

Ibid., pp. 72–73.
Anthony J. Ridley, “An Audit Committee Event Matrix,” Internal Auditor 57, No. 2 (April 2000), p. 54.
Ibid., p. 54.
276 Monitoring the Internal Audit Function

The Corporate Auditing Staff
The quality and training of the auditing personnel have an important influence on
the performance of the staff. If the auditing personnel's training, skills, and education
are not compatible with their broadened responsibilities, they become preoccupied
with the routine checking of the accounting transactions and records. As a
result, management becomes more susceptible to unfavorable developments, such
as deficiencies in the system of internal control and potential fraudulent practices.
It is imperative that the audit committee review the selection process for the
corporate auditing personnel. In reviewing the selection process, the committee
should consult sections 1200 and 1300 of the Standards for the Professional Prac-
tice of Internal Auditing, including the related Practice Advisories. These guide-
lines enable the audit committee to review and discuss with the chief audit
executive the knowledge, skills, and other competencies collectively needed by the
internal audit group to perform its responsibilities. Likewise, the audit committee
needs assurance that the internal audit group has established policies and proce-
dures for adequate staffing, levels of supervision, and continuing education pro-
As mentioned in Chapter 2, Section 201 of the Sarbanes-Oxley Act of 2002
prohibits a registered public accounting firm from providing internal audit out-
sourcing services for an SEC audit client.27
With respect to the selection of outside service providers by the chief audit ex-
ecutive, the Institute of Internal Auditors has issued a Practice Advisory as shown
in Exhibit 9.8.
In order to facilitate discussion, the audit committee should review the independent
auditor's comments regarding the quality of auditing personnel in relation
to these three considerations:

1. The professional qualifications and educational backgrounds of the staff. For
example, the Conference Board found that audit managers are attempting to
“elevate the professionalism” of the internal audit staff by employing “more
CPA's, certified internal auditors or MBA's.”28
2. Professional training and development programs for the corporate audit staff
are available through several professional accounting societies and especially
the Institute of Internal Auditors. Also, in-house professional development pro-
grams of the independent accounting firm may be a possible source of training.
For example, to increase the professionalism of the internal audit staff, the In-
stitute of Internal Auditors sponsors the Certified Internal Auditor (CIA) Pro-
gram. As John D. Marquardt and John F. Bussman report, “The number of
candidates sitting for the CIA Exam has increased from 654 in 1974, the year

Sarbanes-Oxley Act of 2002, H.R. Rep. No. 107-610 (2002). For an expanded discussion, see Anthony
J. Ridley and Lew Burnham, “Where Are the Auditors?” Directors and Boards 22, No. 2 (Winter
1998), pp. 61–63.
Macchiaverna, Internal Auditing, p. 75.
Appraising the Quality of the Auditing Staff 277

Exhibit 9.8 Practice Advisory 1210.A-1: Obtaining Services to Support or Com-
plement the Internal Audit Activity

Related Standard
1210.A1 The chief audit executive should obtain competent advice and assistance if the in-
ternal audit staff lacks the knowledge, skills, or other competencies needed to perform all
or part of the engagement.

Nature of This Practice Advisory: Internal auditors should consider the following sug-
gestions when contemplating acquiring additional services to support the internal audit
activity. This guidance is not intended to represent all the considerations that may be nec-
essary, but simply a recommended set of items that should be addressed. Compliance with
Practice Advisories is optional.
1. The internal audit activity should have employees or use outside service providers
who are qualified in disciplines such as accounting, auditing, economics, finance,
statistics, information technology, engineering, taxation, law, environmental affairs,
and such other areas as needed to meet the internal audit activity's responsibilities.
Each member of the internal audit activity, however, need not be qualified in all
2. An outside service provider is a person or firm, independent of the organization, who
has special knowledge, skill, and experience in a particular discipline. Outside service
providers include, among others, actuaries, accountants, appraisers, environmental
specialists, fraud investigators, lawyers, engineers, geologists, security specialists,
statisticians, information technology specialists, the organization's external auditors,
and other audit organizations. An outside service provider may be engaged by the
board, senior management, or the chief audit executive.
3. Outside service providers may be used by the internal audit activity in connection
with, among other things:
• Audit activities where a specialized skill and knowledge are required such as
information technology, statistics, taxes, language translations, or to achieve the
objectives in the engagement work schedule.
• Valuations of assets such as land and buildings, works of art, precious gems, invest-
ments, and complex financial instruments.
• Determination of quantities or physical condition of certain assets such as mineral
and petroleum reserves.
• Measuring the work completed and to be completed on contracts in progress.
• Fraud and security investigations.
• Determination of amounts by using specialized methods such as actuarial determi-
nations of employee benefit obligations.
• Interpretation of legal, technical, and regulatory requirements.
• Evaluating the internal audit activity's quality improvement program in accordance
with Section 1300 of the Standards.
• Mergers and acquisitions.
4. When the chief audit executive intends to use and rely on the work of an outside
service provider, the chief audit executive should assess the competency, indepen-
dence, and objectivity of the outside service provider as it relates to the particular
assignment to be performed. This assessment should also be made when the outside
service provider is selected by senior management or the board, and the chief audit
executive intends to use and rely on the outside service provider's work. When the
selection is made by others and the chief audit executive's assessment determines that
he or she should not use and rely on the work of an outside service provider, the
results of the assessment should be communicated to senior management or the
board, as appropriate.
5. The chief audit executive should determine that the outside service provider possesses
the necessary knowledge, skills, and other competencies to perform the engagement.
When assessing competency, the chief audit executive should consider the following:
• Professional certification, license, or other recognition of the outside service
provider's competency in the relevant discipline.
• Membership of the outside service provider in an appropriate professional organization
and adherence to that organization's code of ethics.
• The reputation of the outside service provider. This may include contacting others
familiar with the outside service provider's work.
• The outside service provider's experience in the type of work being considered.
• The extent of education and training received by the outside service provider in
disciplines that pertain to the particular engagement.
• The outside service provider's knowledge and experience in the industry in which
the organization operates.
6. The chief audit executive should assess the relationship of the outside service
provider to the organization and to the internal audit activity to ensure that indepen-
dence and objectivity are maintained throughout the engagement. In performing the
assessment, the chief audit executive should determine that there are no financial,
organizational, or personal relationships that will prevent the outside service provider
from rendering impartial and unbiased judgments and opinions when performing or
reporting on the engagement.
7. In assessing the independence and objectivity of the outside service provider, the
chief audit executive should consider:
• The financial interest the provider may have in the organization.
• The personal or professional affiliation the provider may have to the board, senior
management, or others within the organization.
• The relationship the provider may have had with the organization or the activities
being reviewed.
• The extent of other ongoing services the provider may be performing for the orga-
• Compensation or other incentives that the provider may have.
8. If the outside service provider is also the organization's external auditor and the
nature of the engagement is extended audit services, the chief audit executive should
ascertain that work performed does not impair the external auditor's independence.
Extended audit services refers to those services beyond the requirements of audit
standards generally accepted by external auditors. If the organization's external
auditors act or appear to act as members of senior management, management, or as
employees of the organization, then their independence is impaired. Additionally,
external auditors may provide the organization with other services such as tax and
consulting. Independence, however, should be assessed in relation to the full range of
services provided to the organization.
9. The chief audit executive should obtain sufficient information regarding the scope of
the outside service provider's work. This is necessary in order to ascertain that the
scope of work is adequate for the purposes of the internal audit activity. It may be
prudent to have these and other matters documented in an engagement letter or con-
tract. The chief audit executive should review with the outside service provider:
• Objectives and scope of work.
• Specific matters expected to be covered in the engagement communications.
• Access to relevant records, personnel, and physical properties.
• Information regarding assumptions and procedures to be employed.
• Ownership and custody of engagement working papers, if applicable.
• Confidentiality and restrictions on information obtained during the engagement.
10. Where the outside service provider performs internal audit activities, the chief audit
executive should specify and ensure that the work complies with the Standards for
the Professional Practice of Internal Auditing. In reviewing the work of an outside
service provider, the chief audit executive should evaluate the adequacy of work
performed. This evaluation should include sufficiency of information obtained to
afford a reasonable basis for the conclusions reached and the resolution of signifi-
cant exceptions or other unusual matters.
11. When the chief audit executive issues engagement communications, and an outside
service provider was used, the chief audit executive may, as appropriate, refer to
such services provided. The outside service provider should be informed and, if
appropriate, concurrence should be obtained prior to such reference being made in
engagement communications.

Source: Institute of Internal Auditors, The Professional Practice Framework (Altamonte Springs,
FL: IIA, 2002), pp. 71–75.

it was first offered, to 2,091 in 1978.”29 More recently, according to the Certi-
fication Department of the Institute of Internal Auditors, as of November 1992,
the number of certified internal auditors has increased to 19,264. Clearly, the
trend is toward professionalizing the internal audit staff in order to enhance
their professional auditing integrity and objectivity in the corporate structure.
3. The performance appraisal and evaluation system. “These typically evaluate:
(1) an auditor's technical knowledge; (2) compliance with audit policies and
procedures; (3) administrative skills and work habits; and (4) effectiveness in
interpersonal relationships.”30

The audit committee's appraisal of the quality and training of the corporate auditing
staff provides assurance to the board of directors that the internal auditing
function is adequately staffed. Such assurance to the board indicates that this auditing
staff is used wisely and responsibly in the interests of the board's outside
As previously noted, the Auditing Standards Board has issued SAS No. 65,
“The Auditor's Consideration of the Internal Audit Function in an Audit of Financial
Statements.” This auditing standard is designed to provide expanded guidance

John D. Marquardt and John F. Bussman, “The CIA Examination: A Topical Profile and Index Up-
date,” The Internal Auditor 36, No. 2 (April 1979), p. 41.
Macchiaverna, Internal Auditing, p. 89.
to independent auditors when considering the work performed by internal audi-
tors. Recognizing that both the audit committee and the independent auditors have
cross-purposes in understanding and assessing the internal audit functions, Ex-
hibits 9.9 and 9.10 compare the SAS No. 65 requirements with a model response
from the director of internal auditing. These responses are not intended to be all-
inclusive. However, such model responses will enable the audit committee to gain
reasonable assurance on the effective interaction between the internal audit group
and the independent auditors.
In addition to the model responses in Exhibits 9.9 and 9.10, the reader
may wish to review Exhibit 9.11, which contains a list of questions dealing with
internal auditing activities, as well as Exhibit 9.12, regarding quality program

Exhibit 9.9 Representative Responses for Understanding the Internal Audit Function

SAS No. 65 Requirement: Organizational status with the entity
Internal Auditors' Documented Response:
• Presentation and discussion of a written charter or mission statement of the internal audit function and free access to the entity's audit committee.

SAS No. 65 Requirement: Application of professional standards
Internal Auditors' Documented Response:
• Adherence to high professional standards as promulgated by the IIA's Standards for the Professional Practice of Internal Auditing, official pronouncements, and Code of Ethics.

SAS No. 65 Requirement: Audit plans
Internal Auditors' Documented Response:
• Discussion, coordination, and implementation of the planned external and internal audit scope and related joint planning memos relative to audit risk assessment (e.g., small divisions and subsidiaries that have undergone recent management changes or other material changes in their business activities may need additional audit work).
• Discussion of proposed scope of any special investigations relative to the potential impact on the financial statements and the opinion of general
• Review on the follow-up of the external auditor's management letter and nonaudit services.

SAS No. 65 Requirement: Access to records and any scope limitations on activities
Internal Auditors' Documented Response:
• Review of unrestricted access to records and departments as disclosed in the written charter of the internal audit function and approved by the audit committee.

