

Exhibit 9.4 Practice Advisory 1110-2: Chief Audit Executive Reporting Lines

Related Standard:
1110: Organizational Independence
The chief audit executive should report to a level within the organization that
allows the internal audit activity to accomplish its responsibilities.

Nature of This Practice Advisory: Internal auditors should consider the following
guidance when establishing or evaluating the reporting lines and relationships with
organizational officials to whom the CAE reports. This guidance is not intended to
represent all the considerations that may be necessary during such an evaluation,
but simply a recommended set of items that should be considered. Compliance with
Practice Advisories is optional.

1. The IIA's Standards for the Professional Practice of Internal Auditing (Standards)
require that the chief audit executive (CAE) report to a level within the organization
that allows the internal audit activity to fulfill its responsibilities. The Institute
believes strongly that to achieve necessary independence, the CAE should report
functionally to the audit committee or its equivalent. For administrative purposes, in
most circumstances, the CAE should report directly to the chief executive officer of the
organization. The following descriptions of what The IIA considers “functional
reporting” and “administrative reporting” are provided to help focus the discussion in
this practice advisory.
• Functional Reporting: The functional reporting line for the internal audit function
is the ultimate source of its independence and authority. As such, The IIA
recommends that the CAE report functionally to the audit committee, board of directors,
or other appropriate governing authority. In this context, report functionally means
that the governing authority would:
  • approve the overall charter of the internal audit function.
  • approve the internal audit risk assessment and related audit plan.
  • receive communications from the CAE on the results of the internal audit
    activities or other matters that the CAE determines are necessary, including private
    meetings with the CAE without management present.
  • approve all decisions regarding the appointment or removal of the CAE.
  • approve the annual compensation and salary adjustment of the CAE.
  • make appropriate inquiries of management and the CAE to determine whether
    there are scope or budgetary limitations that impede the ability of the internal
    audit function to execute its responsibilities.
• Administrative Reporting: Administrative Reporting is the reporting relationship
within the organization's management structure that facilitates the day-to-day
operations of the internal audit function. Administrative reporting typically includes:
  • budgeting and management accounting.
  • human resource administration including personnel evaluations and compensation.
  • internal communications and information flows.
  • administration of the organization's internal policies and procedures.

2. This advisory focuses on considerations in establishing or evaluating CAE reporting
lines. Appropriate reporting lines are critical to achieve the independence, objectivity,
and organizational stature for an internal audit function necessary to effectively fulfill
its obligations. CAE reporting lines are also critical to ensuring the appropriate flow
of information and access to key executives and managers that are the foundations of
risk assessment and reporting of results of audit activities. Conversely, any reporting
relationship that impedes the independence and effective operations of the internal
audit function should be viewed by the CAE as a serious scope limitation, which
should be brought to the attention of the audit committee or its equivalent.
3. This advisory also recognizes that CAE reporting lines are impacted by the nature of
the organization (public or private as well as relative size); common practices of each
country; growing complexity of organizations (joint ventures, multinational
corporations with subsidiaries); and the trend towards internal audit groups providing
value-added services with increased collaboration on priorities and scope with their clients.
Accordingly, while the IIA believes that there is an ideal reporting structure with
functional reporting to the Audit Committee and administrative reporting to the CEO,
other relationships can be effective if there are clear distinctions between the
functional and administrative reporting lines and appropriate activities are in each line to
ensure that the independence and scope of activities is maintained. Internal auditors
are expected to use professional judgement to determine the extent to which the
guidance provided in this advisory should be applied in each given situation.
4. The Standards stress the importance of the chief audit executive reporting to an
individual with sufficient authority to promote independence and to ensure broad
audit coverage. The Standards are purposely somewhat generic about reporting
relationships, however, because they are designed to be applicable at all organizations
regardless of size or any other factors. Factors that make “one size fits all”
unattainable include organization size, and type of organization (private, governmental,
corporate). Accordingly, the CAE should consider the following attributes in
evaluating the appropriateness of the administrative reporting line.
• Does the individual have sufficient authority and stature to ensure the effectiveness
of the function?
• Does the individual have an appropriate control and governance mindset to assist
the CAE in their role?
• Does the individual have the time and interest to actively support the CAE on audit
issues?
• Does the individual understand the functional reporting relationship and support it?
5. The CAE should also ensure that appropriate independence is maintained if the
individual responsible for the administrative reporting line is also responsible for
other activities in the organization, which are subject to internal audit. For example,
some CAEs report administratively to the Chief Financial Officer, who is also
responsible for the organization's accounting functions. The internal audit function should
be free to audit and report on any activity that also reports to its administrative head if
it deems that coverage appropriate for its audit plan. Any limitation in scope or
reporting of results of these activities should be brought to the attention of the audit
committee.
6. Under the recent move to a stricter legislative and regulatory climate regarding
financial reporting around the globe, the CAE's reporting lines should be appropriate to
enable the internal audit activity to meet any increased needs of the audit committee
or other significant stakeholders. Increasingly, the CAE is being asked to take a more
significant role in the organization's governance and risk management activities. The
reporting lines of the CAE should facilitate the ability of the internal audit activity to
meet these expectations.


7. Regardless of which reporting relationship the organization chooses, several key
actions can help assure that the reporting lines support and enable the effectiveness
and independence of the internal auditing activity.
• Functional Reporting:
  • The functional reporting line should go directly to the Audit Committee or its
    equivalent to ensure the appropriate level of independence and communication.
  • The CAE should meet privately with the audit committee or its equivalent,
    without management present, to reinforce the independence and nature of this
    reporting relationship.
  • The audit committee should have the final authority to review and approve the
    annual audit plan and all major changes to the plan.
  • At all times, the CAE should have open and direct access to the chair of the audit
    committee and its members; or the chair of the board or full board if appropriate.
  • At least once a year, the audit committee should review the performance of the
    CAE and approve the annual compensation and salary adjustment.
  • The charter for the internal audit function should clearly articulate both the
    functional and administrative reporting lines for the function as well as the
    principal activities directed up each line.
• Administrative Reporting:
  • The administrative reporting line of the CAE should be to the CEO or another
    executive with sufficient authority to afford it appropriate support to accomplish
    its day-to-day activities. This support should include positioning the function and
    the CAE in the organization's structure in a manner that affords appropriate
    stature for the function within the organization. Reporting too low in an
    organization can negatively impact the stature and effectiveness of the internal audit
    function.
  • The administrative reporting line should not have ultimate authority over the
    scope or reporting of results of the internal audit activity.
  • The administrative reporting line should facilitate open and direct
    communications with executive and line management. The CAE should be able to
    communicate directly with any level of management including the CEO.
  • The administrative reporting line should enable adequate communications and
    information flow such that the CAE and the internal audit function have an
    adequate and timely flow of information concerning the activities, plans and
    business initiatives of the organization.
  • Budgetary controls and considerations imposed by the administrative reporting
    line should not impede the ability of the internal audit function to accomplish its
    mission.
8. CAEs should also consider their relationships with other control and monitoring
functions (risk management, compliance, security, legal, ethics, environmental,
external audit) and facilitate the reporting of material risk and control issues to the
audit committee.




Source: Institute of Internal Auditors, visit the web site at www.theiia.org.
Reviewing the Organization of the Corporate Audit Staff 269



Exhibit 9.5 Practice Advisory 2060-1: Reporting to the Board and Senior
Management

Related Standard
B2060 Reporting to Board and Senior Management
The chief audit executive should report periodically to the board and senior management
on the internal audit activity's purpose, authority, responsibility, and performance relative
to its plan. Reporting should also include significant risk exposures and control issues,
corporate governance issues, and other matters needed or requested by the board and senior
management.
Nature of This Practice Advisory: Internal auditors should consider the following
suggestions when reporting to the board and senior management. This guidance is not
intended to represent all the considerations that may be necessary, but simply a
recommended set of items that should be addressed. Compliance with Practice Advisories
is optional.
1. The chief audit executive should submit activity reports to senior management and to
the board at least annually. Activity reports should highlight significant engagement
observations and recommendations and should inform senior management and the board
of any significant deviations from approved engagement work schedules, staffing plans,
and financial budgets, and the reasons for them.
2. Significant engagement observations are those conditions that, in the judgment of the
chief audit executive, could adversely affect the organization. Significant engagement
observations may include conditions dealing with irregularities, illegal acts, errors,
inefficiency, waste, ineffectiveness, conflicts of interest, and control weaknesses. After
reviewing such conditions with senior management, the chief audit executive should
communicate significant engagement observations and recommendations to the board,
whether or not they have been satisfactorily resolved.
3. Management's responsibility is to make decisions on the appropriate action to be taken
regarding significant engagement observations and recommendations. Senior
management may decide to assume the risk of not correcting the reported condition because of
cost or other considerations. The board should be informed of senior management's
decisions on all significant observations and recommendations.
4. The chief audit executive should consider whether it is appropriate to inform the board
regarding previously reported, significant observations and recommendations in those
instances when senior management and the board assumed the risk of not correcting the
reported condition. This may be particularly necessary when there have been
organization, board, senior management, or other changes.
5. In addition to subjects covered above, activity reports should also compare (a) actual
performance with the internal audit activity's goals and audit work schedules, and (b)
expenditures with financial budgets. Reports should explain the reason for major
variances and indicate any action taken or needed.




Source: Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,
FL: IIA, 2002), pp. 135–136.
270 Monitoring the Internal Audit Function



Exhibit 9.6 Practice Advisory 2060-2: Relationship with the Audit Committee

Related Standard:
2060: Independence and Objectivity
The chief audit executive should report periodically to the board and senior
management on the internal audit activity's purpose, authority, responsibility, and
performance relative to its plan. Reporting should also include significant risk
exposures and control issues, corporate governance issues, and other matters needed
or requested by the board and senior management.

Nature of this Practice Advisory: Internal auditors should consider the following
suggestions regarding the relationship between the internal audit activity and the
audit committee of the governing body. This guidance is not intended to represent
all necessary considerations, but merely summarizes key information concerning
appropriate relationships between audit committees and internal auditing.
Compliance with Practice Advisories is optional.

1. The term “audit committee,” as used in this document, refers to the governance body
that is charged with oversight of the organization's audit and control functions.
Although these fiduciary duties are often delegated to an audit committee of the board
of directors, the information in this Practice Advisory is also intended to apply to
other oversight groups with equivalent authority and responsibility, such as trustees,
legislative bodies, owners of an owner-managed entity, internal control committees,
or full boards of directors.
2. The Institute of Internal Auditors recognizes that audit committees and internal
auditors have interlocking goals. A strong working relationship with the audit
committee is essential for each to fulfill its responsibilities to senior management, board
of directors, shareholders, and other outside parties. This Practice Advisory
summarizes The Institute's views concerning the aspects and attributes of an appropriate
relationship between an audit committee and the internal audit function. The Institute
acknowledges that audit committee responsibilities encompass activities that are
beyond the scope of this advisory, and in no way intends it to be a comprehensive
description of audit committee responsibilities.
3. There are three areas of activities that are key to an effective relationship between the
audit committee and the internal audit function, chiefly through the Chief Audit
Executive (CAE):
• Assisting the audit committee to ensure that its charter, activities, and processes are
appropriate to fulfill its responsibilities.
• Ensuring that the charter, role, and activities of internal audit are clearly understood
and responsive to the needs of the audit committee and the board.
• Maintaining open and effective communications with the audit committee and the
chairperson.

Audit Committee Responsibilities
4. The CAE should assist the committee in ensuring that the charter, role and activities
of the committee are appropriate for it to achieve its responsibilities. The CAE can
play an important role by assisting the committee to periodically review its activities
and suggesting enhancements. In this way, the CAE serves as a valued advisor to the
committee on audit committee and regulatory practices. Examples of activities that
the CAE can undertake are:
• Review the charter for the audit committee at least annually and advise the
committee whether the charter addresses all responsibilities directed to the committee in
