An effective internal audit function can have a positive impact on the control environment of an organisation and the effective design and operation of internal control. The audit committee should regularly evaluated the effectiveness of the internal audit function to ensure that the benefits to the organisation are optimised.
The audit committee is responsible for evaluating the effectiveness of the internal audit function. This assessment should be performed on a regular basis. Any evaluation of internal audit should also include an assessment of internal audit’s objectivity and independence.
The internal audit plan should be reviewed on a regular basis and the audit committee should reflect on how internal audit has delivered against this plan, and the quality of the results of its testing. When agreeing appropriate performance measures for internal audit, the audit committee should recognise that these need to be adapted to the organisation’s circumstances and any changes.
Internal audit effectively has a dual reporting relationship, where the head of internal audit reports to executive management (ideally the CEO) for assistance in establishing direction, support, and administrative matters; and to the audit committee for strategic direction, reinforcement and accountability. The audit committee therefore also has a role to play in ensuring the effectiveness of the external audit function; it should ensure that internal audit has a direct line of communication with and the support of the committee.
The audit committee should also consider the resources dedicated to the internal audit function and whether these enable internal audit to deliver on its audit plan. Particular attention should be paid to this in times of organisational change and restructuring.
Self-assessment by the head of internal audit is a useful assessment tool, but it should not be used as the sole means of assessing the effectiveness of internal audit. The audit committee should draw its own conclusions based on its experience and contact with internal audit as well as the views of others such as the CFO, divisional heads and external audit. In evaluating the work of internal audit, the audit committee should review the annual internal audit work plan, receive periodic reports on the results of the internal auditor’s work and monitor management’s responsiveness to the internal auditor’s findings and recommendations.
The IIA and audit committees
Richard Chambers gives some insight about 5 key focus areas on the relationship between audit committees and internal auditors. The second video appeared on the “Inside the boardroom” show and provides further insight into the correlation and enhancement of the roles of internal and external auditors and the audit committee.
Audit Committee interaction with the internal auditors
An effective relationship between the audit committee and the internal auditors is fundamental to the success of the internal audit function. It has become increasingly important for audit committees to assess whether the internal auditors are evaluating critical controls and identifying and addressing emerging risks. The specific expectations for internal audit functions vary by organisation,
but should include, at least, the following elements:
- objectively monitor and report on the health of financial, operational, and compliance controls
- provide insight into the effectiveness of risk management
- offer guidance regarding effective governance
- become a catalyst for positive change in processes and controls
- deliver value to the audit committee, executives and management in the areas of controls, risk management and governance to assist in the audit committee’s assessment of the effectiveness of programs and procedures
- coordinate activities and share perspectives with the external auditor
- manage the combined assurance process effectively
In support of these objectives, audit committees should take steps to facilitate a mutually beneficial relationship with the internal auditors. These steps can include to:
- meet privately with the internal auditors on a regular basis
- encourage open communication between the chief audit executive (CAE) and the audit committee
- take responsibility for the appointment, performance assessment and dismissal of the CAE or the outsourced internal audit function
- set clear goals and evaluate the performance of the CAE (these responsibilities should not be delegated solely to the CFO or CEO)
- see that the internal auditors have appropriate stature and respect and are visibly supported by senior management throughout the organisation
- support the CAE, providing guidance if needed and assistance when he or she reports potential weaknesses in governance, risk and compliance.
Ten key questions to raise with internal audit
- What is the internal audit coverage of the organization’s risk management and governance processes?
- Internal auditors are increasing their focus on the risk management and governess processes of the organizations they audit and assess. At the same time, audit committees have stepped up their interest in risk management and governance, reflecting the heightened oversight of these areas on the parts of regulatory and supervisory bodies in both the public and private sector.
- Given the importance of these areas, the audit committee needs to evaluate the current and projected scope of internal audit coverage of risk management and governance .
- In organizations in the initial stages of risk management implementation, the role of internal audit is often that of a catalyst or facilitator to help foster development of the organization’s risk management processes. In such situations, internal auditors’ knowledge of the organization and its risks can be very helpful.
- As risk management processes mature, internal audit can serve in more of an assurance capacity, providing audit coverage of the risk practices that have been implemented.
- Internal audit also can provide advice and assurance over the organization’s governance processes – the IIA’s International Standards for the Professional Practice of Internal Auditing (the “Standards”) now require internal auditors to address both risk management and governance processes in their audit coverage.
- How responsive to change and flexible is internal audit’s risk-based audit plan?
- Internal auditors are required by the Standards to conduct a risk-based audit plan. While there is no one approach to conducting risk assessments and developing the related audit plan, many internal audit groups conduct an annual risk assessment and prepare an annual audit plan.
- Risks are complex and dynamic and more internal audit groups are updating their risk assessments and audit plans on a more frequent and timely basis than just annually. By taking a more timely approach to their audit planning, organizations are helping to ensure that their audit coverage is focused at the most critical issues in a given time period.
- The audit committee needs to understand how, and with what frequency, internal audit updates their risk assessment and how responsive and flexible they are with their audit plans. In addition to recommended changes to the audit plan, the audit committee needs to ensure that internal audit provides it with a rundown on changes to the organization’s risk profile or new emerging risks that are driving audit plan changes.
- By reviewing changes to the organization’s risk profile, the audit committee can gain comfort that the recommended audit plan changes will address current risks.
- The audit committee should have a clear understanding that the CAE’s role extends beyond audit plan execution to ensure that the internal audit process is identifying changes to the organization’s risks and addressing these risks on a timely basis.
- How does internal audit use technology to enhance its auditing and monitoring activities?
- Technology tools are increasingly being used by internal auditors to enhance both the efficiency and effectiveness of their auditing activities.
- Powerful data mining tools enable internal auditors to perform audit tests on entire populations of data as opposed to testing data samples alone. Data mining tools enable internal auditors to monitor controls, risk and fraud indicators, and performance metrics.
- Given the scope of these capabilities, many internal auditors find that such tools offer significant opportunities to improve and enhance their auditing efforts.
- Audit committees need to determine how their internal auditors are using technology, their plans for leveraging technology further, and what types of support the internal audit function needs to be successful. To make these determinations, the audit committee also needs to be aware of the specialized skills and budgetary support required by internal audit to achieve its technology objectives.
- What is the strategic vision and plan for internal audit? Does internal audit have a clearly articulated strategy (covering assurance and consultancy activities) that is reviewed periodically and approved by the audit committee? Does internal audit have a charter that is periodically reviewed and approved by the audit committee? Does internal audit operate in accordance with its charter? Are any deviance reported?
- When the risk assessment indicates a change in risk, the audit plan should be reviewed to determine whether the planned audit coverage should be increased or decreased to address the revised assessment of risk.” focus in many organizations. Internal auditing is no different.
- For internal auditors to keep current with new developments in auditing, technology and business, they must plan effectively. As the IIA Global Survey indicates, “A well-conducted strategic planning exercise will allow the CAE to develop his or her mission and various approaches and strategies to achieving that mission.” To assess the strategic orientation of their internal audit functions, audit committees should ask questions such as these:
- What is internal audit’s vision for the nearand mid-term future?
- Does internal audit have a strategic plan?
- How does internal audit plan to keep pace with the risks and processes in the business?
- Has internal audit identified gaps between where its processes and practices are today and where they need to be in the 3-5 years?
- Does the internal audit strategy align with and support the organization’s strategic plans?
- What perceived value does the organization receive from its internal audit activities?
- According to the definition of internal auditing promulgated by the IIA, internal auditing activities are designed to “add value” to an organization. How an internal audit function goes about adding value differs from one organization to another, depending on the expectations of internal audit’s key stakeholders.
- The challenge for audit committees and internal auditors alike is to define clearly what those expectations for adding value are and then to tailor their processes to meet those expectations.
- For any internal audit function, providing assurance is a core and expected value driver.
- Other types of value – some internal auditors today add value by providing high quality talent to their organizations, or assisting management by providing monitoring and data mining capabilities that contribute to improved business unit performance, or assist in enhancing risk management and governance processes.
- Irrespective of the specific value drivers of an organization, however, there should be clarity and agreement among internal audit, executive management and the audit committee as to stakeholder expectations and the specific internal audit activities to which stakeholders ascribe value. It’s then up to internal audit to address those expectations and value drivers and assess how well it is doing so. By operating in this manner, stakeholder perceptions become real and tangible and increase the likelihood that internal audit will deliver sought-after value.
- How do we strengthen communications and relationships between internal audit and the audit committee?
- Ideally, the relationship between internal audit and the audit committee will be characterized by open communications, respect and trust. To achieve and maintain such a relationship demands ongoing attention by both parties. For their part, members of the audit committee should continually ask themselves how they might enhance their relationship with internal audit, particularly with regard to informal communications.
- One way to enhance audit committee/ CAE relationships is joint training involving the audit committee chair and chief audit executive.
- CAE’s direct report and meet periodically with the audit committee chair and are invited to make presentations to the audit committee. Such interactions The IIA’s Global Internal Audit Survey in Action – The need to develop strategies and actions to meet stakeholder expectations provide opportunities for the audit committee to see key members of the internal audit staff in action, a factor contributing to effective succession planning for the CAE.
- How does internal audit ensure that its activities are in full compliance with “The International Standards for the Professional
Practice of Internal Auditing?”
- The IIA is the global standards-setting body for the internal audit profession. In this capacity, the IIA promulgates The International Standards for the Professional Practice of Internal Auditing (the “Standards”). Most internal audit functions have charters stating that internal audit conducts its activities in accordance with these Standards.
- In the same manner that the audit committee expects its external auditors to comply fully with their professional standards, it should also expect its internal auditors to comply fully with their Standards. To this end, the audit committee should request periodic confirmation from their internal auditors that they do, indeed, comply fully with the IIA Standards. Of note, the IIA Standards require an external assurance assessment of the internal audit function at least every five years.
- The audit committee should ensure that this requirement is met and that it receives the report from the external reviewer.
- How does internal audit acquire and develop top talent for the organization?
- The quality of an organization’s internal audit function is heavily dependent on the quality of its people. This is especially true today where the amount of change and complexity of risks facing most organizations create significant and varying challenges.
- Traditional auditing and accounting skills remain highly valued in today’s environment, but must be augmented with non-traditional auditing skills.
- Data-mining specialists and staff with in-depth industry knowledge are just two types of talent being sought after by today’s internal audit functions. A true measure of internal audit staff quality is the degree to which the internal audit function is perceived to be a source of talent for other parts of the organization. Some companies have formal rotational programs wherein highly talented staff members are assigned to internal audit for a specific time period to gain valuable experience that can then be taken back to the business units. At other organizations, members of the internal audit staff are recruited by other organizational entities because of their in-depth knowledge of the business and its risks and controls. It is important for audit committees to be aware of the role that internal audit either is playing or could be playing to address the broader talent needs of the organization.
- Does internal audit have a clear set of performance expectations that are aligned with the success measures of the audit committee, and that are measured and reported to the audit committee? What types and levels of training necessary for internal audit to accomplish its mission?
- For internal auditors to keep pace with the dynamic changes in business, technology and risk today, they must have access to continuous, current and robust training.
- An effective training program needs to go beyond basic accounting or auditing skills to address critical areas such as data mining and analysis, risk management, governance processes, new-product marketing and new technological applications.
- Softer skills – such as how to make good decisions, how to interview effectively, and how to think critically – also need to be stressed. In particular, the audit committee should inquire as to whether the training is adequately equipping the internal audit staff to conduct auditing activities appropriate for the organization’s current and evolving risk profile.
- Does internal audit periodically inventory and assess its skills to identify gaps and, if so, how are they being addressed?
- The dynamic nature of organization’s and their risks places a continuing demand on internal audit to periodically assess its skills inventory. In addition to audit and accounting capabilities, the organization’s risks may drive needs for specialists in languages, social media, data security, mathematics and beyond. In this environment, most internal audit functions will experience some sort of skills gap from time to time. When they do so, they are increasingly turning to third parties to supply needed skills on an “as needed” basis.
Other questions for audit committees to consider
Some of the key questions that audit committees can raise include:
- In delivering the internal audit plan, is internal audit flexible and dynamic in promptly addressing new risks and the needs of the audit committee?
- Is internal audit sufficiently independent of management?
- Is the CAE respected as an adviser to the audit committee and management on emerging risks? Does internal audit have a presence in major governance and control forums throughout the organisation, for example, any risk committee?
- Is internal audit recognised by business leaders as a function providing quality challenge (for example by telling them things that they did not already know, identifying root causes and opportunities for improving control design, and trends in risks and controls)?
- Is the level of assurance provided by internal audit and its interaction with other assurance sources clear and appropriate for the audit committee?
- Does internal audit meet regularly with the external auditors to discuss risk assessments, the scope of procedures, or opportunities to achieve greater efficiencies and effectiveness in the company’s audit services?
- Are issues identified and reported by internal audit appropriately highlighted to the audit committee, and is the progress toward effective completed management actions tracked and reported?
- Is internal audit timely and proactive in the conduct and reporting of issues and in addressing them with management? Is internal audit characterised by strong relationships at the highest levels (for example, does the head of internal audit and senior colleagues have direct and strong relationships with board members, business heads and senior management)?
- Are reports and other communications from internal audit to the audit committee of an appropriate standard and do they provide value?
Internal audit reporting
Key questions that should be asked include:
- Does internal audit produce reports for individual audits with a clear rating scale which identify both root causes and consequences of issues which are delivered on a timely basis with clarity and impact, and include credible recommendations to management?
- Does internal audit produce reports for the audit committee which present information in a clear, concise manner, including the identification of themes and trends, and their consequences for the organisation as a whole?
- Does internal audit have rapid and effective mechanisms in place for the escalation of issues requiring senior management or audit committee attention?
- Has internal audit added value to the organisation? If so, how?
- Do internal audit procedures produce many significant findings? Are these actioned by management on a timely basis?
Internal audit effectiveness
The following questions could be asked to evaluate the effectiveness of internal audit:
- Is the use of a survey or questionnaire appropriate? Who should be asked to complete this?
- Is too much reliance placed upon any self-assessment process?
- How often is internal audit effectiveness evaluated?
- Does the audit committee regularly review the quality and results of internal audit reporting and activities?
- Is internal audit’s independence and objectivity included in the assessment? How can this be incorporated?
- Does internal audit have sufficient resources to deliver on its annual plan and pick up ad hoc projects as necessary? Is the talent pool diverse, with a broad mix of skills and experience?
- Does internal audit have team members with sufficient technical knowledge to perform their role effectively?
- Does internal audit have team members with appropriate information systems auditing experience to understand and assess the level of technology used by the organisation?
- Does internal audit manage its resources effectively to maximise the value of its service to the business?
When the internal audit function’s direct reporting line is to the audit committee, it allows the internal auditors to remain structurally separate from management and enhances objectivity. This also encourages the free flow of communication on issues and promotes direct feedback from the audit committee on the performance of the CAE. There are several ways the audit committee can oversee the internal audit function. The Institute of Internal Auditors (IIA) provides the following checklist of considerations for audit committees in overseeing the internal auditors.
Institute of Internal Audit – Ten-point checklist for internal audit oversight
The IIA has developed these guidelines……
- The audit committee engages in an open, transparent relationship with the CAE.
- The audit committee reviews and approves the internal audit charter annually.
- The audit committee has a clear understanding of the strengths and weaknesses of the organisation’s internal control and risk management systems.
- The approved plan is carried out by competent, objective professionals from internal audit.
- Internal audit is empowered to be independent by its appropriate reporting relationship.
- The audit committee addresses with the CAE all issues related to independence and objectivity.
- Internal audit is quality-oriented and has a robust quality improvement programme.
- The audit committee regularly communicates with the CAE about performance and improvement opportunities.
- Internal audit reports are actionable and recommendations are implemented.
- The audit committee meets periodically with the CAE without management.
The IIA’s Standards for Professional Practice of Internal Auditing mandate that the internal auditors maintain a certain level of
independence from the work they audit. This means that an internal auditor should have no personal or professional involvement with the area being audited and should maintain an impartial perspective on all engagements. Internal auditors should have access to records and personnel when necessary, and they should be allowed to employ appropriate investigative techniques without impediment.
- IIA Inc article
- Lectures 0
- Quizzes 0
- Duration 50 hours
- Skill level All levels
- Language English
- Students 0
- Certificate No
- Assessments Yes