
Disclosure

Copyright 2003 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission of the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.

The Professional Practices Framework for Internal Auditing (PPF) was designed by The IIA Board of Directors' Guidance Task Force to appropriately organize the full range of existing and developing practice guidance for the profession. Based on the definition of internal auditing, the PPF comprises Ethics and Standards, Practice Advisories, and Development and Practice Aids, and paves the way to world-class internal auditing. This guidance fits into the Framework under the heading Development and Practice Aids.

ISBN 0-89413-499-X
02412 01/03
First Printing

Dedication
To

Rosalie
Without whom nothing would be worthwhile.


Table of Contents

List of Exhibits .......................................................... ix
About the Author .......................................................... xi
Acknowledgements ......................................................... xiii
IIA Overview .............................................................. xv
GAIN Information ........................................................ xvii
Introduction ............................................................... 1
Chapter 1: Governance ...................................................... 5
Chapter 2: Expectations ................................................... 11
Chapter 3: Planning ....................................................... 17
Chapter 4: Organizing ..................................................... 29
Chapter 5: Staffing ....................................................... 35
Chapter 6: Directing ...................................................... 51
Chapter 7: Monitoring ..................................................... 61
Footnotes ................................................................. 67
Bibliography .............................................................. 69
Resources offered by The Institute of Internal Auditors ................... 71
Exhibits .................................................................. 75

The Institute of Internal Auditors

Exhibits List

Each exhibit is also provided as a separate Word or Excel file; the file type is given in the last column.

Exhibit  Title                                                                         Page  File
1-1      Table of Attribute and Performance Standards with Related Practice Advisories   75   Word
1-2      Code of Ethics                                                                  93   Word
1-3      The Standards & Glossary                                                        97   Word
2-1      Model Audit Committee Charter                                                  113   Word
3-1      Position Description: Chief Audit Executive / Director of Internal Audit       117   Word
3-2      Internal Audit Activity Charter                                                119   Word
3-3      Mission Statements                                                             123   Word
3-4      Executive Endorsement of Internal Auditing Charter                             125   Word
3-5      Internal Audit Operating Policy                                                127   Word
3-6      Corporate Audit Policy                                                         133   Word
5-1      Position Description: Staff Auditor                                            137   Word
5-2      Position Description: Senior Auditor                                           139   Word
5-3      Position Description: Manager of Internal Auditing                             141   Word
5-4      Position Description: Information Technology Auditor                           143   Word
5-5      Knowledge Level: IT Auditor Level 1                                            145   Word
5-6      Knowledge Level: IT Auditor Level 2                                            147   Word
5-7      Knowledge Level: IT Auditor Level 3                                            149   Word
6-1      Risk Sampling Strategy                                                         151   Word
6-2      Risk Assessment Model                                                          153   Excel
6-3      Policies and Procedures Manual Index                                           155   Word
6-4      Workpaper Samples                                                              157   Word
6-5      Project Time Report                                                            179   Excel
6-6      Staff Time Report                                                              181   Excel
6-7      Monthly Management Report                                                      183   Excel
7-1      Quality Assurance and Improvement                                              185   Word
7-2      Audit Productivity Measurement: Auditors                                       187   Word
7-3      Audit Productivity Measurement: Auditors-in-Charge                             189   Word
7-4      Compliance Checklist                                                           191   Word
7-5      Audit Customer Survey                                                          197   Word
7-6      Audit Process Questionnaire                                                    201   Word

The Institute of Internal Auditors


ABOUT THE AUTHOR


Richard H. Tarr, CIA, CISA, MBA, is an audit and information systems consultant and President of Richard Tarr and Associates, a consulting practice that specializes both in conducting Quality Assurance Reviews and in developing and conducting training for the private and public sectors in integrated internal auditing activities. He is a Certified Internal Auditor as well as a Certified Information Systems Auditor. He was formerly Manager of Quality Assurance Review for The IIA and was an advisor to the Quality Assurance Committee of the Association of College and University Auditors, Inc. (ACUA) on the development of their Quality Assurance Review Handbook. He wrote The IIA's 1991 publication Establishing an Internal Audit Function and is the author of "Built to Last," an article on developing an internal audit shop from scratch, published in the December 2002 issue of Internal Auditor. Richard Tarr resides in Orlando, Florida, and can be contacted directly by email at rtarr@racar.com.



Acknowledgements

Thank you to the many people who provided their expertise and support throughout this entire project.

Richard F. Chambers, CIA, CGAP, Institute of Internal Auditors
P. Dean Bahrman, CIA
Cynthia Summers, CIA, CGAP, CCSA, CFSA, PPS World Medical, Inc.
Susan B. Lione, CIA, CGAP, CCSA, Institute of Internal Auditors
Johanna S. Swauger, CIA, CGAP, CCSA, Institute of Internal Auditors
Donald E. Sparks, Institute of Internal Auditors
Jo-El LaBorde, Institute of Internal Auditors
Stacy M. Mantzaris, CIA, CGAP, CCSA, Institute of Internal Auditors
Michelle Entzminger, Institute of Internal Auditors
Evy Acevedo-González, Institute of Internal Auditors
Brian E. Kruk, CIA, CCSA, Institute of Internal Auditors
Lee Ann Campbell, Institute of Internal Auditors
Trish Harris, Institute of Internal Auditors



IIA Overview

INSTITUTE OF INTERNAL AUDITORS (IIA)
William G. Bishop III, President
247 Maitland Avenue, Altamonte Springs, FL 32701-4201 U.S.A.
Phone +1-407-937-1100, FAX +1-407-937-1101
Web site: www.theiia.org

IIA Organization: The primary international professional association, organized on a worldwide basis, dedicated to the promotion and development of the practice of internal auditing. The IIA is the recognized authority, chief educator, and acknowledged leader in standards, education, certification, and research for the profession worldwide. The Institute provides professional and executive development training, educational products, research studies, and guidance to more than 80,000 members in more than 100 countries. For additional information about The Institute, visit its Web site, www.theiia.org.

IIA Products & IIA Research Foundation Reports: Contact The IIA Distribution Center at C.S. 1616, Alpharetta, Georgia 3009-1616 U.S.A. Phone +1-877-867-4957 (toll free in U.S. and Canada only) or +1-770-442-8633, Ext. 275; FAX +1-770-442-9742; E-mail iiapubs@pbd.com.

Certification Programs: For information about the CIA program and the other certifications below, visit the IIA Web site or contact the Customer Service Center at the address above. Phone (407) 937-1111, FAX (407) 937-1101, E-mail custserv@theiia.org.

Certified Internal Auditor (CIA): The IIA's premier certification. The CIA designation is conferred by The IIA upon qualified candidates who successfully complete a written exam and meet the necessary character, experience, and education requirements. All candidates must hold a bachelor's degree or its equivalent from an accredited college-level institution and must have 24 months of internal auditing (or equivalent) experience (a master's degree can be substituted for one year's work experience).

Certification in Control Self-Assessment (CCSA): The IIA's first specialty certification program, conferred by The IIA upon qualified candidates who successfully complete a computer-administered exam and meet the necessary education and experience requirements. The CCSA certification program identifies the skill sets needed by successful practitioners of CSA, measures understanding of CSA, and provides guidance for CSA initiatives.

Certified Government Auditing Professional (CGAP): The IIA recognizes the important contributions of government auditors and has developed a certification program that distinguishes leaders in public sector auditing, the Certified Government Auditing Professional or CGAP. The program was developed by auditors from various levels of government who recognize that auditing in the public sector has unique challenges. Attaining the CGAP designation provides you the ability to differentiate yourself. Since individuals obtaining the CGAP are obliged to complete education and work experience requirements and to meet ethical standards, the CGAP credential showcases your commitment to government auditing.



Certified Financial Services Auditor (CFSA): The CFSA demonstrates competency in financial-services audit practices and methodologies. The 150-question pilot exam will test candidates' knowledge of financial services auditing, banking, insurance, and securities.

IIA Programs & Services: Contact The Institute of Internal Auditors Customer Service Center at the address above, or visit the IIA Web site. Phone (407) 937-1111, FAX (407) 937-1101, E-mail custserv@theiia.org.

Internal Auditor magazine: Award-winning journal of the profession and flagship publication produced by The IIA.

The IIA Professional Development Catalog: This biannual catalog includes schedules and descriptions of all IIA seminars (educational, executive development, audit-specialty, and customized on-site) and industry-specific and professional development conferences; certification programs; and educational products on such topics as audit committees and governance, audit management, auditing skills, certification; fraud, ethics, and law; industry, service, and sector specialties; information technology; risk and control; and standards and guidance.

Tone at the Top: This quarterly newsletter provides executive management, boards of directors, and audit committee members with information on such issues as ethics, internal control, governance, and the changing role of internal auditing, and with guidance relative to internal auditing's roles, responsibilities, and relationships with corporate governance entities.

Standards for the Professional Practice of Internal Auditing: The Standards represent the practice of internal auditing as it should be and are the benchmark against which any internal auditing function should be measured. Visit the Web site for information on the Professional Practices Framework.

Global Auditing Information Network (GAIN) Reports: GAIN reports provide internal audit executives with benchmarks for comparing their audit departments with those of other organizations, and an opportunity to network with peers in their industry to discuss challenges and share successful practices.

IIA Quality Assurance Reviews (QARs): IIA reviewers will come to your location to help ensure that your internal auditing is the best it can be.

CSA Center: The CSA Center offers guidance, training, and communications opportunities to individuals engaged in the practice of Control Self-Assessment (CSA). The IIA's CSA Center provides its participants with:
- A unique forum for sharing new information, professional guidance, innovative techniques, and successful practices
- The CSA Sentinel, an exclusive tri-annual newsletter
- Five CSA-related seminars and, upon satisfactory completion, the CSA Qualification
- Priority invitation to The IIA's CSA Conference and workshop
- An annual directory of CSA Center participants
- IIA member prices on CSA-related products and services
For additional information, contact the CSA Center at +1-407-937-1362.



GAIN: Global Auditing Information Network, A Benchmarking Service Offered by The IIA

The charts and graphs in this manual were extracted from the Global Auditing Information Network (GAIN), the largest, most complete comparative database available for the internal auditing profession. GAIN's baseline comparisons serve as a comprehensive instrument for measuring audit department practices and provide a path for improvement. Subscribers receive:

- Low-cost slide-show graphic reports packed with valuable information. Reports compare a subscriber's internal audit department to subscribers in related industries, to those of similar staff size, and to all subscribers in the program.
- Annual updates to help the subscriber's organization measure its improvement.
- Benchmarking information, including:
  o General organizational statistics
  o Internal audit department costs
  o Audit committee information
  o Customer satisfaction factors
  o Staff development intelligence
  o Planning information
  o Audit life cycle approaches and related resource statistics
- Networking opportunities with a worldwide professional network of internal audit executives, including participation in Flash Surveys.

For more information, contact the GAIN department at +1-407-937-1365 or +1-407-937-1367; e-mail gain@theiia.org; or fax +1-407-937-1101.

www.gain2.org



Introduction
Establishing an Internal Auditing Activity Manual is a guide for those who are implementing an internal auditing activity within their organizations for the first time, those who have recently been given responsibility for an internal auditing activity already in place, and those who want to improve their existing activity.

Internal auditing plays different roles in different organizations. In some it takes on the more historical role of verifier or checker to detect errors or fraud; in others it has a more expanded role that includes providing consulting services in addition to performing assurance reviews. Whatever the role, the internal auditing activity must be well planned, organized, staffed, directed, and monitored. It also must have in place policies and procedures that implement professional standards, and systems that can ensure that the standards are followed in performing the work. This also includes ensuring that the work performed meets the expectations and the needs of internal auditing's customers. The customer base for internal auditing typically comprises two groups: the board, senior management, and external third parties on the one hand, and operating and line management on the other.

It is the goal of this book to provide information and understanding on how an internal auditing activity should operate and to enable an organization to establish the activity and begin functioning. Once a new internal auditing activity has been established, the chief audit executive (CAE) will be able to identify any number of opportunities for improvement on an ongoing basis. While it would take many more pages to completely cover everything relating to establishing an internal auditing activity, what follows are the essentials. Spend the time and resources necessary to implement the steps outlined in this manual, and the internal auditing activity will be able to assist the organization by improving the effectiveness of risk management, control, and governance.

Chapter 1: Why an Internal Auditing Activity?

This chapter begins with a discussion of what corporate governance is and why it has recently been put under the spotlight. Once the meaning of corporate governance is understood, it is easy to understand the importance of internal auditing's link to the establishment of an effective corporate governance structure. The Institute of Internal Auditors (IIA) is the leader and the principal voice of the internal auditing profession. As such, The IIA has defined the role and the scope of the practice of internal auditing. This first chapter concludes with an introduction to the structure of The IIA's Professional Practices Framework, the Standards for the Professional Practice of Internal Auditing (Standards), and The IIA's Code of Ethics.

Chapter 2: Expectations

If an internal auditing activity is going to be successful, then all the stakeholders need to understand their expectations. What the board expects of the audit committee, senior management, and the internal auditing activity, and what each should expect of the others, is the focus of this chapter. Understanding the expectations of the stakeholders is the first step in establishing an internal auditing activity. The success of the next step, planning, will be driven by what the various stakeholders expect of internal auditing.



Chapter 3: Planning

This chapter first addresses the identification and selection of the CAE and then the development of the Audit Charter. The charter documents and communicates the purpose, authority, and responsibility of the internal auditing activity. This is important because the charter establishes the independence of the internal auditing activity. Without independence, auditors will be unable to perform their work objectively and provide the stakeholders with the impartial and unbiased assurance and consulting activities that are expected.

Chapter 4: Organizing

This chapter discusses the development of an organizational plan for the internal auditing activity. To whom the CAE will report in the organization should be carefully planned. The CAE's relationship with the board and senior management will determine whether the activity can operate objectively. The chapter identifies several best practices that can help ensure independence and objectivity for the internal auditing activity.

Chapter 5: Staffing

The CAE has been chosen, and the purpose, authority, and responsibility of the internal auditing activity have been established. The next step is to decide how to staff the activity. Based on information provided by The IIA's Global Auditing Information Network (GAIN), this chapter starts off by providing some benchmarks from GAIN surveys on the size, education, experience, and professional certifications of internal auditing staff for a number of industries. It then continues with a discussion of the pros and cons of in-house, outsourcing, and co-sourcing staffing strategies and sources.

Chapter 6: Directing

Once the staffing resources are in place, the challenge becomes how best to use them. This chapter discusses the development of a simple risk assessment methodology and the building of an annual audit plan. While the risk assessment methodology is simple, it enables a CAE to quickly develop an audit plan based on risk. The chapter also includes discussions on the importance of managing project budgets and schedules. Examples of project and staff tracking spreadsheets are included in the Exhibits section of the manual.

Chapter 7: Monitoring

This chapter outlines the seven IIA Standards that identify specific activities that must be part of the Quality Assurance (QA) program of every internal auditing activity. Quality assurance reviews are required by The IIA's Standards. Quality means that the appropriate policies and procedures are in place, and the quality assurance program will provide reasonable assurance to management and the board that the work is being performed in accordance with the Standards and is adding value by improving the organization's operations.

The Exhibits

The Exhibits contain examples of various items that are helpful in setting up the policies and procedures for a new internal auditing activity. These include an Internal Audit Charter, a Corporate Audit Policy, staff position descriptions, and other items that should provide the CAE with a good start toward establishing or improving an internal auditing activity. Additional information includes a bibliography of resources used in developing this manual, information about The Institute of Internal Auditors, and an extensive resource list of products and services offered by The IIA that can provide additional guidance and education for helping establish an effective internal auditing activity.

Those responsible for the internal auditing activity play an integral role in good corporate governance for their organization. This manual is designed to help organizations establish an effective internal auditing activity or improve their existing activity. It is important to remember that the responsibilities of the internal auditing activity are constantly changing. The IIA has been instrumental in keeping internal auditors apprised of the constant changes, and those reading and using this manual are encouraged to visit The IIA's Web site at www.theiia.org often for information impacting the dynamic profession of internal auditing.



Chapter 1: Governance
Why Have an Internal Auditing Activity?

According to recent statistics from the international news and information organization Bloomberg News, in more than half of the 673 largest bankruptcies of public corporations since 1996, external auditors provided no cautions in annual financial statements in the months before bankruptcy. Five of the seven largest bankruptcies in history, including Enron, Global Crossing Ltd., and Kmart Corp., followed annual reports with clean audit opinions from external auditors.1.1 From 1995 to 2001, corporate financial restatements increased from 50 a year to more than 150; in total, 722 public corporations admitted that their audited numbers were so wrong that they had to be redone. These statistics demonstrate that the larger and more complex the company, the more difficult it is for external auditors, management, and boards to have an accurate picture of risks and controls.1.2

Corporate governance is being examined more closely than ever before. Media coverage of corporate crises increasingly focuses on the board: what are directors doing, and do the relationships they have with the company weaken the effectiveness of their oversight? The need for internal auditing as an element of corporate governance has never been more clearly demonstrated than by recent events. Take, for example, WorldCom, where the internal auditor discovered $3.8 billion of dubious accounting and, after the then-chief financial officer resisted taking corrective action, called the matter to the attention of the audit committee chairman. Internal auditors, by having an objective view from inside the organization, can play a vital role in the governance process by keeping management, the board, and external auditors aware of risk and control issues and by assessing the effectiveness of risk management.

Corporate Governance

Exactly what is governance? More specifically, what is corporate governance, and how can an internal auditing activity be used to improve corporate governance? We frequently use the term corporate governance, and many of us understand that one of the main responsibilities of boards is to ensure that the governance processes are effective; however, the term is rarely defined. The Toronto Stock Exchange Dey Committee developed a robust definition:

"Corporate governance" means the process and structure used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors and management. The direction and management of business should take into account the impact on other stakeholders such as employees, customers, suppliers and communities.1.3

Effective corporate governance requires a system of checks and balances, assuring that the right questions get asked of the right people. An effective system of corporate governance will establish a link among management, the board, the external auditor, and the internal auditor in a way that creates a structure (with incentives and disincentives) that enables people with overlapping but not entirely congruent interests to have a sufficient level of confidence in each other and in the organization as a whole. This structure should be a system of checks and balances designed to permit the appropriate scope of authority (power) and limit the abuse of that authority (accountability). Effective corporate governance is based upon strong working relationships among four groups: management, the board, external auditors, and internal auditors.

Internal auditing is integral to good corporate governance. The internal audit activity's unique full-time focus on risks and controls is vital to a sound governance process. Financial reporting is not the only important responsibility of boards. Other areas, relating to the safeguarding of corporate assets, operational efficiency and economy, and compliance with rules, regulations, and policies, are also extremely important. While effective internal control is management's responsibility, it requires the participation of everyone in an organization (the board, management, external auditors, and internal auditors) to be effective. Given the current environment, it is surprising that boards of directors or management would choose to operate without internal auditing.
All organizations should have a fully resourced, independent internal auditing activity that is professionally staffed and chartered to evaluate the risk management, control, and governance processes.

The IIA's Professional Practices Framework

Founded in 1941, The Institute of Internal Auditors (IIA) is the principal voice of the internal auditing profession and has over 80,000 members worldwide. In 1976, The IIA founded The Institute of Internal Auditors Research Foundation to provide and expand research and education for the benefit of the internal auditor, the internal auditing profession, the business and government communities, and the general public. The Foundation is the recognized leader in sponsoring and disseminating research to assist and guide internal auditors and the internal auditing profession.

The IIA originally published its Standards for the Professional Practice of Internal Auditing (Standards) in 1978. In June 1999, The IIA Board of Directors approved a new definition of internal auditing and a new Professional Practices Framework. Both were based on research conducted by The IIA Research Foundation and the Guidance Task Force (GTF), a special committee of The IIA charged with examining the adequacy of current standards and guidance for the practice of internal auditing. The GTF concluded that a significant gap existed between available guidance and current practices. In order to close the gap, The IIA developed the Professional Practices Framework.

The Professional Practices Framework consists of three types of guidance: 1) Mandatory Guidance, 2) Practice Advisories, and 3) Development and Practice Aids. The Framework includes the Definition of Internal Auditing, the Code of Ethics, the Standards for the Professional Practice of Internal Auditing (Standards), Practice Advisories, and Development and Practice Aids. The Definition of Internal Auditing, the Standards, and the Code of Ethics comprise the mandatory elements of the Framework, and all three were revised in the last three years. The new official definition was approved in June 1999 and a new Code of Ethics in June 2000, with the new Standards following in December 2000. These documents delineate the characteristics, procedures, and activities that are considered essential to the professional practice of internal auditing. All IIA members and Certified Internal Auditors (CIAs), as well as anyone providing internal auditing services, are expected to adhere to these guidelines.1.4

Practice Advisories (PAs) are pronouncements that represent best practices and, although not mandatory, are strongly recommended and endorsed by The IIA. They are designed to help interpret or explain particular Standards or to apply them in specific internal auditing environments. Currently there are more than 60 PAs, with new ones being added all the time. A list of current PAs and the Standards they relate to can be found in Exhibit 1-1. IIA members have access to all the PAs through The IIA's Web site at www.theiia.org under Guidance.1.5

Development and Practice Aids consist of a variety of materials, including research studies, books, seminars, conferences, and other products and services. These are items developed or endorsed by The IIA, and they generally describe best practices or provide ideas for implementing the Standards and Practice Advisories.1.6 Development and Practice Aids are available to IIA members and nonmembers on The IIA's Web site at www.theiia.org under Guidance.

The Code of Ethics

The Code of Ethics, revised in June 2000, identifies four core values or principles considered essential to the effective practice of internal auditing: 1) integrity, 2) objectivity, 3) confidentiality, and 4) competency. These principles are accompanied by 12 rules of conduct describing specific behaviors expected of internal auditors. The rules serve as practical applications of the four principles and are intended to guide the ethical conduct of internal auditors.1.7 The purpose of the Code is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance.1.8 The Code of Ethics can be found in Exhibit 1-2 and on The IIA's Web site at www.theiia.org under Guidance.

The Institute of Internal Auditors

8 Establishing An Internal Auditing Activity Manual


The Definition of Internal Auditing

The IIA approved a revised definition of internal auditing in June 1999 with input from IIA members around the world. The new definition is the cornerstone for the Professional Practices Framework, which was also approved in June 1999 by The IIA Board of Directors. The definition establishes the boundaries of the profession, while the Code of Ethics represents the profession's conscience and calls for self-discipline and behavior that go beyond that required by laws and regulations.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The new definition of internal auditing is different from the one that was first developed over 60 years ago as part of the then Statement of Responsibilities of Internal Auditing. According to research conducted by The IIA Research Foundation and The Guidance Task Force (GTF) responsible for examining the value of IIA guidance, the old terminology failed to adequately reflect the evolution of practice or effectively promote the internal audit profession in the competitive marketplace. The new definition recasts the image of internal auditing in two significant ways.

1) The previous Statement of Responsibilities of Internal Auditing characterized the profession as an independent function established within an organization. The new definition describes internal auditing as an independent, objective activity. By using the term "activity" instead of "function" and eliminating the phrase "within an organization," the revised definition allows for internal auditing services to be provided by individuals not employed by the organizations that they serve. This new definition acknowledges that outsourcing has become a viable alternative for organizations seeking quality internal auditing services.

2) The definition of internal auditing as an appraisal function did not accurately reflect the type of services that are provided by most internal auditing departments, nor did it allow for internal auditing's increasingly influential role in organizations. By focusing on assurance and consulting work instead, the new definition conveys a more proactive, customer-oriented approach with a role to play in the control, risk management, and governance activities of an organization.[1.9]

The Standards for the Professional Practice of Internal Auditing

The Standards consist of three components: 1) Attribute, 2) Performance, and 3) Implementation Standards. The Attribute Standards address the attributes of organizations and individuals performing internal auditing services. The Performance Standards describe the nature of internal auditing services and provide quality criteria


Governance 9
against which the performance of these services can be measured. The Attribute and Performance Standards apply to all internal auditing services. The Implementation Standards expand upon the Attribute and Performance Standards, providing guidance applicable in specific types of engagements. These standards may be expanded to ultimately address industry-specific, regional, or specialty types of audits.

Compliance with the concepts enunciated in the Mandatory Guidance is essential before the responsibilities of internal auditors can be met. As stated in the Code of Ethics, internal auditors shall perform internal audit services in accordance with the Standards. All members of The Institute and all Certified Internal Auditors agree to abide by the Standards and the Code of Ethics, and this guidance is intended to be applicable to all members of the internal audit profession, whether or not they are members of The IIA.[1.10] A complete list of the Standards can be found in Exhibit 1-3 and under the Guidance tab of the IIA's web site at www.theiia.org.


Chapter 2: Expectations
Boards, audit committees, senior management, and the internal auditors have common goals. Good working relationships are necessary if everyone is going to be successful in accomplishing their goals and meeting their responsibilities. Good working relationships start with an understanding of the expectations of the parties in that relationship. What the board expects of the audit committee, senior management, and the internal audit activity, and what each expects of the other, is important if the stakeholders they serve are to have confidence in the organization's ability to succeed.

The Board

At the top tier of the governance ladder is the board. The board has the responsibility to look after and protect the interests of all the stakeholders in the organization. In protecting those interests, the number one topic on the minds of most board members is the subject of risk. Directors have seen firsthand how unanticipated risks destroy a successful growing organization and send it into bankruptcy. While risk has long been associated with catastrophic insurable events, financial exposure, credit, liquidity, and other negative events, the perception of risk has now evolved to cover a much broader range of threats. Environmental issues, sophisticated financial transactions, legal and regulatory compliance, emerging technologies, political and economic issues, competition, and others have all been added to the list of risks that organizations face in today's business environment. While the board is not directly responsible for risk management, since management has that responsibility, the stakeholders expect the board to be certain that the responsibility is carried out.

In ensuring that the stakeholders' interests are being protected, the board should:
• Establish an audit committee and adopt an audit committee charter describing its duties and responsibilities and its relationship with internal and external auditors and management in the context of its oversight responsibilities of the organization's financial reporting process and internal controls. Exhibit 2.1 is an example of a Model Audit Committee Charter.
• Maintain a majority of board directors that have no ties to the organization or senior management.
• Create board nominating, corporate governance, and compensation committees composed of independent directors.
• Ensure that directors appointed to the audit committee are independent of management and have an understanding of generally accepted accounting principles, financial statements, and experience with internal accounting controls.
• Adopt and disclose corporate governance guidelines addressing director:
  o Qualifications
  o Responsibilities
  o Access to management
  o Compensation
  o Orientation and continuing education, and
  o Annual performance evaluations of the board.



• Adopt and support an organizational code of ethics.

Note: All of the above are required for SEC corporations by either the Sarbanes-Oxley Act of 2002 or the New York Stock Exchange listing standards.

The Audit Committee

Generally, the audit committee is responsible to the board for overseeing: the reliability of financial reporting, the effectiveness of internal controls over financial reporting, the processes for monitoring compliance with regulatory requirements, and the processes for monitoring compliance with the organization's code of conduct. The committee now has a broader responsibility for overseeing the effectiveness of the organization's risk management and control processes. These broader responsibilities are intended to provide reasonable assurance that an organization will be able to achieve its objectives as they relate to: the effectiveness and efficiency of operations; the reliability of financial and operational information; and compliance with applicable laws and regulations.

The audit committee should:
• Evaluate whether management is setting the appropriate tone at the top by communicating the importance of internal control and the management of risk, and that employees have an understanding of their roles and responsibilities.
• Consider how management is being held accountable for the security of information technology and the business continuity plans for processing financial information in the event of a system breakdown.
• Be informed as to whether the internal control recommendations, made by either the internal or external auditors, are implemented by management.
• Inquire of management about the areas of greatest financial risk and how management is managing that risk.
• Be made aware of significant accounting and reporting issues, including recent professional and regulatory pronouncements, and understand their impact on the organization's financial statements.
• Be involved in the hiring of the external auditors, and in the evaluation of their performance.
• Be informed by management and the internal and external auditors about significant financial and operational risks and exposures and management's plans to minimize such risks.
• Be made aware of any legal matters that could significantly impact the organization's financial statements.
• Review and approve the internal audit charter and ensure its compatibility with the audit committee charter.
• Ensure that the internal auditing activity can independently plan audit projects and conduct and report the results objectively.
• Meet frequently with the chief audit executive (CAE) and have open and honest discussions on the results of internal auditing activities as well as current business issues.
• Meet privately with the CAE, without management being present.

• Be involved in the hiring, replacement, reassignment, or termination of the CAE, and in the evaluation of his/her performance.
• Review and approve the annual internal audit plan.
• Ensure that the internal audit activity has adequate staffing and budget resources to accomplish the plan.[2.1]

Management

Management has the responsibility for risk management and should establish effective processes to manage risk. An effective risk management process will not only identify existing risks but also identify new risks as they emerge. Management will typically integrate its risk management processes into the way it runs the business.

Senior management should:
• Identify by strategic initiative or business segment the major objectives that will enable the organization to achieve its targeted operational and financial goals.
• Identify for the major objectives the risks and critical success factors that must be achieved if the strategic initiatives or business segments are to be successful.
• Identify processes, programs, or actions needed to manage the risks.
• Implement appropriate monitoring and measuring activities to ensure that processes, programs, or actions are implemented.
• Implement a culture that rewards the recognition, communication, and management of risks.
• Communicate to the organization that internal auditors are part of the risk management process.
• Work with internal auditing to identify an appropriate risk model for the organization.
• Help internal auditing identify appropriate risk factors for their risk assessment methodology.
• Identify for the audit committee and internal auditing significant financial and operational risks and exposures and their plans to minimize such risks.
• Meet frequently with the CAE and have open and honest discussions on the results of internal auditing activities as well as current business issues.
• Support the internal audit activity by ensuring that it has adequate staffing and budget resources to accomplish its responsibilities.
• Support the establishment of a strong and competent professional internal audit activity.
• Endorse and support the internal audit charter.
• Ensure the timely implementation of audit recommendations.
• Set the appropriate tone at the top by communicating the importance of internal control and the management of risk and the role and responsibilities employees have in managing risks.
• Enable the CAE to participate in key management and project meetings.



Internal Auditors

Internal auditors, and particularly the CAE, are important to an organization's success in today's business environment. In addition to their responsibility for assessing and recommending internal controls, their skill in risk management and their broad-based perspective of the organization uniquely position them as a valuable resource for strong corporate governance. They are the primary resource for the audit committee in carrying out its responsibilities. An active, informed, vigilant, and effective audit committee provides the ultimate independent and objective oversight of the organization's control environment.

Internal auditors should:
• Embrace The IIA's definition of internal auditing and the Standards for the Professional Practice of Internal Auditing (Standards) and be familiar with what is required.
• Build a rapport with senior management and the audit committee chair to ensure that they have a clear understanding of the role of internal auditing.
• Quickly learn and address what management and the board view as the greatest risks to the organization.
• Understand the responsibilities and duties identified in the audit committee charter.
• Identify whom senior management considers the leaders in the organization's market/industry.
• Obtain and understand written policies and procedures that pertain to management's responsibility to manage risk and control in the organization.
• Develop, along with management, an organization model that can be used to map major processes/operations for the purpose of identifying the organization's auditable entities.
• Develop a risk assessment methodology for the auditable entities identified in the model of major processes/operations.
• Develop an audit plan based on the risk assessment and requests from management and get it approved by the board.
• Develop a staffing plan for the internal auditing activity and staff the activity.
• Build an internal audit activity budget and have it approved by the audit committee.
• Develop an audit charter, approved by both senior management and the audit committee, for the internal auditing activity.
• Ensure that senior management adequately communicates to the organization the internal audit activity's authority and responsibilities, and calls for their complete cooperation.
• Work with senior management and the audit committee to establish a reporting relationship that will ensure that audit recommendations receive appropriate attention.
• Stay current on technology advances and trends and keep the audit committee appropriately informed.
• Encourage the staff to work toward certification and participate in professional development programs.
• Develop a timely procedure to monitor the disposition of audit recommendations.

• Establish a quality assurance and improvement program for the internal auditing activity that provides assurance that the internal auditing activity: 1) performs in accordance with its charter, 2) adheres to the Standards and the Code of Ethics, 3) operates in an effective and efficient manner, and 4) is perceived by the board and management as adding value and improving an organization's operations.[2.2]


Chapter 3: Planning
Identify the Chief Audit Executive (CAE)

The chief audit executive's (CAE's) role is to provide advice, counsel, and opinions regarding the organization's efficiency and effectiveness in risk management, internal control, and corporate governance. To be effective in this role, the CAE should be someone who can be viewed and accepted as a member of the organization's senior management team. The CAE should manage the internal audit activity, attend and participate in key management meetings, and offer appropriate comments and insights. The CAE should be continuously involved in aiding management in identifying risks through participation on oversight committees and monitoring activities. The CAE should be someone who can gain both management's trust and the board's respect. This is why audit committees should play an active role in the hiring of the CAE.

The right candidate should have an understanding of:
• Internal auditing's relationships with the audit committee, the board, and senior and operating management.
• Internal auditing's role in evaluating and improving the effectiveness of risk management, control, and governance processes.
• The Institute of Internal Auditors (IIA) Professional Practices Framework, especially the Standards for the Professional Practice of Internal Auditing (Standards) and the Code of Ethics, and be familiar with the Practice Advisories that are endorsed by The IIA.
• How to serve as a consultant by supporting and setting an ethical standard and advising management and the board on best practices.
• How to audit financial, operational, and information technology functions.
• How to review for compliance, evaluate controls, and formulate control recommendations that support an organization's objectives.
• Audit activity practices.
• How to understand and address organizational trends, changes, and risks both inside and outside the organization and be able to make recommendations to management and the board concerning these.

CAE Position Background

  Primarily General Auditing    55.2
  Primarily IT/IS Auditing       1.0
  Combination of above          24.6
  Non-auditing                  19.2



Add to this the need to be an effective communicator, demonstrate good judgment, show strength of character in the face of adversity, and have an ability to bring forth issues in a way that is balanced and objective. It becomes apparent that the right candidate for the CAE should be carefully chosen. An example of a position description for the chief audit executive can be found in Exhibit 3-1.

CAE Average Years of Service

  Internal Audit                    12.1
  Public Accounting                  2.4
  Non-Audit                          7.1
  Total Average Years of Service    24.1

Source: GAIN Report pages ca3

The Charter

Planning for an effective internal auditing activity starts with the development of an internal auditing charter that complements and supports the audit committee charter. The charter identifies and communicates to the organization the purpose, authority, responsibility, and scope of the internal audit activity. The charter is an important document because it establishes what senior management and the board expect from the CAE and the internal audit staff. The charter should be in writing and approved by the board, or the audit committee on behalf of the board, and endorsed by management. An Audit Charter Example can be found in Exhibit 3-2. An example of two Mission Statements for an internal auditing activity can be found in Exhibit 3-3. An example of an Executive Endorsement of the Internal Auditing Charter can be found in Exhibit 3-4.

The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the Board. (Standard 1000)

Within the context of the Standards, "board" refers to the board of directors, the audit committee of a board, the head of an agency or legislative body to whom internal auditors report, the board of governors or trustees of a nonprofit organization, or any other governing body of an organization.

Purpose

The purpose of an internal auditing activity is best described by the definition that was approved by The IIA in June 1999:


Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Statements of policy on the purpose of internal auditing activities should emphasize that internal audit is an independent, objective activity that is intended to add value and improve an organization's operations. It is important for this purpose to be widely communicated throughout an organization so that it is clear why the internal auditing activity exists, to help dispel the "cop" image with which internal auditors have been labeled in the past. By carefully wording the purpose for internal auditing, a positive image of internal audit activities and the profession can be communicated. This can further nurture the acceptance and cooperation of the departments and personnel that will be the activity's customers. An example of a Corporate Audit Policy can be found in Exhibit 3-6.

The internal audit activity should be independent, and internal auditors should be objective in performing their work. (Standard 1100)

Authority

The overall authority of the internal audit activity and the CAE should come from the board and should be specifically spelled out in the charter. The charter should clearly establish the activity's position within the organization and define the scope, or nature, of internal auditing activities. It should authorize, among other things, access to all records, personnel, and property needed to accomplish audit projects. It should give the CAE the authority for full and unrestricted access to the audit committee. It should grant the CAE the authority to allocate resources, establish schedules, determine the scope of audit work, and set audit objectives without interference from management.

Responsibility

The charter should communicate that the overall responsibility of the internal audit activity is to serve the organization by evaluating the effectiveness of risk management, control, and governance processes in a manner that is consistent with the Standards and the Code of Ethics. This also includes coordinating internal audit activities with others so that the most effective and efficient results can be achieved. The charter should delineate the specific responsibilities of the CAE and the staff. These responsibilities should include:
• Providing an annual assessment on the adequacy and effectiveness of the organization's processes for controlling its activities and managing its risks in the areas included in the scope of work authorized by the charter.
• Creating and submitting an annual audit plan that has been developed using an appropriate risk-based methodology to the board for their review and approval.



• Implementing the annual audit plan, as approved, including any appropriate special projects requested by management and/or the audit committee.
• Maintaining a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to perform the audit work identified in the charter.
• Issuing periodic reports to the audit committee and management summarizing the results of audit activities.
• Keeping the audit committee informed of emerging trends and best practices in internal auditing.
• Developing and maintaining a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness.
• As appropriate, providing consulting services to management that add value and promote the best interests of the organization.

Above all, the internal auditing charter needs to articulate the independence of the internal auditing activity. Internal auditors are independent when they can carry out their work freely and objectively. Achieved through organizational status and objectivity, independence permits internal auditors and the internal auditing activity to render impartial and unbiased judgments. Internal auditors need to maintain an independent, objective mental attitude, not subordinating their judgment on audit matters to others. They need the support of senior management and the board so that they can gain cooperation of the audit customers and perform their work free from interference.

The following items comprise a checklist for determining whether the internal auditing charter will ensure that the internal auditing activity is independent.
• The CAE is responsible to an individual in the organization with sufficient authority to:
  o Promote independence.
  o Ensure broad audit coverage.
  o Ensure adequate consideration of audit reports.
  o Ensure appropriate action on audit recommendations.
• The CAE has direct communication with the board, regularly attends and participates in board meetings, and meets privately with the board at least annually without the chief executive officer (CEO).
Frequency of Meetings With the Audit Committee

  Monthly        3.80%
  Quarterly     52.80%
  Semi-annual   14.80%
  Annual         3.50%
  Other         13.30%
  Never          1%
  No AC         10.00%

Source: GAIN Report pages a2

• The board concurs in the appointment or removal of the CAE.
• The purpose, authority, and responsibility of the internal auditing activity are defined in the charter, and the charter has been approved by the board and endorsed by senior management. The charter should also communicate the following:
  o Authorize auditors' access to records, personnel, and physical properties relevant to the performance of audit projects.
  o Define the scope of internal auditing activities.
• The charter should require the CAE to annually submit the following information to senior management for approval and to the board for their information:
  o Summary of the audit work schedule
  o Staffing plan
  o Financial budget
  o Activity reports highlighting significant findings and recommendations[3.1]

Information usually submitted to the Audit Committee

  Percent of audit plan completed      78.10%
  Department expense budget            40.90%
  Actual expenses vs. budget           31.50%
  Department productivity measures     46.50%
  Benchmark comparisons with others    36.20%
  Organizational structure             68.01%

Source: GAIN Report pages a5

The scope or nature of internal auditing under the old Standards was narrowly focused around internal control assurance and compliance. The domain of internal auditing work has been expanded considerably in the new Standards. The nature of internal auditing now includes consulting activities in addition to assurance activities that are intended to evaluate and contribute to the improvement of risk management, control, and governance systems. These activities are intended to focus on whether the organization's risk management, control, and governance processes, as represented by management, are adequate and functioning as intended. Because the new definition of internal auditing requires the internal audit activity to add value and improve an organization's operations, adding value is now an expected result of audit activities. By recognizing that auditors can provide both assurance and consulting services, there are now more opportunities for internal auditing to make a significant contribution to an organization.

The nature of assurance services provided to the organization should be defined in the audit charter. (Standard 1000.A1)



Assurance work should be designed to meet the fiduciary needs of senior management and the board. Assurance engagements need to include steps and obtain specific information that will enable senior management and the board to establish a level of comfort regarding the organization's risk management, governance, and internal control systems.

The nature of consulting services should be defined. (Standard 1000.C1)

Consulting services, however, usually focus on pure problem-solving activities and are about adding value to operating management. The charter should include the authority and responsibilities for consulting activities. It is important that management and the board understand and agree with the idea of providing consulting services, and approve policies and procedures under which consulting services will be performed by the internal auditing activity. The CAE should identify the types of consulting activities to be offered and develop appropriate policies and procedures for performing this type of work. By clarifying the difference between assurance work and consulting work, internal auditors, on a consulting engagement, can focus on the concerns of operating management without compromising their assurance responsibilities to senior management and the board. This gives internal auditors the opportunity to get involved up-front in projects rather than having to wait until after the completion of the project.

The nature of consulting and assurance work is compared and contrasted in the chart below:

ASSURANCE OR CONSULTING 3-2

Assurance

Assurance involves: the auditor, the operating customer, and the third party to whom assurance is being provided.
Assurance assesses:
• Adequacy of entity internal control.
• Adequacy of process or sub-entity internal control.
• Adequacy of enterprise risk management.
• Adequacy of governance process.
• Compliance with laws or regulations.
The client may be:
• Internal: the board, senior management, the audit committee.
• External: customers, shareholders, regulators, stakeholders.
Results are:
• An opinion.
• Formal and explicit.
• Reported to the third party (mandatory).
• Followed up on (mandatory).
Assurance work is:
• Mandatory for the internal audit activity.
• Full competence is either present in the audit staff or acquired from outside parties.

Consulting

Consulting involves: the auditor and the client.
Consulting provides:
• Improvement of efficiency or effectiveness.
• Assistance in design of corrective actions.
• Controls needed for new systems design.
• Benchmarking.
The client usually is:
• Operating management.
Results are:
• A recommendation.
• Often formal.
• Reported as agreed upon with the client.
• Followed up on to the extent specified in the consulting arrangement.
Consulting work is:
• Optional. The engagement can be declined if competencies required to perform the engagement are not present in the audit staff.



Issues that should be considered when undertaking consulting work can be found in Practice Advisories 1000.C1-1 and 1000.C1-2. Sample categories that can be used by organizations to describe the types of consulting services that may be offered are shown below. TYPES OF CONSULTING WORK 3-3 Sample categories used by organizations to describe the types of consulting work they provide include:

Formal engagements those that are planned and subject to written agreement. Informal engagements routine activities such as participation on standing committees, limited-life projects, ad-hoc meetings, and routine information exchange. Special engagements participation on dedicated teams such as a merger and acquisition team or system conversion team. Emergency engagements participation on a team established for recovery or maintenance of operations after a disaster or other extraordinary business event or a team assembled to supply temporary help to meet a special request or unusual deadline.* Assessment services the timely examination of a past, present, or future aspect of operations that renders information to assist management in making decisions. Examples include estimating savings from outsourcing processes or assessing the adequacy of internal controls over proposed systems. Facilitations services assistance to management in the examination of organizational performance for the purpose of promoting change by helping management to identify organizational strengths and opportunities for improvement. Examples include control self-assessment, benchmarking, strategic planning support, and business process reengineering support. Remediation services the assumption of a direct role designed to prevent or remediate known or suspected problems on behalf of the client. Examples include developing and delivering training courses on risk management, internal controls, regulatory compliance, etc; drafting proposed policies; and augmenting operating personnel.**

* From Practice Advisory 1000.C1-2
** From the U.S. Department of Agriculture Graduate School Model.

The Institute of Internal Auditors

Several policies governing how consulting services would be provided by an internal audit activity are shown below:

SAMPLE POLICIES FOR CONSULTING SERVICES (3-4)

The internal audit activity at a state agency developed the following draft policy statement for consulting services. The policy provides a useful model for other audit activities attempting to codify their approach to consulting work.

Acceptance of Projects

1. Some consulting projects are specifically identified in the board-approved annual plan. For these projects, the CAE will collaborate with the appropriate manager to develop a preliminary statement of work to be performed. This statement will include a general description of work, estimated hours, and projected time frame.

2. Most consulting projects are initiated by managers communicating directly with the CAE. For these requests, the CAE will:
- Collaborate with managers to develop a preliminary statement of work to be performed. The statement will include a general description of work, estimated hours, and projected time frame.
- Evaluate whether the internal audit team can perform the work. Considerations include:
  o Knowledge, skills, and disciplines of auditors.
  o Expected resource commitment.
  o Risk of activities.
  o Impact on the audit activity's independence and objectivity.
  o Other appropriate considerations.
- If the evaluation reveals that the audit activity can perform the work, the CAE will seek the executive director's approval for the request.
- If the evaluation reveals that the audit activity should not perform the work, the CAE will notify the appropriate managers. The CAE will also discuss options, such as assisting with the selection of outside consultants.

Determining the Approach

Using the preliminary statement of work, the CAE will determine the model that will be used to conduct the work. There are two possible models:

Audit Model

Using this model, the consulting project will be performed using the already established standards, policies, and procedures that apply to any audit. The decision to use the audit model is based on several factors, including:
o Will project objectives or sub-objectives be determined using a risk/vulnerability assessment?
o Are resources for the project primarily under the internal audit activity's control?

o Will at least 80 hours of internal auditing's time be required for the project?
o Will preparing the report primarily be the responsibility of the CAE?
o Does the work easily fit into the survey/fieldwork/reporting paradigm?

Review Model

The review model is used for requests that do not fit the audit model. Under the review model, the consulting project is performed using policies and procedures that differ from those used in a traditional audit.

Procedures for the Review Model

1. When the audit commitment totals 40 or more hours:
- A project file will be maintained. This file should contain documents such as the preliminary statement of work, meeting agendas, status reports, notes, and other pertinent information.
- Internal auditing staff assigned to the project should document their work as appropriate.
- Internal auditing staff will obtain background information concerning the area in which the work will be performed.
- Internal auditing staff assigned to the project will prepare a memo, which requires the signatures of the assigned staff and the CAE. The memo should provide a general description of the project, including:
  o A revised statement of work, if necessary.
  o Summary of background information.
  o Revised estimates of hours and time frame, if necessary.
  o Description of methodologies and types of evidence to be used.
  o Expected impact of work; for example, expected impact on control activities.
  o Other information as appropriate.
- Periodic status reports will be prepared according to a schedule agreed upon by the assigned staff and the CAE. In any case, status reports will be prepared at least every three months.
- At the end of the project, internal auditing staff assigned to the project will prepare a closeout memo. The memo will be reviewed by the CAE. The memo should contain:
  o Discussion of the actual objective if significantly different from the preliminary description of work.
  o Description of scope and methodologies used.
  o Discussion of benefits that resulted from the project.
  o Discussion of any information that can be used in the annual risk assessment.
  o Conclusions, if any, that can be based on work performed.
  o Impact of the project on internal auditing's independence and objectivity.
  o Impact on the objectivity of the staff assigned to the project.
  o Other information as appropriate.
- If issued, any final report or memo will be included in the project file.
- When completed, the project file will be stored in the internal audit activity's workpaper files in order of its assigned project number.


2. When the audit commitment totals less than 40 hours:
- A project file will be maintained. This file should contain documents such as the preliminary statement of work, meeting agendas, notes, and other pertinent information.
- Internal auditing staff assigned to the project should document their work as appropriate.
- At the end of the project, internal auditing staff assigned to the project will prepare a closeout memo which includes:
  o Discussion of the original and actual objectives, if significantly different.
  o Discussion of benefits that resulted from the project.
  o Discussion of any information that can be used in the annual risk assessment.
  o Impact on the objectivity of the staff assigned to the project.
  o Other information as appropriate.
- The closeout memo will be reviewed by the CAE and included in the project file.
- If issued, any final report or memo will be included in the project file.
- When completed, the project file will be stored in the internal audit activity's workpaper files in order of its assigned project number.


Chapter 4: Organizing
Once the chief audit executive (CAE) has been identified, the next step is to develop an organizational plan for the internal auditing activity. The internal auditing charter will establish where the internal auditing activity fits into the overall structure of the organization. The charter will also put into place the elements needed to establish the internal auditing activity as an independent activity that is capable of performing its work objectively, as discussed in the 1100 series of the Standards for the Professional Practice of Internal Auditing (Standards).

"The internal audit activity should be independent, and internal auditors should be objective in performing their work." (Standard 1100)

Independence means the unimpeded determination of scope of work and the unhindered ability to carry out that work.4.1 The most critical element for ensuring auditor objectivity is the organizational independence of the internal audit activity. There is no guarantee that an auditor won't choose to act inappropriately and be influenced in spite of the evidence obtained during an engagement. However, a lack of organizational independence will undermine the appearance, if not the fact, of objectivity. The key to independence is the appropriate placement and status of the internal auditing activity.

"The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities." (Standard 1110)

While the Standards do not identify specific reporting structures for the CAE, it only makes sense that the higher the reporting level, the more independent the internal auditing activity will be. In some organizations, the CAE reports to the chief executive officer. In organizations where this is not the case, the CAE should have direct and unrestricted access to the chief executive officer, including periodic meetings to discuss important findings or issues.

The Practice Advisories related to Standard 1110, along with a research study from The IIA Research Foundation, Independence and Objectivity: A Framework for Internal Auditors, offer some specific guidance on the effective positioning of the internal audit activity:

The Minimum

The CAE should report to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations. (PA 1110-1)



The Ideal

Preferably the CAE should report functionally to the audit committee, board of directors, or other appropriate governing authority, and administratively to the chief executive officer of the organization. (PA 1110-1) It is also preferable that the CAE have direct communication with the board. Direct communication occurs when the CAE regularly attends and participates in meetings of the board. The CAE should meet privately with the board at least annually. (PA 1110-1)

CAE Reporting Relationships (percent of activities, by asset size in US $ billions)

CAE reports to     <1      1 to <5   5 to <10   10 to <20   20+
Audit Committee    42.0    46.8      45.5       55.8        54.9
CEO                13.8    14.3      17.0       14.0        9.8
President          19.2    6.3       8.0        3.5         5.3
CFO                17.0    20.6      25.0       18.6        15.8
Controller         0.9     3.2       1.1        4.7         0.8
Other              7.1     8.7       3.4        3.5         13.5

Source: GAIN Report, page ca5

"The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results." (Standard 1110.A1)

As a general rule, the internal audit activity should be organized in a way that affords it a higher organizational status as its role expands and more parties inside and outside the organization derive assurance from its work. Internal auditing activities with a narrowly defined role may report to an appropriate lower level of management, as long as the placement assures that the audit staff will obtain cooperation from the activity being reviewed and have unrestricted access to required information. For example, an internal audit activity with a broad assurance and consulting role should report directly to the governing board of the organization, and more specifically to the audit committee of the board or other similar body. However, if the internal audit activity provides assurance only to top management, it requires an organizational status that ensures cooperation by, and autonomy from, lower-level management. In these situations, the CAE can report to the chief executive officer with little or no direct access to the organization's board or governing body.

Further Enhancing Independence

The independence and objectivity of the internal audit activity are further enhanced when:
- The CAE has unrestricted access to the board.
- The board is involved in decisions to hire or remove the CAE.
- The board takes part in drafting the internal audit charter.
- The board influences the budget for and scope of internal audit activities.
- The board is actively involved in oversight, review, and monitoring of audit activities.

Maintaining/Preserving Objectivity

The Standards now define the customer base for audit activity services as comprising two groups: the board, senior management, and external third parties on the one hand, and operating and line management on the other. As a result, internal auditors can no longer rely solely on their reporting relationship to the first group to satisfy the expectations of their customers in the second group. Operating and line management need to be assured that internal auditors can be objective.

The Standards define objectivity as an unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and in the fact that no significant quality compromises have been made. They also state that objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. Objectivity means that, given appropriate audit scope and professionalism, relevant and sufficient evidential matter will be effectively analyzed and results will be completely and honestly reported to the appropriate parties, without the auditor's judgment being skewed. Maintaining an impartial state of mind and avoiding conflicts of interest are requirements if any value is going to be gained from internal audit work. Without them, internal audit services will fail to deliver the reliable and trustworthy information customers need.

There are several steps that can be taken to ensure objectivity (PA 1120-1):
- The CAE should query the internal audit staff periodically concerning potential conflicts of interest and biases.
- Staff assignments should be periodically rotated.
- Audit work should be reviewed by supervision to assure that the work was performed objectively before communicating results.
- Internal auditors should not accept fees or gifts from employees, customers, suppliers, or business associates.
- Internal auditors should not be placed in situations where they may feel unable to provide objective, professional judgments.4.2



Dealing with Impairments

The Standards recognize that the expectations and demands placed upon the internal auditing activity may at times result in organizational independence and individual objectivity not being achieved, at least in appearance if not in fact. For example, internal auditors from small shops who have been involved in problem-solving or process improvement projects with line management may have no choice but to review areas where they have had prior operational input. Auditors may be asked to develop operating policies and procedures in areas where controls have been found to be weak during an audit. Auditors might, because of some expertise or experience, be asked to temporarily assume an operations role. Article 4-1 provides several guidelines from Practice Advisory 1130.A1-2 that should be considered by internal auditors when they are asked to accept responsibility for non-audit functions.

Article 4-1: Internal Audit Responsibility for Non-Audit Functions (4-3)

As a general rule, internal auditors should not assume operating responsibilities or oversee other non-audit functions or duties that are subject to periodic internal audit assessments. However, as organizations are pressured to develop more efficient and effective operations using fewer resources, internal auditors cannot always avoid such situations. The following guidelines from Practice Advisory 1130.A1-2 present several factors that internal auditors might want to consider when asked to accept responsibility for a non-audit function:
- If management directs internal auditors to perform non-audit work, it should be understood that they are not functioning as internal auditors.
- Expectations of stakeholders, including regulatory or legal requirements, should be evaluated and assessed in relation to the potential impairment. In other words, the third parties who rely upon internal auditing's objective assurance should be aware of the audit activity's participation in non-audit work.
- If the internal audit charter contains specific restrictions or limiting language regarding the assignment of non-audit functions to the internal auditor, then these restrictions should be disclosed and discussed with management, and subsequently with the audit committee or other governing body if management insists on the assignment anyway.
- The impact of the assignment of non-audit work on independence and objectivity should be discussed with management, the audit committee, and other appropriate stakeholders.
- A determination should be made regarding a number of issues, some of which affect one another:
  o The significance of the operational function to the organization (in terms of revenue, expenses, reputation, and influence) should be evaluated.
  o The length or duration of the assignment and scope of responsibility should be evaluated.
  o Adequacy of separation of duties should be evaluated.
  o The potential impairment to objectivity or independence, or the appearance of such impairment, should be considered when reporting audit results.

- When the time comes to audit the operation, impairment to objectivity can be minimized by asking a contracted, third-party entity or external auditors to conduct the review. If the internal audit activity performs the review, individual auditors with operational responsibility for the area should not participate in the audit of the operation. Whenever possible, auditors conducting the assessment should be supervised by, and report the results of the assessment to, those whose independence and objectivity are not impaired.
- Disclosure should be made regarding the operational responsibilities of the auditor, the significance of the operation to the organization (in terms of revenue, expenses, or other pertinent information), and the relationship of those who audited the function to the auditor assuming an operational role. Disclosure of the auditor's operational responsibilities should be made in the related audit report and in the auditor's standard communication to the audit committee or other governing body.

While these pronouncements are in no way mandatory or exhaustive, they should provide useful advice for auditors grappling with the issue of assuming operational responsibilities.


Chapter 5: Staffing
One of the most significant challenges in establishing an effective internal audit activity is the need to attract, develop, and retain highly specialized and qualified staff. The internal audit activity must be staffed with qualified and competent individuals. This chapter discusses different staffing strategies; the knowledge, skills, and academic disciplines that the audit staff should have; the importance of staff training and development; and the Code of Ethics.

"Engagements should be performed with proficiency and due professional care." (Standard 1200)

"Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities." (Standard 1210)

Position Descriptions/Staffing Levels

While the audit charter or policy statement establishes the role and responsibility of the internal audit activity, a capable staff is necessary to carry out these responsibilities. The first step in getting the right staff is to develop position descriptions. Position descriptions simplify recruiting efforts by communicating specific requirements and expectations and by establishing what is desired of the best candidates. Initially there may be a small staff of auditors reporting to the CAE, or the CAE may be the only auditor. As the audit function gains greater acceptance by management, the audit coverage desired will expand, necessitating an increase in staff.

The IIA has a program called the Global Auditing Information Network (GAIN) that is recognized as the leader in benchmarking services for the internal auditing profession. In its database, GAIN has information on almost 600 internal auditing departments and activities across 13 different industry groups. The GAIN staff uses this database to research and publish reports on a wide variety of internal auditing subjects for its subscribers. Subscribers can get reports by industry, specialty groups, and custom groupings, and the results of Flash Surveys on current topics. Financial size (assets or revenues) and the number of employees are the two elements found to correlate most frequently with the staffing size of an internal audit activity by industry. While averages from all the organizations in the GAIN database should be used with caution when making decisions on staffing levels, the following ratios might serve as a starting point for establishing initial staffing levels.


Average Audit Staff & Costs by Revenue and Asset Size

                    Revenue                 Assets
US $ Billions       Auditors   Cost %       Auditors   Cost %
<1                  4          0.1215       9          0.1544
1 to <2             10         0.0655       38         0.0802
2 to <3             11         0.0481       28         0.0672
3 to <4             16         0.0556       41         0.0789
4 to <5             14         0.0394       13         0.0305
5 to <10            25         0.0391       69         0.0741
10 to <40           53         0.0346       97         0.0539
40 or more          172        0.0271       171        0.0288

Cost % = annual internal audit total costs as a percentage of revenue or asset size.

Source: GAIN Report, pages P7a & P8a

There are many things that can influence the size of an audit staff. The data in the GAIN database supports the fact that there can be large differences in staff sizes between industries, and between organizations in the public and private sectors of the economy. These and other factors, including what management believes is appropriate, will affect the staffing decisions for an internal auditing activity. Sufficient time needs to be included in the plan for securing and training competent staff. Even experienced auditors, when new to an organization, need a period of orientation and training before they can become fully effective.

As the staff size increases, the organizational structure of the activity will need to change. When the number of people reporting directly to the CAE becomes too large to supervise effectively, a reporting hierarchy will need to be established. The size of the activity will determine the hierarchy of the department that will need to be staffed. The typical position levels found in an internal audit activity include the CAE, manager, supervisor, senior, and staff auditors. (Exhibits 3-1, 5-1, 5-2, 5-3, and 5-4 are examples of position descriptions for these positions.) One of the keys to competent and reliable audit work is supervision. For this reason it is important that an appropriate supervisory span of control be established. Supervisors should not be expected to supervise more than four to six staff professionals. Supervisors are an important part of ensuring that the staff conducts quality assurance work and competent consulting engagements.

Staff Knowledge and Skills

The broad scope of internal auditing work makes it almost impossible for any one individual to be knowledgeable and competent in all areas. However, the audit staff as a whole needs to have the knowledge, skills, and discipline necessary to carry out whatever audit engagements it undertakes. Individual auditors should be proficient or have a working knowledge of certain subjects and an understanding of others. The Standards describe what is applicable in Practice Advisory 1210-1: Proficiency.

1. Each internal auditor should possess certain knowledge, skills, and other competencies:
- Proficiency in applying internal auditing standards, procedures, and techniques is required in performing internal audits. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance.
- Proficiency in accounting principles and techniques is required of auditors who work extensively within financial records and reports.
- An understanding of management principles is required to recognize and evaluate the materiality and significance of deviations from good business practices. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions.
- An appreciation is required of the fundamentals of such subjects as accounting, economics, commercial law, taxation, finance, quantitative methods, and information technology. An appreciation means the ability to recognize the existence of problems or potential problems and to determine the further research to be undertaken or the assistance to be obtained.

2. Internal auditors should be skilled in dealing with people and in communicating effectively. Internal auditors should understand human relations and maintain satisfactory relationships with engagement clients.

3. Internal auditors should be skilled in oral and written communications so that they can clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations.

4. The chief audit executive should establish suitable criteria of education and experience for filling internal audit positions, giving due consideration to scope of work and level of responsibility. Reasonable assurance should be obtained as to each prospective auditor's qualifications and proficiency.

5. The internal audit staff should collectively possess the knowledge and skills essential to the practice of the profession within the organization.



For internal auditors, education is important in developing the knowledge, skills, and disciplines necessary for establishing and maintaining technical proficiency. These are then sharpened by actual audit experience. Education and experience in the fundamental subjects outlined in Practice Advisory 1210-1 above are important.

Auditor Education Levels by Industry (percentages)

Industry                 Associates   Bachelor   Master   PhD   None
Agri/Mining/Construct    7            63         24       2     4
Petroleum                1            84         15       0     0
Wholesale/Retail         7            73         19       1     1
Chemical/Drug            2            87         11       0     0
Manufacturing            0            59         39       2     0
Educational Institution  1            67         29       1     2
Transportation           5            65         30       1     1
Communications           22           53         21       6     2
Bank/Financial           9            54         25       3     10
Utilities                3            69         26       1     2
Insurance                8            69         21       0     1
Services                 3            70         22       0     4
Government               3            64         28       4     2

Source: GAIN Report, page st1

Auditor Experience Levels by Industry

Industry                 Total Years Professional*
Agri/Mining/Construct    17.7
Petroleum                15.7
Wholesale/Retail         12.9
Chemical/Drug            12.5
Manufacturing            14.3
Educational Institution  18.6
Transportation           14.4
Communications           14.0
Bank/Financial           15.9
Utilities                17.1
Insurance                14.4
Services                 15.8
Government               22.4

*Professional experience includes internal audit, public accounting, and other.

Source: GAIN Report, page st4

A third indicator of technical proficiency is whether an individual possesses, or is working toward, an accreditation. The broadest and most applicable certification to the practice of internal auditing is the Certified Internal Auditor (CIA) certification. The accreditation, sponsored by The IIA, is awarded to individuals who meet specific educational, experience, and character requirements. Individuals must also pass a written examination designed specifically to test a broad area of technical knowledge and related skills. The IIA also offers specialty certifications that include Certification in Control Self-Assessment (CCSA), Certified Government Auditing Professional (CGAP), and Certified Financial Services Auditor (CFSA). These certifications test more specialized knowledge areas and are a complement to the CIA. Other certifications that have been recognized as showing technical proficiency useful in internal auditing include Certified Public Accountant (CPA), sponsored by the American Institute of Certified Public Accountants, and Certified Management Accountant (CMA), sponsored by the Institute of Management Accountants. Although more narrowly focused, the list also should include Certified Information Systems Auditor (CISA), sponsored by the Information Systems Audit and Control Association, and Certified Fraud Examiner (CFE), sponsored by the Association of Certified Fraud Examiners.

Professional Designation Mix for All Staff (percent)

CBA/CFSA/CFE   7.6
CIA/MIIA       16.4
CISA/QiCA      12.4
CMA/CIMA       2.8
CPA/CA         26.4
Other          18.7

Source: GAIN Report, page st7

Besides the educational fundamentals outlined in the Standards, adaptability, determination, integrity, and communication should also be considered when hiring staff. These are characteristics that will serve the staff well as they work to develop the activity's integrity and credibility. Internal auditors must be able to deal successfully with diversity. Each audit assignment will require the auditor to interact with different groups of people, different terminology and jargon, varying operating management attitudes, and different levels of cooperation and understanding from audit customers. Internal auditors need to be determined and disciplined. They must be willing to work long and hard to establish the facts and to support their opinions and recommendations with documented, relevant, and sufficient evidence that has been effectively analyzed and completely and honestly reported.



The integrity of an internal auditor must be above question. A reputation for dealing only in facts, placed in perspective and viewed objectively, is an absolute requirement for any staff member. Personal opinions based on individual experience or gut feeling should never be the basis for findings and recommendations. These qualities must be linked with the ability to communicate both orally and in writing. Staff communications must display a strong, positive mental attitude that sells both audit recommendations and the audit process. The efforts of the most technically proficient auditor are lost if audit findings and recommendations cannot be effectively communicated.

Individuals at progressively higher levels of responsibility within the internal audit activity should have an appropriate level of experience that includes supervisory, administrative, and leadership skills. The staff should be composed of a blend of individuals with progressive levels of experience. This helps to ensure adequate supervision, effective leadership, and attention to staff development. All are necessary if internal auditors are going to be looked upon as having the credibility needed to evaluate and make recommendations to management on risk management, control, and governance processes.

Staffing Strategies

There are two broad approaches to staffing the internal audit activity. The first is the traditional in-house staffing model, where the internal audit activity is performed by an independent entity that is an integral part of the organization and which functions under the policies established by senior management and the board. The second is the outsourcing or partnering agreement model, where an outside provider performs a significant amount of internal auditing work, while management retains overall responsibility for the risk analysis, scope, and frequency of audit work.
It is important to remember that internal auditing is designed to serve the organization. Whether it is staffed internally or through an outside provider, it is the responsibility of management and the board to provide effective oversight and management of the internal auditing activity. There are a number of arguments supporting the use of in-house staffing as well as a number of arguments supporting the use of outsourcing. While there is no right answer, there are a number of factors that need to be considered by management and the CAE in deciding which direction to take. In-house Staffing 5.1 The IIAs perspective has consistently been that a professionally competent staff, housed internally within the organization, provides a unique and valuable service to the organization. The IIA also believes that legitimate challenges to prove the performance of value-added services by external providers can be effective in improving the overall performance of auditing just as market forces improve other activities. When analyzing

The Institute of Internal Auditors

Staffing 41
the strategic advantages of an internally housed internal audit activity, The IIA believes the following arguments need to be considered:

Over Time, Outsourcing Providers May Command an Ever-greater Premium for Their Services. The argument is that the organization becomes dependent on the outside provider as the provider gains more institutional knowledge about the organization. The counterarguments are that (a) there are other outside providers, (b) long-term pricing agreements can be reached, and (c) there is evidence that internal auditing can be reintroduced into an organization. However, management should consider both long-run and short-run costs when making a sourcing decision.

An External Provider Won't Know the Business as Well as an Internal Auditing Activity. Internal auditors develop a unique perspective of the organization. An internal auditing activity is often staffed with individuals from other parts of the organization who have developed a broad perspective of the organization and an institutional knowledge of its culture. The internal auditing activity (as well as its individual staff members) retains individual accountability for actions and recommendations.

A Valuable Management Training Ground Is Lost. Many internal auditing activities have served as a significant source of future managers in their organizations. Internal auditing exposes talented individuals to significant strategic operations and controls of the organization. This breadth and depth of knowledge prepares them for future management positions.

The Outsourcing Employee's Allegiance Is to the Outsourcing Provider, Not the Client. The internal auditor's primary allegiance is to the organization. In-house auditors must consider the ramifications of findings and recommendations on the total organization, since they must live with those recommendations.

Corporate Governance Is a Management Function that Cannot Be Outsourced.
Management must provide oversight of the internal auditing activity whether it is housed internally or externally. Many believe that a fundamental part of management is oversight of the organization's internal control system, which in turn is seen as an integral part of the corporate governance structure. Thus, it is argued, since internal auditing is a key element of an effective internal control system, it cannot be outsourced. The counterargument is that management must always retain oversight of the activity, even if it is outsourced, and therefore is not outsourcing a key control.

Institutional Knowledge May Be Lost. Internal auditors have a unique perspective gained through their ability to see all parts of an organization. In fact, it is this broad integration that gives the profession its uniqueness and enhances its ability to add value to the organization, whether that value lies in improvement of the control system or in the identification of operational risks and potential solutions. Even with audit staff turnover, much of this institutional knowledge is retained within the organization.



Management and the Audit Committee Lose an Objective Source of Information. Both internal and external auditors fill valuable roles in providing information to management and the audit committee. However, when one firm fills both of these functions, it is argued that management and the audit committee lose a second, unbiased viewpoint. Worse, it is argued that the audit committee potentially loses another objective set of eyes looking at management.

Structure May Replace Internal Knowledge. Outsourcing providers face major challenges, one of which is to provide consistent training to staff personnel with varied backgrounds and abilities. There is a danger that organizational knowledge gained by an in-house internal auditor will be lost when an external provider, who has been trained in a particular approach, attempts to analyze all problems in the same way. For example, one external provider's risk analysis approach may not fit a particular organizational climate.

Optimum Internal Auditing Activity May Work Best. A properly sized internal auditing activity with the ability to employ outside service providers as needed may be more economical, efficient, effective, and responsive to organization needs than one that is totally outsourced.

Staff Advancement Models

In-house staffing strategies will need to provide the staff an opportunity to advance either within the auditing activity or within the organization. The approach used will also affect the sources from which staff candidates can best be recruited. The two most common staff advancement models are the core competency model and the management migration model. There are advantages and disadvantages to each. Before deciding which to use, the CAE will need to assess which model best meets the needs of the organization and which model management is willing to support.
Core Competency Model

The Core Competency Model requires organizations to carefully identify and define the essential core competencies that will give their professionals the opportunity to create value in their organizations.

Advantages:
1. Specific audit skills can be identified and highly developed within the staff.
2. The high experience level of the staff allows a broad range of audit services to be available to management.

3. Audit management gets firsthand experience with the capabilities of staff members before assigning them progressively higher levels of responsibility.
4. As individual staff members progress up the internal auditing hierarchy, they can teach others.
5. The application of audit methods and techniques can be consistent.

Disadvantages:
1. The audit activity must be large enough to provide career growth to higher levels of skill and responsibility. If advancement opportunities are not available, the work becomes uninteresting, or the staff no longer feel challenged, they will become bored and leave.
2. Audit staff may become too specialized, even within the activity. If staff members become too specialized, they may find their skills are not readily adaptable to higher levels of responsibility.
3. The staff may become in-bred with audit methods and techniques, making it difficult to introduce new approaches and ideas to the activity.
4. Audit staff may become complacent as repetitive reviews begin to foster a "let's get along and not rock the boat" attitude with audit customers.

A core competency strategy can have all of the advantages and few of the disadvantages noted if the CAE can provide challenging audit assignments and clear opportunities to advance within the activity based on demonstrated performance. Small audit activities in small to medium-size organizations in slow-growth industries will find this difficult to accomplish.

Management Migration Model

The Management Migration Model is a rotational model built on the premise that talented professionals will migrate to line management positions.

Advantages:
1. The audit activity does not have to be large to provide career paths to higher levels of skill and responsibility. Turnover keeps the work from becoming uninteresting and boring.
2. The audit staff receives a broad general exposure to different areas of the organization in a short period of time.



3. The rotation of people through the activity allows the injection of fresh viewpoints into routine/recurring audit procedures.
4. The staff are able to identify areas in the organization where they have a strong career interest.
5. The audit staff focuses on demonstrating to audit customer management what they can contribute.

Disadvantages:
1. There is a constant need for staff training and development.
2. The need for supervision is greater, to ensure that the work is consistent and effective.
3. Objectivity may be impaired, as audit staff may be partial toward audit customers in areas where they have a career interest.
4. The range of audit services is limited because of the low overall experience level of the staff.
5. Audit management will not have much firsthand experience with the skills of individual auditors.

The disadvantages of the management migration strategy can be mitigated if audit management provides higher levels of quality supervision and invests heavily in constant training and staff development. The advantages of this approach depend on the ability to attract talented, capable people who can consistently be placed in other areas of the organization.

Each CAE must assess the approach that best suits the staffing needs of the organization. In industries where management is dominated by specialized disciplines, such as engineering, medicine, education, or government, the skill set of internal auditors may not be transferable to other areas. These organizations will want to adopt the core competency model. In other industries where internal audit skills are more closely aligned with the skills used elsewhere in the organization, such as banking, insurance, and finance, the management migration model would work well.

However, these two strategies do not have to be mutually exclusive. Many organizations have leveraged elements of both models in their staffing plans. One approach has been to staff manager and supervisor positions with individuals who want to pursue a professional internal audit career path within the organization. This provides a stable and experienced level of professional internal audit supervision within the activity. The audit staff and audit senior positions can then be staffed from either inside or outside the organization, with the intention that these people will be placed in other positions within the organization after 18 months to two years. There are challenges to this approach, but the benefits are clear. Probably the biggest challenge is to create and maintain the image of internal audit as an activity that can

provide career development opportunities. Another challenge is to successfully market the internal audit activity to management as a source of talented people for filling positions in other areas.

Whatever the approach to staffing, management will need to support the staffing level and provide competitive salary levels if people with the right kind of skills and experience are to be obtained. Too few staff will leave no time available for training and development and no opportunities for advancement.

Outsourcing Staff 5.2

Outsourcing Allows Management to Focus on Core Competencies. The argument is that outsourcing frees audit management to focus on pursuing more strategic objectives instead of on the day-to-day activities that tend to take a great deal of time with lower payback.

Economies of Scale Should Result in Cost Savings for the Same Services, or Improved Services for the Same Costs. Some outsourcing providers can bring geographic coverage and improved technology to assist organizations in dealing with increasingly complex and diverse business issues. Outsourcing providers argue that they develop products and computerized audit approaches that can be spread across many clients, thereby keeping costs below what an in-house internal auditing activity would incur in developing the same service. Research shows that the actual evidence on cost savings is mixed and should be carefully evaluated by management.

Flexibility in Staffing Leads to Better Resource Allocation. It is argued that outsourcing allows the organization to take advantage of help when it is needed without having to pay for it when it is not. The counterargument is that an existing internal auditing activity could accomplish the same objective with a flexible budget.

Access to Leading Practices. The argument is that the outside provider has access to a broad array of other companies' practices and can bring those best practices into the organization.
Outside providers are also in a position to perform benchmarking and give advice on best practices.

A Clear Customer Focus. The introduction of market discipline creates a customer focus that may be lacking within existing internal activities. Even if the activity is not outsourced, the discipline of having internal activities compete to retain the function in-house should improve cost effectiveness. It is further argued that management may make better decisions because they consider the cost of each service rather than viewing internal auditing as a fixed cost.

Better International and Cultural Coverage. Large international firms have locations around the world staffed by individuals from the host country. Use of these firms to provide internal auditing coverage, either in conjunction with the internal auditing function or under a full outsourcing agreement,



should lead to efficiencies due to (a) savings in travel costs, (b) improved language skills, and (c) better understanding of the existing culture.

Better Access to, and Use of, Specialized Skills. One of the hallmarks of world-class companies is that they invest heavily in personnel training. It is argued that the outsourcing provider can invest in training to develop expertise that can be used across a number of clients. The expert should be more efficient, and the outside provider funds the continuing investment in training.

Organizational Size. Virtually every organization will attain value from an internal auditing function. However, smaller organizations find it difficult to build sufficient expertise in a one- or two-person internal auditing activity. An outsourcing provider can effectively analyze risks and provide management with a menu of risk items to address in a particular year. The organization can purchase whatever specialized skills it needs from the outsourcing provider.

Information Systems Audit Skills. Technology is an integral part of most organizations. External providers have been effective in building expertise in technology niches and can provide these services to organizations at competitive rates.

Co-sourcing

Co-sourcing differs from outsourcing in that its purpose is to extend the activity's core competencies, not to outsource them. This can be an effective strategy if the projects are carefully chosen and the vendors have the right skills and can fit into the culture of the organization with a minimum of disruption. Typically the best candidates for co-sourcing are projects that require skills and expertise that are not available in-house. There may also be some added assurance in co-sourcing with prestigious national accounting or consulting firms on high-profile projects. Choosing the right vendor is as important as choosing the right project.
Some of the questions that should be asked in selecting the right vendor are:
- Can the vendor provide the skills that are required for the project?
- Is the vendor really knowledgeable about the industry?
- Can the vendor and his or her people move in and out of the organization's culture with a minimum of disruption?
- What is the vendor's reputation?
- Is the vendor interested in doing a good job on this project, or more interested in selling additional services?

A single vendor will not always have all the skills that a particular project demands, so it pays to shop around and compare. Like other staffing strategies, co-sourcing comes with advantages and disadvantages.

Advantages:
- Vendors frequently have skills and experience that are not practical for many organizations to develop in-house.
- Outsiders can bring a fresh perspective to projects.
- Partnering co-source staff with in-house staff can broaden the knowledge and skills of the in-house staff and be important for career development.
- If the project gets off track, or the vendor does not appear to have the necessary skills to complete the project, it is easier to remove a vendor than it is to remove an employee.

Disadvantages:
- It may be difficult to be sure of the quality of the people who will be working on the project until there has been some experience with their work.
- The in-house staff may resent the use of high-cost vendors on a project they feel they could perform themselves.
- The time and effort to plan, identify, and supervise a vendor on a project may be costly.
- The vendor's staff may not fit well with the unique culture of the organization and may do more harm than good to the activity's image and reputation with its customers.

5.3 Above all, it is important to remember that when an internal audit activity hires a co-source vendor, it needs to be specific about what the vendor is expected to deliver and be prepared to supervise the work. Internal audit activities that plan and manage co-sourcing projects well will be able to add value to their organizations by broadening the range of services they can offer.

Extent of Co-sourcing

Extent of co-sourcing    General    IT/IS
100%                      1.00%     4.40%
>50%                      2.70%     5.60%
>25%                      6.70%     7.00%
Some                     44.60%    36.30%
None                     42.10%    43.20%

Source: GAIN Report, page P9

Staff Sources

There are many sources for qualified internal audit staff candidates. Some sources provide experienced individuals; others provide raw, basic-skilled individuals who will need training.



Colleges & Universities

These institutions can provide the talent upon which an internal audit activity can build. The IIA sponsors Endorsed Internal Auditing Programs (EIAP) at colleges and universities that offer quality internal audit undergraduate and/or graduate-level programs on a continuing basis. There are EIAP schools throughout the United States, plus additional EIAP schools in France, Jordan, Lebanon, the Netherlands, Norway, Saudi Arabia, South Africa, Switzerland, Thailand, and the United Kingdom. EIAP schools offer a curriculum of study in internal-audit-related disciplines with at least two courses in internal auditing, each offered at least once a year.

There are two approaches to identifying college and university candidates. One is direct recruiting, by building a relationship between the organization and the business school of a local college or university. Educational institutions are frequently looking for support from business organizations that are willing to make presentations on career opportunities in various industries and professions and possibly provide summer job opportunities for their students. This kind of support gives organizations an opportunity to identify graduates in whom they may have an interest. The second method is through internship programs. Some institutions participate in internship programs with local organizations. These internships are an excellent means of identifying bright, capable students who may become good candidates for internal audit positions upon graduation. Internship programs may also be an ideal low-cost way for organizations to increase their audit resources. While student interns require more supervision because they do not have fully developed skills, their use for less complex audit work frees experienced audit staff for more complex audit tasks.
Certified Public Accountants (CPAs)

Frequently, strong candidates can be found among individuals serving an apprenticeship with a public accounting firm. If career potential for individuals joining the internal audit activity can be shown, advertisements in professional accounting journals may attract the attention of CPAs ready to move into industry. Sometimes an organization's external auditing firm can recommend people from its own staff who are looking to move into industry. Organizations can usually benefit from the investment that most CPA firms have made in the training and development of their own staffs. Clearly, not everyone can or wants to become a partner in a CPA firm, so firms expect that they will have staff turnover; being able to place people into other opportunities helps their future recruiting efforts.

Within the Organization

Working with management and the personnel/human resource activity of an organization may also help identify sources of internal audit candidates. This recruiting approach frequently affords a first-hand look at a prospective candidate within a working environment. These candidates are already familiar with the organization, its policies and procedures, and its management structure. This familiarity can reduce initial training time and costs and help build credibility with other areas.

Professional Associations

Local chapters of The Institute of Internal Auditors, the American Institute of Certified Public Accountants, the National Association of Accountants, the Information Systems Audit and Control Association, and the Financial Executives Institute are all sources of internal audit candidates. If there are local chapters of these organizations, they will usually have a newsletter that accepts advertisements for open positions. The national organizations of these groups also have professional journals that accept advertisements for position openings. Internal Auditor, the professional journal of The Institute of Internal Auditors, is delivered to over 35,000 internal auditors throughout the world. Attendance at regional and national conferences sponsored by The IIA can also serve as an opportunity to identify candidates.

Placement and Recruiting Firms

There are several firms, some with national affiliations, that specialize in locating and recruiting candidates for specific professions. These firms have various fee structures, the majority usually charging between 15 percent and 25 percent of the candidate's starting salary. There may be firms that your organization already uses for recruiting for other positions that may be helpful in locating internal audit candidates. It is a good idea to ask about fee rebates for employees who do not stay beyond an initial period, usually six months. Also obtain some assurance that your activity's current staff will not become the target of recruiting for other organizations.

Continuing Education

Every auditor should have the opportunity to advance his/her level of skill and responsibility. Continuing education is good for both the audit staff and the internal audit activity. This is why the internal auditing activity needs a training program that provides the staff with the means to learn new methods and develop new skills.
Training programs should have as their main goal the achievement of both individual staff goals and objectives and the goals and objectives of the internal audit activity. To achieve this, training should be a continuing program, not just an occasional seminar. A continuing program should provide for senior auditors to be assigned for a period of time to supervisory positions, and for supervisors to be assigned a manager's responsibilities. This lets staff learn firsthand the skills and responsibilities required of the positions above them. The skills and experience of each staff member should be formally assessed, and training objectives established and reviewed at least annually. The attainment of these training objectives should be part of a staff member's performance review and evaluation.

It is important to any continuing training program that the staff be aware that the CAE supports it. The staff needs to believe that the CAE expects them to continue to improve their skills and abilities. The CAE can encourage this by:
- Setting aside, within the annual audit plan, specific hours for staff training.



- Budgeting an appropriate amount of money to be spent on training seminars and courses each year, and spending the money.
- Asking staff members to document their plan to improve their skills and knowledge each year.
- Supporting and promoting opportunities for people who continue to improve and develop their knowledge and skills.
- Maintaining catalogs of seminars and extension courses for both in-house and outside training.
- Developing recognition programs with incentives for staff who are working on or have obtained advanced degrees and professional certifications.

The IIA, like the other professional organizations mentioned previously, provides numerous training seminars and conferences each year. Internal Auditor is a source of information through its many articles on internal auditing. The IIA has many publications and study courses relating to internal auditing available at www.theiia.org. Joining the local IIA chapter and attending meetings can also provide opportunities to hear speakers on auditing and related topics.

The Code of Ethics

New members of an internal audit staff should be made aware of their ethical responsibilities. Internal auditors and the auditing profession have a special relationship with management and the board. This relationship requires the highest standards of competency, morality, and dignity. In June 2000, The IIA Board of Directors adopted a new Code of Ethics (Exhibit 1-2). Compliance with the concepts enunciated in the Mandatory Guidance is essential before the responsibilities of internal auditors can be met. As stated in the Code of Ethics, internal auditors shall perform internal audit services in accordance with the Standards.


Chapter 6: Directing
Once the internal audit activity has been planned, organized, and staffed, the chief audit executive (CAE) needs to direct and manage its activities. This means dealing with administrative issues such as audit planning, resource management, operating policies and procedures, coordination of work, and quality assurance. This chapter provides guidance on how the CAE can effectively manage the internal audit activity.

The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization. (Standard 2000)

The Audit Plan

Establishing a plan for performing internal audit work is a primary responsibility of the CAE. The planning process includes establishing goals, developing work schedules, establishing staffing plans and financial budgets, and distributing status reports on the progress of activities. The audit plan should be consistent with the internal audit charter and with the goals of the organization.

The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals. (Standard 2010)

The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process. (Standard 2010.A1)

The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Those engagements that have been accepted should be included in the plan. (Standard 2110.C1)

The Audit Planning Process

Audit planning should be based on an assessment of the risks and exposures that may affect the organization, and should be done annually in order to reflect the most current strategies and direction of the organization.
The best way to add value to an organization is to make sure the risk assessment, and the plan developed from it, reflect the overall objectives of the organization. Risk assessments need to include input from management. One way to accomplish this is to study the organization's strategic plan and then discuss with management where the risks to achieving the objectives in the plan lie. The overall objective of an internal audit activity is to provide management with information that lessens the negative consequences associated with accomplishing an organization's objectives. Implementing control activities in areas where the risks are high can mitigate the risk of the organization not accomplishing its goals. A risk-based audit plan ensures that audit activities are focused on those areas where the risk or materiality of exposure is greatest.


There are a number of risk models that can help the CAE prioritize potential audit projects. The basic audit planning process consists of two phases: the assessment of business risk and the allocation of audit resources. The first phase, assessing business risk, focuses on:
- Defining an auditable unit.
- Establishing the audit universe.
- Establishing the risk criteria.
- Constructing the risk model.
- Ranking the audit universe.

The annual audit plan can then be developed to reflect the results of the risk assessment model and the selection policy. The risk assessment model and the selection policy will enable the internal audit activity to define, identify, and set priorities for audit risk annually, or more frequently if business conditions dictate. Procedures will need to be established to update the model after each audit so that it can be the foundation for an integrated approach to audit projects.

Risk Assessment

Risk assessment is the process of identifying the possibility that events will occur that will be harmful to the organization and/or detrimental to the achievement of the organization's goals. Risk assessment is the most critical phase of audit planning. The task of collecting the data can also be very time consuming, but the benefits to be gained are usually in direct proportion to the effort expended. Keep in mind that audit plans are subjective. A risk assessment and audit planning methodology is a structured approach to a subjective process. Even the most sophisticated risk assessment and planning models are the product of value judgments. The key to good audit planning is to develop a methodology that will produce a plan that reflects management's concerns.

Defining an Auditable Unit

The first step in the risk assessment process is to define the auditable units. An auditable unit is simply the subject or business process that becomes the audit entity.
A business process is any combination of transactions, systems, processes, or interfaces that constitutes a logical process; examples are payroll, purchasing, and accounts payable. While auditable units can be defined as individual applications, companies, or business units, each of these approaches either limits the scope of an audit project or broadens it beyond what can reasonably be managed. Defining the audit universe as a group of business processes matches the view management takes in identifying where it typically has concerns.

Establishing the Audit Universe

To provide flexibility, and to limit the scope of an audit project to a manageable size, subunits can be identified. While there may be a temptation to identify audit units by the specialized skills necessary to do the work, this should be avoided. Determine the skill set

needed for an audit project after the individual objectives for the audit are defined. Business processes that are heavily dependent upon information technology will require the auditors performing the work to examine the controls that the technology depends upon.

After compiling a list of major auditable units and subunits, identify a number for planning purposes that represents the hours that will be allocated for auditing each auditable unit. Do not spend much time trying to refine the estimated hours for each auditable unit. The hours estimated for each unit should include time for conducting the preliminary survey, developing the audit program, performing the fieldwork, and communicating the results of the review to management. It is appropriate for planning purposes to pick a number that best reflects what the average audit will take. A better estimate can be developed after the preliminary survey work is completed for individual audit projects.

Keep in mind that audit projects should be able to be completed within a time frame that allows the reports to be presented at each audit committee meeting. Based on a 40-hour workweek, there are 2080 total staff hours available per year. After subtracting 25% of the hours for holidays, sick leave, training, staff meetings, etc., that leaves 1560 staff hours available per year for audit projects. Dividing this by four gives 390 staff hours per quarter for audit projects. If the audit committee meets quarterly, then 350 hours per project would be a good planning number to use. The longer an audit project goes on, the harder it is to manage. The more hours an audit project consumes, the higher the expectation from management and the audit committee that it will add value. This in turn increases the pressure on the auditors to find something of value on which to make a recommendation. It is more effective to do two 350-hour audits than one 700-hour audit.
Remember, the work will expand to fill the time allocated for the project.

Defining the Risk Criteria

The most workable model is one that uses enough items to be descriptive of risk without being cumbersome. Keep the model simple. The following eight criteria (six subjective and two objective) should give an adequate assessment of risk for audit planning purposes. While this approach may be adequate for some organizations, other criteria may be better suited to others. It is important that management and the audit committee understand and concur with the criteria used to define risk.

Subjective/qualitative criteria:

Control Environment (Weight = 3): Based on the knowledge and experience of internal audit, with considerable input from management.
Prior Audit Findings (Weight = 3): Based on prior external and internal audit work.
Management/Interest Concern (Weight = 4): Based on specific requests from management.
Comfort with Operations Management (Weight = 2): Based on experience with the management in place.
Changes (Weight = 2): Based on whether the business system or process is new.
Asset Sensitivity (Weight = 1): Based on whether assets are high turnover, mobile, easily convertible to cash, etc.

Objective/quantitative criteria:

Size (Weight = 2): Size may be revenues, assets, expenses, or whatever is appropriate for the process.
Date Last Audited (Weight = 2)

Each criterion is assigned a weight that establishes its importance relative to the other criteria. Qualitative criteria are frequently emphasized by weighting them as much as three times more heavily than the quantitative criteria. In the example above, Management/Interest Concern (Weight = 4) is twice as important as Size (Weight = 2) in determining risk. The weights are purely subjective and, like the criteria themselves, management and the board should understand and concur with them. Additional criteria may be needed at some point to tailor the model to a specific environment, but adding criteria can quickly complicate the evaluation and make it appear convoluted. Every effort should be made to keep the number of criteria below 10.

Constructing the Risk Model

The last step in constructing the risk model is ranking all the auditable items in the universe. Each auditable unit should be evaluated against risk criteria similar to those outlined above, and each criterion rated on a scale. The scale does not have to be complicated; it could be as simple as:

1 = Low risk
2 = Medium risk
3 = High risk

Exhibit 6-1 is an example of a Risk Sampling Strategy.


Exhibit 6-2 is an example of how a risk model spreadsheet would be used to set up this methodology.

Ranking the Audit Universe

The total rating for a unit is the sum of each criterion's weight multiplied by its scale rating. As with any model, the results should be analyzed to see whether they are consistent with what professional judgment would expect. At this point management input is strongly recommended: allowing management to understand the process and to participate will encourage their "buying into" the plan. The audit universe can then be risk ranked by sorting the units from highest to lowest total rating.

The chief audit executive should communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations. (Standard 2020)

Allocating Audit Resources

The second phase, the allocation of audit resources, focuses on establishing a strategy or selection approach that makes the best use of the available audit resources. This requires a risk strategy or selection policy. The simplest approach would be to start at the top of the list with the high-risk audits, but that would make audit coverage narrow.

The chief audit executive should ensure that audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. (Standard 2030)

A risk sampling strategy is one way of getting broader coverage. Divide the risk-ranked audit universe into high-risk (10%), sensitive (20%), moderate (40%), and low-risk (30%) segments based on the total number of auditable units. Plan to audit 100% of the high-risk segment. Audit 50% of the sensitive segment using a random sample, automatically selecting any unit not audited in the last two years. From the moderate segment select 10%, automatically selecting units not audited in the last four years. Select 5% of the low-risk segment, automatically selecting units that have never been audited.

This strategy provides annual audit coverage of about 25% of the total audit universe (10% + 20% x 50% + 40% x 10% + 30% x 5% = 25.5%) while focusing most audit resources on the areas of highest risk. The number of risk segments and the percentage of each segment covered may vary each planning period depending on the size of the audit universe and the resources available. Getting management and the audit committee to set the percentage of the universe they want in each risk segment lets them see what staffing a given strategy will require. For example, if there are 10 auditable units in the high-risk (10%) segment and each audit project averages about 350 hours, it will take at least two full-time auditors (3,500 hours against roughly 1,560 available hours each) to cover the high-risk segment alone each planning period.

Another approach is to build more flexibility into the allocation of audit resources so that risks can be addressed as they develop during the year. One option is to leave 30% to 40% of staff time unallocated for engagements that could not have been foreseen, such as special requests from management and the board. Another is to commit a certain amount of time to a functional area without identifying specific projects; a project is only committed to after a preliminary survey shows that it has the potential to add value to the control environment. These approaches give the CAE the versatility to respond to change and to avoid wasting time on audits that appear unnecessary based on what was learned during the preliminary control survey or because of changes in the business environment.
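As an added illustration of the risk model and the risk sampling strategy described above (example code written for this edit, not part of the IIA manual or its exhibits), the following Python script scores a constructed sample universe with the eight criteria and weights listed earlier, ranks it, cuts it into the 10/20/40/30 segments, and applies the 100%/50%/10%/5% selection shares together with the automatic-selection rules on the date last audited. The unit names, ratings and years-since-last-audit values are constructed sample data, and rounding each segment's selection target up so that a small universe still yields at least one pick per segment is an assumption of this example, not a rule from the manual.

```python
# Added example: risk-ranking an audit universe and applying the risk sampling
# strategy. The criteria, weights, segment shares and selection rules follow the
# text above; the auditable units at the bottom are constructed sample data.
import math
import random
from dataclasses import dataclass
from typing import Optional

# The eight criteria and their weights as listed in the manual.
CRITERIA = [
    ("control_environment", 3),
    ("prior_audit_findings", 3),
    ("management_concern", 4),
    ("comfort_with_management", 2),
    ("changes", 2),
    ("asset_sensitivity", 1),
    ("size", 2),
    ("date_last_audited", 2),
]
LOW, MEDIUM, HIGH = 1, 2, 3  # rating scale applied to every criterion

# Segments of the ranked universe: (name, share of units, share to audit,
# automatic-selection threshold in years since last audit). A threshold of
# None selects only units never audited; 0 selects every unit in the segment.
SEGMENTS = [
    ("high", 0.10, 1.00, 0),
    ("sensitive", 0.20, 0.50, 2),
    ("moderate", 0.40, 0.10, 4),
    ("low", 0.30, 0.05, None),
]


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    ratings: tuple                      # one 1/2/3 rating per criterion, CRITERIA order
    years_since_audit: Optional[float]  # None means the unit was never audited


def risk_score(unit):
    """Total rating = sum over criteria of (weight x scale rating)."""
    if len(unit.ratings) != len(CRITERIA):
        raise ValueError(f"{unit.name}: expected {len(CRITERIA)} ratings")
    return sum(w * r for (_, w), r in zip(CRITERIA, unit.ratings))


def rank_universe(units):
    """Highest total rating first; ties broken by name so the order is stable."""
    return sorted(units, key=lambda u: (-risk_score(u), u.name))


def segment_universe(ranked):
    """Cut the ranked list into the segment shares (10/20/40/30 by unit count)."""
    n, cumulative, start, segments = len(ranked), 0.0, 0, {}
    for name, share, _, _ in SEGMENTS:
        cumulative += share
        end = round(n * cumulative)
        segments[name] = ranked[start:end]
        start = end
    return segments


def automatically_selected(unit, threshold):
    """Apply a segment's automatic-selection rule to one unit."""
    if unit.years_since_audit is None:  # never audited: always picked
        return True
    return threshold is not None and unit.years_since_audit >= threshold


def select_for_plan(units, rng=None):
    """Return {segment name: units to audit this period}."""
    rng = rng or random.Random()
    segments = segment_universe(rank_universe(units))
    plan = {}
    for name, _, audit_share, threshold in SEGMENTS:
        segment = segments[name]
        # Round up so a small universe still yields one pick per segment
        # (an assumption of this example, not a rule from the manual).
        target = math.ceil(audit_share * len(segment))
        chosen = [u for u in segment if automatically_selected(u, threshold)]
        pool = [u for u in segment if u not in chosen]
        shortfall = target - len(chosen)
        if shortfall > 0:  # top up the forced picks with a random sample
            chosen.extend(rng.sample(pool, min(shortfall, len(pool))))
        plan[name] = chosen
    return plan


def auditors_required(plan, hours_per_audit=350, hours_per_auditor=1560):
    """Full-time auditors implied by the plan at the manual's planning numbers."""
    audits = sum(len(chosen) for chosen in plan.values())
    return audits * hours_per_audit / hours_per_auditor


def sample_universe():
    """Constructed sample data: (name, ratings in CRITERIA order, years since audit)."""
    rows = [
        ("Payroll", (3, 3, 3, 3, 3, 3, 3, 3), 3),
        ("Purchasing", (3, 3, 3, 2, 2, 2, 3, 2), 1),
        ("Accounts payable", (2, 3, 3, 2, 2, 2, 2, 3), 5),
        ("Treasury", (2, 2, 2, 3, 2, 3, 3, 2), 1),
        ("Fixed assets", (2, 2, 2, 2, 2, 2, 2, 2), 3),
        ("Inventory", (2, 2, 1, 2, 2, 3, 2, 2), 6),
        ("Travel expenses", (1, 2, 1, 2, 2, 2, 1, 2), 2),
        ("Facilities", (1, 1, 1, 2, 1, 1, 2, 2), None),
        ("Mailroom", (1, 1, 1, 1, 1, 1, 1, 2), 1),
        ("Library", (1, 1, 1, 1, 1, 1, 1, 1), None),
    ]
    return [AuditableUnit(*row) for row in rows]


if __name__ == "__main__":
    plan = select_for_plan(sample_universe(), random.Random(2003))
    for segment, chosen in plan.items():
        print(segment, [f"{u.name} ({risk_score(u)})" for u in chosen])
    print(f"auditors required: {auditors_required(plan):.2f}")
```

With the sample data every segment is filled by its automatic-selection rule alone (Accounts payable has not been audited in five years, Inventory in six, and Facilities and Library never), so the random top-up is never needed and the plan is deterministic; on a real universe the `rng` argument is where a seeded generator goes so the selection can be reproduced for the audit committee.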

Policies and Procedures

The chief audit executive should establish policies and procedures to guide the internal audit activity. (Standard 2040)

The size and structure of the activity will normally dictate whether written policies and procedures are needed and what their form and content should be. When staffs are small and centrally located, directors can provide guidance and direction orally. Written guidance is needed to establish administrative practices, to guide audit work, and to ensure a consistent approach as the staff grows and turnover occurs. Each CAE must develop policies and procedures that address the particular needs of the department and the organization. Exhibit 6-3 is an example of a generic index for a policy and procedures manual. While the full text of that document is too lengthy to include, the index should give some guidance on what topics a policy and procedures manual may cover.

It may be appropriate to substitute checklists for detailed written procedures in a manual. When used as reminders and guides rather than as strict steps to be followed rigorously, checklists have certain advantages over procedure manuals: they can easily be changed when needed, and copies included in the working papers serve to document the steps performed. Exhibit 6-4 is an example of the forms and checklists that can be used as a guide for preparing audit workpapers.

Implementing the Audit Plan

One major yardstick management uses to evaluate the internal audit function is how well the activity accomplishes the audit plan. Audit plans are accomplished by effectively managing each audit project. Audit projects that are not properly managed do not use resources effectively: they run over the time budgeted and, most importantly, they impair the credibility of the audit activity. Just as we would expect a production department to maintain production schedules and labor budgets, the same should be expected of the internal audit activity.
The administrative tasks associated with managing audit resources can be aided by automated office systems and other applications available on personal computers. Many activities use spreadsheet and word processing software effectively for budgeting and scheduling projects and for recording and summarizing staff hours. Internal audit activities should explore new and expanded uses of this technology whenever possible.

Project Budgets and Schedules

The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management. (Standard 2060)

Individual project schedules and budgets are essential and should be the norm for every audit project. To be effective, budgets and schedules must be integrated with a project reporting system. The reporting system should:

- Enable the lead auditor on each project to budget and allocate time to individual segments and to track actual time.
- Provide individual audit staff the ability to report how they spent their time, both project and non-project, usually weekly.
- Aid audit management in accounting for all staff hours and in reporting to management and the audit committee the status of the audit plan and all audit projects.

Exhibit 6-5 is an example of a spreadsheet for budgeting and controlling the hours for individual projects. This worksheet should be included in the working papers to enable audit supervision to evaluate how effectively the hours were used. It may also serve as a guide to budgeting similar projects in the future. Exhibit 6-6 is an example of a staff time spreadsheet. The report requires staff to account for both project and non-project hours each week, including vacation, holiday, and sick leave. Exhibit 6-7 is an example of a spreadsheet that can be used for the monthly management report. The report would list each active project, the time budgeted, the actual hours to date, the estimated completion date, and other information that reflects how staff resources are being utilized.

While schedules and budgets are essential to properly manage audit resources, they should not be self-defeating. Audit projects should always have an initial budget. This figure would typically be the planning number referred to earlier or, for recurring audits, the actual hours from the last review. After the preliminary survey phase of the project, the lead auditor should revise the budget based on the evaluation of controls and an assessment of the testing needed to establish reliance. Budgets should be adjusted whenever the scope of the work changes; however, audit management should review budget changes, and the reasons for the adjustments should be documented in the work papers.



Communicating Results

Internal auditors should communicate the engagement results promptly. (Standard 2400)

The internal audit activity's product is the audit report. The report has three audiences: the audit customer, management, and the audit committee. Each has a different level of interest and different concerns.

Audit Customers

While the final written report is the principal form of communication with the audit customer, there are others that should not be overlooked. Auditors should hold entrance and exit conferences with their audit customers. Entrance conferences should be used to discuss the purpose, objectives, and scope of the work to be undertaken and the schedule to be followed, and to identify the key people. At the exit conference, auditors should discuss their conclusions and recommendations. If there are disagreements or misunderstandings, these should be discussed and, if possible, resolved. Both parties should agree on who will receive the final report and what the audit customer's response will be.

Every finding by an auditor is an implied criticism that audit customers will, to one extent or another, take personally. They may react with defensiveness, fear, and resentment; some may even become openly antagonistic toward the auditors. A mistake many audit reports make is to cast the audit customer as the bad guy for having the problem and the auditor as the good guy for uncovering it and recommending a correction. To head off this perception, the focus of audit reports should be on the condition. Focusing on the condition allows the audit customer to appear to be in control, and the finding can be worded to indicate what the audit customer did to correct the condition.

When issued, final audit reports should be objective, clear, concise, constructive, and timely. The report should contain the purpose, scope, and results of the audit engagement and, where appropriate, the auditor's opinion.
The format of audit reports varies widely. Some may contain background information about the area audited, including the status of prior recommendations, and why the audit was conducted. Frequently this information is included in the executive summary of the report. The final communication of results should, where appropriate, contain the internal auditors overall opinion. (Standard 2410.A1) Engagement communications should acknowledge satisfactory performance. (Standard 2410.A2) Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client. (Standard 2410.C1)

Audit reports and findings are the result of a process of comparing what should be with what is. Whether or not there is a difference, the internal auditor has a basis on which to form an opinion. Opinions should always be in the context of the overall implications for the organization and the area reviewed. When audit work finds that conditions meet what is expected, acknowledging this in the report is important to provide the appropriate balance. Audit findings in reports should be based on an analysis of the following attributes:

A. Criteria: The standards, measures, or expectations used in making an evaluation and/or verification (what should exist).
B. Condition: The factual evidence that the internal auditor found in the course of the examination (what does exist).
C. Cause: The reason for the difference between the expected and actual conditions (why the difference exists).
D. Effect: The risk or exposure the audit customer organization and/or others encounter because the condition is not the same as the criteria (the impact of the difference).
E. Recommendation: That which the audit customer can implement, change, or undertake to move from what does exist to what should exist. (PA 2410-1)

Management and the Audit Committee

The last couple of years have seen increased interest in requiring public organizations to establish audit committees and internal auditing activities. Audit committees are under much more pressure to be accountable for their role as financial stewards. Recent studies, articles, commentaries, laws (the Sarbanes-Oxley Act of 2002), and regulations continue to focus on the audit committee's role in corporate governance. Clearly an audit committee cannot meet its obligations alone. The responsibility of audit committee members to know more about an organization's financial reporting, corporate governance, and control has increased dramatically. Regulators have shifted from passive to more proactive accountability for board committees, especially the audit committee. Reporting requirements, disclosures, assertions, and other information about the workings of the audit committee continue to expose members to potential scrutiny of the due diligence they exercise. Audit committee members now have to rely more than ever on internal auditors to keep them aware of significant risk management, control, and governance problems.

Audit committees do not like to see management or their organizations embarrassed. Neither do they like confrontations between auditors and management. Audit committees like to know that the internal audit activity has a competent, professional staff that works with management to identify opportunities to improve business performance and reduce business risk.



CAEs need to focus on reporting to audit committees those items that give the committee comfort that management is properly assessing risks and, where appropriate, is addressing improvements in internal controls. The relationship between the CAE and the audit committee should be characterized by openness, frequent interaction, a focus on issues within the audit committee's scope of responsibility, and an action orientation. The chairperson of the audit committee and the CAE should interact routinely outside the regular meetings, with open discussion of the areas internal auditing is involved in and of the attention being given to avoiding future risks and issues.

Senior management and the audit committee usually will not be interested in detailed findings and recommendations. In the absence of anything material, the summary of findings normally contained in the executive summary of each report should meet their needs. Periodically they should receive summary activity reports highlighting significant audit findings and recommendations and the status of the annual audit plan. They should also receive information on audit schedules, staffing plans, and the activity's financial budget. Presented properly, this information should have sufficient detail to enable management and the audit committee to determine whether the internal auditing activity is achieving its objectives and plans. It should also include feedback on whether management took appropriate action on previously reported audit findings.

The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management. (Standard 2500)

External Auditors

CAEs should develop a positive working relationship with the external firm.
The objective of the external auditors' work is to obtain sufficient evidence to support an opinion on the overall fairness of the annual financial statements. The objectives of the internal audit activity are much broader. Coordination ensures that the work performed by the internal audit staff does not duplicate the work of the external auditors. Because the work of both groups is of concern to senior management and the audit committee, it is in the interest of both that they work together. Working together involves:

- Meeting periodically to discuss matters of mutual interest.
- Having access to each other's work papers.
- Exchanging audit reports and management letters.
- Developing a common understanding of each group's audit techniques, methods, and terminology.


Chapter 7: Monitoring
Of all the changes made to the Standards beginning in 2002, the section on quality assurance represents a fundamental change for the practice of internal auditing. There are now seven standards that dictate specific activities that must be part of the quality assurance (QA) program of every internal audit activity. When an internal audit activity is established, it must include an ongoing quality assurance and improvement program. This requirement is broadly covered in Standard 1300, which states:

The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program should be designed to help the internal audit activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics. (Standard 1300)

A quality assurance program will need to provide reasonable assurance to management and the board that the internal audit activity: 1) performs in accordance with The IIA's Standards and the Code of Ethics; 2) is perceived by all as adding value and improving the organization's operations; and 3) operates in an effective and efficient manner. Exhibit 7-1 is an example of an outline for a Quality Assurance and Improvement Program.

The new standards require that any quality assurance program:

1. Cover all aspects of the internal audit activity. (Standard 1300)
2. Continually monitor the internal audit activity's effectiveness. (Standard 1300)
3. Assure compliance with the Standards and the Code of Ethics. (Standard 1300)
4. Help the internal audit activity add value and improve organizational operations. (Standard 1310)
5. Include both periodic and ongoing internal assessments. (Standard 1311)
6. Include an external assessment at least once every five years, the results of which are communicated to the board. (Standards 1312 and 1320)

Failure to include any of these six elements in a quality assurance program represents noncompliance with the Standards. Quality assurance programs must include examination of all types of audit engagements. A quality assurance program that measures performance only on traditional assurance engagements is not sufficient; it must also measure performance on other services such as consulting engagements. The quality of all work performed must be assessed. Assurance activities that focus specifically on workpaper review are not all that a quality assurance program needs. Workpaper review is certainly an important quality assessment tool, but it needs to be used in conjunction with additional QA tools and methodologies to implement an effective quality assurance program. Further information and examples of these tools and



methodologies can be found in the Quality Assessment Manual, 4th Edition, published in 2002 by The Institute of Internal Auditors.

Along with routine review procedures, an effective quality assurance program also needs performance measures (key metrics) designed to emphasize continuous improvement. The number of audits finished on time, the percentage of the annual audit plan completed, and the achievement of target ratings on customer satisfaction surveys are examples of key metrics that can be used to determine how well the internal audit activity is meeting the expectations of management and the board. Exhibits 7-2 and 7-3 are examples of Audit Productivity Measurement Questionnaires.

Quality means meeting standards. The primary purpose of any quality assurance program should be to assess compliance with The IIA's Standards and the Code of Ethics. A checklist can be a useful tool for assessing compliance; Exhibit 7-4 is an example of a Compliance Checklist based on the Standards that includes more than 100 questions. However, quality should be more than compliance with the policies and procedures that implement a standard. The quality assurance process must also assess the degree to which the internal audit activity is adding value and improving the organization's operations. This is the most challenging requirement. An effective quality assurance program needs to measure the value, effectiveness, and efficiency of the internal audit activity from the perspective of management and the board. To assess the contribution of the internal audit activity, the chief audit executive (CAE) will have to determine how best to measure the value of the work being performed. One way is through audit customer surveys; Exhibits 7-5 and 7-6 provide examples.
Another way is to track the number of management requests for internal auditing services and the number of recommendations that are implemented. If no one asks for services and recommendations are not implemented, it may be because audit services are not seen as useful to management in accomplishing the organization's objectives.

As previously noted, it isn't enough to provide evidence of the policies and procedures that make up the elements of a quality assurance program. There must also be a test or assessment of the effectiveness of the program itself.

The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments. (Standard 1310)

Further guidance on what an assessment should evaluate is provided in PA 1310-1.3, which states that a quality assessment program should assess:

- Compliance with the Standards and the Code of Ethics.
- The adequacy of the internal audit activity's charter, goals, objectives, policies, and procedures.
- The contribution to the organization's risk management, governance, and control processes.
- Compliance with applicable laws, regulations, and government or industry standards.
- The effectiveness of continuous improvement activities and the adoption of best practices.
- Whether the internal audit activity adds value and improves the organization's operations.

Internal Assessment

While ongoing reviews are primarily achieved through the continuous monitoring activities already discussed, the most effective method for continuously assessing quality is supervision and management oversight. Adequate supervision and management oversight are the foundation of any quality assurance program that assures conformity with the Standards and activities that add value and improve an organization's operations. Recognizing the importance of effective and continuous supervision and management oversight, the Standards have taken the additional step of requiring a formal internal assessment process. Internal assessments should include:

- Ongoing reviews of the performance of the internal audit activity.
- Periodic reviews performed through self-assessment or by other persons within the organization who have knowledge of internal auditing practices and the Standards. (Standard 1311)

Ongoing review and monitoring activities should themselves be reviewed periodically. One way to accomplish this is to routinely conduct a self-evaluation. Known as internal assessments, these are conducted by members of the staff or by a team of reviewers employed by the organization but working in other areas. Former members of the audit staff or other employees with prior auditing experience could be used. If the internal audit activity is large enough, it may establish a formal quality assessment position or group responsible for all quality assurance activities. This function should report its findings and conclusions directly to the CAE to ensure adequate credibility and objectivity.

External Assessment

Another strong statement of the profession's commitment to quality came with the enactment of Standard 1312, which requires a periodic external quality assurance review.

A qualified, independent reviewer or review team from outside the organization should conduct external assessments, such as quality assurance reviews, at least once every five years. (Standard 1312)

There are several ways an internal audit activity can obtain an external assessment. The first option is to contract for a formal quality assessment review (QAR) with The IIA, other industry associations, accounting firms, or consultants. These reviews usually involve a team of qualified reviewers who spend several days to several weeks interviewing the



board, management, and the audit staff while reviewing the internal audit activity's workpapers, procedures, and methodologies. At the end of the review a formal written report is provided that contains an overall opinion on compliance with the Standards and any recommendations the team believes would improve the effectiveness of the internal audit activity. Further information on internal and external quality assurance reviews, including the methodology for conducting an external review, can be found in The IIA's Quality Assessment Manual, Fourth Edition, which contains guidance and tools for assessing various aspects of an internal audit activity.

When selecting an external reviewer, the CAE should consider the following:

- The individual or group conducting the review should be independent of the organization and the audit activity being reviewed. (PA 1312-1)
- The review team should be made up of individuals who are competent in the professional practice of internal auditing and the external review process. Individuals should:
  - Be competent, certified audit professionals who know the Standards.
  - Be well acquainted with the best practices of the profession.
  - Have at least three years of recent experience in the practice of internal auditing at the management level.
- The team should include members with information technology experience.
- The team members should have industry audit experience, or at least QAR experience in the industry under review.

Self-Assessment with Independent Validation

An alternative to a full external assessment is for the audit staff to conduct a self-assessment quality review and submit the findings and supporting documentation to an outside consultant for validation. This approach allows the internal audit staff, under the direction of the CAE, to perform and document the self-assessment. The objective of the self-assessment is to document a set of conclusions about the internal audit activity's compliance with the Standards, the charter, and other relevant criteria in the same fashion an external reviewer would. The team and the CAE also develop recommendations and implementation plans for improving the activity. After the self-assessment is completed, a qualified, independent evaluator performs limited tests of the self-assessment and the report recommendations to validate the results and express an opinion on the level of compliance with the Standards. The independent evaluator should have the same qualifications as the reviewers for formal external QARs shown above. Note that this approach limits the opportunity to gain valuable input from an external review team on alternative methods and best practices.

Communication of Results

Another strengthening of the quality improvement methodology established by the Standards is the requirement to communicate the results of external assessments to the board.

The chief audit executive should communicate the results of external assessments to the board. (Standard 1320)

Whether a CAE conducts a self-assessment with independent validation or chooses a full external review, the results of the review, and particularly the opinion on compliance with the Standards, must be communicated to the board.

Additional Guidance

Two other important quality assurance Standards address use of language (Standard 1330) and partial compliance (Standard 1340). Both are quoted below.

Internal auditors are encouraged to report that their activities are conducted in accordance with the Standards for the Professional Practice of Internal Auditing. However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards. (Standard 1330)

Practice Advisory (PA) 1330-1 provides further guidance on implementing this Standard.

Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal auditing activity, disclosure should be made to senior management and the board. (Standard 1340)

By implementing and maintaining a comprehensive quality assurance and improvement program, management and the board are assured of an internal audit activity that adds value, improves operations, and operates in an effective and efficient manner.


Footnotes

1.1 Internal Auditors: Integral to Good Corporate Governance, Progress Through Sharing, Internal Auditor, August 2002, p. 46.
1.2 Restoring Trust in Corporate America, Business Week, June 24, 2002, p. 32.
1.3 Steinberg, Richard M., and Bromilow, Catherine L., The Role of Internal Audit in Corporate Governance, PricewaterhouseCoopers LLP, TansMISsion Online, Audit Edition, Vol. 2, Issue 1, February 2001.
1.4 Chapman, Christy, and Anderson, Urton, Implementing the Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors, 2002), p. 1.
1.5 Ibid., p. 1.
1.6 Ibid., p. 1.
1.7 Ibid., p. 2.
1.8 Ibid., pp. 193-195.
1.9 Ibid., pp. 2-3.
1.10 The Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors, January 2002), pp. iii-vi.

2.1 Governance, Position Paper Presented by The Institute of Internal Auditors to the United States Congress, April 2002.
2.2 Internal Auditing: In Your Best Interests, Tone at the Top (Altamonte Springs, FL: The Institute of Internal Auditors, October 2002).

3.1 Internal Audit Independence Checklist, Issues & Answers (Altamonte Springs, FL: The Institute of Internal Auditors).
3.2 Chapman, Christy, and Anderson, Urton, Implementing the Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors, 2002), p. 14.
3.3 Ibid., p. 21.
3.4 Ibid., pp. 22-24.

4.1 Krogstad, Jack, et al., Where We're Growing, Internal Auditor, October 1999, p. 31.
4.2 Internal Audit Independence Checklist, Issues & Answers (Altamonte Springs, FL: The Institute of Internal Auditors).


68 Establishing An Internal Audit Activity Manual


4.3 Chapman, Christy, and Anderson, Urton, Implementing the Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors, 2002), pp. 42-43.

5.1 A Perspective on Outsourcing of the IA Function, Professional Practices Pamphlet 98-1 (Altamonte Springs, FL: The Institute of Internal Auditors), pp. 3-4.
5.2 Ibid., pp. 2-3.
5.3 Smith, Paul J. Jr., Win-Win Co-Sourcing, Internal Auditor, October 2002, pp. 37-41.


Bibliography

A Perspective on Outsourcing of the IA Function, Professional Practices Pamphlet 98-1 (Altamonte Springs, FL: The Institute of Internal Auditors).

Apostolou, Barbara, and Jeffords, Raymond, Working with the Audit Committee (Altamonte Springs, FL: The Institute of Internal Auditors, 1990).

Boritz, J. Efrim, Planning for the Internal Audit Function (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation, 1983).

Chapman, Christy, and Anderson, Urton, Implementing the Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors, 2002).

Committee of Sponsoring Organizations of the Treadway Commission, Fraudulent Financial Reporting 1987-1997, March 1999.

Committee of Sponsoring Organizations of the Treadway Commission, Internal Control: Integrated Framework, 1992.

Committee on Corporate Governance, Final Report, January 1998.

Global Auditing Information Network (GAIN) (www.gain2.org) (Altamonte Springs, FL: The Institute of Internal Auditors).

Governance, Position Paper Presented by The Institute of Internal Auditors to the United States Congress, April 2002.

Internal Audit Independence Checklist, Issues & Answers (Altamonte Springs, FL: The Institute of Internal Auditors).

Internal Auditing: In Your Best Interests, Tone at the Top (Altamonte Springs, FL: The Institute of Internal Auditors, October 2002).

Internal Auditing Manual Shell on CD-ROM, Second Edition (Altamonte Springs, FL: The Institute of Internal Auditors, 2000).

Internal Auditors: Integral to Good Corporate Governance, Progress Through Sharing (Altamonte Springs, FL: The Institute of Internal Auditors).

Krogstad, Jack, et al., Where We're Growing, Internal Auditor, October 1999.

Listing Requirements, New York Stock Exchange, revised August 2002.

National Association of Corporate Directors, The NACD Board Guidelines, 1999.

National Association of Corporate Directors and The Center for Board Leadership, Report of the NACD Blue Ribbon Commission on Audit Committees: A Practical Guide, 2000.

New York Stock Exchange and National Association of Securities Dealers, Report on Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, 1999.

Quality Assessment Manual, Fourth Edition (Altamonte Springs, FL: The Institute of Internal Auditors, 2002).

Restoring Trust in Corporate America, Business Week, June 24, 2002, pp. 30-35.

Sarbanes-Oxley Act of 2002, One Hundred Seventh Congress of the United States of America, Second Session, January 23, 2002.

Smith, Paul J. Jr., Win-Win Co-Sourcing, Internal Auditor, October 2002, pp. 37-41.

Steinberg, Richard M., and Bromilow, Catherine L., Audit Committee Effectiveness: What Works Best, 2nd Edition (Altamonte Springs, FL: The Institute of Internal Auditors, 2000).

Steinberg, Richard M., and Bromilow, Catherine L., Corporate Governance and the Board: What Works Best, 2nd Edition (Altamonte Springs, FL: The Institute of Internal Auditors, 2000).

Steinberg, Richard M., and Bromilow, Catherine L., The Role of Internal Audit in Corporate Governance (PricewaterhouseCoopers LLP).

The Audit Committee: A Briefing on Roles and Responsibilities (Altamonte Springs, FL: The Institute of Internal Auditors, 1994).

The Best & Worst Boards, Business Week, October 7, 2002, pp. 104-114.

The Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors, January 2002).


Resources Offered by The Institute of Internal Auditors


For the most up-to-date information, visit the Establishing an Internal Audit Shop section of the IIA's web site at www.theiia.org.

PUBLICATIONS/TOOLS

Publications/tools available through The Institute of Internal Auditors. For ordering information, visit the Bookstore under the Publications section of www.theiia.org.

21st Century Audit Management: Opportunities and Challenges. Pleier & Associates. CD-ROM. Audit professionals and audit consultants share their thoughts in an attempt to provide some insight into 21st century audit management opportunities and challenges.

A Balanced Scorecard Framework for Internal Auditing Departments. Mark L. Frigo, Ph.D., DPA, CMA. Book. The balanced scorecard is an effective tool for fine-tuning and implementing strategy and for showcasing the value of an internal audit department. The scorecard methodology in this research report will help you refine and translate your departmental strategy into positive action.

Audit Committee Briefing: Understanding the 21st Century Audit Committee and its Governance Roles. Curtis C. Verschoor, Ed.D., CIA, CPA, CFE, CMA. Book. Provides a broad understanding of audit committees and their governance roles in various organizations, primarily publicly owned corporations. The book's global comprehensiveness and historical overview outline global sources of information for those concerned with aspects of corporate governance related to compliance with laws and regulations, risk management, internal control, safeguarding assets, and reliable information flow.

Audit Committee Briefing 2001: Facilitating New Audit Committee Responsibilities. Curtis C. Verschoor, Ed.D., CIA, CPA, CFE, CMA. Book. This supplement to the handbook Audit Committee Briefing: Understanding the 21st Century Audit Committee and Its Governance Roles outlines the audit committee's role and responsibilities for auditor independence, interaction with external auditors, and oversight of risk management practices.

Audit Committee Effectiveness: What Works Best, 2nd Edition. Sponsored by The Institute of Internal Auditors Research Foundation and prepared by PricewaterhouseCoopers. Book. The updated version outlines audit committee practices from some of the world's most progressive organizations and documents innovative approaches to defining and satisfying responsibilities of audit committees. It focuses on current and future issues and illustrates how the role of the audit committee will evolve over the next few years.

Control Model Implementation: Best Practices. James Roth, Ph.D., CIA. Book. This study by The IIA Research Foundation presents a collection of successful practices upon which readers can draw to fashion the approaches that are truly "best" in their own organization. Groundwork for the research of this project was laid by Internal Control: Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and, to a lesser extent, by Guidance on Control by the Criteria of Control Board of the Canadian Institute of Chartered Accountants (CoCo). Offering a conceptual framework, both were considered control models in this best practices report.

Corporate Governance and the Board: What Works Best. Sponsored by The Institute of Internal Auditors Research Foundation and prepared by PricewaterhouseCoopers. Book. Presenting the best ideals for the highest level of board effectiveness, this publication astutely guides board members in their role of enhancing shareholder value. A must-read for all directors, regardless of their organization's size or industry, this practical resource is sure to become the board beacon for years to come.

Implementing the Professional Practices Framework. Christy Chapman and Urton Anderson, CIA, CCSA, CGAP, Ph.D. Book. This handbook provides instruction, information, and tools for implementing The Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing. It takes the theoretical concepts and instructions presented in the Standards and provides practical ways for putting those concepts into practice.

Internal Auditing Manual Shell on CD. CD-ROM. This CD-ROM provides the tools needed to develop or update an internal audit department manual, a valuable and important component of any internal audit function. It includes forms, samples, and procedures identified through quality assurance reviews and other sources. Users can add, delete, or edit various practices to tailor them to meet individual organizations' needs.

Internal Auditor Job Market 2002: A Comprehensive Review of Salaries, Staff Sizes, Director Statistics, and Attitudes. Jimmie Kusel and Thomas H. Oxner. Book or CD-ROM. This biennial study surveys internal audit directors in the United States and Canada to obtain valuable information on current employment conditions and trends in the internal auditing profession. Learn about current staff sizes, hiring trends, sources of new hires, turnover rates, number of years auditors remain on staff, gender-related statistics, desirable background in education and experience, correlation of staff size to salaries, attitudes of audit directors, and the impact of outsourcing and co-sourcing.

Quality Assessment Manual, 4th Edition. Book with CD-ROM. This is the principal guidance and set of practical tools to assess conformity to the Standards for the Professional Practice of Internal Auditing, and to reveal opportunities for enhancing the effectiveness and value of internal audit activities.

Sawyer's Internal Auditing, 5th Edition. Lawrence B. Sawyer, JD, CIA, PA; and Mortimer Dittenhofer, Ph.D., CIA. Book. A revised and enlarged version of the book that changed internal auditing, The Practice of Modern Internal Auditing. It is divided into parts, covering a wide range of topics such as internal control, auditing tools and techniques, scientific methods, risk assessment, sampling, analytical tools, computer-assisted auditing, administrative reports to management, administration, fraud, dealing with people, relationships with external auditors and boards of directors, and the Standards.

Strategies for Small Audit Shops. David O'Regan. Book. There is no question about it: small audit shops are uniquely challenged. Thin resources, tight budgets, and the scope of modern-day internal audit activities make delivery of such services more than difficult at times. This handbook is a must for improving the efficiency, effectiveness, and professionalism of a small audit department.

Video Learning Series: Professional Practices Framework. Video. This series of videos will help audit staff better understand The IIA's Professional Practices Framework, which includes the Standards for the Professional Practice of Internal Auditing. Learn how to integrate the Professional Practices Framework into your daily audit activities, implement innovative methodologies for keeping internal auditing challenging, utilize leading-edge tools and techniques for improving audit activities, and acquire key information on governance, risk, assurance, and control.

IIA SERVICES/TRAINING

Audit Career Center. The IIA's Audit Career Center is available to help match organizations that have position openings with IIA members seeking new opportunities. The IIA is dedicated to equal opportunity employment.

CAE Services Program. The IIA's CAE Services Program is designed to help chief audit executives (CAEs) respond to today's business challenges, demands, and opportunities. As a member of this unique group, The IIA keeps you up to speed on news and guidance, links you to other CAEs, and gives you a direct pipeline to resources at The IIA.

Certified Internal Auditor (CIA) Program. The IIA's premier certification reflects competence in the principles and practices of internal auditing and has served as the only internationally accepted designation for internal auditors.

Consulting and Advisory Services. The IIA's professional advisory staff offers a variety of consulting services, including starting or reengineering an internal audit activity, improving relationships with the audit committee, partnering with management, performing risk assessments, managing the internal audit staff, as well as other valuable services.

General Audit Management Conference (GAM). Annual conference offered by The IIA, designed specifically for chief audit executives (CAEs) to help increase their knowledge of current issues, understand their expanded roles and responsibilities, and enhance their skills for leading a world-class audit shop. This conference offers excellent networking opportunities with CAEs from all over the world, from different-sized audit shops, and representing a wide variety of industries.

Global Audit Information Network (GAIN). The IIA's state-of-the-art benchmarking service that provides a means for comparison to help identify strengths and weaknesses of audit departments.

Quality Assurance Reviews. The IIA can provide experts to help evaluate your company's internal audit staff's compliance with The IIA's Standards (as well as government auditing standards and various regulations), recommend changes to policies and procedures, improve the way your staff functions, and offer comments on "best practices."

Small Audit Shops: Formulas for Success Conference. Annual conference offered by The IIA, designed to address the unique problems of small audit shops and present opportunities for doing big things in a small (audit shop) way. See web site for details on the next conference.

Vision University Seminar. This four-day seminar offered by The IIA is designed exclusively for chief audit executives or senior-level managers preparing to become chief audit executives. Vision University prepares audit leaders for building and leading a world-class audit team. See web site for schedule.


Exhibit 1-1

Table of Attribute and Performance Standards with Related Practice Advisories

The original table has four columns: General Standard, Specific Standard, Implementation Standard, and Practice Advisory. Below, each standard is followed by the Practice Advisory (or Advisories) related to it, where one exists.

ATTRIBUTE STANDARDS

1000 - Purpose, Authority, and Responsibility. The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.
Practice Advisory: 1000-1 Internal Audit Charter

1000.A1 - The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter.

1000.C1 - The nature of consulting services should be defined in the audit charter.
Practice Advisory: 1000.C1-2 Additional Considerations for Formal Consulting Engagements

1100 - Independence and Objectivity. The internal audit activity should be independent, and internal auditors should be objective in performing their work.
Practice Advisory: 1100-1 Independence and Objectivity

1110 - Organizational Independence. The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
Practice Advisory: 1110-1 Organizational Independence

1110.A1 - The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.
Practice Advisory: 1110.A1-1 Disclosing Reasons for Information Requests

1120 - Individual Objectivity. Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
Practice Advisory: 1120-1 Individual Objectivity

1130 - Impairments to Independence or Objectivity. If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.
Practice Advisory: 1130-1 Impairments to Independence or Objectivity

1130.A1 - Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an auditor provides assurance services for an activity for which the auditor had responsibility within the previous year.
Practice Advisory: 1130.A1-2 Internal Audit Responsibility for Other (Non-audit) Functions

1130.A2 - Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.

1130.C1 - Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2 - If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

1200 - Proficiency and Due Professional Care. Engagements should be performed with proficiency and due professional care.
Practice Advisory: 1200-1 Proficiency and Due Professional Care

1210 - Proficiency. Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
Practice Advisory: 1210-1 Proficiency

1210.A1 - The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.
Practice Advisory: 1210.A1-1 Obtaining Services to Support or Complement the Internal Audit Activity

1210.A2 - The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Practice Advisories: 1210.A2-1 Identification of Fraud; 1210.A2-2 Responsibility for Fraud Detection

1210.C1 - The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies.

1220 - Due Professional Care. Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
Practice Advisory: 1220-1 Due Professional Care

1220.A1 - The internal auditor should exercise due professional care by considering the:
- Extent of work needed to achieve the engagement's objectives.
- Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
- Adequacy and effectiveness of risk management, control, and governance processes.
- Probability of significant errors, irregularities, or noncompliance.
- Cost of assurance in relation to potential benefits.

1220.A2 - The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C2 - The internal auditor should exercise due professional care during a consulting engagement by considering the:
- Needs and expectations of clients, including the nature, timing, and communication of engagement results.
- Relative complexity and extent of work needed to achieve the engagement's objectives.
- Cost of the consulting engagement in relation to potential benefits.

1230 - Continuing Professional Development. Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.
Practice Advisory: 1230-1 Continuing Professional Development

1300 - Quality Assurance and Improvement Program. The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program should be designed to help the internal audit activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and Code of Ethics.

1310 - Quality Program Assessments. The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.
Practice Advisory: 1310-1 Quality Program Assessments

1311 - Internal Assessments. Internal assessments should include:
- Ongoing reviews of the performance of the internal audit activity; and
- Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.
Practice Advisory: 1311-1 Internal Assessments

1312 - External Assessments. External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.
Practice Advisory: 1312-1 External Assessments

1320 - Reporting on the Quality Program. The chief audit executive should communicate the results of external assessments to the board.
Practice Advisory: 1320-1 Reporting on the Quality Program

1330 - Use of "Conducted in Accordance with the Standards". Internal auditors are encouraged to report that their activities are conducted in accordance with the Standards for the Professional Practice of Internal Auditing. However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.
Practice Advisory: 1330-1 Use of "Conducted in Accordance with the Standards"

1340 - Disclosure of Noncompliance. Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.

PERFORMANCE STANDARDS

2000 - Managing the Internal Audit Activity. The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.
Practice Advisory: 2000-1 Managing the Internal Audit Activity

2010 - Planning. The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
Practice Advisories: 2010-1 Planning; 2010-2 Linking the Audit Plan to Risk and Exposures

2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

2010.C1 - The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Those engagements that have been accepted should be included in the plan.

2020 - Communication and Approval. The chief audit executive should communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.
Practice Advisory: 2020-1 Communication and Approval

2030 - Resource Management. The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
Practice Advisories: 2030-1 Resource Management; 2030-2 SEC External Auditor Independence Requirements for Providing Internal Audit Services

2040 - Policies and Procedures. The chief audit executive should establish policies and procedures to guide the internal audit activity.
Practice Advisory: 2040-1 Policies and Procedures

2050 - Coordination. The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
Practice Advisories: 2050-1 Coordination; 2050-2 Acquisition of External Audit Services

2060 - Reporting to the Board and Senior Management. The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.
Practice Advisory: 2060-1 Reporting to Board and Senior Management

2100 - Nature of Work. The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance systems.
Practice Advisories: 2100-1 Nature of Work; 2100-2 Information Security; 2100-3 Internal Audit's Role in the Risk Management Process; 2100-4 Internal Audit's Role in Organizations Without a Risk Management Process; 2100-5 Legal Considerations in Evaluating Regulatory Compliance Programs

2110 - Risk Management. The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
Practice Advisory: 2110-1 Assessing the Adequacy of Risk Management Processes

2110.A1 - The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

2110.A2 - The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.

2110.C1 - During consulting engagements, internal auditors should address risk consistent with the engagement's objectives and should be alert to the existence of other significant risks.

2110.C2 - Internal auditors should incorporate knowledge of risks gained from consulting into the process of identifying and evaluating significant risk exposures of the organization.

2120 - Control. The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.
Practice Advisories: 2120.A1-1 Assessing and Reporting on Control Processes; 2120.A1-2 Using Control Self-assessment for Assessing the Adequacy of Control Processes

2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

2120.A3 - Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.
Practice Advisory: 2120.A4-1 Control Criteria

2120.C1 - During consulting engagements, internal auditors should address controls consistent with the engagement's objectives and should be alert to the existence of any significant control weaknesses.

2120.C2 - Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

2130 - Governance. The internal audit activity should contribute to the organization's governance process by evaluating and improving the process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.
Practice Advisory: 2130-1 Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization

2130.A1 - Internal auditors should review operations and programs to ensure consistency with organizational values.

2130.C1 - Consulting engagement objectives should be consistent with the overall values and goals of the organization.

Source: Institute of Internal Auditors Professional Practices Framework

The Institute of Internal Auditors

86 Establishing An Internal Audit Activity Manual Table of Attribute and Performance Standards with Related Practice Advisories
PERFORMANCE STANDARDS General Standard
2200 - Engagement Planning Internal auditors should develop and record a plan for each engagement. 2201 - Planning Considerations In planning the engagement, internal auditors should consider: The objectives of the activity being reviewed and the means by which the activity controls its performance. The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. The adequacy and effectiveness of the activitys risk management and control systems compared to a relevant control framework or model. The opportunities for making significant improvements to the activitys risk management and control systems. 2201.C1 -Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.

Specific Standard

Implementation Standard

Practice Advisory
2200-1-Engagement Planning

Source: Institute of Internal Auditors Professional Practices Framework

The Institute of Internal Auditors

Exhibit 1-1 87 Table of Attribute and Performance Standards with Related Practice Advisories
PERFORMANCE STANDARDS General Standard Specific Standard
2210 - Engagement Objectives The engagements objectives should address the risks, controls, and governance processes associated with the activities under review. 2210.A1 -When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment. 2210.A2 -The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives. 2210.C1-Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client. 2200- Engagement Scope The established scope should be sufficient to satisfy the objectives of the engagement. 2220.A1- The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

Implementation Standard

Practice Advisory
2210-1-Engagement Objectives

2210.A1-Risk Assessment in Engagement Planning

Source: Institute of Internal Auditors Professional Practices Framework

The Institute of Internal Auditors

88 Establishing An Internal Audit Activity Manual Table of Attribute and Performance Standards with Related Practice Advisories
PERFORMANCE STANDARDS General Standard Specific Standard Implementation Standard
2220.C1 -In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement. 2230 - Engagement Resource Allocation Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. 2240 - Engagement Work Program Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded. 2240.A1 -Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to the commencement of work, and any adjustments approved promptly. 2240.C1- Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement. 2230-1-Engagement Resource Allocation

Practice Advisory

2240-1- Engagement Work Program

2240.A1-1- Approval of Work Programs

Source: Institute of Internal Auditors Professional Practices Framework

The Institute of Internal Auditors

Exhibit 1-1 89 Table of Attribute and Performance Standards with Related Practice Advisories
PERFORMANCE STANDARDS General Standard
2300 - Performing the Engagement Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagements objectives. 2310 - Identifying Information Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagements objectives. 2320 - Analysis and Evaluation Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations. 2330-Recording Information Internal auditors should record relevant information to support the conclusions and engagement results. 2330.A1 - The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate. 2330.A2 - The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organizations guidelines and any pertinent regulatory or other requirements. 2330.C1 - The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organizations guidelines and any pertinent regulatory or other requirements. 2310-1-Identifying Information

Specific Standard

Implementation Standard

Practice Advisory

2320-1-Analysis and Evaluation

2330-1- Recording Information

2330.A1-1- Control of Engagement Records 2330.A1-2-Legal Considerations in Granting Access to Engagement Records

2330A2-1- Retention of Records

Source: Institute of Internal Auditors Professional Practices Framework

The Institute of Internal Auditors

90 Establishing An Internal Audit Activity Manual Table of Attribute and Performance Standards with Related Practice Advisories
PERFORMANCE STANDARDS General Standard Specific Standard
2340 - Engagement Supervision Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed 2400 - Communicating Results Internal auditors should communicate the engagement results promptly. 2410 - Criteria for Communicating Communications should include the engagements objectives and scope as well as applicable conclusions, recommendations, and action plans. 2410.A1- The final communications of results should, where appropriate, contain the internal auditors overall opinion. 2410.A2-Engagement communications should acknowledge satisfactory performance. 2410.C1-Communications of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client. 2420 - Quality of Communications Communications should be accurate, objective, clear, concise, constructive, complete, and timely. 2421 -Errors and Omissions If a final communication contains a significant error or omission, the chief executive should communicate corrected information to all individuals who received the original communication.

Implementation Standard

Practice Advisory
2340-1- Engagement Supervision

2400-1-Legal Considerations in Communicating Results 2410-1- Communication Criteria

2410-1- Communication Criteria

2420-1-Quality of Communications

2421-1-Errors and Omissions

Source: Institute of Internal Auditors Professional Practices Framework

The Institute of Internal Auditors

Exhibit 1-1 91 Table of Attribute and Performance Standards with Related Practice Advisories
PERFORMANCE STANDARDS General Standard Specific Standard
2430 - Engagement Disclosure of Noncompliance with the Standards When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the: Standard(s) with which full compliance was not achieved, Reason(s) for non compliance, and Impact of noncompliance on the engagement. 2440 - Disseminating Results The chief audit executive should disseminate results to the appropriate individuals. 2440.A1 -Thechief audit executive is responsible fore communicating the final results to individuals who can ensure that the results are given due consideration. 2440.C1 - Thechief audit executive is responsible for communicating the final results of consulting engagements to clients. 2440.C2 - During consulting engagements, management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board. 2500 - Monitoring Progress The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management. 2500-1- Monitoring progress

Implementation Standard

Practice Advisory

2440-1- Disseminating Results 2440-2Communications Outside the Organization

Source: Institute of Internal Auditors Professional Practices Framework

The Institute of Internal Auditors

92 Establishing An Internal Audit Activity Manual Table of Attribute and Performance Standards with Related Practice Advisories
PERFORMANCE STANDARDS General Standard Specific Standard Implementation Standard
2500.A1 - The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. 2500.C1 - The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client. 2600 - Managements Acceptance of Risks When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

Practice Advisory
2500.A1-1-Follow-up Process

2600-1- Managements Acceptance of Risks

Source: Institute of Internal Auditors Professional Practices Framework

The Institute of Internal Auditors

Exhibit 1-2

The Institute of Internal Auditors Code of Ethics


Introduction
The purpose of The Institute's Code of Ethics is to promote an ethical culture in the profession of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance. The Institute's Code of Ethics extends beyond the definition of internal auditing to include two essential components:
1. Principles that are relevant to the profession and practice of internal auditing;
2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.
The Code of Ethics together with The Institute's Professional Practices Framework and other relevant Institute pronouncements provide guidance to internal auditors serving others. "Internal auditors" refers to Institute members, recipients of or candidates for IIA professional certifications, and those who provide internal auditing services within the definition of internal auditing.

Applicability and Enforcement
This Code of Ethics applies to both individuals and entities that provide internal auditing services. For Institute members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to The Institute's Bylaws and Administrative Guidelines. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary action.

Principles
Internal auditors are expected to apply and uphold the following principles:
Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

Rules of Conduct
1. Integrity
Internal auditors:
1.1 Shall perform their work with honesty, diligence, and responsibility.
1.2 Shall observe the law and make disclosures expected by the law and the profession.
1.3 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4 Shall respect and contribute to the legitimate and ethical objectives of the organization.
2. Objectivity
Internal auditors:
2.1 Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2 Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
3. Confidentiality
Internal auditors:
3.1 Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
4. Competency
Internal auditors:
4.1 Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2 Shall perform internal auditing services in accordance with the Standards for the Professional Practice of Internal Auditing.
4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.

Adopted by The IIA Board of Directors, June 17, 2000.

Exhibit 1-3

Standards for the Professional Practice of Internal Auditing


Introduction
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, and structure; and by persons within or outside the organization. These differences may affect the practice of internal auditing in each environment. However, compliance with the Standards for the Professional Practice of Internal Auditing (Standards) is essential if the responsibilities of internal auditors are to be met.
The purpose of the Standards is to:
1. Delineate basic principles that represent the practice of internal auditing as it should be.
2. Provide a framework for performing and promoting a broad range of value-added internal audit activities.
3. Establish the basis for the measurement of internal audit performance.
4. Foster improved organizational processes and operations.
The Standards consist of Attribute Standards (the 1000 Series), Performance Standards (the 2000 Series), and Implementation Standards (nnnn.Xn). The Attribute Standards address the characteristics of organizations and individuals performing internal audit activities. The Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be measured. The Attribute and Performance Standards apply to internal audit services in general. The Implementation Standards apply the Attribute and Performance Standards to specific types of engagements (for example, a compliance audit, a fraud investigation, or a control self-assessment project).
There is one set of Attribute and Performance Standards; however, there may be multiple sets of Implementation Standards: a set for each of the major types of internal audit activity. Initially, the Implementation Standards are being established for assurance activities (noted by an "A" following the Standard number, e.g., 1130.A1) and consulting activities (noted by a "C" following the Standard number, e.g., nnnn.C1).
The Standards are part of the Professional Practices Framework. This framework was proposed by the Guidance Task Force and approved by The IIA's Board of Directors in June 1999. This framework includes the Definition of Internal Auditing, the Code of Ethics, the Standards, and other guidance. The Standards incorporate the guidance previously contained in The Red Book, recasting it into the new format proposed by the Guidance Task Force and updating it as recommended in the Task Force's report, A Vision for the Future.
Source: Professional Practices Framework, Institute of Internal Auditors, Altamonte Springs, FL, January 2002


The Standards employ terms that have been given specific meanings that are included in the Glossary.
The Internal Auditing Standards Board is committed to extensive consultation in the preparation of the Standards. Prior to issuing any document, the Standards Board issues exposure drafts internationally for public comment. The Standards Board also seeks those with special expertise or interests for consultation where necessary.
The development of standards is an ongoing process. The Standards Board welcomes input from IIA members and other interested parties to identify emerging issues requiring new standards or revision to current standards. Suggestions should be sent to: Institute of Internal Auditors, Senior Manager, Technical Services, 247 Maitland Ave., Altamonte Springs, Florida 32701 USA. E-mail: standards@theiia.org
Additional guidance regarding how the Standards might be put into practice can be found in Practice Advisories that are issued by the Professional Issues Committee.

ATTRIBUTE STANDARDS 1000 Purpose, Authority, and Responsibility The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.1 1000.A1 - The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter 1000.C1 - The nature of consulting services should be defined in the audit charter. 1100 Independence and Objectivity The internal audit activity should be independent, and internal auditors should be objective in performing their work. 1110 Organizational Independence The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. 1110.A1 - The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results. 1120 Individual Objectivity Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest. 1130 Impairments to Independence or Objectivity If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment. 1130.A1 Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an auditor provides assurance services for an activity for which the auditor had responsibility within the previous year.

When used in these Standards, the term board is defined as a board of directors, audit committee of such boards, head of an agency or legislative body to whom internal auditors report, board of governors or trustees of a nonprofit organization, or any other designated governing bodies of an organization.

Source: Professional Practices Framework, Institute of Internal Auditors, Altamonte Springs, FL, January 2002

The Institute of Internal Auditors

100 Establishing An Internal Audit Activity Manual


1130.A2 Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity. 1130.C1 - Internal auditors may provide consulting services relating to operations for which they had previous responsibilities. 1130.C2 - If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement. 1200 Proficiency and Due Professional Care Engagements should be performed with proficiency and due professional care. 1210 Proficiency Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. 1210.A1 - The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement. 1210.A2 The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. 1210.C1 - The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement. 1220 - Due Professional Care Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility. 1220.A1 - The internal auditor should exercise due professional care by considering the: Extent of work needed to achieve the engagement's objectives. 
Relative complexity, materiality, or significance of matters to which assurance procedures are applied. Adequacy and effectiveness of risk management, control, and governance processes. Probability of significant errors, irregularities, or noncompliance. Cost of assurance in relation to potential benefits.

Source: Professional Practices Framework, Institute of Internal Auditors, Altamonte Springs, FL, January 2002

The Institute of Internal Auditors

Exhibit 1-3 101


1220.A2 The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. 1220.C1 - The internal auditor should exercise due professional care during a consulting engagement by considering the: Needs and expectations of clients, including the nature, timing, and communication of engagement results. Relative complexity and extent of work needed to achieve the engagements objectives. Cost of the consulting engagement in relation to potential benefits. 1230 Continuing Professional Development Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development. 1300 Quality Assurance and Improvement Program The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program should be designed to help the internal auditing activity add value and improve the organizations operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics. 1310 Quality Program Assessments The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments. 1311 Internal Assessments Internal assessments should include: Ongoing reviews of the performance of the internal audit activity; and Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal auditing practices and the Standards. 
1312 External Assessments External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. 1320 Reporting on the Quality Program The chief audit executive should communicate the results of external assessments to the board.

Source: Professional Practices Framework, Institute of Internal Auditors, Altamonte Springs, FL, January 2002

The Institute of Internal Auditors

102 Establishing An Internal Audit Activity Manual


1330 Use of Conducted in Accordance with the Standards Internal auditors are encouraged to report that their activities are conducted in accordance with the Standards for the Professional Practice of Internal Auditing. However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards. 1340 Disclosure of Noncompliance Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board. PERFORMANCE STANDARDS 2000 Managing the Internal Audit Activity The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization. 2010 Planning The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals. 2010.A1 - The internal audit activitys plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process. 2010.C1 - The chief audit executive should consider accepting proposed consulting engagements based on the engagements potential to improve management of risks, add value, and improve the organizations operations. Those engagements that have been accepted should be included in the plan. 2020 Communication and Approval The chief audit executive should communicate the internal audit activitys plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations. 
2030 Resource Management The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. 2040 Policies and Procedures

Source: Professional Practices Framework, Institute of Internal Auditors, Altamonte Springs, FL, January 2002

The Institute of Internal Auditors

Exhibit 1-3 103


The chief audit executive should establish policies and procedures to guide the internal audit activity.

2050 Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

2060 Reporting to the Board and Senior Management
The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

2100 Nature of Work
The internal audit activity evaluates and contributes to the improvement of risk management, control and governance systems.

2110 Risk Management
The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

2110.A1 - The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

2110.A2 - The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.

2110.C1 - During consulting engagements, internal auditors should address risk consistent with the engagement's objectives and should be alert to the existence of other significant risks.

2110.C2 - Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

2120 Control
The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Source: Professional Practices Framework, Institute of Internal Auditors, Altamonte Springs, FL, January 2002

The Institute of Internal Auditors

104 Establishing An Internal Audit Activity Manual

2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.

2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

2120.A3 - Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

2120.C1 - During consulting engagements, internal auditors should address controls consistent with the engagement's objectives and should be alert to the existence of any significant control weaknesses.

2120.C2 - Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

2130 Governance
The internal audit activity should contribute to the organization's governance process by evaluating and improving the process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.

2130.A1 - Internal auditors should review operations and programs to ensure consistency with organizational values.

2130.C1 - Consulting engagement objectives should be consistent with the overall values and goals of the organization.

2200 Engagement Planning
Internal auditors should develop and record a plan for each engagement.

2201 - Planning Considerations
In planning the engagement, internal auditors should consider:
- The objectives of the activity being reviewed and the means by which the activity controls its performance.
- The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
- The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model.
- The opportunities for making significant improvements to the activity's risk management and control systems.

2201.C1 - Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.

2210 Engagement Objectives
The engagement's objectives should address the risks, controls, and governance processes associated with the activities under review.

2210.A1 - When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

2210.A2 - The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.

2210.C1 - Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.

2220 Engagement Scope
The established scope should be sufficient to satisfy the objectives of the engagement.

2220.A1 - The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

2220.C1 - In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement.

2230 Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

2240 Engagement Work Program
Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.

2240.A1 - Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to the commencement of work, and any adjustments approved promptly.

2240.C1 - Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

2300 Performing the Engagement
Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

2310 Identifying Information
Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.

2320 Analysis and Evaluation
Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

2330 Recording Information
Internal auditors should record relevant information to support the conclusions and engagement results.

2330.A1 - The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2330.A2 - The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

2330.C1 - The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

2340 Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

2400 Communicating Results
Internal auditors should communicate the engagement results promptly.

2410 Criteria for Communicating
Communications should include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1 - The final communication of results should, where appropriate, contain the internal auditor's overall opinion.

2410.A2 - Engagement communications should acknowledge satisfactory performance.

2410.C1 - Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

2420 Quality of Communications
Communications should be accurate, objective, clear, concise, constructive, complete, and timely.

2421 Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all individuals who received the original communication.

2430 Engagement Disclosure of Noncompliance with the Standards
When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the:
- Standard(s) with which full compliance was not achieved,
- Reason(s) for noncompliance, and
- Impact of noncompliance on the engagement.

2440 Disseminating Results
The chief audit executive should disseminate results to the appropriate individuals.

2440.A1 - The chief audit executive is responsible for communicating the final results to individuals who can ensure that the results are given due consideration.

2440.C1 - The chief audit executive is responsible for communicating the final results of consulting engagements to clients.

2440.C2 - During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board.

2500 Monitoring Progress
The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 - The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 - The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

2600 Management's Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

Glossary

Add Value
Organizations exist to create value or benefit to their owners, other stakeholders, customers, and clients. This concept provides purpose for their existence. Value is provided through their development of products and services and their use of resources to promote those products and services. In the process of gathering data to understand and assess risk, internal auditors develop significant insight into operations and opportunities for improvement that can be extremely beneficial to their organization. This valuable information can be in the form of consultation, advice, written communications, or through other products, all of which should be properly communicated to the appropriate management or operating personnel.

Adequate Control
Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization's risks have been managed effectively and that the organization's goals and objectives will be achieved efficiently and economically.

Assurance Services
An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Board
A board of directors, audit committee of such boards, head of an agency or legislative body to whom internal auditors report, board of governors or trustees of a nonprofit organization, or any other designated governing bodies of organizations.

Charter
The charter of the internal audit activity is a formal written document that defines the activity's purpose, authority, and responsibility. The charter should (a) establish the internal audit activity's position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities.

Chief Audit Executive (CAE)
Top position within the organization responsible for internal audit activities. In a traditional internal audit activity, this would be the internal audit director. In the case where internal audit activities are obtained from outside service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results. The term also includes such titles as general auditor, chief internal auditor, and inspector general.

Code of Ethics
The purpose of the Code of Ethics of The Institute of Internal Auditors (IIA) is to promote an ethical culture in the global profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk, control, and governance. The Code of Ethics applies to both individuals and entities that provide internal audit services.
Compliance
The ability to reasonably ensure conformity and adherence to organization policies, plans, procedures, laws, regulations, and contracts.

Conflict of Interest
Any relationship that is or appears to be not in the best interest of the organization. A conflict of interest would prejudice an individual's ability to perform his or her duties and responsibilities objectively.

Consulting Services
Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization's operations. Examples include counsel, advice, facilitation, process design, and training.

Control
Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Environment
The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
- Integrity and ethical values.
- Management's philosophy and operating style.
- Organizational structure.
- Assignment of authority and responsibility.
- Human resource policies and practices.
- Competence of personnel.

Control Processes
The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

Engagement
A specific internal audit assignment, task, or review activity, such as an internal audit, Control Self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

Engagement Objectives
Broad statements developed by internal auditors that define intended engagement accomplishments.

Engagement Work Program
A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.

External Service Provider
A person or firm, independent of the organization, who has special knowledge, skill, and experience in a particular discipline. Outside service providers include, among others, actuaries, accountants, appraisers, environmental specialists, fraud investigators, lawyers, engineers, geologists, security specialists, statisticians, information technology specialists, external auditors, and other auditing organizations. The board, senior management, or the chief audit executive may engage an outside service provider.

Fraud
Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by individuals and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

Governance Process
The procedures utilized by the representatives of the organization's stakeholders (e.g., shareholders, etc.) to provide oversight of risk and control processes administered by management.

Impairments
Impairments to individual objectivity and organizational independence may include personal conflicts of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).

Internal Audit Activity
A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Objectivity
An unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.

Risk
The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.


Exhibit 2-1 113

Model Audit Committee Charter


The following sample charter captures many of the best practices used today. Of course, no sample charter encompasses all activities that might be appropriate to a particular audit committee, nor will all activities identified in a sample charter be relevant to every committee. Accordingly, this charter must be tailored to each committee's needs and governing rules.

Audit Committee Charter

PURPOSE
To assist the board of directors in fulfilling its oversight responsibilities for the financial reporting process, the system of internal control, the audit process, and the company's process for monitoring compliance with laws and regulations and the code of conduct.

AUTHORITY
The audit committee has authority to conduct or authorize investigations into any matters within its scope of responsibility. It is empowered to:

- Appoint, compensate, and oversee the work of any registered public accounting firm employed by the organization.
- Resolve any disagreements between management and the auditor regarding financial reporting.
- Pre-approve all auditing and non-audit services.
- Retain independent counsel, accountants, or others to advise the committee or assist in the conduct of an investigation.
- Seek any information it requires from employees (all of whom are directed to cooperate with the committee's requests) or external parties.
- Meet with company officers, external auditors, or outside counsel, as necessary.

COMPOSITION
The audit committee will consist of at least three and no more than six members of the board of directors. The board or its nominating committee will appoint committee members and the committee chair. Each committee member will be both independent and financially literate. At least one member shall be designated as the financial expert, as defined by applicable legislation and regulation.

MEETINGS
The committee will meet at least four times a year, with authority to convene additional meetings, as circumstances require. All committee members are expected to attend each meeting, in person or via tele- or video-conference. The committee will invite members of management, auditors or others to attend meetings and provide pertinent information, as necessary. It will hold private meetings with auditors (see below) and executive sessions. Meeting agendas will be prepared and provided in advance to members, along with appropriate briefing materials. Minutes will be prepared.

RESPONSIBILITIES
The committee will carry out the following responsibilities:

Financial Statements

- Review significant accounting and reporting issues, including complex or unusual transactions and highly judgmental areas, and recent professional and regulatory pronouncements, and understand their impact on the financial statements.
- Review with management and the external auditors the results of the audit, including any difficulties encountered.
- Review the annual financial statements, and consider whether they are complete, consistent with information known to committee members, and reflect appropriate accounting principles.
- Review other sections of the annual report and related regulatory filings before release and consider the accuracy and completeness of the information.
- Review with management and the external auditors all matters required to be communicated to the committee under generally accepted auditing Standards.
- Understand how management develops interim financial information, and the nature and extent of internal and external auditor involvement.
- Review interim financial reports with management and the external auditors before filing with regulators, and consider whether they are complete and consistent with the information known to committee members.

Internal Control

- Consider the effectiveness of the company's internal control system, including information technology security and control.
- Understand the scope of internal and external auditors' review of internal control over financial reporting, and obtain reports on significant findings and recommendations, together with management's responses.

Internal Audit

- Review with management and the chief audit executive the charter, plans, activities, staffing, and organizational structure of the internal audit function.
- Ensure there are no unjustified restrictions or limitations, and review and concur in the appointment, replacement, or dismissal of the chief audit executive.
- Review the effectiveness of the internal audit function, including compliance with The Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing.
- On a regular basis, meet separately with the chief audit executive to discuss any matters that the committee or internal audit believes should be discussed privately.

External Audit

- Review the external auditors' proposed audit scope and approach, including coordination of audit effort with internal audit.
- Review the performance of the external auditors, and exercise final approval on the appointment or discharge of the auditors.
- Review and confirm the independence of the external auditors by obtaining statements from the auditors on relationships between the auditors and the company, including non-audit services, and discussing the relationships with the auditors.
- On a regular basis, meet separately with the external auditors to discuss any matters that the committee or auditors believe should be discussed privately.

Compliance

- Review the effectiveness of the system for monitoring compliance with laws and regulations and the results of management's investigation and follow-up (including disciplinary action) of any instances of noncompliance.
- Review the findings of any examinations by regulatory agencies, and any auditor observations.
- Review the process for communicating the code of conduct to company personnel, and for monitoring compliance therewith.
- Obtain regular updates from management and company legal counsel regarding compliance matters.

Reporting Responsibilities

- Regularly report to the board of directors about committee activities, issues, and related recommendations.
- Provide an open avenue of communication between internal audit, the external auditors, and the board of directors.
- Report annually to the shareholders, describing the committee's composition, responsibilities and how they were discharged, and any other information required by rule, including approval of non-audit services.
- Review any other reports the company issues that relate to committee responsibilities.

Other Responsibilities

- Perform other activities related to this charter as requested by the board of directors.
- Institute and oversee special investigations as needed.
- Review and assess the adequacy of the committee charter annually, requesting board approval for proposed changes, and ensure appropriate disclosure as may be required by law or regulation.
- Confirm annually that all responsibilities outlined in this charter have been carried out.
- Evaluate the committee's and individual members' performance on a regular basis.

Extracted from IIA Web site www.theiia.org on 12/19/2002.


Exhibit 3-1 117


Position Description: Chief Audit Executive / Director of Internal Audit


DEPARTMENT: Internal Audit
WORKING TITLE: Chief Audit Executive / Director of Internal Audit

REPORTING RELATIONSHIPS
REPORTS TO: Chairman, Audit Committee, Board of Directors or Chief Executive Officer or Chief Financial Officer
COORDINATES WITH: Chief Executive Officer, Chief Financial Officer, Senior Management, Division and Department Management, External and Contract Auditors, Other Industry Organizations
SUPERVISES: Audit Managers, Staff and Project Teams

JOB FUNCTIONS
Range of Responsibility: Serves as the organization's chief audit executive and as a member of the executive management team. Performs advanced level professional internal auditing work as a key component of the corporate governance structure. Work involves directing a comprehensive audit program including performance, financial, and compliance audit projects; providing consulting services to the organization's management and staff; providing direction to development of the annual audit plan; and providing ongoing training, coaching and supervision to internal audit staff. Maintains organizational and professional ethical standards. Works independently with extensive latitude for initiative and independent judgement.

Other essential duties include, but are not limited to:
- Directs audit staff in the planning, organizing, directing and monitoring of internal audit operations, including assisting in hiring, training and evaluating staff; and taking corrective actions to address performance problems.
- Directs the identification and evaluation of the organization's risk areas and oversees the development of the annual audit plan.
- Directs the overall performance of audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes and procedures.
- Directs the audit staff in conducting interviews, reviewing documents, developing and administering surveys, composing summary memos, and preparing working papers.
- Directs the audit staff in the identification, development, and documentation of audit issues and recommendations.
- Communicates the results of audit and consulting projects via written reports and oral presentations to management and the board of directors.
- Develops and maintains productive client, staff, management, and board relationships through individual contacts and group meetings.
- Pursues professional development opportunities, including internal and external training and professional association memberships, and shares information gained with co-workers.
- Represents internal audit at management and board meetings and with external organizations.
- Performs related work as assigned by the audit committee of the board of directors.

MINIMUM QUALIFICATIONS
Education and Experience: Bachelor's degree from an accredited college or university. Certification as a CIA or CPA. Eight years of full-time experience in auditing, accounting, business analysis, or program evaluation, including four years of supervisory or project management experience. A graduate degree in business administration, public administration, or a related field, or a second certification (CIA, CPA, or CISA) may substitute for one year of required experience. The combination of a graduate degree and a second certification may substitute for two years of required experience.

Must also have the following demonstrated knowledge, skills, and abilities:
- Extensive knowledge of and skill in applying internal auditing and accounting principles and practices, and management principles and preferred business practices.
- Considerable knowledge of the Standards for the Professional Practice of Internal Auditing and the Code of Ethics developed by The Institute of Internal Auditors.
- Knowledge of management information systems terminology, concepts, and practices.
- Considerable knowledge of industry program policies, procedures, regulations, and laws.
- Considerable skill in conducting quality control reviews of audit work products.
- Skill in collecting and analyzing complex data, evaluating information and systems, and drawing logical conclusions.
- Extensive skill in planning and project management, and in maintaining composure under pressure while meeting multiple deadlines.
- Considerable skill in negotiating issues and resolving problems.
- Skill in using a computer with word processing, spreadsheet, and other business software to prepare reports, memos, summaries, and analyses.
- Considerable skill in effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations.
- Ability to establish and maintain harmonious working relationships with co-workers, staff, and external contacts, and to work effectively in a professional team environment.

PREFERRED QUALIFICATIONS
Experience in industry auditing or accounting, and in supervising and conducting audits in information systems and other areas pertinent to the industry. Graduate degree in business administration, public administration, or a related field.

This job description is intended only to describe the general nature of the position and does not constitute an all-inclusive list of duties, nor of the knowledge, skills, and abilities required to perform the job.

The Institute of Internal Auditors


Exhibit 3-2 119

Sample Internal Audit Activity Charter


MISSION AND SCOPE OF WORK

The mission of the internal audit activity is to provide independent, objective assurance and consulting services designed to add value and improve the organization's operations. It helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The scope of work of the internal audit activity is to determine whether the organization's network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:

• Risks are appropriately identified and managed.
• Interaction with the various governance groups occurs as needed.
• Significant financial, managerial, and operating information is accurate, reliable, and timely.
• Employees' actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
• Resources are acquired economically, used efficiently, and adequately protected.
• Programs, plans, and objectives are achieved.
• Quality and continuous improvement are fostered in the organization's control process.
• Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately.

Opportunities for improving management control, profitability, and the organization's image may be identified during audits. They will be communicated to the appropriate level of management.

ACCOUNTABILITY

The chief audit executive, in the discharge of his/her duties, shall be accountable to management and the audit committee to:

• Provide annually an assessment on the adequacy and effectiveness of the organization's processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
• Report significant issues related to the processes for controlling the activities of the organization and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
• Periodically provide information on the status and results of the annual audit plan and the sufficiency of activity resources.
• Coordinate with and provide oversight of other control and monitoring functions (risk management, compliance, security, legal, ethics, environmental, external audit).


120 Establishing An Internal Audit Activity Manual


INDEPENDENCE

To provide for the independence of the internal auditing activity, its personnel report to the chief audit executive, who reports functionally to the audit committee and administratively to the chief executive officer in a manner outlined in the above section on Accountability. It will include as part of its reports to the audit committee a regular report on internal audit personnel.

RESPONSIBILITY

The chief audit executive and staff of the internal audit activity have responsibility to:

• Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the audit committee for review and approval as well as periodic updates.
• Implement the annual audit plan, as approved, including as appropriate any special tasks or projects requested by management and the audit committee.
• Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter.
• Evaluate and assess significant merging/consolidating functions and new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion.
• Issue periodic reports to the audit committee and management summarizing results of audit activities.
• Keep the audit committee informed of emerging trends and successful practices in internal auditing.
• Provide a list of significant measurement goals and results to the audit committee.
• Assist in the investigation of significant suspected fraudulent activities within the organization and notify management and the audit committee of the results.
• Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the organization at a reasonable overall cost.

AUTHORITY

The chief audit executive and staff of the internal audit activity are authorized to:

• Have unrestricted access to all functions, records, property, and personnel.
• Have full and free access to the audit committee.
• Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
• Obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organization.



The chief audit executive and staff of the internal audit activity are not authorized to:

• Perform any operational duties for the organization or its affiliates.
• Initiate or approve accounting transactions external to the internal auditing activity.
• Direct the activities of any organization employee not employed by the internal auditing activity, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.

STANDARDS OF AUDIT PRACTICE

The internal audit activity will meet or exceed the Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors.

_________________________________
Chief Audit Executive

_________________________________
Chief Executive Officer

________________________________
Audit Committee Chair

Dated ___________________________

This sample internal audit activity charter is one example of how the mission, accountabilities, independence, responsibilities, authority, and standards of audit practice may be summarized.

Extracted from IIA Web site www.theiia.org on 12/19/2002


Exhibit 3-3 123

Mission Statements
MISSION STATEMENT # 1

Our mission is to provide a wide range of quality audit services to our customers. We will accomplish our mission by:
• Performing independent assessments of systems controls and efficiency, guided by professional standards and using innovative approaches.
• Supporting our customers' efforts to achieve their objectives.
• Maintaining a dynamic, team-oriented environment which encourages personal and professional growth, and challenges and rewards our employees for excelling and reaching their full potential.

- Or -

MISSION STATEMENT # 2

Our mission is to assist members of management and the board of directors (or audit committee of the board of directors) in the effective discharge of their responsibilities. To this end internal audit will furnish them with analysis, recommendations, counsel, and information concerning activities reviewed.


Exhibit 3-4 125

EXECUTIVE ENDORSEMENT OF THE INTERNAL AUDITING CHARTER


The enterprise's team of internal audit professionals is an essential tool of management, complementing other elements of management control by performing independent appraisals of all company activities and other consulting activities. The role of the internal audit activity is to provide an independent, objective assurance and consulting activity designed to add value and improve the organization's operations. It helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Management retains full control over the implementation of these recommendations.

Internal auditing is a staff and advisory function. The internal audit activity assures senior management and the board of directors, through the audit committee, that all reviewed functions are working in a manner that is consistent with established policies and procedures. Hence, full and confidential access to company facilities, records, and personnel is necessary for internal auditors to fulfill their responsibilities. Everyone's full cooperation during an audit is essential.

Our desire is that management in the enterprise look to the internal audit activity to provide:
• Independent and impartial review of operational and administrative controls.
• Enterprise-wide exchange of ideas concerning good methods and techniques, as observed throughout the enterprise by the audit staff.
• A source of future enterprise managers: managers who have been exposed to the enterprise's people, practices, philosophies, and key interrelationships.

The internal audit activity charter is the formal document that specifies the internal auditors' authority and responsibilities. The charter is important to management, the people being audited, and the audit staff. Our endorsement of the internal audit activity charter underscores the importance of the internal audit function in enterprise operations. We ask for your continued cooperation as our auditors fulfill their important responsibility to the corporation.

Chairman and Chief Executive Officer

Exec. Vice President and Chief Financial Officer

President and Chief Operating Officer


See Chapter 3 for related material.


Exhibit 3-5 127

INTERNAL AUDITING OPERATING POLICY


NATURE

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a disciplined approach to evaluating and improving the effectiveness of its risk management, control, and governance processes. The department activities are to be performed in a manner which provides reasonable assurance that audit work conforms with the Standards for the Professional Practice of Internal Auditing, the corporate internal audit charter, and effectiveness and efficiency procedures designed to control audit work. Management, external auditors, the audit committee of the board of directors, government/regulatory agencies and company shareholders all rely on performance consistent with the reasonable assurance guidelines.

ACTIVITY

The activity of internal auditing is primarily one of information gathering, review, analysis, evaluation, appraisal, and testing for the degree of compliance with and the adequacy of managerial systems and controls put in place to mitigate risks that exist in achieving organizational objectives. It is a staff advisory function and, therefore, does not exercise authority over other persons in the organization or establish and implement policies and procedures. The internal audit activity is free to review and appraise policies, plans, procedures, and other internal controls in any area of the company, and to report audit observations and recommendations for improvement to the people who have managerial responsibility. This review and appraisal in no way relieves other persons in the organization of responsibilities assigned to them.

ORGANIZATION

The chief audit executive reports to the company's senior vice president, finance, and to the board of directors/audit committee thereby insuring the degree of independence essential to the effectiveness of internal auditing.
The managers of the individual audit groups report to the chief audit executive. Staff members report to their respective managers unless otherwise directed. The audit staff shall normally be headquartered at the company's corporate headquarters; however, individual or groups of auditors may be headquartered at various locations of the company.

PERSONNEL

The department will be primarily staffed with individuals who have the necessary knowledge, skills, and core competencies to complete the assigned work. Such persons shall possess professional attributes that qualify them to excel in interpersonal relationships. They shall be inquisitive, self-motivated, and have a desire to develop their ability to identify problems and convincingly present recommendations through written reports, oral presentations, and personal discussions. There are generally two career tracks available to internal auditors: progressing to levels of greater responsibility within internal audit or moving into another operating area. The choice to move into another operating area may be done at any point in one's career. The length of time each internal auditor spends in auditing depends on several factors, including work experience, the individual's rate of development, the need for competent individuals in other departments, and the desires of the individual. Generally the time spent in internal auditing will be from two to three years. To move to another area, the individual must have a performance level at least meeting the individual's position accountabilities. Staff members may consist of individuals promoted from within the company as well as those recruited from outside sources. Persons having special talents may on occasion be obtained on a loan basis from other functions within the company to assist on a project basis.

AUDIT OBJECTIVE

The objective of internal auditing is to assist management in the effective discharge of their responsibilities by furnishing them with reports setting forth independent and objective analyses, appraisals, recommendations, and pertinent comments concerning the activities audited. Internal auditing shall, therefore, be concerned with any phase of business activity in which it can be of service to management. In the course of audit examinations, internal auditing shall:

1. Review and appraise the adequacy, soundness, and application of accounting, financial, management reporting, and other operating controls and make recommendations for improved practices and techniques where appropriate.
2. Determine that policies and procedures are being interpreted properly and carried out as established, and are adequate and effective, and make recommendations for revision where changes in operating conditions have made them cumbersome, obsolete, or inadequate.
3. Determine the reliability, effectiveness, and efficiency of procedures designed to ensure the organization is compliant with applicable laws and regulations.
4. Determine whether appropriate procedures exist within operations for self-assessment and continuous improvements.

In carrying out these objectives, the internal auditors' work should be performed with proficiency and due professional care. The staff shall:

Proficiency

Possess the knowledge, skills, and competencies needed to perform their individual responsibilities. The internal audit activity collectively should have the knowledge, skills, and competencies needed to perform its responsibilities (PPF Section 1210).



The chief audit executive will obtain competent advice and assistance if the individual internal audit staff lacks the knowledge, skills, or competencies needed to perform all or part of an engagement. (PPF Section 1210.A1) The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. (PPF Section 1210.A2)

Due Professional Care

Should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility. (PPF Section 1220)

1. The internal auditor should exercise due professional care by considering the: (PPF Section 1220.A1)
   • Extent of work needed to achieve the engagement objectives.
   • Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
   • Adequacy and effectiveness of risk management, control, and governance processes.
   • Probability of significant errors, irregularities, or noncompliance.
   • Cost of assurance in relation to potential benefits.

2. The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. (PPF Section 1220.A2)

Continuing Professional Development

Shall enhance their knowledge, skills, and other competencies through continuing professional development. (PPF Section 1230)

All activities of the department shall be carefully planned by the chief audit executive, managers and auditors to ensure consistency with the department's charter and procedures and with the goals of the corporation.

RELATIONS WITH MANAGEMENT

It is the policy of internal auditing to conduct internal audits in a constructive manner. Whenever possible, the assistance of division personnel will be solicited in the planning and performance of the assignment. A spirit of collaborative teamwork between the auditor and those audited will be adhered to. This attitude shall not alter the fact that internal auditing personnel have full access to all records, personnel, properties, and any other sources of information needed in the performance of an audit. When necessary, special arrangements will be made for the examination of confidential or classified information.



Prior to the start of each audit, the division head or appropriate department head will be advised concerning the tentative time schedule and general scope of the audit. A confirming memo signed by the chief audit executive shall be sent to appropriate management, who in turn are responsible for conveying the audit schedule to persons affected.

RELATIONS WITH PUBLIC ACCOUNTANTS

The audit committee of the board of directors oversees the work of the external auditors. The chief audit executive is the primary management official responsible for coordinating the external audit relationship. An attitude of cooperation and collaboration best describes the relationship of internal auditing to the company's public accountants. This relationship, rather than one which recognizes internal auditing merely as an extension of the public accountants, is necessary due to the difference in objectives. The public accountants are primarily concerned with the annual examination which takes the form of a verification of assets and liabilities as of a certain date and such analysis of the income statement as will enable them to express an opinion as to the fairness of the financial statements. The scope of their examination includes a review of internal controls concerned mainly with the safeguarding of assets and reliability of financial records. In contrast, internal auditing is concerned with a comprehensive continuing program of audits which places emphasis on risk management, control, governance processes, and efficient profitable operations. The scope of this program includes the COSO control model framework to include environmental controls, risk assessment, control activities, information and communication and monitoring.

Coordination of internal audit activities with the public accountants principally involves checking and working with each other to insure: (1) maximum audit coverage is obtained, (2) there is an exchange of information, and (3) a minimum duplication of effort and expense on routine phases of audit work. Ongoing, direct communication between the chief audit executive and the external auditors is maintained to foster coordination of audit work. Annual meetings are conducted with the chief audit executive and external auditors to determine appropriate areas of mutual reliance or potential sharing of specific objectives (joint teams). Coordinated or integrated audit programs are developed as appropriate. Prior to meetings with the audit committee of the board of directors, the chief audit executive meets with the external auditors to discuss the presentation of control issues, which may include significant control weaknesses, errors and irregularities, illegal acts, management judgments and accounting estimates, significant audit arrangements, disagreements with management, or difficulties encountered in performing audits. Discussion may also cover audit techniques, methods, and sampling approaches. Internal audit work product review/sharing is subject to the chief audit executive and chief financial officer and general counsel authorization. Internal or external audit work product sharing is carefully performed to ensure proper safeguarding, confidentiality and interpretation of audit results. Supplemental discussion is conducted as needed. External auditors request and review selected internal audit reports. The chief audit executive receives copies of all external audit management letters which are used for annual audit plan risk analysis input and as a preliminary survey reference item.


From time to time, members of the audit staff may be assigned to work under the direction of the public accountants if such assignment is deemed to be in the best interest of the company (e.g., noteworthy savings in audit fees, beneficial staff training, etc.). During such assignment, the auditor will report to the public accountants for direction concerning work assignments. In other administrative matters, he or she will continue to look to the chief audit executive for direction.

SPECIAL ASSIGNMENTS

From time to time, members of the audit staff may, upon request, be assigned to work directly for other company divisions and departments on special projects which are in no way connected with internal auditing's program. During such assignments, the auditor will report to the requesting organization concerning work assignment; however, in other administrative matters, the auditor will look to the chief audit executive for direction.

REVIEW, ACKNOWLEDGMENT AND RESPONSE TO INTERNAL AUDIT REPORTS

It is the policy of internal auditing to reach agreement with affected personnel concerning the correctness of the facts surrounding the audit findings prior to distribution of the final report. Where appropriate, corrective action to be taken should be ascertained and included in the report. The individual responsible for the corrective action and the key milestone dates for corrective action completion should also be included. On occasion the internal audit staff may work with audit customers to seek the best solution to deficiencies noted during the audit. To assure that agreement is reached as to statements of facts, the audit results to be included in the report are reviewed with the division head, controller, or their designee who are later furnished a draft copy of the audit report for review prior to distribution. After the chief audit executive is satisfied that the audit report is appropriate in the circumstances, final distribution of the report is made.

Copies of the report are issued to the appropriate division personnel. When appropriate, excerpts from audit reports are forwarded to the functional corporate staff head. If responses (action taken or planned and the estimated date of implementation) to recommendations have not been included in the final report, the applicable audit manager and the chief audit executive will work with the division head to obtain mutually agreeable responses to audit points. These action plans will be forwarded to original report recipients. The chief audit executive is ultimately responsible for evaluating division responses. The internal audit department will work with division management and corporate executives as appropriate to resolve any inadequate response. On corporate audits, the audit report is issued to the functional corporate staff head who reviews and responds to the report.



Audit reports are company confidential and therefore have limited distribution. They shall not be reproduced or transmitted to others without the express permission of the chief audit executive.

FOLLOW-UP ON MATTERS REPORTED BY INTERNAL AUDIT

The appropriate operating senior management is responsible for the timely implementation of corrective action for items reported by internal audit, and is to keep the chief audit executive advised of the status. If there are delays in implementing corrective action, the chief audit executive should be notified immediately as to the nature and reason for the delay. The chief audit executive will report to senior management and the board of directors/audit committee on progress the organization is making on those matters previously reported by internal audit. Where progress is not satisfactory, the chief audit executive should consider inviting the responsible management to discuss the matter with senior management and the board of directors/audit committee.


Exhibit 3-6 133

CORPORATE AUDIT POLICY


(Approved by the Board of Directors 1/27/XX)
(Approved by the Executive Committee 2/20/XX)

The audit function plays an essential and useful role in the conduct of successful operations. It serves to examine and evaluate financial, administrative and operational activities of the enterprise, supplying management personnel at all levels with information to assist in their control of the assets and operations for which they are responsible. This policy applies to auditing's relationship with all enterprise organizations and sets forth the guidelines by which this function will be carried on.

Independent Public Accountants

The audit committee of the board of directors will recommend the appointment of the enterprise's independent public accountants to the board of directors to assure the conduct of audits as required by statutory regulations and financial community considerations. The independent public accountants can be requested to perform special non-audit services as deemed necessary by management and approved by the chief audit executive to the extent that such services do not in any way affect the independence of the independent public accountants nor limit the scope of their independent examination. The audit committee of the board of directors will review the extent of such non-audit services on an annual basis to assure that such independence is not impaired. The independent public accountants will also periodically meet privately with the audit committee of the board of directors to express any major concerns they may have encountered in their work.

Internal Auditors

A comprehensive internal audit program will be pursued to provide management with evaluations of the effectiveness of internal controls over accounting, operational, and administrative functions. The auditors will take into consideration that our activity is always to be conducted with the highest standards of business ethics, integrity, and honest dealings in all areas and functions within the enterprise and with all outside parties. The chief audit executive will develop and carry out the internal audit program and assure its coordination with the activities of all external auditors, including independent public accountants, governmental, contract and joint venture auditors. The internal auditors and the independent auditors shall have direct access to the audit committee of the board of directors without censorship by internal management. At least annually, the audit committee of the board of directors shall have a private meeting with the chief audit executive during which the committee shall ask for comments on a) management support of the audit function, b) quality of the audit effort, c) quality of the internal controls, and d) other areas of concern that the chief audit executive feels appropriate.



The internal suditors shall, to the maximum extent possible, have no authority over, or responsibility for, any of the activities audited, and shall not perform accounting or other operational functions outside their organization that might require subsequent audit. The internal suditing activity is the sole organization which will perform, or sanction others to perform, internal audits within the Enterprise. Also, the internal auditing activity will generally sanction audits within subsidiaries. Only personnel assigned to the internal auditing activity will be referred to as auditors and only their work will be referred to as audit activities. Others performing other work involving normal review and verification of various aspects of the enterprise's operations will not be referred to as auditors and their work will not be referred to as audit activities. Scope of the Internal Audit Function The chief audit executive will direct a broad, comprehensive program of internal auditing within the enterprise. The internal audit program will primarily examine and evaluate the adequacy of effectiveness of the system of management control and those policies, procedures, and plans the enterprise and its subsidiaries have adopted to guide their activities. The chief audit executive and the staff of auditors shall have full, free and unrestricted access to all operations, records, property, and personnel within the enterprise and its subsidiaries. All employees shall cooperate fully in making available any material or information requested by an auditor. Further, all employees are expected to bring to the attention of the chief audit executive any suspected situation involving improper activity or noncompliance with applicable policies, plans, procedures, laws, or regulations of which they have knowledge. 
The board of directors expects that managers will be candid with the auditors and higher management at all times and not conceal information which could be interpreted by subordinates as a signal that enterprise policies and rules including accounting and control rules, can be ignored whenever they are inconvenient. Internal Auditing Responsibilities Responsibilities of the chief audit executive include, but are not necessarily limited to, the following: a. Audit of the means used to identify, measure, classify, and report financial and operating information to ensure its integrity and conformance to generally accepted accounting principles. Appraise internal controls giving attention to both financial and operating controls. Promote effective internal control subject to reasonable cost benefit considerations.

The Institute of Internal Auditors

Exhibit 3-6 135


   - Evaluate the accuracy, reliability, and completeness of management data developed within all organizations.
   - Call to the attention of the board of directors any indication of a deviation in implementing an approved policy or decision of the board of directors or executive committee.

b. Determine the degree of compliance with those policies, plans, procedures, laws, and regulations which have or could have a significant impact on operations and reports, except as qualified by (f) below.
   - Evaluate compliance with enterprise policies and procedures.
   - Review compliance with governmental laws.
   - Review compliance with new accounting rules and standards.

c. Assess the economy and efficiency with which resources are employed and assets are safeguarded.
   - Provide counsel in implementing new systems and procedures.
   - Advise on internal control matters.

d. Determine whether operating and financial objectives, goals, associated control procedures, and reported results are accurately and effectively prepared.

e. Assess compliance with established standards of business ethics and the procedures for reporting violations or probable violations of enterprise policies.
   - Report all potential conflicts of interest that come to his/her attention to the board or designated board committee.

f. Many specialized activities of the enterprise can be more effectively reviewed by organizations other than the internal auditing activity. The responsible corporate officer will collaborate with the chief audit executive to reasonably ensure that adequate alternative compliance coverage is available for these selected activities. However, it will remain the responsibility of auditing to review and report on any matters of deficiency that may come to their attention in these specialized areas during the course of their regular audit coverage. Examples of these specialized compliance areas are:
   - Environmental law and regulation.
   - Adequacy of personnel records and quality of documentation.


136 Establishing An Internal Audit Activity Manual


   - Compliance with domestic and foreign income tax laws and regulations.
   - Restrictive trade practices laws and regulations.
   - Equal employment opportunity laws and regulations.

Internal Auditing Functions

The chief audit executive will ensure that:

a. Organizations within the enterprise and its subsidiaries are audited at appropriate intervals. These audits will review the adequacy of operational and administrative procedures used to carry out responsibilities of planning, custody, control, and accounting in accordance with policies and instructions, and will determine that:
   - These procedures are consistent with enterprise objectives and high standards of administrative practice.
   - All echelons of management are providing higher management with accurate and properly prepared accounting and operating data, budget proposals, etc.

b. Audits of contracts are conducted in keeping with management's evaluation of the risks associated with large project expenditures. Contract audits will also be conducted as needed to ensure compliance with enterprise policies.

c. The findings of the examinations by auditors, and their opinions and recommendations, are reported promptly to management. Reports of such matters are to be designed to promote expeditious action by those concerned.

Internal Audit Reports

Internal audit reports will be issued for each regular audit performed, in the format specified and in accordance with the procedures established in the auditing activity. Management will be held responsible for ensuring that corrective action is taken or planned within a reasonable period after a deficiency is reported. Management will also be required to report on a quarterly basis the actions taken for each such deficiency until it is corrected. In this regard the chief audit executive will report to the audit committee of the board of directors any instance where a significant deficiency is not closed in such a manner, within a reasonable time, by the concerned management. Additionally, each manager will receive a quarterly summary of the audit activities and major findings reported within his/her administrative area for his/her review.


Exhibit 5-1 137

Position Description Staff Auditor


DEPARTMENT: Internal Audit
WORKING TITLE: Staff Auditor

REPORTING RELATIONSHIPS
REPORTS TO: Audit Manager, Audit Supervisor or Senior Auditor
COORDINATES WITH: Audit Management, Senior Management, All Divisions and Departments, External and Contract Auditors
SUPERVISES: None

JOB FUNCTIONS
Range of Responsibility: Performs professional internal auditing work. Work involves conducting performance, financial and compliance audit projects; providing consulting services to the organization's management and staff; and providing input to development of the annual audit plan. Maintains all organizational and professional ethical standards. Works under limited supervision with moderate latitude for initiative and independent judgment.

Other essential duties include, but are not limited to:
- Assists in identifying and evaluating the organization's risk areas and provides input to the development of the annual audit plan.
- Performs audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes and procedures.
- Conducts interviews, reviews documents, develops and administers surveys, composes summary memos, and prepares working papers.
- Identifies, develops, and documents audit issues and recommendations using independent judgment concerning areas being reviewed.
- Communicates or assists in communicating the results of audit and consulting projects via written reports and oral presentations to management and the board of directors.
- Develops and maintains productive client and staff relationships through individual contacts and group meetings.
- Pursues professional development opportunities, including external and internal training and professional association memberships, and shares information gained with co-workers.
- Represents internal audit on organizational project teams and at management meetings.
- Performs related work as assigned by audit management.

MINIMUM QUALIFICATIONS
Education and Experience: Bachelor's degree from an accredited college or university. Two years of full-time experience in auditing, accounting, business analysis, or program evaluation. A graduate degree in business administration, public administration, or a related field, or certification as a CIA, CPA, or CISA, may substitute for one year of required experience. The combination of a graduate degree and a certification may substitute for two years of required experience.


Must also have the following demonstrated knowledge, skills, and abilities:
- Knowledge of and skill in applying internal auditing and accounting principles and practices, and management principles and preferred business practices.
- Knowledge of the Standards for the Professional Practice of Internal Auditing and the Code of Ethics developed by The Institute of Internal Auditors.
- Knowledge of management information systems terminology, concepts, and practices.
- Knowledge of industry program policies, procedures, regulations, and laws.
- Skill in conducting quality control reviews of audit work products.
- Skill in collecting and analyzing complex data, evaluating information and systems, and drawing logical conclusions.
- Skill in planning and project management, and in maintaining composure under pressure while meeting multiple deadlines.
- Skill in negotiating issues and resolving problems.
- Skill in using a computer with word processing, spreadsheet, and other business software to prepare reports, memos, summaries, and analyses.
- Skill in effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations.
- Ability to establish and maintain harmonious working relationships with co-workers, agency staff, and external contacts, and to work effectively in a professional team environment.

PREFERRED QUALIFICATIONS
- Experience in industry auditing and accounting.
- Certification as a CIA, CPA, or CISA.

This job description is intended only to describe the general nature of the position and does not constitute an all-inclusive list of duties, nor of the knowledge, skills, and abilities required to perform the job.


Exhibit 5-2 139

Position Description: Senior Auditor


DEPARTMENT: Internal Audit
WORKING TITLE: Senior Auditor

REPORTING RELATIONSHIPS
REPORTS TO: Audit Manager or Audit Supervisor
COORDINATES WITH: Audit Management, Senior Management, All Divisions and Departments, External and Contract Auditors
SUPERVISES: Project Teams

JOB FUNCTIONS
Range of Responsibility: Performs complex-level professional internal auditing work. Work involves leading or conducting performance, financial, and compliance audit projects; providing consulting services to the organization's management and staff; providing key input to development of the annual audit plan; and providing training and coaching to internal audit staff. Maintains all organizational and professional ethical standards. Works independently under general supervision with considerable latitude for initiative and independent judgment.

Other essential duties include, but are not limited to:
- Identifies and evaluates the organization's risk areas and provides key input to the development of the annual audit plan.
- Performs audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes and procedures.
- Conducts interviews, reviews documents, develops and administers surveys, composes summary memos, and prepares working papers.
- Identifies, develops, and documents audit issues and recommendations using independent judgment concerning areas being reviewed.
- Communicates or assists in communicating the results of audit and consulting projects via written reports and oral presentations to management and the board of directors.
- Develops and maintains productive client and staff relationships through individual contacts and group meetings.
- Pursues professional development opportunities, including external and internal training and professional association memberships, and shares information gained with co-workers.
- Represents internal audit on organizational project teams, at management meetings, and with external organizations.
- Provides or assists in providing training, coaching, and guidance to internal audit staff in conducting audits and other audit-related issues.
- Performs related work as assigned by audit management.

MINIMUM QUALIFICATIONS
Education and Experience: Bachelor's degree from an accredited college or university, certification as a CIA, CPA, or CISA, and four years of full-time experience in auditing, accounting, business analysis, or program evaluation.



A graduate degree in business administration, public administration, or a related field, or a second certification (CIA, CPA, or CISA), may each substitute for one year of required experience (for a maximum substitution of two years). Two years of supervisory or project management experience.

Must also have the following demonstrated knowledge, skills, and abilities:
- Considerable knowledge of and skill in applying internal auditing and accounting principles and practices, and management principles and preferred business practices.
- Knowledge of the Standards for the Professional Practice of Internal Auditing and the Code of Ethics developed by The Institute of Internal Auditors.
- Knowledge of management information systems terminology, concepts, and practices.
- Knowledge of industry program policies, procedures, regulations, and laws.
- Skill in conducting quality control reviews of audit work products.
- Skill in collecting and analyzing complex data, evaluating information and systems, and drawing logical conclusions.
- Considerable skill in planning and project management, and in maintaining composure under pressure while meeting multiple deadlines.
- Skill in negotiating issues and resolving problems.
- Considerable skill in using a computer with word processing, spreadsheet, and other business software to prepare reports, memos, summaries, and analyses.
- Considerable skill in effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations.
- Ability to establish and maintain harmonious working relationships with co-workers, staff and external contacts, and to work effectively in a professional team environment.

PREFERRED QUALIFICATIONS
- Experience in industry auditing and accounting.
- Certification as a CIA, CPA, or CISA.

This job description is intended only to describe the general nature of the position and does not constitute an all-inclusive list of duties, nor of the knowledge, skills, and abilities required to perform the job.


Exhibit 5-3 141

Position Description: Manager of Internal Auditing


DEPARTMENT: Internal Audit
WORKING TITLE: Manager of Internal Auditing

REPORTING RELATIONSHIPS
REPORTS TO: Chief Audit Executive/Director of Internal Audit
COORDINATES WITH: Senior Management, All Divisions and Departments, External and Contract Auditors
SUPERVISES: Assigned Audit Staff and Project Teams

JOB FUNCTIONS
Range of Responsibility: Performs advanced-level and/or managerial professional internal auditing work. Work involves managing or conducting performance, financial, and compliance audit projects; providing consulting services to organizational management and staff; providing major input to development of the annual audit plan; and providing training, coaching, and supervision to internal audit staff. Maintains all organizational and professional ethical standards. Works independently under general direction with extensive latitude for initiative and independent judgment.

Other essential duties include, but are not limited to:
- Assists the director of internal audit/chief audit executive in managing audit staff and in the planning, organizing, directing, and monitoring of internal audit operations, including assisting in hiring, training, and evaluating staff and taking corrective actions to address performance problems.
- Manages the identification and evaluation of the organization's risk areas and provides major input to the development of the annual audit plan.
- Manages the performance of audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes and procedures.
- Manages the audit staff in conducting interviews, reviewing documents, developing and administering surveys, composing summary memos, and preparing working papers.
- Manages the audit staff in the identification, development, and documentation of audit issues and recommendations.
- Communicates the results of audit and consulting projects via written reports and oral presentations to management and the board of directors.
- Develops and maintains productive client, staff, and management relationships through individual contacts and group meetings.
- Pursues professional development opportunities, including external and internal training and professional association memberships, and shares information gained with co-workers.
- Represents internal audit on organizational project teams, at management and board meetings, and with external organizations.
- Performs related work as assigned by the director of internal audit/chief audit executive.

MINIMUM QUALIFICATIONS
Education and Experience: Bachelor's degree from an accredited college or university. Certification as a CIA, CPA, or CISA.



Six years of full-time experience in auditing, accounting, business analysis, or program evaluation, including three years of supervisory or project management experience. A graduate degree in business administration, public administration, or a related field, or a second certification (CIA, CPA, or CISA), may substitute for one year of required experience. The combination of a graduate degree and a second certification may substitute for two years of required experience.

Must also have the following demonstrated knowledge, skills, and abilities:
- Extensive knowledge of and skill in applying internal auditing and accounting principles and practices, and management principles and preferred business practices.
- Considerable knowledge of the Standards for the Professional Practice of Internal Auditing and the Code of Ethics developed by The Institute of Internal Auditors.
- Knowledge of management information systems terminology, concepts, and practices.
- Considerable knowledge of industry program policies, procedures, regulations, and laws.
- Skill in conducting quality control reviews of audit work products.
- Skill in collecting and analyzing complex data, evaluating information and systems, and drawing logical conclusions.
- Extensive skill in planning and project management, and in maintaining composure under pressure while meeting multiple deadlines.
- Considerable skill in negotiating issues and resolving problems.
- Skill in using a computer with word processing, spreadsheet, and other business software to prepare reports, memos, summaries, and analyses.
- Considerable skill in effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations.
- Ability to establish and maintain harmonious working relationships with co-workers, staff and external contacts, and to work effectively in a professional team environment.

PREFERRED QUALIFICATIONS
- Experience in industry auditing or accounting, and in supervising and conducting audits in information systems and other areas pertinent to the industry.
- Graduate degree in business administration, public administration, or a related field.

This job description is intended only to describe the general nature of the position and does not constitute an all-inclusive list of duties, nor of the knowledge, skills, and abilities required to perform the job.


Exhibit 5-4 143

Position Description: Information Technology Auditor


DEPARTMENT: Internal Audit
WORKING TITLE: Information Technology Auditor

REPORTING RELATIONSHIPS
REPORTS TO: Audit Manager or Audit Supervisor
COORDINATES WITH: Audit Management, Senior Management, All Divisions and Departments, External and Contract Auditors
SUPERVISES: Project Teams

JOB FUNCTIONS
Range of Responsibility: Performs complex-level professional internal auditing work. Work involves leading or conducting performance, financial, compliance, and information technology audit projects; providing consulting services to the organization's management and staff; providing key input to development of the annual audit plan; and providing training and coaching to internal audit staff. Responsible for identifying technology risks, and independently evaluating the efficiency and effectiveness of information technology infrastructure and application controls, including security and internal controls. Maintains all organizational and professional ethical standards. Works independently under general supervision with considerable latitude for initiative and independent judgment.

Other essential duties include, but are not limited to:
- Identifies and evaluates the organization's risk areas and provides key input to the development of the annual audit plan.
- Performs audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes and procedures.
- Conducts interviews, reviews documents, develops and administers surveys, composes summary memos, and prepares working papers.
- Identifies, develops, and documents audit issues and recommendations using independent judgment concerning areas being reviewed.
- Communicates or assists in communicating the results of audit and consulting projects via written reports and oral presentations to management and the board of directors.
- Develops and maintains productive client and staff relationships through individual contacts and group meetings.
- Pursues professional development opportunities, including external and internal training and professional association memberships, and shares information gained with co-workers.
- Represents internal audit on organizational project teams, at management meetings, and with external organizations.
- Provides or assists in providing training, coaching, and guidance to internal audit staff in conducting audits and other audit-related issues.
- Plans and executes audits of client/server technology platforms (Novell, NT, Unix, Sybase, mainframe), evaluates IT internal controls, and works collaboratively with management to identify actions needed.
- Conducts data extraction, analysis, and security reviews utilizing software tools.
- Supports audits and consulting engagements related to programming, mainframe batch and online processes, client-server architecture, Internet and intranet functionality, database extraction, technology strategy, and data communication and network security.
- Acts as liaison with IT business partners to ensure full understanding of data flow, data integrity, and system security.
- Assesses information technology control elements to mitigate IT risks regarding the confidentiality, integrity, and availability of business information.
- Performs related work as assigned by audit management.


MINIMUM QUALIFICATIONS
Education and Experience: Bachelor's degree from an accredited college or university, certification as a CISA, and four years of full-time experience in auditing, accounting, business analysis, or program evaluation, including two years of experience conducting information technology audits. A graduate degree in business administration, public administration or a related field, or a second certification (CIA, CPA, or CISA), may each substitute for one year of required experience (for a maximum substitution of two years).

Must also have the following demonstrated knowledge, skills, and abilities:
- Considerable knowledge of and skill in applying internal auditing and accounting principles and practices, and management principles and preferred business practices.
- Knowledge of the Standards for the Professional Practice of Internal Auditing and the Code of Ethics developed by The Institute of Internal Auditors.
- Knowledge of management information systems terminology, concepts, and practices.
- Knowledge of industry program policies, procedures, regulations, and laws.
- Skill in conducting quality control reviews of audit work products.
- Skill in collecting and analyzing complex data, evaluating information and systems, and drawing logical conclusions.
- Considerable skill in planning and project management, and in maintaining composure under pressure while meeting multiple deadlines.
- Skill in negotiating issues and resolving problems.
- Considerable skill in using a computer with word processing, spreadsheet, and other business software to prepare reports, memos, summaries, and analyses.
- Considerable skill in effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations.
- Ability to establish and maintain harmonious working relationships with co-workers, staff and external contacts, and to work effectively in a professional team environment.
- Considerable knowledge of distributed technology (i.e., Unix/Sybase and Windows NT), Web-based technology, and basic infrastructure control issues.
- Considerable skill in assessing the effectiveness of internal controls over key IT risks, identifying significant exposures, analyzing transactions and other management information, and detecting changes in key risks and/or control effectiveness.
- Skill in developing appropriate recommendations to address exposures.
- Knowledge of generally accepted IS audit standards, statements and practices, and IS security and control practices.
- Ability to learn new operations quickly and work independently is a must.

PREFERRED QUALIFICATIONS
- Experience in industry auditing or accounting and in conducting audits in information systems and other areas pertinent to the industry.
- Exposure to CAAT (Computer Assisted Applications Testing).
- Experience with networking (Novell, Windows NT).
- Exposure to system security packages (RACF).
- Detailed technical skills in at least one platform (Unix/Sybase, Windows NT).
- High level of proficiency in information technology control concepts and systems development methodologies.
- Experience in performing new systems development audits, or related work experience.


See Chapter 5 for related material.


Exhibit 5-5 145

KNOWLEDGE/SKILL LEVELS FOR INFORMATION SYSTEMS AUDITORS: LEVEL 1

In addition to the audit skills and principal duties/responsibilities outlined in Procedure D7, the knowledge/skills required for a Level 1 Information Systems (IS) Auditor are defined as follows:

1. Requires a conceptual knowledge of aspects of IS auditing within all types of PC-based, end-user computing/departmental systems, and mid-range and mainframe systems.

2. Requires the ability to execute any audit program related to information systems, recognize control weaknesses, and assess the materiality of these control weaknesses back to the scope and objectives of the audit.


See Chapter 5 for related material.


Exhibit 5-6 147

KNOWLEDGE/SKILL LEVELS FOR INFORMATION SYSTEMS AUDITORS: LEVEL 2

In addition to the audit skills and principal duties/responsibilities outlined in Procedure D7, the knowledge/skills required for a Level 2 Information Systems (IS) Auditor are defined as follows:

1. Fully conversant with the conceptual knowledge of all aspects of IS auditing.

2. Has the knowledge and practical experience (i.e., skill) to set the scope and objectives for individual audits, prepare the audit programs, lead the audit, and approve the overall results.

3. Has the ability to relate symptoms back to the originating cause and determine if the scope of the audit needs to be expanded.

4. Meets the requirements of the Level 1 Information Systems Auditor.

5. Has at least two years of practical audit experience.


See Chapter 5 for related material.


Exhibit 5-7 149

KNOWLEDGE/SKILL LEVELS FOR INFORMATION SYSTEMS AUDITORS: LEVEL 3

In addition to the audit skills and principal duties/responsibilities outlined in Procedure D7, the knowledge/skills required for a Level 3 Information Systems (IS) Auditor are defined as follows:

1. Fully conversant with specific vendor hardware and software products.

2. Able to formulate an audit program with appropriate testing mechanisms, execute the audit program, recognize control weaknesses, assess the materiality of these weaknesses, and relate them back to the scope and objectives of the audit.

3. Qualified at least as a Level 1 Information Systems Auditor in terms of overall audit knowledge and experience. The depth of technical knowledge may come from a systems background, and the Level 3 IS Auditor may be seriously challenged to perform at Level 2 for many areas of technical (non-computer) audit responsibility.


Exhibit 6-1 151

Risk Sampling Strategy

Risk Category     Audit Universe     Audit Plan Coverage     Total (share of universe)
High Risk         10%                100%                    10%
Sensitive Risk    20%                50% Sampled             10%
Moderate Risk     40%                10% Sampled             4%
Low Risk          30%                5% Sampled              1%
                  100%                                       25% of Universe (4-Year Cycle)


Exhibit 6-2 153

Risk Assessment Model

[Spreadsheet template: rows are AUDIT UNITS/SUBS, with a WEIGHTS row above them. Risk factor column headings as extracted: PROJ HRS, CTRL ENVR, PRE FIND, CON, MGT INT, SYS CHGS, ASST SENT, UNIT SIZE, LAST AUDIT, TOTAL RATE. All weight and rating cells are 0 in the blank template.]



Exhibit 6-3 155

Policies and Procedures Manual Index

ABC Company, Inc.
Corporate Internal Audit
Policies and Procedures Manual Index

Introduction

Audit Activity Charter
   Purpose
   Authority
   Independence
   Scope of Work
   Reporting

Audit Activity Organization
   Organization Chart
   Job Descriptions
   Code of Conduct
   Confidentiality

Audit Planning
   Audit Universe
   Risk Criteria
   Risk Evaluation

Administration
   A. Training
      On-the-job
      Formal Training
      Professional Organizations
      Professional Certifications
      Tuition Reimbursement
   B. Time Reporting
      Holidays
      Vacations
      Illness
      Project time
   C. Staff Evaluations
      Project Performance Reviews
      Annual Performance Reviews
      Performance Evaluation Guidelines
   D. Travel
      Credit Cards
      Cash Advances
      Ground Transportation
      Air Travel
      Lodging and Meal Expenses
      Other Travel Expense Guidelines
   E. Office
      Files
      Physical Security
      Reference Library
      Office Supplies
      Mail
      Telephone



         Messages
         Business Use
         Personal Use
   F. Quality Control
      Supervision
      Peer Reviews
      Audit Customer Survey Questionnaires

Audit Projects
   A. Staff Assignment
   B. Permanent Audit Files
   C. Project Control
      Budget Estimates
      Budget Revisions
      Project Status Reports
   D. Work papers
      Safeguarding
      Identification
      Indexing
      Tick Marks
   E. Form
      Hard Copy
      Electronic
   F. Content
      Planning
         Opening Conference
         Administration
         Audit Program
      Testing
         Selection
         Results/Conclusions
      Analytical Review
         Source Documentation
         Results/Conclusions
   G. Closing Conference
   H. Reporting
      Interim Audit Findings
      Report Format/Content
      Draft Reports
      Management Responses
      Final Reports
      Distribution
      Follow-up
   I. Supervisory Review
      Workpaper Review
      Report Review

Professional Standards
   Definition of Internal Auditing
   Code of Ethics
   Standards for the Professional Practice of Internal Audit
   Practice Advisories



Exhibit 6-4 157

Workpaper Samples

YOUR COMPANY, INC.
Corporate Internal Audit
Audit Title:                                   Audit Number:

TABLE OF CONTENTS

Reference*   Description
1            Audit Project Initiation
2            Final Audit
3            Audit Report
4            Audit Customer Responses to Audit Report
5            Audit Report Cross-Referenced to Workpapers
6            Audit Report Review Checklist
7            Audit Findings & Interim Audit Memos
8            Items for Discussion
9            Audit Administration Program
10           Audit Planning Documentation
11           Audit Project Time Summary
12           Matters to be Considered in Subsequent Audit
13           Audit Program Used during this Audit

Other (Identify each item consecutively beginning with 14):
________________________________________________________________
________________________________________________________________
________________________________________________________________

* Use reference numbers as shown for each item.


Workpaper Samples
YOUR COMPANY, INC. Corporate Internal Audit Audit Title: Audit Number:

AUDIT PROJECT INITIATION                                          W/P Ref. 1

Previous Audit Number:
Auditor-In-Charge:
Auditors Assisting:
Audit Period:

Planning:  __________________ (Date Started)   ______________________ (Date Completed)
Fieldwork: __________________ (Date Started)   ______________________ (Date Completed)
Closeout Date: ___________
Report Date:   _____________

NOTE: One of Internal Auditing's goals is to issue the audit report within 60 days of the closing meeting or within 15 days of resolution of external delays precluding report release, whichever comes last. Provide an explanation when the report is issued more than 60 days after the closing meeting, including discussion of external delays, if any.

Workpaper Approvals:
____________________________________ Supervisor
____________________________________ Manager

Page 1 of 1


Exhibit 6-4 159

Workpaper Samples
YOUR COMPANY, INC. Corporate Internal Audit
Audit Title: ______________________ Audit Number: ______________________

FINAL AUDIT CHECKLIST

Instructions: The Project Supervisor is to complete this checklist prior to release of the final audit report, ensuring completion of all technical and administrative responsibilities.

Supervisor Initials
1. All working paper schedules reviewed and initialed by Supervisor. __________
2. All significant computations recalculated and initialed by Supervisor, including those supporting reported findings. __________
3. All W/Ps are free of inaccurate, misleading, irrelevant, or gratuitous comments or worksheets. __________
4. Conclusions reached by auditor(s) on individual tests are adequately supported and initialed by Supervisor. __________
5. Disposition of all potential audit findings, however significant or insignificant, adequately explained in W/Ps. __________
6. All program steps completed or an explanation for scope changes documented in the W/Ps and approved by Supervisor. __________
7. W/Ps comply with department W/P guidelines. __________
8. Actual time incurred compared to budget. Explanations provided for (a) deviations from departmental goals relative to completion within budget and on schedule and (b) other significant individual variances. __________
9. "Matters to be Considered in Subsequent Audit" filed in W/Ps. __________
10. Continuing audit file updated and all irrelevant data removed. __________
11. Previous draft of report reviewed by Manager, and all subsequent changes. __________

Pg. 1 of 2 W/P Ref. 2

FINAL AUDIT CHECKLIST (continued)

Supervisor Initials
12. "Independent Audit Report Review Checklist" and Review notes completed. __________
13. Completed workpapers. __________
14. Project Supervisor and AIC review notes, for Manager review completed. __________
15. Completed Evaluation of AIC and assisting auditors unless previously submitted. __________

Supervisor ______________________ Date ________________
Manager ________________________ Date _________________

Pg. 2 of 2 W/P Ref. 2

YOUR COMPANY, INC. Corporate Internal Audit
Audit Title: ______________________ Audit Number: ______________________

INDEPENDENT AUDIT REPORT REVIEW CHECKLIST

Instructions: The Project Supervisor is responsible for arranging for the completion of this checklist by an individual independent of the audit, prior to the review of the initial audit report draft by the Audit Manager. The audit report must be cross-referenced to the audit working papers prior to submitting for an Independent Review. The person completing the checklist should be familiar with IIA Standard No. 430 and Statement on Internal Auditing Standards No. 2, both titled Communicating Results.

Independent Reviewer Initials

I. Title Page
1. Audit title and as-of date or period covered is consistent with body of report and "Audit Planning Documentation." __________

II. Distribution Page
1. Planned distribution is appropriate and in compliance with "Audit Planning Documentation." __________

III. Introduction
1. Information presented is factual, supported by working papers, consistent with "Audit Planning Documentation," and prior audit report, where applicable. __________

IV. Objectives
1. Are consistent with "Audit Planning Documentation." __________

V. Scope
1. Reflects audit location and timing. __________
2. Tests performed are supported by "Audit Program" and "Audit Planning Documentation." __________
3. Scope limitations, restrictions, or expansions are explained. __________
4. Project Supervisor and AIC are identified. __________

Pg. 1 of 2 W/P Ref. 6

INDEPENDENT AUDIT REPORT REVIEW CHECKLIST (Continued)

Independent Reviewer Initials

VI. Opinion
1. Addresses and is consistent with audit objectives. __________
2. Clearly presents findings and recommended actions. __________
3. Actions taken or pending are clearly stated with identification of responsibility and are supported by responses documented in the working papers. Necessity of response indicated. __________
4. Findings are consistent with working paper "Audit Findings" sheet(s). __________

VII. Attachments, Exhibits, or Details of Audit
1. Are referred to in and consistent with body of report. __________
2. Information presented is factual and supported by working papers. __________
3. Schedules footed and all amounts recomputed, as appropriate. __________
4. Coordinates of graphs and charts agree with working papers. __________

VIII. Other
1. Individuals involved in closeout meeting are identified. __________
2. Signature space identifies Manager. __________
3. All dates, amounts, references, abbreviations, titles, etc., are consistent throughout. __________
4. Report is appropriately clear and concise and free of grammatical and spelling errors. __________

Pg. 2 of 2 W/P Ref. 6

YOUR COMPANY, INC. Corporate Internal Audit
Audit Title: ______________________ Audit Number: ______________________

AUDIT FINDINGS

This is a preliminary listing of items considered to need corrective action, adjustment, and/or clarification. These items are considered preliminary and are subject to change based upon input from responsible management concerning the correctness of the facts as stated.

FINDINGS DISCUSSED WITH:

NAME              POSITION/TITLE    COMPANY           DATE
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________

Page ___ of ___ W/P Ref. 7

AUDIT FINDINGS

W/P REF.    IAM No.    AUDIT FINDINGS
________    _______    ______________________________________________

Page ___ of ___ W/P Ref. 7

YOUR COMPANY, INC. Corporate Internal Audit
Audit Title: ______________________ Audit Number: ______________________

INTERIM AUDIT MEMORANDUM (No. _____)

Audit Customer Manager ________________________________ Auditor ____________
Audit of _______________________________________ W.P. Ref. __________
Response Due Date ______________________________

Concern:

Criteria/Standard:

Cause:

Consequence (Effect):

Recommendation:

Management Comments: Agree ______ Disagree ______

Manager Signature: ______________________ Date: ______________

Page ___ of ___ W/P Ref. 7

YOUR COMPANY, INC. Corporate Internal Audit
Audit Title: ______________________ Audit Number: ______________________

ITEMS FOR DISCUSSION

This is a listing of items which the auditors believe should be brought to the attention of responsible management for informational or decisional purposes. These are not audit findings.

FINDINGS DISCUSSED WITH:

NAME              POSITION/TITLE    COMPANY           DATE
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________
_______________   _______________   _______________   _______________

Page ___ of ___ W/P Ref. 8

ITEMS FOR DISCUSSION (Continued)

W/P Ref.    Item for Discussion
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________
________    ______________________________________________

Page ___ of ___ W/P Ref. 8

YOUR COMPANY, INC. Corporate Internal Audit
Audit Title: ______________________ Audit Number: ______________________

AUDIT ADMINISTRATION PROGRAM

Work Done By

Planning and Preliminary Survey

1. Discuss the general objectives of the audit with the Project Supervisor and Manager. Determine the specific approach to take in preparing for the preliminary survey, if necessary, and in completing the "Audit Planning Documentation" (workpaper ref. 10). __________

2. Prepare and obtain approval of the "Audit Planning Documentation," as follows:
   a. Discuss the planning approach with the Project Supervisor and Manager. Determine how communications will be made with audit customer. __________
   b. Review any applicable financial data in Internal Auditing's library such as Operating Reports, Annual Reports, 10K's, etc. __________
   c. Review prior audit workpapers and reports including related reports from other departments. __________
   d. Include a copy of the "Matters to be Considered in Subsequent Audit" from the prior audit in the present planning documentation. Indicate the disposition of each item. __________
   e. Perform a preliminary survey, if necessary, to identify specific risks and the audit approach to these risks. The preliminary survey should include a review of any existing Internal Accounting Control Documentation. Include copies of pertinent sections of the documentation in the working papers and ensure key control techniques relative to the audit are tested. __________
   f. Utilize available assisting auditors to the extent possible. __________
   g. Review the current system documentation to determine the availability of data using audit software. Document the approach to be used and arrange for technical support if necessary. __________

Pg. 1 of 4 W/P Ref. 9

Planning and Preliminary Survey (Continued)

   h. Prepare or update detail audit programs. __________
   i. Determine what information is needed for the audit that is to be produced by the audit customer. __________
   j. Determine staffing requirements. __________
   k. Complete a budget, setting out estimated time to complete work (will not necessarily agree with the time allocated in annual audit plan). __________
   l. Document planning in the "Audit Planning Documentation" format and submit for approval. __________

3. Make transportation, accommodation and working space arrangements.
   a. Obtain approval of transportation and accommodation arrangements and times of departure. __________
   b. Secure approved transportation and accommodations. __________
   c. Ensure all members of the audit team are aware of Travel Policies. __________
   d. Arrange for working space with audit customer. __________

Administration of Field Work

1. Meet briefly with audit customer personnel to introduce audit staff and to discuss audit objectives. __________
2. Discuss and fix responsibility for any requests of audit customer personnel. __________
3. During the audit (at least weekly) inform audit customer management of the status of the audit. __________
4. Maintain control over workpapers during the audit. __________

Pg. 2 of 4 W/P Ref. 9

Administration of Field Work (Continued)

5. Ensure the daily work is planned to achieve maximum efficiency. __________
6. Review systematically work performed by assisting auditors. Ensure applicable program steps have been satisfactorily completed; conclusions are properly stated; and workpapers are well documented, support the conclusions, and are well organized. __________
7. Keep the Project Supervisor informed of the progress of the audit, i.e., time, needed changes to audit scope, problems with audit customer, audit findings, etc. __________
8. Daily ensure actual time is posted to the "Audit Project Time Report." __________
9. Draft "Audit Findings" for closing meeting. Reference findings to the working papers. __________
10. Schedule Project Supervisor and Manager review. Clear review notes. __________
11. Discuss staff evaluations with Project Supervisor. The AIC is responsible for preparing the staff evaluation forms for the assisting auditors. __________
12. Schedule closing meeting as soon as possible after field work (goal is 10 workdays). __________

Prior Audit Findings

1. Determine whether audit findings from prior audits have been adequately resolved. Document your review in current working papers and place a copy in the working papers of the prior audit. __________

Report

1. Attend the closing meeting and establish a due date for audit customer responses, if required, to the audit findings. __________

Pg. 3 of 4 W/P Ref. 9

Report (Continued)

2. Draft the report (during field work, if possible) and submit to Project Supervisor in good form for approval. __________
3. Have the report draft referenced to the workpapers by an auditor independent of the current audit. __________
   a. Referencer to complete the "Independent Audit Report Review Checklist." __________
   b. Project Supervisor to approve all changes to the report and approve clearance of all referencer review notes. __________

Note: The final report is to be approved by the AIC and Project Supervisor prior to being signed by the Manager, or his designee.

4. Final report filed (W/P Ref. 3). __________

Wrap-up

1. Ensure all review notes have been adequately cleared in the working papers. __________
2. Summarize the "Audit Project Time Summary," W/P Ref. 11, and tie in to the EIS records. Explain significant variations of actual versus budgeted time. __________
3. Complete the Audit Project Initiation for the working papers (W/P Ref. 1). __________
4. Bind working papers and submit to Project Supervisor. Ensure all applicable matters in the "Table of Contents" are included in the working papers. __________

AIC ______________________________ Date ___________________

Pg. 4 of 4 W/P Ref. 9

YOUR COMPANY, INC. Corporate Internal Audit
Audit Title: ______________________ Audit Number: ______________________

AUDIT PLANNING DOCUMENT

I. GENERAL INFORMATION

Audit Location(s): ______________________
Audit Type: ______________________
Planned Start Date: ______________ Est. Completion Date: ______________
First Time Audit? yes ( ) no ( )
Cyclical Review? Yes ( ) No ( )

II. AUDIT OBJECTIVES AND SCOPE OF WORK

OBJECTIVES (Attach any schedules necessary to support objectives; see standard attachments list, page 3 of this document.)

The objectives of this audit are to determine whether:

SCOPE (Summarize below, and attach Audit Program for details.)

Pg. 1 of 4 W/P Ref. 10

III. BACKGROUND INFORMATION

REASON FOR REVIEW: Scheduled Audit ( ) Special Request ( ) Other ( ) (Describe)

Concerns of Audit customer (Describe):

PRIOR AUDIT
Report Number: __________________ Report Date: __________________
Significant Prior Findings? Yes ( ) No ( )
Summary Findings:
(Attach Excerpt from prior report if appropriate.)

OTHER BACKGROUND INFORMATION

IV. RESOURCES NECESSARY

STAFF
AIC: ______________________________________________________
Assistants: ________________________________________________
_________________________________________________________

Pg. 2 of 4 W/P Ref. 10

STAFF HOUR INFORMATION
Budget (Internal Audit Plan) _______ Estimate ________ (See Audit Staff Budget, Attachment A)
Prior Audit ______
Joint Participation: _______________________________________
(For groups external to Internal Auditing - identify extent & nature.)
Explanation of Difference of 10 Staff days or 10 Percent (Whichever is Greater) Between Estimate and Budget of Prior Audit:

V. COMMUNICATION OF AUDIT PLANS

Arranged With:
Audit customer: _______________________________________
External Auditors: ______________________________________
Special Problems Discussed, etc.: __________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
(See Contact List - Attachment B)

VI. ONSITE SURVEY (Describe scope, who discussed with, and pertinent comments.)
______________________________________________________________
______________________________________________________________
______________________________________________________________

VII. AUDIT PROGRAM
See W/P Ref. 13.

VIII. COMMUNICATION OF AUDIT RESULTS
See Proposed Distribution List - Attachment C.

Pg. 3 of 4 W/P Ref. 10

IX. APPROVAL OF WORK PLAN

PREPARED BY                                              DATE
AIC/Preparer _______________________________              __________

APPROVED BY                                              DATE
Project Supervisor ___________________________            __________
Manager ______________________________________           __________
Director _____________________________________           __________

ATTACHMENTS                                   Attachment No.
( ) Audit Staff Budget                        __A__
( ) Contact List                              __B__
( ) Proposed Audit Report Distribution        __C__
( ) Prior Findings (if applicable)            _____

(List others as appropriate.)

Pg. 4 of 4 W/P Ref. 10

YOUR COMPANY, INC. Corporate Internal Audit
Audit Title: ______________________ Audit Number: ______________________

AUDIT PROJECT TIME SUMMARY
ACTUAL VS. ESTIMATED

Auditor Assigned                Estimated    Actual       Over/Under Estimate
Planning                        ________     _________    _________
Fieldwork:
  _____________________         ________     _________    _________
  _____________________         ________     _________    _________
  _____________________         ________     _________    _________
  _____________________         ________     _________    _________
  _____________________         ________     _________    _________
  _____________________         ________     _________    _________
  _____________________         ________     _________    _________
  _____________________         ________     _________    _________
Contingency                     ________     _________    _________
Total Fieldwork                 ________     _________    _________
Report/Follow-up                ________     _________    _________
W/P Review                      ________     _________    _________
Administrative Work             ________     _________    _________
Travel                          ________     _________    _________
Totals                          ________     _________    _________
Supervisory Time                ________     _________    _________

(NOTE: Explain any significant time variances on Page 2 of this form.)

Pg. 1 of 2 W/P Ref. 11

AUDIT PROJECT TIME

Notes and Comments: ______________________________________________________

Pg. 2 of 2 W/P Ref. 11

YOUR COMPANY, INC. Corporate Internal Audit
Audit Title: ______________________ Audit Number: ______________________

MATTERS TO BE CONSIDERED IN SUBSEQUENT AUDIT

List below any items left pending that need to be followed up during the next audit. Also, list significant changes to take effect before the next audit, suggestions on what audit techniques might be helpful in performing audit tasks, and any areas not covered on the current Audit Findings sheet that might warrant special attention during the next month.

Pg. ___ of ___ W/P Ref. 12


Exhibit 6-5 179

Project Time Report


Project: ______________________

W/E Date    Auditor    Planning    Fieldwk    Report    Period Total    % (Total Hrs Period Total / Total Hrs. Project)
________    _______    ________    _______    ______    ____________    ____
________    _______    ________    _______    ______    ____________    ____
________    _______    ________    _______    ______    ____________    ____

Tot Curr Period    ________
Tot Prev Period    ________
Total to Date      ________
Est to Complete    ________
Total Project      ________
Budget             ________
Budget Variance    ________
% Budget           ________


Exhibit 6-6 181

Staff Time Report


Auditor's Name: ______________________

                    Week 1    Week 2    Week 3    Week 4    Week 5    Period Total    % of Total Period Hrs.
W/Ending Date       ______    ______    ______    ______    ______

Direct Hours:
  Project Name      ______    ______    ______    ______    ______    ____________    ____
  Project Name      ______    ______    ______    ______    ______    ____________    ____
  Project Name      ______    ______    ______    ______    ______    ____________    ____
  Project Name      ______    ______    ______    ______    ______    ____________    ____
  Project Name      ______    ______    ______    ______    ______    ____________    ____
  Total Direct      ______    ______    ______    ______    ______    ____________    ____

Indirect Hours:
  Holiday           ______    ______    ______    ______    ______    ____________    ____
  Vacation          ______    ______    ______    ______    ______    ____________    ____
  Illness           ______    ______    ______    ______    ______    ____________    ____
  Training          ______    ______    ______    ______    ______    ____________    ____
  Admin             ______    ______    ______    ______    ______    ____________    ____
  Other             ______    ______    ______    ______    ______    ____________    ____
  Total Indirect    ______    ______    ______    ______    ______    ____________    ____

Total Hours         ______    ______    ______    ______    ______    ____________    ____


Exhibit 6-7 183

Monthly Management Report

Month Ending: ______________________

                    Report Days    Hours                                                      Schd
Project Name        Actual         Prev    Curr    YTD    Est    Total    Budget    Var      Var
____________        __________     ____    ____    ____   ____   _____    ______    ____     ____
____________        __________     ____    ____    ____   ____   _____    ______    ____     ____
____________        __________     ____    ____    ____   ____   _____    ______    ____     ____

Total Direct        __________     ____    ____    ____   ____   _____    ______    ____     ____
Total Indirect      __________     ____    ____    ____   ____   _____    ______    ____     ____
Grand Total         __________     ____    ____    ____   ____   _____    ______    ____     ____

Tot Wks Stf Wkd     ________
Tot Wks Period      ________
Curr Staff Size     ________
Aver Staff Size     ________
Aver Hrs/Staff      ________


Exhibit 7-1 185

Quality Assurance and Improvement


The Chief Audit Executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitor its effectiveness. The program should be designed to help the internal audit activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments. Internal assessments should include ongoing reviews of the performance of the internal audit activity and periodic reviews performed through self-assessment or by others in the organization with knowledge of internal auditing practices and the Standards.

To meet this goal there are three things to do. First, we must determine what our audit clients want and need. Second, we must meet those needs on time. Finally, and perhaps most important, we must continuously refine the process (our audit practices) of conducting our audit examination.

To continue to improve our audit performance and our contribution to the overall company performance, we have adopted the practice of:

- Evaluating the technical aspects of each audit project. Nine specific criteria have been established for grading audit performance (see Exhibit 7-2). These cover work paper preparation, soundness of findings and recommendations, and the communication of audit results.

- Requiring supervisors and managers to evaluate and grade work papers in several areas including: (1) how well audit scopes and programs address risk areas and risk mitigation activities, (2) how well auditors expand their scope in response to problems noted, (3) clarity of the documentation of audit results, and (4) how well the findings address the cause of the deficiency being reported (see Exhibit 7-3).

- Requesting that senior management respond to a questionnaire about the audit process (see Exhibit 7-6). Seventeen of the nineteen questions cover such topics as (1) how well we communicated audit objectives before the audit, (2) how well auditors solicited and responded to the audit client's ideas, and (3) the breadth of the updates during the audit. And the last question asks for three specific changes that we could make to improve the overall audit process.

Exhibits 7-2, 7-3, and 7-6 are from an article titled "When Good Isn't Good Enough" by F. Lloyd Chester, reprinted with permission from the August 1993 issue of Internal Auditor, published by The Institute of Internal Auditors, Inc. and modified to reflect current Standards and practices.


External assessments, such as quality assurance reviews, should be conducted at least once every 5 years by a qualified, independent reviewer (team) from outside the organization. The following steps outlined by the IIA will assist us in getting started on the external assessment:

1. Read the new Standards and the Code of Ethics and think about them in light of our organization. Are any immediate changes needed? An advance review of the Standards can help us get started on improvements before a review team arrives.

2. Review the Practice Advisories, especially advisories related to quality assurance.

3. Talk with internal auditors from other organizations about their experiences with quality assurance reviews. Obtain an understanding of how the review process might work, how to best prepare for one, and the review team selection process. IIA Chapter meetings are a good forum for this step.

4. Contact organizations that might be willing to perform the quality assurance review. Consider organizations like the IIA, accounting firms, or other consultants.

5. Obtain a proposal from at least 2 of these organizations and then select the one that provides the best value.

The Chief Audit Executive will communicate the results of the internal and external assessments to the Board of Directors/Audit Committee.

Extracted from The Internal Audit Manual Shell on CD-ROM, Institute of Internal Auditors, Altamonte Springs, FL, March 2002, Procedure B-6.


Exhibit 7-2 187

Audit Productivity Measurement: Auditors


Project Number: ______________ Project Name: ______________ Date: ______________

Grading Element                                                                                  Auditor-in-Charge    Audit Manager
1. Scope sections of summary workpapers and audit programs developed/tailored as required within assigned time frames. (15 points)    __________    __________
2. Scope sections of summary workpapers and audit programs effectively address known risk areas developed in the survey and are adequate to measure effectiveness of applicable internal control systems. (10 points)    __________    __________
3. Planned audit work was appropriately expanded/curtailed based on actual conditions encountered. (15 points)    __________    __________
4. Workpapers clearly support/explain results and conclusions for each audit program. (15 points)    __________    __________
5. Workpapers correctly headed, numbered, and cross-referenced. (5 points)    __________    __________
6. Audit work completed and all workpapers finalized/turned in on time. (15 points)    __________    __________
7. Findings include condition, standard, cause, effect; recommendations address the cause(s). (10 points)    __________    __________
8. Findings thoroughly validated and briefed with all applicable levels of management. (10 points)    __________    __________
9. Supervisor is satisfied that written materials (programs, workpapers, reports, etc.) communicate clearly to the intended audience. (5 points)    __________    __________

Totals:    __________    __________
Average Score:    __________

Auditor: ______________ Auditor-in-Charge: ______________ Audit Manager: ______________


Exhibit 7-5 was extracted from an article titled "When Good Isn't Good Enough" by F. Lloyd Chester, reprinted with permission from the August 1993 issue of Internal Auditor, published by The Institute of Internal Auditors, Inc. and modified to reflect current Standards and practices.


Exhibit 7-3 189

Audit Productivity Measurement: Auditors-in-Charge


Project Number: ______________ Project Name: ______________ Date: ______________
Auditor: ______________ Auditor-in-Charge: ______________ Audit Manager: ______________

Grading Element                                                                                  Audit Manager
1. Survey work papers, project management form, engagement announcement letter, audit workpapers, and other applicable documents are completed on schedule. Travel requests, orders, country clearances, passport visas, and lodging arrangements pursued sufficiently in advance to ensure minimum lost time on the audit. (5 points)    __________
2. For each audit objective, was an audit program developed for its attainment? (10 points)    __________
3. Was management given interim progress reports during the audit? Entrance and exit interviews with appropriate management officials were scheduled in advance, adjusted as necessary, and held when agreed. (5 points)    __________
4. All workpapers are reviewed to ensure that they are complete, correct, and fully support the conclusions of the discussion draft findings and are turned in to the audit manager with the issuance of the response draft. (15 points)    __________
5. Discussion draft addresses all audit objectives. All discussion draft findings are fully validated and cross-referenced to the conclusion portion of the summary workpapers; the conclusion portion is fully cross-referenced to the appropriate detailed workpapers. (15 points)    __________
6. Met approved time frames (discussion and response drafts) and cost goals. (10 points)    __________
7. Quality of the written product (discussion and response draft reports of audit). (20 points)    __________
8. The audit provided added value to the organization. (20 points)    __________

Exhibit 7-3 was extracted from an article titled "When Good Isn't Good Enough" by F. Lloyd Chester, reprinted with permission from the August 1993 issue of Internal Auditor, published by The Institute of Internal Auditors, Inc. and modified to reflect current Standards and practices.


Exhibit 7-4 191

Compliance Checklist
The following questions were derived from The IIA's Standards for the Professional Practice of Internal Auditing (Standards), including the Glossary that accompanies the Standards.

The Charter

1. Do we have a written charter?
2. Has the board or other governing body approved it?
3. Does it clearly describe internal auditing's purpose, authority, and responsibility?
4. Does it describe internal auditing's role in risk management, governance, and control processes?
5. Does it include adding value and improving the organization's operations as part of the responsibility of the function?
6. Does it establish the internal audit function at a level within the organization that allows the internal audit activity to fulfill its responsibilities?
7. Does it authorize access to records, personnel, and physical properties relevant to the performance of engagements?
8. Does it clearly describe the scope of internal audit activities?
9. Does it define the nature of consulting and assurance services to be provided to the organization?
10. Does it define the nature of assurances that are to be provided to parties outside the organization?
11. Have we reviewed the elements of our charter and considered whether or not they are consistent with the various descriptions and requirements of internal auditing as presented in the revised definition and Standards for the Professional Practice of Internal Auditing?

Independence and Objectivity

12. Is our internal audit activity organizationally independent?
13. Does the chief audit executive report to a level in the organization that allows us to fulfill our responsibilities without interference?
14. When providing assurance to third parties, such as senior management or the board, are we able to determine the scope of internal auditing, perform our work, and communicate the results without interference?
15. Are our internal auditors objective?
16. Do we value and require individual auditor objectivity as essential to effective internal audit services?
17. Do we refuse to make quality compromises or subordinate our judgment on audit matters to others?
18. Do we have a policy and procedure for disclosing apparent or actual impairments to independence and objectivity?
19. Do we make every effort to keep internal auditors from assessing operations for which they were previously responsible if the engagement is designed to provide assurance?
20. Do we require auditors to wait at least one year before providing assurance in areas for which they were previously responsible?
21. Do we note an impairment to objectivity if an auditor provides assurance services for an activity for which the auditor was responsible during the previous year?
22. Do we employ someone outside the audit activity (a manager from another organizational area, for example) to oversee assurance engagements for functions over which the chief audit executive has responsibility?
23. If there are potential impairments to independence or objectivity relating to proposed consulting engagements, do we disclose those impairments to the engagement client prior to accepting the engagement?

The Institute of Internal Auditors

192 Establishing An Internal Audit Activity Manual


Proficiency and Professionalism

24. Do we know what knowledge, skills, and other competencies are necessary to fulfill our responsibilities?
25. Do we ensure that our audit staff, as individuals and as a function, possess these capabilities?
26. Do we have a method for acquiring the necessary capabilities that we may lack?
27. Have we made sure that our audit methods and procedures are in line with those of other professional internal auditors?
28. Do we make continuing professional development a priority?
29. When performing assurance services, do we obtain advice and assistance if needed to perform the audit?
30. When performing assurance services, are we able to identify the indicators of fraud?
31. When performing assurance services, do we exercise due professional care by considering the:
    - Extent of the work needed to achieve the engagement's objectives?
    - Relative complexity, materiality, or significance of matters to which assurance procedures are applied?
    - Adequacy and effectiveness of risk management, control, and governance processes?
    - Probability of significant errors, irregularities, or noncompliance?
    - Cost of assurance in relation to potential benefits?
32. When performing assurance services, are we alert to any significant risks that might affect objectives, operations, or procedures?
33. Do we recognize that due care does not imply infallibility and that assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified?
34. If we lack the knowledge, skills, or other competencies needed to perform all or part of a proposed consulting engagement, do we either decline the engagement or obtain competent advice and assistance?
35. Do we exercise due professional care in consulting engagements by considering the:
    - Needs and expectations of clients, including the nature, timing, and communication of engagement results?
    - Relative complexity and extent of work needed to achieve the engagement's objectives?
    - Cost of the consulting engagement in relation to potential benefits?

Quality Assurance

36. Do we have a quality assurance and improvement program in place?
37. Does it address each of the various types of engagements we perform and cover all aspects of the internal audit activity?
38. Do we continuously monitor our effectiveness?
39. Does our QA program help us add value and improve the organization's operations?
40. Does it measure our compliance with the Standards?
41. Do we conduct internal quality assessments, including ongoing reviews of our performance and periodic reviews through self-assessment or by others in the organization with knowledge of internal auditing and the Standards?
42. Does a qualified, independent review team from outside the organization conduct an external assessment of our activity once every five years?
43. Do we communicate the results of the external review to the board?
44. Is our use of the phrase "conducted in accordance with the Standards for the Professional Practice of Internal Auditing" justified by the QA program's confirmation of our compliance with the Standards?



45. If the external review notes incidences of noncompliance that affect the overall scope or operation of the internal audit activity, do we disclose that information to the board and senior management?

The Chief Audit Executive

46. Is there someone employed within the organization who has ultimate responsibility for internal audit activities and serves as chief audit executive (CAE)?
47. Does the CAE report to a level in the organization that allows us to fulfill our responsibilities without interference?
48. Does the CAE manage the internal audit activity so that it adds value to the organization?
49. Does the CAE ensure that our resources are appropriate, sufficient, and effectively deployed to achieve the audit plan?
50. If our staff lacks the knowledge, skills, or other competencies needed to perform all or part of an assurance engagement, does the CAE obtain competent advice and assistance?
51. If we lack the knowledge, skills, or other competencies needed to perform all or part of a proposed consulting engagement, does the CAE either decline the engagement or obtain competent advice and assistance?
52. Has the CAE established policies and procedures for the internal audit activity?
53. Does the CAE provide for the sharing of information and the coordination of activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts?
54. Has the CAE developed, and does he or she continue to maintain, a quality assurance and improvement (QA) program?
55. Does the CAE determine our priorities by establishing risk-based plans that are consistent with the organization's goals and approved by the board?
56. Are audit plans regarding assurance engagements based upon an annual risk assessment? Is that risk assessment based upon input from senior management and the board?
57. Does the CAE consider proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations?
58. Are accepted consulting engagements included in the audit plan?
59. Does the CAE communicate our plans and resource requirements, including significant interim changes and the impact of resource limitations, to senior management and the board for review and approval?
60. Does the CAE report periodically to the board and senior management on our purpose, authority, responsibility, and performance relative to our plan? Do these reports also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management?
61. Does the CAE communicate the results of external quality assessments to the board?
62. Does the CAE disseminate audit engagement results to the appropriate individuals? If a final communication contains a significant error or omission, does the CAE communicate corrected information to all individuals who received the original communication?
63. When disseminating the final results of an assurance engagement, does the CAE make sure he or she communicates those results to individuals who can ensure they are given due consideration?
64. Does the CAE communicate the final results of consulting engagements to the client?
65. If significant risk management, control, and governance issues are identified during a consulting engagement, does the CAE communicate them to senior management and the board?
66. In instances where the CAE believes that senior management has accepted a level of residual risk that is unacceptable to the organization, does the CAE discuss the matter with senior management? If the decision regarding residual risk is not resolved, does the CAE, along with senior management, report the matter to the board for resolution?



67. Has the CAE established, and does he or she continue to maintain, a system to monitor the disposition of results communicated to management?
68. Has the CAE developed a follow-up process for assurance engagements that monitors and ensures that management actions have been effectively implemented or that senior management has accepted the risk of not taking action?
69. Has the CAE developed a follow-up process that allows the disposition of consulting engagement results to be monitored to the extent agreed upon with the client?
70. If the CAE has responsibility for an area that is the subject of an assurance engagement, is the engagement overseen by someone outside the internal audit activity?
71. Does the CAE control access to assurance engagement records? Does the CAE obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties?
72. Has the CAE developed retention requirements for assurance engagement records? Are these requirements consistent with organizational guidelines and any pertinent regulatory or other requirements?
73. Has the CAE developed policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties? Are these policies consistent with the organization's guidelines and any pertinent regulatory or other requirements?

Nature of Audit Work

74. Do we evaluate and contribute to the improvement of risk management, control, and governance systems in all types of engagements?
75. Do we identify and evaluate significant exposures to risk in all types of engagements?
76. Does our risk assessment in an assurance engagement cover risks relating to governance, operations, and information systems, including risks to the reliability and integrity of financial and operational information; the effectiveness and efficiency of operations; the safeguarding of assets; and the compliance with laws, regulations, and contracts?
77. In consulting engagements, do we address risk consistent with the engagement's objectives? Are we also alert to the existence of other significant risks?
78. Do we incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization?
79. Do we monitor and evaluate the risk management system?
80. Do we help maintain effective controls by evaluating their effectiveness and efficiency in all types of engagements?
81. Do we promote continuous improvement of internal controls in all our engagements?
82. During consulting engagements, do we address controls consistent with the engagement's objectives? Are we also alert to the existence of any significant control weaknesses?
83. Do we incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization?
84. Do we provide assurance to the board and senior management by evaluating the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems?
85. Are these evaluations based on the results of our risk assessment?
86. Do our assurance engagements address whether controls ensure the reliability and integrity of financial and operational information; the effectiveness and efficiency of operations; the safeguarding of assets; and compliance with laws, regulations, and contracts?
87. Do our assurance engagements ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization?
88. Do our assurance engagements determine whether operations and programs are being implemented or performed as intended by ascertaining the extent to which results are consistent with established goals and objectives?



89. Do we ascertain the extent to which management has established adequate criteria for determining whether objectives and goals have been accomplished?
90. If these criteria are adequate, do we use them in our own assessments?
91. If they are not, do we work with management to develop appropriate evaluation criteria?
92. Do we contribute to the organization's governance process by evaluating and improving the processes for:
    - Establishing and communicating values and goals?
    - Monitoring the accomplishment of goals?
    - Ensuring accountability?
    - Preserving values?
93. As part of our effort to provide assurance to senior management and the board, do we review operations and programs to ensure consistency with organizational values?
94. Do we ensure that consulting engagement objectives are consistent with the overall values and goals of the organization?

Engagement Planning

95. Do we develop and record a plan for each engagement?
96. In developing our plans, do we consider:
    - The objectives of the activity being reviewed?
    - The means by which the activity controls its performance relative to meeting its objectives?
    - The significant risks to the activity, its objectives, its resources, and its operations?
    - The means by which the potential impact of risk is kept to an acceptable level?
    - The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model?
    - The opportunities for making significant improvements to the activity's risk management and control systems?
97. Do our engagement objectives address the risks, controls, and governance processes associated with the activities under review?
98. When planning an assurance engagement, do we identify and assess risks relevant to the activity to be reviewed?
99. Do our objectives for the assurance engagement reflect the results of this risk assessment?
100. When developing objectives for an assurance engagement, do we consider the probability of significant errors, irregularities, noncompliance, and other exposures?
101. When planning a consulting engagement, do we establish an understanding with the client about objectives, scope, respective responsibilities, and other client expectations? If the engagement is a significant one, do we document this understanding?
102. Do the objectives of our consulting engagements address risks, controls, and governance processes to the extent agreed upon with the client?
103. Are the scope statements of our engagements sufficient to satisfy the stated objectives?
104. Do we make sure that the scope of any assurance engagement includes consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties?
105. Do we ensure that the scope of our consulting engagements is sufficient to address the agreed-upon objectives?
106. If we develop reservations about the scope of a consulting engagement, do we discuss these reservations with the client to determine whether to continue with the engagement?
107. Do we determine appropriate resources to achieve engagement objectives?
108. Is this determination based upon an evaluation of the nature and complexity of each engagement, the time constraints associated with the engagement, and the resources available at the time of the engagement?
109. Do we develop and record work programs that achieve the objectives of engagements?



110. Do our work programs for assurance engagements establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement?
111. Are our work programs for assurance engagements approved prior to the commencement of audit work, and are any adjustments approved promptly?
112. Do our work programs for consulting engagements vary in form and content depending upon the nature of the engagement?

Performing the Engagement

113. Do we identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives?
114. Is the information we identify sufficient, reliable, relevant, and useful to the achievement of the engagement's objectives?
115. Are conclusions and engagement results based on appropriate analyses and evaluations?
116. Do we record relevant information to support the conclusions and engagement results?
117. Is there proper supervision of each engagement so that objectives are achieved, quality is assured, and staff is developed?

Communicating Results

118. Do we communicate engagement results promptly?
119. Do our engagement communications include the engagement's objectives and scope, as well as applicable conclusions, recommendations, and action plans?
120. In communications resulting from assurance engagements, do we include our overall opinion, when appropriate?
121. Does our communication of the progress and results of consulting engagements vary in form and content depending upon the nature of the engagement and the needs of the client?
122. When communicating the results of assurance work, do we acknowledge satisfactory performance?
123. Do we provide our customers with quality communications, meaning that the communication of engagement results is:
    - Accurate
    - Objective
    - Clear
    - Concise
    - Constructive
    - Complete
    - And timely?
124. When we are unable to comply fully with the Standards and the noncompliance impacts a specific engagement, do we disclose the:
    - Standard with which full compliance was not achieved;
    - The reasons for noncompliance; and
    - The impact of noncompliance on the engagement?


Exhibit 7-5 197

AUDIT CUSTOMER SURVEY


Dear CAE:

Enclosed is a sample Audit Customer Survey to be sent to your customers as input to the quality assessment (QA), along with a suggested accompanying letter. After reviewing these two documents, you are encouraged to personalize them so that your organization will receive the greatest benefit from the QA process.

Although confidentiality is top priority, former customers have found that coding the survey is helpful if more than one operating location is involved or if you wish to summarize by work group, e.g., all officers. By handwriting a letter or number on the survey form, we can summarize for each category and provide an overall summary. If the optional electronic version is used, provide the grouping to us when you provide the e-mail addresses.

If you decide to revise this survey form and/or cover letter, let me know as soon as possible, as recipients are usually selected and the surveys distributed well in advance of our on-site dates. This allows time to receive replies and have cumulative statistics available prior to the assessment. We will provide the results of the Survey to you during the first day of the QA. We'll also provide a summary of all prior clients for your comparison.

A cover letter, survey form, and business reply envelope will be sent to you for distribution to every customer you want to include in the survey. The larger the survey universe the better. The reply envelopes are addressed to The IIA and should be sent directly to Quality Auditing Services (Q&S) by your customers.

The survey can be distributed electronically. In fact, we recommend it. You would need to distribute the survey forms to your customers and ask them to complete them and email them to The IIA at QAR@theiia.org. Note that we request that the audit customers have their responses in our offices two weeks before the first day on-site.

Sincerely,

The Institute of Internal Auditors QAS


SAMPLE LETTER TO A COMPANY CUSTOMER SURVEY


To:
From:
Date:

The internal audit activity at XYZ Company is undergoing a Quality Assessment (QA) by The Institute of Internal Auditors (IIA). The purposes of the QA are to:
    - assess the efficiency and effectiveness of the activity;
    - identify opportunities and offer ideas and counsel for improving the performance of the internal audit activity; and
    - provide an opinion as to whether the activity conforms with the Standards for the Professional Practice of Internal Auditing.

The QA team will develop recommendations for improvements in the internal auditing function at XYZ Company. Your candid response to the enclosed survey will assist the QA team in assessing strengths and identifying areas for improvement.

Since this questionnaire is being sent to a selected sample, please return your comments on the original form so that we may maintain the integrity of that sample. You may of course incorporate the comments of your staff on the original response form. When completed, send the survey to The IIA in the enclosed return address envelope on or before (date). Your response will be kept entirely confidential. Without identifying specific respondents, a summary of the responses will be shared with the internal auditing management of XYZ Company.

(Optional in place of above paragraph, as appropriate.) Since this questionnaire is being sent electronically to a selected sample, please respond electronically with your comments in the original format so that we may maintain the integrity of the sample. You may of course incorporate the comments of your staff in your reply. When completed, send the results directly to The IIA at QAR@theiia.org on or before (date). Your response will be kept entirely confidential. Without identifying specific respondents, a summary of the responses will be shared with the internal auditing management of XYZ Company.

Thank you for your constructive comments.

Name of CAE
Title
Organization Name


INTERNAL AUDITING ACTIVITY: AUDIT CUSTOMER SURVEY


Please rate the internal audit activity at XYZ Company in the following areas. If you cannot respond to a question, simply draw a line through it. Please circle only one number per response.

Evaluation Criteria                                                        E  G  F  P

Relationships with Management
1. Internal auditing as a valued member of the management team.    4  3  2  1
2. Organizational placement of the internal auditing function to ensure unhampered activity and achieve their internal auditing objectives.    4  3  2  1
3. Auditors have free and unrestricted access to records, information, locations, and employees to perform their audits.    4  3  2  1
4. The internal audit activity promotes a customer orientation by providing quality work.    4  3  2  1

Audit Staff
5. Objectivity of the internal auditors.    4  3  2  1
6. Professionalism of auditors.    4  3  2  1
7. Knowledge of your business process/success factors.    4  3  2  1
8. Quality of relationship and rapport between auditors and your department.    4  3  2  1

Scope of Audit Work
9. Selection of important operating areas for audit.    4  3  2  1
10. Pre-audit notification to you of audit purpose and scope.    4  3  2  1
11. Inclusion of your suggestions for areas to audit.    4  3  2  1

Audit Process and Report
12. Feedback to you on emerging issues during audits.    4  3  2  1
13. Duration of the audit.    4  3  2  1
14. Timeliness of the audit report.    4  3  2  1
15. Accuracy of the audit findings.    4  3  2  1
16. Clarity of the audit report.    4  3  2  1
17. Usefulness of the audit in improving business process and controls.    4  3  2  1
18. Internal audit follow-up on corrective action.    4  3  2  1

Management of the Internal Audit Activity
19. Your understanding of the internal audit activity's purpose.    4  3  2  1
20. Effectiveness of internal auditing management.    4  3  2  1
21. Quality of staff development for subsequent transfer to/from operating departments.    4  3  2  1

Value Added
22. Assistance to management in risk assessment.    4  3  2  1
23. Partnership with management on control issues.    4  3  2  1
24. Degree of impact on corporate governance.    4  3  2  1



KEY: 4 = Excellent, 3 = Good, 2 = Fair, 1 = Poor

25. Was there anything about the audit(s) and/or other audit services such as consulting that you especially liked? (Include new or existing areas where you think audits should be increased and/or consulting services received or which would be helpful.)

________________________________________________________________

26. Was there anything about the audit(s) or other audit activities that you especially disliked? (Include areas where you think audits should be decreased and/or suggestions for how audit services could be improved.)

________________________________________________________________

27. Specifically, how might the internal audit activity better add value to XYZ Company?

________________________________________________________________

28. Additional comments:

________________________________________________________________

Signature (optional): ___________________________________________


Exhibit 7-6 201

Audit Process Questionnaire


Audit:
Project Number:

                                                                          Yes   No
1. Did you receive a letter announcing the audit at least XXX weeks in advance of the audit start date?
2. Was an entrance interview held with you prior to, or concurrent with, the start of the audit?
3. Were the audit goals, objectives, and locations to be audited discussed with you during the entrance interview?
4. Were your ideas and/or concerns about the audit solicited during the interview?
5. Were the auditors responsive to your ideas and/or concerns regarding the audit?
6. Were you kept informed of audit itinerary changes?
7. Was a tentative time frame for an exit briefing set during the entrance interview?
8. Were the auditors responsive to any unique operational situations your facilities may present?
9. Were you promptly informed of changes to the audit itinerary during the audit?
10. Were you periodically briefed or otherwise kept adequately and promptly informed on major issues as they developed during the audit?
11. Were you given a copy of all reports at least XXX days before the exit briefing?


12. Were you or key members of your staff previously informed of all major issues contained in the draft report?
13. Was the exit briefing held on the date and at the time agreed?
14. At the exit briefing, were all findings discussed with you in the level of detail you desired?
15. At the exit briefing, were the auditors flexible in addressing issues of word changes, style, and perspective of findings?
16. Were all issues of fact (not interpretation) resolved during the exit interview?
17. Were replies (or reply instructions) discussed during the exit briefing?
18. How much value do you feel this audit added to the organization?
    No Value  0  1  ...  9  10  High Value
19. What three specific changes can we make to best improve our audit process?
    A.
    B.
    C.

Exhibit 7-3 was extracted from an article titled "When Good Isn't Good Enough" by F. Lloyd Chester, reprinted with permission from the August 1993 issue of Internal Auditor, published by The Institute of Internal Auditors, Inc., and modified to reflect current Standards and practices.
