IIA April 2010.pdf - UAE IAA
IIA April 2010.pdf - UAE IAA
IIA April 2010.pdf - UAE IAA
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
By: Andrew Cox<br />
What Is the Range<br />
of the Internal<br />
Auditor’s Work?<br />
Nowadays, Table 2 could be the best representation.<br />
Table 2: The evolution of internal auditing, 1990s–2000s<br />
Now (1990s–2000s)<br />
• Areas for internal audit identified on a functional,<br />
cross-organisational and strategic basis, may use the<br />
organisation’s risk register.<br />
• Discussed with senior management, additional<br />
internal audit areas may be added.<br />
• Set of risk factors applied, input into a model,<br />
prioritized based on risk rankings.<br />
• 3-year strategic internal audit plan based on risk<br />
rankings.<br />
• Annual internal audit plan based on available<br />
resources. Presented to the audit committee.<br />
Advantages<br />
• Well known to internal<br />
auditors.<br />
• Done in consultation with the<br />
business.<br />
• Broader scope that considers<br />
business risks.<br />
• Facilitates integration of internal<br />
audit, risk management and<br />
strategic planning.<br />
• Requires strong understanding<br />
of the business.<br />
Disadvantages<br />
• Can be challenging.<br />
• Time-consuming.<br />
• May not be timely, relevant, or<br />
responsive.<br />
Executive Summary<br />
The range of the Internal Auditor’s work is dependent on:<br />
• The mandate for internal audit contained in the internal audit charter.<br />
• What the audit committee and management want internal audit to do.<br />
• To whom the chief audit executive (head of internal audit) reports.<br />
• The capability and skills of the internal auditors.<br />
• Any legislative or regulatory requirements of internal audit.<br />
Introduction<br />
Internal auditing is an evolving profession. It has been around for a very long time, probably since<br />
the pharaohs in Egypt. But it wasn’t until 1947, when the foremost professional body for internal<br />
auditing, the Institute of Internal Auditors (<strong>IIA</strong>), was formed that internal auditing was set on its<br />
path to emerging as a profession.<br />
Subsequently, professional standards and a code of ethics for internal auditing have been established<br />
and in 1974 professional certification for internal auditing was created, with the designation<br />
Certified Internal Auditor. Over time, the scope of internal auditing has changed significantly.<br />
The Evolution of Internal Auditing<br />
The evolution of how internal audit determined what it would audit can be tracked in Table 1.<br />
Then (up to the 1990s)<br />
• Areas for internal audit identified on a functional<br />
basis from historic information.<br />
• Set of one-dimensional risk factors applied<br />
(high, moderate, low).<br />
• Input into a model and prioritization based on risk<br />
rankings.<br />
• 3 or 5-year strategic internal audit plan based on risk<br />
rankings.<br />
• Annual internal audit plan based on available<br />
resources. Presented to the audit committee (but<br />
not always).<br />
Advantages<br />
• Often cyclical (every year).<br />
• Well known to internal<br />
auditors.<br />
• Safe approach.<br />
Disadvantages<br />
• Done in isolation of the business.<br />
• Time-consuming.<br />
• Focus on functional areas.<br />
• May not be timely, relevant or<br />
responsive.<br />
• Correlation between risk rankings<br />
and internal audit plan often weak.<br />
• Assumed a static organisation.<br />
In the future Table 3 would be more accurate.<br />
Table 3: The evolution of internal auditing, 2000s onward<br />
Future (2000s onward)<br />
• Areas for internal audit identified on a functional,<br />
cross-organisational and strategic basis using the<br />
organisation’s risk register and other relevant<br />
information.<br />
• Develop base audit plan.<br />
• Discuss with senior management, including facilitated<br />
workshops - additional audit areas may be added.<br />
• Develop annual or longer-term assurance plan.<br />
• Develop flexible, rolling internal audit consulting plan<br />
to provide timely, relevant and responsive services.<br />
• Present to audit committee.<br />
The point is this: The range of an internal<br />
auditor’s work will generally be related<br />
to where he or she is currently placed in<br />
regard to these three evolutionary phases<br />
of the internal audit continuum. As we move<br />
into the more difficult methods of operating<br />
an internal audit function, the complexity<br />
of internal audit work increases, and the<br />
capability and skills of the internal auditor<br />
need to be greater. Many internal auditors<br />
are still in the early evolutionary phases of<br />
internal auditing, because the future is seen<br />
as too difficult and daunting.<br />
What do the Standards say?<br />
The internal auditing standards we will<br />
consider here are those issued by the<br />
Institute of Internal Auditors (<strong>IIA</strong>). The<br />
internationally accepted definition of<br />
internal auditing issued by the <strong>IIA</strong> is:<br />
“Internal auditing is an independent, objective<br />
Advantages<br />
• Done in consultation with the<br />
business.<br />
• Timely, relevant, and<br />
responsive.<br />
• Broader scope taking into<br />
account business risks.<br />
• Facilitates integration of internal<br />
audit, risk management, and<br />
strategic planning.<br />
assurance and consulting activity designed<br />
to add value and improve an organisation’s<br />
operations. It helps an organisation accomplish<br />
its objectives by bringing a systematic,<br />
disciplined approach to evaluate and improve<br />
the effectiveness of risk management, control<br />
and governance processes.”<br />
This was a step up from the previous<br />
definition, which concentrated on assurance.<br />
This definition expanded the role of internal<br />
audit to encompass consulting services.<br />
To understand the difference between<br />
assurance services and consulting services,<br />
we need a couple of definitions:<br />
Assurance: An objective examination<br />
of the evidence for the purpose of<br />
providing an independent assessment of<br />
risk management, control, or governance<br />
processes for an organisation. Examples<br />
may include financial, performance,<br />
Disadvantages<br />
• Requires strong commitment<br />
from senior management.<br />
• Requires discipline to ensure<br />
that the internal audit<br />
consultation process is effective.<br />
• May not be well known to<br />
internal auditors.<br />
compliance, system security and due<br />
diligence engagements.<br />
Consulting: Advisory and related client<br />
service activities, the nature and scope of<br />
which are agreed with the client, and which<br />
are intended to add value and improve an<br />
organisation’s governance, risk management,<br />
and control processes without the internal<br />
auditor assuming management responsibility.<br />
Examples include counsel, advice, facilitation<br />
and training.<br />
It should be noted that the definitions of<br />
internal auditing and the standards, focus on<br />
risk management, control and governance:<br />
Risk management: Internal audit should<br />
assist the organisation by identifying and<br />
evaluating significant exposures to risk and<br />
contributing to the improvement of risk<br />
management and control systems.<br />
16 <strong>April</strong> 2010 17 <strong>April</strong> 2010