IIA April 2010.pdf - UAE IAA
IIA April 2010.pdf - UAE IAA
IIA April 2010.pdf - UAE IAA
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
a significant commitment to internal<br />
auditing provided sufficient funds to<br />
resource an internal audit function of<br />
25,000 audit hours each year. The audit<br />
committee wanted an internal audit plan<br />
of work that provided assurance and<br />
examined how well the organisation was<br />
operating, but which was also responsive<br />
to the changing needs and risks of the<br />
organisation. The risk-based internal audit<br />
plan of work to achieve this designed by<br />
the chief audit executive is summarized<br />
in Table 4.<br />
Rather than have a static internal audit<br />
plan, the plan shown in the table was<br />
designed to cover an 18-month period<br />
with a refresher every six months so that<br />
workflows could be smoothed and work<br />
allocated to internal auditors continuously.<br />
The plan encompassed the following<br />
areas:<br />
• Cyclical 12 months scheduled: For highrisk<br />
areas worthy of annual internal<br />
audit attention.<br />
• Rolling 6 months scheduled: Higherrisk<br />
areas scheduled for periodic or<br />
one-off internal audits.<br />
• Rolling 3 months reserve: Areas held<br />
in reserve in case of postponement or<br />
cancellation of other internal audits.<br />
• Rolling 3 months unassigned: Reserved<br />
for on-demand internal audits initiated<br />
by management for emerging business<br />
issues and risks.<br />
Conclusion<br />
The range and type of the internal auditor’s<br />
work depend on a number of factors:<br />
• The mandate for internal audit<br />
contained in the internal audit charter.<br />
• What the audit committee wants<br />
internal audit to do, and how<br />
enlightened it is.<br />
• What management wants internal<br />
audit to do.<br />
• To whom the chief audit executive<br />
(head of internal audit) reports.<br />
• The capability and skills of the internal<br />
auditors.<br />
• Any legislative or regulatory<br />
requirements of internal audit.<br />
Making It Happen<br />
Chief audit executives should look to his<br />
or her audit committee and management<br />
for guidance on the range and type of<br />
work to be performed by the internal<br />
audit function. However, the chief audit<br />
executive, as an internal audit professional,<br />
should be using his or her knowledge and<br />
experience to identify and influence the<br />
formulation of a risk-based internal audit<br />
plan of work that best provides for the<br />
needs of the organisation. This is likely to<br />
be a blended plan of internal audit work<br />
that encompasses both assurance services<br />
and consulting services:<br />
Assurance Services<br />
• Part of the overall internal audit plan<br />
of work.<br />
• Annual or longer-term focus.<br />
• Risk-based.<br />
• May include cyclical internal audits of<br />
higher-risk areas.<br />
• Need to consider legislative and<br />
regulatory requirements.<br />
• Need to consider external audit to<br />
avoid duplication of audit effort.<br />
• Estimated hours for audit topics<br />
assessed from previous internal audits<br />
(structured gut feel).<br />
• Focus on compliance, financial issues<br />
and risks, financial controls, and IT<br />
reviews.<br />
Consulting Services<br />
• Part of the overall internal audit plan<br />
of work.<br />
• Flexible, rolling focus - rather than<br />
fixed in time.<br />
• Risk-based and customer-focused.<br />
• If limited previous data are available,<br />
estimate hours needed for internal<br />
audit topics on the basis of the<br />
best available information and past<br />
experience (unstructured gut feel).<br />
• Focus on current and emerging<br />
business issues and risks, and system<br />
under development reviews.<br />
Further reading:<br />
Books:<br />
• Australian National Audit Office.<br />
Public Sector Audit Committees:<br />
Having the Right People is the Key.<br />
Canberra: Australian National Audit<br />
Office, 2005.<br />
• Australian National Audit Office.<br />
Public Sector Internal Audit - An<br />
Investment in Assurance and Business<br />
Improvement. Canberra: Australian<br />
National Audit Office, 2007.<br />
• Picket, K. H. Spencer. Audit Planning:<br />
A Risk-Based Approach. Hoboken, NJ:<br />
Wiley, 2006.<br />
• Reding, Kurt F., Paul J. Sobel, Unton<br />
L. Anderson, Michael J. Head, Sridhar<br />
Ramamoorti, and Mark Salamasick.<br />
Internal Auditing: Assurance and<br />
Consulting Services. Altamonte<br />
Springs, FL: <strong>IIA</strong> Research Foundation,<br />
2007.<br />
• Sawyer, Lawrence B., Mortimer A.<br />
Dittenhofer, and James H. Scheiner.<br />
Sawyer’s Internal Auditing: The<br />
Practice of Modern Internal Auditing.<br />
5th ed. Altamonte Springs, FL: <strong>IIA</strong><br />
Research Foundation, 2003.<br />
Standards:<br />
• Institute of Internal Auditors (<strong>IIA</strong>).<br />
International Standards for the<br />
Professional Practice of Internal<br />
Auditing. Altamonte Springs, FL: <strong>IIA</strong>,<br />
2007. Online at: www.theiia.org/<br />
guidance/standards-and-guidance/<br />
ippf/standards<br />
Website:<br />
• The Institute of Internal Auditors:<br />
www.theiia.org<br />
Article originally published in “QFinance:<br />
The Ultimate Resource”, 2009. Republished<br />
by courtesy of Bloomsbury. For further<br />
details visit www.bloomsbury.com/qfinance<br />
or www.qfinance.com<br />
About the Author:<br />
Andrew Cox MBA MEC CIA CISA CFE CGAP CSQA MACS is<br />
acknowledged as a leader in quality assurance and improvement<br />
of internal audit activities in organisations. In recent times he<br />
worked for <strong>IIA</strong> - Australia and conducted 25 quality assessments<br />
of Internal Audit Departments in various organisations. Over his<br />
career he has been a senior internal audit executive in Australia<br />
and has managed 8 internal audit activities. He is now working in<br />
the United Arab Emirates.<br />
20 <strong>April</strong> 2010