<<

. 56
( 82 .)



>>

Source: Louis Braiotta, Jr., and Hugh L. Marsh, “Developing a Constructive Relationship Under the
Guidance of SAS No. 65,” Internal Auditing 8, No. 2 (Fall 1992), p. 7. Reprinted with permission
from Internal Auditing, copyright © 1992, Warren Gorham Lamont, 31 St. James Avenue, Boston,
MA 02116. All rights reserved.
Appraising the Quality of the Auditing Staff 281



Exhibit 9.10 Representative Responses for Assessing Competency and Objectiv-
ity of the Internal Auditors

SAS No. 65 Requirements Internal Auditors™ Documented Response
• Educational level and • Presentation and discussion of the current vitas of the
professional experience internal audit group and their organization and
of internal auditors composition (e.g., generalists with operational
backgrounds versus financial auditing personnel).
Demonstrate a mix of auditing skills and education.
• Professional certification • Advisement of the number of CIAs, MBAs, CPAs,
and continuing education CMAs, and CISAs on the staff
• Advisement of the number of professional training
and development opportunities for the staff and the
budgeted dollar amount.
• Audit policies, programs, • Presentation of audit policies and procedures relative
and procedures to financial, operational, and compliance audits,
including quality control, rotation practices, and
corporate conduct.
• Practices regarding • Discussion of work schedules, time budgets, and
assignment of internal costs.
auditors
• Supervision and review • Discussion of the level of knowledge required for the
of internal auditors™ entity and the industry.
activities • Review of the ratio of staff assistants to supervisors
relative to the scope and responsibilities for the audit.
• Discussion of supervisory review procedures of staff
assistants™ work and note disagreements.
• Review of audit risk assessment methodologies.
• Quality of working-paper • Review of the reports issued with a response from the
documentation, reports, auditee and reasons for management disagreements,
and recommendations including the timeliness of both.
• Review of the timetable for implementing
recommendations.
• Evaluation of internal • Discussion of the most recent peer review reports on
auditors™ performance the internal audit function.
relative to SAS No. 65 • Discussion of prior year™s review of the internal audit
requirements function by the external auditors and any response or
changes made as a result.




Source: Louis Braiotta, Jr., and Hugh L. Marsh, “Developing a Constructive Relationship Under the
Guidance of SAS No. 65,” Internal Auditing 8, No. 2 (Fall 1992), p. 9. Reprinted with permission
from Internal Auditing, Copyright © 1992, Warren Gorham & Lamont, 31 St. James Avenue,
Boston, MA 02116. All rights reserved.
282 Monitoring the Internal Audit Function



Exhibit 9.11 Vital Checkpoints: Internal Audit Questions for the Audit Committee

Mission Statement. Each company should develop and disseminate an annual policy
statement re the objectives of internal audit.
“ Does a mission statement exist for the internal audit function?
“ Is this mission statement approved by the chief executive officer or senior
management?
“ Are the internal audit objectives known and understood by all levels of
management?
Annual Internal Audit Plan. The senior internal auditor should prepare an annual plan
setting forth goals and objectives such as:
• Planned level of audit coverage
• Staffing
• Areas of audit risk
• Degree of coordination with external audit function
• Special projects
• Annual cost
• Compliance with corporate codes of conduct
“ Is this plan reviewed and approved by appropriate levels of management?
“ Was this plan reviewed with the external auditors?
“ Were their comments and/or recommendations incorporated in the plan?
“ Did they note any deficiencies in the plan that were not incorporated in the final
plan?
“ Has management placed any scope restrictions on the extent of audit coverage?
“ Does the plan provide coverage of the Company™s computer control functions?
“ Do you have the necessary human resources in terms of trained experienced staff
to achieve the annual plan?
Progress Reports. The internal auditor should report annually on progress in meeting the
previously approved annual plan:
“ Has management adequately addressed the comments and recommendations set
forth in your reports?
“ Who receives copies of your reports?
“ Are copies of your recent reports made available to the external auditor?
“ Do they receive appropriate management support?
“ Were there any significant recommendations relating to control weaknesses or
company policy that have not been adequately addressed and corrected?
“ Do you monitor that the necessary corrective action has in fact been
implemented?
“ Did your audit procedures uncover any instances of employee fraud, questionable
or illegal payments, or violations of laws or regulations? (Follow-up questions, as
appropriate).
“ Were any limitations placed on the phase of your audit plan during this period?
Appraising the Quality of the Auditing Staff 283



“ Did you receive appropriate management support and cooperation?
“ In connection with the audit functions completed during this period, did you
review all the related computer control functions? Were they deemed adequate?
“ Is the computer security system reviewed in connection with these audit
procedures? Are they adequate?
“ Does each computer system reviewed have an adequate backup system and
disaster contingency plan?
Other Areas. Additional areas can be covered in private meetings with internal auditors
as appropriate:
“ Are you satisfied with the adequacy and competence of financial management in
the areas subject to audit review?
“ Does the internal audit function receive the appropriate level of support from
senior management and operating management?
“ Are you satisfied with the level of cooperation and support from the external
auditors?
“ Are the internal and external audit functions coordinated to maximize the
effectiveness of both groups and to minimize any unnecessary duplication of
effort?
“ Have there been any material changes in the internal audit staff that would
adversely impact your ability to complete your objective for the current period?
“ To what extent, if any, have you been assigned special projects that have adversely
impacted your ability to achieve your goals?
“ Are you satisfied that the “tone at the top” is appropriate?
“ Has the company taken the appropriate action with respect to management
comments submitted by the external auditors?
Further Questions. Additional internal auditing questions can be addressed privately to
financial personnel, senior management, or the external auditor, as appropriate:
“ Are you satisfied with respect to the level of performance of the internal audit
function?
“ Do the internal auditors perform their duties and responsibilities objectively and
professionally?
“ Do they perform their audits effectively?
“ Are they considered constructive and effective by operating management?
“ Do they receive the appropriate level of management support and cooperation?
“ Does an appropriate degree of mutual respect exist between the internal and
external auditors?
“ Is there an effective working relationship between the internal and external
auditors to maximize effectiveness and minimize cost?


Source: Richard S. Hickok and Jules Zimmerman, Vital Checkpoints: Internal Audit Questions for
the Audit Committee (New York: Hickok Associates, Inc., 1990). Copyright © 1990 by Hickok
Associates, Inc. Reprinted with permission.
284 Monitoring the Internal Audit Function



Exhibit 9.12 Practice Advisory 1310-1: Quality Programs Assessments;
Practice Advisory 1311-1: Internal Assessments; and Practice Advisory 1312-1:
External Assessments

Related Standard
1310 Quality Program Assessments
The internal audit activity should adopt a process to monitor and assess the overall
effectiveness of the quality program. The process should include both internal and
external assessments.
Nature of this Practice Advisory: Internal auditors should consider these suggestions
when implementing and assessing quality programs within the internal audit activity.
This guidance is not intended to represent all the procedures necessary for
comprehensive quality programs or their assessment, but simply is a recommended set of
quality assessment practices. Compliance with Practice Advisories is optional.
1. Implementing Quality Programs: The chief audit executive (CAE) should be
accountable for implementing processes that are designed to provide reasonable
assurance to the various stakeholders of the internal audit activity that it:
• Performs in accordance with its charter, which should be consistent with the
Standards for the Professional Practice of Internal Auditing and Code of Ethics,
• Operates in an effective and efficient manner, and
• Is perceived by those stakeholders as adding value and improving the
organization™s operations.
These processes should include appropriate supervision, periodic internal assessment
and ongoing monitoring of quality assurance, and periodic external assessments.
2. Monitoring Quality Programs: Monitoring should include ongoing measurements
and analyses of performance metrics, e.g., cycle time and recommendations accepted.
3. Assessing Quality Programs: Assessments should evaluate and conclude on the
quality of the internal audit activity and lead to recommendations for appropriate
improvements. Assessments of quality programs should include evaluation of:
• Compliance with the Standards and Code of Ethics,
• Adequacy of the internal audit activity™s charter, goals, objectives, policies, and
procedures,
• Contribution to the organization™s risk management, governance, and control processes,
• Compliance with applicable laws, regulations, and government or industry standards,
• Effectiveness of continuous improvement activities and adoption of best practices, and
• Whether the audit activity adds value and improves the organization™s operations.
4. Continuous Improvement: All quality improvement efforts should include a communi-
cation process designed to facilitate appropriate modification of resources, technology,
processes, and procedures as indicated by monitoring and assessment activities.
5. Communicating Results: To provide accountability, the CAE should share the
results of external, and, as appropriate, internal quality program assessments with the
various stakeholders of the activity, such as senior management, the board, and
external auditors.

Related Standard
1311 Internal Assessments
Internal assessments should include:
• Ongoing reviews of the performance of the internal audit activity; and
Appraising the Quality of the Auditing Staff 285



• Periodic reviews performed through self-assessment or by other persons within the
organization, with knowledge of internal audit practices and the Standards.
Nature of this Practice Advisory: Internal auditors should consider these suggestions
when performing internal assessments within the internal audit activity. This guidance is
not intended to represent all the procedures necessary for comprehensive internal
assessments, but is simply a recommended set of internal assessment practices.
Compliance with Practice Advisories is optional.

1. Ongoing Renews: Ongoing assessments may be conducted through:
• Engagement supervision as described in Practice Advisory 2340-1: Engagement
Supervision,
• Checklists and other means to provide assurance that processes adopted by the
audit activity (e.g., in an audit and procedures manual) are being followed,
• Feedback from audit customers and other stakeholders, and
• Analyses of performance metrics, (e.g., cycle time and recommendations
accepted),
• Project budgets, time keeping systems, audit plan completion, cost recoveries, and
so forth.
2. Conclusions should be developed as to the quality of ongoing performance, and
follow-up action should be taken to assure appropriate improvements are
implemented.
3. Periodic Reviews: Periodic assessments should be designed to assess compliance
with the activity™s charter, the Standards for the Professional Practice of Internal
Auditing, the Code of Ethics, and the efficiency and effectiveness of the activity in
meeting the needs of its various stakeholders. The IIA™s Quality Assessment Manual
includes guidance and tools for internal reviews.
4. Periodic assessments may:
• Include more in-depth interviews and surveys of stakeholder groups,
• Be performed by members of the internal audit activity (self-assessment),
• Be performed by CIAs, or other competent audit professionals, currently assigned
elsewhere in the organization,
• Encompass a combination of self-assessment and preparation of materials
subsequently reviewed by CIAs, or other competent audit professionals, from
elsewhere in the organization, and
• Include benchmarking of the internal audit activity™s practices and performance
metrics against relevant best practices of the internal audit profession.
5. Conclusions should be developed as to the quality of performance and appropriate
action initiated to achieve improvements and conformity to the Standards, as
necessary.
6. The chief audit executive (CAE) should establish a structure for reporting results of
periodic reviews that maintains appropriate credibility and objectivity. Generally,
those assigned responsibility for conducting ongoing and periodic reviews should
report to the CAE while performing the reviews and should communicate their results
directly to the CAE.
7. Communicating Results: The CAE should share the results of internal assessments
and necessary action plans with appropriate persons outside the activity, such as
senior management, the board, and external auditors.



(continued)
286 Monitoring the Internal Audit Function



Exhibit 9.12 (Continued)

Related Standard
1312 External Assessments
External assessments, such as quality assurance reviews, should be conducted at least
once every five years by a qualified, independent reviewer or review team from outside
the organization.
Nature of This Practice Advisory: Internal auditors should consider these suggestions
when planning and contracting for an external assessment of their internal audit
activity. This guidance is not intended to represent all the considerations necessary for
an external assessment but simply a recommended set of high-level considerations with
respect to the external assessment. Compliance with Practice Advisories is optional.

<<

. 56
( 82 .)



>>