. 54
( 82 .)


any terms of reference or mandates from the board of directors.
• Review or maintain a planning agenda for the audit committee™s meeting that details
all required activities to ascertain whether they are completed and that assists the
committee in reporting to the board annually that it has completed all assigned duties.
• Draft the audit committee™s meeting agenda for the chairman™s review and facilitate
the distribution of the material to the audit committee members and write up the
minutes of the audit committee meetings.
• Encourage the audit committee to conduct periodic reviews of its activities and
practices compared with current best practices to ensure that its activities are con-
sistent with leading practices.
• Meet periodically with the chairperson to discuss whether the materials and infor-
mation being furnished to the committee are meeting their needs.
• Inquire from the audit committee if any educational or informational sessions or
presentations would be helpful, such as training new committee members on risk
and controls.
• Inquire from the committee whether the frequency and time allotted to the commit-
tee are sufficient.

Internal Audit Activity™s Role
5. The CAE™s relationship to the audit committee should revolve around a core role of
the CAE ensuring that the audit committee understands, supports, and receives all
assistance needed from the internal audit function. The IIA supports the concept that
sound governance is dependent on the synergy generated among the four principal
components of effective corporate governance systems: boards of directors, manage-
ment, internal auditors, and external auditors. In that structure, internal auditors and
audit committees are mutually supportive. Consideration of the work of internal
auditors is essential for the audit committee to gain a complete understanding of an
organization™s operations. A primary component of the CAE™s role with the commit-
tee is to ensure this objective is accomplished and the committee views the CAE as
their trusted advisor. The chief audit executive can perform a number of activities to
accomplish this role:
• Request that the committee review and approve the internal audit charter on an
annual basis. (A model internal audit department charter is available on The Insti-
tute™s Web site at http://www.theiiaorg/ecm/guide-ia.cfm?doc_id=383)
• Review with the audit committee the functional and administrative reporting lines
of internal audit to ensure that the organizational structure in place allows adequate
independence for internal auditors. (Practice Advisory 1110-2: Chief Audit Execu-
tive (CAE) Reporting Lines)
• Incorporate in the charter for the audit committee the review of hiring decisions, in-
cluding appointment, compensation, evaluation, retention, and dismissal of the CAE.
• Incorporate in the charter for the audit committee to review and approve proposals
to outsource any internal audit activities.
• Assist the audit committee in evaluating the adequacy of the personnel and budget,
and the scope and results of the internal audit activities, to ensure that there are no
budgetary or scope limitations that impede the ability of the internal audit function
to execute its responsibilities.
• Provide information on the coordination with and oversight of other control and
monitoring functions (e.g. risk management, compliance, security, business conti-
nuity, legal, ethics, environmental, external audit).

272 Monitoring the Internal Audit Function

Exhibit 9.6 (Continued)

• Report significant issues related to the processes for controlling the activities of the
organization and its affiliates, including potential improvements to those processes,
and provide information concerning such issues through resolution.
• Provide information on the status and results of the annual audit plan and the
sufficiency of department resources to senior management and the audit committee.
• Develop a flexible annual audit plan using an appropriate risk-based methodology,
including any risks or control concerns identified by management, and submit that
plan to the audit committee for review and approval as well as periodic updates.
• Report on the implementation of the annual audit plan, as approved, including as
appropriate any special tasks or projects requested by management and the audit
• Incorporate into the internal audit charter the responsibility for the internal audit
department to report to the audit committee on a timely basis any suspected fraud
involving management or employees who are significantly involved in the internal
controls of the company. Assist in the investigation of significant suspected fraudu-
lent activities within the organization and notify management and the audit com-
mittee of the results.
• Audit committees should be made aware that quality assessment reviews of the inter-
nal audit activity be done every five years in order for the audit activity to declare that
it meets The IIA™s Standards for the Professional Practice of Internal Auditing (Stan-
dards). Regular quality assessment reviews will provide assurance to the audit com-
mittee and to management that internal auditing activities conform to Standards.

Communications with the Audit Committee
6. While not to diminish any of the activities noted above, in a large part the overall
effectiveness of the CAE and audit committee relationship will revolve around the
communications between the parties. Today™s audit committees expect a high level of
open and candid communications. If the CAE is to be viewed as a trusted advisor by
the committee, communications is the key element. Internal auditing, by definition,
can help the audit committee accomplish its objectives by bringing a systematic,
disciplined approach to its activities, but unless there is appropriate communications,
it is not possible for the committee to determine this. The chief audit executive should
consider providing communications to the audit committee in the following areas.
• Audit committees should meet privately with the CAE on a regular basis to discuss
sensitive issues.
• Provide an annual summary report or assessment on the results of the audit activi-
ties relating to the defined mission and scope of audit work.
• Issue periodic reports to the audit committee and management summarizing results
of audit activities.
• Keep the audit committee informed of emerging trends and successful practices in
internal auditing.
• Together with external auditors, discuss fulfillment of committee information needs.
• Review information submitted to the audit committee for completeness and accuracy.
• Confirm there is effective and efficient work coordination of activities between
internal and external auditors. Determine if there is any duplication between the
work of the internal and external auditors and give the reasons for such duplication.

Source: Institute of Internal Auditors, visit the web site at www.theiia.org.
Reviewing the Organization of the Corporate Audit Staff 273

permanently located at various subsidiaries or divisions.”18 Furthermore, the
Board™s study disclosed a number of internal auditing staffs have made changes in
their organizational structure. They are:

Reporting of subsidiary and divisional audit staffs in some companies has been cen-
tralized. These units now report to corporate auditing, instead of to subsidiary or di-
vision management. Typically, this has been due to bolster the independence of
resident audit staffs, and to increase corporate control over decentralized operations.
Decentralizing audit operations on a geographical basis”moving auditors formerly
based at corporate headquarters to other company locations. This has been done so
that auditing can better cover far-flung company operations. It also reduces the
amount of travel required of auditors”a major cause of dissatisfaction which can re-
sult in high staff turnover.
Creating special sections”to focus on individual corporate functions, or specialist
groups, which assist the main audit group. For example, most EDP audit sections
perform specialized data processing audits, as well as assist financial or operational
auditors in their duties.19

Moreover, Jepsen notes that although there is no definitive criterion for relat-
ing the size of the staff with “corporate sales or total assets,” consideration should
be given to the quality of the system of internal control.20 Clearly, the size and lo-
cation of the internal auditing staff should be a function of the adequacy of the in-
ternal accounting and administrative controls. Thus the committee should assess
the potential opportunity cost and related degree of risk management is willing to
assume. For example, the committee should discuss with both the internal and in-
dependent auditing executives the potential opportunity cost of not auditing spe-
cific locations in light of the internal control conditions. One large corporation
reported that “15 major locations are audited once a year, while the remaining 185
minor locations are scheduled for visits once every two years.”21 The selection of
the major areas is ordinarily based on the concept of materiality and relative risk
(discussed in Chapter 5) for the financial audit. Conversely, in connection with the
operational audits, “it should be possible to develop some estimates of the profit
contribution resulting from the operational audits compared to the related audit
costs.”22 Consequently, the committee should review the budget of the internal au-
diting staff as well as the outside auditing fees in relation to the entity™s auditing
needs and potential auditing benefits. Obviously, if the system of internal control
is strong, based on the opinions of both the independent and internal auditors, then
the high costs of such auditing services should be curtailed.
Equally important, the committee should review the organization chart of the
internal auditing function to determine that it is balanced in accordance with the
corporate audit plan. An illustrative organization chart in Exhibit 9.7 shows how

Macchiaverna, Internal Auditing, p. 68.
Ibid., pp. 68“69.
Jepsen, “Internal Auditors,” p. 28.
Macchiaverna, Internal Auditing, p. 71.
Jepsen, “Internal Auditors,” p. 31.
274 Monitoring the Internal Audit Function

Exhibit 9.7 Sample Organization Chart of an Internal Audit Operation

Audit Board of
committee directors

Chief executive

Chief financial

Director of
internal auditing

Assitant director Assistant director
of international of U.S. audit
audit operations operations

Manager of Manager of
foreign subsidiary financial/EDP
resident audits* audits

Manager of
operational audits

Manager of
compliance and
special audits

*By country or geographic region.
Reviewing the Organization of the Corporate Audit Staff 275

the internal audit function might be organized on a centralized basis for a multi-
national enterprise. Because the chart is simplified, the organizational arrange-
ments will vary and contain more detail in actual practice. The major objective is
to show the reporting and functional relationships of the internal auditing function.
Moreover, the scope of the international auditing operations also will involve fi-
nancial, operational, and compliance audits at the resident audit staff level. For ex-
ample, the Conference Board found that the organizational arrangements
regarding the international auditing operations vary whereby “some companies
base their international auditors at corporate headquarters in the U.S.,” and others
are centrally located overseas.23 If the enterprise is highly diversified, it may de-
cide to decentralize its internal auditing function for such reasons as “increased
travel costs,” increased “staff dissatisfaction” with traveling, and “more frequent
audit coverage.”24 In short, the organizational arrangement should be designed to
maximize the corporate auditing services and minimize the economic cost of such
services without sacrificing the quality of the auditing work.
In performing a review of the logistical matters, the audit committee should
discuss with the chief audit executive the performance standards of the Standards
for the Professional Practice of Internal Auditing. The objective of the audit com-
mittee is to ensure that the internal audit group is positioned to provide the requi-
site auditing coverage. Such professional standards enable boards of directors and
their audit committees to benchmark and align the wide range of internal audit ser-
vices that encompasses both financial and nonfinancial control areas, including
risk management and internal governance.
In addition to logistical matters, Anthony J. Ridley, retired general auditor of
the Ford Motor Company and past chairman of the Institute of Internal Auditors,
recommends that chief audit executives consider an audit committee event matrix
for important events that occur outside regularly scheduled meetings. Ridley
points out: “The easiest way to resolve this quandary is to ask your audit commit-
tee in advance about the things they want to know”and when”and then capture
their preferences in an event matrix for ongoing use. The matrix can eliminate
much of the guesswork related to providing information to your audit commit-
tee.”25 Some of the generic events are:

• Defalcations and ethics violations
• Litigation
• Regulatory concerns and adverse publicity
• Financial reporting
Independence and effectiveness of auditors26

Macchiaverna, Internal Auditing, p. 71.


. 54
( 82 .)