By the end of this course, you should be able to:
• Identify the roles of the internal auditor
• Identify the phases and corresponding activities of an internal audit review
• Identify ways that information technology (IT) relates to the audit process
• Identify the roles of the audit committee and the relationship with internal audit
• Recall the IIA's definition of internal audit
• Identify requirements and guidance provided by the IIA's Professional Practices Framework
Introduction
The Institute of Internal Auditors (or IIA) has defined internal auditing as an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
The profession traces its origins back more than 5000 years to the ancient dynasties of Egypt and the Mesopotamian kingdoms. The Internal Audit profession today is indeed an independent appraisal and evaluation process, and is currently employed in thousands of businesses around the world.
In recent years throughout the world, governments and regulating entities have issued initiatives designed to create specific operational standards for public companies and corporations. These new initiatives were often imposed as the result of uncontrolled growth, fraud, or significant deviations from accepted business practices.
In the U.S., for example, a major change to the internal audit requirement was mandated through the Securities and Exchange Commission and the New York Stock Exchange. Effective October 31, 2004, NYSE companies are required to maintain an up-and-running fully functional internal audit capability. The decision as to whether this function is performed by an internal or independent external organization is left entirely to the individual company.
The objective of this course, Introduction to the Internal Audit Profession, is to explain the role and significance of internal audit in today’s business environment and to clarify its purpose, procedures, and benefits. The course is divided into 5 lessons as follows:
Lesson 1: The role of internal auditors.
Lesson 2: The process of internal auditing.
Lesson 3: Internal audit and information technology.
Lesson 4: Internal audit and the audit committee.
Lesson 5: Internal audit and the global workplace.
Providing comprehensive guidance on the benefits of internal audit is an important and pragmatic process that can be of significant value to all commercial enterprises.
This course will provide answers and insight to company board members, audit committees and management, and will serve as a roadmap to the understanding and efficient operation of the internal audit profession.
Throughout this training module, you will be asked to complete a number of review questions. On completion of the course, you will be tested with a short exam.
Lesson 1: The Role of Internal Auditors.
It was once a simple, straightforward process. A business owner hired an accountant to check the accuracy of the company’s financial records by comparing entries in the ledger to the documentary evidence. Discrepancies were identified. Corrections were made. A sense of fiscal accord was shared by accountant and business owner alike.
Today, there is a new reality and an expanded role for internal auditors. Contemporary corporations and companies have become multi-layered and enormously complex. Because of their size and organizational density, processes are often redundant, controls can become lax, and standards once firmly anchored in a vision statement may begin a subtle and often undetectable drift away from the company’s founding principles. Recent history has clearly demonstrated that the resulting loss of adhesion to sound, fundamental business practices can run the downhill gamut from problematic to catastrophic.
In response, the internal auditing profession under the leadership of the Institute of Internal Auditors (or IIA) has adapted and evolved to meet the enormous challenge of applying risk management processes and internal controls to today’s highly sophisticated business operations.
While the Sarbanes-Oxley Act passed by the U.S. Congress in 2002 affected the listing requirements of the New York Stock Exchange and the rules and regulations of the Securities and Exchange Commission, both private and listed companies began to recognize that developing an internal audit function would assist them in maintaining, validating and improving the health of their overall business structure. Often the results were significantly reduced costs, improved processes, and enhanced internal controls.
The Sarbanes-Oxley Act and similar acts about to become law in Canada and other countries do not establish minimum requirements for a company’s internal audit function, or any specific parameters for maintaining an auditing role or department. As in any business sector, the size, budget and structure of an added function such as internal audit depend on many factors resulting from risk-based assessment. Organizations vary greatly. One size rarely fits all. There are, nevertheless, universal standards recommended for the United States by the Public Company Accounting Oversight Board, or PCAOB, which can be applied to any business entity engaged in commerce anywhere in the world.
In all of its many forms both subtle and blatant, fraud is one of the primary targets of internal audit and thus requires an extremely high standard of vigilance, independence, competence and objectivity. Because even the perception of fraud can be damaging to a company’s image, nothing surpasses the obligation for independent status and public confidence in a company’s internal audit operation.
While they are not expected to function as fraud investigators, internal auditors must have the knowledge and expertise to recognize the indicators of fraud. This means that they have the means to evaluate the adequacy and effectiveness of the system of internal controls necessary to expose risk within the organization’s operations.
Written policies should be in place clearly explaining prohibited activities and the actions that must follow the discovery of violations. Mechanisms must be established to detect potential fraudulent conduct, especially in high-risk areas. Direct, open channels of communication between the auditor and the highest levels of management, including the audit committee and/or the board of directors, must be in place to enable timely, reliable reporting of suspected illegal activities. And finally, recommendations must be advanced for the establishment of cost-effective controls for fraud deterrence.
One of the major concepts in understanding the role and purpose of internal auditing is awareness of its self-governing and self-directed status in the business environment. The internal audit profession is not regulated by external government agencies. Industry guidelines are established by the Institute of Internal Auditors which is an autonomous professional organization charged with evaluating and developing practice standards.
These standards and the supporting implementation guides are international both in flavor and applicability and transcend national boundaries. They require technical competence and training that can be demonstrated by a variety of certifications such as the:
• Certified Internal Auditor (or CIA)
• Certified Public Accountant (or CPA)
• Chartered Accountant (or CA)
• Certified Information Systems Auditor (or CISA)
• Certified Fraud Examiner (or CFE)
• Certified Financial Services Auditor (or CFSA)
• Certified Government Auditing Professional (or CGAP), and others.
Internal audit professionals are often required to maintain at least one certification by the organizations they serve. All the certifications listed previously require annual continuing professional education (CPE) training.
Qualified auditors must exhibit skills ranging from specialized industry and technical knowledge to seasoned business insight and expertise. Often they have degrees in business administration, finance and even law. Since internal auditors may be required to examine all aspects of a business, there is a legitimate need to have professional knowledge from other disciplines beyond accounting.
Internal auditors possess qualities of professionalism, integrity, and efficiency.
They are motivated to make objective assessments regarding best practices, improved controls, processes and procedures, as well as evaluating performance and risk management.
Sometimes they function as stakeholder advocates, efficiency experts and problem solvers. Other times they may act as coaches and guides. They are, in a phrase, the safety nets of the organization.
It is important that we recognize and understand the critical distinctions between the roles of internal and external auditors. Although internal and external auditors may interact and consult with one another in the normal course of business, each has separate functions and independent objectives.
Throughout the globe, the external auditor is responsible for affirming the accuracy of financial reports to all outside parties including investors and regulatory agencies. In the U.S., external auditors also provide an evaluation of a publicly held company’s internal control over financial reporting as required by Section 404 of the Sarbanes-Oxley Act. Other countries have similar requirements.
In contrast, the primary role of the internal auditor is to review in-house business practices and accounting and process controls. Internal auditors assist management and the audit committee in identifying and evaluating key business risks and performing audits in recognized high-risk areas, completing special investigations for the board of directors and management, and assisting external auditors as required.
A certain amount of collaboration between internal and external auditors is also necessary to prevent duplication of effort. In addition, internal and external auditors working together can create a synergy that will more effectively ensure that a company’s financial reports are accurate and its system of internal controls is functioning properly.
For internal auditors, the term “independence” has a different meaning in degree and context than for an external auditor. Independence for an internal auditor refers to an environment free from peer persuasion or other undue internal influence. It surrounds the reporting structure of the internal audit function in a virtual pressure-free zone, ensuring open and clear access equally to the audit committee, the board of directors, or the company CEO.
The internal auditing function may be a departmental company task, or it may be outsourced or co-sourced to a private company. Whether or not the internal auditor is outsourced or co-sourced or is a wholly-owned internal company function, the IIA Standards define the internal auditor as an independent, objective consulting agent whose role is to be free to perform independently to add value and improve company operations.
The IIA Standards define the internal auditor as an independent, objective assurance and consulting agent whose role is to be free to perform independently to add value and improve company operations.
External auditors, on the other hand, perform under various regulatory standards such as strict adherence to direct reporting to an audit committee. In the U.S. there are prohibitions and restrictions on external auditors enforced by the SEC, the PCAOB and by the American Institute of Certified Public Accountants (or AICPA). These prohibitions and restrictions limit the nature and extent of services that can be provided to an audit client; among these are internal audit outsourcing, valuation services, financial consulting, bookkeeping, design of financial systems and other services that could undermine and conflict with the independence of the external auditor.
Also, under current auditing standards, external auditors are required to confirm their autonomy in writing to the audit committee of the company by whom they are contracted. Violations of these rules can result in severe penalties. Rules similar in purpose and intent exist in many countries today.
Another important role of the internal audit profession is to defend and safeguard organizational resources. By reviewing company practices for protection of assets, internal audit can evaluate and recommend improvements within the company for securing cash, receivables, inventories and capital equipment and property against financial loss from theft, fire, improper or nonexistent controls, and mismanagement.
Intangible resources such as information technology, knowledge management, as well as proprietary data and intelligence are also valuable resources which must be protected with equal diligence. These and other continuously emerging issues including product support, advisory and consulting roles and organizational restructuring can benefit from creative input by skilled internal auditors.
The ultimate role of internal auditing is to help a company accomplish its productivity and business objectives. This it achieves by applying a continuous discipline of systematic measurements to all areas of company operations, from risk management to fiscal controls and standard business practices.
Whether the audit function is performed internally or externally contracted, it is an independent, objective activity. Its purpose is to add value by helping the company remain aligned with ethical business principles, as well as government regulations and guidelines, thereby raising the operating level and profit potential of the organization to peak efficiency.
Companies have a range of freedom in the manner in which they can choose to fulfill their internal auditing responsibilities. Outsourcing the audit function to a service provider can have several advantages, including achieving rapid compliance with accelerated startup, potentially greater independence and objectivity, and access to a higher skill-level and experience than may be available in-house.
Outsourcing can also mean increased flexibility by allowing a company to ramp audit activities up or down to correspond to changing risks and conditions. Outsourcing can include utilizing auditors with specialized knowledge such as that required for audits in the Information Technology arena.
Additionally, outsourcing allows a company to limit or halt internal audit work at certain times of the year when there may be conflicting priorities such as plant closings, mandatory vacations, downsizings, upper management realignments, year-end reporting or annual budget processes.
Many companies may already have an internal audit function. In this case, the company simply needs to evaluate that function’s adequacy and effectiveness. Has it been properly resourced? How does the company’s audit capability benchmark with comparable companies in comparable industries? Has the company’s audit function been aligned with IIA standards? Has it undergone a quality assurance or peer review recently? These and other questions should be raised in the evaluation process.
Many companies find that a “rotation” plan to bring employees into and out of internal auditing on a regular schedule can be beneficial both to employees and to the organization. Using this approach, a company may utilize full-time professional employees with specialized knowledge and experience in the company’s business sectors.
As “temporary” auditors these individuals can gain valuable experience through a program of in-depth exposure to a wide range of business operations. By evaluating and helping to improve organizations inside the company, they will gain practical knowledge and background regarding internal controls and business risks in areas of the company with which they may not have been previously familiar.
An important question regarding a company’s previously established internal audit function concerns its perception within the company. Is it regarded as a value-added activity within the organization by management and board members, by audit committees and key process owners? If the answer is in doubt, then how can the function be improved to achieve a favorable perception? Such questions, if valid, should be immediately elevated to a level requiring responsive, insightful, and deliberate analysis. This doubt must be reduced through appropriate action plans.
Every company has responsibilities beyond its production goals. These include the establishment of high ethical standards and the continuous monitoring of managerial competency. There are also fundamental obligations to the company’s investors and shareholders, employees, customers and the community to guarantee organizational transparency and a wide-open window into company operations.
One of the chief roles of the internal audit profession is to work diligently to ensure that window remains open. By establishing structural strength in company operations, and stability throughout the organization, and by helping to project to the outside investment community a sense of well-grounded confidence in the company’s basic honesty, fairness and integrity, internal audit provides a valuable and wholly indispensable service.
The fundamental requirement of the internal auditor remains the same as in the past, but the profession today is called upon to operate in an additional variety of roles. While spanning a growing spectrum of organizational issues and requirements, the goal of internal auditing is to enable a company to maintain healthy, vibrant business operations based on sound operating principles designed to achieve its maximum potential.
We will now test your understanding of the role of an internal auditor with a few review questions.
Lesson 2: The Process of Internal Auditing
In 1999, the Institute of Internal Auditors, charged by its Board of Directors, formulated revised definitions for internal audit and created a new Professional Practices Framework based on the guidance of a special committee of the IIA. At that time current standards for the practice of internal auditing received a thorough scrutiny. The result was the development of a new, streamlined Professional Practices Framework designed to prepare the audit profession for the challenges of the 21st century and which should be applied throughout the world.
In nautical terms, the revised internal auditing Professional Practices Framework, the Red Book, is a state-of-the-art navigational aid employed to steer auditors safely and accurately through the expanding body of knowledge comprising the internal audit process. This navigational aid, essentially a system for initiating and executing internal audit projects, includes instruments created to enable the auditing entity to pre-position its resources to be able to precisely define the area, schedule, purpose and scope of the audit process prior to beginning the task.
The International Professional Practices Framework is comprised of mandatory guidance and recommended guidance. Within the mandatory guidance are the core principles, the definition of internal auditing, the Code of Ethics and the Standards. Within the recommended guidance are Implementation Guides and Supplemental Guidance.
The International Professional Practices Framework is comprised of mandatory guidance and strongly recommended guidance. Within the mandatory guidance are the definition, code of ethics and Standards. Within the strongly recommended guidance are practice advisories, position papers and practice guides.
The Standards, as described by the IIA, are the criteria by which an internal audit function is evaluated and measured. They are meant to be applied universally to the global profession of internal auditing. Beyond the Standards, the IIA's Code of Ethics is intended to foster an environment that acknowledges the trust implicit in the responsibility to promote fair and ethical recommendations concerning a company’s risk management, control, and governance.
The Core Principles articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively.
Implementation Guides represent the area of “best practices.” Implementation Guides help interpret the Standards and apply them in specific audit situations. All Implementation Guides are submitted to a formal review process within the IIA.
Supplemental Guidance provides detailed guidance for conducting internal audit activities. These include topical areas, sector-specific issues, as well as processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables. Generally, these materials provide internal auditors with the insight and experience of various experts in the techniques and processes related to the profession.
With its vast range of applicable materials, resources, accessible expert knowledge and experience base, the process of internal auditing is above all a highly flexible discipline that can be scoped and designed for specific applications in a variety of environments and under a multitude of conditions.
An audit may be conducted on a regular or ad hoc schedule, subject to the requirements of the company. At times it may be appropriate and necessary to conduct unscheduled audits, unannounced and wholly unexpected. Regardless of whether the audit is scheduled or unscheduled, it is the auditors’ responsibility to prepare a complete and comprehensive audit plan well in advance of execution.
Planning should include but not necessarily be limited to the following:
• Establishing goals; work schedules; staffing and budgets; and activity reports.
• Establishing objectives that can be accomplished within specified operating plans and budgets, and to the extent possible, that are measurable.
• Establishing activities to be performed; when they will be performed; time required for performance; and nature and extent of related work performed by others.
• Summarizing dates and results of past audits;
• Updating assessments of risks and effectiveness of risk management and control processes;
• Considering requests by board and senior management;
• Current issues related to organizational governance; major changes in business, operations, programs, systems and controls;
• Opportunities to achieve operating benefits; and
• Changes in capabilities of the audit staff.
In planning, a review should be conducted of all prior audits in the proposed area, including those completed by external or internal auditors, regulators or consultants. This reference to a previous baseline can provide extremely valuable information regarding past deviations, shifts in policy, course corrections and adherence to previously mandated or recommended changes in policies and procedures.
Joint planning discussions to define specific issues of interest and concern should be conducted with management and process owners of the area under review. These discussions should include any proposed self-assessment activities and a list of best practices to be employed in the audit. Pre-activity discussions should also include identification and review of the proposed internal manpower resources assigned to the audit as well as an evaluation of their experience level and competency. Determination should be made if outside resources or auditors should be used to supplement the review team.
Once under way, the course of the actual audit should include appropriate test methods including inquiry, observation, examination and re-performance. An ongoing report or other appropriate dynamic communication tool should be used to summarize completed work and findings for notation and clearance with management and process owners.
This report normally includes an executive summary, background, objectives and scope, audit information, analysis and appendices. While the format of an internal audit report may vary between companies, the content should reflect an approach communicating key topics, critical steps recommended, and resolution of reported issues. A draft report for preliminary circulation to management and process owners may be an appropriate and effective approach to refine language and ensure accuracy.
Ultimately, the internal audit report is the creative instrument by which management, the audit committee and the process owners implement the results of the audit to bring about positive change for improving controls and verifying the accuracy of information emerging from the audit process.
A well-written report should answer the following questions:
1. Why was the area selected for audit? Were there inherent or perceived areas of high risk, known problems, a history of past issues, management changes or other factors?
2. What was the scope of the work and when was it performed? What time period and business units did the work cover and which facets of their operations? What were the key risks to be addressed?
3. What were the overall findings of the audit? Were issues severe or minor?
4. What actions and recommendations need to be taken by management to address the findings? By when should they be completed?
5. Is there an action plan clearly defined to correct deficiencies? Who takes responsibility for corrective action? How should corrections be implemented?
6. Who takes responsibility for tracking and confirming resolution of management action plans?
Another key element in the process is to develop an effective method for tracking and follow-up on findings and actions by management. This can be accomplished by gathering all audit information into an easily accessible database, scheduling follow-up audits, conducting conference calls and requesting post-audit status from the audited entity. Internal audit should also be diligent in determining the extent to which resolution of audit findings is independently validated.
There is no one-size-fits-all template for the execution and completion of an audit. Internal audit leadership, management, and the audit committee should work as a team to customize the most effective approach for their respective organization. The IIA Standards and Practice Advisories are the most important and the most readily available tools in the development of guidance and framework for the audit process.
Now it’s time for a few review questions.
Lesson 3: Internal Audit and Information Technology
Information technology (or IT) in today’s business environment has a direct relation to risk, and this acknowledgement of risk should be an important driver in the internal audit process. IT enables key controls in the business process, but it also brings inherent vulnerabilities. Autonomy of responsibility and the isolation of the decision-making process to remote levels of management can have both intended and unintended consequences.
IT makes such processes possible by providing critical controls through programmed logic, automated transaction validation and accurate calculations through error and reasonableness checks. But the risks inherent in IT include the possible compromise of a company’s internal information and data, its computer networks, its proprietary information and its private records by individuals both inside and outside the company. Viruses and other damaging programs may be introduced into the system causing interruption in business processes by corrupting data and networks. Furthermore, IT risks are in a state of continuous evolution. New challenges such as wi-fi, remote access and global networks emerge with unpredictable regularity and pose an ever-changing and dynamic risk profile. Thus, IT considerations must be integral to internal audit’s focus and scope.
IT Controls can be divided into two groups: general controls, and application controls.
General Controls typically impact a number of individual applications and data in the technology environment. As a rule these controls support the integrity of processing and data.
There are several significant individual areas of general IT controls including:
1. Change Management – Controls that help to ensure the accuracy, completeness, and authorization over program and code changes to the business applications that support the business.
2. Logical Security (including Security Administration) – Controls that help to ensure that only authorized individuals can enter, approve, and monitor systems transactions and business data.
3. Physical Security – Controls that help protect computer hardware and infrastructure operating the systems that house business data.
4. Computer Operations – Controls that monitor transactions and data processing to help ensure that batch postings and reports are completed in a timely manner and include all appropriate business information.
5. Data Back-Up and Recovery – Controls that ensure business data and applications are available to end users and customers in the event of system breakdown.
6. IT Asset Management – Controls pertaining to the tracking and managing of IT assets, including hardware and software inventory.
Application Controls encompass two important areas: (a) Controls and processes designed and implemented in the business areas by the respective data and application owners; and (b) programmed controls within the application that perform specific control-related activities such as error-checking or validation of key fields.
An example of Application Controls is segregation of incompatible duties. Data owners are responsible for designing and logically determining the responsibilities and duties that should be segregated. The Applications Programming Group is responsible for designing and developing the application so as to provide reasonable assurance that transactions are executed through programmed and other controls in accord with the application owner’s design addressing the financial reporting assertions.
Specific skills required for an IT audit may differ from business to business, but there are a number of general IT capabilities required for an IT audit group. There should be competency in applications functions. Applications have programmed procedures and logic that provide for control and operations. Critical programmed controls include data validation and error-checking routines, reasonableness checks in key processing areas, logical segregation of responsibilities, and limitations on who is allowed to initiate and view transactions. Skills are required in understanding how programmed controls interact with manual procedures. There are also specific industry application skills as well as ERP-specific skills needed to audit industry-specific and ERP applications.
IT component skills are required including knowledge of critical IT infrastructure such as networks, databases and platforms. Many of these skills are directly related to security issues. In addition, there are requirements for understanding IT operational procedures such as backup, recovery, and performance concerns.
A number of additional process skills are important to the proper function of internal audit within IT areas. These include security administration in both application and IT component or hardware areas. Business continuity, disaster recovery planning, data center operations, application change management, infrastructure change management, and asset and service management are some of the additional knowledge areas needing a high level of skill and experience. To a certain extent, all internal auditors should have base-level capabilities related to IT risks and controls.
In some cases, more extensive specialties are required in specific applications such as ERP systems and atypical technologies. In these cases many companies elect to develop an IT specialty practice within their audit department specifically targeting recurring IT-related issues and risks. Internal audit functions should be able to evaluate the depth, breadth and frequency of their IT audit needs and consider when and how external resources and organizations can be of use to achieve the best balance of people and skills to address IT risks and issues. This function may be outsourced to gain the appropriate level of experience and expertise.
Before moving on to the next lesson, we’ll test your understanding with a few review questions.
Lesson 4: Internal Audit and the Audit Committee
Internal audit is one of management’s most valuable resources in meeting business objectives, especially as the objectives relate to comprehensive and effective internal controls. The quality of operational efficiency, the reliability of financial reporting, the degree of compliance with laws and regulations, and the success of implemented programs for safeguarding assets – all are major business elements directly responsive to internal audit.
Every company’s internal audit function is characterized by a concentration of individual skills and competencies. These skills and competencies represent valuable resources that need to be thoroughly understood by both management and the audit committee, but internal audit should never be seen as an exclusive tool of the audit committee on temporary loan to management. An internal audit function by its very nature is an organizational asset and management needs to determine how best to leverage audit resources to achieve effective risk management, control and governance.
This can be accomplished in several ways:
1. By utilizing audit resources as part of the company’s enterprise risk assessment to identify, source, measure, prioritize and develop an action plan to address and manage the most significant business risk potentially blocking the achievement of its objectives.
2. By providing critical input to the audit entity in the development of the scheduled internal audit plan, including focusing on risk and other areas of greatest importance.
3. By discussing and generating strategies to assist in the company’s efforts to achieve compliance with the Sarbanes-Oxley Act.
4. By supporting the key findings of the audit and the resulting plan for process owners to make the changes and improvements to correct process issues and deficiencies.
While internal audit functions may vary widely between companies, the audit committee plays an important role in supporting and providing oversight to key aspects of internal audit activities.
As a general rule, the audit committee should be involved in the following issues:
1. Providing input and approving the written charter for the scope and purpose of the internal audit, including periodic review and ongoing modernization and upgrading of internal audit processes and procedures.
2. Understanding, reviewing and approving the enterprise’s annual and long-term risk assessment and internal audit plans.
3. Evaluating, at least annually, the audit function and ensuring it is in compliance with requirements of the company, the audit committee and its written charter.
4. Conducting executive sessions on a regular schedule with the company’s Chief Audit Executive (or CAE).
5. Providing input and direction concerning the appropriate escalation protocols in critical findings and issues.
6. Reviewing and approving CAE status, including all matters concerning hiring, compensation and termination.
7. Discussing and approving the funding level for internal audit activities.
8. Directing the internal audit function to ensure the integrity of special reviews and fraud investigations.
9. Working with internal audit to design and establish control, governance, risk management, and ethics training for employees.
This listing is not intended to be all-inclusive, but rather to provide reasonable guidance.
The audit committee should work with management to provide a clear understanding of its role with respect to the internal audit function. The primary goal is clarity. It is vital that any areas of uncertainty or doubt between the audit committee and management concerning their relationship and areas of responsibility should receive full and comprehensive attention until the issues are resolved to the mutual satisfaction of both entities.
Executive sessions, without the presence of management, are recommended as beneficial to the audit committee and the company in furthering effective corporate governance. Experience shows that executive sessions for both internal and external auditors are a “best practice”. Additionally, executive sessions are found to be most effective when they are listed as a standing item on the audit committee agenda, whether or not specific issues or concerns are at hand. As a regularly scheduled agenda business item, the executive session may then be held freely without the pressure or preconceived prejudicial influence that may arise from an unscheduled meeting being called.
Internal audit reporting may vary considerably with different companies based on many factors. Charter and scope of the audit function, frequency and length of audit committee meetings, quantity of reporting material provided as well as communications between meetings will all affect the schedule and method of audit reporting.
As a general guide, the following issues may be considered significant in internal audit reporting:
1. Activities and audits completed during the last business quarter.
2. Presentation and discussion of the Executive Summaries from recent audit reports.
3. Status of past audit recommendations and Management Action Plans.
4. Planned internal audit activities for the next business quarter.
5. Reported instances of fraud and internal audit’s role in investigation.
6. Reported hotline calls and the related follow-up by the appropriate person.
7. Risks, issues and legal matters generated since the last internal audit meeting.
8. Matters specifically requested of management or the audit committee.
9.
Each audit committee meeting should be considered an opportunity for internal audit to provide insight to the audit committee on current issues and concerns, and may include educational materials, articles and white papers. In addition, the audit committee should be briefed as to the scope, schedule, objectives, and targets of upcoming audits.
As a matter of course, frequent in-depth and informal communications between internal audit and company management should be encouraged.
These discussions and communications should pose the following questions:
1. Is the company audit function meeting the terms of its written charter?
2. Is the audit function assisting the company in identifying and addressing its most significant risks?
3. Is the audit function sufficiently objective and impersonal in its audit activities, and is the audit committee helping to create and maintain objectivity?
4. Are members of the internal audit function technically competent and proficient, and does the function have the necessary resources?
5. Is the audit function being led by a competent Chief Audit Executive (CAE) who has the respect of management, the audit committee and the internal audit staff?
6. Is the audit function efficient in its efforts, methods and approach?
7. Is the audit function adding value, improving operations, and bringing a systematic, disciplined approach to risk management, control and governance processes?
8. Is feedback requested from the audited party?
9. Are Internal Audit Scorecards completed and submitted?
10.
Appraisal and assessment of the internal audit function ranges from informal evaluations to formal written documentation including input from outside advisors and the completion of a Quality Assurance Review (or QAR) every five years, in accordance with IIA Standards. Determining the scope and formality of the evaluation is the sole purview of the audit committee. IIA Standards recommend the Quality Assurance Review be conducted by an independent review team from outside the organization. Let’s review.
Lesson 5: Internal Audit and the Global Workplace
Companies and corporations operating around the world can and often do have discrete variations in standards and practices that are distinctive to a country’s culture, financial markets, and legal framework. Studies show, however, that the primary focus of internal audit and risk management is universal. Wherever the company is based and however intramural or international its scope and ambition, managing risk and improving internal controls are common objectives. The means may involve different strategies, using special methodologies and unique tools, but the ends remain constant: full compliance with government regulations; continuous improvements in the precision and veracity of financial reporting; and the assurance of due diligence in all fiscal transactions.
Unlike other professions operating around the world, internal audit is unique in the globalization of its principles and values. The Standards, promulgated by the IIA, are characterized by their relevance across the spectrum of international business. The European-based Basel II regulations on banking supervision, the UK’s Turnbull Guidance on internal controls and corporate governance, the U.S. Sarbanes-Oxley Act – all are efforts to regulate and mandate compliance with commercial standards to protect international business and the millions of customers, investors, corporate entities, employees and multitudes of other members and participants across the far-flung global business community.
Whatever the nature of the business enterprise, the goals and objectives of internal auditors are universal: risk management, internal control, and compliance.
By addressing problems and improving performance, internal auditors can help the organization function at the highest, most ethical levels while constantly scanning the business horizon for potential problems that may represent tomorrow’s difficult challenge. In doing so, they bring to the organization a sense of safety and well-being without compromise, and without fear.
This concludes the Introduction to the Internal Audit Profession training. You will now be presented with a short exam.