IIA - The Institute of Internal Auditors

Reliance by Internal Audit on Other Assurance Providers

Ever-increasing compliance requirements and business complexity have driven companies to establish or procure other risk management and assurance functions. They are charged with measuring and reporting risk, identifying control gaps, tracking remediation, and concluding whether control processes are operating effectively in specific areas. Examples of some internal assurance providers are identified as environmental compliance groups, quality management functions that focus on manufacturing activities, internal control teams that assess controls over financial reporting, and IT governance groups. External assurance providers are often engaged to communicate an opinion to another auditor regarding specific control objectives operated by a service provider. These activities provide assurance on the areas they assessed and recommendations to strengthen the related controls, often in areas that are within the scope of internal audit’s work.

This practice guide provides guidance to the CAE and internal audit leadership on an approach for relying on the assurance provided by other internal or external assurance functions. A continuum of five principles determines the extent of reliance:

• Purpose
• Independence and Objectivity
• Competence
• Elements of Practice
• Communication of Results and Remediation

Interaction With The Board

The IIA has released a practice guide entitled “Interaction with the Board.”The purpose of this practice guide is to assist the Chief Audit Executive (CAE) in meeting the requirements of the International Professional Practices Framework (IPPF) as it relates to interacting and communicating with the board.Boards and internal auditors have interlocking goals. A strong working relationship between the two is essential for the internal audit activity to fulfill its responsibilities to not only the board, but also senior management, shareholders, and other stakeholders. This practice guide covers several activities, primarily accomplished through the CAE, that are key to an effective relationship between the board and the internal audit activity.

Auditing the Control Environment

The control environment is the foundation on which an effective system of internal control is built and operated in an organization that strives to (1) achieve its strategic objectives, (2) provide reliable financial reporting to internal and external stakeholders, (3) operate its business efficiently and effectively, (4) comply with all applicable laws and regulations, and (5) safeguard its assets. Part of the blame for the 2008 financial crisis and other prominent failures of the 21st century can be appropriately attributed to failures in the control environment.

The purpose of this Practice Guide is to provide guidance to the internal auditor on the significance of the control environment; how to determine which elements of the control environment should be addressed by engagements in the periodic audit plan; how to scope, staff, and plan such engagements; and which items to consider in performing related audit work, including evaluating and reporting deficiencies.

Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing

The International Professional Practices Framework (IPPF) and underlying International Standards for the Professional Practice of Internal Auditing (Standards) provide the Chief Audit Executive (CAE) and internal audit leadership a framework and related guidance to use in evaluating and ensuring the effectiveness of the internal audit activity. The Standards also provide internal auditing’s stakeholders a basis for evaluating the activity’s effectiveness. The Standards are applicable to all internal audit departments regardless of size, level of resources, complexity, or objective and scope.This Practice Guide provides a working definition of the term small internal audit activity. The guide acknowledges the challenges that CAEs and audit leadership in small audit activities may face in implementing the Standards, provides suggestions for meeting those challenges, and discusses the benefits of using the Standards. Many of the challenges discussed in this guide are not unique to small audit activities; larger activities may face many of the same challenges. However, these challenges are more frequently encountered and more difficult to overcome in small audit activities.Although the CAE of a small internal audit activity is responsible for ensuring implementation of all Standards, the degree of challenge for conformance to each standard may vary among small activities. The chart in the Introduction provides a visual summary of the degree of challenge that the CAE may face in conforming to the Standards. The chart is based on informal discussions with small audit groups and also amongst the members of The IIA’s committees. Although conformance with the Standards may pose challenges, it is possible with the development of appropriate strategy and planning. The Standards are principles-based and are meant to be applicable to internal audit activities of all sizes.

Assessing the Adequacy of Risk Management

The use of enterprise-wide risk management frameworks has expanded as organizations recognize the advantages of coordinated approaches to risk management. The risk management framework must be designed to suit the organization: its internal and external environment. Assessing the Adequacy of Risk Management Using ISO 31000 details three approaches to assurance of the risk management process: a Process Elements approach; an approach based on Principles of Risk Management; and a Maturity Model approach. The assurance process that is used should be tailored to the organization’s needs. Internal auditors should have a means of measuring the effectiveness of risk management in an organization and forming a conclusion on the organization’s level of risk management maturity. One of the key criteria that internal auditors should consider is whether there is a suitable framework in place to advance a corporate and systematic approach to risk management. This Practice Guide uses ISO 31000 as a basis for the risk management framework. Other frameworks may be used to perform the risk assessment. This guidance does not imply implicit or explicit endorsement of this or any other framework.

CAEs - Appointment, Performance Evaluation and Termination

In today’s business environment, where there is increasing focus on governance, risk management, and control, appointing a CAE is a critical undertaking for any organization. This imperative activity is one of the key responsibilities of the organization’s board. The CAE will have a high degree of interaction with senior management and the board and thus needs to demonstrate the right attributes and skill for the position. The CAE’s unique role in the organization requires independence and objectivity while also demonstrating an ability to partner within the organization to add value to its operations. Independence and objectivity are fundamental to the CAE’s role because the individual must be willing to raise difficult issues with senior management and the board even if that proves unpopular. To maintain credibility, CAEs must demonstrate the ability to escalate difficult issues to an appropriate level to ensure they are adequately addressed. In addition, a CAE exhibits the attributes of integrity, intellectual curiosity, and a focus on audit quality. Key skill categories for a CAE include technical, business, communication, and people management skills. During the process of a CAE’s appointment and periodic evaluations, senior management and the board typically will consider those attributes and skills. A CAE may want to consider them when evaluating his or her own performance and considering his or her development needs.Generally the board would oversee the termination of the CAE. Boards will want to determine if termination is justified and appropriate. It is reasonable for the CAE to expect the board to consider terminating his or her services when there is evidence that professional performance requirements were not met, a material breach in The IIA's Code of Ethics or the organization’s internal code of conduct was committed, or there has been material non-conformance with the IPPF’s Standards.

Auditing Executive Compensation and Benefits

Auditing the structure and operation of Executive Compensation and Benefits (ECB) programs is a legitimate and appropriate role for internal auditing. If a risk assessment indicates a review is warranted, the Chief Audit Executive (CAE) should add ECB to the audit plan, which the board will review and approve. Internal auditing will choose the audit approach and design risk-based audit procedures. This Practice Guide provides discussions relating to such an audit and includes several considerations that may be relevant to an organization’s business activities or risk profile.Strong governance systems are needed for ECB programs, as management often is in the position of both designing and recommending its own compensation. There are several specific risks internal auditors should consider, including employment market, compliance, financial reporting, reputation, operating, and external business relationship risks. ECB programs also are subject to fraud risk.Due to the sensitive nature of this area, internal auditing must have an appropriate audit approach and access to the necessary information. While there can be obstacles to obtaining this information, internal audit needs to proceed in accordance with its charter.The audit scope could include a focus on the board, management, and extended business relationships. There are a number of unique aspects in audits of each of these areas of focus which should be considered before performing audit work.This guide will assist internal auditors with an explanation of the audit approach, audit considerations such as access to information and privileged communications, as well as the skills and knowledge necessary to serve on the audit team. A section on audit program development includes various concepts, potential tests, and questions to help auditors create an audit program. The appendix provides definitions relative to various types of compensation and benefits.ECB programs have risks that require effective board governance and management processes. Internal auditors have an important role in providing assurance that appropriate and effective controls are in place around ECB programs.

Evaluating Corporate Social Responsibility

Corporate Social Responsibility (CSR) presents significant risks and opportunities for many organizations. Stakeholders expect boards and management to accept responsibility and implement strategies and controls to manage their impact on society and the environment, to engage stakeholders in their endeavors, and to inform the public about their results. The proliferation of regulation and voluntary standards has made CSR management a complex endeavor.

Internal auditors should understand the risks and controls related to CSR objectives. Where appropriate, the Chief Audit Executive (CAE) should plan to audit, facilitate control self-assessments, verify results, and/or consult on the various subjects. Internal auditors should maintain the skills and knowledge necessary to understand and evaluate the governance, risks, and controls of CSR strategies.

This guide will assist internal auditors in understanding:

• The risks (operational, reputational, etc.) associated with CSR activities and how to use such knowledge in audit planning.
• The approaches to evaluating CSR activities, including auditing, facilitating, and consulting.
• Audit considerations such as use of the audit opinion, independence and objectivity, and types of resources.
• Considerations in developing the internal audit program, including whether CSR information is consistent with standards and how management communicates and sets priorities for CSR strategies.

The guide also explains detailed approaches to auditing in the following appendices:

• Auditing by Element
• Auditing by Stakeholder Group
• Stakeholder Theory
• Additional Resources (includes references to additional Practice Guides)

Internal Auditing and Fraud

This guide discusses fraud and provides general guidance to help internal auditors comply with professional standards. Because fraud negatively impacts organizations in many ways — financially, reputational, and through psychological and social implications — it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs, as well as a fraud risk assessment process to identify risks within the organization. To help organizations and internal auditors combat fraud, the guide discusses:

• Fraud awareness (e.g., reasons and examples for fraud and potential fraud indicators).
• Fraud roles and responsibilities.
• Internal audit responsibilities during audit engagements (e.g., execution responsibilities and communicating with the board).
• Fraud risk assessment (e.g., identifying relevant fraud risk factors and mapping existing controls to potential fraud schemes and identifying gaps).
• Fraud prevention and detection.
• Fraud investigation.
• Forming an opinion on internal controls related to fraud.

The guide also includes reference material, questions to consider, and a fraud risk assessment template.
Applicability

This may be applicable to and useful for:

• Chief Audit Executives (CAEs).
• Boards.
• Executive and operating management.
• Other assurance providers (OAPs).
• Other professional regulatory bodies.