Auditing External Business Relationships
This guide provides internal auditors with guidance in auditing external or extended business relationships (EBRs). Management also may use this guide in managing and monitoring the risks associated with these relationships.
When contemplating the internal audit activity's EBR responsibilities, consider the following:
- Organizations have multiple EBRs that satisfy a variety of business needs.
- Each relationship presents risks.
- It is management’s responsibility to manage these risks and realize the benefits.
- Internal auditing plays a key role in assisting management and validating management’s efforts.
Organizations conduct business with EBR partners for a variety of reasons. Organizations may seek benefits such as enhancing revenues through licensing and distribution arrangements, reducing costs in areas of the organization's operations that are outside its core competencies, or augmenting existing resources focused on its core competencies. However, with these business relationships also come the inherent and control risks associated with working with external business partners. By associating with external partners, an organization often bears risks similar to those it would experience internally, without the external association (for example, an organization still bears risk for outsourced processes). In addition, the organization is exposed to risks imposed by association with the third party, as well as by the activities of the third party, including reputation, brand, and economic risks. Internal auditors can help management and the board identify, assess, and manage these risks.
An organization's management is responsible for managing and monitoring its EBRs and related risks. While entering into a business relationship allows an organization to create benefits and share some risk with the EBR partner, the organization still retains ultimate responsibility and accountability for a number of risks. Not all risks can be transferred to the business partner. The organization needs to monitor and manage these risks.
The organization is responsible for risk management activities encompassing tasks such as selection of business partners, contract effectiveness, partner/customer contract management controls, contract compliance monitoring and reporting, and business relationship management. Without proper controls in place to address the risks associated with these responsibilities, the organization may lose revenue or incur higher costs, suffer inefficient operations and misreporting, damage its brand, and impair its business relationships.
By taking ownership and control of these responsibilities, organizations can reduce risk and help foster a relationship of trust and accountability with their business partners. With good oversight of its business relationships, an organization can account for all revenues and potentially reduce costs; in other words, it can receive the full benefits of the business relationship.
Internal auditors need to understand all the elements associated with EBRs, from initiating a relationship, through contracting and defining the relationship, procurement, and managing and monitoring the continued relationship (including control environment considerations of objectivity and independence of those responsible for managing and monitoring), to finally discontinuing the relationship. After understanding the expectations of both parties, along with the appropriate processes to manage and monitor the relationship, the internal auditor develops an appropriate internal audit program with relevant audit objectives for internal audits of external relationships. In addition, internal audit procedures may include evaluating adherence to (and compliance with) contractual terms to determine whether monetary and non-monetary obligations are met.
It is important for organizations to know that they are getting what they are paying for, that they are collecting what they are earning, or, simply, that they are receiving the benefits anticipated from the relationship. Internal audit procedures may uncover missed revenue or cost savings, improve reporting accuracy, and enhance value resulting from the relationship through one or more of the following: limiting fraudulent activity, increasing trust with participants in the relationship, fostering feedback, improving relationships, and helping management improve internal and external control.
Formulating and Expressing Internal Audit Opinions
This Practice Guide provides practical guidance to internal auditors who wish to form and express an opinion on some or all of an organization’s governance, risk management, and internal control systems.
Applicability
This may be applicable to and useful for:
- Chief Audit Executives (CAEs).
- Boards.
- Executive and operating management.
- Other assurance providers (OAPs).
- Other professional regulatory bodies.
Background
Internal audit activities are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).
Examples of macro and micro opinions include:
- An opinion on the organization’s overall system of internal control over financial reporting (macro).
- An opinion on the organization’s controls and procedures for compliance with applicable laws and regulations, such as health and safety, when those controls and procedures are performed in multiple countries or subsidiaries (macro).
- An opinion on the effectiveness of controls such as budgeting and performance management, when such controls are performed in multiple subsidiaries and coverage comprises the majority of the organization’s assets, resources, revenues, etc. (macro).
- An opinion on an individual business process or activity within a single organization, department, or location (micro).
- An opinion on the system of internal control at a subsidiary or reporting unit, when all work is performed in a single audit (micro).
- An opinion on the organization’s compliance with policies, laws, and regulations regarding data privacy, when the scope of work is performed in a single or just a few business units (micro).
GTAG 17 - Auditing IT Governance
This GTAG provides internal auditors, in both the public and private sectors, with the knowledge needed to deliver assurance and consulting services for IT governance.
GTAG 16 - Data Analysis Technologies
The IIA has released a practice guide entitled “GTAG 16: Data Analysis Technologies.” This guide aims to help CAEs understand how to move beyond the tried and true methods of manual auditing toward improved data analysis using technology. After reading this guide, you will:
- Understand why data analysis is significant to your organization.
- Know how to provide assurance more efficiently with the use of data analysis technology.
- Be familiar with the challenges and risks that you will face when implementing data analysis technology within your department.
- Know how to incorporate data analysis at your organization through adequate planning and appropriate resource structures.
- Recognize opportunities, trends, and advantages of making use of data analysis technology.
To further assist CAEs and other individuals who use this guide, we also have included a detailed example of the application of data analytics to procurement control activities in Appendix A. Consistent with where most data analysis starts, these examples are largely focused on simple data matching and reperformance of automated system functionality used in providing assurance.
GTAG 15 - Information Security Governance
Information is a significant component of most organizations’ competitive strategy, whether through the direct collection, management, and interpretation of business information or through the retention of information for day-to-day business processing. Some of the more obvious results of information security (IS) failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated.
This GTAG will provide a thought process to assist the CAE in incorporating an audit of information security governance (ISG) into the audit plan, focusing on whether the organization’s ISG activity delivers the correct behaviors, practices, and execution of IS.
GTAG 15: Information Security Governance will assist efforts to:
- Define ISG.
- Help internal auditors understand the right questions to ask and know what documentation is required.
- Describe the internal audit activity’s (IAA) role in ISG.
GTAG 14 - Auditing User-developed Applications
Almost every organization uses some form of user-developed application (UDA) because UDAs can be developed more easily, are less costly to produce, and can typically be changed with relative ease compared with programs and reports developed by IT personnel. However, once end users are given the freedom to extract, manipulate, summarize, and analyze their UDA data without assistance from IT personnel, end users inherit risks once controlled by IT. These risks include data integrity, availability, and confidentiality. Because management relies on UDAs, which can be a significant part of financial reporting and operational processes as well as related decision making, the internal auditor must identify and review UDA risks and build an audit of UDAs into the annual internal audit plan as appropriate.
GTAG 14: Auditing User-developed Applications provides:
- Direction on how to scope an internal audit of UDAs.
- Guidance for how the internal auditor’s role as a consultant can be leveraged to assist management with developing an effective UDA control framework.
- Considerations that internal auditors should address when performing UDA audits.
- A sample UDA process flow as well as a UDA internal audit program and supporting worksheets to help internal auditors organize and execute an audit.
GTAG 13 - Fraud Prevention and Detection in an Automated World
As technology advances, so do schemes to commit fraud. Yet technology can be used not only to perpetrate fraud, but also to prevent and detect it. Using technology to implement real-time fraud prevention and detection programs enables organizations to reduce the cost of fraud by shortening the time between when a fraud is committed and when it is detected. Considering this, it is crucial that auditors stay ahead of fraudsters in their knowledge of technology and available tools. This GTAG focuses on IT-related fraud risks and risk assessments, and on how the use of technology can help internal auditors and other key stakeholders within the organization address fraud and fraud risks.
Through a step-by-step process for auditing a fraud prevention program, an explanation of the various types of data analysis to use in detecting fraud, and a technology fraud risk assessment template, the GTAG aims to inform and provide guidance to chief audit executives and internal auditors on how to use technology to help prevent, detect, and respond to fraud. The GTAG also supplements The IIA’s practice guide, Internal Auditing and Fraud.
GTAG 12 - Auditing IT Projects
Whether IT projects are developed in house or are co-sourced with third-party providers, they are filled with challenges that must be considered carefully to ensure success. Insufficient attention to these challenges can result in wasted money and resources, loss of trust, and reputational damage. Early involvement by internal auditors can help ensure positive results and the accompanying benefits. Internal auditors can serve as a bridge between individual business units and the IT function, point out previously unidentified risks, and recommend controls for enhancing outcomes.
Auditing IT Projects provides an overview of techniques for effectively engaging with project teams and management to assess the risks related to IT projects. This GTAG includes:
- Key project management risks.
- How the internal audit activity can actively participate in the review of projects while maintaining independence.
- Five key components of IT projects for internal auditors to consider when building an audit approach.
- Types of project audits.
- A suggested list of questions for use in the IT project assessment.
GTAG 11 - Developing the IT Audit Plan
Results from several IIA external quality assessment reviews reveal that developing an appropriate IT audit plan is one of the weakest links in internal audit activities. Many times, internal auditors simply review what they already know, or outsource the work to other companies and let them decide what to audit.
To this end, Developing the IT Audit Plan can help CAEs and internal auditors:
- Understand the organization and how IT supports it.
- Define and understand the IT environment.
- Identify the role of risk assessments in determining the IT audit universe.
- Formalize the annual IT audit plan.
This GTAG also provides an example of a hypothetical organization to show how to execute the steps necessary to define the IT audit universe.
GTAG 10 - Business Continuity Management
This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could encounter in the case of a natural or man-made disruptive event that affects the organization's continued ability to operate.
Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.
The guide includes:
- Disaster recovery planning for continuity of critical information technology infrastructure.
- Business application systems.