Book: How to Establish an Internal Audit Function (Manual)

Upload: mario-henriquez

Post on 04-Jun-2018


  • 8/13/2019 Libro Como Establecer Una Funcion de Auditoria Interna Manual


    Disclosure

    Copyright 2003 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America.

    No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the publisher.

    The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.

    The Professional Practices Framework for Internal Auditing (PPF) was designed by The IIA Board of Directors Guidance Task Force to appropriately organize the full range of existing and developing practice guidance for the profession. Based on the definition of internal auditing, the PPF comprises Ethics and Standards, Practice Advisories, and Development and Practice Aids, and paves the way to world-class internal auditing.

    This guidance fits into the Framework under the heading Development and Practice Aids.

    ISBN 0-89413-499-X
    02412 01/03
    First Printing


    Dedication

    To

    Rosalie

    Without whom nothing would be worthwhile.


    The Institute of Internal Auditors

    Table of Contents

    List of Exhibits
    About the Author
    Acknowledgements
    IIA Overview
    GAIN Information
    Introduction
    Chapter 1: Governance
    Chapter 2: Expectations
    Chapter 3: Planning
    Chapter 4: Organizing
    Chapter 5: Staffing
    Chapter 6: Directing
    Chapter 7: Monitoring
    Footnotes
    Bibliography
    Resources offered by The Institute of Internal Auditors
    Exhibits


    Exhibits List

    Exhibit Number   Title

    1-1   Table of Attribute and Performance Standards with Related Practice Advisories
    1-2   Code of Ethics
    1-3   The Standards & Glossary
    2-1   Model Audit Committee Charter
    3-1   Position Description: Chief Audit Executive / Director of Internal Audit
    3-2   Internal Audit Activity Charter
    3-3   Mission Statements
    3-4   Executive Endorsement of Internal Auditing Charter
    3-5   Internal Audit Operating Policy
    3-6   Corporate Audit Policy
    5-1   Position Description: Staff Auditor
    5-2   Position Description: Senior Auditor
    5-3   Position Description: Manager of Internal Auditing
    5-4   Position Description: Information Technology Auditor
    5-5   Knowledge Level: IT Auditor Level I
    5-6   Knowledge Level: IT Auditor Level 2
    5-7   Knowledge Level: IT Auditor Level 3
    6-1   Risk Sampling Strategy
    6-2   Risk Assessment Model


    6-3   Policies and Procedures Manual Index
    6-4   Workpaper Samples
    6-5   Project Time Report
    6-6   Staff Time Report
    6-7   Monthly Management Report
    7-1   Quality Assurance and Improvement
    7-2   Audit Productivity Measurement: Auditors
    7-3   Audit Productivity Measurement: Auditors-in-Charge
    7-4   Compliance Checklist
    7-5   Audit Customer Survey
    7-6   Audit Process Questionnaire


    ABOUT THE AUTHOR

    Richard H. Tarr, CIA, CISA, MBA, is an audit and information systems consultant and President of Richard Tarr and Associates, a consulting practice that specializes in both conducting Quality Assurance Reviews; and developing and conducting training for the private and public sectors in integrated internal auditing activities. He is a Certified Internal Auditor as well as a Certified Information Systems Auditor. He was the past Manager of Quality Assurance Review for The IIA and was an advisor to the Quality Assurance Committee of the Association of College and University Auditors, Inc. (ACUA) on the development of their Quality Assurance Review Handbook. He wrote the IIA's 1991 publication Establishing an Internal Audit Function and is the author of Built to Last, an article on developing an internal audit shop from scratch, that was published in the December 2002 issue of the Internal Auditor.

    Richard Tarr resides in Orlando, Florida and can be contacted directly by email at [email protected].


    Acknowledgements

    Thank you to the many people who provided their expertise and support throughout this entire project.

    Richard F. Chambers, CIA, CGAP, Institute of Internal Auditors
    P. Dean Bahrman, CIA
    Cynthia Summers, CIA, CGAP, CCSA, CFSA, PPS World Medical, Inc.
    Susan B. Lione, CIA, CGAP, CCSA, Institute of Internal Auditors
    Johanna S. Swauger, CIA, CGAP, CCSA, Institute of Internal Auditors
    Donald E. Sparks, Institute of Internal Auditors
    Jo-El LaBorde, Institute of Internal Auditors
    Stacy M. Mantzaris, CIA, CGAP, CCSA, Institute of Internal Auditors
    Michelle Entzminger, Institute of Internal Auditors
    Evy Acevedo-González, Institute of Internal Auditors
    Brian E. Kruk, CIA, CCSA, Institute of Internal Auditors
    Lee Ann Campbell, Institute of Internal Auditors
    Trish Harris, Institute of Internal Auditors


    IIA Overview

    INSTITUTE OF INTERNAL AUDITORS (IIA)

    William G. Bishop III, President

    247 Maitland Avenue
    Altamonte Springs, FL 32701-4201 U.S.A.
    +1-407-937-1100
    FAX +1-407-937-1101
    Web site: www.theiia.org

    IIA Organization: The primary international professional association, organized on a worldwide basis, dedicated to the promotion and development of the practice of internal auditing. The IIA is the recognized authority, chief educator, and acknowledged leader in standards, education, certification, and research for the profession worldwide. The Institute provides professional and executive development training, educational products, research studies, and guidance to more than 80,000 members in more than 100 countries. For additional information about The Institute, visit their Web site, www.theiia.org.

    IIA Products & IIA Research Foundation Reports: Contact The IIA Distribution Center at C.S. 1616, Alpharetta, Georgia 3009-1616 U.S.A. Phone +1-877-867-4957 (toll free in U.S. and Canada only) or +1-770-442-8633, Ext. 275; FAX +1-770-442-9742; [email protected]

    Certification Programs: For information about the CIA program please visit the IIA Web site or contact Customer Service Center at the address above. For further information please visit the IIA Web site or contact Customer Service Center at the address above. Phone (407) 937-1111, FAX (407) 937-1101, E-mail [email protected].

    Certified Internal Auditor Program - IIA's premier certification. The CIA designation is conferred by the IIA upon qualified candidates who successfully complete a written exam and meet the necessary character, experience, and education requirements. All candidates must hold a bachelor's degree or its equivalent from an accredited college-level institution and must have 24 months of internal auditing (or equivalent) experience (a master's degree can be substituted for one year's work experience).

    Certification in Control Self-Assessment (CCSA). The IIA's first specialty certification program, will be conferred upon the IIA qualified candidates who successfully complete a computer-administered exam and meet the necessary education and experience requirements. The CCSA certification program identifies the skill sets needed by successful practitioners of CSA, measures understanding of CSA, and provides guidance for CSA initiatives.

    Certified Government Auditing Professional (CGAP). The IIA recognizes the important contributions of government auditors and has developed a certification program that distinguishes leaders in public sector auditing - the Certified Government Auditing Professional or CGAP. Auditors from various levels of government who recognize that auditing in the public sector has unique challenges developed the program. Attaining the CGAP designation provides you the ability to differentiate yourself. Since individuals obtaining the CGAP are obliged to complete education, work experience and meet ethical standards, the CGAP credential showcases your commitment to government auditing.


    Certified Financial Services Auditor (CFSA). The CFSA demonstrates competency in financial-services audit practices and methodologies. The 150-question pilot will test candidates' knowledge on financial services auditing, banking, insurance, and securities.

    IIA Programs & Services: Contact The Institute of Internal Auditors Customer Service Center at the address above. For further information please visit the IIA Web site or contact Customer Service Center at the address above. Phone (407) 937-1111, FAX (407) 937-1101, [email protected].

    Internal Auditor magazine: Award-winning journal of the profession and flagship publication produced by the IIA.

    The IIA Professional Development Catalog: This biannual catalog includes schedules and descriptions of all IIA seminars (educational, executive development, audit-specialty, and customized on-site) and industry-specific and professional development conferences; certification programs; and educational products on such topics as audit committees and governance, audit management, auditing skills, certification; fraud, ethics, and law; industry, service, and sector specialties; information technology; risk and control; and standards and guidance.

    Tone at the Top: This quarterly newsletter provides executive management, boards of directors, and audit committee members with information on such issues as ethics, internal control, governance, and the changing role of internal auditing; and guidance relative to internal auditing's roles, responsibilities, and relationships with corporate governance entities.

    Standards for the Professional Practice of Internal Auditing represent the practice of internal auditing as it should be and are the benchmark against which any internal auditing function should be measured. Visit the Web site for information on the Professional Practices Framework.

    Global Auditing Information Network (GAIN) Reports provide internal audit executives with benchmarks for comparing their audit departments with those of other organizations, an opportunity to network with peers in their industry and to discuss challenges and share successful practices.

    IIA Quality Assurance Reviews (QARs) will come to your location to help ensure that your internal auditing is the best it can be.

    CSA Center: The CSA Center offers guidance, training, and communications opportunities to individuals engaged in the practice of Control Self-Assessment (CSA). The IIA's CSA Center provides its participants with:

    • A unique forum for sharing new information, professional guidance, innovative techniques and successful practices
    • The CSA Sentinel, an exclusive tri-annual newsletter
    • Five CSA-related seminars, and upon satisfactory completion, the CSA Qualification
    • Priority invitation to The IIA's CSA Conference and workshop
    • An annual directory of CSA Center participants
    • IIA member prices on CSA-related products and services

    For additional information, contact the CSA Center at +1-407-937-1362.


    GAIN Global Auditing Information Network

    A Benchmarking Service Offered by The IIA

    The charts and graphs in this manual were extracted from the Global Auditing Information Network (GAIN), the largest, most complete comparative database available for the internal auditing profession. GAIN's baseline comparisons serve as a comprehensive instrument for measuring audit department practices and provide a path for improvement. Subscribers receive:

    • Low-cost slide-show graphic reports packed with valuable information. Reports compare a subscriber's internal audit department to subscribers in related industries, to those of similar staff size, and to all subscribers in the program.
    • Annual updates to help the subscriber's organization measure its improvement.
    • Benchmarking information, including:
        o General organizational statistics
        o Internal audit department costs
        o Audit committee information
        o Customer satisfaction factors
        o Staff development intelligence
        o Planning information
        o Audit life cycle approaches and related resource statistics
    • Networking opportunities with a worldwide professional network of internal audit executives including participation in Flash Surveys.

    For more information, contact the GAIN department at: +1-407-937-1365 or +1-407-937-1367; e-mail [email protected]; or fax +1-407-937-1101.

    www.gain2.org


    Introduction

    Establishing an Internal Auditing Activity Manual is a guide for those who are implementing an internal auditing activity within their organizations for the first time, those who have recently been given responsibility for an internal auditing activity already in place, and those who want to improve their existing activity.

    Internal auditing plays different roles in different organizations. In some it takes on the more historical role of verifier or checker to detect errors or fraud; in others it has a more expanded role that includes providing consulting services in addition to performing assurance reviews. Whatever the role, the internal auditing activity must be well planned, organized, staffed, directed, and monitored. It also must have in place policies and procedures that implement professional standards and systems that can ensure that the standards are followed in performing the work. This also includes ensuring that the work performed meets the expectations and the needs of internal auditing customers. The customer base for internal auditing is typically comprised of two groups: the board, senior management, and external third parties on one hand and operating and line management on the other.

    It is the goal of this book to provide information and understanding on how an internal auditing activity should operate and enable an organization to initially establish the activity and begin functioning. Once a new internal auditing activity has been established the chief audit executive (CAE) will be able to identify any number of opportunities for improvement on an ongoing basis. While it would take many more pages to completely cover everything relating to establishing an internal auditing activity, what follows are the essentials. Spend the time and resources necessary to implement the steps outlined in this manual and the internal auditing activity will be able to assist the organization by improving the effectiveness of risk management, control, and governance.

    Chapter 1: Why an Internal Auditing Activity? This chapter begins with a discussion of what corporate governance is and why it has recently been put under the spotlight. Once the meaning of corporate governance is understood, it is then easy to understand the importance of internal auditing's link to the establishment of an effective corporate governance structure.

    The Institute of Internal Auditors (IIA) is the leader and the principal voice of the internal auditing profession. As such, The IIA has defined the role and the scope of the practice of internal auditing. This first chapter concludes with an introduction to the structure of The IIA's Professional Practices Framework, the Standards for the Professional Practice of Internal Auditing (Standards), and The IIA's Code of Ethics.

    Chapter 2: Expectations. If an internal auditing activity is going to be successful, then all the stakeholders need to understand their expectations. What the board expects of the audit committee, senior management, the internal auditing activity, and what each should expect of the other is the focus of this chapter. Understanding the expectations of the stakeholders is the first step in establishing an internal auditing activity. The success of the next step, planning, will be driven by what the various stakeholders expect of internal auditing.


    Chapter 3: Planning. This chapter first addresses the identification and selection of the CAE and then the development of the Audit Charter. The charter documents and communicates the purpose, authority, and responsibility of the internal auditing activity. This is important because the charter establishes the independence of the internal auditing activity. Without independence, auditors will be unable to perform their work objectively and provide the stakeholders with the impartial and unbiased assurance and consulting activities that are expected.

    Chapter 4: Organizing. This chapter discusses the development of an organizational plan for the internal auditing activity. To whom the CAE will report in the organization should be carefully planned. The CAE's relationship with the board and senior management will determine whether it can operate objectively. The chapter identifies several best practices that can help ensure independence and objectivity for the internal auditing activity.

    Chapter 5: Staffing. The CAE has been chosen and the purpose, authority, and responsibility of the internal auditing activity have been established. The next step is to decide how to staff the activity. Based on information provided by The IIA's Global Auditing Information Network (GAIN), this chapter starts off by providing some benchmarks from GAIN surveys on the size, education, experience, and professional certifications of internal auditing staff for a number of industries. It then continues with a discussion of the pros and cons of in-house, outsourcing, and co-sourcing staffing strategies and sources.

    Chapter 6: Directing. Once the staffing resources are in place the challenge becomes how to best use them. This chapter discusses the development of a simple risk assessment methodology and the building of an annual audit plan. While the risk assessment methodology is simplistic, it enables a CAE to quickly develop an audit plan based on risk. The chapter also includes discussions on the importance of managing project budgets and schedules. Examples of project and staff tracking spreadsheets are included in the Exhibits section of the manual.

    Chapter 7: Monitoring. This chapter outlines the seven IIA Standards that identify specific activities that must be part of every Quality Assurance (QA) program of every auditing activity. Quality assurance reviews are required by The IIA's Standards. Quality means that the appropriate policies and procedures are in place and the quality assurance program will provide reasonable assurance to management and the board that the work is being performed in accordance with the Standards and is adding value by improving an organization's operations.

    The Exhibits. The Exhibits contain examples of various items that are helpful in setting up the policies and procedures for a new internal auditing activity. These include an Internal Audit Charter, a Corporate Audit Policy, staff position descriptions, and other items that should provide the CAE with a good start toward establishing or improving an internal auditing activity.

    Additional information includes a bibliography of resources used in developing this manual, information about The Institute of Internal Auditors, and an extensive resource list of products and services offered by The IIA that can provide additional guidance and education for helping establish an effective internal auditing activity.

    Those responsible for the internal auditing activity play an integral role in good corporate governance for their organization. This manual is designed to help organizations establish an effective internal auditing activity or improve their existing activity. It is important to remember that the responsibilities of the internal auditing activity are constantly changing. The IIA has been instrumental in keeping internal auditors apprised of the constant changes, and those reading and using this manual are encouraged to visit The IIA's Web site at www.theiia.org often for information impacting the dynamic profession of internal auditing.


    Chapter 1: Governance

    Why Have an Internal Auditing Activity?

    According to recent statistics from the international news and information organization Bloomberg News, in more than half of the 673 largest bankruptcies of public corporations since 1996, external auditors provided no cautions in annual financial statements in the months before bankruptcy. Five of the seven largest bankruptcies in history, including Enron, Global Crossing Ltd., and Kmart Corp., followed annual reports with clean audit opinions from external auditors. [1.1] From 1995 to 2001, corporate financial restatements increased from 50 a year to more than 150; a total of 722 public corporations admitted that their audited numbers were so wrong that they had to be redone. These statistics demonstrate that the larger and more complex the company, the more difficult it is for external auditors, management, and boards to have an accurate picture of risks and controls. [1.2]

    Corporate governance is being examined more closely than ever before. Media coverage of corporate crises increasingly focuses on the board: what are directors doing, and do the relationships they have with the company weaken the effectiveness of their oversight?

    The need for internal auditing as an element of corporate governance has never been more clearly demonstrated than by recent events. Take, for example, WorldCom, where the internal auditor, who called the matter to the attention of the audit committee chairman after the then-chief financial officer resisted taking corrective action, discovered $3.8 billion of dubious accounting.

    Internal auditors, by having an objective view from inside the organization, can play a vital role in the governance process by keeping management, the board, and external auditors aware of risk and control issues and by assessing the effectiveness of risk management.

    Corporate Governance

    Exactly what is governance? More specifically, what is corporate governance, and how can an internal auditing activity be used to improve corporate governance?

    We frequently use the term corporate governance and many of us understand that one of the main responsibilities of boards is to ensure that the governance processes are effective; however, the term is rarely defined. The Toronto Stock Exchange Dey Committee developed a robust definition.

        Corporate governance means the process and structure used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors and management. The direction and management of business should take into account the impact on other stakeholders such as employees, customers, suppliers and communities. [1.3]

    Effective corporate governance requires a system of checks and balances, assuring that the right questions get asked of the right people. An effective system of corporate governance will establish a link among management, the board, the external auditor, and the internal auditor in a way that creates a structure (with incentives and disincentives) that enables people with overlapping but not entirely congruent interests to have a sufficient level of confidence in each other and the organization as a whole. This structure should be a system of checks and balances designed to permit the appropriate scope of authority (power) and limit the abuse of that authority (accountability).

    Effective corporate governance is based upon strong working relationships among four groups: management, the board, external auditors, and internal auditors. Internal auditing is integral to good corporate governance. The internal audit activity's unique full-time focus on risks and controls is vital to a sound governance process.

    Financial reporting is not the only important responsibility of boards. Other areas relating to safeguarding of corporate assets, operational efficiency and economy, and compliance with rules, regulations, and policies are also extremely important. While effective internal controls are management's responsibility, it requires the participation of everyone in an organization, the board, management, external auditors, and internal auditors, to be effective. Given the current environment it is surprising that boards of directors or management would choose to operate without internal auditing. All organizations should have a fully resourced, independent internal auditing activity that is professionally staffed and chartered to evaluate the risk management, control, and governance processes.

    The IIA's Professional Practices Framework

    Founded in 1941, The Institute of Internal Auditors (IIA) is the principal voice of the internal auditing profession and has over 80,000 members worldwide. In 1976, The IIA founded The Institute of Internal Auditors Research Foundation to provide and expand research and education for the benefit of the internal auditor, the internal auditing profession, the business and government communities, and the general public. The Foundation is the recognized leader in sponsoring and disseminating research to assist and guide internal auditors and the internal auditing profession.

    The IIA originally published its Standards for the Professional Practice of Internal Auditing (Standards) in 1978. In June of 1999, The IIA Board of Directors approved a new definition of internal auditing and a new Professional Practices Framework. Both were based on research conducted by The IIA Research Foundation and the Guidance Task Force (GTF), a special committee of The IIA charged with examining the adequacy of current standards and guidance for the practice of internal auditing. The GTF concluded that a significant gap existed between available guidance and current practices. In order to close the gap, The IIA developed the Professional Practices Framework.

    The Professional Practices Framework consists of three types of instruction: 1) Mandatory Guidance, 2) Practice Advisories, and 3) Development and Practice Aids.

    The Framework includes the Definition of Internal Auditing, the Code of Ethics, Standards for the Professional Practice of Internal Auditing (Standards), Practice Advisories, and Development and Practice Aids. The Definition of Internal Auditing, the Standards, and the Code of Ethics comprise the mandatory elements of the Framework, and were revised in the last three years. A new Code of Ethics and the new official definition were approved in June 1999, with the new Standards following in December 2000.

    These documents delineate the characteristics, procedures, and activities that are considered essential to the professional practice of internal auditing. All IIA members and Certified Internal Auditors (CIAs), as well as anyone providing internal auditing services, are expected to adhere to these guidelines. 1.4

    Practice Advisories (PAs) are pronouncements that represent best practices and, although not mandatory, are strongly recommended and endorsed by The IIA. They are designed to help interpret or explain particular Standards or apply them in specific internal auditing environments. Currently there are more than 60 PAs, with new ones being added all the time. A list of current PAs and the Standards they relate to can be found in Exhibit 1-1. IIA members have access to all the PAs through the IIA's website at www.theiia.org under Guidance. 1.5

    Development and Practice Aids consist of a variety of materials, including research studies, books, seminars, conferences, and other products and services. These are items developed or endorsed by The IIA, and generally describe best practices or provide ideas for implementing the Standards and Practice Advisories. 1.6 Development and Practice Aids are available to IIA members and nonmembers on the IIA's website at www.theiia.org under Guidance.

    The Code of Ethics

    The Code of Ethics, revised in June 2000, identifies four core values or principles considered essential to the effective practice of internal auditing: 1) integrity, 2) objectivity, 3) confidentiality, and 4) competency. These principles are accompanied by 12 rules of conduct describing specific behaviors expected of internal auditors. The rules serve as practical applications of the four principles and are intended to guide the ethical conduct of internal auditors. 1.7

    The purpose of the Code is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance. 1.8 The Code of Ethics can be found in Exhibit 1-2 and on the IIA's web site at www.theiia.org under Guidance.

    The Definition of Internal Auditing

    The IIA approved a revised definition of internal auditing in June 1999 with input from IIA members around the world. The new definition is the cornerstone for the Professional Practices Framework, which was also approved in June 1999 by The IIA Board of Directors.

    The definition establishes the boundaries of the profession, while the Code of Ethics represents the profession's conscience and calls for self-discipline and behavior that go beyond that required by laws and regulations.

    Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

    The new definition of internal auditing is different from the one that was first developed over 60 years ago as part of the then Statement of Responsibilities of Internal Auditing. According to research conducted by The IIA Research Foundation and The Guidance Task Force (GTF) responsible for examining the value of IIA guidance, the old terminology failed to adequately reflect the evolution of practice {or} effectively promote the internal audit profession in the competitive marketplace. The new definition recasts the image of internal auditing in two significant ways.

    1) The previous Statement of Responsibilities of Internal Auditing characterized the profession as an independent function established within an organization. The new definition describes internal auditing as an independent, objective activity. By using the term "activity" instead of "function" and eliminating the phrase "within an organization," the revised definition allows for internal auditing services to be provided by individuals not employed by the organizations that they serve. This new definition acknowledges that outsourcing has become a viable alternative for organizations seeking quality internal auditing services.

    2) The definition of internal auditing as an appraisal function did not accurately reflect the type of services that are provided by most internal auditing departments, nor did it allow for internal auditing's increasingly influential role in organizations. By focusing on assurance and consulting work instead, the new definition conveys a more proactive, customer-oriented approach with a role to play in the control, risk management, and governance activities of an organization. 1.9

    The Standards for the Professional Practice of Internal Auditing

    The Standards consist of three components: 1) Attribute, 2) Performance, and 3) Implementation Standards. The Attribute Standards address the attributes of organizations and individuals performing internal auditing services. The Performance Standards describe the nature of internal auditing services and provide quality criteria against which the performance of these services can be measured. The Attribute and Performance Standards apply to all internal auditing services. The Implementation Standards expand upon the Attribute and Performance Standards, providing guidance applicable in specific types of engagements. These standards may be expanded to ultimately address industry-specific, regional, or specialty types of audits.

    Compliance with the concepts enunciated in the Mandatory Guidance is essential before the responsibilities of internal auditors can be met. As stated in the Code of Ethics, internal auditors shall perform internal audit services in accordance with the Standards.

    All members of The Institute and all Certified Internal Auditors agree to abide by the Standards and the Code of Ethics, and this guidance is intended to be applicable to all members of the internal audit profession, whether or not they are members of The IIA. 1.10

    A complete list of the Standards can be found in Exhibit 1-3 and under the Guidance tab of the IIA's web site at www.theiia.org.

    Chapter 2: Expectations

    Boards, audit committees, senior management and the internal auditors have common goals. Good working relationships are necessary if everyone is going to be successful in accomplishing their goals and meeting their responsibilities. Good working relationships start with an understanding of the expectations of the parties in that relationship. What the board expects of the audit committee, senior management, and the internal audit activity, and what each expects of the other, is important if the stakeholders they serve are to have confidence in the organization's ability to succeed.

    The Board

    At the top tier of the governance ladder is the board. The board has the responsibility to look after and protect the interests of all the stakeholders in the organization. In protecting those interests the number one topic on the minds of most board members is the subject of risk. Directors have seen firsthand how unanticipated risk can destroy a successful growing organization and send it into bankruptcy. While risk has long been associated with catastrophic insurable events, financial exposure, credit, and liquidity and other negative events, the perception of risk has now evolved to cover a much broader range of threats. Environmental issues, sophisticated financial transactions, legal and regulatory compliance, emerging technologies, political and economic issues, competition, and others have all been added to the list of risks that organizations face in today's business environment. While the board is not directly responsible for risk management (management has that responsibility), the stakeholders expect the board to be certain that the responsibility is carried out. In ensuring that the stakeholders' interests are being protected, the board should:

    Establish an audit committee and adopt an audit committee charter describing its duties and responsibilities and its relationship with internal and external auditors and management in the context of its oversight responsibilities of the organization's financial reporting process and internal controls. Exhibit 2.1 is an example of a Model Audit Committee Charter.

    Maintain a majority of board directors that have no ties to the organization or senior management.

    Create board nominating, corporate governance, and compensation committees composed of independent directors.

    Ensure that directors appointed to the audit committee are independent of management and have an understanding of generally accepted accounting principles, financial statements, and experience with internal accounting controls.

    Adopt and disclose corporate governance guidelines addressing director:

    o Qualifications
    o Responsibilities
    o Access to management
    o Compensation
    o Orientation and continuing education, and
    o Annual performance evaluations of the board.

    Adopt and support an organizational code of ethics.

    Note: All of the above are required for SEC corporations by either the Sarbanes-Oxley Act of 2002, or the New York Stock Exchange listing standards.

    The Audit Committee

    Generally, the audit committee is responsible to the board for overseeing: the reliability of financial reporting, the effectiveness of internal controls over financial reporting, the processes for monitoring compliance with regulatory requirements, and the processes for monitoring compliance with the organization's code of conduct. The committee now has a broader responsibility for overseeing the effectiveness of the organization's risk management and control processes. These broader responsibilities are intended to provide reasonable assurance that an organization will be able to achieve its objectives as they relate to: the effectiveness and efficiency of operations; the reliability of financial and operational information; and compliance with applicable laws and regulations. The audit committee should:

    Evaluate whether management is setting the appropriate tone at the top by communicating the importance of internal control and the management of risk, and that employees have an understanding of their roles and responsibilities.

    Consider how management is being held accountable for the security of information technology and the business continuity plans for processing financial information in the event of a system breakdown.

    Be informed as to whether the internal control recommendations, made by either the internal or external auditors, are implemented by management.

    Inquire of management about the areas of greatest financial risk and how management is managing that risk.

    Be made aware of significant accounting and reporting issues, including recent professional and regulatory pronouncements, and understand their impact on the organization's financial statements.

    Be involved in the hiring of the external auditors, and in the evaluation of their performance.

    Be informed by management and the internal and external auditors about significant financial and operational risks and exposures and management's plans to minimize such risks.

    Be made aware of any legal matters that could significantly impact the organization's financial statements.

    Review and approve the internal audit charter and ensure its compatibility with the audit committee charter.

    Ensure that the internal auditing activity can independently plan audit projects and conduct and report the results objectively.

    Meet frequently with the chief audit executive (CAE) and have open and honest discussions on the results of internal auditing activities as well as current business issues.

    Meet privately with the CAE, without management being present.

    Be involved in the hiring, replacement, reassignment, or termination of the CAE, and in the evaluation of his/her performance.

    Review and approve the annual internal audit plan.

    Ensure that the internal audit activity has adequate staffing and budget resources to accomplish the plan. 2.1

    Management

    Management has the responsibility for risk management and should establish effective processes to manage risk. An effective risk management process will not only identify existing risks but also identify new risks as they emerge. Management will typically integrate its risk management processes into the way it runs the business. Senior management should:

    Identify by strategic initiative or business segment the major objectives that will enable the organization to achieve its targeted operational and financial goals.

    Identify for the major objectives the risks and critical success factors that must be achieved if the strategic initiatives or business segments are to be successful.

    Identify processes, programs, or actions needed to manage the risks.

    Implement appropriate monitoring and measuring activities to ensure that processes, programs, or actions are implemented.

    Implement a culture that rewards the recognition, communication, and management of risks.

    Communicate to the organization that internal auditors are part of the risk management process.

    Work with internal auditing to identify an appropriate risk model for the organization.

    Help internal auditing identify appropriate risk factors for their risk assessment methodology.

    Identify for the audit committee and internal auditing significant financial and operational risks and exposures and their plans to minimize such risks.

    Meet frequently with the CAE and have open and honest discussions on the results of internal auditing activities as well as current business issues.

    Support the internal audit activity by ensuring that it has adequate staffing and budget resources to accomplish its responsibilities.

    Support the establishment of a strong and competent professional internal audit activity.

    Endorse and support the internal audit charter.

    Ensure the timely implementation of audit recommendations.

    Set the appropriate tone at the top by communicating the importance of internal control and the management of risk and the role and responsibilities employees have in managing risks.

    Enable the CAE to participate in key management and project meetings.

    Internal Auditors

    Internal auditors, and particularly the CAE, are important to an organization's success in today's business environment. In addition to their responsibility for assessing and recommending internal controls, their skill in risk management and their broad-based perspective of the organization uniquely position them as a valuable resource for strong corporate governance. They are the primary resource for the audit committee in carrying out its responsibilities. An active, informed, vigilant, and effective audit committee provides the ultimate independent and objective oversight of the organization's control environment. Internal auditors should:

    Embrace The IIA's definition of internal auditing and the Standards for the Professional Practice of Internal Auditing (Standards) and be familiar with what is required.

    Build a rapport with senior management and the audit committee chair to ensure that they have a clear understanding of the role of internal auditing.

    Quickly learn and address what management and the board view as the greatest risks to the organization.

    Understand the responsibilities and duties identified in the audit committee charter.

    Identify whom senior management considers the leaders in the organization's market/industry.

    Obtain and understand written policies and procedures that pertain to management's responsibility to manage risk and control in the organization.

    Develop, along with management, an organization model that can be used to map major processes/operations for the purpose of identifying the organization's auditable entities.

    Develop a risk assessment methodology for the auditable entities identified in the model of major processes/operations.

    Develop an audit plan based on the risk assessment and requests from management and get it approved by the board.

    Develop a staffing plan for the internal auditing activity and staff the activity.

    Build an internal audit activity budget and have it approved by the audit committee.

    Develop an audit charter, approved by both senior management and the audit committee, for the internal auditing activity.

    Ensure that senior management adequately communicates to the organization the internal audit activity's authority and responsibilities, and calls for their complete cooperation.

    Work with senior management and the audit committee to establish a reporting relationship that will ensure that audit recommendations receive appropriate attention.

    Stay current on technology advances and trends and keep the audit committee appropriately informed.

    Encourage the staff to work toward certification and participate in professional development programs.

    Develop a timely procedure to monitor the disposition of audit recommendations.

    Establish a quality assurance and improvement program for the internal auditing activity that provides assurance that the internal auditing activity: 1) performs in accordance with its charter, 2) adheres to the Standards and the Code of Ethics, 3) operates in an effective and efficient manner, and 4) is perceived by the board and management as adding value and improving an organization's operations. 2.2

    Chapter 3: Planning

    Identify the Chief Audit Executive (CAE)

    The chief audit executive's (CAE's) role is to provide advice, counsel, and opinions regarding the organization's efficiency and effectiveness in risk management, internal control, and corporate governance. To be effective in this role, the CAE should be someone who can be viewed and accepted as a member of the organization's senior management team. The CAE should manage the internal audit activity, attend and participate in key management meetings, and offer appropriate comments and insights. The CAE should be continuously involved in aiding management in identifying risks through participation on oversight committees and monitoring activities.

    The CAE should be someone who can gain both management's trust and the board's respect. This is why audit committees should play an active role in the hiring of the CAE. The right candidate should have an understanding of:

    Internal auditing's relationships with the audit committee, the board, and senior and operating management.

    Internal auditing's role in evaluating and improving the effectiveness of risk management, control and governance processes.

    The Institute of Internal Auditors (IIA) Professional Practices Framework, especially the Standards for the Professional Practice of Internal Auditing (Standards), and the Code of Ethics, and be familiar with the Practice Advisories that are endorsed by The IIA.

    How to serve as a consultant by supporting and setting an ethical standard and advising management and the board on best practices.

    How to audit financial, operational, and information technology functions.

    How to review for compliance, evaluate controls, and formulate control recommendations that support an organization's objectives.

    Audit activity practices.

    Understand and address organizational trends, changes, and risks both inside and outside the organization and be able to make recommendations to management and the board concerning these.

    CAE Position Background

    Primarily General Auditing 55.2

    Primarily IT/IS Auditing 1.0

    Combination of above 24.6

    Non-auditing 19.2

    Add to this the need to be an effective communicator, demonstrate good judgment, show strength of character in the face of adversity, and have an ability to bring forth issues in a way that is balanced and objective. It becomes apparent that the right candidate for the CAE should be carefully chosen.

    An example of a position description for the chief audit executive can be found in Exhibit 3-1.

    The Charter

    Planning for an effective internal auditing activity starts with the development of an internal auditing charter that complements and supports the audit committee charter. The charter identifies and communicates to the organization the purpose, authority, responsibility, and scope of the internal audit activity. The charter is an important document because it establishes what senior management and the board expect from the CAE and the internal audit staff. The charter should be in writing and approved by the board, or the audit committee on behalf of the board, and endorsed by management.

    An Audit Charter Example can be found in Exhibit 3-2. An example of two Mission Statements for an internal auditing activity can be found in Exhibit 3-3. An example of an Executive Endorsement of the Internal Auditing Charter can be found in Exhibit 3-4.

    The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the Board. (Standard 1000)

    Within the context of the Standards, board refers to the board of directors, the audit committee of a board, the head of an agency or legislative body to whom internal auditors report, the board of governors or trustees of a nonprofit organization, or any other governing body of an organization.

    Purpose

    The purpose of an internal auditing activity is best described by the definition that was approved by The IIA in June 1999:

    Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

    CAE Average Years of Service

    Internal Audit 12.1

    Public Accounting 2.4

    Non-Audit 7.1

    Total Average Years of Services 24.1

    Source: GAIN Report pages ca3

    Statements of policy on the purpose of internal auditing activities should emphasize that internal audit is an independent, objective activity that is intended to add value and improve an organization's operations. It is important for this purpose to be widely communicated throughout an organization so that it is clear why the internal auditing activity exists and to help dispel the "cop" image with which internal auditors have been labeled in the past. By carefully wording the purpose for internal auditing, a positive image of internal audit activities and the profession can be communicated. This can further nurture the acceptance and cooperation of the departments and personnel that will be the activity's customers.

    An example of a Corporate Audit Policy can be found in Exhibit 3-6.

    The internal audit activity should be independent, and internal auditors should be objective in performing their work. (Standard 1100)

    Authority

    The overall authority of the internal audit activity and the CAE should come from the board and should be specifically spelled out in the charter. The charter should clearly establish the activity's position within the organization and define the scope, or nature, of internal auditing activities. It should authorize, among other things, access to all records, personnel, and property needed to accomplish audit projects. It should give the CAE the authority for full and unrestricted access to the audit committee. It should grant the CAE the authority to allocate resources, establish schedules, determine the scope of audit work, and set audit objectives without interference from management.

    Responsibility

    The charter should communicate that the overall responsibility of the internal audit activity is to serve the organization by evaluating the effectiveness of risk management, control, and governance processes in a manner that is consistent with the Standards and the Code of Ethics. This also includes coordinating internal audit activities with others so that the most effective and efficient results can be achieved.

    The charter should delineate the specific responsibilities of the CAE and the staff. These responsibilities should include:

    Providing an annual assessment on the adequacy and effectiveness of the organization's processes for controlling its activities and managing its risks in the areas included in the scope of work authorized by the charter.

    Creating and submitting an annual audit plan that has been developed using an appropriate risk-based methodology to the board for their review and approval.

    Implementing the annual audit plan, as approved, including any appropriate special projects requested by management and/or the audit committee.

    Maintaining a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to perform the audit work identified in the charter.

    Issuing periodic reports to the audit committee and management summarizing the results of audit activities.

    Keeping the audit committee informed of emerging trends and best practices in internal auditing.

    Developing and maintaining a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness.

    As appropriate, providing consulting services to management that add value and promote the best interests of the organization.

    Above all the internal auditing charter needs to articulate the independence of the internal auditing activity. Internal auditors are independent when they can carry out their work freely and objectively. Achieved through organizational status and objectivity, independence permits internal auditors and the internal auditing activity to render impartial and unbiased judgments. Internal auditors need to maintain an independent, objective mental attitude, not subordinating their judgment on audit matters to others. They need the support of senior management and the board so that they can gain cooperation of the audit customers and perform their work free from interference. The following items comprise a checklist for determining whether the internal auditing charter will ensure that the internal auditing activity is independent.

    The CAE is responsible to an individual in the organization with sufficient authority to:

    o Promote independence.
    o Ensure broad audit coverage.
    o Ensure adequate consideration of audit reports.
    o Ensure appropriate action on audit recommendations.

    The CAE has direct communication with the board, regularly attends and participates in board meetings, and meets privately with the board at least annually without the chief executive officer (CEO).

    Frequency of Meetings With the Audit Committee

    Monthly 3.80%

    Quarterly 52.80%

    Semi-annual 14.80%

    Annual 3.50%

    Other 13.30%

    Never 1%

    No AC 10.00%

    Source: GAIN Report pages a2

    The board concurs in the appointment or removal of the CAE.

    The purpose, authority, and responsibility of the internal auditing activity are defined in the charter, and the charter has been approved by the board and endorsed by senior management.

    The charter should also communicate the following:

    o Authorize auditors access to records, personnel, and physical properties relevant to the performance of audit projects.
    o Define the scope of internal auditing activities.

    The charter should require the CAE to annually submit the following information to senior management for approval and to the board for their information:

    o Summary of the audit work schedule
    o Staffing plan
    o Financial budget
    o Activity reports highlighting significant findings and recommendations

    [3.1]

    The scope or nature of internal auditing under the old Standards was narrowly focused around internal control assurance and compliance. The domain of internal auditing work has been expanded considerably in the new Standards. The nature of internal auditing now includes consulting activities in addition to assurance activities that are intended to evaluate and contribute to the improvement of risk management, control, and governance systems. These activities are intended to focus on whether the organization's risk management, control, and governance processes, as represented by management, are adequate and functioning as intended.

    Because the new definition of internal auditing requires the internal audit activity to add value and improve an organization's operations, adding value is now an expected result of audit activities. By recognizing that auditors can provide both assurance and consulting services, there are now more opportunities for internal auditing to make a significant contribution to an organization.

    The nature of assurance services provided to the organization should be defined in the audit charter. (Standard 1000.A1)

    Information Usually Submitted to the Audit Committee

    Percent of audit plan completed      78.10%
    Department expense budget            40.90%
    Actual expenses vs. budget           31.50%
    Department productivity measures     46.50%
    Benchmark comparisons with others    36.20%
    Organizational structure             68.01%

    Source: GAIN Report pages a5


    Assurance work should be designed to meet the fiduciary needs of senior management and the board. Assurance engagements need to include steps and obtain specific information that will enable senior management and the board to establish a level of comfort regarding the organization's risk management, governance, and internal control systems.

    The nature of consulting services should be defined. (Standard 1000.C1)

    Consulting services, however, usually focus on pure problem-solving activities and are about adding value to operating management. The charter should include the authority and responsibilities for consulting activities.

    It is important that management and the board understand and agree with the idea of providing consulting services, and approve policies and procedures under which consulting services will be performed by the internal auditing activity. The CAE should identify the types of consulting activities to be offered and develop appropriate policies and procedures for performing this type of work. By clarifying the difference between assurance work and consulting work, internal auditors, on a consulting engagement, can focus on the concerns of operating management without compromising their assurance responsibilities to senior management and the board. This gives internal auditors the opportunity to get involved up-front in projects rather than having to wait until after the completion of the project.


    The nature of consulting and assurance work is compared and contrasted in the chart below:

    ASSURANCE OR CONSULTING [3-2]

    Assurance

    Assurance involves:
    o The auditor, the operating customer, and the third party to whom assurance is being provided.

    Assurance assesses:
    o Adequacy of entity internal control.
    o Adequacy of process or sub-entity internal control.
    o Adequacy of enterprise risk management.
    o Adequacy of governance process.
    o Compliance with laws or regulations.

    The client may be:
    o Internal: the board, senior management, the audit committee.
    o External: customers, shareholders, regulators, stakeholders.

    Results are:
    o An opinion.
    o Formal and explicit.
    o Reported to the third party (mandatory).
    o Followed up on (mandatory).

    Assurance work is:
    o Mandatory for the internal audit activity: Full competence is either present in the audit staff or acquired from outside parties.

    Consulting

    Consulting involves:
    o The auditor and the client.

    Consulting provides:
    o Improvement of efficiency or effectiveness.
    o Assistance in design of corrective actions.
    o Controls needed for new systems design.
    o Benchmarking.

    The client usually is:
    o Operating management.

    Results are:
    o A recommendation.
    o Often formal.
    o Reported as agreed upon with client.
    o Followed up on to the extent specified in the consulting arrangement.

    Consulting work is:
    o Optional: The engagement can be declined if competencies required to perform the engagement are not present in the audit staff.


    Issues that should be considered when undertaking consulting work can be found in Practice Advisories 1000.C1-1 and 1000.C1-2. Sample categories that can be used by organizations to describe the types of consulting services that may be offered are shown below.

    TYPES OF CONSULTING WORK [3-3]

    Sample categories used by organizations to describe the types of consulting work they provide include:

    Formal engagements: those that are planned and subject to written agreement.

    Informal engagements: routine activities such as participation on standing committees, limited-life projects, ad-hoc meetings, and routine information exchange.

    Special engagements: participation on dedicated teams such as a merger and acquisition team or system conversion team.

    Emergency engagements: participation on a team established for recovery or maintenance of operations after a disaster or other extraordinary business event or a team assembled to supply temporary help to meet a special request or unusual deadline.*

    Assessment services: the timely examination of a past, present, or future aspect of operations that renders information to assist management in making decisions. Examples include estimating savings from outsourcing processes or assessing the adequacy of internal controls over proposed systems.

    Facilitation services: assistance to management in the examination of organizational performance for the purpose of promoting change by helping management to identify organizational strengths and opportunities for improvement. Examples include control self-assessment, benchmarking, strategic planning support, and business process reengineering support.

    Remediation services: the assumption of a direct role designed to prevent or remediate known or suspected problems on behalf of the client. Examples include developing and delivering training courses on risk management, internal controls, regulatory compliance, etc.; drafting proposed policies; and augmenting operating personnel.**

    *From Practice Advisory 100.C1-2

    **From the U.S. Department of Agriculture Graduate School Model.


    Several policies governing how consulting services would be provided by an internal audit activity are shown below:

    SAMPLE POLICIES FOR CONSULTING SERVICES [3-4]

    The internal audit activity at a state agency developed the following draft policy statement for consulting services. The policy provides a useful model for other audit activities attempting to codify their approach to consulting work.

    Acceptance of Projects

    1. Some consulting projects are specifically identified in the board-approved annual plan. For these projects, the CAE will collaborate with the appropriate manager to develop a preliminary statement of work to be performed. This statement will include a general description of work, estimated hours, and projected time frame.

    2. Most consulting projects are initiated by managers communicating directly with the CAE. For these requests, the CAE will:

    Collaborate with managers to develop a preliminary statement of work to be performed. The statement will include a general description of work, estimated hours, and projected time frame.

    Evaluate whether the internal audit team can perform the work. Considerations include:

    o Knowledge, skills, and disciplines of auditors.
    o Expected resource commitment.
    o Risk of activities.
    o Impact on the audit activity's independence and objectivity.
    o Other appropriate considerations.

    If the evaluation reveals that the audit activity can perform the work, the CAE will seek the executive director's approval for the request.

    If the evaluation reveals that the audit activity should not perform the work, the CAE will notify the appropriate managers. The CAE will also discuss options, such as assisting with the selection of outside consultants.

    Determining the Approach

    Using the preliminary statement of work, the CAE will determine the model that will be used to conduct the work. There are two possible models:

    Audit Model: Using this model, the consulting project will be performed using the already established standards, policies, and procedures that apply to any audit. The decision to use the audit model is based on several factors, including:

    o Will project objectives or sub-objectives be determined using a risk/vulnerability assessment?
    o Are resources for the project primarily under the internal audit activity's control?


    o Will at least 80 hours of internal auditing's time be required for the project?
    o Will preparing the report primarily be the responsibility of the CAE?
    o Does the work easily fit into the survey/fieldwork/reporting paradigm?

    Review Model: The review model is used for requests that do not fit the audit model. Under the review model, the consulting project is performed using policies and procedures that differ from those used in a traditional audit.

    Procedures for the Review Model

    1. When the audit commitment totals 40 or more hours:

    A project file will be maintained. This file should contain documents such as the preliminary statement of work, meeting agendas, status reports, notes, and other pertinent information.

    Internal auditing staff assigned to the project should document their work as appropriate.

    Internal auditing staff will obtain background information concerning the area in which the work will be performed.

    Internal auditing staff assigned to the project will prepare a memo, which requires the signatures of the assigned staff and the CAE. The memo should provide a general description of the project, including:

    o A revised statement of work, if necessary.
    o Summary of background information.
    o Revised estimates of hours and time frame, if necessary.
    o Description of methodologies and types of evidence to be used.
    o Expected impact of work; for example, expected impact on control activities.
    o Other information as appropriate.

    Periodic status reports will be prepared according to a schedule agreed upon by the assigned staff and CAE. However, status reports will be prepared at least every three months.

    At the end of the project, internal auditing staff assigned to the project will prepare a closeout memo. The memo will be reviewed by the CAE. The memo should contain:

    o Discussion of the actual objective if significantly different from the preliminary description of work.
    o Description of scope and methodologies used.
    o Discussion of benefits that resulted from the project.
    o Discussion of any information that can be used in the annual risk assessment.
    o Conclusions, if any, that can be based on work performed.
    o Impact of the project on internal auditing's independence and objectivity.
    o Impact on the objectivity of the staff assigned to the project.
    o Other information as appropriate.

    If issued, any final report or memo will be included in the project file.

    When completed, the project file will be stored in the internal audit activity's workpaper files in order of its assigned project number.


    2. When the audit commitment totals less than 40 hours:

    A project file will be maintained. This file should contain documents such as the preliminary statement of work, meeting agendas, notes, and other pertinent information.

    Internal auditing staff assigned to the project should document their work as appropriate.

    At the end of the project, internal auditing staff assigned to the project will prepare a closeout memo which includes:

    o Discussion of the original and actual objectives, if significantly different.
    o Discussion of benefits that resulted from the project.
    o Discussion of any information that can be used in the annual risk assessment.
    o Impact on the objectivity of the staff assigned to the project.
    o Other information as appropriate.

    The closeout memo will be reviewed by the CAE and included in the project file.

    If issued, any final report or memo will be included in the project file.

    When completed, the project file will be stored in the internal audit activity's workpaper files in order of its assigned project number.


    Chapter 4: Organizing

    Once the chief audit executive (CAE) has been identified, the next step is to develop an organizational plan for the internal auditing activity. The internal auditing charter will establish where the internal auditing activity will fit into the overall organizational structure of the organization. The charter will also put into place the elements that will be needed to establish the internal auditing activity as an independent activity that is capable of performing its work objectively, as discussed in the 1100 series of the Standards for the Professional Practice of Internal Auditing (Standards).

    The internal audit activity should be independent, and internal auditors should be objective in performing their work. (Standard 1100)

    Independence means the unimpeded determination of scope of work and the unhindered ability to carry out that work.[4.1] The most critical element for ensuring auditor objectivity is the organizational independence of the internal audit activity. There is no guarantee that an auditor won't choose to act inappropriately and be influenced in spite of the evidence obtained during an engagement. However, a lack of organizational independence will undermine the appearance, if not the fact, of objectivity. The key to independence is the appropriate placement and status of the internal auditing activity.

    The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. (Standard 1110)

    While the Standards do not identify specific reporting structures for the CAE, it only makes sense that the higher the reporting level, the more independent the internal auditing activity will be. In some organizations, the CAE reports to the chief executive officer. In organizations where this is not the case, the CAE should have direct and unrestricted access to the chief executive officer, and that access should include periodic meetings to discuss important findings or issues.

    The Practice Advisories related to Standard 1110, along with a research study from The IIA Research Foundation, Independence and Objectivity: A Framework for Internal Auditors, offer some specific guidance on the effective positioning of the internal audit activity:

    The Minimum

    The CAE should report to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations. (PA 1110-1)


    The Ideal

    Preferably the CAE should report functionally to the audit committee, board of directors, or other appropriate governing authority, and administratively to the chief executive officer of the organization. (PA 1110-1)

    It is also preferable that the CAE have direct communication with the board. Direct communication occurs when the CAE regularly attends and participates in meetings of the board. The CAE should meet privately with the board at least annually. (PA 1110-1)

    The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results. (Standard 1110.A1)

    As a general rule, the internal audit activity should be organized in a way that affords a higher organizational status as its role expands and more parties inside and outside the organization derive assurance from its work. Internal auditing activities with a narrowly defined role may report to an appropriate lower level of management, as long as the placement assures the audit staff will obtain cooperation from the activity being reviewed and have unrestricted access to required information.

    For example, an internal audit activity with a broad assurance and consulting role should report directly to the governing board of the organization and more specifically to the audit committee of the board or other similar body. However, if the internal audit activity provides assurance only to top management, it requires an organizational status that ensures cooperation by and autonomy from lower-level management. In these situations, the CAE can report to the chief executive officer with little or no direct access to the organization's board or governing body.

    [Figure: CAE Reporting Relationships, Percent of Asset Size in Billions]


    Further Enhancing Independence

    The independence and the objectivity of the internal audit activity are further enhanced when:

    The CAE has unrestricted access to the board.

    The board is involved in decisions to hire or remove the CAE.

    The board takes part in drafting the internal audit charter.

    The board influences the budget for and scope of internal audit activities.

    The board is actively involved in oversight, review, and monitoring of audit activities.

    Maintaining/Preserving Objectivity

    The Standards now define the customer base for audit activity services as being comprised of two groups: the board, senior management, and external third parties on the one hand, and operating and line management on the other. As a result, internal auditors can no longer rely solely on their reporting relationship to the first group to satisfy the expectations of their customers in the second group. Operating and line management need to be assured that internal auditors can be objective. The Standards define objectivity as an unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and in the fact that no significant quality compromises have been made. They also state that objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. Objectivity means that given appropriate audit scope and professionalism, relevant and sufficient evidential matter will be effectively analyzed and results will be completely and honestly reported to the appropriate parties, without the auditor's judgment being skewed.

    Maintaining an impartial state of mind and avoiding conflicts of interest are requirements if any value is going to be gained from internal audit work. Without them, internal audit services will fail to deliver the reliable and trustworthy information customers need.

    There are several steps that can be taken to ensure objectivity: (PA 1120-1)

    The CAE should query the internal audit staff periodically concerning potential conflicts of interest and biases.

    Staff assignments should be periodically rotated.

    Audit work should be reviewed by supervision to assure that the work was performed objectively before communicating results.

    Internal auditors should not accept fees or gifts from employees, customers, suppliers, or business associates.

    Internal auditors should not be placed in situations where they may feel unable to provide objective, professional judgments.[4.2]


    Dealing with Impairments

    The Standards recognize that the expectations and demands that are put upon the internal auditing activity may at times result in organizational independence and individual objectivity not being achieved, at least in appearance if not in fact. For example, internal auditors from small shops who have been involved in problem-solving or process improvement projects with line management may have no choice but to review areas where they may have had prior operational input. Auditors may be asked to develop operating policies and procedures in areas where controls have been found to be weak during an audit. Auditors might, because of some expertise or experience, be asked to temporarily assume an operations role. Article 4-1 provides several guidelines from Practice Advisory 1130.A1-2 that should be considered by internal auditors when they are asked to accept responsibility for non-audit functions.

    Article 4-1: Internal Audit Responsibility for Non-Audit Functions [4-3]

    As a general rule, internal auditors should not assume operating responsibilities or oversee other non-audit functions or duties that are subject to periodic internal audit assessments. However, as organizations are pressured to develop more efficient and effective operations using fewer resources, internal auditors cannot always avoid such situations. The following guidelines from Practice Advisory 1130.A1-2 present several factors that internal auditors might want to consider when asked to accept responsibility for a non-audit function:

    If management directs internal auditors to perform non-audit work, it should be understood that they are not functioning as internal auditors.

    Expectations of stakeholders, including regulatory or legal requirements, should be evaluated and assessed in relation to the potential impairment. In other words, the third parties who rely upon internal auditing's objective assurance should be aware of the audit activity's participation in non-audit work.

    If the internal audit charter contains specific restrictions or limiting language regarding the assignment of non-audit functions to the internal auditor, then these restrictions should be disclosed and discussed with management, and subsequently with the audit committee or other governing body if management insists on the assignment anyway.

    The impact of the assignment of non-audit work on independence and objectivity should be discussed with management, the audi