<<

. 52
( 82 .)



>>

No. 2 (Fall 1989), pp. 52“53.
Reviewing the Organization of the Corporate Audit Staff 261


Finally, Joseph Castellano, Harper Roehm, and John P. Walker used a “focus-
group approach” to explore the relationship between external auditors (EA) and
internal auditors (IA). Their objective was to study the implications of the Tread-
way Commission™s recommendation “that the audit committee meet with the ex-
ternal auditors to discuss the performance of the internal auditors and vice versa.”
They concluded:

While many companies have already implemented this recommendation, this study
shows that external and internal auditors do not believe that audit committees give
their respective inputs equal weight. External auditors tended to be more concerned
about what the CFO reported to the committee about their performance than what the
internal auditor reported. However, the IA group indicated that they believed the EA
input to the audit committee was very important, more so than the CFO™s input.
These relative differences appear to be related to the audit committee™s perceived or-
ganizational status of the IA.
The Director of Internal Auditing should be elevated in the organizational hierarchy to
a level consistent with the CFO. This would minimize board discounting of IA input,
enhance the quality of audits, and meet the spirit of the Treadway recommendation.9

Thus it is important to recognize that the framework for the internal auditing
function should be established so that it correlates closely with the auditing seg-
ments of the corporate audit plan discussed in Chapter 6. This broad framework
also should incorporate the nature and scope of the entity™s operational activities.
For example, it is obvious that if the enterprise is operating on a multinational
basis, then the framework for the internal auditing function should be designed to
address the auditing needs of the entity in both the domestic and international are-
nas. Consequently, the organizational structure of this auditing group should be
balanced in order to provide assurance to the board that the internal auditing re-
sources are allocated properly.
Exhibit 9.2 presents the Institute of Internal Auditors™ guidance on the organi-
zational structure.
To ensure that the organizational framework for the internal auditing function
is comprehensive and balanced, the audit committee should give consideration to:

• Corporate auditing philosophy
• Corporate auditing independence
• Logistical matters, such as the size and geographic location of staff


Corporate Auditing Philosophy
Continuing developments in corporate accountability and governance necessitate
an ongoing appraisal of the entity™s auditing philosophy. The audit commit-
tee™s approach to a reexamination of such a philosophy should be based on its
understanding of the auditing group™s approaches to the internal auditing function.

9
Joseph Castellano, Harper Roehm, and John P. Walker, “Status & Quality,” Internal Auditor 49, No.
3 (June 1992), p. 52.
262 Monitoring the Internal Audit Function



Exhibit 9.2 Practice Advisory 1000-1: Internal Audit Charter

Related Standard
1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity should be formally
defined in a charter, consistent with the Standards, and approved by the board.
Nature of this Practice Advisory: Internal auditors should consider the following sugges-
tions when adopting an internal audit charter. This guidance is not intended to represent all
the considerations that may be necessary when adopting a charter, but simply a recommended
set of items that should be addressed. Compliance with Practice Advisories is optional.
1. The purpose, authority, and responsibility of the internal audit activity should be de-
fined in a charter. The chief audit executive should seek approval of the charter by se-
nior management as well as acceptance by the board, audit committee, or appropriate
governing authority. The charter should (a) establish the internal audit activity™s posi-
tion within the organization; (b) authorize access to records, personnel, and physical
properties relevant to the performance of engagements; and (c) define the scope of in-
ternal audit activities.
2. The internal audit activity™s charter should be in writing. A written statement provides
formal communication for review and approval by management and for acceptance by
the board. It also facilitates a periodic assessment of the adequacy of the internal audit
activity s purpose, authority, and responsibility. Providing a formal, written document
containing the charter of the internal audit activity is critical in managing the audit func-
tion within the organization. The purpose, authority, and responsibility should be de-
fined and communicated to establish the role of the internal audit activity and to provide
a basis for management and the board to use in evaluating the operations of the func-
tion. If a question should arise, the charter also provides a formal, written agreement
with management and the board about the role and responsibilities of the internal audit
activity within the organization.
3. The chief audit executive should periodically assess whether the purpose, authority, and
responsibility, as defined in the charter, continue to be adequate to enable the internal
audit activity to accomplish its objectives. The result of this periodic assessment should
be communicated to senior management and the board.


Source: Institute of Internal Auditors, The Professional Practice Framework (Altamonte Springs,
FL: Institute of Internal Auditors, 2002), pp. 35“36.




For example, the auditing approaches may be traditional and therefore not totally
conducive to the entity™s auditing needs. Such an approach is evidenced by the
group™s preoccupation with the traditional internal financial auditing activities. Al-
though such auditing activities may reduce the outside auditing costs, it is essen-
tial that the audit committee review the auditing approaches in the operational and
compliance areas. As indicated in Chapter 6, the committee™s review of the scope
of the entity™s internal audit plans should enable it to ensure that adequate cover-
age is given to the auditing segments of the corporate audit plan. Furthermore, the
audit committee should be satisfied that the internal auditing philosophy is sup-
ported by modern approaches to the internal auditing function. For example, if the
Reviewing the Organization of the Corporate Audit Staff 263


entity has a strong computer environment, then the committee should be satisfied
that the internal auditing group has the necessary information technology exper-
tise. Also, since the independent auditors are required to study and evaluate the en-
tity™s internal audit function as part of their review of the internal accounting
controls, the committee should request a written opinion of their assessment of the
internal auditing philosophy and the organizational structure. Obviously, the com-
mittee should give strong consideration to the recommendations made by the in-
dependent auditors. Many of the salient points discussed in this text will assist the
audit committee in its assessment of the entity™s internal auditing philosophy.


Corporate Auditing Independence
Fundamental to the structure and organization of the corporate auditing staff is
their independence within the corporate framework. While it is obvious that the
members of this group are employees of the corporation, their reporting relation-
ship should be established so that the chief audit executive is responsible to an ex-
ecutive with enough authority to provide the necessary internal auditing coverage.
Such a reporting relationship has been ruled as mandatory guidance by the Insti-
tute of Internal Auditors. Historically, the Conference Board, in a 1978 study on
internal auditing, surveyed 274 companies and reported that 76 percent of the in-
ternal audit managers report to a vice presidential level or higher, whereas only 40
percent of them reported to such a level in 1963.10 Moreover, “fifteen percent of
the respondents (as against 9 percent in 1963) report to one of the top three offi-
cers (chairman, vice chairman, president) or to a board committee.”11
In 1988, the Conference Board found in a survey of 692 companies that the
audit committee has closer ties to internal auditing. The Board reported:

The survey produced further evidence of the closer working relationship between
audit committees and the internal audit function. Just as access to the audit commit-
tee by the outside auditing firm has been strengthened, so too has access by the chief
internal auditor. It is more common now for charters to require the committee to
meet in private with the internal auditor (with no members of management present),
or to state that the committee will be available to the internal auditor when necessary,
or both.
Another way companies support the independent status of the internal auditing func-
tion is to specify in writing that the audit committee must have a say”or, at a mini-
mum, must be consulted and thoroughly informed”when there is to be a change in
internal auditors. Some committees are also charged with monitoring the pay level
of the head of internal auditing. These links give the internal auditor an ally in high
places and presumably discourage management from trying to undermine or com-
promise his/her sense of independence.




10
Paul Macchiaverna, Internal Auditing, Report No. 748 (New York: The Conference Board, 1978),
p. 53.
11
Ibid., p. 54.
264 Monitoring the Internal Audit Function


Another major trend is the increasing extent to which internal auditors formally re-
port to the audit committee. In the 1978 survey, 25 percent of participating firms en-
gaged in this practice. By 1987, this was true of almost half (47 percent).12

It is apparent that the trend over the years has been to enhance the indepen-
dence and objectivity of the internal auditing staff. Although some corporate au-
diting executives are reporting to the chairman of the board or the president,
Edward G. Jepsen, former partner of Price Waterhouse & Company (now
PricewaterhouseCoopers), points out:

As a practical matter, such a person (chairman or president) may not be able to give
the department the attention it needs”and thus there is a danger that it would be-
come isolated from top management. A common organizational structure is for the
department to report directly on a day-to-day basis to the company™s senior financial
officer and have a dotted-line relationship (implying less frequent contact but clear
access) to the chairman or president.13

Also, Jepsen states that a “logical development” of the formation of the audit
committee is having the corporate auditing executive meet periodically with the
committee to discuss the corporate auditing function.14 For example, the Confer-
ence Board™s “survey shows that more than seven out of ten auditing staffs are
meeting regularly with their committees (audit) to discuss auditing affairs.”15 More
specifically, of the 258 internal auditing staffs surveyed, 55 percent discuss the in-
ternal auditing organization.16 It is clearly evident that the internal audit staff must
be “free of organizational pressures” that restrict their independence and objectiv-
ity in “selecting areas to be examined or in evaluating those areas.”17 Also, as dis-
cussed in Chapter 2, the director of internal auditing must be able to meet regularly
with the audit committee.
More recently, the Institute of Internal Auditors has issued several Practice Ad-
visories dealing with organization independence and boards of directors and audit
committees: They are:

PA 1110-1 “Organizational Independence”
PA 1110-2 “Chief Audit Executive (CAE) Reporting Lines”
PA 2060-1 “Reporting to the Board and Senior Management”
PA 2060-2 “Relationship with the Audit Committee”

Exhibits 9.3, 9.4, 9.5, and 9.6 contain information about these Practice Advisories.


12
Jeremy Bacon, The Audit Committee: A Broader Mandate, Report No. 914 (New York: The Confer-
ence Board, 1988), pp. 20“21.
13
Edward G. Jepsen, “Internal Auditors Move into the Spotlight,” Internal Auditor 36, No. 2 (April
1979), pp. 27“28.
14
Ibid.
15
Macchiaverna, Internal Auditing, p. 55.
16
Ibid., p. 57.
17
Jepsen, “Internal Auditors,” p. 27.
Reviewing the Organization of the Corporate Audit Staff 265


Logistical Matters
Depending on the nature, size, and complexity of the entity, management will
have different corporate auditing needs. Thus the particular circumstances of the
entity will govern the organizational structure of the internal auditing staff. For ex-
ample, the Conference Board reports that “corporate audit staffs are either cen-
tralized at corporate headquarters or are decentralized, with some members



Exhibit 9.3 Practice Advisory 1110-1: Organizational Independence

Related Standard
1110 Organizational Independence
The chief audit executive should report to a level within the organization that allows the in-
ternal audit activity to accomplish its responsibilities.
Nature of this Practice Advisory: Internal auditors should consider the following Sug-
gestions when evaluating organizational independence. This guidance is not intended to
represent all the considerations that may be necessary during such an evaluation, but sim-
ply a recommended set of items that should be addressed. Compliance with Practice Ad-
visories is optional.
1. Internal auditors should have the support of senior management and of the board so that
they can gain the cooperation of engagement clients and perform their work free from
interference.
2. The chief audit executive should be responsible to an individual in the organization with
sufficient authority to promote independence and to ensure broad audit coverage, ade-
quate consideration of engagement communications, and appropriate action on en-
gagement recommendations.
3. Ideally, the chief audit executive should report functionally to the audit committee,
board of directors, or other appropriate governing authority, and administratively to the
chief executive officer of the organization.
4. The chief audit executive should have direct communication with the board, audit com-
mittee, or other appropriate governing authority. Regular communication with the
board helps assure independence and provides a means for the board and the chief audit
executive to keep each other informed on matters of mutual interest.
5. Direct communication occurs when the chief audit executive regularly attends and par-
ticipates in meetings of the board, audit committee, or other appropriate governing au-
thority which relate to its oversight responsibilities for auditing, financial reporting,
organizational governance, and control. The chief audit executive™s attendance and par-
ticipation at these meetings provide an opportunity to exchange information concern-
ing the plans and activities of the internal audit activity. The chief audit executive
should meet privately with the board, audit committee, or other appropriate governing
authority at least annually.
6. Independence is enhanced when the board concurs in the appointment or removal of the
chief audit executive.


Source: Institute of Internal Auditors, The Professional Practice Framework (Altamonte Springs,
FL: IIA, 2002), pp. 53“54.
266 Monitoring the Internal Audit Function


<<

. 52
( 82 .)



>>