The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organisation.
The internal audit activity is effectively managed when:
The internal audit activity adds value to the organisation and its stakeholders when it considers strategies, objectives and risks; strives to offer ways to enhance governance, risk management and control processes; and objectively provides relevant assurance.
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation's goals.
To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organisation’s strategies, key business objectives, associated risks, and risk management processes.
The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organisation's business, risks, operations, programmes, systems, and controls.
The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value and improve the organisation's operations. Accepted engagements must be included in the plan.
The chief audit executive must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.
The chief audit executive must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan.
Appropriate refers to the mix of knowledge, skills and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimises the achievement of the approved plan.
The chief audit executive must establish policies and procedures to guide the internal audit activity.
The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.
The chief audit executive should share information, coordinate activities and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication of efforts.
In coordinating activities, the chief audit executive may rely on the work of other assurance and consulting service providers. A consistent process for the basis of reliance should be established, and the chief audit executive should consider the competency, objectivity, and due professional care of the assurance and consulting service providers.
The chief audit executive should also have a clear understanding of the scope, objectives, and results of the work performed by other providers of assurance and consulting services. Where reliance is placed on the work of others, the chief audit executive is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.
The chief audit executive must report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility and performance relative to its plan and on its conformance with the Code of Ethics and the Standards.
Reporting must also include significant risk and control issues, including fraud risks, governance issues and other matters that require the attention of senior management and/or the board.
The frequency and content of reporting are determined collaboratively by the chief audit executive, senior management, and the board. The frequency and content of reporting depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board.
The chief audit executive’s reporting and communication to senior management and the board must include information about:
These and other chief audit executive communication requirements are referenced throughout the Standards.
When an external service provider serves as the internal audit activity, the provider must make the organisation aware that the organisation has the responsibility for maintaining an effective internal audit activity.
This responsibility is demonstrated through the quality assurance and improvement programme which assesses conformance with the Code of Ethics and the Standards.
The internal audit activity must evaluate and contribute to the improvement of the organisation's governance, risk management and control processes using a systematic, disciplined and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.
The internal audit activity must assess and make appropriate recommendations to improve the organisation’s governance processes for:
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organisation's risk management processes and their effectiveness.
Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organisation's governance, operations and information systems regarding the:
Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing and resource allocations. The plan must consider the organisation’s strategies, objectives, and risks relevant to the engagement.
In planning the engagement, internal auditors must consider:
When planning an engagement for parties outside the organisation, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.
Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities and other client expectations. For significant engagements, this understanding must be documented.
Objectives must be established for each engagement.
Adequate criteria are needed to evaluate governance, risk management and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished.
If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
Types of criteria may include:
The established scope must be sufficient to achieve the objectives of the engagement.
If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.
In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints and available resources.
Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement.
Sufficient refers to the quantity of resources needed to accomplish the engagement with due professional care.
Internal auditors must develop and document work programmes that achieve the engagement objectives.
Work programmes must include the procedures for identifying, analysing, evaluating and documenting information during the engagement. The work programme must be approved prior to its implementation and any adjustments approved promptly.
Internal auditors must identify, analyse, evaluate and document sufficient information to achieve the engagement's objectives.
Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement's objectives.
Sufficient information is factual, adequate and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques.
Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organisation meet its goals.
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.
Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions.
The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.
The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organisation's guidelines and any pertinent regulatory or other requirements.
The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organisation's guidelines and any pertinent regulatory or other requirements.
Engagements must be properly supervised to ensure objectives are achieved, quality is assured and staff is developed.
The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.
Internal auditors must communicate the results of engagements.
Communications must include the engagement’s objectives, scope, and results.
Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into account the expectations of senior management, the board and other stakeholders and must be supported by sufficient, reliable, relevant and useful information.
Opinions at the engagement level may be ratings, conclusions or other descriptions of the results. Such an engagement may be in relation to controls around a specific process, risk or business unit. The formulation of such opinions requires consideration of the engagement results and their significance.
Communications must be accurate, objective, clear, concise, constructive, complete and timely.
Accurate communications are free from errors and distortions and are faithful to the underlying facts.
Objective communications are fair, impartial and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.
Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information.
Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy and wordiness.
Constructive communications are helpful to the engagement client and the organisation and lead to improvements where needed.
Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.
Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.
If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.
Indicating that engagements are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing” is appropriate only if supported by the results of the quality assurance and improvement programme.
When non-conformance with the Code of Ethics or the Standards impacts a specific engagement, communication of the engagement results must disclose the:
The chief audit executive must communicate results to the appropriate parties.
The chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility.
During consulting engagements, governance, risk management and control issues may be identified. Whenever these issues are significant to the organisation, they must be communicated to senior management and the board.
When an overall opinion is issued, it must take into account the strategies, objectives and risks of the organisation; and the expectations of senior management, the board and other stakeholders. The overall opinion must be supported by sufficient, reliable, relevant and useful information.
The communication will include:
The reasons for an unfavourable overall opinion must be stated.
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organisation, the chief audit executive must discuss the matter with senior management.
If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.
The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.