Thursday 29 December 2011

Topic 11: Prepare Engagement Work Program

An engagement work program is a document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.

For assurance engagements, work programs must include the procedures for identifying, analyzing, evaluating and documenting information during the engagement. The work program must be approved prior to its implementation and any adjustments approved promptly.

For consulting engagements, work programs may vary in form and content depending upon the nature of the engagement.

The engagement work plan should be approved in writing by the CAE or designee prior to the commencement of engagement work, where practicable.

Topic 10: Establish Adequate Planning and Supervision of the Engagement

The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The CAE has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.

Supervision is a process that begins with planning and continues throughout the engagement. The process includes:

  • Ensuring designated auditors collectively possess the required knowledge, skills, and other competencies to perform the engagement.
  • Providing appropriate instructions during the planning of the engagement and approving the engagement program.
  • Ensuring the approved engagement program is completed unless changes are justified and authorized.
  • Determining engagement working papers adequately support engagement observations, conclusions and recommendations.
  • Ensuring engagement communications are accurate, objective, clear, concise, constructive and timely.
  • Ensuring engagement objectives are met.
  • Providing opportunities for developing internal auditors' knowledge, skills and other competencies.
On a tactical level, planning and supervision also involve:
  • Deadlines
  • Travel arrangements
  • On-site logistics
  • Assignments
  • Team communication and supervision
  • Team development

Topic 9: Determine the Level of Staff and Resources for the Engagement

Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints and availability of resources.

The success of an engagement is often judged by:

  • Achievement to the level of standards
  • Fulfillment of engagement objectives
  • Completion within budget

Topic 8: Determine Engagement Procedures

Engagement procedures are drafted to ensure successful attainment of engagement objectives. Engagement procedures must be relevant to the selected objectives. A procedure may be applicable to the internal audit as a whole, but if it is erroneously applied to an objective, the result will be irrelevant.

Audit evidence refers to facts used to support audit opinions, conclusions and recommendations, which can be physical (pictures), documentary (letters, memo), representational (testimonials) or analytical (graph comparison).

Types of legal evidence include:

  • Best evidence - also referred to as primary evidence and is generally documentary
  • Secondary evidence - is inferior to primary evidence, e.g. oral testimony and written summaries.
  • Direct evidence - a fact without requiring presumptions or inference, e.g. an eyewitness
  • Conclusive evidence - leads to only one conclusion.
  • Circumstantial evidence - proves an intermediate fact from which a primary fact can be logically inferred.
  • Corroborative evidence - supplements evidence already given and tends to support it.
The internal auditor should always bear in mind the mandatory injunction in the Code of Ethics to honor the confidentiality requirements of the owner of audited data.


Topic 7: Consider the Potential for Fraud When Planning an Engagement

Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

The fraud triangle consists of the following elements:

  • Motive - The reason why an individual acts or reacts
  • Opportunity - The favorable circumstance that allows the individual to commit fraud
  • Rationalization - How the individual justifies the fraudulent action
Fraud indicators are signs that indicate both the inadequacy of controls in place to deter fraud and the possibility that some perpetrator has already overcome these weak or absent controls to commit fraud. They are also referred to as red flags.

Risk assessment is the identification and measurement of risk and the process of prioritizing risk.

An effective fraud risk assessment:
  • Is performed on a systematic and recurring basis
  • Considers possible fraud schemes and scenarios, including consideration of internal and external factors.
  • Assesses risk at a company-wide, significant business unit and significant account level.
  • Evaluates the likelihood, significance and pervasiveness of each risk.
  • Assesses exposure arising from each category of fraud risk by identifying mitigating control activities and considering effectiveness of those control activities. 
  • Is performed with the involvement of appropriate personnel
  • Considers management override of controls
  • Is updated when special circumstances arise
The final determination of whether or not the risk of fraud warrants special consideration when conducting the engagement involves the internal auditor's judgement skills. This mental attitude or judgment is a combination of the internal auditor's analytical skills and all information related to the organization to determine if internal control weaknesses exist and signal the potential for fraud activity. 

Topic 6: Identify or Develop Criteria for Assurance Engagements

Criteria should be consistent with audit engagement objectives and ultimately yield useful information to the client. The lack of suitable criteria may result in the internal auditor drawing inappropriate conclusions. 

Examples of generally accepted suitable criteria for assurance engagements include:
  • Acts and regulations
  • Policies and procedures
  • Standards or guidelines
  • Risk management
  • Control frameworks
  • Performance information
  • Client management roles and responsibilities
  • Industry best practices
  • Guidance provided by recognized bodies of experts
  • Benchmark evidence
When there are no generally accepted criteria consistent with the audit engagement objectives, the lead internal auditor will need to discuss with client management and identify the criteria suitable for the engagement. 

Topic 5: Establish/Refine Engagement Objectives and Identify/Finalize the Scope of Engagement

Internal auditors establish engagement objectives to address the risks associated with the activity under review.

For planned engagements, the objectives proceed from which the annual audit plan is derived. For unplanned engagements, the objectives are established prior to the start of the engagement and are designed to address the specific issue that prompted the engagement.

Engagement objectives are different than management's operational objectives. Operational objectives specify what the client hopes to accomplish while engagement objectives deal with what the internal auditor hopes to accomplish.

Broad categories of engagement objectives include:

  • Effectiveness and efficiency of operations
  • Reliability of reporting
  • Compliance
The scope of engagement must include consideration of relevant systems, records, personnel and physical properties including those under the control of third parties. 

If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.

Any restriction placed on the internal audit activity that thwarts it from fulfilling the intended scope should be communicated, preferably in writing, to the board, audit committee or other appropriate governing authority.

Topic 4: Coordinate Audit Engagement Efforts

Collaboration can improve internal and external auditors' competency in other ways. Both parties generally benefit from the interchange of new/different auditing techniques, procedures, ideas and information. External auditors gain better insights into client operations, control systems and so on, typically much more quickly than when left to independent discovery.

Much of the work that internal audit performs is not relevant to the efforts of external auditors. For example, internal audit engagement objectives intended to assess compliance, efficiency and effectiveness of operation have little application to external audits focused on the fairness of presentation of financial statements. But when synergies are possible, everyone stands to gain from coordination and cooperation. Proper planning provides the foundation for success.

Wednesday 28 December 2011

Topic 3: Complete a Detailed Risk Assessment of the Area

In planning the engagement, internal auditors must consider:

  • The objectives of the activity being reviewed and the means by which the activity controls its performance
  • The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. 
  • The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model
  • The opportunities for making significant improvements to the activity's risk management and control processes. 
Audit engagements are chosen largely in response to enterprise-wide risk assessment. Assessing risk in an engagement area furthers organizational risk management by helping to ensure that:
  • The engagement planning is aligned with the entity-level risk assessment
  • The engagement planning leverages information from the entity-level risk assessment
  • The engagement is focused on risk
"Internal auditors must conduct a preliminary assessment of the risk relevant to the activity under review. Engagement objectives must reflect the results of this assessment".

A risk control matrix is a useful tool to help ensure that internal controls adequately account for risk at the engagement level and that all significant risks identified are addressed in subsequent fieldwork.

Risk Control Matrix Features:
  • Step 1: Identify business objectives
  • Step 2: Identify risks to business objectives
  • Step 3: Rate each risk in terms of likelihood and significance
  • Step 4: Identify the controls e.g. Avoid, Share, Accept, Reduce and Increase
  • Step 5: Evaluate the adequacy of controls
  • Step 6: Test the effectiveness of controls
  • Step 7: Arrive at the final opinion on adequacy and effectiveness of controls.

Tuesday 27 December 2011

Topic 2: Conduct a Preliminary Survey of the Area of Engagement

During the engagement planning process, preliminary surveys are one of the most important tools internal auditors can employ. They help an internal auditor to accumulate relevant information about the operation to be audited - the objectives, the people, the processes and the systems involved.

Realistic outcomes from a preliminary survey include clarification of the:

  • Purpose of the internal audit
  • Engagement objectives, scope and timing
  • Processes to be audited
  • Area objectives, related risks, and controls
  • Internal audit resources to be used
  • Relevant standards
Analytical reviews examine relationships among information. In particular, examining relationships among information that is often overlooked can provide valuable insights. The goal of an analytical review is to identify discrepancies in information.

Unexpected deviations or the lack of expected changes may result from any of the following factors, alone or in combination:

  • Errors or omissions by the organization, operations or the internal auditors
  • Non-compliance
  • Illegal acts
  • Unusual events or transactions
  • The accounting method used.
Types of Analytical reviews:
  • Variance analysis - Analysis of the factors that have caused a difference between a planned or standard amount and the actual results.
  • Trend analysis - The charting of historical financial or operational data over time to identify a tendency or direction. 
  • Ratio analysis - Mathematical relationships among several numbers often stated in the form of percentages, time or days.
Benchmarking is another activity that can help to refine an engagement plan during the planning phase. Levels of benchmarking:
  • Internal benchmarking - Comparing similar information within an entity. 
  • Competitive benchmarking - Comparing measures with similar measures of direct competitors, locally, nationally or worldwide.
  • Functional benchmarking - Comparing processes to those of organizations with similar processes in the same function but in a different industry.
  • Generic benchmarking - Comparing measures with those of organizations that are best in class. 
During the engagement planning process, interviews are often conducted to:
  • Facilitate a high-level client discussion about the planned internal audit
  • Secure the perspective of management responsible for the activity being examined.
  • Clarify information about the area to be audited
  • Collect additional necessary information
  • Provide an observation of the activities in the organization to be audited.
Interview Techniques and Tips
  • Preparation - Be prepared and organized 
  • Introductions - Take time for appropriate introductions
  • Opening - Explain the purpose of the interview and timing
  • Rapport - Build rapport
  • Questioning - Ask appropriate questions
  • Listening/talking - Listen carefully and then speak
  • Note-taking - Take notes unobtrusively and minimize extensive silences and pauses while writing
  • Non-verbal communication - Use non-verbal signs sparingly
  • Closing - Bring the interview to a formal close
The 4 Cs of effective communication - Clear, Concise, Complete & Correct

Permanent files are a record of consistent, rarely changing documents.

Review of prior audit documentation is important because it:
  • Provides familiarity with the area to be audited
  • Overviews what to expect on the activity being audited
  • Shows how other internal auditors approached the assignment
  • Identifies specific problems found previously and areas likely to have continuing or repeat problems
  • Reveals the status of promises or actions taken to correct any non-conformance
  • Reveals strengths that were previously identified that should be verified to ensure that they have been sustained. 
  • May identify additional activities for evaluation during the audit
Flowcharting a process helps to provide a complete picture of what is happening in the process from beginning to end, including the control points. A flowchart eliminates abstractions about how work flows through a system. During the planning phase of an engagement, internal auditors may review existing flowcharts or they may prepare new flowcharts. 

Alternatives to flowcharts are narratives, internal control questionnaires and block diagrams.

A narrative is a step-by-step picture of a process in a single document without the use of detailed symbols or keys. Narratives are flexible and facilitate open-ended questioning. However, there is no inherent discipline or standardization in how to prepare a narrative.

An internal control questionnaire (ICQ) is a pre-constructed array of questions used to elicit key information about internal control. ICQs are efficient and easy to administer. Their basic constraint is that they are limited to questions with yes/no answers about procedures and do not provide for in-depth investigation.

A block diagram is a pictorial presentation of a process or activity, typically including a series of boxes and connecting lines to indicate association and direction/order. 

A checklist is a tool internal auditors use to establish and maintain order during the audit engagement. They allow an internal auditor to work in an organized and efficient manner. Checklists are developed during the planning phase, typically at the end of the preliminary survey. "Checklists may be considered a reminder list".



Topic 1: Initiate Preliminary Communication with Engagement Client

The internal auditor must develop and document a plan for each engagement which:

  • States the objectives of the engagement
  • Identifies technical requirements, objectives, risks, processes and transactions that are to be examined
  • States the nature and extent of testing required
  • Documents the internal auditor's procedures for collecting, analyzing, interpreting and documenting information during the engagement
  • Is modified, as appropriate, during the engagement with the approval of the CAE 
The CAE determines how, when and to whom engagement results will be communicated. The internal auditor documents this and communicates it to management, to the extent deemed appropriate, during the planning phase of the engagement. The internal auditor communicates to management subsequent changes that affect the timing or reporting of engagement results.

During the initial client meeting, practical considerations that may impact the engagement should be addressed. Items to cover include:
  • Identification of key contracts and their availability
  • Documents and records needed
  • Complexity of operations to be examined
  • Access to necessary facilities and site locations
  • Security clearances
  • Distance between site locations and travel time
  • Escorts
  • Tours
  • Vacation schedules

Section 4: Plan Engagements

This section focuses on the engagement planning process. We consider the:

  • Preliminary communication with the engagement client
  • Preliminary survey of the area of engagement
  • Detailed risk assessment of the engagement efforts
  • Engagement objectives and scope
  • Criteria for assurance engagements
  • Potential for fraud
  • Engagement procedures
  • Level of staff and resources required
  • Engagement planning and supervision requirements
  • Engagement work program

Topic 5: Select Engagements

Risk analysis and assessment are not foolproof but the processes are better than relying on intuition. Educated decisions can be made about the selection of internal audit engagements.

A risk assessment process should be conducted annually. But the resulting engagement plan cannot be static. Changes in management direction, objectives, emphasis and focus as well as other evolving factors such as emerging trends should be reflected by changes to the audit universe and related engagement plan. Frequent (quarterly) updating may be required and any significant changes should be submitted to the oversight entities for review and approval.

Topic 4: Coordinate the Internal Audit Activity's Efforts

Efficient use of internal audit resources implies that attempts should be made to maximize audit coverage and minimize redundancies. This requires coordinating the internal audit coverage with external auditors, regulatory oversight bodies and other internal assurance functions.

Internal Auditors vs External Auditors

Internal auditors

  • Apply a systematic, disciplined approach to evaluate and improve the effectiveness of organizational risk management, control and governance process.
  • Concerned with all aspects of the organization
  • Focus on future events as a result of their continuous review and evaluation of controls and processes.
External auditors
  • Ordinary examination is designed to obtain sufficient evidential matter to support an opinion on the overall fairness of the annual financial statement. 
  • Approach is historical in nature.
The CAE is responsible for regular evaluations of the coordination between internal and external auditors. Such evaluations may also include assessments of the overall efficiency and effectiveness of internal and external audit activities. The CAE communicates the results of these evaluations to senior management and the board, including relevant comments about the performance of external auditors. 

The CAE must ensure proper coverage and minimize duplication of efforts.

Practical examples demonstrating the coordination of internal audit activity efforts with the external auditors include:
  • Comparing annual internal and external audit plans to eliminate duplication and encourage cooperation in performance of an audit activity where appropriate
  • Enterprise-wide agreement so that results of activities are shared to help the organization achieve objectives and eliminate risks
  • Communication/sharing of the external audit perspective on risk management, control and governance process with the internal audit activity to help with the internal audit planning. 

Topic 3: Identify Internal Audit Resource Requirements

The Chief Audit Executive must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan.

"Appropriate refers to the mix of knowledge, skills and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan".

Resource management involves consideration of:

  • Staffing plans
  • Financial budgets
  • The number of auditors required
  • The knowledge, skills and other competencies required to perform the engagements.
It is the CAE's responsibility to communicate to senior management and the board what resources are available as well as any resource limitation that could potentially affect the scope of proposed engagements or execution of the engagement work schedule. 

The elimination of the proposed engagement is the least desirable course of action. 

Topic 2: Use of the Framework

The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the CAE uses his/her judgment of risks after consultation with senior management and the board.

Management and Staff Information-Gathering Techniques

Interviews

  • A structured discussion between 2 parties: one representing internal auditing and the other representing a potential engagement client or information source about business risks.
  • Intended to solicit an unbiased view from the individual being interviewed.
  • Typically a precursor to focus groups and surveys.
Focus group
  • A small group of current managers or employees is invited to participate in a structured discussion facilitated by a representative of the internal audit function.
Questionnaires & Surveys
  • A way to quantify management and employee attitudes and perceptions.
Qualitative data are subjective or soft measures focusing on perceptions and attitudes. They can be derived from interviews, focus groups, observations and meetings.

Quantitative data are measures derived from concrete, objective criteria, which can be derived from studies, reports and surveys.

Types of Organizational Risks 
  • Strategic risks
  • Project/program/process risks
  • Operations risks
Risk measurement evaluates the potential impact of the risks based on the probability of risk occurrence - the likelihood the risk will result in a consequence that could materially impact the organization's ability to achieve goals and objectives. Risk measurement approaches include:
  • Probability estimates
  • Risk factor measures
  • Weighted matrices
Risk prioritization uses various ranking methods to rank risks and establish the relative strength of each risk and the potential consequence of each. Methods include:
  • Absolute ranking - ranks risk management scores and places them in order of magnitude.
  • Relative ranking - groups risk measurement scores into natural clusters and assigns relative values such as low, medium or high.
  • Matrices ranking - further analyzes the matrices used to measure risks and consequences and places them in quadrants of low, medium or high. 
Risk can be managed in a number of different ways including:
  • Acceptance - identifying ways to manage the risk such as establishing contingency plans.
  • Avoidance - identifying ways to prevent risk exposure
  • Transfer - sharing or transferring the risk to insurance or to other parties
  • Control - establishing internal controls for reducing the potential negative impact of risk and uncertainty or training employees in how to recognize potential risks and respond to prevent damage and reduce the effect
The CAE needs to make decisions for applying relative resources based on the significance of risk and exposure. In validating the risk priorities, factors to establish the priority of engagements include financial impact, asset liquidity, management competence, quality of internal controls, degree of change or stability, time of last audit engagement, complexity, employee and government relations. 



Topic 1: Establish a Framework for Assessing Risk

It is impossible for internal auditors to evaluate every possible risk facing an organization. A risk assessment framework provides a systematic way for the CAE and the internal audit function to assess internal and external risk factors and develop an annual audit plan.

Risk-based Assessment Framework for Internal Auditing:

Determine the audit universe

  • Identifies all organizational sources of potential engagements and all potential auditable activities; not limited to functions such as payroll or accounting but also considers specific activities within the function that pose potential risk.
  • Varies depending on the industry or nature of the organization, for example, locations, processes, products, or divisions may be considered.
Examine Organizational Risk Factors
  • Assesses internal and external organizational risks viewed more from the perspective of their impact on organizational goals and objectives rather than the extent of change within specific functions. 
  • Consider potential engagement sources
  • Involves discussing the audit universe with organizational senior managers to identify level of risk, planned new activities, and/or process changes.
  • Incorporates enterprise risk management (ERM) results if the organization has an ERM process.
Prioritize Audits
  • Evaluates proposed engagements
  • Establishes criteria and ranks the risks based on their significance to organizational success and the organization's risk appetite
  • Considers if the internal audit staff is sufficient to cover all the primary risks and whether some can be delayed and/or handled by external auditors. 
  • Leads to the annual audit plan.

Section 3: Establish a Risk-based Plan to Determine the Priorities of the Internal Audit Activity

The internal audit activity assists both management and the oversight body in risk management by:

  • Helping management to understand internal controls and risk management processes.
  • Developing and implementing a framework for assessing risk
  • Bringing a systematic, disciplined auditing approach to assessing the effectiveness of internal controls and risk management processes. 
  • Providing objective and independent assurance that the organization's risks have been appropriately mitigated
  • Making recommendations for improvement, as warranted.

Topic 3: Control Elements

Internal controls help an organization mitigate risk and ensure that management strategies and objectives are carried out.

Examples of Control tools:

  • Ethical "tone at the top", communicated in words and deeds
  • Organizational structure that promotes the flow of information
  • Clear definition of responsibilities
  • Delegation of authority commensurate with responsibility
  • Mechanisms to hold people accountable for results
  • Reward mechanism 
  • Qualified and well-trained personnel, particularly in key positions
  • Positive, motivating work environment
  • Effective empowerment of employees
  • An atmosphere of mutual trust
  • Frequent interaction between senior and operating management
  • Appropriate policies and procedures for hiring, training, promoting and compensating employees
  • Written policies and procedures
  • Performance standards
  • Procedures for authorizing and processing transactions
  • Independent verification of performance
  • Reconciliations
Types of controls:
  • Preventive controls - These are proactive controls that deter undesirable events from occurring
  • Detective controls - These are controls that detect undesirable events that have occurred
  • Directive controls - Proactive controls that cause or encourage a desirable event to occur
  • Mitigating or compensating controls - These are controls that compensate for the lack of an expected control. Close supervision can replace segregation of duties.
Active control implies a task that prevents or detects a deviation from the approved procedure.

Passive control operates without human intervention.

The process in a control loop is:
  • Determine the objective that management has established for the function and the company as a whole
  • Establish the acceptable standard prior to beginning the evaluation of the controls.
  • Compare actual findings against the standards that were previously established. 
  • Determine appropriate corrective action. 
Characteristics of effective controls:
  • Timely identification of potential or actual deviations so as to limit costly exposures
  • Reasonable assurance of achieving intended objectives at a minimum cost with the fewest undesirable side effects
  • Clear accountability that helps personnel to meet their assigned responsibilities
  • Effective placement
  • Root cause identification so corrective action is appropriate
  • Alignment to management strategies and business objectives. 
Limitations of controls:
  • Excessive or redundant controls can lead to confusion and frustration
  • Over-reliance on controls may cost more than the exposure they are intended to guard against
  • Overemphasis on controls can lead people to focus merely on satisfying the controls and cause them to lose sight of business objectives.
  • Changes and time may make controls obsolete

Topic 2: Risks Elements

Inherent Risk - The risk derived from the environment without the mitigating effects of internal controls

Residual Risk - The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.

Topic 1: Risk and Control Terminology

Risk - the possibility of an event occurring that will have an impact on the achievement of objectives. It is measured using likelihood and impact.

Control - is any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Points to note regarding risks:


  • Risk begins with strategy formulation and objective setting
  • Risk does not present a single point estimate, it represents a range of possibilities
  • Risk may relate to preventing bad things from happening or failing to ensure good things happen
  • Risks are inherent in all aspects of life; risks associated with conducting a form of business are considered business risks.

Section 2: Risk and Control Knowledge Elements

Internal auditors must be proficient in each of the three activities, namely risk, control and governance.

Risk


  • Identifying and evaluating significant exposures to risk
  • Contributing to the improvement of risk management and control systems
  • Monitoring and evaluating the risk management system
Control
  • Evaluating the effectiveness and efficiency of controls
  • Promoting the continuous improvement of the control environment
Governance
  • Promoting appropriate ethics and values within the organization
  • Ensuring effective organizational performance management and accountability
  • Effectively communicating risk and control information to appropriate areas of the organization
  • Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management


Topic 8: Abide by and Promote Compliance with The IIA's Code of Ethics

For internal auditors, a formal code of ethics provides a window into generally accepted standards of conduct useful to an organization and its customers. Internal auditors are expected to apply and uphold the following principles:


  • Integrity - The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment
  • Objectivity - Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
  • Confidentiality - Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
  • Competency - Internal auditors apply the knowledge, skills and experience needed in the performance of internal auditing services. 

Topic 7: Promote Quality Assurance and Improvement of the Internal Audit Activity

To ensure consistent quality of internal audit activities, the internal audit function is required to have a quality assurance and improvement program (QA & IP) in place.

Even for those internal audit departments that are fully outsourced, the department itself is still required to have a QA & IP regardless of whether the outsource provider has completed one of their overall activities.

QA & IP include evaluation of:

  • Conformance with the Definition, Code of Ethics and Standards including timely corrective actions to remedy any significant instances of non-conformance
  • Adequacy of the internal audit activity's charter, goals, objectives, policies and procedures.
  • Contribution to the organization's governance, risk management and control processes.
  • Compliance with applicable laws, regulations and government or industry standards.
  • Effectiveness of continuous improvement activities and adoption of best practices.
  • The extent to which the internal audit activity adds value and improves the organization's operations.
Ongoing internal assessments are practices put into place by the CAE to do routine evaluations of the practices and policies of performing individual audits. Scope of internal assessments:
  • Routine and continuous supervision and testing of the performance of audit and consulting work
  • Ongoing measurements and analyses of performance metrics, plan accomplishment, cycle time, recommendations accepted
  • Periodic validations of compliance with applicable laws, regulations and government or industry standards
  • Periodic validations of compliance with the Standards and Code of Ethics
External reviewers should be independent of the organization and of the internal audit activity. The review team should be competent in the professional practice of internal auditing and the external assessment process. Scope of external assessments:
  • Conformance with the Definition of Internal Auditing; the Code of Ethics and the Standards
  • Expectations of the internal audit activity expressed by the board, senior management and operational managers
  • Integration of the internal audit activity into the organization's governance process, including the relationships between and among the key groups involved in the process
  • Tools and techniques employed by the internal audit activity
  • Mix of knowledge, experience and disciplines within the staff

For internal assessments, the CAE should share the results, necessary action plans and their successful implementation with stakeholders such as senior management, the board and external auditors.

For external assessments, the preliminary results of the review should be discussed with the CAE during and at the conclusion of the assessment process. Final results should be communicated in a formal report to the CAE or other official who authorized the review for the organization, preferably with copies sent directly to appropriate members of senior management and the board.

Use of the compliance phrase requires an external assessment at least once during each five-year period, along with ongoing and periodic internal assessments that have concluded that the internal audit activity is in compliance with the Standards and the Code of Ethics.



Topic 6: Promote Continuing Professional Development

Continuing professional development is the means by which members of a profession maintain, improve, and broaden the knowledge, skills, and competence required in their professional lives. "Internal Auditors are responsible for continuing their education to enhance and maintain their proficiency".

Development may be accomplished through a variety of actions such as:

  • Occupational assignments
  • Mentoring
  • Networking
  • Training
  • Participation in research projects
  • Collective wisdom derived from analyzing information, synthesizing information
  • Formal education
  • Attendance at conferences
  • Membership and participation in professional societies
  • Certification and re-certification
The primary benefits of certification and re-certification:
  • Demonstrate mastery of a defined body of knowledge
  • Enhance professional credibility and prestige.
  • Demonstrate mastery of professional practice standards.
  • Facilitate professional development
  • Stay current in practice area.


Monday 26 December 2011

Topic 5: Exercise Due Professional Care

Due professional care calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Internal auditors are expected to act responsibly in all professional situations. This includes taking appropriate actions when confronted with challenges such as investigating suspicious activities rather than ignoring them.

In exercising due professional care during assurance engagements, auditors need to consider the probability of significant errors, irregularities and noncompliance as well as the cost of assurance in relation to potential benefits.

Examples of due professional care principles for assurance engagement include:
  • Working knowledge of The IIA's standards
  • Understanding of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework of internal control
  • Awareness of organizational objectives, goals and strategies
Examples of not exercising appropriate due professional care:
  • Failure to recognize an indicator or red flag
  • Performing an internal audit of each department every 3 years regardless of the relative risk or importance of the department.
Examples of due professional care in consulting engagements:
  • A working knowledge of The IIA's standards
  • An understanding of the organizational objectives for consulting engagement.
  • Providing objective comments about the proposed process or activity.

Topic 4: Develop/Procure Necessary Knowledge, Skill and Competencies Required by Internal Audit Activity

Co-sourcing and out-sourcing are necessary when unique competencies and specialty skills are not available to fulfill an internal audit activity. It is incumbent upon the CAE to obtain assistance from experts outside the internal audit activity to support or complement areas where the activity is not fully proficient.

Advantages of co-sourcing and outsourcing:

  • Frees internal resources for other activities
  • Provides flexibility (by allowing internal resources to complete other projects).
  • Can improve efficiency and effectiveness
  • Can reduce expenses
  • Can provide coverage of remote locations
  • May improve the quality and timeliness of internal audit activity
  • Can provide additional skill sets not currently within the department
Disadvantages of co-sourcing and outsourcing:
  • Can cost more to go outside for specific expertise
  • Results in a loss of in-house capabilities and process control
  • Has potential for poor staff morale
  • Requires a learning curve and continual oversight and coordination to manage the relationship
  • Has potential for privacy and confidentiality issues.
  • Can create a loss of internal auditing activities as a training ground for internal promotions
The CAE must ensure that the external service provider that he appointed possesses the necessary knowledge, skills and other competencies to perform the engagement.

The CAE needs to assess the relationship of the external service provider to the organization and to the internal audit activity to ensure that independence and objectivity are maintained throughout the engagement.

Fraud is "any illegal acts characterized by deceit, concealment or violation of trust".

The internal auditor's responsibilities for detecting fraud during an engagement include:
  • Consider fraud risks in the assessment of control design and determination of audit steps to perform
  • Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed. 
  • Be alert to opportunities that could allow fraud, such as control weaknesses
  • Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.
  • Notify the appropriate authorities within the organization if a determination is made that fraud has occurred to recommend an investigation. 

Topic 3: Determine Availability of Required Knowledge, Skills and Competencies

The CAE must ensure that auditors assigned to an internal audit activity have the requisite ability to proficiently execute an independent, objective assurance or consulting activity.

Distinction among proficiency, understanding and appreciation:

  • Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them appropriately without extensive recourse to technical research and assistance.
  • An understanding means the internal auditor is able to apply broad knowledge to situations likely to be encountered.
  • An appreciation means the ability to recognize the existence of problems or potential problems and to identify the additional research to be undertaken or the assistance to be obtained. 

Topic 2: Maintain Independence and Objectivity

Internal auditors are responsible for assuring that the controls in place are adequate to mitigate the risks to achieve the organization's objectives. In providing such assurance and consulting activities, the internal audit organization must maintain independence and objectivity.


  • Independence is "the freedom from conditions that threaten objectivity or the appearance of objectivity".
  • Objectivity is an "unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made".
The best way to foster independence is through dual reporting lines to the senior management level and the audit committee: functionally to the board and administratively to the organization's senior management.

Functional reporting - Provides the ultimate source of independence and authority. This includes:
  • Approving the internal audit activity's overall charter
  • Approving internal audit risk assessment and related audit plan
  • Approving the annual compensation and salary adjustment of the CAE
Administrative reporting - facilitation of the day-to-day operations of the internal audit functions. This includes:
  • Budgeting and management accounting
  • Human resource administration
  • Internal communication and information flow
Following are the ways to achieve organizational independence:
  • Have regular and direct communication with the board
  • Report to an individual at the senior management level with sufficient authority to promote independence and to ensure broad audit coverage
  • Report directly to the audit committee
Policies to promote objectivity:

  • Internal auditors should have no operational responsibility for, and should perform no assurance review of, any activity for which they had any authority or responsibility within the past year or a period significant enough to influence their judgement or opinion
  • A policy should be in place that endorses the internal auditor's commitment to abiding by the code of ethics, avoiding conflicts of interest, and disclosing any activity that could result in a possible conflict of interest.
  • Internal auditors should not subordinate their judgment on audit matters to that of others.
  • Internal auditors should perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made.
Ongoing assessment of individual objectivity can be done by having the CAE or another individual in a supervisory capacity for the internal audit activity review the results of the internal audit work before the related engagement communications are released.

Impairment to organizational independence and individual objectivity may include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations. Upon recognition or doubts, refer to the CAE. If required, staff reassignment is necessary. 




Topic 1: Continue

The nature of engagements for internal auditing can be primarily classified as assurance or consulting. Assurance and consulting are not mutually exclusive, so an audit activity can have both assurance and consultative components.

Internal auditors may conduct consulting services as part of their normal or routine activities or in response to management requests. The following are examples of consulting categories:

  • Formal consulting engagements - planned and subject to written agreement
  • Informal consulting engagements - routine activities such as participation on standing committees 
  • Special consulting engagements - participation on a merger or acquisition team
  • Emergency consulting engagements - participation on a team established for recovery or maintenance operation. 
In all situations, a consulting engagement should not be conducted in an attempt to circumvent assurance engagement requirements.

Key documents to communicate the purpose, authority and responsibility of the internal audit activity to engagement clients include the following:
  • Internal audit charter
  • Function and responsibility statement (F&R)
  • Statement of policy - This policy identifies the different missions of the audit activity and assists management and the board in the effective discharge of their responsibility.
  • Audit manual - Includes written policies and procedures intended to provide guidance to the audit staff as they perform their duties.
  • Staff job descriptions
Thorough understanding of the purpose, authority and responsibility of the internal audit activity:

  • Purpose - Provide an independent objective assurance and consulting activity
  • Authority - Provide appropriate unfettered access to records, personnel and physical properties
  • Responsibility - Document the objectives and scope of the engagement as well as the methodology to be used.

Topic 1: Define Purpose, Authority, and Responsibility of Internal Audit Activity

The Chief Audit Executive (CAE) is the "top position within the organization responsible for internal audit activities. In the case where internal audit activities are obtained from outside service providers, the CAE is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow up of engagement results."

A key component setting the stage for internal auditing activities is the audit charter. The charter of the internal audit activity is "a formal document that defines the internal audit activity's purpose, authority, and responsibility. The charter establishes the internal audit activity's position within the organization; authorizes access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities."

The CAE develops a charter that defines the nature of services for assurance and consulting engagements. The audit charter must be consistent with the standards and approved by the board.


Typical elements of audit charter:

  • Mission and scope of the work of the internal auditing department
  • Accountability of the CAE to management and the audit committee in discharge of his or her duties.
  • Independence of the internal auditing function
  • Responsibilities of the CAE and internal auditing staff
  • Range of authority of the CAE and internal auditing staff
  • Standards of audit practice to be met or exceeded
The charter provides a recognized statement for review and acceptance by management and for approval, as documented in the minutes, by the board. It also facilitates a periodic assessment of the adequacy of the internal audit activity's purpose, authority and responsibility, which establishes the role of the internal audit activity. If a question should arise, the charter provides a formal, written agreement with management and the board about the organization's internal audit activity.

Section 1: Comply with The IIA's Attribute Standards

According to The Institute of Internal Auditors, "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process."

Internal auditing is performed by professionals with an in-depth understanding of the business culture, systems and processes. Internal audit activities may be performed by people within the organization or from outside the organization.