IIA - The Institute of Internal Auditors

CAEs - Appointment, Performance Evaluation and Termination

In today’s business environment, where there is increasing focus on governance, risk management, and control, appointing a CAE is a critical undertaking for any organization. This imperative activity is one of the key responsibilities of the organization’s board. The CAE will have a high degree of interaction with senior management and the board and thus needs to demonstrate the right attributes and skill for the position. The CAE’s unique role in the organization requires independence and objectivity while also demonstrating an ability to partner within the organization to add value to its operations. Independence and objectivity are fundamental to the CAE’s role because the individual must be willing to raise difficult issues with senior management and the board even if that proves unpopular. To maintain credibility, CAEs must demonstrate the ability to escalate difficult issues to an appropriate level to ensure they are adequately addressed. In addition, a CAE exhibits the attributes of integrity, intellectual curiosity, and a focus on audit quality. Key skill categories for a CAE include technical, business, communication, and people management skills. During the process of a CAE’s appointment and periodic evaluations, senior management and the board typically will consider those attributes and skills. A CAE may want to consider them when evaluating his or her own performance and considering his or her development needs.Generally the board would oversee the termination of the CAE. Boards will want to determine if termination is justified and appropriate. It is reasonable for the CAE to expect the board to consider terminating his or her services when there is evidence that professional performance requirements were not met, a material breach in The IIA's Code of Ethics or the organization’s internal code of conduct was committed, or there has been material non-conformance with the IPPF’s Standards.

Auditing Executive Compensation and Benefits

Auditing the structure and operation of Executive Compensation and Benefits (ECB) programs is a legitimate and appropriate role for internal auditing. If a risk assessment indicates a review is warranted, the Chief Audit Executive (CAE) should add ECB to the audit plan, which the board will review and approve. Internal auditing will choose the audit approach and design risk-based audit procedures. This Practice Guide provides discussions relating to such an audit and includes several considerations that may be relevant to an organization’s business activities or risk profile.Strong governance systems are needed for ECB programs, as management often is in the position of both designing and recommending its own compensation. There are several specific risks internal auditors should consider, including employment market, compliance, financial reporting, reputation, operating, and external business relationship risks. ECB programs also are subject to fraud risk.Due to the sensitive nature of this area, internal auditing must have an appropriate audit approach and access to the necessary information. While there can be obstacles to obtaining this information, internal audit needs to proceed in accordance with its charter.The audit scope could include a focus on the board, management, and extended business relationships. There are a number of unique aspects in audits of each of these areas of focus which should be considered before performing audit work.This guide will assist internal auditors with an explanation of the audit approach, audit considerations such as access to information and privileged communications, as well as the skills and knowledge necessary to serve on the audit team. A section on audit program development includes various concepts, potential tests, and questions to help auditors create an audit program. The appendix provides definitions relative to various types of compensation and benefits.ECB programs have risks that require effective board governance and management processes. Internal auditors have an important role in providing assurance that appropriate and effective controls are in place around ECB programs.

Evaluating Corporate Social Responsibility

Corporate Social Responsibility (CSR) presents significant risks and opportunities for many organizations. Stakeholders expect boards and management to accept responsibility and implement strategies and controls to manage their impact on society and the environment, to engage stakeholders in their endeavors, and to inform the public about their results. The proliferation of regulation and voluntary standards has made CSR management a complex endeavor.

Internal auditors should understand the risks and controls related to CSR objectives. Where appropriate, the Chief Audit Executive (CAE) should plan to audit, facilitate control self-assessments, verify results, and/or consult on the various subjects. Internal auditors should maintain the skills and knowledge necessary to understand and evaluate the governance, risks, and controls of CSR strategies.

This guide will assist internal auditors in understanding:

• The risks (operational, reputational, etc.) associated with CSR activities and how to use such knowledge in audit planning.
• The approaches to evaluating CSR activities, including auditing, facilitating, and consulting.
• Audit considerations such as use of the audit opinion, independence and objectivity, and types of resources.
• Considerations in developing the internal audit program, including whether CSR information is consistent with standards and how management communicates and sets priorities for CSR strategies.

The guide also explains detailed approaches to auditing in the following appendices:

• Auditing by Element
• Auditing by Stakeholder Group
• Stakeholder Theory
• Additional Resources (includes references to additional Practice Guides)

Internal Auditing and Fraud

This guide discusses fraud and provides general guidance to help internal auditors comply with professional standards. Because fraud negatively impacts organizations in many ways — financially, reputational, and through psychological and social implications — it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs, as well as a fraud risk assessment process to identify risks within the organization. To help organizations and internal auditors combat fraud, the guide discusses:

• Fraud awareness (e.g., reasons and examples for fraud and potential fraud indicators).
• Fraud roles and responsibilities.
• Internal audit responsibilities during audit engagements (e.g., execution responsibilities and communicating with the board).
• Fraud risk assessment (e.g., identifying relevant fraud risk factors and mapping existing controls to potential fraud schemes and identifying gaps).
• Fraud prevention and detection.
• Fraud investigation.
• Forming an opinion on internal controls related to fraud.

The guide also includes reference material, questions to consider, and a fraud risk assessment template.
Applicability

This may be applicable to and useful for:

• Chief Audit Executives (CAEs).
• Boards.
• Executive and operating management.
• Other assurance providers (OAPs).
• Other professional regulatory bodies.

 

Auditing External Business Relationships

This guide provides internal auditors with guidance in auditing external or extended business relationships (EBRs). Management also may use this guide in managing and monitoring the risks associated with these relationships.

When contemplating the internal audit activity's EBR responsibilities, consider the following:

• Organizations have multiple EBRs that satisfy a variety of business needs.
• Each relationship presents risks.
• It is management’s responsibility to manage these risks and realize the benefits.
• Internal auditing plays a key role in assisting management and validating management’s efforts.

Organizations conduct business with EBR partners for a variety of reasons. Organizations may seek benefits like enhancing revenues through licensing and distribution arrangements, reducing costs in areas of an organization’s that are outside of its core competencies, or augmenting existing resources focused on its core competencies. However, with these business relationships also comes inherent and control risks associated with working with external business partners. By associating with external partners, an organization often bears risks similar to those it would experience internally, without the external association (for example, an organization still bears risks for outsourced processes). In addition, the organization is exposed to risks imposed by association with the third party, as well as the activities of the third party, including reputation, brand, and economic risks. Internal auditors can help management and the board identify, assess, and manage these risks.

Organizations’ managements are responsible for managing and monitoring their EBRs and related risks. While entering into a business relationship allows an organization to create benefits and share some risk with the EBR, the organization still retains ultimate responsibility and accountability over a number of risks. Not all risks can be relegated to the business partner. The organization needs to monitor and manage these risks.

The organization is responsible for risk management activities encompassing tasks such as selection of business partners, contract effectiveness, partner/customer contract management controls, contract compliance monitoring and reporting, and business relationship management. Without proper controls in place to address the risks associated with these responsibilities, the organization may lose revenue or incur higher costs, as well as have inefficient operations, misreporting, and even damaged brand, in addition to impacted business relationships.

By taking ownership and control of these responsibilities, organizations have the ability to reduce risk and help foster a relationship of trust and accountability with its business partners. With good oversight of its business relationships, an organization can account for all revenues and potentially reduce costs ― the organization can receive the full benefits of the business relationship.

Internal auditors need to understand all the elements associated with EBRs, from initiating a relationship, contracting and defining a relationship, procurement, managing and monitoring the continued relationship (including control environment considerations of objectivity and independence of those responsible for managing and monitoring), and finally discontinuing the relationship. After understanding the expectations of both parties, along with the appropriate processes to manage and monitor the relationship, the internal auditor develops an appropriate internal audit program with relevant audit objectives for internal audits of external relationships. In addition, internal audit procedures may include elements of evaluating adherence to (and compliance with) contractual terms to determine whether monetary and non-monetary obligations are met.

It is important for organizations to know that they are getting what they are paying for, that they are collecting what they are earning, or, simply, that they are receiving the benefits anticipated from the relationship. Internal audit procedures may uncover missed revenue or cost savings, improve reporting accuracy, and enhance value resulting from the relationship through one or more of the following: limiting fraudulent activity, increasing trust with participants in the relationship, fostering feedback, improving relationships, and helping management improve internal and external control.

Formulating and Expressing Internal Audit Opinions

This Practice Guide provides practical guidance to internal auditors who wish to form and express an opinion on some or all of an organization’s governance, risk management, and internal control systems.
Applicability

This may be applicable to and useful for:

• Chief Audit Executives (CAEs).
• Boards.
• Executive and operating management.
• Other assurance providers (OAPs).
• Other professional regulatory bodies.

Background

Internal audit activities are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).

Examples of macro and micro opinions include:

• An opinion on the organization’s overall system of internal control over financial reporting (macro).
• An opinion on the organization’s controls and procedures for compliance with applicable laws and regulations, such as health and safety, when those controls and procedures are performed in multiple countries or subsidiaries (macro).
• An opinion on the effectiveness of controls such as budgeting and performance management, when such controls are performed in multiple subsidiaries and coverage comprises the majority of the organization’s assets, resources, revenues, etc. (macro).
• An opinion on an individual business process or activity within a single organization, department, or location (micro).
• An opinion on the system of internal control at a subsidiary or reporting unit, when all work is performed in a single audit (micro).
• An opinion on the organization’s compliance with policies, laws, and regulations regarding data privacy, when the scope of work is performed in a single or just a few business units (micro).Formulating and Expressing Internal Audit Opinions

GTAG 17 - Auditing IT Governance

La presente GTAG fornisce agli Internal Auditor, del settore pubblico e privato, le conoscenze necessarie nel fornire i servizi, di Assurance e consulenza, per l'IT Governance.

GTAG 16 - Data Analysis Technologies

The IIA has released a practice guide entitled “GTAG 16: Data Analysis Technologies.” This guide aims to help CAEs understand how to move beyond the tried and true methods of manual auditing toward improved data analysis using technology. After reading this guide, you will:

• Understand why data analysis is significant to your organization.
• Know how to provide assurance more efficiently with the use of data analysis technology.
• Be familiar with the challenges and risks that you will face when implementing data analysis technology within your department.
• Know how to incorporate data analysis at your organization through adequate planning and appropriate resource structures.
• Recognize opportunities, trends, and advantages of making use of data analysis technology.

To further assist CAEs and other individuals who use this guide, we also have included a detailed example of the application of data analytics to procurement control activities in Appendix A. Consistent with where most data analysis starts, these examples are largely focused on simple data matching and reperformance of automated system functionality used in providing assurance.

GTAG 15 - Information Security Governance

Information is a significant component of most organizations’ competitive strategy either by the direct collection, management, and interpretation of business information or the retention of information for day-to-day business processing. Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated.

This GTAG will provide a thought process to assist the CAE in incorporating an audit of information security governance (ISG) into the audit plan, focusing on whether the organization’s ISG activity delivers the correct behaviors, practices, and execution of IS.

GTAG 15: Information Security Governance will assist efforts to:

• Define ISG.
• Help internal auditors understand the right questions to ask and know what documentation is required.
• Describe the internal audit activity’s (IAA) role in ISG.