
lines. In view of the trend toward increased communication between external audi-
tors and the board, internal auditors may well wish to reexamine the reporting
threshold they use to inform the board of their activities. The public is demanding
more effective performance by internal auditors, thereby offering the profession an
even greater opportunity for service.4

Finally, the Committee of Sponsoring Organizations of the Treadway Com-
mission stated:

Internal auditors play an important role in evaluating the effectiveness of control sys-
tems, and contribute to ongoing effectiveness. Because of organizational position and
authority in an entity, an internal audit function often plays a significant monitoring
role.5

Karen N. Horn, former chairman and CEO of Bank One and a member of several
audit committees, summarizes the relationship between the audit committee and
internal auditors:

Our joint responsibilities to our companies are now defined much more broadly. Any
type of change this far reaching must become part of the corporate culture. As a
senior manager and director, my obligation is to provide you with what the Committee
of Sponsoring Organizations calls integrity, ethical values, a control environment,
and clear management objectives—in short, to nurture a culture that allows
you to do the things described in this article. Internal auditors are then the champi-
ons of this new control culture.
The activities are as complex and changing as our organizations; and I believe they
have never been more important.6

4 Curtis C. Verschoor and Joseph P. Liotta, “Communication with Audit Committees,” Internal Auditor
47, No. 2 (April 1990), p. 47. Statement on Internal Auditing Standards No. 7, “Communications with
the Board of Directors,” is now codified in The Professional Practices Framework and discussed in
the corporate auditing independence section of this chapter. For an interesting discussion on the
perceptions of audit committee members and chief internal auditors, see Lawrence P. Kalbers, “Audit
Committees and Internal Auditors,” Internal Auditor 49, No. 6 (December 1992), pp. 37–44. See also
Jerry Strawser and Barbara Apostolou, “The Role of Internal Auditor Communication with the Audit
Committee,” Internal Auditing 6, No. 2 (Fall 1990), pp. 35–42; and Curtis Verschoor, “Internal
Auditing Interactions with the Audit Committee,” Internal Auditing 7, No. 4 (Spring 1992), pp. 20–23.

5 Committee of Sponsoring Organizations of the Treadway Commission, Internal Control-Integrated
Framework (New York: AICPA, 1992), p. 5. For additional emphasis, see pp. 84–85 of the
“Framework” volume.

6 Karen N. Horn, “An Audit Committee Member Looks at Internal Auditing,” Internal Auditor 49, No.
6 (December 1992), p. 36. For an expanded discussion of the relationship between the audit
committee and internal auditors, see William E. Chadwick, “Tough Questions, Tough Answers,” Internal
Auditor 52, No. 6 (December 1995), pp. 63–65; Dwight L. Allison, Jr., “Internal Auditors and Audit
Committees,” Internal Auditor 51, No. 1 (February 1994), pp. 50–55. A recent study of chief internal
auditors of 72 Canadian manufacturing companies (sales > $50 million) found that “while there were
no significant differences with respect to involvement in decisions to dismiss the chief internal
auditor, audit committees consisting of solely nonemployee directors were more likely, than audit
committees with one or more insiders, to (1) have frequent meetings with the chief internal auditor, and (2)
review the internal auditing program and results of internal auditing” (p. 51). See D. Paul Scarbrough,
Dasaratha V. Rama, and K. Raghunandan, “Audit Committee Composition and Interaction with
Internal Auditing: Canadian Evidence,” Accounting Horizons 12, No. 1 (March 1998), pp. 51–62.
252 Monitoring the Internal Audit Function


More recently, the New York Stock Exchange proposed an amendment to its
Listed Company Manual to implement a listing standard, Section 303A(7)(e),
which states:
(e) Each listed company must have an internal audit function.

Commentary: Listed companies must maintain an internal audit function to provide
management and the audit committee with ongoing assessments of the company’s
risk management processes and system of internal control. A company may choose
to outsource this function to a firm other than its independent auditor.7

In an effort to close the gap between available guidance and current practice,
the Institute of Internal Auditors has issued Standards for the Professional Practice
of Internal Auditing, which are contained in The Professional Practices
Framework. These standards are shown in Exhibit 9.1.

In order to monitor the internal audit function effectively, the agenda for the
audit committee should include a review of:

• The objectives, plans, and policy of the corporate internal auditing group (dis-
cussed in Chapters 6 and 7 in relation to the planning activities of both the
committee and the internal audit group)
• The organization of the internal auditing group
• The quality of the auditing personnel and training as well as the use of outside
service providers
• The operational activities of the staff in the context of achieving their goals and
objectives (see Chapters 2 and 3)

Such an approach to the monitoring function of the committee enhances its abil-
ity to meet the expectations of the board of directors. As discussed in Chapter 1,
the audit committee has a critical role in helping the board fulfill its corporate
stewardship accountability.


REVIEWING THE ORGANIZATION OF THE CORPORATE AUDIT STAFF
Organizational Structure
Of particular importance to the audit committee is the organizational status of the
internal auditing staff in the corporate structure. Structure and organization should
be designed to carry out effectively an independent appraisal of management’s
activities. In view of the Foreign Corrupt Practices Act and the Sarbanes-Oxley Act
of 2002, an effective and efficient internal auditing staff can assist management
with its implementation of a sound system of internal control. Thus it behooves the
audit committee to monitor the organizational framework of the corporate audit-
ing group to ensure a comprehensive scope.

7 Securities and Exchange Commission, Release No. 34-47672, Self-Regulatory Organizations; Notice
of Filing of Proposed Rule Change and Amendment No. 1 Thereto by the New York Stock Exchange,
Inc. Relating to Corporate Governance (Washington, DC: SEC, April 11, 2003), p. 12.

Exhibit 9.1 Standards for the Professional Practice of Internal Auditing

Attribute Standards
1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity should be for-
mally defined in a charter, consistent with the Standards, and approved by the board.1
1000.A1 The nature of assurance services provided to the organization should be
defined in the audit charter. If assurances are to be provided to parties outside the
organization, the nature of these assurances should also be defined in the charter.
1000.C1 The nature of consulting services should be defined in the audit charter.
1100 Independence and Objectivity
The internal audit activity should be independent, and internal auditors should be objec-
tive in performing their work.
1110 Organizational Independence
The chief audit executive should report to a level within the organization that
allows the internal audit activity to fulfill its responsibilities.
1110.A1 The internal audit activity should be free from interference in deter-
mining the scope of internal auditing, performing work, and communicating
results.
1120 Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts of
interest.
1130 Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the
impairment should be disclosed to appropriate parties. The nature of the disclosure
will depend upon the impairment.
1130.A1 Internal auditors should refrain from assessing specific operations
for which they were previously responsible. Objectivity is presumed to be
impaired if an auditor provides assurance services for an activity for which the
auditor had responsibility within the previous year.
1130.A2 Assurance engagements for functions over which the chief audit
executive has responsibility should be overseen by a party outside the internal
audit activity.
1130.C1 Internal auditors may provide consulting services relating to opera-
tions for which they had previous responsibilities.
1130.C2 If internal auditors have potential impairments to independence or
objectivity relating to proposed consulting services, disclosure should be
made to the engagement client prior to accepting the engagement.
1200 Proficiency and Due Professional Care
Engagements should be performed with proficiency and due professional care.
1210 Proficiency
Internal auditors should possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities. The internal audit activity
collectively should possess or obtain the knowledge, skills, and other competencies
needed to perform its responsibilities.
1210.A1 The chief audit executive should obtain competent advice and
assistance if the internal audit staff lacks the knowledge, skills, or other com-
petencies needed to perform all or part of the engagement.
1210.A2 The internal auditor should have sufficient knowledge to identify the
indicators of fraud but is not expected to have the expertise of a person whose
primary responsibility is detecting and investigating fraud.
1210.C1 The chief audit executive should decline the consulting engagement
or obtain competent advice and assistance if the internal audit staff lacks the
knowledge, skills, or other competencies needed to perform all or part of the
engagement.
1220 Due Professional Care
Internal auditors should apply the care and skill expected of a reasonably prudent
and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 The internal auditor should exercise due professional care by con-
sidering the:
• Extent of work needed to achieve the engagement’s objectives.
• Relative complexity, materiality, or significance of matters to which assur-
ance procedures are applied.
• Adequacy and effectiveness of risk management, control, and governance
processes.
• Probability of significant errors, irregularities, or noncompliance.
• Cost of assurance in relation to potential benefits.
1220.A2 The internal auditor should be alert to the significant risks that
might affect objectives, operations, or resources. However, assurance proce-
dures alone, even when performed with due professional care, do not guaran-
tee that all significant risks will be identified.
1220.C1 The internal auditor should exercise due professional care during a
consulting engagement by considering the:
• Needs and expectations of clients, including the nature, timing, and commu-
nication of engagement results.
• Relative complexity and extent of work needed to achieve the engagement’s
objectives.
• Cost of the consulting engagement in relation to potential benefits.
1230 Continuing Professional Development
Internal auditors should enhance their knowledge, skills, and other competencies
through continuing professional development.
1300 Quality Assurance and Improvement Program
The chief audit executive should develop and maintain a quality assurance and improve-
ment program that covers all aspects of the internal audit activity and continuously moni-
tors its effectiveness. The program should be designed to help the internal audit activity
add value and improve the organization’s operations and to provide assurance that the
internal audit activity is in conformity with the Standards and the Code of Ethics.
1310 Quality Program Assessments
The internal audit activity should adopt a process to monitor and assess the overall
effectiveness of the quality program. The process should include both internal and
external assessments.
1311 Internal Assessments
Internal assessments should include:
• Ongoing reviews of the performance of the internal audit activity; and
• Periodic reviews performed through self-assessment or by other persons within
the organization, with knowledge of internal audit practices and the Standards.
1312 External Assessments
External assessments, such as quality assurance reviews, should be conducted at
least once every five years by a qualified, independent reviewer or review team
from outside the organization.
1320 Reporting on the Quality Program
The chief audit executive should communicate the results of external assessments
to the board.
1330 Use of “Conducted in Accordance with the Standards”
Internal auditors are encouraged to report that their activities are “conducted in
accordance with the Standards for the Professional Practice of Internal Auditing.”
However, internal auditors may use the statement only if assessments of the quality
improvement program demonstrate that the internal audit activity is in compliance
with the Standards.
1340 Disclosure of Noncompliance
Although the internal audit activity should achieve full compliance with the Stan-
dards and internal auditors with the Code of Ethics, there may be instances in
which full compliance is not achieved. When noncompliance impacts the overall
scope or operation of the internal audit activity, disclosure should be made to senior
management and the board.

Performance Standards
2000 Managing the Internal Audit Activity
The chief audit executive should effectively manage the internal audit activity to ensure
it adds value to the organization.
2010 Planning
The chief audit executive should establish risk-based plans to determine the priorities
of the internal audit activity, consistent with the organization’s goals.
2010.A1 The internal audit activity’s plan of engagements should be based on
a risk assessment, undertaken at least annually. The input of senior management
and the board should be considered in this process.
2010.C1 The chief audit executive should consider accepting proposed
consulting engagements based on the engagement’s potential to improve
management of risks, add value, and improve the organization’s operations.
Those engagements that have been accepted should be included in the plan.
2020 Communication and Approval
The chief audit executive should communicate the internal audit activity’s plans
and resource requirements, including significant interim changes, to senior man-
agement and to the board for review and approval. The chief audit executive should
also communicate the impact of resource limitations.
2030 Resource Management
The chief audit executive should ensure that internal audit resources are appropri-
ate, sufficient, and effectively deployed to achieve the approved plan.
2040 Policies and Procedures
The chief audit executive should establish policies and procedures to guide the
internal audit activity.
2050 Coordination
The chief audit executive should share information and coordinate activities with
other internal and external providers of relevant assurance and consulting services
to ensure proper coverage and minimize duplication of efforts.
2060 Reporting to the Board and Senior Management
The chief audit executive should report periodically to the board and senior management
on the internal audit activity’s purpose, authority, responsibility, and
performance relative to its plan. Reporting should also include significant risk
