
exposures and control issues, corporate governance issues, and other matters
needed or requested by the board and senior management.


256 Monitoring the Internal Audit Function



Exhibit 9.1 (Continued)

2100 Nature of Work
The internal audit activity evaluates and contributes to the improvement of risk management,
control, and governance systems.
2110 Risk Management
The internal audit activity should assist the organization by identifying and evaluating
significant exposures to risk and contributing to the improvement of risk management
and control systems.
2110.A1 Internal audit activity should monitor and evaluate the effectiveness
of the organization's risk management system.
2110.A2 The internal audit activity should evaluate risk exposures relating to the
organization's governance, operations, and information systems regarding the:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
2110.C1 During consulting engagements, internal auditors should address
risk consistent with the engagement's objectives and should be alert to the
existence of other significant risks.
2110.C2 Internal auditors should incorporate knowledge of risks gained from
consulting engagements into the process of identifying and evaluating significant
risk exposures of the organization.
2120 Control
The internal audit activity should assist the organization in maintaining effective
controls by evaluating their effectiveness and efficiency and by promoting continuous
improvement.
2120.A1 Based on the results of the risk assessment, the internal audit activity
should evaluate the adequacy and effectiveness of controls encompassing
the organization's governance, operations, and information systems. This
should include:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
2120.A2 Internal auditors should ascertain the extent to which operating and
program goals and objectives have been established and conform to those of
the organization.
2120.A3 Internal auditors should review operations and programs to ascertain
the extent to which results are consistent with established goals and objectives
to determine whether operations and programs are being implemented or
performed as intended.
2120.A4 Adequate criteria are needed to evaluate controls. Internal auditors
should ascertain the extent to which management has established adequate
criteria to determine whether objectives and goals have been accomplished. If
adequate, internal auditors should use such criteria in their evaluation. If
inadequate, internal auditors should work with management to develop appropriate
evaluation criteria.
2120.C1 During consulting engagements, internal auditors should address
controls consistent with the engagement's objectives and should be alert to the
existence of any significant control weaknesses.
Reviewing the Organization of the Corporate Audit Staff 257



2120.C2 Internal auditors should incorporate knowledge of controls gained
from consulting engagements into the process of identifying and evaluating
significant risk exposures of the organization.
2130 Governance
The internal audit activity should contribute to the organization's governance
process by evaluating and improving the process through which (1) values and
goals are established and communicated, (2) the accomplishment of goals is monitored,
(3) accountability is ensured, and (4) values are preserved.
2130.A1 Internal auditors should review operations and programs to ensure
consistency with organizational values.
2130.C1 Consulting engagement objectives should be consistent with the
overall values and goals of the organization.
2200 Engagement Planning
Internal auditors should develop and record a plan for each engagement.
2201 Planning Considerations
In planning the engagement, internal auditors should consider:
• The objectives of the activity being reviewed and the means by which the activity
controls its performance.
• The significant risks to the activity, its objectives, resources, and operations and
the means by which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity's risk management and control
systems compared to a relevant control framework or model.
• The opportunities for making significant improvements to the activity's risk
management and control systems.
2201.C1 Internal auditors should establish an understanding with consulting
engagement clients about objectives, scope, respective responsibilities, and
other client expectations. For significant engagements, this understanding
should be documented.
2210 Engagement Objectives
The engagement's objectives should address the risks, controls, and governance
processes associated with the activities under review.
2210.A1 When planning the engagement, the internal auditor should identify
and assess risks relevant to the activity under review. The engagement objectives
should reflect the results of the risk assessment.
2210.A2 The internal auditor should consider the probability of significant
errors, irregularities, noncompliance, and other exposures when developing
the engagement objectives.
2210.C1 Consulting engagement objectives should address risks, controls,
and governance processes to the extent agreed upon with the client.
2220 Engagement Scope
The established scope should be sufficient to satisfy the objectives of the engagement.
2220.A1 The scope of the engagement should include consideration of relevant
systems, records, personnel, and physical properties, including those
under the control of third parties.
2220.C1 In performing consulting engagements, internal auditors should
ensure that the scope of the engagement is sufficient to address the agreed-upon
objectives. If internal auditors develop reservations about the scope
during the engagement, these reservations should be discussed with the client
to determine whether to continue with the engagement.
2230 Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement
objectives. Staffing should be based on an evaluation of the nature and complexity
of each engagement, time constraints, and available resources.
2240 Engagement Work Program
Internal auditors should develop work programs that achieve the engagement
objectives. These work programs should be recorded.
2240.A1 Work programs should establish the procedures for identifying,
analyzing, evaluating, and recording information during the engagement. The
work program should be approved prior to the commencement of work, and
any adjustments approved promptly.
2240.C1 Work programs for consulting engagements may vary in form and
content depending upon the nature of the engagement.
2300 Performing the Engagement
Internal auditors should identify, analyze, evaluate, and record sufficient information to
achieve the engagement's objectives.
2310 Identifying Information
Internal auditors should identify sufficient, reliable, relevant, and useful information
to achieve the engagement's objectives.
2320 Analysis and Evaluation
Internal auditors should base conclusions and engagement results on appropriate
analyses and evaluations.
2330 Recording Information
Internal auditors should record relevant information to support the conclusions and
engagement results.
2330.A1 The chief audit executive should control access to engagement
records. The chief audit executive should obtain the approval of senior management
and/or legal counsel prior to releasing such records to external parties,
as appropriate.
2330.A2 The chief audit executive should develop retention requirements for
engagement records. These retention requirements should be consistent with the
organization's guidelines and any pertinent regulatory or other requirements.
2330.C1 The chief audit executive should develop policies governing the
custody and retention of engagement records, as well as their release to internal
and external parties. These policies should be consistent with the organization's
guidelines and any pertinent regulatory or other requirements.
2340 Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved,
quality is assured, and staff is developed.
2400 Communicating Results
Internal auditors should communicate the engagement results promptly.
2410 Criteria for Communicating
Communications should include the engagement's objectives and scope as well as
applicable conclusions, recommendations, and action plans.
2410.A1 The final communication of results should, where appropriate,
contain the internal auditor's overall opinion.
2410.A2 Engagement communications should acknowledge satisfactory
performance.



2410.C1 Communication of the progress and results of consulting engagements
will vary in form and content depending upon the nature of the engagement
and the needs of the client.
2420 Quality of Communications
Communications should be accurate, objective, clear, concise, constructive, complete,
and timely.
2421 Errors and Omissions
If a final communication contains a significant error or omission, the chief
audit executive should communicate corrected information to all individuals
who received the original communication.
2430 Engagement Disclosure of Noncompliance with the Standards
When noncompliance with the Standards impacts a specific engagement, communication
of the results should disclose the:
• Standard(s) with which full compliance was not achieved,
• Reason(s) for noncompliance, and
• Impact of noncompliance on the engagement.
2440 Disseminating Results
The chief audit executive should disseminate results to the appropriate individuals.
2440.A1 The chief audit executive is responsible for communicating the final
results to individuals who can ensure that the results are given due
consideration.
2440.C1 The chief audit executive is responsible for communicating the final
results of consulting engagements to clients.
2440.C2 During consulting engagements, risk management, control, and
governance issues may be identified. Whenever these issues are significant to
the organization, they should be communicated to senior management and the
board.
2500 Monitoring Progress
The chief audit executive should establish and maintain a system to monitor the disposition
of results communicated to management.
2500.A1 The chief audit executive should establish a follow-up process to monitor
and ensure that management actions have been effectively implemented or that
senior management has accepted the risk of not taking action.
2500.C1 The internal audit activity should monitor the disposition of results of
consulting engagements to the extent agreed upon with the client.
2600 Management's Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of
residual risk that is unacceptable to the organization, the chief audit executive should
discuss the matter with senior management. If the decision regarding residual risk is not
resolved, the chief audit executive and senior management should report the matter to
the board for resolution.

1 When used in these Standards, the term “board” is defined as a board of directors, audit committee
of such boards, head of an agency or legislative body to whom internal auditors report, board of
governors or trustees of a nonprofit organization, or any other designated governing bodies of an
organization.
Source: Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,
FL: IIA, 2002), pp. 7–22.


In retrospect, Michael J. Barrett and P. Tiessen set forth these proposed recommendations
with respect to organizational support for the internal audit group.

Senior Management
• Internal audit must be provided with adequate resources and personnel to perform
audit examinations with appropriate frequency at all organizational levels, areas,
and activities.
• Internal audit director's reporting position should be at an administrative level that
will ensure independence.
• Internal audit director's salary and promotion possibilities should be commensurate
with his or her administrative reporting level.
• Internal audit director should be free of undue influence to limit the scope of the
department's audit scope and audit assignment schedule.
• All organizational levels, areas, and activities should be subject to internal audit
examination. Those performed by senior management should comply with the Corporate
Code of Conduct.
• Internal audit recommendations should receive strong mandated attention, and there
should be appropriate follow-up to better ensure that management has taken appropriate
remedial action.
Audit Committee
• Audit committee should be composed entirely of external members of the board of
directors who are not affiliated with the company in any other capacity.
• Director of internal audit should communicate directly and regularly to the audit
committee.
• Audit committee should play a significant role in concurring with the salary and
promotion judgments of senior management for the internal audit director.
• Reports or report summaries should be communicated to the audit committee on a
regular basis.
• Director should meet regularly and privately with the audit committee with no other
members of management present.
• Requests from the audit committee for special assignments should be considered to
be a normal and routine part of the internal audit department's responsibilities.
• Director should feel no obligation to immediately report audit committee special
assignment requests to senior management.
• Director should have the right and responsibility to communicate specific matters
directly to the audit committee, and internal audit should be actively encouraged to do
so. A communication policy for internal audit should be established to indicate items
and reports that should be directly communicated to the audit committee.
• A cordial, informal, routine, and trusting relationship should be established and
fostered between the director and the audit committee.8


8
Michael J. Barrett and P. Tiessen, “Organizational Support for Internal Auditing,” Internal Auditing 5,
