automated Working Papers
  • Department Administration & Management
  • The Internet

Technological tools:

  • Enable increased productivity and efficiency
  • Allow for less time to be spent on administrative responsibilities
  • Provide for more time on assurance and consulting services
  • Should enhance an internal audit function’s productivity
  • Should not divert attention away from the task of auditing
  • Allow for less time spent documenting, retaining, and accessing supporting documentation

Management Steps/Process - Summary

  • Planning stage
  • Communication & Approval
  • Resource Management
  • Establishing Policies & Procedures
  • Coordinating Assurance Efforts
  • Reporting to the board & senior management
  • Assess Governance
  • Assess Risk Management Process
  • Assess Internal Control
  • Quality Assurance & Improvement Program
  • Performance Measurements for the IA function
  • Use of technology to support the IA Process
  • Executing the Work
  • Reporting to Board & Senior Management
  • Follow-up

Opportunities for Internal Audit to Provide Insight

  1. Create a charter to provide independent, objective feedback to improve operations by enhancing risk management, control, and governance processes.
  2. Coordinate assurance services with other internal and external providers to ensure proper coverage and minimize duplication of efforts and cost.
  3. Assist the organization in developing and implementing effective risk management strategies that help management achieve business objectives by reducing the impact and/or likelihood of potential risk events.
  4. Assist the organization in establishing and maintaining effective controls by evaluating their effectiveness and efficiency and promoting continuous improvement.
  5. Partner with management to establish self-assessment activities designed to support an organization's risk management efforts.
  6. Collaborate with second-line assurance functions to develop shared taxonomies and protocols up to and including combined assurance activities.