How do internal and external auditors differ and how should they relate?
Although they are independent of the activities they audit, internal auditors are integral to the organization and provide ongoing monitoring and assessment of all activities. On the contrary, external auditors are independent of the organization, and provide an annual opinion on the financial statements. The work of the internal and external auditors should be coordinated for optimal effectiveness and efficiency.
Internal and external auditors have mutual interests regarding the effectiveness of internal financial controls. Both professions adhere to codes of ethics and professional standards set by their respective professional associations. There are, however, major differences with regard to their relationships to the organization, and to their scope of work and objectives.
Internal auditors are part of the organization. Their objectives are determined by professional standards, the board, and management. Their primary clients are management and the board. External auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and their primary client — the board of directors.
The internal auditor's scope of work is comprehensive. It serves the organization by helping it accomplish its objectives, and improving operations, risk management, internal controls, and governance processes. Concerned with all aspects of the organization — both financial and non-financial — the internal auditors focus on future events as a result of their continuous review and evaluation of controls and processes. They also are concerned with the prevention of fraud in any form.
The primary mission of external auditors is to provide an independent opinion on the organization's financial statements, annually. Their approach is historical in nature, as they assess whether the statements conform with generally accepted accounting principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period of time are accurately represented, and whether the financial statements have been materially affected.
The internal and external auditors should meet periodically to discuss common interests; benefit from their complementary skills, areas of expertise, and perspectives; gain understanding of each other's scope of work and methods; discuss audit coverage and scheduling to minimize redundancies; provide access to reports, programs and working papers; and jointly assess areas of risk. In fulfilling its oversight responsibilities for assurance, the board should require coordination of internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process.
How does internal auditing maintain its independence and objectivity?
INDEPENDENCE: The audit charter should establish independence of the internal audit activity by the dual reporting relationship to management and the organization's most senior oversight group. Specifically, the CAE should report to executive management for assistance in establishing direction, support, and administrative interface; and typically to the audit committee for strategic direction, reinforcement, and accountability. The internal auditors should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment.
OBJECTIVITY: To maintain objectivity, internal auditors should have no personal or professional involvement with or allegiance to the area being audited; and should maintain an un-biased and impartial mindset in regard to all engagements.
Independence and objectivity are two critical components of an effective internal audit activity.
"The internal auditor occupies a unique position. He or she is employed by the management but is also expected to review the conduct of management which can create significant tension since the internal auditor's independence from management is necessary for the auditor to objectively assess the management's action, but the internal auditor's dependence on the management for employment is very clear."
Therefore, the internal audit activity should have a mandate through a written audit charter that establishes its purpose, authority, and responsibility to support its independence and objectivity within an organization.
Internal auditors are independent when they render impartial and unbiased judgment in the conduct of their engagement. To ensure this independence, best practices suggest the CAE should report directly to the audit committee or its equivalent. For day-to-day administrative purposes, the CAE should report to the most senior executive (i.e., the chief executive officer [CEO]) of the organization. The CAE should have direct communication with the audit committee, which reinforces the organizational status of internal auditing, enables full support and unrestricted access to organizational resources, and ensures that there is no impairment to independence. This provides sufficient authority to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on recommendations. Independence is further enhanced if the CAE reports to the board through its audit committee on the planning, execution, and results of audit activities. The audit committee is also responsible for the appointment, removal, and fixation of compensation of the CAE. The committee should safeguard the independence by approving the internal audit charter and mandate periodically.
Objectivity is a mental attitude that internal auditors should maintain while performing engagements. The internal auditor should have an impartial, unbiased attitude and avoid conflict-of-interest situations, as that would prejudice his/her ability to perform the duties objectively. The results of internal audit work should be reviewed before they are released in order to provide a reasonable assurance that the work has been performed objectively.
Internal auditors should not assume any operational responsibility. Objectivity can be presumed to be impaired when internal auditors perform an assurance review of any activity for which they had any authority or responsibility within the past year or a period significant enough to influence their judgment or opinion. Internal auditors should not accept gifts or favors from others such as employees, clients, or business associates.
The internal auditors should adopt a policy that endorses their commitment to abiding by the Code of Ethics, avoiding conflicts of interest, disclosing any activity that could result in a possible conflict of interest. Staff assignment of internal auditors should be rotated periodically whenever it is practicable.
References: The IIA International Professional Practices Framework; 20 Questions Directors should ask about Internal Audit by Fraser and Lindsa; ECIIA Position Paper on Internal Auditing in Europe; and Practice Advisories 1000-1,1100-1,1110-1,1120-1.
How does the internal audit activity go about prioritizing its resources?
Effective prioritization involves staying in sync with the organization's risk priorities and taking a risk-based approach to internal audit planning. By continuously monitoring organizational changes that might alter the plan, the CAE should be well equipped and positioned to make informed and educated recommendations to management and the board on the most effective use of internal audit resources.
Given the potential size of the audit universe, the related scope of work, and the need for efficient use of limited internal audit resources, it is critical to prioritize and plan audit engagements based on an annual risk assessment that is viewed from the perspective of organizational goals and objectives.
Most models used by CAEs for prioritization of their audit work take into consideration such factors as financial impact, asset liquidity, management competence, quality of internal controls, degree of change or stability, time of last audit engagement, complexity, and strategic risks. In conducting audit engagements, methods and techniques for testing and validating exposures should consider the risk materiality and likelihood of occurrence.
Although the annual audit plan's subject areas will vary as a result of the internal audit activity's risk assessment and related drivers, it should always address two critical areas:
- Throughout the year, the CAE should perform a sufficient amount of audit work and gather enough information to form an educated judgment about the adequacy and effectiveness of the organization's risk management and control processes.
- The internal audit activity should review the organization's regulatory compliance programs.
Once a risk-based audit plan is developed, the CAE should communicate the internal audit activity's plans, resource requirements, and related limitations to senior management and to the appropriate governing body for review and approval.
Changes in management direction, objectives, emphasis, and focus should be reflected by changes to the audit universe and related audit plan, which might require frequent (quarterly) updating. All significant changes should be submitted to the oversight entities for review and approval.
Ultimately, the audit plan should address and support the most effective use of internal audit resources. Aligning internal audit activities with the organization's operational and strategic goals and objectives through a risk assessment will ensure efficient utilization of internal audit resources while providing management with valuable insights on risk management activities.
References: PA 2010-1: Planning; PA 2010-2: Linking the Audit Plan to Risk and Exposures; PA 2020-1: Communication and Approval; PA 2120.A1-1: Assessing and Reporting on Control Processes
How should an organization go about sourcing its internal audit activity?
The IIA believes that:
The responsibility for establishing and overseeing the scope and performance of internal auditing cannot be outsourced.
Internal auditing is the responsibility of an organization's board — or equivalent governing body — and senior management.
Internal auditing should be managed within the organization by a chief audit executive who is accountable to the organization's board and chief executive officer.
If an internal audit activity is outsourced, the chief audit executive within the organization should be responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and following up on engagement results.
Internal auditors may be internal employees, external resources, or a combination thereof based on the specific needs of the organization.
Internal auditing should be performed by competent professionals in full compliance with the International Standards for the Professional Practice of Internal Auditing (Standards) and Code of Ethics.
Is it mandatory to have an internal audit activity?
Whether an organization is required to have an internal audit activity or not depends on the respective regulatory requirements that govern the organization. In the United States, the New York Stock Exchange (NYSE) requires publicly traded companies to "maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company's risk management processes and system of internal controls." This requirement was effective October 31, 2004. Stock exchanges throughout the world have their own norms governing such companies, and some have implemented requirements similar to those of the NYSE.
Although private companies — those not publicly listed — are not required to have internal auditing, many of them have established an internal audit activity as one of its core organizational governance elements.
A well functioning, adequately resourced internal audit activity that works collaboratively with management and the board is a key resource in identifying risks and recommending improvements to an organization's governance, risk management, internal controls, and operations. The internal auditors' unique perspective of independence and objectivity, knowledge of the organization, and understanding and application of sound consulting and audit principles make them ideal for this role.
Helpful IIA References: Guidance on "Internal Auditing's Role in Section 302 and 404 of the US Sarbanes Oxley Act of 2002" "Establishing an Internal Audit Shop" "The Role of Internal Audit in Corporate Governance and Management"
What are the critical skills and attributes of a chief audit executive (CAE)?
CAEs must have strong skills in business processes and management, leadership, and communication to effectively reinforce an organization's commitment to strong internal controls. They must focus on quality, improvement effectiveness, and efficiency; and model independence, objectivity, ethics, integrity, and professionalism.
In order to perform proficiently in the role of chief audit executive, an internal audit practitioner must possess many admirable personal traits and professional competencies. Below are some of the more critical attributes and skills necessary for a CAE to be effective in today's global business, technology, and audit environments.
- Independent, Objective, and Ethical — The CAE must be both a partner to management in monitoring the organization's ethical and operational environment and an independent and objective professional in assessing the results of management's work on behalf of the board of directors or audit committee. The CAE must balance these two responsibilities and deliver an unbiased and equitable assessment of all circumstances. Uncompromising ethics, the ability to listen with an open mind, and the strength and integrity to be firm under pressure will enable the CAE to stand up to the audit committee and senior management, and sometimes tell them what they do not want to hear.
- Intellectually Curious — The CAE must be a curious explorer, investigative reporter, and avid analyst, whose role it is to always discover, interpret, and question. This enables the CAE to provide objective, independent assurance and professional advice to all levels of management, as well as pave the path toward an organization's continuous improvement.
- Change Agent — A key CAE attribute is an innate desire and commitment to improve (change) anything within the organization found to be deficient. Further, the CAE also must influence and persuade others to improve.
- Focus on Quality — The CAE should be quality-oriented, with a strong focus on the internal audit activity achieving the highest level of professionalism. This includes adhering to the International Professional Practices Framework, establishing a Quality Assurance and Improvement Program, and undergoing internal and external quality assessments.
- Solid Business, Technical and Process Skills — In order to effectively evaluate risk, assess sufficiency of controls, identify process improvement opportunities, and effectively communicate with management, the CAE must have a good understanding of the organization's industry, products, services, and methods of doing business.
- Basic IT Knowledge — Because of the rapid-fire changes in information technology, CAEs are not expected to be IT experts. It is critical, however, that they have a basic understanding of an organization's IT environment in order to fully appreciate the magnitude of technology issues and to effectively assess and communicate technology risks to organizational management and the audit committee.
- Communication and Listening Skills — The CAE must communicate in a concise, professional manner in order to be effective in articulating risks and opportunities to a broad range of stakeholders, including the audit committee, management, external auditors, and regulatory agencies. The CAE also must demonstrate excellent listening skills in all exchanges with the board and audit committee, executive management, operating management, and the audit staff.
- People Management — In order to build and sustain a successful audit team, which increasingly includes co-sourced professionals, the CAE must be an effective leader and exhibit expert management skills. The CAE should have the ability to bring out the best in people, while balancing their differing needs of professional growth, travel, and work-life balance.
What are the skill sets and staffing needs of an internal audit activity?
A broad range of skills and expertise and ongoing professional development are critical to the formation and maintenance of an effective internal audit activity. Essential elements include in-depth knowledge of the organization's industry and internal audit standards and best practices; technical understanding and expertise; knowledge of skills for implementing and improving processes in both financial and operational areas; strong communication and presentation skills; and professional certification, e.g. CIA.
Although some co-sourcing and outsourcing might be necessary when unique competencies and specialty skills are not affordable or available, the oversight and responsibility for the internal audit activity cannot be outsourced.
Today's internal auditors must provide to their audit committees explicit assurance on organizational governance, as well as meet ever-increasing demands of management and other stakeholders. They must excel as internal control and risk management experts to ensure the controls over key systems and business processes are robust and effective. To meet these high expectations, a solid staffing strategy is essential. It is the responsibility of the CAE to establish an effective program for selecting and developing the internal audit team.
The skill mix, depth, and size of the audit team should be determined by the services expected by the audit committee and management in order to meet organizational needs. The resulting audit plan should be based on an assessment and ranking of risks, critical systems, and processes across the organization, and should consider the organization's long-term business objectives, expansion plans, and growth strategies; as well as short-term changes in the control environment such as M&A activities, major system implementations, and reengineering of business processes.
The maturity of the control environment, level of management accountability, and extent to which the organization depends on internal auditing to drive improvements will affect the resourcing outcome. Benchmarking against comparable organizations can provide useful insights into appropriate staffing.
When staffing an internal audit activity, management s options include:
- Establishing a dedicated audit team with requisite resources.
- Cosourcing, by which an external provider supports the CAE and the dedicated audit team with supplementary specialist skills that might be too costly to maintain in-house. This option affords flexibility that enables the team to upsize or downsize according to the needs of the business.
- Maintaining a dedicated audit team. supported by rotations that provide the opportunity for business-unit personnel to gain valuable, broad-based knowledge of the business as well as education on issues regarding internal control and risk management. In some Fortune 1000 companies, an internal audit assignment is a pre-requisite for senior financial or general management positions.
- Outsourcing the internal audit activity to an external provider. This option may be cost-effective for smaller organizations, geographically dispersed entities, or organizations with specific technical expertise.
NOTE: The IIA believes the internal audit activity should never be fully outsourced, but should be managed from within the organization, preferably by a competent CAE.
The staffing option taken should result in an internal audit team that possesses the skills necessary to meet the group's objectives. Ideally, the audit activity should comprise individuals with diverse backgrounds, skill sets, and experience to provide adequate control assurance to support the business on a broad range of risk and internal control matters.
Increasingly, internal audit activities are performed by multi-disciplinary teams that include engineers, accountants, management graduates, and even environmental specialists who reflect a broad range of today s assurance needs. Also, information technology audit experts are a core component of modern-day internal audit activities. It very well might not be possible to accommodate all the requisite technical skills in-house. Therefore, the CAE should be empowered to obtain assistance and support from experts outside the organization as needed.
Control self-assessment, facilitation, and risk and internal-control training are increasingly falling under the purview of internal auditors. As such, to be their most effective, they must demonstrate:
- Strong interpersonal skills.
- Effective oral and written communications skills.
- Good coaching and group leadership skills.
- The ability to influence at all levels.
An annual review of the staffing strategy by the CAE should be based on defined parameters such as the audit committee's assurance needs, management's expectations, business growth and strategies, dispersion of operations, achievement of audit objectives, compliance to regulations, and staff turnover. The CAE should assess the skills and requirements of team members and promote continuing professional development to maintain professional designations and enhance knowledge, skills, and competencies in all relevant areas.
Not having adequate and competent staff in the internal audit activity is a risk that exposes the organization to inadequate evaluation of the effectiveness of risk management, control, and governance processes.
Finally, The IIA's Certified Internal Auditor® (CIA®) is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competence and professionalism in the internal audit field. The IIA also offers several specialty certification programs, including Certification in Control Self-Assessment® (CCSA®); Certified Government Auditing Professional® (CGAP®); and Certified Financial Services Auditor® (CFSA®). ISACA offers the Certified Information Systems Auditor (CISA) certification; the Association of Certified Fraud Examiners offers the Certified Fraud Examiner (CFE) certification; and the Board of Environmental, Health and Safety Auditor Certifications (BEAC) offer the Certified Professional Environmental Auditor (CPEA).
References: 20 Questions Directors should ask about Internal Audit, The IIA Research Foundation; Internal Auditor, Oct 03, Staffing today's internal audit function: Audit executives need a realistic strategy for obtaining top talent to handle growing demands by Paul McDonald; The International Professional Practices Framework, January 2004, The IIA Research Foundation; Guide to Internal Audit — Frequently Asked Questions about the NYSE Requirements; Developing an Effective Internal Audit Function, Protiviti, 2004
What is Enterprise Risk Management (ERM) and what role in it does internal auditing play?
ERM is a structured and coordinated, entity-wide governance approach to identify, quantify, respond to, and monitor the consequences of potential events. Implemented by management, ERM is evaluated by the internal auditors for effectiveness and efficiency.
The practice of managing risk, which is a key element of governance, traditionally has been within individual business units and/or parts of business units; and to a lesser extent across the organization. ERM takes a broader portfolio approach and deals with risks and opportunities affecting the creation or preservation of organizational value.
ERMis defined as a process, effected by an entity's board of directors, management, and other personnel; applied in a strategy setting and across the enterprise; designed to identify potential events that may affect the entity; and manage risk to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives.
Everyone in the organization plays a role in ensuring successful enterprise-wide risk management but management bears the primary responsibility for identifying and managing risk and for implementing ERM in a structured, consistent, and coordinated approach. The board, or its equivalent, has an overall responsibility for monitoring the risks and for gaining assurance that they are managed at an acceptable level. Internal auditors, in both their assurance and consulting roles, contribute to the management of risk in a variety of ways. They play a key role in evaluating the effectiveness of — and recommending improvements to — ERM. IIA Standards specify that the scope of internal auditing should encompass risk management and control systems.
The internal auditors' varied roles in and emphasis on ERM are dependent on the maturity of the ERM process in the organization. The safeguard that should be put in place before the internal auditors carry out their ERM-related roles is to ensure that the entire organization fully understands management's responsibility for risk management.
The internal auditors' core ERM role is to provide objective assurance to the board and senior management on the effectiveness of the ERM activities in helping ensure key business risks are managed appropriately and the system of internal control is operating effectively.
Internal auditing's key ERM-related roles and assurance activities include:
- Providing assurance on the design and effectiveness of risk management processes.
- Providing assurance that risks are correctly evaluated.
- Evaluating risk management processes.
- Evaluating the reporting on the status of key risks and controls.
- Reviewing the management of key risks, including the effectiveness of the controls and other responses to them.
Additional legitimate internal audit roles and consulting activities may help to protect the internal auditors independence and objectivity when accompanied by adequate safeguards. They include:
- Championing the establishment of ERM within the organization.
- Developing risk management strategy for board approval.
- Facilitating the identification and evaluation of risks.
- Coaching management on responding to risks.
- Coordinating ERM activities.
- Consolidating the reporting on risks.
- Maintaining and developing the ERM framework.
The roles the internal auditors should NOT undertake are:
- Setting the risk appetite.
- Imposing risk management processes.
- Providing assurance to the board and management
- Making decisions on risk responses. This is management's responsibility.
- Implementing risk responses on management s behalf.
- Accountability for risk management.
References: Executive Summary of ERM Integrated Framework, issued by COSO - Sept 2004; IIA Position Paper — The Role of Internal Audit in Enterprise-wide Risk Management, Sept 2004; IIA UK: "Position Statement on Risk-Based Internal Auditing"
What is internal auditing?
Performed by professionals with an in-depth understanding of the business culture, systems, and processes, the internal audit activity provides assurance that internal controls in place are adequate to mitigate the risks, governance processes are effective and efficient, and organizational goals and objectives are met.
The IIA has developed the globally accepted definition of internal auditing as follows:
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Independence is established by the organizational and reporting structure. Objectivity is achieved by an appropriate mind-set. The internal audit activity evaluates risk exposures relating to the organization's governance, operations and information systems, in relation to:
- Effectiveness and efficiency of operations.
- Reliability and integrity of financial and operational information.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.
Based on the results of the risk assessment, the internal auditors evaluate the adequacy and effectiveness of how risks are identified and managed in the above areas. They also assess other aspects such as ethics and values within the organization, performance management, communication of risk and control information within the organization in order to facilitate a good governance process.
The internal auditors are expected to provide recommendations for improvement in those areas where opportunities or deficiencies are identified. While management is responsible for internal controls, the internal audit activity provides assurance to management and the audit committee that internal controls are effective and working as intended. The internal audit activity is led by the chief audit executive (CAE). The CAE delineates the scope of activities, authority, and independence for internal auditing in a written charter that is approved by the audit committee.
An effective internal audit activity is a valuable resource for management and the board or its equivalent, and the audit committee due to its understanding of the organization and its culture, operations, and risk profile. The objectivity, skills, and knowledge of competent internal auditors can significantly add value to an organization's internal control, risk management, and governance processes. Similarly, an effective internal audit activity can provide assurance to other stakeholders such as regulators, employees, providers of finance, and shareholders.
As the primary body for the internal audit profession, The IIA maintains the International Standards for the Professional Practice of Internal Auditing (Standards) and the profession's Code of Ethics. IIA members are required to adhere to the Standards and Code of Ethics.
References: The International Professional Practices Framework, The IIA Research Foundation, January 2004
What is internal auditing's role in preventing, detecting, and investigating fraud?
Internal auditors support management's efforts to establish a culture that embraces ethics, honesty, and integrity. They assist management with the evaluation of internal controls used to detect or mitigate fraud, evaluate the organization's assessment of fraud risk, and are involved in any fraud investigations.
Although it is management's responsibility to design internal controls to prevent, detect, and mitigate fraud, the internal auditors are the appropriate resource for assessing the effectiveness of what management has implemented. Therefore, depending on directives from management, the board, audit committee, or other governing body, the internal auditors might play a variety of consulting, assurance, collaborative, advisory, oversight, and investigative roles in an organization's fraud management process.
Competent professional internal auditors are highly proficient in techniques used to evaluate internal controls. That proficiency, coupled with their understanding of the indicators of fraud, enables them to assess an organization's fraud risks and advise management of the necessary steps to take when indicators are present.
Establishing a culture of integrity is a critical component of fraud control. Executive management must set the tone at the top and model the highest level of integrity. The internal auditors may advise management on methods to ensure integrity and may become involved in communicating or interpreting those methods. They also may help develop training related to integrity policies and fraud.
As a part of their assurance activities, internal auditors watch for potential fraud risks, assess the adequacy of related controls, and make recommendations for improvement. They also can help benchmark statistics related to the probability of occurrence and consequences of fraud.
Because the internal auditors are exposed to key processes throughout the organization and have open lines of communication with the executive board and staff, they are able to play an important role in fraud detection. In many organizations, the chief audit executive (CAE) is responsible for responding to issues raised on the ethics hotline or through another process that may lead to detection of fraud.
When developing their annual audit plan, the internal auditors consider the organization's assessment of fraud risk, and periodically might make assessments of management's fraud detection capabilities. They design tests that use audit techniques like data mining to ensure the controls in place are effective.
Internal audit skills relate to gathering evidence, analysing the breakdown in controls that could enable a fraud, and making recommendations for improvement. And reporting directly to the board or governing body provides the internal auditors with a level of independence and objectivity necessary for them to undertake investigations of a sensitive nature.
Although the internal auditors may either have a direct role in investigating fraud incidents, or act as a resource to those responsible, they generally are not expected to have the expertise of those whose primary responsibility is detecting and investigating fraud.
When the internal auditors have the primary responsibility for fraud they must have the key competencies for this work — typically obtained through specialized training and related experiences. They also may be certified as fraud or forensic investigators.
References: International Professional Practices Framework: Practice Advisories on Fraud
What services can the internal auditors provide for the audit committee?
The internal auditors provide to the audit committee objective assessment on the state of the organization's risk, control, governance, and monitoring activities.
The internal auditors should regularly report to the audit committee significant risk exposures and control issues, corporate governance issues, and other requested information. Additionally, the internal auditors can act as an advisor and provide critical services that are integrated into each of the audit committee's activities and processes. To accomplish this, a strong working relationship, mutual trust, and robust dialogue between the internal auditors and the audit committee is essential.
The internal auditors should provide the following to the audit committee on a regular basis:
- Independent, objective assurance and consulting activities related to assessing the effectiveness of the organization's risk management, control, and governance processes. As a part of these services, the internal auditors should communicate significant engagement observations, information on fraud management, and recommendations to the board whether or not the issues have been satisfactorily resolved. When appropriate, the audit committee should meet privately with the CAE to discuss sensitive issues related to these assessments.
- Gathering of information, and/or arranging discussions with subject matter experts to address audit committee questions and information needs related to risk management, control, and governance processes. Additionally, the internal auditors should review related information submitted to the audit committee to help ensure completeness and accuracy.
- Confirmation on the adequacy of the audit staff and budget requirements, as well as the scope and result of internal audit activities. The intent of this review is to help ensure there are no budgetary or scope limitations impeding the ability of the internal audit activity to execute its responsibilities.
- Information on the coordination and oversight of other control and monitoring functions (e.g., risk management, compliance, security, business continuity, legal, ethics, environmental). This activity should help ensure that there is effective and efficient coordination of activities within the organization. The internal auditors also should coordinate its activities with the external auditors where appropriate and feasible.
- Information on emerging trends and successful practices in internal auditing.
Further references: Practice Advisory 2060-2: Relationship with Audit the Committee, February 12, 2004
What should be the reporting lines for the chief audit executive (CAE)?
To ensure transparency and thwart collusion and conflicts of interest, best practice indicates that the internal audit activity should have a dual reporting relationship. The CAE should report to executive management for assistance in establishing direction, support, and administrative interface; and to the organization's most senior oversight group — typically, the audit committee — for strategic direction, reinforcement, and accountability.
Appropriate reporting relationships are absolutely critical if internal auditing is to achieve the independence, objectivity, and organizational stature necessary to fulfill its obligations and mandate to effectively assess internal controls, risk management, and governance. As the independent eyes and ears of the audit committee or equivalent, it is important that the internal audit activity is structurally independent, and free from coercion by management. The requirement for the CAE to be truly independent is endorsed globally, and companies are working to bring reporting lines into line with The IIA s International Standards for the Professional Practice of Internal Auditing (Standards).
The Standards require that the CAE report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. To achieve necessary independence, best practices suggest the CAE should report directly to the audit committee or its equivalent. For day-to-day administrative purposes, the CAE should report to the most senior executive (i.e., the chief executive officer [CEO]) of the organization.
According to The IIA's 2004 GAIN survey, 70 percent of CAEs report to the audit committee, an increase from 53 percent in the prior year. As the internal audit profession's role as one of the pillars of good corporate governance is increasingly understood, the trend of the CAE reporting to the audit committee for direction and accountability, and to the CEO for administrative interface and support, is increasingly becoming the norm.
Direction and Accountability Reporting Line
This reporting line for the internal audit activity is the ultimate source of its independence and authority. As such, best practice recommends that the CAE directly report to the audit committee, board of directors, or other appropriate governing authority. When this is achieved, the governing authority:
- Approves the internal audit charter.
- Approves the audit team s risk assessment, audit plan, and budget.
- Receive communications from the CAE on the results of internal audit activities or other matters that the CAE determines necessary, including private meetings without management present.
- Approves the appointment, removal, evaluation, and compensation of the CAE.
- Determines whether there are scope or budgetary limitations that impede the ability of the internal audit activity to execute its responsibilities.
Administrative Reporting Line
Administrative reporting is the relationship within the organization's management structure that facilitates day-to-day operations of the internal audit activity and provides appropriate interface and support for effectiveness. Administrative reporting typically includes:
- Budgeting and management accounting.
- Human resource administration.
- Internal communications and information flows.
- Administration of the organization's internal policies and procedures (expense approvals, leave approvals, floor space, etc.).
Exclusively reporting to management might appear to work well when companies are prosperous and have no issues. This reporting line quickly becomes untenable, however, when there are serious issues that need to be elevated to the audit committee or other governing body. If a dual reporting structure is not in place, management may be able to unduly influence the audit plan, scope, and whether issues are reported appropriately. This presents a serious conflict, limits the scope, and compromises the effectiveness of the internal audit activity.
Any reporting relationship that impedes independence and effective operations of internal auditing should be viewed as a serious scope limitation, and should be brought to the attention of the board, the audit committee, or equivalent.
References: Practice Advisory 1110-2; Auditwire Volume 25, IIA Inc.
What standards guide the work of internal audit professionals?
As part of The IIA's International Professional Practices Framework (IPPF), the International Standards for the Professional Practice of Internal Auditing (Standards) outline the tenets of the internal audit profession. Other applicable guidance, pronouncements, and regulations also may have an impact on how internal auditing is performed; and may provide clarification and delineation of acceptable and recommended processes.
The IIA is the internal audit profession's acknowledged leader, recognized authority, and principal educator. Although the practice of internal auditing is not regulated, The IIA provides comprehensive guidance for the profession through its International Professional Practices Framework (IPPF). The IPPF comprises the official definition of internal auditing, the International Standards for the Professional Practice of Internal Auditing (Standards), the Code of Ethics, Practice Advisories, Position Papersm and Practice Guides, developmental and practice aids. Conformance with the Standards and the Code of Ethics is mandatory for all members of The IIA and Certified Internal Auditors (CIAs). The IIA also provides guidance on assessing, maintaining, and improving quality within the internal audit activity.
Public sector auditors are required to comply with specific governmental guidelines. For example, in the U.S., government audits are performed in accordance with the General Accounting Office's Government Auditing Standards (the Yellow Book); government auditors in the United Kingdom comply with the HM Treasury's Government Internal Audit Standards; and in Canada, government auditors perform in accordance with the Office of the Auditor General's Comprehensive Auditing Manual. In addition, many public sector audit groups are members of the International Organization of Supreme Audit Institutions (INTOSAI), and thus adhere to the auditing standards promulgated by INTOSAI.
Several professional organizations offer certification programs. The IIA s Certified Internal Auditor® (CIA®) is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competence and professionalism in the internal audit field. The IIA also offers several specialty certification programs, including Certification in Control Self-Assessment® (CCSA®); Certified Government Auditing Professional® (CGAP®); and Certified Financial Services Auditor® (CFSA®). ISACA offers the Certified Information Systems Auditor (CISA) certification; the Association of Certified Fraud Examiners offers the Certified Fraud Examiner (CFE) certification; and the Board of Environmental, Health and Safety Auditor Certifications (BEAC) offer the Certified Professional Environmental Auditor (CPEA).
What is the appropriate relationship between the internal audit activity and the audit committee?
The audit committee of the board of directors and the internal auditors are interdependent and should be mutually accessible, with the internal auditors providing objective opinions, information, support, and education to the audit committee; and the audit committee providing validation and oversight to the internal auditors.
The IIA recognizes that audit committees and internal auditors have interlocking goals. A strong working relationship is essential for each to fulfill its responsibilities to senior management, the greater board of directors, shareholders, and other stakeholders. Appropriate reporting lines for the internal auditors are critical if they are to achieve their requisite independence, objectivity, and organizational stature needed to effectively assess the organization's internal control, risk management, and governance processes. Best practice recommends that, to achieve necessary independence, the internal auditor should report directly to the audit committee or its equivalent.
Five activities are integral to an effective relationship between the audit committee and the internal auditors. The CAE should:
- Send to the audit committee periodic communications on risks faced by the organization. This should be consistent with what the CAE sends to senior management.
- Help the audit committee ensure that the committee's charter, activities, and processes are appropriate.
- Ensure that internal auditing's charter, role, and activities are clearly understood and responsive to the needs of the audit committee and the board.
- Maintain open and effective communications with the audit committee and the chair.
- Provide training, when appropriate, to the members of the audit committee on the topics of risk and internal control.
A direct channel of communication between the CAE and the audit committee is essential. This typically includes provisions for the CAE to have access to the audit committee chair and to attend audit committee meetings to present the audit plan, report on the results of major audits and key audit findings or other matters, and discuss internal auditing's observations on risk and internal controls within the organization. The relationship can further be strengthened through explicitly allowing out-of-session communications between the CAE and the audit committee chairperson, particularly in the case of critical circumstances such as serious fraud and other material risk events.
The CAE and the audit committee should meet at regular frequencies without management and the external auditors present. These discussions should focus on assurance that internal auditing's scope is not being limited, concerns the CAE might have about a member of senior management, any necessary administrative matters, and other items either party wishes to bring to the table.
Further references: Practice Advisory 2060-2: Relationship with Audit the Committee, Dec. 3, 2002; Practice Advisory 1110-2: Chief Audit Executive (CAE) Reporting Lines, Dec. 3, 2002
Why should an organization have an audit committee?
The audit committee, or other appropriate independent oversight subset of the board of directors, the key oversight group of the internal auditors, is critical to ensuring the organization has strong and effective processes relating to independence, internal control, risk management, compliance, ethics, and financial disclosures.
An audit committee typically serves as the liaison among the board of directors, external auditors, internal auditors, and financial management. Generally, the audit committee's purpose is to assist the board in overseeing the:
- Reliability of the entity's financial statements and disclosures.
- Effectiveness of the entity's internal control and risk management systems.
- Compliance with the entity's code of business conduct, and legal and regulatory requirements.
- Independence, qualifications, and performance of the external auditors and the performance of the internal audit activity.
To foster and encourage this type of oversight, The IIA recommends that every public company have an audit committee organized as a standing subcommittee of the board of directors. This is also recommended for other types of organizations, including not-for-profit and governmental entities.
The role of the audit committee is expanding globally to include oversight of whistle-blowing mechanisms, enterprise risk management, related party transactions, and interaction with the entity's legal function. It serves to improve the board's oversight of company management by allowing for:
- Increased independence from company management, as members are normally required to be independent non-executive directors.
- Improved financial expertise and focus. Irrespective of legislative requirements, it is considered good practice for least one audit committee member to have financial management or accounting knowledge/expertise.
- Increased focus on defined critical tasks. Normally, an audit committee adopts a written charter to formalize its oversight responsibilities.
- Increased Independence. When only non-executive directors are appointed and audit committee independence is achieved, the financial reporting process, corporate governance, and internal control are all enhanced. An audit committee is normally granted the authority to conduct investigations within the scope of its responsibilities and to retain legal, accounting and other advisors. This status and authority plays an important role in resolving disagreements between management and the external auditors in regard to financial reporting and other issues.
- Audit committee independence benefits corporate governance and internal control. Internal audit independence is enhanced when the audit committee concurs on the appointment or removal of the CAE. Independence is further strengthened when the internal auditors directly report to the audit committee. This reporting relationship helps ensure the internal auditors have adequate recourse in cases of misconduct or fraud involving senior management, and also may improve their stature within the organization.
- Improved Financial Expertise. Making effective oversight decisions in the financial reporting, corporate governance, and control arena normally requires specialized expertise. As a result, the audit committee should comprise independent non-executive directors, at least one of whom has significant accounting or related financial management expertise. Having specialized skills in the areas of financial reporting, corporate governance, and internal control helps to ensure more effective management oversight, fosters financial statement accuracy and transparency, and places an appropriate focus on business risks and internal controls.
- Increased Focus on Critical Topics Defined in the Charter. An appropriate audit committee charter specifically defines important financial reviews, reporting relationships, and other matters. A charter helps ensure appropriate focus by defining the scope of the committee s responsibilities and how it carries out those responsibilities, including structure, processes, and membership requirements.
References: Practice Advisory 2060-2, Relationship with the Audit Committee; Internal Auditing and the Audit Committee: Working Together Toward Common Goals; IIA Article; Position Paper on Internal Auditing in Europe (ECIIA); Basel Committee: Regarding Audit Committee Charter
Why should organizations have internal auditing?
A cornerstone of strong governance, internal auditing bridges the gap between management and the board, assesses the ethical climate and the effectiveness and efficiency of operations, and serves as an organization's safety net for compliance with rules, regulations, and overall best business practices.
Management is responsible for establishing and maintaining a system of internal controls within an organization. Internal controls are those structures, activities, processes, and systems that help management effectively mitigate the risks to an organization's achievement of objectives. Management is charged with this responsibility on behalf of the organization's stakeholders and is held accountable for this responsibility by an oversight body (e.g. board of directors, audit committee, elected representatives).
Organizations that do not have an internal audit function are therefore missing out on the valuable benefits that professional internal auditors provide. In addition, they are also running the risk of relying on management who may not be in the best position to provide skilled, independent, and objective opinions on internal controls.
Some organizations assign internal auditing on a part-time basis to an existing staff member who has other responsibilities. When this occurs, the person does not have the professional internal audit training or experience necessary for optimal effectiveness. Such organizations run the risk of poorly performed audits and reviews, and this individual, who may be relatively junior in the organization, may lack the organizational status and stature to achieve positive results. In this environment, high-risk processes may not be identified for reviews and serious internal control deficiencies may be overlooked.
A primary lesson from the financial failure and collapse of numerous organizations is that good governance, risk management, and internal controls are essential to corporate success and longevity. Because of its unique and objective perspective, in-depth organizational knowledge, and application of sound audit and consulting principles, a well-functioning, fully resourced and independent internal audit activity is well positioned to provide valuable support and assurance to an organization and its oversight entities.