<<

. 57
( 82 .)



>>


1. General Considerations: External assessments of an internal audit activity should
appraise and express an opinion as to the internal audit activity™s compliance with
the Standards for the Professional Practice of Internal Auditing and, as appropriate,
should include recommendations for improvement. These reviews can have
considerable value to the chief audit executive (CAE) and other members of the
internal audit activity. Only qualified persons (paragraph 4 below) should perform
such reviews.
2. An external assessment is required within five years of January 1, 2002. Earlier
adoption of the new Standard requiring an external assessment is highly
recommended. Organizations that have had external reviews are encouraged to have
their next external review within five years of their last review.
3. On completion of the review, a formal communication should be provided to the
board (as defined in the Glossary to the Standards) and to senior management.
4. Qualifications for External Reviewers: External reviewers, including those who
validate self-assessments (paragraph 13 below), should be independent of the
organization and of the internal audit activity. The review team should consist of
individuals who are competent in the professional practice of internal auditing and
the external assessment process. To be considered as external assessment candidates,
qualified individuals could include IIA Quality Assurance reviewers, regulatory
examiners, consultants, external auditors, other professional service providers, and
internal auditors from outside the organization.
5. Independence: The organization that is performing the external assessment, the
members of the review team, and any other individuals who participate on the
assessment should be free from any obligation to, or interest in, the organization that
is the subject of the review or its personnel. Individuals who are in another
department of that organization, although organizationally separate from the internal
audit activity, are not considered independent for purposes of conducting an external
assessment.
6. Reciprocal peer review arrangements between three or more organizations can be
structured in a manner that alleviates independence concerns. Reciprocal peer
reviews between two organizations generally should not be performed.
7. External assessments should be performed by qualified individuals who are
independent of the organization and who do not have either a real or apparent
conflict of interest. “Independent of the organization” means not a part of, or under
the control of, the organization to which the internal audit activity belongs. In the
Appraising the Quality of the Auditing Staff 287



selection of an external reviewer, consideration should be given to a possible real or
apparent conflict of interest that the reviewer may have due to present or past
relationships with the organization or its internal audit activity.
8. Integrity and Objectivity: Integrity requires the review team to be honest and
candid within the constraints of confidentiality. Service and the public trust should
not be subordinated to personal gain and advantage. Objectivity is a state of mind
and a quality that lends value to a review team™s services. The principle of
objectivity imposes the obligation to be impartial, intellectually honest, and free of
conflicts of interest.
9. Competence: Performing and communicating the results of an external assessment
requires the exercise of professional judgment. Accordingly, an individual serving as
a reviewer should:
• Be a competent, certified audit professional, e.g., CIA, CPA, CA, or CISA, who
possesses current knowledge of the Standards,
• Be well versed in the best practices of the profession, and
• Have at least three years of recent experience in the practice of internal auditing at
a management level.
10. The review team should include members with information technology expertise
and relevant industry experience. Individuals with expertise in other specialized
areas may assist the external review team. For example, statistical sampling
specialists or experts in control self-assessment may participate in certain segments
of the review.
11. Approval by Management and the Board: The CAE should involve senior
management and the board in the selection process for an external reviewer and
obtain their approval.
12. Scope of External Assessments: The external assessment should consist of a broad
scope of coverage that includes the following elements of the internal audit activity:
• Compliance with the Standards, the IIA™s Code of Ethics, and the internal audit
activity™s charter, plans, policies, procedures, practices, and applicable legislative
and regulatory requirements,
• The expectations of the internal audit activity expressed by the board, executive
management and operational managers,
• The integration of the internal audit activity into the organization™s governance
process, including the attendant relationships between and among the key groups
involved in that process,
• The tools and techniques employed by the internal audit activity,
• The mix of knowledge, experience, and disciplines within the staff, including staff
focus on process improvement, and
• The determination whether the audit activity adds value and improves the
organization™s operations.
13. Self-assessment with Independent Validation: An alternative process is for the
CAE to undertake a self-assessment with independent external validation with the
following features:
• A comprehensive and fully documented self-assessment process.
• An independent on-site validation by a qualified reviewer (paragraph 4 above).
• Economical time and resource requirements.
14. A team under the direction of the CAE should perform the self-assessment process.
The IIA™s Quality Assessment Manual contains an example of the process, including


(continued)
288 Monitoring the Internal Audit Function



Exhibit 9.12 (Continued)

guidance and tools for the self-assessment. A qualified, independent reviewer should
perform limited tests of the self-assessment to validate the results and express an
opinion about the indicated level of the activity™s conformity to the Standards.
15. Communicating the results of the self-assessment should follow the process outlined
below (paragraph 17).
16. While a full external review achieves maximum benefit for the activity and should
be included in the activity™s quality program, the self-assessment with independent
validation provides an alternative means of complying with this Standard 1312.
17. Communicating Results: The preliminary results of the review should be discussed
with the CAE during and at the conclusion of the assessment process. Final results
should be communicated to the CAE or other official who authorized the review for
the organization.
18. The communication should include the following:
• An opinion on the internal audit activity™s compliance with the Standards based
on a structured rating process. The term “compliance” means that the practices of
the internal audit activity, taken as a whole, satisfy the requirements of the
Standards. Similarly, “noncompliance” means that the impact and severity of the
deficiency in the practices of the internal audit activity are so significant that it
impairs the internal audit activity™s ability to discharge its responsibilities. The
expression of an opinion on the results of the external assessment requires the
application of sound business judgment, integrity, and due professional care.
• An assessment and evaluation of the use of best practices, both those observed
during the assessment and others potentially applicable to the activity.
• Recommendations for improvement, where appropriate.
• Responses from the CAE that include an action plan and implementation dates.
19. The CAE should communicate the results of the review and necessary action plan to
senior management, as appropriate, and to the board.


Source: Institute of Internal Auditors, The Professional Practice Framework (Altamonte Springs,
FL: IIA, 2002), pp. 89“99.




While each audit committee may develop its own approach to monitoring the
activities of the corporate auditing staff, the following recapitulation of the seven
salient points should be helpful.31

1. Assist in the overall internal auditing policy determination, and approve
such policies to ensure that the staff has authority commensurate with their
responsibilities.

31
The reader should review the questions in the checklist in Chapter 3. It should be reemphasized that
the audit directors are reviewing and assessing this function in their oversight and advisory capacity.
They are not assuming the day-to-day operations of this particular group. For additional discussion,
see Joseph Mchugh and K. Raghunandan, “Hiring & Firing the Chief Internal Auditor,” Internal Au-
ditor 54, No. 4 (August 1994), pp. 34“39; Wanda A. Wallace and G. Thomas White, “Reporting on In-
ternal Control,” Internal Auditor 51, No. 4 (August 1994), pp. 40“42.
Appraising the Quality of the Auditing Staff 289


2. Review the scope of the internal and external auditing plans to maximize on
the resources allocated to the audit function and minimize the outside auditing
fees.
3. Review copies of the internal auditing reports and critically evaluate the find-
ings, recommendations, management™s response, and courses of action taken.
Also, review the disposition of the recommendations in the independent audi-
tor™s management letter.
4. Review and appraise the staff™s organization regarding their auditing philoso-
phy, independence, and logistical operations.
5. Assess the quality of the auditing personnel and training to ensure that the in-
ternal auditing function is adequately staffed. Also, the auditing work should
be properly planned, supervised, and reviewed.
6. Assure the director of internal auditing that the committee supports his or her
function in the corporate structure and the director has access to the commit-
tee and the functional areas within the entity. Also, obtain assurance that the
staff is receiving the proper cooperation from management.
7. Determine the need for special assignments, such as investigating computer se-
curity and other methods for the protection of the assets (e.g., cases of man-
agement disagreements with the auditors).

An example of the audit committee™s oversight involvement is reflected in the
Audit Committee Charter of Wal-Mart™s Stores.
Oversight of the Company™s Internal Audit Function
• Ensure that the Company has an internal audit function.
• Review and concur in the appointment, replacement, reassignment or dismissal
of the senior internal auditing executive, and the compensation package for such
person.
• Review the significant reports to management prepared by the internal auditing
department and management™s responses.
• Communicate with management and the Internal Auditors to obtain information
concerning internal audits, accounting principles adopted by the Company, inter-
nal controls of the Company, management, and the Company™s financial and ac-
counting personnel, and review the impact of each on the quality and reliability
of the Company™s financial statements.
• Evaluate the internal auditing department and its impact on the accounting prac-
tices, internal controls and financial reporting of the Company.
• Discuss with the Outside Auditor the internal audit department™s responsibilities,
budget and staffing and any recommended changes in the planned scope of the in-
ternal audit.32

It is evident that the internal audit function is extremely important in the cor-
porate structure because it assists corporate management, including the board and
its audit committee, in fulfilling its responsibilities for corporate accountability.
The audit directors have a critical role in monitoring the activities of the internal

32
Wal-Mart Stores, Inc., Audit Committee Charter, www.walmartstores.com, p. 6.
290 Monitoring the Internal Audit Function


auditing staff as well as preserving the board™s independence in the corporate au-
diting process.


SOURCES AND SUGGESTED READINGS
Bacon, Jeremy, The Audit Committee: A Broader Mandate, Report No. 914 (New York: The
Conference Board, Inc., 1988).
Barrett, Michael J., and P. Tiessen, “Organizational Support for Internal Auditing.” Internal
Auditor 5, No. 2 (Fall 1989), pp. 39“53.
Braiotta, Louis, Jr., and Hugh L. Marsh, “Developing a Constructive Relationship Under
the Guidance of SAS No. 65.” Internal Auditing 8, No. 2 (Fall 1992), pp. 3“11.
Castellano, Joseph, Harper Roehm, and John P. Walker, “Status & Quality.” Internal Audi-
tor 49, No. 3 (June 1992), pp. 49“52.
Committee of Sponsoring Organizations of the Treadway Commission, Internal Control-
Integrated Framework (New York: AICPA, 1992).
Horn, Karen N., “An Audit Committee Member Looks at Internal Auditing.” Internal Au-
ditor 49, No. 6 (December 1992), pp. 32“36.
Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,
FL: IIA, 2002).
Jepsen, Edward G., “Internal Auditors Move into the Spotlight.” Internal Auditor 36, No. 2
(April 1979), pp. 26“32.
Kalbers, Lawrence P., “Audit Committees and Internal Auditors.” Internal Auditor 49, No.
6 (December 1992), pp. 37“44.
Macchiaverna, Paul, Internal Auditing, Report No. 748 (New York: The Conference Board,
Inc., 1978).
Marquardt, John D., and John F. Bussman, “The CIA Examination: A Topical Profile and
Index Update.” Internal Auditor 36, No. 2 (April 1979), pp. 41“47.
National Commission on Fraudulent Financial Reporting, Report of the National Commis-
sion on Fraudulent Financial Reporting (Washington, D.C.: National Commission on
Fraudulent Financial Reporting, 1987).
Ridley, Anthony J., “An Audit Committee Event Matrix,” Internal Auditor 57, No. 2 (April
2000), pp. 53“56.
Sarbanes-Oxley Act of 2002, H.R. Rep. No. 107-610 (2002).
Statement on Auditing Standards No. 65, “The Auditor™s Consideration of the Internal Audit
Function in an Audit of Financial Statements” (New York: AICPA, 1991).
Statement on Auditing Standards No. 78, “Consideration of Internal Control in a Financial
Statement Audit: An Amendment to SAS No. 55” (New York: AICPA, 1995).
Strawser, Jerry, and Barbara Apostolou, “The Role of Internal Auditor Communication
with the Audit Committee.” Internal Auditing 6, No. 2 (Fall 1990), pp. 35“42.
Verschoor, Curtis, “Internal Auditing Interactions with the Audit Committee.” Internal Au-
diting 7, No. 4 (Spring 1992), pp. 20“23.
Verschoor, Curtis, and Joseph P. Liotta, “Communication with Audit Committees.” Internal
Auditor 47, No. 2 (April 1990), pp. 42“47.
Wal-Mart Stores, Inc., Audit Committee Charter, www.walmartstores.com.
Chapter 10
Reviewing Accounting
Policy Disclosures

The purpose of this chapter is to introduce accounting policy disclosures in the fi-
nancial statements. Through a review of the significant accounting policies and
critical accounting policies and estimates, the audit committee can obtain assur-
ance on behalf of the board of directors that management is fulfilling its financial
accounting reporting responsibilities. Such a review will be conducted with the in-
dependent public accountants in order to determine the integrity and objectivity of
the financial statements based on management™s formulation and implementation
of the corporate accounting policies. Although this chapter will discuss account-
ing pronouncements concerning accounting disclosures (APB No. 22) and ac-
counting changes (APB No. 20), it makes no attempt to discuss in detail the
technical pronouncements applicable to APB No. 22, since such a discussion is be-
yond the scope of the text. As indicated in Chapter 2, the purpose of the audit com-
mittee is to oversee and monitor the accounting and auditing processes; technical
accounting matters are management™s responsibility. The reader may wish to con-
sult any standard accounting text for detailed information regarding the technical
subjects as outlined in APB No. 22.


AUDIT COMMITTEE™S REVIEW OBJECTIVE
A Look Back and an Overview
As indicated in Chapters 1 and 3, the audit committee has a critical role in re-
viewing the disclosures in the financial statements. The committee represents an

<<

. 57
( 82 .)



>>