IIA April 2010.pdf - UAE IAA

Control: Internal audit should assist
the organisation in maintaining effective
controls by evaluating their effectiveness
and efficiency and by promoting continuous
improvement.
Governance: Internal audit should assess
and make appropriate recommendations
for improving the governance process
in its accomplishment of the following
objectives:
• Promoting appropriate ethics and values
within the organisation.
• Ensuring effective organisational
performance management and
accountability.
• Effectively communicating risk and
control information to appropriate
areas of the organisation.
• Effectively coordinating the activities and
communicating information among the
board, external and internal auditors
and management.
What type of work?
So, what should be the range and type
of work carried out by internal audit for
an organisation? The IIA believes that the
work and methods of internal audit should
encompass:
• Conducting enterprise risk assessment.
• Utilizing risk and control selfassessment.
• Using internal control processes based
on COSO (Committee of Sponsoring
Organisations) guidelines.
• Partnering with management.
• Integrating corporate governance into
practice.
• Increasing staff performance.
• Communicating more effectively.
• Developing staff, both personally and
professionally.
• Using technology to increase staff
efficiency.
• Establishing an assurance function.
• Providing consulting services.
• Conducting audits in emerging areas.
• Utilizing performance measures.
This leads to the types of internal audit
provided by the internal audit function, which
may include some or all of the following:
Compliance audit: The review of both
financial and operating controls and
transactions to see how they conform to
established laws, standards, regulations and
procedures.
Financial audit: The examination of the
financial records and reports of a company
to verify that the figures in the financial
reports are relevant, accurate and complete.
The general focus is on making sure that all
assets and liabilities are properly recorded
on the balance sheet and that the statement
of income and expenses is correct.
Information technology (IT) audit: A
review of the controls within an entity’s
technology infrastructure. These reviews
are typically performed in conjunction
with a financial statement audit, internal
audit review, or other form of attestation
engagement.
On-demand audit: A request for an
internal audit initiated by the board, audit
committee, or management in response
to their particular concerns, and which has
not been scheduled in the internal audit
plan of work. It may also be known as a
management-initiated review.
Operational audit: Sometimes called
program or performance audits, these
examine the use of resources to evaluate
whether those resources are being used in
the most efficient and effective way to fulfil
an organisation’s objectives. An operational
audit may include elements of a compliance
audit, a financial audit and an information
systems audit. This term is mainly used in
the private sector.
Performance audit: The independent and
systematic examination of the management
of an organisation, program, or function
for the purpose of identifying whether
the management is being carried out in
an efficient and effective manner, and
whether management practices promote
improvement. This term is mainly used
in the public sector, and a performance
audit may be the same as or similar to an
operational audit.
and evaluation of all activities related to
the quality of a product or service, to
determine the suitability and effectiveness
of the activities to meet quality goals.
Value for money (VFM) audit: An
examination of how resources are
allocated and utilized. The audit is
concerned with interrelated concepts of
efficiency, effectiveness, economy, and
organisational outcomes. VFM audits
are more common in the public sector
than the private sector since the profit
criterion is lacking in the public sector, and
they may be the same as or similar to a
performance audit.
What influences the type of work?
The range and type of the internal auditor’s
work depend on a number of factors:
The mandate for internal audit
contained in the internal audit
charter: This is what the audit committee
and the organisation want internal audit
to do. Although ideally this should include
both assurance services and consulting
services, it is true to say that some audit
committees and management believe that
internal audit should not stray from its
roots of providing assurance, so in some
organisations the internal audit charter
has focused only on the provision of
assurance services. This attitude peaked
following the corporate collapses of the
1990s. However, more enlightened audit
committees and management of today
seek a more comprehensive internal
auditing service for the organisation. This
has the potential to add a lot of value,
rather than just reporting what is wrong
in compliance and financial areas.
To whom the chief audit executive
reports: The chief audit executive should
report to the audit committee functionally
and for operations, and to the chief
executive officer for administration. Where
a chief audit executive may have other
reporting arrangements - for example to a
chief executive officer for operations and
administration, or worse, to a chief financial
officer - there is a risk that internal audit
may lose a measure of its independence.
Table 4: The chief audit executive’s risk-based annual internal audit plan
Compliance
Assurance
Consulting
Financial
Assurance
Consulting
IT
Assurance
Consulting
Audit Type
Cyclical 12
months
scheduled
hours
6,000
0
750
250
3,000
3,000
Rolling 6
months
scheduled
hours
0
0
2,500
0
0
0
Rolling 3
months
reserve hours
0
0
1,000
0
0
0
This has a potential to impact negatively on
the range and type of work to be performed
by internal audit.
The capability and skills of the internal
auditors: As the work of internal audit
moves toward more difficult methods
of operating, the complexity of internal
audit work increases. This means that the
capability and skills of the internal auditor
need to be greater, and many internal
auditors see this as a quantum leap so great
that they prefer to remain comfortable
where they are.
Any legislative or regulatory
requirements of internal audit: The work
of internal audit will nearly always have a
role to provide assurance of legislative and
regulatory compliance; this is an important
role that should never be forgotten.
Case Study
Designing a Comprehensive Internal
Audit Plan
A large public sector organisation with
Rolling 3
months
unassigned
hours
0
0
500
0
0
0
Annual total
hours
6,000
0
4,750
250
3,000
3,000
Operational / Performance
Assurance / Consulting 500 2,500 1,000 1,000 5,000
Internal audit planning 500 0 0 0 500
Audit monitor and follow-up 500 0 0 0 500
Audit committee 500 0 0 0 500
External audit co-ordination 1,500 0 0 0 1,500
Quality audit: The systematic examination
Total 25,000
18 April 2010 19 April 2010