Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Managing the
Internal Audit Function
CHAPTER 9
Chapter 9: Managing the Internal Audit
Function
LEARNING OBJECTIVES
• Understand the importance of proper positioning of the internal audit function within the organization.
• Identify the benefits of various organizational structures for an internal audit function.
• Identify the roles and responsibilities of the key positions in an internal audit function.
• Understand the policies and procedures of internal auditing and how they guide the internal audit function.
• Understand the attributes of a well-executed risk management model (process) and reflect on what role the internal audit function should have in the organization’s risk management processes.
• Understand quality assurance, how it operates, and why it is important to the internal audit function.
• Understand how technology is used in the management of the internal audit function.
STANDARDS RELEVANT TO MANAGING
THE INTERNAL AUDIT FUNCTION
POSITIONING THE INTERNAL AUDIT FUNCTION
IN THE ORGANIZATION
Organizations that recognize the importance of placing the internal audit function in a position that
maximizes its effectiveness and ability to evaluate the efficacy of the risk management, control, and
governance processes that are in place often do so through a senior management position described
in the Standards as a chief audit executive (CAE). IIA Standard 2000: Managing the Internal Audit
Activity states that “the chief audit executive must effectively manage the internal audit activity to
ensure it adds value to the organization.” Recognizing that the CAE is pivotal to a successful internal
audit function, the interpretation of Standard 2000 goes on to state that “the internal audit [function]
is effectively managed when:
• It achieves the purpose and responsibility included in the internal audit charter.
• It conforms with the Standards.
• Its individual members conform with the Code of Ethics and the Standards.
• It considers trends and emerging issues that could impact the organization.”
THE INTERNAL AUDIT FUNCTION
CHARTER
• A necessary condition for the CAE to fulfill the
responsibilities to effectively manage the internal
audit function is to create a charter that “establishes
the internal audit [function’s] position within the
organization; authorizes access to records, personnel,
and physical properties relevant to the performance
of engagements; and defines the scope of internal
audit activities” (Interpretation to IIA Standard 1000:
Purpose, Authority, and Responsibility).
• The charter should also take into consideration
assurance and consulting services.
• It is important to recognize that the internal audit
function and the audit committee have separate
charters delineating the specific and separate
obligations to the organization of each, while
considering and reflecting the inherent
interdependencies of the two.
• The internal audit function’s charter is subordinate to
the audit committee’s charter and must support it.
INDEPENDENCE AND OBJECTIVITY
The IPPF also indicates that internal auditors must have an impartial, unbiased attitude and avoid any conflict of
interest (objectivity). The IPPF further outlines these requirements by setting forth guidance on individual objectivity,
which suggests the following:
• Individual objectivity means the internal auditors must perform engagements in an honest way ensuring the work
product is free of significant quality compromises. Internal auditors should avoid being placed in situations that
could impair their ability to make objective professional judgments.
• Individual objectivity requires the chief audit executive (CAE) to make staff assignments that prevent potential
and actual conflicts of interest and bias.
• Internal audit work results must be reviewed before engagement communications are released, which helps
provide reasonable assurance that the work was performed objectively.
• The internal auditor’s objectivity is not negatively affected when the internal auditor recommends enhancements
to standards of control or reviews management’s operating procedures before implementation. The internal
auditor’s objectivity is considered negatively affected (impaired) if the auditor designs, installs, drafts procedures
for, or operates such systems.
• The occasional performance of non-audit work by the internal auditor, with full disclosure in the reporting
process, would not necessarily impair objectivity. However, it would require careful consideration by
management. The internal auditor must be careful when accepting such temporary assignments to avoid
adversely affecting the internal auditor’s objectivity.
IMPAIRMENT TO INDEPENDENCE OR
OBJECTIVITY
If independence or objectivity is impaired in fact or appearance, the details of the
impairment must be disclosed to appropriate parties. The nature of the disclosure will
depend upon the impairment.
• Impairment to organizational independence and individual objectivity may
include, but is not limited to, personal conflict of interest, scope limitations,
restrictions on access to records, personnel, and properties, and resource
limitations, such as funding.
• The determination of appropriate parties to which the details of an impairment to
independence or objectivity must be disclosed is dependent upon the
expectations of the internal audit activity’s and the chief audit executive’s
responsibilities to senior management and the board as described in the internal
audit charter, as well as the nature of the impairment.
IMPAIRMENT TO INDEPENDENCE
OR OBJECTIVITY
Additional IIA requirements regarding
impairments to independence or
objectivity are included in exhibit 9-3:
PROFICIENCY AND
DUE PROFESSIONAL CARE
• IIA Standard 1200: Proficiency and Due Professional Care states simply that “engagements must
be performed with proficiency and due professional care.” IIA Standard 1210: Proficiency goes
into more detail, stating that “internal auditors must possess the knowledge, skills, and other
competencies needed to perform their individual responsibilities. The internal audit activity
collectively must possess or obtain the knowledge, skills, and other competencies needed to
perform its responsibilities.” Furthermore, IIA Standard 1220: Due Professional Care states that
“internal auditors must apply the care and skill expected of a reasonably prudent and competent
internal auditor. Due professional care does not imply infallibility.”
• It is important to note that the interpretation of Standard 1210 defines “proficiency [as] a
collective term that refers to the knowledge, skills, and other competencies required of internal
auditors to effectively carry out their professional responsibilities.” This interpretation goes on to
say that “it encompasses consideration of current activities, trends, and emerging issues, to
enable relevant advice and recommendations” and further encourages internal auditors to
“demonstrate their proficiency by obtaining appropriate professional certifications and
qualifications, such as the Certified Internal Auditor designation and other designations offered by
The Institute of Internal Auditors and other appropriate professional organizations.”
PLANNING
• The annual internal audit plan should be completed at the beginning of, or just prior to, the organization’s
fiscal year.
• The process can be comprehensive, whereby senior management and the internal audit function
collaborate to complete a formal risk assessment on an organization-wide basis to establish a prioritized list
of key risk scenarios facing the organization that must be appropriately managed by the organization to
achieve key business objectives, or informal and much less collaborative in nature.
• The CAE aligns audit resources for the upcoming year with the conclusions drawn by management during
the risk assessment process.
• Providing the CAE with a definitive list of audit entities related to the prioritized risks allows for the creation
of an internal audit plan using a top-down, risk-based approach.
• The planning process should include the establishment of:
  • goals,
  • engagement schedules,
  • staffing schedules, and
  • financial budgets.
• Additionally, effective planning should reflect the internal audit charter and be consistent with
organizational objectives.
COMMUNICATION AND APPROVAL
After the internal audit plan has been established, it is incumbent upon the
CAE to present it to senior management and the board (typically the audit
committee) to be approved. Resource requirements, significant interim
changes, and the potential implications of resource limitations should all be
included in the communication to senior management and the board (IIA
Standard 2020: Communication and Approval).
RESOURCE MANAGEMENT
A significant consideration in implementing an internal audit function’s plan is
how to allocate resources. It is the CAE’s responsibility to “ensure that internal
audit resources are appropriate, sufficient, and effectively deployed to achieve
the approved plan” (IIA Standard 2030: Resource Management). This is achieved
by carefully orchestrating a number of factors, including the following:
• Training and Mentoring
• Career Planning and Professional Development
• Scheduling
• Financial Budget
• Use of Professional Practice Groups
• Organizational Structure and Staffing Strategy
• Right Sizing
• Staffing Plans/Human Resources
• Hiring Practices
• Strategic Sourcing
POLICIES AND PROCEDURES
• The standard regarding the implementation of policies and procedures simply
states, “the chief audit executive must establish policies and procedures to guide
the internal audit activity” (IIA Standard 2040: Policies and Procedures).
• The IPPF goes on to suggest keeping the policies and procedures consistent with
the size of the internal audit function. The CAE is ultimately responsible for
developing policies and procedures.
• Formal administrative and technical audit manuals may not be needed by all
internal audit functions. A small internal audit function may be managed
informally. Its audit staff may be directed and controlled through daily, close
supervision, and memoranda that state policies and procedures to be followed. In
a large internal audit function, more formal and comprehensive policies and
procedures may be needed to guide the internal audit staff in the execution of the
internal audit plan.
COORDINATING ASSURANCE EFFORTS
• According to IIA Standard 2050: Coordination and Reliance, “The chief audit
executive should share information and coordinate activities, and consider relying on
the work of other internal and external assurance and consulting service providers to
ensure proper coverage and minimize duplication of efforts.” Coordinating the efforts
of the internal audit function with those of other internal and external providers of
assurance and consulting services is important because of the increase in
effectiveness and efficiencies that can be gained.
• Many organizations have multiple avenues for ensuring that they operate within
their risk appetite. Organizations operating in a highly regulated environment in
particular have a need to demonstrate that they have mitigated the many risks that
threaten them to a reasonable level. To do so, they implement a technique of
assurance layering to get the risk mitigation they need or desire. One common
example of this strategy is the “three lines of defense model.”
COORDINATING ASSURANCE
EFFORTS
• In the three lines of defense model, the
organization layers the avenues through which
they get assurance that the risks facing them are
mitigated to a level within their risk appetite.
Although it is referred to as three lines of
defense, depending on the organization and how
it is structured, there may be more than three
defined lines (layers) of assurance.
• Exhibit 9-4 is a popular depiction of the three
lines of defense model that places the external,
independent assurance providers outside the
model. As indicated, this model can be adapted
by organizations to depict their particular
approach or philosophy.
REPORTING TO THE BOARD AND
SENIOR MANAGEMENT
• The CAE has the responsibility to “report periodically to senior management and the board on
the internal audit activity’s purpose, authority, responsibility, and performance relative to its
plan, and on its conformance with the Standards. Reporting must also include significant risk
and control issues, including fraud risks, governance issues, and other matters that require
the attention of senior management and/or the board” (IIA Standard 2060: Reporting to
Senior Management and the Board).
• More specifically, consider communicating the following items:
  • Significant deviations from approved engagement work schedules and the reasons for such.
  • Staffing plans and financial budgets.
  • Action taken or needed.
  • Significant engagement observations and recommendations.
  • Instances of senior management and/or the audit committee acceptance of the risk of not
  correcting a significant engagement observation.
REPORTING TO THE BOARD AND
SENIOR MANAGEMENT (CONT’D)
Management and the CAE coordinate efforts to routinely report on various risk and
control activities performed by either, in accordance with roles and responsibilities set
by the board and the audit committee. This typically includes reports covering:
• Business unit monitoring and risk monitoring reports.
• Independent outside auditor activity reports.
• Key financial activity reports.
• Risk management activity reports.
• Legal and compliance monitoring reports.
In addition to this information, a report is typically submitted to the audit committee
by either senior management or the CAE outlining the results of management’s self-
assessment regarding the design adequacy and operating effectiveness of the
organization’s internal controls.
GOVERNANCE
Governance is defined as “a process conducted by the board of
directors to authorize, direct, and oversee management toward
the achievement of the organization’s objectives.”
GOVERNANCE
IIA Standard 2110: Governance requires the internal audit function to “assess and
make appropriate recommendations to improve the organization’s governance
processes for:
• Making strategic and operational decisions;
• Overseeing risk management and control;
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the
organization; and
• Coordinating the activities of, and communicating information among, the board,
[independent outside] and internal auditors, other assurance providers, and
management.”
RISK MANAGEMENT
Risk Management is a participatory process designed to identify, document,
evaluate, communicate, and monitor the most significant uncertainties facing
an organization requiring risk mitigation or exploitation of opportunities to
successfully achieve business objectives. In other words, risk management is
a process conducted by management to understand and deal with
uncertainties (that is, risk and opportunities) that could affect the
organization’s ability to achieve its business objectives.
RISK MANAGEMENT
• Risk management historically focused on avoiding potential danger and preventing harmful
actions.
• Risk management has evolved to focus additionally on identifying opportunities that can be
exploited.
  • In these models, risk management efforts are designed to facilitate the management of both risk and
  opportunity within a predefined risk appetite set by the board and senior management.
• Properly executed risk management assists the board and senior management in implementing
appropriate risk responses:
  • Avoiding
  • Reducing
  • Sharing
  • Accepting risks
  • Exploiting opportunities
• Effective risk management provides reasonable (not absolute) assurance that the business
objectives of an organization will be achieved.
INTERNAL AUDIT ROLE IN
ENTERPRISE RISK MANAGEMENT
Internal auditing is an independent, objective assurance and consulting activity.
Assurance on ERM: Its core role with regard to ERM is to provide objective
assurance to the board on the effectiveness of risk management. At minimum, the
internal audit function should evaluate the design adequacy and operating
effectiveness of the organization’s risk management processes by providing input
and feedback through a periodic review (audit).
Consulting on ERM: It is also appropriate for the internal audit function to facilitate
the identification and evaluation of risks and opportunities, coach management on
appropriate ways to respond to risk events and opportunities, and help an
organization coordinate enterprise-wide risk management activities.
INTERNAL AUDIT ROLE IN ENTERPRISE
RISK MANAGEMENT (CONT’D)
According to IIA Standard 2120: Risk Management, “The internal audit activity must evaluate the
effectiveness and contribute to the improvement of risk management processes.” The
interpretation for this standard states:
Determining whether risk management processes are effective is a judgment resulting from the
internal auditor’s assessment that:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization’s risk appetite;
and
• Relevant risk information is captured and communicated in a timely manner across the
organization, enabling staff, management, and the board to carry out their responsibilities.
Risk management processes are monitored through ongoing management activities, separate
evaluations, or both.
INTERNAL AUDIT ROLE IN ENTERPRISE
RISK MANAGEMENT (CONT’D)
Exhibit 9-5 shows a range of activities that an internal audit function might be asked to perform,
detailing which activities are appropriate and which should be avoided.
CONTROL
IIA Standard 2130: Control states, “The internal audit function must assist the organization in
maintaining effective controls by evaluating their effectiveness and efficiency and by promoting
continuous improvement.”
In terms of providing assurance services, the information that comes out of the risk assessment
should drive the internal audit function’s direction when evaluating “the adequacy and effectiveness
of controls in responding to risks within the organization’s governance, operations, and information
systems regarding the:
• Achievement of the organization’s strategic objectives;
• Reliability and integrity of financial and operational [nonfinancial] information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures, and contracts.”
QUALITY ASSURANCE AND
IMPROVEMENT PROGRAM
The IIA has established formal quality assurance standards that must be followed for
internal audit functions to be considered in compliance with The IIA Standards.
• Quality Assurance is the process of assuring that an internal audit function
adheres to a set of standards defining the specific elements that must be present
to ensure that the function operates appropriately.
• IIA Standard 1300: Quality Assurance and Improvement Program states that “the
chief audit executive must develop and maintain a quality assurance and
improvement program that covers all aspects of the internal audit activity.”
PERFORMANCE MEASUREMENTS FOR
THE INTERNAL AUDIT FUNCTION
Performance Measures:
• Provide the criteria against which the internal audit function judges its performance in key areas.
• Provide a gauge for how well the internal audit function is accomplishing its mission/goals.
The CAE considers many factors when creating performance measurements:
• Size of the internal audit function
• The specific services offered
• Industry-specific regulations
• The operating environment
• The organization’s culture
Performance measurements should be aligned with the internal audit function’s charter, and
all significant services addressed in the charter should be considered when establishing
performance measurements. The customized measurement process should outline activities
that contribute to the achievement of the goals identified in the charter.
USE OF TECHNOLOGY TO SUPPORT THE
INTERNAL AUDIT PROCESS
Technological tools
• Enable increased productivity and efficiency
• Allow for less time to be spent on administrative responsibilities
• Provide for more time on assurance and consulting services
• Should enhance an internal audit function’s productivity
• Should not divert attention away from the task of auditing
• Allow for less time spent documenting, retaining, and accessing supporting
documentation
REVIEW
Question 1. According to the IPPF, the independence of the internal
audit activity is achieved through:
a. Staffing and supervision.
b. Continuing professional development and due professional care.
c. Human relations and communications.
d. Organizational status and objectivity.
REVIEW
Question 2. Who is ultimately responsible for determining that the
objectives for an internal audit engagement have been met?
a. The individual internal audit staff member.
b. The CAE.
c. The audit committee.
d. The internal audit engagement supervisor.
REVIEW
Question 3. The Standards requires policies and procedures to guide
the internal audit staff. Which of the following statements is false
with respect to this requirement?
a. A small internal audit function may be managed informally
through close supervision and written memos.
b. Formal administrative and technical audit manuals may not be
needed by all internal audit functions.
c. The CAE should establish the function's policies and
procedures.
d. All internal audit functions should have a detailed policies and
procedures manual.
REVIEW
Question 4. Which of the following is not a responsibility of the CAE?
a. To communicate the internal audit function's plans and resource
requirements to senior management and the board for review
and approval.
b. To oversee the establishment, administration, and assessment of
the organization's system of internal controls and risk management
processes.
c. To follow up on whether appropriate management actions have
been taken on significant issues cited in internal audit reports.
d. To establish a risk-based plan to accomplish the objectives of the
internal audit function consistent with the organization's goals.
Question 5. Audit committees are most likely to participate in the
approval of:
a. Audit staff promotions and salary increases.
b. The internal audit report observations and recommendations.
c. Audit work schedules.
d. The appointment of the CAE.
Question 6. Which of the following activities undertaken by the internal
auditor might be in conflict with the standard of independence?
a. Risk management consultant.
b. Product development team leader.
c. Ethics advocate.
d. External audit liaison.
Question 7. Senior management has requested that the internal audit function perform
an operational review of the telephone marketing operations of a major division and
recommend procedures and policies for improving management control over the
operation. The internal audit function should:
a. Accept the audit engagement because independence would not be
impaired.
b. Accept the engagement, but indicate to management that recommending
controls would impair audit independence so that management knows that future
audits of the area would be impaired.
c. Not accept the engagement because internal audit functions are presumed to
have expertise on accounting controls, not marketing controls.
d. Not accept the engagement because recommending controls would impair future
objectivity of the department regarding this client.
Question 8. Which of the following best describes an auditor's
responsibility after noting some indicators of fraud?
a. Expand activities to determine whether an investigation is
warranted.
b. Report the possibility of fraud to senior management and ask
how to proceed.
c. Consult with external legal counsel to determine the course of
action to be taken.
d. Report the matter to the audit committee and request
funding for outside specialists to help investigate the possible
fraud.
Question 9. Which of the following activities are designed to provide
feedback on the effectiveness of an internal audit activity?
I. Proper supervision.
II. Proper training.
III. Internal assessments.
IV. External assessments.
a. I, II, and III only.
b. I, II, and IV only.
c. I, III, and IV only.
d. All of these.
Question 10. Organizational independence exists if the CAE reports
<List A> to some other organizational level than the CEO or similar
head of the organization as long as the internal audit activity <List B>
without interference:
a. List A: administratively; List B: controls the scope and performance of
work and reporting of results.
b. List A: administratively; List B: approves the internal audit budget
and risk-based internal audit plan.
c. List A: functionally; List B: controls the scope and performance of
work and reporting of results.
d. List A: functionally; List B: approves the internal audit budget and
risk-based internal audit plan.

Chapter 9 PPT 4th edition.pdf internal audit

  • 1. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Managing the Internal Audit Function CHAPTER 9
  • 2. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function LEARNING OBJECTIVES Understand the importance of proper positioning of the internal audit function within the organization. Identify the benefits of various organizational structures for an internal audit function. Identify the roles and responsibilities of the key positions in an internal audit function. Understand the policies and procedures of internal auditing and how they guide the internal audit function. Understand the attributes of a well-executed risk management model (process) and reflect on what role the internal audit function should have in the organization’s risk management processes. Understand quality assurance, how it operates, and why it is important to the internal audit function. Understand how technology is used in the management of the internal audit function
  • 3. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function STANDARDS RELEVANT TO MANAGING THE INTERNAL AUDIT FUNCTION
  • 4. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function POSITIONING THE INTERNAL AUDIT FUNCTION IN THE ORGANIZATION Organizations that recognize the importance of placing the internal audit function in a position that maximizes its effectiveness and ability to evaluate the efficacy of the risk management, control, and governance processes that are in place often do so through a senior management position described in the Standards as a chief audit executive (CAE). IIA Standard 2000: Managing the Internal Audit Activity states that “the chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.” Recognizing that the CAE is pivotal to a successful internal audit function, the interpretation of Standard 2000 goes on to state that “the internal audit [function] is effectively managed when: q It achieves the purpose and responsibility included in the internal audit charter. q It conforms with the Standards. q Its individual members conform with the Code of Ethics and the Standards. q It considers trends and emerging issues that could impact the organization.”
  • 5. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function THE INTERNAL AUDIT FUNCTION CHARTER q A necessary condition for the CAE to fulfill the responsibilities to effectively manage the internal audit function is to create a charter that “establishes the internal audit [function’s] position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities” (Interpretation to IIA Standard 1000: Purpose, Authority, and Responsibility). q The charter should also take into consideration assurance and consulting services. q It is important to recognize that the internal audit function and the audit committee have separate charters delineating the specific and separate obligations to the organization of each, while considering and reflecting the inherent interdependencies of the two. q The internal audit function’s charter is subordinate to the audit committee’s charter and must support it.
  • 6. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function INDEPENDENCE AND OBJECTIVITY The IPPF also indicates that internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest (objectivity). The IPPF further outlines these requirements by setting forth guidance on individual objectivity, which suggests the following: q Individual objectivity means the internal auditors must perform engagements in an honest way ensuring the work product is free of significant quality compromises. Internal auditors should avoid being placed in situations that could impair their ability to make objective professional judgments. q Individual objectivity requires the chief audit executive (CAE) to make staff assignments that prevent potential and actual conflicts of interest and bias. q Internal audit work results must be reviewed before engagement communications are released, which helps provide reasonable assurance that the work was performed objectively. q The internal auditor’s objectivity is not negatively affected when the internal auditor recommends enhancements to standards of control or reviews management’s operating procedures before implementation. The internal auditor’s objectivity is considered negatively affected (impaired) if the auditor designs, installs, drafts procedures for, or operates such systems. q The occasional performance of non-audit work by the internal auditor, with full disclosure in the reporting process, would not necessarily impair objectivity. However, it would require careful consideration by management. The internal auditor must be careful when accepting such temporary assignments to avoid adversely affecting the internal auditor’s objectivity.
  • 7. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function IMPAIRMENT TO INDEPENDENCE OR OBJECTIVITY If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment. q Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding. q The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity’s and the chief audit executive’s responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.
  • 8. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function IMPAIRMENT TO INDEPENDENCE OR OBJECTIVITY Additional IIA requirements regarding impairments to independence or objectivity are included in exhibit 9-3:
  • 9. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function PROFICIENCY AND DUE PROFESSIONAL CARE q IIA Standard 1200: Proficiency and Due Professional Care states simply that “engagements must be performed with proficiency and due professional care.” IIA Standard 1210: Proficiency goes into more detail, stating that “internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.” Furthermore, IIA Standard 1220: Due Professional Care states that “internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.” q It is important to note that the interpretation of Standard 1210 defines “proficiency [as] a collective term that refers to the knowledge, skills, and other competencies required of internal auditors to effectively carry out their professional responsibilities.” This interpretation goes on to say that “it encompasses consideration of current activities, trends, and emerging issues, to enable relevant advice and recommendations” and further encourages internal auditors to “demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors and other appropriate professional organizations.”
  • 10. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function PLANNING q The annual internal audit plan should be completed at the beginning of, or just prior to the organization’s fiscal year. q The process can be comprehensive whereby senior management and the internal audit function collaborate to complete a formal risk assessment on an organization-wide basis to establish a prioritized list of key risk scenarios facing the organization that must be appropriately managed by the organization to achieve key business objectives or informal and much less collaborative in nature. q The CAE aligns audit resources for the upcoming year with the conclusions drawn by management during the risk assessment process. q Providing the CAE with a definitive list of audit entities related to the prioritized risks allows for the creation of an internal audit plan using a top-down, risk-based approach. q The planning process should include the establishment of: • Goals, • engagement schedules, • staffing schedules, and • financial budgets. q Additionally, effective planning should reflect the internal audit charter and be consistent with organizational objectives.
  • 11. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function COMMUNICATION AND APPROVAL After the internal audit plan has been established, it is incumbent upon the CAE to present it to senior management and the board (typically the audit committee) to be approved. Resource requirements, significant interim changes, and the potential implications of resource limitations should all be included in the communication to senior management and the board (IIA Standard 2020: Communication and Approval).
  • 12. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function RESOURCE MANAGEMENT A significant consideration in implementing an internal audit function’s plan is how to allocate resources. It is the CAE’s responsibility to “ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan” (IIA Standard 2030: Resource Management). This is achieved by carefully orchestrating a number of factors, including the following: q Training and Mentoring q Career Planning and Professional Development q Scheduling q Financial Budget q Use of Professional Practice Groups q Organizational Structure and Staffing Strategy q Right Sizing q Staffing Plans/Human Resources q Hiring Practices q Strategic Sourcing
  • 13. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function POLICIES AND PROCEDURES q The standard regarding the implementation of policies and procedures simply states, “the chief audit executive must establish policies and procedures to guide the internal audit activity” (IIA Standard 2040: Policies and Procedures). q The IPPF goes on to suggest keeping the policies and procedures consistent with the size of the internal audit function. The CAE is ultimately responsible for developing policies and procedures. q Formal administrative and technical audit manuals may not be needed by all internal audit functions. A small internal audit function may be managed informally. Its audit staff may be directed and controlled through daily, close supervision, and memoranda that state policies and procedures to be followed. In a large internal audit function, more formal and comprehensive policies and procedures may be needed to guide the internal audit staff in the execution of the internal audit plan.
  • 14. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function COORDINATING ASSURANCE EFFORTS q According to IIA Standard 2050: Coordination and Reliance, “The chief audit executive should share information and coordinate activities, and consider relying on the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.” Coordinating the efforts of the internal audit function with those of other internal and external providers of assurance and consulting services is important because of the increase in effectiveness and efficiencies that can be gained. q Many organizations have multiple avenues for ensuring that they operate within their risk appetite. Organizations operating in a highly regulated environment in particular have a need to demonstrate that they have mitigated the many risks that threaten them to a reasonable level. To do so, they implement a technique of assurance layering to get the risk mitigation they need or desire. One common example of this strategy is the “three lines of defense model.”
  • 15. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function COORDINATING ASSURANCE EFFORTS q In the three lines of defense model, the organization layers the avenues through which they get assurance that the risks facing them are mitigated to a level within their risk appetite. Although it is referred to as three lines of defense, depending on the organization and how it is structured, there may be more than three defined lines (layers) of assurance. q Exhibit 9-4 is a popular depiction of the three lines of defense model that places the external, independent assurance providers outside the model. As indicated, this model can be adapted by organizations to depict their particular approach or philosophy.
  • 16. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation. Chapter 9: Managing the Internal Audit Function REPORTING TO THE BOARD AND SENIOR MANAGEMENT q The CAE has the responsibility to “report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan, and on its conformance with the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board” (IIA Standard 2060: Reporting to Senior Management and the Board). q More specifically, consider communicating the following items: • Significant deviations from approved engagement work schedules and the reasons for such. • Staffing plans, and financial budgets. • Action taken or needed. • Significant engagement observations and recommendations. • Instances of senior management and/or the audit committee acceptance of the risk of not correcting a significant engagement observation.
  • 17. REPORTING TO THE BOARD AND SENIOR MANAGEMENT (CONT’D)
      Management and the CAE coordinate efforts to routinely report on various risk and control activities performed by either, in accordance with roles and responsibilities set by the board and the audit committee. This typically includes reports covering:
          • Business unit monitoring and risk monitoring reports.
          • Independent outside auditor activity reports.
          • Key financial activity reports.
          • Risk management activity reports.
          • Legal and compliance monitoring reports.
      In addition to this information, a report is typically submitted to the audit committee by either senior management or the CAE outlining the results of management’s self-assessment regarding the design adequacy and operating effectiveness of the organization’s internal controls.
  • 18. GOVERNANCE
      Governance is defined as “a process conducted by the board of directors to authorize, direct, and oversee management toward the achievement of the organization’s objectives.”
  • 19. GOVERNANCE
      IIA Standard 2110: Governance requires the internal audit function to “assess and make appropriate recommendations to improve the organization’s governance processes for:
      • Making strategic and operational decisions;
      • Overseeing risk management and control;
      • Promoting appropriate ethics and values within the organization;
      • Ensuring effective organizational performance management and accountability;
      • Communicating risk and control information to appropriate areas of the organization; and
      • Coordinating the activities of, and communicating information among, the board, [independent outside] and internal auditors, other assurance providers, and management.”
  • 20. RISK MANAGEMENT
      Risk Management is a participatory process designed to identify, document, evaluate, communicate, and monitor the most significant uncertainties facing an organization requiring risk mitigation or exploitation of opportunities to successfully achieve business objectives.
      In other words, risk management is a process conducted by management to understand and deal with uncertainties (that is, risk and opportunities) that could affect the organization’s ability to achieve its business objectives.
  • 21. RISK MANAGEMENT
      • Risk management historically focused on avoiding potential danger and preventing harmful actions.
      • Risk management has evolved to focus additionally on identifying opportunities that can be exploited.
          • In these models, risk management efforts are designed to facilitate the management of both risk and opportunity within a predefined risk appetite set by the board and senior management.
      • Properly executed risk management assists the board and senior management in implementing appropriate risk responses:
          • Avoiding
          • Reducing
          • Sharing
          • Accepting risks
          • Exploiting opportunities
      • Effective risk management provides reasonable (not absolute) assurance that the business objectives of an organization will be achieved.
  • 22. INTERNAL AUDIT ROLE IN ENTERPRISE RISK MANAGEMENT
      Internal auditing is an independent, objective assurance and consulting activity.
      Assurance on ERM: Its core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management. At minimum, the internal audit function should evaluate the design adequacy and operating effectiveness of the organization’s risk management processes by providing input and feedback through a periodic review (audit).
      Consulting on ERM: It is also appropriate for the internal audit function to facilitate the identification and evaluation of risks and opportunities, coach management on appropriate ways to respond to risk events and opportunities, and help an organization coordinate enterprise-wide risk management activities.
  • 23. INTERNAL AUDIT ROLE IN ENTERPRISE RISK MANAGEMENT (CONT’D)
      According to IIA Standard 2120: Risk Management, “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”
      The interpretation for this standard states: Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:
      • Organizational objectives support and align with the organization’s mission;
      • Significant risks are identified and assessed;
      • Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
      • Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
      Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
  • 24. INTERNAL AUDIT ROLE IN ENTERPRISE RISK MANAGEMENT (CONT’D)
      Exhibit 9-5 shows a range of activities that an internal audit function might be asked to perform, detailing which activities are appropriate and which should be avoided.
  • 25. CONTROL
      IIA Standard 2130: Control states, “The internal audit function must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.”
      In terms of providing assurance services, the information that comes out of the risk assessment should drive the internal audit function’s direction when evaluating “the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
      • Achievement of the organization’s strategic objectives;
      • Reliability and integrity of financial and operational [nonfinancial] information;
      • Effectiveness and efficiency of operations and programs;
      • Safeguarding of assets; and
      • Compliance with laws, regulations, policies, procedures, and contracts.”
  • 26. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
      The IIA has established formal quality assurance standards that must be followed for internal audit functions to be considered in compliance with The IIA Standards.
      • Quality Assurance is the process of assuring that an internal audit function adheres to a set of standards defining the specific elements that must be present to ensure that the function operates appropriately.
      • IIA Standard 1300: Quality Assurance and Improvement Program states that “the chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.”
  • 27. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (CONT’D)
  • 28. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (CONT’D)
  • 29. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (CONT’D)
  • 30. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (CONT’D)
  • 31. PERFORMANCE MEASUREMENTS FOR THE INTERNAL AUDIT FUNCTION
      Performance Measures:
      • Provide the criteria against which the internal audit function judges its performance in key areas.
      • Provide a gauge for how well the internal audit function is accomplishing its mission/goals.
      The CAE considers many factors when creating performance measurements:
      • Size of the internal audit function
      • The specific services offered
      • Industry-specific regulations
      • The operating environment
      • The organization’s culture.
      Performance measurements should be aligned with the internal audit function’s charter, and all significant services addressed in the charter should be considered when establishing performance measurements. The customized measurement process should outline activities that contribute to the achievement of the goals identified in the charter.
  • 32. USE OF TECHNOLOGY TO SUPPORT THE INTERNAL AUDIT PROCESS
      Technological tools
      • Enable increased productivity and efficiency
      • Allow for less time to be spent on administrative responsibilities
      • Provide for more time on assurance and consulting services
      • Should enhance an internal audit function’s productivity
      • Should not divert attention away from the task of auditing
      • Allow for less time spent documenting, retaining, and accessing supporting documentation
  • 34. REVIEW Question 1. According to the IPPF, the independence of the internal audit activity is achieved through:
      a. Staffing and supervision.
      b. Continuing professional development and due professional care.
      c. Human relations and communications.
      d. Organizational status and objectivity.
  • 35. REVIEW Question 2. Who is ultimately responsible for determining that the objectives for an internal audit engagement have been met?
      a. The individual internal audit staff member.
      b. The CAE.
      c. The audit committee.
      d. The internal audit engagement supervisor.
  • 36. REVIEW Question 3. The Standards requires policies and procedures to guide the internal audit staff. Which of the following statements is false with respect to this requirement?
      a. A small internal audit function may be managed informally through close supervision and written memos.
      b. Formal administrative and technical audit manuals may not be needed by all internal audit functions.
      c. The CAE should establish the function's policies and procedures.
      d. All internal audit functions should have a detailed policies and procedures manual.
  • 37. REVIEW Question 4. Which of the following is not a responsibility of the CAE?
      a. To communicate the internal audit function's plans and resource requirements to senior management and the board for review and approval.
      b. To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes.
      c. To follow up on whether appropriate management actions have been taken on significant issues cited in internal audit reports.
      d. To establish a risk-based plan to accomplish the objectives of the internal audit function consistent with the organization's goals.
  • 38. REVIEW Question 5. Audit committees are most likely to participate in the approval of:
      a. Audit staff promotions and salary increases.
      b. The internal audit report observations and recommendations.
      c. Audit work schedules.
      d. The appointment of the CAE.
  • 39. REVIEW Question 6. Which of the following activities undertaken by the internal auditor might be in conflict with the standard of independence?
      a. Risk management consultant.
      b. Product development team leader.
      c. Ethics advocate.
      d. External audit liaison.
  • 40. REVIEW Question 7. Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The internal audit function should:
      a. Accept the audit engagement because independence would not be impaired.
      b. Accept the engagement, but indicate to management that recommending controls would impair audit independence so that management knows that future audits of the area would be impaired.
      c. Not accept the engagement because internal audit functions are presumed to have expertise on accounting controls, not marketing controls.
      d. Not accept the engagement because recommending controls would impair future objectivity of the department regarding this client.
  • 41. REVIEW Question 8. Which of the following best describes an auditor's responsibility after noting some indicators of fraud?
      a. Expand activities to determine whether an investigation is warranted.
      b. Report the possibility of fraud to senior management and ask how to proceed.
      c. Consult with external legal counsel to determine the course of action to be taken.
      d. Report the matter to the audit committee and request funding for outside specialists to help investigate the possible fraud.
  • 42. REVIEW Question 9. Which of the following activities are designed to provide feedback on the effectiveness of an internal audit activity?
      I. Proper supervision.
      II. Proper training.
      III. Internal assessments.
      IV. External assessments.
      a. I, II, and III only.
      b. I, II, and IV only.
      c. I, III, and IV only.
      d. All of these.
  • 43. REVIEW Question 10. Organizational independence exists if the CAE reports <List A> to some other organizational level than the CEO or similar head of the organization as long as the internal audit activity <List B> without interference:
      a. List A: administratively; List B: controls the scope and performance of work and reporting of results.
      b. List A: administratively; List B: approved the internal audit budget and risk-based internal audit plan.
      c. List A: functionally; List B: controls the scope and performance of work and reporting of results.
      d. List A: functionally; List B: approves the internal audit budget and risk-based internal audit plan.