The Internal Audit Handbook - The Business Approach to Driving Audit Value
Ebook, 1,125 pages, 20 hours


About this ebook

The Internal Audit Handbook - the Business Approach to Driving Audit Value

The Internal Audit Handbook combines the Volumes I, II and III of Driving Audit Value in a comprehensive internal audit handbook. This Driving Audit Value Bundle integrates the best practice strategies of the internal audit function, internal audit engagement and the internal audit risk management into one definitive, practical and extensive reference manual of 740 pages.

This handbook is a must-have for all internal audit professionals who want to elevate their performance far above the expectations of their board and management. Follow the business approach to internal auditing for maximising the internal audit added value and minimising the internal audit risks, based on proven strategy models.

Hans Beumer was CAE for 16 years, has a Master's degree in Business Economics, and was educated and trained as a Dutch CPA, CIA, CISA, CRMA and CFE. He published 4 books and 8 articles on the topic of best practice internal audit.
Language: English
Publisher: Hans Beumer
Release date: Jul 25, 2017
ISBN: 9783906861210

    Book preview

    The Internal Audit Handbook - The Business Approach to Driving Audit Value - Hans Beumer

    The Internal Audit Handbook

    THE BUSINESS APPROACH

    TO DRIVING AUDIT VALUE

    HANS BEUMER

    ALSO AVAILABLE FROM HANS BEUMER

    Driving Audit Value (Vol. III): Audit Engagement Strategy

    Driving Audit Value (Vol. II): Audit Risk Management

    Driving Audit Value (Vol. I): Audit Function Strategy

    Success for Everyone

    Happiness for Everyone

    Kumano Kodo

    Thailand

    20’000 km by Train

    Visit www.hansbeumer.com

    COPYRIGHT

    HB Publications

    Zug, Switzerland

    www.hansbeumer.com

    Text Copyright © Hans Beumer 2017

    Figures and Tables Copyright © Hans Beumer 2017

    - Parts I, II and III have been published as a separate book in January 2017 with the title Audit Function Strategy (Driving Audit Value, Vol. I), ISBN 978-3-906861-13-5 and ISBN 978-3-906861-14-2, Copyright © Hans Beumer 2017.

    - Parts IV, V and VI have been published as a separate book in July 2017 with the title Audit Engagement Strategy (Driving Audit Value, Vol. III), ISBN 978-3-906861-18-0 and ISBN 978-3-906861-19-7, Copyright © Hans Beumer 2017.

    - Parts VII, VIII, IX and X have been published as a separate book in March 2017 with the title Audit Risk Management (Driving Audit Value, Vol. II), ISBN 978-3-906861-15-9 and ISBN 978-3-906861-17-3, Copyright © Hans Beumer 2017.

    Cover Stock Media Copyright © Shutterstock 2017

    International Professional Practices Framework and International Standards for the Professional Practice of Internal Auditing, available at: https://global.theiia.org/standards-guidance. Lake Mary, FL: Copyright © 2017 by The Institute of Internal Auditors, Inc. All rights reserved.

    All rights reserved. No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording, nor may it be stored in a retrieval system, transmitted, or otherwise be copied for public or private use without the express written permission of the publisher, except for the use of brief quotations in a book review.

    First edition published in July 2017

    This book is available as:

    - Hardcover: ISBN 978-3-906861-20-3

    - EBook: ISBN 978-3-906861-21-0

    Printed and distributed by Lulu Press, Inc.

    This book is not intended to provide personalised business advice. It offers the viewpoints and extensive experience of the Author, but the views expressed should not be taken as instructions or commands. The reader is responsible for his or her decisions and actions for the business of internal audit and related topics. The Author and Publisher expressly disclaim any liability, loss, damage, or risk, business, personal or otherwise, that is incurred as a consequence, directly or indirectly, of the use and application of any of the contents of this book.

    CONTENTS

    FOREWORD

    BOOK STRUCTURE

    PART I - AUDIT FUNCTION STRATEGIC MODEL

    Where were the Auditors?

    Where were the internal auditors?

    Risks, mitigations, monitoring

    No risk, no reward

    Focus, focus, focus

    Audit Added Value

    Audit Function Strategic Models

    Audit Added Value Tree©

    Increasing Audit Value Tree©

    Decreasing Audit Cost Tree©

    Annual Audit Planning Model©

    PART II - AUDIT FUNCTION VALUE DRIVERS

    Audit Function Value Driver 1: Audit Value

    IPPF’s audit value requirements

    Understanding customer expectations

    Measuring actual audit value

    Customer value proposition

    Managing customer expectations

    Customer expectations as value driver

    Audit Function Value Driver 2: Audit Cost

    IPPF’s audit cost requirements

    Cost efficiency: reducing the cost of the internal audit function

    Planning efficiency: reducing the cost per audit person-day

    Audit efficiency: reducing the cost per audit engagement

    Right-sizing the internal audit function

    Audit cost as value driver

    PART III - AUDIT FUNCTION VALUE ENABLERS

    Audit Function Value Enabler 1: Internal Audit Charter

    IPPF’s requirements for the internal audit charter

    Organisation

    Authority

    Independence

    Objectivity

    Responsibility

    Compliance

    CAE roles beyond the boundaries of the internal audit charter

    Internal audit charter as value enabler

    Audit Function Value Enabler 2: Understanding the Business and Company

    IPPF’s requirements for understanding the business and company

    Industry

    Business model

    Business process maturity

    Product life cycle

    Regulatory environment

    Financial statements

    Goals, strategies and objectives

    Structure and organisation

    Business operations

    Management tools, technologies and reporting systems

    History of significant issues

    Management style, turnover, incentive schemes, pressure, culture and ethics

    Understanding the business and company as value enabler

    Audit Function Value Enabler 3: Annual Audit Plan

    IPPF’s annual audit planning requirements

    Time coverage

    COSO-ERM framework

    Coordination

    Audit resources

    Understanding the business and company

    Business objectives

    Audit universe

    Risk assessments

    Progress reporting and follow-up audit work

    Putting the plan together

    Plan review and approval

    Why it matters to perform strategy-related audit work

    Annual audit plan as value enabler

    Audit Function Value Enabler 4: Coordination

    IPPF’s coordination requirements

    Audit committee/board

    Management

    Audit team

    External audit

    Risk Management

    Other corporate functions

    Audit assurance strategy of the audit committee

    Coordination as value enabler

    Audit Function Value Enabler 5: Reporting

    IPPF’s reporting requirements

    Generic value enablers

    Audit committee reporting

    Annual audit plan report

    Audit engagement report

    Knowledge sharing report

    Performance reporting

    Progress reporting

    Annual report of the internal audit function

    Reporting as value enabler

    Audit Function Value Enabler 6: Performance Management

    IPPF’s performance management requirements

    Performance management cycle

    Performance targets

    People

    Price

    Product

    Process

    Audit function balanced scorecard

    Performance management as value enabler

    PART IV - AUDIT ENGAGEMENT STRATEGIC MODEL

    Soll and Ist

    Process and Project

    Audit Engagement Strategic Models

    Beumer Audit Engagement Strategic Model©

    Audit Engagement Value Drivers Model©

    Audit Engagement Value Enablers Model©

    PART V - AUDIT ENGAGEMENT VALUE DRIVERS

    Audit Engagement Value Driver 1: Identifying Significant Risks

    IPPF’s requirements for identifying significant risks

    Standardisation

    Process for identifying significant risks

    Step 1: What are the key enablers for identifying significant risks?

    Step 2: What is significant?

    Step 3: Is it a process or substance issue?

    Step 4: How to scope for identifying significant risks?

    Step 5: How to develop the work programme for identifying significant risks?

    Step 6: How to report the identified significant risks?

    Identifying significant risks as value driver

    Audit Engagement Value Driver 2: Agreeing on Risk Mitigations

    IPPF’s requirements for agreeing on risk mitigations

    Standardisation

    Process for agreeing on risk mitigations

    Step 1: What are the key enablers for agreeing on the risk mitigations?

    Step 2: What are the appropriate risk mitigation measures?

    Step 3: To what level must the risks be reduced?

    Step 4: Who should be responsible for the risk mitigations?

    Step 5: How to determine the appropriate due dates of the risk mitigations?

    Step 6: How to resolve disagreements?

    Agreeing on risk mitigations as value driver

    Audit Engagement Value Driver 3: Monitoring Progress of Agreed Risk Mitigations

    IPPF’s requirements for monitoring progress of agreed risk mitigations

    Standardisation

    Process for monitoring progress of agreed risk mitigations

    Step 1: What are the key enablers for monitoring progress?

    Step 2: What assurance needs to be provided?

    Step 3: What is the appropriate type of progress monitoring?

    Step 4: How to do the progress monitoring?

    Step 5: How to handle cancelled, delayed, changed or incomplete mitigations?

    Step 6: How to report the results of progress monitoring?

    Monitoring progress of agreed risk mitigations as value driver

    PART VI - AUDIT ENGAGEMENT VALUE ENABLERS

    Audit Engagement Value Enabler 1: Resource Planning

    IPPF’s requirements for resource allocation

    Standardisation

    Process for engagement resource planning

    Step 1: What is the management activity to be audited?

    Step 2: What type of audit work must be performed?

    Step 3: What are the available audit resources?

    Step 4: How to handle resource shortfalls?

    Step 5: What are the audit resources at the time of the audit engagement?

    Step 6: How to do the annual time-scheduling of the engagements?

    Step 7: How to do the time-scheduling within the engagements?

    Example

    Resource planning as value enabler

    Audit Engagement Value Enabler 2: Engagement Planning

    IPPF’s requirements for engagement planning

    Standardisation

    Process for engagement planning coordination and logistics

    Step 1: What needs to be coordinated with management?

    Step 2: What needs to be organised logistically?

    Example

    Engagement planning coordination and logistics as value enabler

    Audit Engagement Value Enabler 3: Audit Objective

    IPPF’s requirements for engagement objective

    Standardisation

    Process for determining audit objective

    Step 1: Why to audit?

    Step 2: What is the required level of assurance?

    Step 3: What is the subject matter of assurance?

    Step 4: What are the objectives of assurance?

    Example

    Engagement objective as value enabler

    Audit Engagement Value Enabler 4: Understanding the Subject Matter

    IPPF’s requirements for understanding the subject matter

    Standardisation

    Process for understanding the subject matter

    Step 1: What are the process characteristics?

    Step 2: What are the sources of information?

    Step 3: Why understand two levels?

    Example

    Understanding the subject matter as value enabler

    Audit Engagement Value Enabler 5: Subject Matter Risk Assessment

    IPPF’s requirements for risk assessment

    Standardisation

    Process for subject matter risk assessment

    Step 1: What are the subject matter’s inherent risks?

    Step 2: What are the subject matter’s control risks?

    Subject Matter Risk Indicators Model

    Step 3: What are the risks in the 2nd lines of defence relating to the subject matter?

    Step 4: How to use the results from the risk assessment?

    Example

    Risk assessment as value enabler

    Audit Engagement Value Enabler 6: Audit Scoping

    IPPF’s requirements for engagement scoping

    Standardisation

    Process for engagement scoping

    Step 1: What to audit?

    Step 2: Where to audit?

    Step 3: Who to audit?

    Step 4: What period to audit?

    Example

    Engagement scoping as value enabler

    Audit Engagement Value Enabler 7: Work Programme

    IPPF’s requirements for engagement work programme

    Standardisation

    Process for developing work programme

    Step 1: What are the objectives that need to be tested?

    Step 2: What types of audit tests are available?

    Step 3: What audit tests are allocated to the objectives?

    Step 4: What items from the population need to be tested?

    Step 5: What time is allocated to each audit test?

    Example

    Engagement work programme as value enabler

    Audit Engagement Value Enabler 8: Audit Execution

    IPPF’s requirements for engagement execution

    Standardisation

    Process for engagement execution

    Step 1: What are the execution objectives?

    Step 2: How to achieve the execution objectives?

    Step 3: What audit evidence is needed?

    Step 4: What are the working paper requirements?

    Engagement execution as value enabler

    Audit Engagement Value Enabler 9: Audit Report

    IPPF’s requirements for engagement reporting

    Standardisation

    Process for the final audit engagement reporting

    Step 1: What is the structure of the report body?

    Step 2: What audit results are included in the report body?

    Step 3: What is the structure of the executive summary?

    Step 4: What audit results are included in the executive summary?

    Step 5: How to word the audit opinion?

    Step 6: How to resolve disagreements?

    Step 7: Who needs to receive the report?

    Example

    Audit report as value enabler

    Audit Engagement Value Enabler 10: Performance Management

    IPPF’s requirements for performance management

    Standardisation

    Process for performance management

    Step 1: What are the engagement performance targets?

    Step 2: How to achieve the performance targets?

    Step 3: What are the engagement detection risks?

    Audit Engagement Detection Risk Indicators Model

    Step 4: How to mitigate the engagement detection risks?

    Audit Engagement Detection Risk Mitigations Model

    Example

    Performance management as value enabler

    PART VII - AUDIT RISK MANAGEMENT STRATEGIC MODEL

    Audit Risk Management Strategic Models

    Beumer Audit Risk Management Model©

    Audit Assurance Risk Management Model©

    Audit Process Risk Management Model©

    Risk Appetite

    CAE’s risk appetite

    Board’s risk appetite

    3rd Line of Defence

    Audit function inherent risk

    Audit function control risk

    Audit Function Risk Indicators Model

    Audit risk mitigation

    PART VIII - AUDIT OBJECTIVES

    Audit Function Objectives

    Audit Objectives Catalogue©

    Audit Objectives Tree©

    PART IX - AUDIT RISKS

    Audit Risks

    IPPF’s audit risk definitions

    Audit added value risk definition

    Audit risk categories

    Audit Risks Catalogue©

    Audit Risks Portfolio©

    Audit Assurance Risks

    Audit Assurance Risk Tree©

    Audit Process Risks

    Audit Process Risk Tree©

    Audit Risk 1: Value Risks

    Risk of low support

    Risk of low approved resources

    Risk of low use of the audit products

    Audit Risk 2: Focus Risks

    Audit Risk 3: Execution Risks

    Risk of poor execution

    Risk of overlooking significant issues

    Risk of agreeing no or wrong audit issue risk mitigation measures

    Risk of wrong audit engagement conclusions

    Risk of over-valuing small issues

    Risk of overlooking scope limitations

    Audit Risk 4: Performance Risks

    Risk of high audit costs

    Risk of low effectiveness

    Risk of low efficiency

    Audit Risk 5: Reporting Risks

    Risk of low reporting quality

    Risk of insufficient reporting tailoring

    Risk of insufficient reporting

    Audit Risk 6: Compliance Risks

    Risk of non-compliance with audit charter and policies

    Risk of non-compliance with IIA requirements

    Risk of non-compliance with company policies

    PART X - AUDIT RISK MITIGATIONS

    Audit Risk Mitigations

    Audit risk mitigation categories

    Audit Risk Mitigation Catalogue©

    Audit Assurance Risk Mitigations

    Audit Assurance Risk Mitigations Tree©

    Audit Process Risk Mitigations

    Audit Process Risk Mitigations Tree©

    Audit Risk Mitigation 1: Value Risk Mitigations

    Risk mitigation of low support

    Risk mitigation of low approved resources

    Risk mitigation of low use of the audit products

    Audit Risk Mitigation 2: Focus Risk Mitigations

    Risk mitigation of focus of annual audit plan

    Risk mitigation of focus of audit engagements

    Audit Risk Mitigation 3: Execution Risk Mitigations

    Risk mitigation of poor execution

    Risk mitigation of overlooking significant issues

    Risk mitigation of agreeing no or wrong audit issue risk mitigation measures

    Risk mitigation of wrong audit engagement conclusions

    Risk mitigation of over-valuing small issues

    Risk mitigation of overlooking scope limitations

    Audit Risk Mitigation 4: Performance Risk Mitigations

    Risk mitigation of high audit costs

    Risk mitigation of low effectiveness

    Risk mitigation of low efficiency

    Audit Risk Mitigation 5: Reporting Risk Mitigations

    Risk mitigation of low reporting quality

    Risk mitigation of insufficient reporting tailoring

    Risk mitigation of insufficient reporting

    Audit Risk Mitigation 6: Compliance Risk Mitigations

    Risk mitigation of non-compliance with audit charter and policies

    Risk mitigation of non-compliance with IIA requirements

    Risk mitigation of non-compliance with company policies

    VOL. I OF DRIVING AUDIT VALUE: AUDIT FUNCTION STRATEGY

    VOL. II OF DRIVING AUDIT VALUE: AUDIT RISK MANAGEMENT

    VOL. III OF DRIVING AUDIT VALUE: AUDIT ENGAGEMENT STRATEGY

    ABOUT THE AUTHOR

    FOREWORD

    The Internal Audit Handbook differs from all the other books about internal audit, in the way it combines the theoretical knowledge with the practical experiences of a seasoned CAE:

    This is the first and only handbook that develops a focused strategy for achieving the highest level of audit added value of the internal audit function. The handbook reflects on the internal audit activities from an entirely new perspective by defining the added value and how this added value can be attained through value drivers and value enablers.

    The internal audit strategic models provide transparency for the main success principles for the key internal audit activities, presenting a unique new frame of reference for understanding, deploying and realising the internal audit strategies.

    No other professional internal audit literature covers the topic of internal audit risk management as this handbook. Just like your company’s management needs to manage their risks, the internal audit function needs to manage its risks in achieving the internal audit strategies and objectives. The Beumer Audit Risk Management Model© provides a ground-breaking new approach to understand, identify, measure and mitigate the internal audit risks at both the audit function level and the audit engagement level.

    On 740 pages, this handbook follows the business approach to internal auditing based on the practical experiences, examples, tips and foremost solutions, from an experienced CAE. The content of this book draws upon 28 years of business experience, of which 16 years as leader of internal audit functions of globally operating corporations.

    The Internal Audit Handbook is the best practice guide for implementing a value-added internal audit strategy. Follow the strategic principles and become successful in achieving the highest objectives of the internal audit department. Apply the fundamental success principles described in this handbook and your audit function will generate the desired added value.

    Figure 1 – Beumer Internal Audit Strategy Model©

    This is the fourth book of the series on internal audit best practices called Driving Audit Value. The first three books in the series are:

    1.      Audit Function Strategy: Driving Audit Value Volume I. Volume I was published in January 2017. See the book preview and the global endorsements on pages 731 to 734.

    2.      Audit Risk Management: Driving Audit Value Volume II. Volume II was published in March 2017. See the book preview on pages 735 and 736.

    3.      Audit Engagement Strategy: Driving Audit Value Volume III. Volume III was published in July 2017. See the book preview on pages 737 and 738.

    The Internal Audit Handbook combines the Volumes I, II and III of Driving Audit Value in a comprehensive internal audit handbook. This Driving Audit Value Bundle integrates the best practice strategies of the internal audit function, internal audit engagement and the internal audit risk management into one definitive and extensive reference manual.

    Read to advance your life,

    drs. Hans Beumer

    July 2017

    BOOK STRUCTURE

    There is a certain way to organise, plan, direct and execute the internal audit activities that lets the audit function achieve its added value. The best practice methodologies and strategies for attaining the highest level of added value are presented in three distinct sections:

    Internal Audit Function Strategy

    Internal Audit Engagement Strategy

    Internal Audit Risk Management

    Managing internal audit function strategy

    Figure 2 - Book structure of PART I, II, III

    PART I: Audit Function Strategic Model

    Part I determines the reasons for needing an internal audit function strategy and shows how the chapters and elements of the audit value drivers and the audit value enablers fit together. These are summarised in the Audit Added Value Tree©, Increasing Audit Value Tree©, Decreasing Audit Cost Tree© and Annual Audit Planning Model©. These models connect all 48 individual elements of the value enablers and the two value drivers, and show the relationships between the individual building blocks in the audit function strategy models.

    PART II: Audit Function Value Drivers

    Part II proves that Audit Value and Audit Cost are the primary audit added value drivers of the audit function. In two chapters, efficient, effective and practical guidance is provided to maximise the added value of each subject.

    PART III: Audit Function Value Enablers

    Part III presents the six most significant value enablers for the audit function: Audit Charter, Understanding the Business and Company, the annual audit plan, coordination, reporting, and performance management. In six chapters, practical guidance is provided to maximise the value of each subject.

    Managing internal audit engagement strategy

    Figure 3 - Book structure of PART IV, V, VI

    PART IV: Audit Engagement Strategic Model

    Part IV presents the Beumer Audit Engagement Strategic Model©. This model shows the comprehensive audit engagement framework for maximising the added value of the audit engagements. The model connects 3 value drivers to 10 value enablers. The Audit Engagement Value Drivers Model© shows how the 3 key value drivers can be achieved in 18 defined and focused steps. The Audit Engagement Value Enablers Model© shows how the 10 key value enablers can be achieved in 39 steps.

    PART V: Audit Engagement Value Drivers

    Part V shows why identifying the significant risks, agreeing on the risk mitigation, and monitoring the progress of this risk mitigation are the three primary value drivers of the audit function. Everything the audit function does must ultimately result in providing assurance that management knows the significant risks to their business, and is appropriately reducing the impact of these risks to a level that is within the risk appetite of the board. The chapter Identifying Significant Risks explains how this can be achieved in 6 defined steps. A further 6 clear steps result in Agreeing on Risk Mitigations, and Monitoring Progress of Agreed Risk Mitigations is achieved in 6 steps.

    PART VI: Audit Engagement Value Enablers

    Part VI presents the 10 most significant value enablers for the internal audit engagements: resource planning (2 steps); engagement planning (2 steps); engagement objectives (4 steps); understanding the subject matter (3 steps); risk assessment of the subject matter (4 steps); engagement scoping (4 steps); engagement work programme (5 steps); engagement execution (fieldwork) (4 steps); engagement report (7 steps); engagement performance management (4 steps). In 10 chapters, these topics are analysed and efficient, effective and practical guidance is provided to maximise the value enabling capacity of each subject, by following the defined steps.

    Managing internal audit risks

    Figure 4 - Book structure of PART VII, VIII, IX, X

    PART VII: Audit Risk Management

    Part VII presents the Beumer Audit Risk Management Model©. This model provides the comprehensive audit risk management framework for driving the audit risk identification, measurement and mitigation. The model connects 60 audit risks, in 6 audit risk categories, to 30 audit objectives. Depending on the risk appetite and the audit risk prevention, the CAE can choose from 66 audit risk mitigation measures for reducing the audit risks to an acceptable level. The Audit Assurance Risk Management Model© and the Audit Process Risk Management Model© show the relationships between the objectives, the risks and the risk mitigation, as the individual building blocks of the strategy model. The Audit Function Risk Indicators Model© enables the CAE to quickly grasp the risk profile of the audit function.

    PART VIII: Audit Objectives

    Part VIII describes the 6 main audit objective categories for value, focus, execution, performance, reporting, and compliance. The Audit Objectives Catalogue© captures the 30 audit objectives in the structure of the 6 audit objective categories, split into the audit assurance objectives and the audit process objectives.

    PART IX: Audit Risks

    Part IX defines the audit risk and explains the nature and details of the 60 individual audit risks, captured in the 6 main audit risk categories: value risk, focus risk, execution risk, performance risk, reporting risk, and compliance risk. The Audit Assurance Risk Tree© shows the 33 audit assurance related risks, whereas the Audit Process Risk Tree© presents the 27 audit process related risks. For each of the 6 audit risk categories, a risk matrix matches the audit risks from the Audit Risks Catalogue© to the audit objectives from the Audit Objectives Catalogue©. Additionally, a risk map matches the audit risks from the Audit Risks Catalogue© to the audit function’s customer value proposition.

    PART X: Audit Risk Mitigation

    Part X presents the Audit Risk Mitigation Catalogue©, listing the 66 risk mitigation measures, divided into the Audit Assurance Risk Mitigation Tree© (36 measures), and the Audit Process Risk Mitigation Tree© (30 measures). Part X elaborately describes the 66 individual risk mitigation measures and matches the risk mitigations to the risk categories in a risk mitigation matrix.

    PART I - AUDIT FUNCTION STRATEGIC MODEL

    Figure 5 – PART I: Audit function strategic model

    Where were the Auditors?

    Major corporate scandals 2010-2016

    VOLKSWAGEN EMISSIONS SCANDAL

    September 2015 – The US Environmental Protection Agency caught VW cheating on diesel emissions tests to falsely pass the maximum allowed levels. Diesel models had software installed to fraudulently show that the cars were more environmentally friendly than they actually were. More than 11 million cars had to be refitted, regulatory fines amounted to more than $15 billion, and civil and criminal suits cost further billions. High-profile managers and the CEO were dismissed.

    FIFA CORRUPTION SCANDAL

    May 2015 – The FBI indicted the FIFA organisation and officials with racketeering, fraud, corruption, and with paying millions of dollars in bribes to influence FIFA elections, locations for hosting the World Cup, sponsorship contracts, broadcasting rights, and more.

    BP OIL SPILL SCANDAL

    April 2010 – The Deepwater Horizon rig explosion caused the largest environmental disaster of the 21st Century. Oil and gas producer BP had the worst health, safety and environment practices, which caused damages and costs far exceeding $25 billion, and destroyed shareholder value by more than $100 billion.

    YAHOO HACKING SCANDAL OF 1 BILLION USER ACCOUNTS

    December 2016 – Yahoo disclosed that a data breach exposed the private information of more than 1 billion user accounts. It related to a theft of names, email addresses, telephone numbers, birthdates, and unrecognisable passwords, as well as encrypted and non-encrypted security questions and answers.

    WELLS FARGO SCANDAL OF FAKE ACCOUNTS

    September 2016 – Over the period 2011-2016, Retail Banking employees created 1.5 million phoney deposit accounts and issued 0.5 million fake credit cards, without the knowledge or permission of the related customers. Employees resorted to fraud in order to meet challenging growth quotas. The bank paid $185 million in fines and fired 5’300 employees.

    OLYMPUS ACCOUNTING AND BRIBERY SCANDAL

    October 2011 – Olympus hid $1.7 billion in losses over a period of 13 years and admitted to paying kickbacks and foreign bribery. The company paid more than $0.5 billion to settle criminal and civil investigations.

    PETROBRAS CORRUPTION SCANDAL

    March 2014 – Executives and key management of Brazil’s state-owned Oil & Gas Company were accused of bribery of officials as well as siphoning off money for their own use. In criminal investigations, more than 80 managers and politicians were charged with money laundering and bribery of more than $8 billion.

    LIBOR RIGGING SCANDAL

    June 2012 – Criminal investigations into the manipulation of interest rates spread to 10 countries and involved more than 20 major banks. Total fines reached more than $10 billion.

    Where were the internal auditors?

    These eight examples represent some of the major scandals, bribery, corruption, fraud, and non-compliance cases in the period 2010-2016. In each of these cases, you can rightfully ask "Where were the internal auditors?" The answers to this question can be manifold:

    during the planning of the audit engagement, the auditors insufficiently coordinated with the board and executive management about their business, risk and control concerns: BP, Petrobras, Yahoo.

    The audit function did not have the topics in their audit universe, as other assurance providers covered these topics:

    External Audit: Olympus

    Compliance and EHS departments: BP, VW

    IT security: Yahoo

    The audit function did have the topics in their audit universe, but:

    did not assess the risks correctly: VW, BP, Petrobras, Wells Fargo, Yahoo

    did not have an appropriate focus: Petrobras, FIFA, BP, Yahoo

    did not have the right auditor skills: could be all of them

    had scope limitations or insufficient support: FIFA, Petrobras

    The audit function did audit the related topics, but:

    the work programme was not focusing on the right key controls or risks: Libor, Olympus, Wells Fargo, Yahoo

    insufficiently skilled auditors were allocated to the audit: Libor, Wells Fargo, Yahoo

    the auditors did not have access to the staff, systems or information they needed to achieve the audit objective: FIFA, Petrobras, Olympus

    the auditors did not understand the transactions: Libor, Wells Fargo

    the auditors relied too much on single audit tests, such as interviews and other tests with very weak evidence: Libor, Wells Fargo, BP, FIFA

    did not identify the issues: Libor, Wells Fargo, Yahoo

    did not have management agree on effective risk mitigation: BP, Yahoo

    did not follow up to ascertain that their recommended risk mitigation actions were indeed implemented by management: Yahoo, BP, Libor

    management hid the problems: Olympus, Petrobras

    The audit function did raise the relevant issues, but:

    management did not support the audit function: FIFA

    management did not implement risk mitigation: BP, Yahoo

    We will never know the real reasons for these companies’ audit functions’ inability to successfully identify these issues and have management mitigate those risks. For the internal audit functions of these companies, it is already too late. Their effectiveness will probably have been seriously questioned, and this might have resulted in the dismissal of the CAE, downsizing or upsizing of the audit function, combined with a refocus of the audit function’s and audit engagement’s strategies and objectives. However, for your company’s audit function a similar scandal can be avoided by applying the key success principles contained in this Internal Audit Handbook.

    Risks, mitigations, monitoring

    When you analyse the issues of these eight cases, a clear trend can be identified. In all these scandals, three engagement-related topics stand out:

    1.      The audit engagements did not have the appropriate focus and as a result were not able to identify the significant risks.

    2.      If the audit engagements did identify the significant risks, they were ineffective in agreeing with management on the appropriate risk mitigating measures and their urgency of implementation.

    3.      An ineffective monitoring of the progress of the risk mitigations resulted in the materialisation of the risks before they could have been prevented or reduced.

    The boards of these organisations must have expected their internal audit functions to do their jobs: identify the significant risks, agree with management on the appropriate risk mitigations, and monitor management’s implementation of the risk reductions.

    These three expectations are the key value drivers for any audit engagement and represent the core of the audit strategic models.

    No risk, no reward

    The primary objective of the audit function must be to add value. This means that the CAE must be value driven, as she aims to mitigate the business risks that may keep the company from reaching its objectives. Some CAEs’ first objective, however, is to limit the risks of the audit function. They are driven by their personal risk-aversion, by creating a comfort zone, and by not doing anything that may antagonise management or put them in the spotlight (low risk-appetite). However, the CAE needs to be willing to take some risks to achieve bigger audit results. Had the internal audit functions in the above examples taken some bigger risks in addressing the scandalous topics, perhaps they could have prevented these from occurring, or these could have been mitigated in good time before being exposed. The CAE needs to understand her audit risks and manage them, to achieve big audit results.

    The CAE can provide significant added value to the company, while at the same time reducing her audit risks. She can create a win-win (for the company and herself), but she needs to follow the guidance in this handbook to realise this. Her appetite for the added value of the internal audit function must lead the way, as the audit risks are a result of the selection of the audit engagements that add to that value. It should not be done the other way around, by letting her appetite for the audit risks determine which added value audits are going to be undertaken. The CAE must find the appropriate trade-off between the level of the audit risk and the potential for generating audit value.

    Focus, focus, focus

    To be able to add value to the organisation, the CAE must ensure that she does not have:

    a lack of support from the process owners, local management, executive management and the board, as a result of which the board limits the approved resources and the audit products are not utilised.

    a mismatch between the risk profile and the main business strategies and objectives of the company or subject matter, and the focus of the annual audit plan or the audit engagement.

    a negative input – output ratio, if the costs of the audit function and the audit engagements are considered to be too high compared to the value generated.

    To be able to add value to the organisation, the CAE must ensure that she does not issue:

    an unqualified, satisfactory, audit opinion/report, without reporting any significant issues, whereas significant issues do exist in the audited subject matter.

    a qualified, unsatisfactory, audit opinion/report, pointing out significant issues, whereas the issues are either not significant, or do not exist in the audited subject matter.

    a full scope audit opinion/report on the audited subject matter, whereas she should not issue such an opinion/report based on significant limitations in the audit scope or the audit execution.

    Understanding, identifying, measuring, and proactively managing the audit strategy, objectives and risks are necessary for ensuring the audit function’s and the CAE’s success in the company. The Internal Audit Handbook creates an innovative framework for managing the internal audit function and preventing your company’s name from being included in the listing of “Where were the auditors?”.

    Audit Added Value

    The internal audit function should be run as a business. In a simplified formula, business value creation has two components: the input it needs to create value, and the output generated by the input, being the value:

    Figure 6 – Business value creation

    Value Destruction = Input > Output

    Value Creation = Output > Input

    When substituting input with cost, and output with value, and where the difference between the two is the reduced or added value, then the simple formula looks as follows:

    Figure 7 - Audit value creation

    Audit Value Destruction = Audit Cost > Audit Value

    Audit Value Creation = Audit Value > Audit Cost

    This formula shows that the added value component has two levers: audit cost and audit value. Decreasing the audit cost will lead to a larger added value, just as increasing the audit value will.

    Figure 8 - Audit Added Value Drivers

    The added value of the internal audit function can be maximised by minimising the cost of audit (as input factor), while at the same time maximising the quality and quantity of the value (as output factor).

    Audit Function Strategic Models

    Audit Added Value Tree©

    The Audit Added Value Tree© shows the link between the 2 audit value drivers described in PART II and the 6 audit value enablers analysed in PART III.

    Figure 9 – Audit Added Value Tree©

    Increasing Audit Value Tree©

    The Increasing Audit Value Tree© shows that the 47 individual elements of the 6 value enablers drive the increase of the audit value. Five of these elements relating to the customer value proposition are explored in PART II; the other 42 elements are described and analysed in the six chapters of Part III.

    Figure 10 – Increasing Audit Value Tree©

    Decreasing Audit Cost Tree©

    The Decreasing Audit Cost Tree© shows how the 17 individual elements of the value enablers drive the reduction of the audit cost. These are described in PART II.

    Figure 11 – Decreasing Audit Cost Tree©

    Annual Audit Planning Model©

    The complete Annual Audit Planning Model© shows how the 48 individual elements of the 6 value enablers contribute to the value-added focus at the internal audit function level. Each of these elements is elaborately analysed and discussed in the six chapters of Part III in this book.

    Figure 12 – Annual Audit Planning Model©

    PART II - AUDIT FUNCTION VALUE DRIVERS

    Figure 13 – PART II: Audit function value drivers

    Audit Function Value Driver 1: Audit Value

    Figure 14 - Six elements of audit function value driver 1: audit value

    This chapter shows that audit value is the most important added value driver of the internal audit function.

    The audit function does not perform its duties for itself, but for its customers. Therefore, only the customers of the internal audit function can define the value of the internal audit activities. This means that the target audit value is based on their expectations, and the actual, realised, audit value is the extent to which those targets (expectations) have been met.

    The chapter starts with analysing the IPPF’s (International Standards for the Professional Practice of Internal Auditing) requirements for adding value. This is followed by an elaborate analysis of the customers’ expectations, ways to measure the audit value, the formulation of a customer value proposition, the topic of managing the target audit value, and a summary of audit value being a direct value driver.

    IPPF’s audit value requirements

    The IPPF makes strong statements about the added value of the internal audit function. Performance standard 2000 – Managing the Internal Audit Activity clearly states that the CAE must make sure that the audit function adds value to the company. Adding value can be achieved by:

    taking into account the company’s strategies, objectives, and risks. According to the standard 2010 – Planning, this can be accomplished by developing risk-based annual audit plans (but also risk-based engagement plans) for which the CAE needs to obtain an understanding of the company’s strategies, key business objectives, associated risks, and risk management processes. The Implementation Guides and Supplemental Guidance relating to the standards 2100 – Nature of Work, 2110 – Governance, 2120 - Risk Management and 2130 – Control frequently refer to these topics.

    enabling the improvement of the efficiency and effectiveness of governance, risk management, and control processes. Performance standard 2100 – Nature of Work continues to describe that this must be based on a systematic, disciplined, and risk-based approach and that the internal audit function must be proactive and the results of their work should offer management and the board new insights and consider future impact. Standards 2110 – Governance, 2120 – Risk Management and 2130 – Control further detail each of the three topics.

    providing assurance for the relevant topics, with objectivity. The standards also allow the internal audit function to add value through consulting engagements. The Implementation Guides and Supplemental Guidance elaborate on independent, objective and relevant assurance. The IPPF defines the assurance services as an internal auditor’s objective assessment of evidence to provide opinions or conclusions.

    The above points are reflected in the definition of internal auditing as promulgated by The IIA (Institute of Internal Auditors), and reflect their description of the value proposition of the internal audit function:

    Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

    Understanding customer expectations

    Customers’ expectations need to be derived from understanding who the customers are and then obtaining information from these customers about their expectations of the internal audit function. Internal audit’s customers are usually:

    the board of directors, its audit committee,

    corporate executive management,

    divisional/business unit management,

    local management and process owners,

    other corporate functions,

    outside customers.

    The primary expectations of each of these key customer groups are described in the following sections.

    Expectations of the audit committee/board

    Expectations of the audit committees and boards may vary from company to company. Some will have high expectations of the internal audit function, while others will have more modest expectations. A complete set of high expectations can be as follows:

    The internal audit function must have all the required competencies (quality) and resources (quantity) for fulfilling its strategy and role.

    The internal audit function must be efficient and effective in executing its audit work.

    The internal audit function must apply best practice processes and procedures and have the professional attitude of objectivity, independence and respect when conducting the audit work. The internal audit function must be innovative and continuously improve its services, products and processes.

    All plans and work results must be coordinated and agreed with management before they are brought to the attention of the board.

    The internal audit function should provide risk-based assurance that the company has efficient and effective processes and procedures in place for: achieving its objectives; identifying and managing its risks; controlling its operations; governing compliance with the internal policies and directives, and external laws and regulations. The board expects the internal audit function to identify and cover the emerging risks and appropriately handle the changing business risks and priorities.

    The board expects the internal audit function to closely coordinate and cooperate with the other assurance providers, such as external audit, but also with the legal, compliance and risk management functions.

    The internal audit function should support the board by monitoring that management is timely and completely implementing the strategic initiatives.

    The internal audit function should ensure that all identified issues are supported by timely, adequate and effective risk mitigation. They expect the internal audit function to follow up and provide assurance that the risks have indeed been mitigated as expected.

    The board expects the CAE to have a good understanding of the business and operations, to be communicative, to be critical and analytical in his thinking, and have good relationships with management. The CAE must be a leader and speak the language of the board, management and business.

    The internal audit function is their ear on the ground. Because the board is not involved in the affairs of the daily operations in headquarters and the businesses, the CAE is expected to be a good information source during the formal and informal communications.

    In summary, the internal audit function can add value to the board by:

    ensuring competent resources at a sufficient level;

    having efficient and effective internal audit function processes;

    maintaining a best practice internal audit function, compliant with the IPPF of The IIA, and ensuring a high acceptance and good reputation with executive management and the businesses;

    coordinating all the plans and work results with management before bringing them to the attention of the board;

    providing assurance on the effectiveness and efficiency of the businesses’ risk management, internal controls, governance and compliance to achieve the business objectives;

    closely coordinating the audit work with the other assurance providers;

    supporting the board in their supervision over the implementation of the strategic initiatives;

    ensuring that all the audit issues are supported by risk mitigation, and providing assurance that these risks have indeed been mitigated as expected;

    speaking the language of management and the board;

    being a source of information for the board in better understanding the company’s management, culture, atmosphere, challenges, operations and businesses.

    Expectations of executive management

    The expectations of corporate executive management (such as the CEO and CFO) will also vary from company to company. They will have two main expectations of the internal audit function: no surprises, and audit assurance over risk management and internal control processes, to help them achieve the company’s objectives (whether at low-level or high-level). A complete set of high expectations can be as follows:

    Executive management does not like surprises. It implies that whenever the internal audit function raises significant audit issues in their draft reports (which are likely going to attract the attention of the board), they will want to be informed before the audit report is formally issued. This enables them to: assess whether the auditor’s opinions and ratings indeed reflect the proper perspective (on impact and significance of the issues); call lower management into responsibility; and prepare for questioning by the board.

    They also expect that the internal audit function has its focus on those topics which provide them with the biggest levers to make improvements to the control systems and the businesses. This means that the annual audit plan should focus on those topics where executive management has the biggest worries. Risks that matter, together with emerging risks, must be in focus.

    The internal audit function must provide assurance that the businesses have efficient and effective processes and procedures in place for achieving its objectives, identifying and managing its risks, controlling its operations, and governing compliance with the internal policies and directives, and external laws and regulations.

    All identified issues should be supported by timely, adequate and effective risk mitigation. They expect the internal audit function not only to identify the topics for improvement but also to ensure that responsible management has agreed to the necessary risk mitigation measures. Executive management expects the internal audit function to follow up and provide assurance that the risks have indeed been mitigated as expected.

    They expect the internal audit function to stay within their financial and FTE budget and comply with all the corporate policies, procedures and practices (e.g., for travel and hiring of staff).

    They expect the internal audit function to be efficient and effective and make use of technology to increase the cost-efficiency and audit effectiveness.

    Executive management may also expect the internal audit function to be a talent pool and training ground for the future managers and executives. They may expect a two-year rotational cycle for business managers to gain experience through best practice auditing, or the internal audit function could offer management-trainees a 6-month programme. This could work both ways: the auditors rotating into the business and the business managers switching into the internal audit function.

    In summary, the internal audit function can add value to executive management by:

    coordinating the audit focus to match their priorities;

    providing assurance on the effectiveness and efficiency of the businesses’ risk management, internal controls, governance and compliance, to help them achieve their business objectives;

    ensuring that all the audit issues are supported by risk mitigation, and providing assurance that these risks have indeed been mitigated as expected;

    having efficient and effective internal audit function processes;

    timely discussing the significant audit issues before formally releasing the audit reports to the board;

    staying within the budget and complying with all relevant corporate policies;

    providing training in project management, analytical thinking, report writing, and other experiences for the high potentials.

    Expectations of divisional/business unit management

    Divisional/business unit management also have expectations:

    They want the internal audit function to have a focus on the key entities in their division/business unit, to make suggestions to improve the controls over and in their businesses and to ensure that the identified weaknesses have effective actions for improvement.

    They want to be able to influence where and when the auditors are going, already during the annual audit planning phase. Usually, the business units cannot see how much audit time is spent in their unit compared to the other business units. It is difficult for them to assess whether the audit efforts are fairly spread over the divisions of the company. However, the CAE can see this, and he will need to measure, monitor, and manage this. He needs to make sure that the audit efforts are allocated commensurate with the risk profile and size of the units.

    Business unit management expects that the audit results are discussed with them before they are passed on to executive management and the board. They want to make sure that they understand the reasoning of the internal audit function when it comes to the solutions and conclusions. They will ensure that the solutions and conclusions are consistent with the business unit perspectives on the subject matters. Furthermore, business unit management will usually quickly consider whether a problem in one entity may also exist in their other entities.

    In summary, the internal audit function can add value to divisional/business unit management by:

    coordinating the audit focus and timing for all the entities within the business unit, and ensuring that the audit efforts are commensurate with the risk profile and size of entities;

    providing assurance on the effectiveness and efficiency of their risk management and internal controls, to help them achieve their business objectives;

    coordinating the audit conclusions and risk mitigating actions before passing the draft reports to higher management levels.

    Expectations of local management and process owner

    Local management and the process owner expect the internal audit function to make recommendations to improve their internal control systems and their risk management processes.

    Generally speaking, local management wants to receive a positive audit rating and often they will do everything to avoid a negative audit report. This means that they may become tough negotiators on the wording of the conclusions and the audit rating. Sometimes they will discuss at length to prevent a negative message. This means that politics quite often plays an important role. The internal audit function must find an appropriate way to handle this, without reducing its objectivity and independence.

    Local management expects that internal audit points out the weaknesses in the processes, while they also expect to be able to avoid a negatively worded audit report. They expect that the internal audit function not only identifies the weaknesses but also offers the practical, cost-efficient and concrete solutions for remediating the weaknesses.

    Further, they expect to be treated fairly and with respect. This means that, during the regular audit engagements, the representatives of the internal audit function cannot act as police officers, walking around the local office with a facial expression of disapproval. The auditors cannot project the image of a know-it-all. They might know certain internal control, governance and risk management technical aspects better than the local employees, but they should not believe (or create the perception) that they know the business better than them.

    Local management expects to be able to review and comment on the draft audit report before it is sent to the higher echelons in the organisation.

    Local management will want the audit efforts to be reasonable with respect to the process, unit or department that is audited. For example, doing a financial audit at the time of a month-end closing is usually not appreciated. Allocating three audit resources to review a department consisting of four people is not appreciated either. Their expectation is being able to continue to perform their operational duties while the audit work is ongoing. Significant hindrance of their operational work during busy times can have a severe negative impact on the reputation of the internal audit function and destroys value.

    In summary, the internal audit function can add value to local management and the process owner by:

    finding an appropriate balance between the audit efforts and the capacities and availability of local staff and management;

    providing assurance on the effectiveness and efficiency of their risk management and internal controls, to help them achieve their local business objectives;

    reporting the facts and keeping opinions to a minimum in the audit reports;

    agreeing on the audit reports and risk mitigating actions before passing the draft reports to higher management levels.

    Expectations of other corporate functions

    There are also other assurance providers, inside the organisation, that have expectations. You can think of the company’s compliance function, the forensic investigations team (in the case that they are not part of the internal audit function’s responsibility), and the tax compliance, EHS and trade control functions.

    There may be more internal corporate customers such as Risk Management, Group Accounting and Reporting, Treasury, Legal, IT department, Project Management Office, and Controlling. All these functions may have certain expectations of the internal audit function as well. The list may seem endless, but it is crucial for the CAE to enter into a dialogue with all these functions about the interfaces of internal audit with their teams.

    The internal audit function can add value to the other corporate functions by:

    reviewing compliance (within local businesses and operations) with the corporate governance policies and directives issued by each of these functions;

    providing assurance on the roll-out of specific projects, or the effectiveness and efficiency of their internal controls and processes;

    supporting the functions with the development of governance policies and procedures, as well as the design of control systems.

    Expectations of outside customers

    Other assurance providers, outside the company, will also have expectations, for example, the external auditor. Additionally, the stakeholders such as the shareholders, the legislators, the regulators and the public interest groups could also have specific expectations.

    For example, the internal audit function can add value to the external auditor by:

    discussing the scoping and coverage with the external auditor to avoid duplications or gaps in the audit assurance;

    reviewing the financial statements, and the internal control systems over the financial reporting, for those entities that are outside the coverage of the external auditor.

    The regulators may have particular expectations of and influence on the scope of work and the responsibilities of the internal audit function as well. This happens mostly in the financial services or banking industry.

    Measuring actual audit value

    Theoretical

    Objectively quantifying the target or actual audit value is difficult. Hitherto, no efficient and objective models or methodologies have been developed for this purpose. For the support of cost reallocation (transfer-pricing) models, some companies calculate the benefits based on the value of the risk mitigation. However, how do you assess the value of an assurance outcome when the audit work identified no significant issues? It becomes very judgemental to measure this value and use it as an objective performance indicator. I am intentionally refraining from developing, designing and presenting such a quantitative model in this book. Such a model would be extremely theoretical and would probably find very few followers in the real business world. Academically it might be interesting, but without a practical application it is useless. The content of this book provides best practice and practical guidance for driving the audit value. A purely theoretical calculation model has no place here.

    Practical

    Many tools are available for measuring the target and actual audit value:

    satisfaction and quality surveys

    the annual audit plan

    management or board requests

    implementation of the risk mitigating measures

    the contribution to the business

    realisation of the personal bonus objectives of the CAE

    the balanced scorecard

    These tools can be explained as follows:

    Satisfaction and quality surveys to the audit committee/board, executive management and other management levels, including the process owner. These surveys can be used to reveal the actual performance against their expectations. They can be based on a scoring system (e.g., from 1 to 10, or from poor to excellent), which can be used to calculate a percentage of achievement, the quantified measurement of fulfilling the target audit value. The surveys can be designed in such a way that they address the key expectations of each level.

    When the annual audit plan is developed in a best practice way, it may serve as a target for the audit value. Developing the plan through coordination would enable the internal audit function to reach the board’s and management’s expectation of having the right focus towards the strategies and business objectives. Timely and completely implementing the plan would enable meeting the expectations of having the right focus. Measurement of the plan focus could be done through the surveys, whereas measurement of the plan execution can be done by calculating the percentage of implementation.

    Receiving regular management or board requests, for the audit of business topics with an emerging or immediate importance, can also be a good measure that they value the internal audit function. Receiving too many requests, however, is a sign that the annual audit plan is developed through insufficient coordination with the board and management (and is a sign of weakness).

    The timely and complete implementation of the risk mitigating measures, resulting from the audit engagements, can be measured through the follow-up and progress reporting. Such reporting can analyse the nature and number of the risk mitigation and business improvements realised through management’s implementation of the audit recommendations. It is easy to calculate the statistics for implementation rates for each entity, business unit, and department. A high implementation rate would indicate a high achievement of the target audit value.

    Giving an overview of the contribution to the business, for example in the annual report of the internal audit function. In such an overview the risk profile coverage, the audit universe coverage, and the primary control and business issues identified through the audit work can be presented. This can clearly show the nature and importance of the audit findings over the year, showing that the internal audit function effectively addressed the significant business risks.

    The level of realisation of the personal bonus objectives of the CAE is also a good indicator of how well he (and the internal audit function) achieved the target audit value set for him.

    The performance metrics of the balanced scorecard provide useful measurements of the actual achievement versus the target value, for example for the efficiency and effectiveness of the internal audit function’s processes.

    Customer value proposition

    The overall objective of the internal audit function must be to maximise the impact of the audit work. One way of maximising the impact is to provide assurance to the board and executive management that the major risks of the company are effectively and efficiently managed and mitigated. If the audit work concludes that (some of) the major risks are not being managed well enough, the audit process must ensure that management implements the concrete, practical and focused actions sufficient to mitigate these risks. The internal audit function’s review of management’s activities to reach their objectives has two essential aspects:

    Review of management’s plans and actions necessary to achieve the objectives (are the plans/actions sufficient?).

    Review of management’s handling of any possible deviations, risks and opportunities, which may prevent or bolster the achievement of the objectives (are the corrective actions sufficient?).

    Therefore, the focus of the audit lies on reviewing management’s continuing actions for goal achievement, as well as on their handling of corrective measures to counter any risks. Opportunities may cause management to overshoot their objective; these are therefore less often a subject of review. The internal audit function often concentrates only on the downside risks, not on the upside potentials.

    It can be said that the primary role of the internal audit function is to protect the shareholder value, through assurance activities on the risk control structure of the business organisation. One could further elaborate that the internal audit function’s efforts are targeted to:

    Provide independent business risk assessments and solutions;

    Support the achievement of business objectives by providing (reasonable) assurance that business risks are controlled in a cost-beneficial manner;

    Act as a change agent for optimising the efficiency and effectiveness of business processes, internal control systems, risk management, governance and compliance processes;

    Educate the organisation on the development and use of cost-efficient risk management and the promotion of best practices for controlling the business;

    Create an environment to promote the professional auditors’ development and a talent pool for supporting the development of the high potentials.

    The following tables provide summaries of the target audit value and their appropriate measurement systems, for each of the six major customer groups:

    Table 1 – Expectations of the six major customer groups: target audit value and measure of achievement
