Chapter9PPT4thedition.pptx

Internal Auditing: Assurance & Advisory Services

4th edition

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Managing the Internal Audit Function

Chapter 9

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

Learning objectives

Understand the importance of proper positioning of the internal audit function within the organization.

Identify the benefits of various organizational structures for an internal audit function.

Identify the roles and responsibilities of the key positions in an internal audit function.

Understand the policies and procedures of internal auditing and how they guide the internal audit function.

Understand the attributes of a well-executed risk management model (process) and reflect on what role the internal audit function should have in the organization’s risk management processes.

Understand quality assurance, how it operates, and why it is important to the internal audit function.

Understand how technology is used in the management of the internal audit function

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

Standards Relevant to Managing the Internal audit function

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

POSITIONING THE INTERNAL AUDIT FUNCTION IN THE ORGANIZATION

Organizations that recognize the importance of placing the internal audit function in a position that maximizes its effectiveness and ability to evaluate the efficacy of the risk management, control, and governance processes that are in place often do so through a senior management position described in the Standards as a chief audit executive (CAE). IIA Standard 2000: Managing the Internal Audit Activity states that “the chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.” Recognizing that the CAE is pivotal to a successful internal audit function, the interpretation of Standard 2000 goes on to state that “the internal audit [function] is effectively managed when:

 

It achieves the purpose and responsibility included in the internal audit charter.

It conforms with the Standards.

Its individual members conform with the Code of Ethics and the Standards.

It considers trends and emerging issues that could impact the organization.”

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

THE INTERNAL AUDIT FUNCTION

charter

A necessary condition for the CAE to fulfill the responsibilities to effectively manage the internal audit function is to create a charter that “establishes the internal audit [function’s] position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities” (Interpretation to IIA Standard 1000: Purpose, Authority, and Responsibility).

The charter should also take into consideration assurance and consulting services.

It is important to recognize that the internal audit function and the audit committee have separate charters delineating the specific and separate obligations to the organization of each, while considering and reflecting the inherent interdependencies of the two.

The internal audit function’s charter is subordinate to the audit committee’s charter and must support it.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Add exhibit 1-1

6

Chapter 9: Managing the Internal Audit Function

Independence and Objectivity

The IPPF also indicates that internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest (objectivity). The IPPF further outlines these requirements by setting forth guidance on individual objectivity, which suggests the following:

 

Individual objectivity means the internal auditors must perform engagements in an honest way ensuring the work product is free of significant quality compromises. Internal auditors should avoid being placed in situations that could impair their ability to make objective professional judgments.

Individual objectivity requires the chief audit executive (CAE) to make staff assignments that prevent potential and actual conflicts of interest and bias.

Internal audit work results must be reviewed before engagement communications are released, which helps provide reasonable assurance that the work was performed objectively.

The internal auditor’s objectivity is not negatively affected when the internal auditor recommends enhancements to standards of control or reviews management’s operating procedures before implementation. The internal auditor’s objectivity is considered negatively affected (impaired) if the auditor designs, installs, drafts procedures for, or operates such systems.

The occasional performance of non-audit work by the internal auditor, with full disclosure in the reporting process, would not necessarily impair objectivity. However, it would require careful consideration by management. The internal auditor must be careful when accepting such temporary assignments to avoid adversely affecting the internal auditor’s objectivity.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

Impairment to Independence or

Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

 

Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.

The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity’s and the chief audit executive’s responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

Impairment to Independence

or Objectivity

Additional IIA requirements regarding impairments to independence or objectivity are included in exhibit 9-3:

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

Proficiency and

Due Professional Care

IIA Standard 1200: Proficiency and Due Professional Care states simply that “engagements must be performed with proficiency and due professional care.” IIA Standard 1210: Proficiency goes into more detail, stating that “internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.” Furthermore, IIA Standard 1220: Due Professional Care states that “internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.”

It is important to note that the interpretation of Standard 1210 defines “proficiency [as] a collective term that refers to the knowledge, skills, and other competencies required of internal auditors to effectively carry out their professional responsibilities.” This interpretation goes on to say that “it encompasses consideration of current activities, trends, and emerging issues, to enable relevant advice and recommendations” and further encourages internal auditors to “demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors and other appropriate professional organizations.”

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

PLANNING

The annual internal audit plan should be completed at the beginning of, or just prior to the organization’s fiscal year.

The process can be comprehensive whereby senior management and the internal audit function collaborate to complete a formal risk assessment on an organization-wide basis to establish a prioritized list of key risk scenarios facing the organization that must be appropriately managed by the organization to achieve key business objectives or informal and much less collaborative in nature.

The CAE aligns audit resources for the upcoming year with the conclusions drawn by management during the risk assessment process.

Providing the CAE with a definitive list of audit entities related to the prioritized risks allows for the creation of an internal audit plan using a top-down, risk-based approach.

The planning process should include the establishment of:

Goals,

engagement schedules,

staffing schedules, and

financial budgets.

Additionally, effective planning should reflect the internal audit charter and be consistent with organizational objectives.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

COMMUNICATION AND APPROVAL

After the internal audit plan has been established, it is incumbent upon the CAE to present it to senior management and the board (typically the audit committee) to be approved. Resource requirements, significant interim changes, and the potential implications of resource limitations should all be included in the communication to senior management and the board (IIA Standard 2020: Communication and Approval).

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

RESOURCE MANAGEMENT

A significant consideration in implementing an internal audit function’s plan is how to allocate resources. It is the CAE’s responsibility to “ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan” (IIA Standard 2030: Resource Management). This is achieved by carefully orchestrating a number of factors, including the following:

Training and Mentoring

Career Planning and Professional Development

Scheduling

Financial Budget

Use of Professional Practice Groups

Organizational Structure and Staffing Strategy

Right Sizing

Staffing Plans/Human Resources

Hiring Practices

Strategic Sourcing

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

POLICIES AND PROCEDURES

The standard regarding the implementation of policies and procedures simply states, “the chief audit executive must establish policies and procedures to guide the internal audit activity” (IIA Standard 2040: Policies and Procedures).

The IPPF goes on to suggest keeping the policies and procedures consistent with the size of the internal audit function. The CAE is ultimately responsible for developing policies and procedures.

Formal administrative and technical audit manuals may not be needed by all internal audit functions. A small internal audit function may be managed informally. Its audit staff may be directed and controlled through daily, close supervision, and memoranda that state policies and procedures to be followed. In a large internal audit function, more formal and comprehensive policies and procedures may be needed to guide the internal audit staff in the execution of the internal audit plan.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

COORDINATING ASSURANCE EFFORTS

According to IIA Standard 2050: Coordination and Reliance, “The chief audit executive should share information and coordinate activities, and consider relying on the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.” Coordinating the efforts of the internal audit function with those of other internal and external providers of assurance and consulting services is important because of the increase in effectiveness and efficiencies that can be gained.

Many organizations have multiple avenues for ensuring that they operate within their risk appetite. Organizations operating in a highly regulated environment in particular have a need to demonstrate that they have mitigated the many risks that threaten them to a reasonable level. To do so, they implement a technique of assurance layering to get the risk mitigation they need or desire. One common example of this strategy is the “three lines of defense model.”

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

COORDINATING ASSURANCE EFFORTS

In the three lines of defense model, the organization layers the avenues through which they get assurance that the risks facing them are mitigated to a level within their risk appetite. Although it is referred to as three lines of defense, depending on the organization and how it is structured, there may be more than three defined lines (layers) of assurance.

Exhibit 9-4 is a popular depiction of the three lines of defense model that places the external, independent assurance providers outside the model. As indicated, this model can be adapted by organizations to depict their particular approach or philosophy.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Add exhibit 1-2

16

Chapter 9: Managing the Internal Audit Function

REPORTING TO THE BOARD AND

SENIOR MANAGEMENT

The CAE has the responsibility to “report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan, and on its conformance with the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board” (IIA Standard 2060: Reporting to Senior Management and the Board). 

More specifically, consider communicating the following items:

Significant deviations from approved engagement work schedules and the reasons for such.

Staffing plans, and financial budgets.

Action taken or needed.

Significant engagement observations and recommendations.

Instances of senior management and/or the audit committee acceptance of the risk of not correcting a significant engagement observation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

REPORTING TO THE BOARD AND

SENIOR MANAGEMENT (cont’d)

Management and the CAE coordinate efforts to routinely report on various risk and control activities performed by either, in accordance with roles and responsibilities set by the board and the audit committee. This typically includes reports covering:

Business unit monitoring and risk monitoring reports.

Independent outside auditor activity reports.

Key financial activity reports.

Risk management activity reports.

Legal and compliance monitoring reports.

 

In addition to this information, a report is typically submitted to the audit committee by either senior management or the CAE outlining the results of management’s self-assessment regarding the design adequacy and operating effectiveness of the organization’s internal controls.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

GOVERNANCE

Governance is defined as “a process conducted by the board of directors to authorize, direct, and oversee management toward the achievement of the organization’s objectives.”

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

GOVERNANCE

IIA Standard 2110: Governance requires the internal audit function to “assess and make appropriate recommendations to improve the organization’s governance processes for:

 

Making strategic and operational decisions;

Overseeing risk management and control;

Promoting appropriate ethics and values within the organization;

Ensuring effective organizational performance management and accountability;

Communicating risk and control information to appropriate areas of the organization; and

Coordinating the activities of, and communicating information among, the board, [independent outside] and internal auditors, other assurance providers, and management.”

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

RISK MANAGEMENT

Risk Management is a participatory process designed to identify, document, evaluate, communicate, and monitor the most significant uncertainties facing an organization requiring risk mitigation or exploitation of opportunities to successfully achieve business objectives. In other words, risk management is a process conducted by management to understand and deal with uncertainties (that is, risk and opportunities) that could affect the organization’s ability to achieve its business objectives.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

RISK MANAGEMENT

Risk management historically focused on avoiding potential danger and preventing harmful actions.

Risk management has evolved to focus additionally on identifying opportunities that can be exploited.

In these models, risk management efforts are designed to facilitate the management of both risk and opportunity within a predefined risk appetite set by the board and senior management.

Properly executed risk management assists the board and senior management implement appropriate risk responses:

Avoiding

Reducing

Sharing

Accepting risks

Exploiting opportunities

Effective risk management provides reasonable (not absolute) assurance that the business objectives of an organization will be achieved.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

Internal Audit Role in

Enterprise Risk Management

The role of the internal audit function varies widely and is predicated on the division of risk management responsibilities and the culture of the organization. At minimum, the internal audit function should evaluate the design adequacy and operating effectiveness of the organization’s risk management processes by providing input and feedback through a periodic review (audit). It is also appropriate for the internal audit function to facilitate the identification and evaluation of risks and opportunities, coach management on appropriate ways to respond to risk events and opportunities, and help an organization coordinate enterprise-wide risk management activities.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

Internal Audit Role in Enterprise Risk Management (Cont’d)

According to IIA Standard 2120: Risk Management, “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” The interpretation for this standard states:

Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:

Organizational objectives support and align with the organization’s mission;

Significant risks are identified and assessed;

Appropriate risk responses are selected that align risks with the organization’s risk appetite; and

Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

 

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

Internal Audit Role in Enterprise Risk Management (cont’d)

Exhibit 9-5 shows a range of activities that an internal audit function might be asked to perform, detailing which activities are appropriate and which should be avoided.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

CONTROL

IIA Standard 2130: Control states, “The internal audit function must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.”

 

In terms of providing assurance services, the information that comes out of the risk assessment should drive the internal audit function’s direction when evaluating “the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

Achievement of the organization’s strategic objectives;

Reliability and integrity of financial and operational [nonfinancial] information;

Effectiveness and efficiency of operations and programs

Safeguarding of assets; and

Compliance with laws, regulations, policies, procedures, and contracts.”

 

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

The IIA has established formal quality assurance standards that must be followed for internal audit functions to be considered in compliance with The IIA Standards.

Quality Assurance is the process of assuring that an internal audit function adheres to a set of standards defining the specific elements that must be present to ensure that the function operates appropriately.

IIA Standard 1300: Quality Assurance and Improvement Program states that “the chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.”

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (Cont’d)

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (cont’d)

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (Cont’d)

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

PERFORMANCE MEASUREMENTS FOR

THE INTERNAL AUDIT FUNCTION

Performance Measures:

Provide the criteria against which the internal audit function judges its performance in key areas.

Provide a gauge for how well the internal audit function is accomplishing its mission/goals.

The CAE considers many factors when creating performance measurements:

Size of the internal audit function

The specific services offered

Industry-specific regulations

The operating environment

The organization’s culture.

Performance measurements should be aligned with the internal audit function’s charter, and all significant services addressed in the charter should be considered when establishing performance measurements. The customized measurement process should outline activities that contribute to the achievement of the goals identified in the charter.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

USE OF TECHNOLOGY TO SUPPORT THE INTERNAL AUDIT PROCESS

Technological tools

Enable increased productivity and efficiency

Allow for less time to be spent on administrative responsibilities

Provide for more time on assurance and consulting services

Should enhance an internal audit function’s productivity

Should not divert attention away from the task of auditing

Allow for less time spent documenting, retaining, and accessing supporting documentation

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Chapter 9: Managing the Internal Audit Function

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.