TIAPS ALB_Module 2D. Managing the Internal Audit Activity
2D. Managing the Internal Audit Activity

2D Learning Outcomes
On completion of this section, students will be better able to:
• Differentiate between the roles and responsibilities of internal audit managers and chief audit executives.
• Develop a strategic plan for the internal audit function.
• Promote advanced professional audit practices (e.g., agile auditing, data analytics, using digital tools, alternative reporting methods, auditing ESG, and auditing cybersecurity).

2D.1 Managing the Internal Audit Function
IIA Internal Audit Competency Framework: Internal Audit Strategic Planning and Management
General Awareness: Recognize the importance of aligning the internal audit strategic plan with the organization’s strategy. Differentiate various internal audit roles, including the engagement supervisor and chief audit executive. Identify key activities in supervising engagements.
Applied Knowledge: Create the internal audit strategic plan in alignment with the organization’s strategy, risk profile, and risk management strategy; create an effective and efficient budget for the internal audit activity. Manage internal audit personnel (including recruiting, developing, motivating, managing conflict, building teams, delegating, retaining talent, and succession planning); create policies and procedures for managing internal audit operations. Supervise engagements.
Expert: Assess the internal audit strategic plan; evaluate and recommend improvements to the budget for the internal audit activity. Assess the talent management efforts of the internal audit activity; appraise policies, procedures, and administrative activities of the internal audit activity. Assess engagement supervision activities to ensure the quality of the internal audit activity. 33

There are many roles a manager must adopt, and these apply to leadership positions within the internal audit function as much as anywhere. Henry Mintzberg, for example, identified ten key roles for managers:
1. Figurehead.
2. Leader.
3. Liaison.
4. Monitor.
5. Disseminator.
6. Spokesperson.
7. Entrepreneur.
8. Disturbance handler.
9. Resource allocator.
10. Negotiator. 34

33 Internal Audit Competency Framework, The IIA, 2022.
34 Mintzberg, Henry. Mintzberg on Management, Free Press, 1989.
A manager manages tasks and activities, people, budgets, information, time, talent, and relationships by using tools like goal setting, planning, performance monitoring and evaluation, communication, training, motivation, delegation, diplomacy, and leading by example.

Structures of internal audit functions can vary according to the resources available and the nature of the work. In the smallest possible functions, one person acts as the chief audit executive and the sole internal auditor, perhaps supported by guest auditors or outsourced services. In this case the individual is responsible for everything, although full compliance with the requirements of the IPPF and adequate coverage of the significant risks and controls of the organization can be challenging. In larger teams the head of the function can choose to stratify roles according to an appropriate hierarchy to assist with the tasks of coordinating, directing, and leading. As the IPPF makes clear, the head of internal audit may choose to delegate but retains the ultimate responsibility (see for example Standard 2440 – Disseminating Results: “When the chief audit executive delegates these duties, he or she retains overall responsibility.” 35)

Roles in order of ascending seniority may include:
• Junior auditor.
• Senior auditor.
• Audit supervisor.
• Audit manager or lead auditor.
• Audit director.
• Head of internal audit.

As well as being a way of organizing activities and resources, such hierarchical structures can help with defining career paths for individuals who are ambitious. There may also be specialized positions for activities such as IT. Individuals may also be expert in key processes. Value for money (performance) audits, evaluations, and investigations are sometimes part of the audit function (although this is not required by the Standards) and in other situations are managed separately. The head of the function must ensure there is sufficient expertise to cover the scope as defined in the charter and deliver the assurance engagements in the approved plan. This is stated in Standard 1210 – Proficiency:

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. 36

A similar point is made regarding the supervision of audit engagements in Standard 2340 – Engagement Supervision.

Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

35 International Professional Practices Framework, The IIA, 2016.
36 International Professional Practices Framework, The IIA, 2016.
Interpretation: The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained. 37

In addition to the general managerial roles listed above, managers in internal auditing have specific responsibilities as defined by the International Standards for the Professional Practice of Internal Auditing included within the IPPF, according to which the head of internal audit (the CAE) must:

The CAE must (Standard):
• Periodically review the internal audit charter. (Standard 1000 – Purpose, Authority, and Responsibility)
• Discuss the mandatory elements of the IPPF with senior management and the board. (Standard 1010 – Recognizing Mandatory Guidance in the Internal Audit Charter)
• Disclose interference in the work of internal audit to the board and discuss the implications. (Standard 1110 – Organizational Independence)
• Communicate and interact directly with the board. (Standard 1110 – Organizational Independence)
• Obtain competent advice and assistance if internal auditors lack the competencies to perform planned assurance engagements, and decline consulting engagements or obtain competent advice and assistance if internal auditors lack the competencies to perform planned advisory engagements. (Standard 1210 – Proficiency)
• Develop and maintain a quality assurance and improvement program (QAIP). (Standard 1300 – Quality Assurance and Improvement Program)
• Discuss the form and frequency of external assessments and the qualifications and independence of assessors with the board and encourage board oversight of external assessments to reduce potential conflicts of interest. (Standard 1312 – External Assessments)
• Communicate results of the QAIP to senior management and the board. (Standard 1320 – Reporting on the Quality Assurance and Improvement Program)
• Disclose any nonconformance with the Code of Ethics or Standards and its impact to senior management and the board. (Standard 1322 – Disclosure of Nonconformance)
• Manage the internal audit function effectively. (Standard 2000 – Managing the Internal Audit Activity)
• Establish, communicate, and seek approval for a risk-based plan of engagements in consultation with senior management and the board, adjusting the plan in response to organizational and situational changes as needed. (Standard 2010 – Planning)
• Ensure sufficiency of resources to deliver the plan. (Standard 2030 – Resource Management)
• Establish policies and procedures for internal auditing. (Standard 2040 – Policies and Procedures)
• Share information, coordinate activities, and consider relying on the work of other assurance providers. (Standard 2050 – Coordination and Reliance)
• Report periodically to senior management and the board on performance relative to the plan. (Standard 2060 – Reporting to Senior Management and the Board)
• Set and implement policies for retention and access to engagement records. (Standard 2330 – Documenting Information)
• Communicate corrected information if a final communication contains significant errors or omissions. (Standard 2421 – Errors and Omissions)
• Review, approve, and communicate results of audits to appropriate parties. (Standard 2440 – Disseminating Results)
• Establish and maintain a system to monitor the disposition of results. (Standard 2500 – Monitoring Progress)
• Discuss situations with senior management where the level of risk accepted by management is unacceptable and, if unresolved, communicate the matter to the board. (Standard 2600 – Communicating the Acceptance of Risk)

37 International Professional Practices Framework, The IIA, 2016.
To carry out these roles, the head of the function must enjoy unrestricted access to senior management and the board (Standard 1100 – Independence and Objectivity) and report to a level that allows internal audit to fulfil its responsibilities, including reporting functionally to the board (Standard 1110 – Organizational Independence). In some cases, the head of the internal audit unit is the only member of the team. In such situations the head does not have responsibility for managing other people but is expected to plan, perform, and communicate engagements as well as fulfil the duties listed above. The most important of these relate to the relationship with senior management and the governing body, safeguarding independence, and managing the quality assurance and improvement program.

2D.1: Reflection
Consider the 10 manager roles listed by Mintzberg given above.
Are all these roles appropriate for the head of an internal audit unit, and if not, why not?
Of the 10 roles listed, which do you see yourself currently fulfilling as part of your job? Identify all that apply.
Of the 10 roles listed, for which do you currently have the necessary competency to fulfil?
Of the 10 roles listed, for which do you most need to develop your competency to fulfil successfully?
2D.2 Internal Audit Strategic Planning
There are three important levels at which planning should take place:
• Individual engagements (work program).
• Multiple engagements (audit plan).
• Internal audit strategy (strategic plan).

2D.2.1 Engagement Work Program
Creating the work program is usually a task for the internal auditor. It describes the process, resources, and timelines needed to fulfil the audit objectives, and it should be approved by the head of internal audit or a designee. The requirements for the work program are described in Standard 2201 – Planning Considerations and Standard 2240 – Engagement Work Program.

2D.2.2 Internal Audit Plan
IIA Internal Audit Competency Framework: Audit Plan and Coordinating Assurance Efforts
General Awareness: Identify sources of potential engagements, including industry trends and emerging risks. Describe coordination of internal audit efforts with the external auditor, regulatory oversight bodies, and other internal assurance functions, and potential reliance on other assurance providers.
Applied Knowledge: Conduct a risk assessment, prioritize engagements, develop a risk-based internal audit plan, and obtain board approval. Prepare a risk assurance map.
Expert: Evaluate and revise a risk-based internal audit plan to meet the organization’s evolving needs. Coordinate assurance efforts with other providers to ensure proper coverage and minimize duplication of efforts. 38

The audit plan is often created for a 12-month period although the Standards do not require it to be an annual plan. Increasingly, internal audit functions are developing shorter plans to allow for greater flexibility and responsiveness. As part of the audit plan, resources and timelines are allocated to individual engagements. The requirements for the audit plan, including that it be risk-based, are defined in Standard 2010 – Planning. The head must also ensure sufficiency of resources (Standard 2030 – Resource Management). As part of the audit plan, the head of internal audit may identify opportunities for using the findings of other internal and external assurance providers to avoid unnecessarily repeating work. There is also an important role to play in coordinating assurance across an entity to ensure sufficiency and efficiency of coverage (see Standard 2050 – Coordination and Reliance). However, the opportunity to use the work of other assurance providers may be limited if there are no risk and compliance functions or performance audits. Even where such audits have been conducted, internal audit must first determine their reliability by considering factors such as relevance, use of standards, competence, degree of independence of the provider from the activity under review, and objectivity of the auditors deployed. The due diligence required to confirm the reliability of the work of other providers can be time-consuming.

38 Internal Audit Competency Framework, The IIA, 2022.
A more agile approach to internal audit planning with a span shorter than 12 months requires more frequent review and updating of the plan to keep the upcoming period in view. This is possible in practical terms if the approvals process for the audit plan (by the audit committee or governing body) is similarly agile. Sometimes bureaucratic processes necessitate a more traditional approach to planning, often within an annual cycle. The head of the internal audit unit can advocate for change on the basis of the benefits an agile approach can provide in terms of greater responsiveness and relevance to changing conditions, and greater value to support management oversight and decisions.

2D.2.3 Internal Audit Strategic Plan
The Standards do not refer to a strategic plan for internal audit. However, Implementation Guidance for Standard 2000 – Managing the Internal Audit Activity gives a very clear direction in stating that “the CAE develops an internal audit strategy and approach that aligns with the goals and expectations of the organization’s leadership.” 39 A strategic plan is not simply a multi-year audit plan. It represents a medium- to long-term program for enhancing and improving the internal audit function and the services it delivers to better serve the current and future needs of the organization. To prepare for this, the head of the function should consider the following:
• The internal audit function’s purpose and responsibility as defined in the charter or by legislation.
• The organization’s structure, reporting relationships, and resources.
• Organizational stakeholders and their needs and expectations, most notably:
  o The governing body.
  o Senior management.
  o Unit managers.
  o Line ministries or equivalent where applicable as well as central government priorities.
  o External audit (comprising the Supreme Audit Institution and any other external audit service providers).
  o Service users (individuals, organizations).
  o Suppliers.
• The organization’s vision, mission, goals, and strategies.
• Risks in relation to the organization’s vision, mission, goals, and strategies, taking account of trends and emerging issues.
• The International Professional Practices Framework.
• Risk management maturity.
• The current strengths and weaknesses of the internal audit function.
• Other information about the organization, its position and activities, the sector in which it operates, its culture, and so on.

39 International Professional Practices Framework, The IIA, 2016.
Common tools for analyzing the internal and external environment include:
• A SWOT analysis for the organization:
  o Strengths and weaknesses of the organization, its current performance, position, and prospects.
  o Opportunities and threats (which collectively may be considered as risks) that may impact future performance, position, and prospects.
• A SWOT analysis for the internal audit function.
• A PESTEL analysis, covering the following classes of local, regional, national, and international factors, trends, and shifts:
  o Political (election cycles, leadership, political factions, policies).
  o Environmental (natural resources, waste disposal, pollution).
  o Social (demographics, opinions, habits, rule of law, education, poverty).
  o Technological (innovation, adoption, hazards).
  o Economic (GDP, inflation, unemployment).
  o Legislation.

When developing a strategy for internal audit, it is very useful to create a vision statement. This is designed to capture and communicate a succinct expression of ambition. Examples of internal audit vision statements are given below:
• To be known for providing superior internal audit services and to continually challenge ourselves to provide them in a value added, best practices manner. Fairfax County.
• To be recognized by VUMC management and the Board of Directors as an independent and sought after resource that actively supports the organization’s identification, evaluation and mitigation of risks and serves as a proponent for internal controls and continuous improvement. Vanderbilt University Medical Center.
• To be a valued partner with MUW management by providing assurance and consulting services that help the University meet goals through building trust, partnerships, and exhibiting a high skill level and a thorough understanding of the University. Mississippi University for Women.
• To be a trusted and innovative internal audit service provider to public sector management and other stakeholders. General Department, Republic of Kenya.

A vision should define a desired future state of the internal audit function.

Many internal audit strategic plans also include a mission statement to describe the function’s purpose and how it will reach its vision. The IPPF includes a generic mission statement for the profession and many internal audit functions adopt and adapt this:

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. 40

Critical success factors are those essential elements on which the success of the strategic plan depends. The IIA Practice Guide: Developing the Internal Audit Strategic Plan offers three questions to consider that help identify those success factors:

40 International Professional Practices Framework, The IIA, 2016.
• Positioning – Is the internal audit activity strategically positioned and supported?
• Processes – Are the internal audit activity’s processes enabling and dynamic in meeting business needs?
• People – Does the internal audit activity have the right people strategy to deliver its mission? 41

The major portion of the internal audit strategic plan should describe key initiatives to be undertaken to support the achievement of vision and mission and continue to drive the performance of the function forward. As part of the strategic plan (and potentially developed as a separate but related strategy), the following major areas are likely to require detailed consideration:
• Talent strategy, including remuneration, recruitment, onboarding, retention, training, performance monitoring and evaluation, recognition, reward, promotion, and succession planning for key individuals. (Managing people is covered in section 2B.)
• Resource strategy, including digital transformation and use of digital tools for audit planning, management, monitoring, and reporting. (Use of digital tools is covered in section 2D.3 and data analytics in 2E.)
• Process development strategy, including continuous evolution of policies, procedures, audit manuals, and so on.
• Quality assurance strategy, incorporating self-assessment, target-setting for improvement, supervision, training, peer review, and external assessments. (Quality assurance is covered in section 2C.)

Many internal audit functions consciously identify and promote a coherent brand as part of their strategy linked to their mission and goals. This may be effected through consistency in communications (emails, reports, presentations, and so on).

2D.2: Reflection
What is the period covered by the internal audit plan (i.e., the plan of engagements)?
What are the pros and cons of creating a 12-month audit plan each year compared with something longer or shorter?
Does your internal audit function have a well-defined strategy and strategic plan?
If your internal audit unit has a vision and/or mission statement, share and discuss them with your fellow students. If not, or if you are not aware of them, how would you state the vision and the mission for the internal audit unit?

41 Practice Guide: Developing the Internal Audit Strategic Plan, The IIA, 2012.
2D.3 Advanced Professional Practices
IIA Internal Audit Competency Framework: Communication
General Awareness: Recognize the value of advocacy and the importance of maintaining stakeholder relationships (e.g., board, senior management, audit clients, other assurance providers, external stakeholders). Describe appropriate communications between internal auditors and stakeholders, including key performance indicators; recognize that the chief audit executive reports on the overall effectiveness of the organization’s internal control and risk management processes to senior management and the board. Recognize the importance of written and verbal communication skills, including soft skills such as conflict management, influence, and persuasion.
Applied Knowledge: Manage the internal audit activity’s reputation and stakeholder expectations; demonstrate sincerity, honesty, and empathy in communications with stakeholders to build trust and maintain relationships. Prepare relevant and appropriate communications for internal audit stakeholders, including reports to senior management and the board (e.g., significant risk exposures, key performance indicators, etc.). Demonstrate soft skills (conflict management, influence, and persuasion); provide insightful consultation to contribute to the organization’s effectiveness; detect opportunities for change and facilitate change.
Expert: Assess stakeholder relationships and recommend actions to achieve improvements; evaluate the advocacy efforts of the internal audit activity. Assess internal audit communications with stakeholders, including key performance indicators to evaluate the success of the internal audit activity, and recommend improvements. Assess the internal audit activity’s written and verbal communication skills, soft skills, and innovation; recommend improvements. 42

As a profession, internal auditing and its practices continue to evolve. This does not happen at an even rate around the world. The maturity of internal auditing depends on many factors, including leadership, resources, culture, sector, organizational objectives, legislative and regulatory requirements, and the risk management maturity of the organization. Internal audit leaders have a responsibility to ensure their clients receive the best possible service aligned to organizational needs. They should stay informed about developments in the profession as well as advancing their own expertise. This can be achieved through networking with peers, training, reading, listening to stakeholders, and harnessing the potential within their own team by encouraging innovation. Audit leaders should be unafraid to experiment and to challenge perceived orthodoxy in pursuit of continuous improvement.

Audit functions, especially in the public sector, can be small and fully stretched in delivering internal audit services. It is a challenge to find the time and resource to commit to innovation and improvement, including experimentation with different approaches such as agile methodologies. The support and encouragement of the Central Harmonization Unit, audit committee (where such exists), and senior leadership are crucial. The head of the internal audit unit must persuade those to whom they are accountable of the need for continuous development. Strategic goals must be realistic, but it is imperative to establish forward

42 Internal Audit Competency Framework, The IIA, 2022.
57
momentum, to remain relevant, to keep up with <strong>the</strong> ever-changing internal and external<br />
environments, to serve <strong>the</strong> organization and its stakeholders successfully.<br />
How should a head of internal audit go about persuading whoever controls their budget (the<br />
audit committee, governing body, senior management, or central government)? In a 2019 blog<br />
post for AuditBoard, Anand Bhakta provided some useful suggestions to help win the<br />
argument for more resources. 43<br />
• Know your organization’s culture. <strong>Internal</strong> audit needs to be aligned with what<br />
matters most to those who control <strong>the</strong> budgets.<br />
• Consider your CFO’s communication style. The head of internal audit must appeal to<br />
<strong>the</strong> primary decision-maker regarding budgets by providing information in a way best<br />
suited to <strong>the</strong>ir personal preferences.<br />
• Start with prior wins. It always helps to highlight improvements that have resulted<br />
from internal audit recommendations and this is even more effective when <strong>the</strong>y are<br />
quantifiable in terms of costs saved, errors corrected, waste reduced, fraud<br />
discovered or averted, timelines shortened, higher levels of compliance, productivity<br />
increased, and user satisfaction improved. (<strong>Internal</strong> audit metrics are considered in<br />
<strong>Module</strong> 3.)<br />
• Make <strong>the</strong> business case. Speak <strong>the</strong> language of finance and link internal audit<br />
successes with financial performance. (Financial ratios are considered in <strong>Module</strong> 3.)<br />
• Show <strong>the</strong> cost comparison. If <strong>the</strong> head of internal audit is asking for an increase in<br />
resources, it is fair to ask for a comparison with <strong>the</strong> value this will add. Cost savings<br />
may be achieved by employing a new auditor ra<strong>the</strong>r than relying on outsourced<br />
expertise, for example, or investing in automation to reduce time and costs spent in<br />
manual tasks while increasing coverage and accuracy.<br />
• Keep an open mind. A process of negotiation is more likely to be successful if you<br />
are prepared to compromise.<br />
• Know how to follow up. The end of a conversation or a meeting usually produces<br />
follow-up agreements and actions, and it is important for the head of internal audit to<br />
be proactive in pursuing them.<br />
The head of internal audit must be an advocate for change. <strong>Internal</strong> audit functions – whose<br />
purpose is to act as a catalyst for continuous improvement – should (subject to resources)<br />
set an example by embracing innovation. The following sections consider what may be<br />
regarded as “advanced professional practices,” reflecting some observed innovation<br />
happening in internal audit functions.<br />
<strong>2D</strong>.3.1 Using Digital Tools<br />
The use of computer assisted audit tools and techniques (sometimes abbreviated to<br />
CAATTs) continues to develop as <strong>the</strong> potential of technology advances. We can make a<br />
broad distinction between <strong>the</strong> two main uses internal auditors make of technology:<br />
• To manage audit processes (such as planning, documentation, and communication).<br />
• To test and analyze data.<br />
43<br />
7 Ways to Win <strong>the</strong> <strong>Internal</strong> <strong>Audit</strong> Budget Argument with your CFO, <strong>Audit</strong>Board, 2019.<br />
58
For further detail, see Computer Assisted Audit Techniques (CAATS): Definition, types,<br />
advantages and disadvantages. 44<br />
There is a wide variety of audit software designed to automate <strong>the</strong> audit process, enabling:<br />
• Collaborative, participatory, continuous, comprehensive, dynamic, and anticipatory<br />
activities, seamlessly integrating multiple perspectives and systems.<br />
• Dynamic and agile planning.<br />
• Remote auditing and supervision.<br />
• Cloud-based storage for streamlined documentation, ready access, sharing,<br />
monitoring, and review.<br />
• Easy access to and manipulation of big data.<br />
• Advanced analysis and evaluation techniques.<br />
• Continuous communication and reporting.<br />
• Integration with o<strong>the</strong>r systems, including risk and control platforms, and <strong>the</strong> potential<br />
for continuous risk assessment and continuous auditing.<br />
• Ongoing monitoring for follow-up.<br />
Increasingly, organizations hold digital assets (such as cryptocurrencies on blockchains and<br />
non-fungible tokens (NFTs)) that form part of the audit universe, although to a lesser extent<br />
in the public sector than in private sector organizations. In addition, technological<br />
innovations such as robotic process automation (RPA), machine learning (ML), natural<br />
language processing (NLP), artificial intelligence (AI), and data analytics tools offer huge<br />
potential for internal auditors, including:<br />
• Reduced costs and time.<br />
• Increased efficiency, speed, agility, accuracy, and quality.<br />
• Ability to automate mundane, laborious tasks.<br />
• Ability to evaluate much larger volumes of data.<br />
• Potential to deliver greater insights and value.<br />
• Opportunities for real-time and continuous auditing.<br />
• Improved processes for planning, creating work papers, retaining documents, testing,<br />
evaluating results, reporting, and monitoring for follow up.<br />
• Enhanced experiences for <strong>the</strong> internal auditor and <strong>the</strong> client.<br />
Many of <strong>the</strong> agile auditing practices described in <strong>the</strong> next section (<strong>2D</strong>.3.2) are enabled or<br />
greatly assisted by <strong>the</strong> use of technology.<br />
Adoption of digital tools has generally been slower in the public sector and is proportionate<br />
to internal audit maturity and available economic resources. Progress can be made<br />
incrementally, starting with small steps. Excel offers huge potential beyond its use as a grid<br />
for holding data. IDEA is an example of commonly used audit software that can be<br />
implemented on a modular basis. Without seizing such opportunities, there is a real danger<br />
that internal auditing will be regarded as outmoded and irrelevant. However, when planning<br />
for the introduction of CAATTs, internal audit managers should be clear about their<br />
objectives for doing so and consider the potential pitfalls.<br />
44<br />
Computer Assisted Audit Techniques (CAATS): Definition, types, advantages and disadvantages, Accounting Hub.<br />
• There is likely to be a license cost for <strong>the</strong> desired app, software, platform, or system,<br />
plus installation and integration with existing IT.<br />
• It is very important to ensure users receive <strong>the</strong> necessary training.<br />
CAATTs can be a distraction and <strong>the</strong>re should be a plan for <strong>the</strong> introduction of additional<br />
capabilities to ensure <strong>the</strong>y genuinely improve <strong>the</strong> quality of internal audit services and meet<br />
<strong>the</strong> needs of audit clients. You can be seduced by <strong>the</strong> sophisticated modeling and<br />
visualizations but that is no guarantee <strong>the</strong> findings are relevant. There will always be a need<br />
for human judgment and insight.<br />
These tools can be used to enable automated controls testing, as described in <strong>Module</strong> 1<br />
<strong>Audit</strong> and Assurance section 1C.3.2.<br />
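The second use of technology distinguished above, testing and analyzing data, does not require a commercial platform to get started. The following is an added example written for this module; it is not taken from the cited sources or from any named product such as IDEA. It scripts three typical computer-assisted audit tests in Python over a constructed payment extract: possible duplicate payments, payments where the same user both created and approved the transaction (a segregation-of-duties breach), and same-vendor payments just under an approval threshold paid within a few days of each other, a common indicator of invoices split to avoid a higher approval level. The column names, user and vendor identifiers, the sample rows, and the 5,000 approval threshold are assumptions made for illustration.<br />

```python
"""
Added example (not from the TIAPS module or any vendor): three simple
computer-assisted audit tests run over a constructed payment extract.

Assumptions (not in the original text): the extract is a CSV with the
columns below; created_by / approved_by are user IDs; amounts are in one
currency; 5,000 is the approval threshold in the delegation of authority.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample extract for illustration only (not real data).
SAMPLE_EXTRACT = """\
payment_id,vendor_id,invoice_no,amount,paid_on,created_by,approved_by
P001,V100,INV-7781,1250.00,2023-03-01,u.alba,m.kola
P002,V100,INV-7781,1250.00,2023-03-09,u.alba,m.kola
P003,V205,INV-0042,980.50,2023-03-10,e.hoxha,e.hoxha
P004,V310,INV-1190,4999.00,2023-03-12,u.alba,m.kola
P005,V310,INV-1191,4999.00,2023-03-12,u.alba,m.kola
P006,V100,INV-7790,300.00,2023-03-15,m.kola,m.kola
"""


def load_payments(text):
    """Parse the CSV extract into dicts with a typed amount and payment date."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["amount"] = float(r["amount"])
        r["paid_on"] = date.fromisoformat(r["paid_on"])
        rows.append(r)
    return rows


def duplicate_payments(rows):
    """Group payments by vendor, invoice number and amount; any group with
    more than one payment is a candidate double payment for follow-up."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor_id"], r["invoice_no"], r["amount"])].append(r["payment_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def segregation_of_duties_breaches(rows):
    """Payments where one user both created and approved the transaction,
    i.e. the preventive segregation-of-duties control did not operate."""
    return [r["payment_id"] for r in rows if r["created_by"] == r["approved_by"]]


def split_payments_near_threshold(rows, threshold=5000.0, window_days=3):
    """Same-vendor payments within 10% below the approval threshold and paid
    within window_days of each other: a classic split-invoice indicator."""
    near_limit = defaultdict(list)
    for r in rows:
        if 0.9 * threshold <= r["amount"] < threshold:
            near_limit[r["vendor_id"]].append(r)
    hits = []
    for vendor, vendor_rows in near_limit.items():
        vendor_rows.sort(key=lambda r: r["paid_on"])  # stable: keeps file order on ties
        for a, b in zip(vendor_rows, vendor_rows[1:]):
            if (b["paid_on"] - a["paid_on"]).days <= window_days:
                hits.append((vendor, a["payment_id"], b["payment_id"]))
    return hits


def run_tests(text=SAMPLE_EXTRACT):
    """Run all three tests and return the exceptions for the auditor to review."""
    rows = load_payments(text)
    return {
        "duplicates": duplicate_payments(rows),
        "sod_breaches": segregation_of_duties_breaches(rows),
        "split_payments": split_payments_near_threshold(rows),
    }


if __name__ == "__main__":
    for name, result in run_tests().items():
        print(f"{name}: {result}")
```

Run as a script it prints the three exception lists; in practice the extract would be exported from the finance system and the threshold taken from the organization's own delegation of authority. Each test is a few lines that state the control being tested, which is what a CAATT package does at scale, and the output is a list of exceptions for human judgment, not a conclusion.<br />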
<strong>2D</strong>.3.2 Agile <strong>Audit</strong>ing<br />
The term “agile auditing” can be used informally to describe professional practices that are<br />
flexible and responsive. A more technical use refers to <strong>the</strong> application of <strong>the</strong> Agile manifesto<br />
and principles to internal auditing.<br />
The Agile manifesto was developed by software engineers in 2001 to define principles to<br />
optimize <strong>the</strong> value of work produced for clients with <strong>the</strong> utmost efficiency. The 12 principles<br />
are:<br />
1. Our highest priority is to satisfy <strong>the</strong> customer through early and continuous delivery of<br />
valuable software.<br />
2. Welcome changing requirements, even late in development. Agile processes harness<br />
change for <strong>the</strong> customer’s competitive advantage.<br />
3. Deliver working software frequently, from a couple of weeks to a couple of months,<br />
with a preference to <strong>the</strong> shorter timescale.<br />
4. Business people and developers must work toge<strong>the</strong>r daily throughout <strong>the</strong> project.<br />
5. Build projects around motivated individuals. Give <strong>the</strong>m <strong>the</strong> environment and support<br />
<strong>the</strong>y need, and trust <strong>the</strong>m to get <strong>the</strong> job done.<br />
6. The most efficient and effective method of conveying information to and within a<br />
development team is face-to-face conversation.<br />
7. Working software is <strong>the</strong> primary measure of progress.<br />
8. Agile processes promote sustainable development. The sponsors, developers, and<br />
users should be able to maintain a constant pace indefinitely.<br />
9. Continuous attention to technical excellence and good design enhances agility.<br />
10. Simplicity – <strong>the</strong> art of maximizing <strong>the</strong> amount of work not done – is essential.<br />
11. The best architectures, requirements, and designs emerge from self-organizing<br />
teams.<br />
12. At regular intervals, the team reflects on how to become more effective, then tunes<br />
and adjusts its behavior accordingly. 45<br />
45<br />
www.agilemanifesto.org<br />
This can also be expressed as choosing to value:<br />
• Individuals and interactions over processes and tools.<br />
• Working software over comprehensive documentation.<br />
• Customer collaboration over contract negotiation.<br />
• Responding to change over following a plan.<br />
Scrum, a framework developed by some of the manifesto’s signatories, shares this focus on<br />
reflective, self-organizing teamwork (especially principles 11 and 12). A daily scrum is a<br />
15-minute team meeting to review progress and plan the day. A sprint is a short, fixed<br />
time-box (typically two to four weeks) in which the team commits to and delivers an agreed<br />
set of work; it opens with a planning session in which priorities and goals are set and<br />
agreed, and closes with a review and a retrospective. A scrum board is a simple display<br />
providing a quick visualization of actions divided into:<br />
• To do.<br />
• Doing.<br />
• Done.<br />
Kanban is a similar framework for implementing Agile principles, relying on real-time<br />
communication of capacity and progress and on limiting work in progress.<br />
The Agile approach can be applied to internal auditing. Deloitte, for example, has developed<br />
an internal audit agile manifesto.<br />
1. Outcome-driven | Value-driven.<br />
2. Just-in-time | Proactive approach to <strong>the</strong> “right projects at <strong>the</strong> right depth/focus.”<br />
3. One size does not fit all – customized project focused on value and risk.<br />
4. Collaborative approach – take <strong>the</strong> journey with our clients.<br />
5. Mix it up a little bit, break some eggs – challenge “that’s <strong>the</strong> way we’ve always done<br />
it.”<br />
6. Decisioning “as you go” with transparency and alignment.<br />
7. Continuous communication with all stakeholders.<br />
8. Be quick and iterative versus confined to a plan.<br />
9. Impact over thoroughness – “good enough” (80/20 rule). 46<br />
In practice this means:<br />
• <strong>Managing</strong> a flexible and responsive audit plan ra<strong>the</strong>r than a rigid 12-month schedule<br />
of engagements. Often an initial plan is created, perhaps with firm dates for <strong>the</strong> next<br />
period (three or six months), while <strong>the</strong> subsequent period is considered provisional<br />
so that changes can be made as circumstances, risks, and priorities evolve. (See, for<br />
example, “Planning for uncertainty: <strong>the</strong> rise of <strong>the</strong> flexible audit plan.” 47 )<br />
• Customizing processes and formats to meet <strong>the</strong> needs of <strong>the</strong> client ra<strong>the</strong>r than<br />
sticking with a standard approach and templates.<br />
• Communicating with <strong>the</strong> client continuously, sharing findings and agreeing<br />
management responses during <strong>the</strong> engagement as far as possible.<br />
• Blending assurance and advisory engagements.<br />
• Adopting innovative styles of report, focusing on the truly essential, and dispensing<br />
with superfluous details. (See, for example, “One page audit report: maximizing<br />
efficiency, elevating impact.” 48 )<br />
46<br />
Becoming agile: A guide to elevating internal audit’s performance and value, Deloitte, 2017.<br />
47<br />
“Planning for uncertainty: the rise of the flexible audit plan,” AuditBoard, 2022.<br />
<strong>2D</strong>.3.3 Lean <strong>Audit</strong>ing<br />
A close relative of agile auditing is lean auditing, as described by James Paterson in his<br />
2015 book Lean Auditing: Driving Added Value and Efficiency in Internal Audit. 49 Lean<br />
production methods derive from the Toyota Production System, developed by the car<br />
manufacturer in the decades after the Second World War and labeled “lean” in the late<br />
1980s. The philosophy is a combination of just-in-time and right-first-time thinking, using<br />
only as much resource as is needed to deliver quality services. We sometimes get so bogged<br />
down in following time-honored practices that we fail to see that some of the inputs are<br />
unnecessary. Internal audit’s deliverable is not the audit report but the impact on the<br />
organization. The aim of lean approaches is to reduce defects, lead times, costs, and waste<br />
while improving capacity, productivity, responsiveness, and customer satisfaction.<br />
The key aims can be expressed as follows:<br />
• Understand value from <strong>the</strong> point of view of <strong>the</strong> customer.<br />
• Identify <strong>the</strong> value stream.<br />
• Create activities that flow.<br />
• Pull through to deliver “just in time”.<br />
• Aim for perfect process without waste/rework or bottlenecks. 50<br />
According to Paterson, to transfer <strong>the</strong> principles of lean production to internal auditing<br />
requires <strong>the</strong> following:<br />
• Be clear who are <strong>the</strong> key customers of our audit work.<br />
• Be clear what those customers really want (and what <strong>the</strong>y do not want).<br />
• Pay close attention to identifying Muda (waste).<br />
• Resource assignments appropriately.<br />
• Plan assignments carefully. 51<br />
Paterson also identifies four important ways in which productivity can be improved during<br />
engagements.<br />
• Testing. The key is to know how much is enough. There is a tendency to over-audit<br />
above <strong>the</strong> level of risk or desired level of assurance.<br />
• Root cause analysis. While less time may be spent in many cases on testing, more<br />
time can be usefully applied to analysis and identifying root causes. <strong>Audit</strong> reports<br />
often pull <strong>the</strong>ir punches by presenting findings but providing inadequate insight.<br />
• Driving value in effective audit reporting. Reports should focus on what is important,<br />
avoiding a common temptation to describe in detail every action taken by the auditor<br />
and every piece of evidence collected.<br />
• Audit team culture. As modeled by the head of unit, the internal audit function must<br />
be committed to the principles of lean auditing, working with pace and energy to drive<br />
organizational improvements. 52<br />
48<br />
“One page audit report: maximizing efficiency, elevating impact,” AuditBoard, 2022.<br />
49<br />
Paterson, James, Lean Auditing: Driving Added Value and Efficiency in Internal Audit, Wiley, 2015.<br />
50<br />
Lean Auditing (Part 1): Rethinking Internal Audit Using Lean Techniques to Enhance Value and Improve Productivity,<br />
efficientlearning.com.<br />
51<br />
Lean Auditing (Part 2): Rethinking Internal Audit Using Lean Techniques to Enhance Value and Improve Productivity,<br />
efficientlearning.com.<br />
<strong>2D</strong>.3.4 New and Evolving Risk Areas<br />
The World Economic Forum publishes a list of <strong>the</strong> top ten risks every year. They are not<br />
specifically risks for organizations or any particular sector but for <strong>the</strong> world. Each<br />
organization has its own risk profile related to its objectives and circumstances. However,<br />
consideration of global risks is a useful exercise for organizations and <strong>the</strong>ir internal audit<br />
functions. The latest report for 2023 lists <strong>the</strong> following short-term and long-term risks. 53<br />
Short-term (two years):<br />
1. Cost-of-living crisis (Societal).<br />
2. Natural disasters and extreme weather events (Environmental).<br />
3. Geoeconomic confrontation (Geopolitical).<br />
4. Failure to mitigate climate change (Environmental).<br />
5. Erosion of social cohesion and societal polarization (Societal).<br />
6. Large-scale environmental damage incidents (Environmental).<br />
7. Failure of climate change adaptation (Environmental).<br />
8. Widespread cybercrime and cyber insecurity (Technological).<br />
9. Natural resource crises (Environmental).<br />
10. Large-scale involuntary migration (Societal).<br />
Long-term (10 years):<br />
1. Failure to mitigate climate change (Environmental).<br />
2. Failure of climate change adaptation (Environmental).<br />
3. Natural disasters and extreme weather events (Environmental).<br />
4. Biodiversity loss and ecosystem collapse (Environmental).<br />
5. Large-scale involuntary migration (Societal).<br />
6. Natural resource crises (Environmental).<br />
7. Erosion of social cohesion and societal polarization (Societal).<br />
8. Widespread cybercrime and cyber insecurity (Technological).<br />
9. Geoeconomic confrontation (Geopolitical).<br />
10. Large-scale environmental damage incidents (Environmental).<br />
As <strong>the</strong>y are not specific to objectives, we can regard <strong>the</strong>se broadly speaking as risk areas.<br />
There is a high degree of uncertainty and volatility in each of <strong>the</strong>se. We can use <strong>the</strong> WEF<br />
categories to consider areas of new and emerging risks relevant for most organizations that<br />
should be considered as part of internal audit’s risk-based planning.<br />
52<br />
Lean <strong>Audit</strong>ing (Part 3): Rethinking <strong>Internal</strong> <strong>Audit</strong> Using Lean Techniques to Enhance Value and Improve Productivity,<br />
efficientlearning.com.<br />
53<br />
Global Risks Report 2023, World Economic Forum, 2023.<br />
63
WEF categories of global risks and the important organizational risk areas within each:<br />
• Societal: culture, fraud.<br />
• Technological: cybersecurity, cloud computing, BYOD (bring your own device), blockchain.<br />
• Environmental: ESG, water and food shortages.<br />
• Geopolitical: supply chain disruption, third-party vendors.<br />
• Economic: rising inflation, wealth inequality.<br />
Many of <strong>the</strong>se are overlapping and inter-related. For example, environmental, geopolitical,<br />
and economic factors can all impact supply chains.<br />
The European Confederation of Institutes of Internal Auditing (ECIIA) also produces an annual<br />
compendium of key risks. 54<br />
For internal audit, <strong>the</strong> underlying processes for evaluating <strong>the</strong> significance of any risks to <strong>the</strong><br />
organization and its objectives are <strong>the</strong> same. The auditor would consider a series of<br />
questions regarding management’s actions:<br />
• Has <strong>the</strong> risk been correctly identified?<br />
• Has <strong>the</strong> risk been analyzed and evaluated?<br />
• Have appropriate responses to <strong>the</strong> risk been implemented?<br />
• Are those responses operating as expected?<br />
• Is <strong>the</strong> organization operating within agreed and appropriate risk appetite and<br />
tolerances or is it exposed to an unacceptable level of risk?<br />
<strong>Audit</strong>ors can use a generic model such as <strong>the</strong> COSO <strong>Internal</strong> Control – Integrated<br />
Framework as <strong>the</strong> basis for considering <strong>the</strong> effectiveness of internal control in regard to any<br />
class of risks. In addition, <strong>the</strong>re are special considerations needed. There are also tools and<br />
guidance to support this work.<br />
Culture<br />
Culture is an intangible but significant component of organizations influencing many aspects<br />
about what it does and how it does it. The IIA’s Practice Guide: <strong>Audit</strong>ing Culture quotes this<br />
definition of culture and its related element of conduct:<br />
Culture represents <strong>the</strong> invisible belief systems, values, norms, and preferences of <strong>the</strong><br />
individuals that form an organization. Conduct represents <strong>the</strong> tangible manifestation<br />
of culture through <strong>the</strong> actions, behaviors, and decisions of <strong>the</strong>se individuals. 55<br />
The audit function is required to “assess and make appropriate recommendations to improve<br />
<strong>the</strong> organization’s governance processes” in accordance with Standard 2110 – Governance.<br />
Culture is specifically referenced in <strong>the</strong> Implementation Guidance for Standard 2100 –<br />
Nature of Work:<br />
To devise an appropriate strategy for assessing the organization’s governance, risk<br />
management, and control processes, the CAE typically considers the level of<br />
maturity of the three processes as well as the organization’s culture and the seniority<br />
of the individuals who maintain responsibility for the processes. 56<br />
54<br />
See Risk in focus 2023: more risky, uncertain, and volatile times ahead, ECIIA, 2023.<br />
55<br />
Practice Guide: Auditing Culture, The Institute of Internal Auditors, 2019.<br />
Problems with culture can lead to significant failures. There are many well-known examples<br />
in <strong>the</strong> private sector but <strong>the</strong> same is true for public sector entities. Examples of weaknesses<br />
in culture that can precipitate risks for an organization are itemized in <strong>the</strong> Practice Guide:<br />
• Unreasonable expectations including deadlines, profitability, or levels of efficiency.<br />
• Incentives not aligned with values.<br />
• Employees (including internal auditors) lack knowledge of key risk management<br />
activities and potential risk impacts.<br />
• An inflexible hierarchy impeding <strong>the</strong> flow of information up, down, and across <strong>the</strong><br />
organization.<br />
• A pervasive environment of mistrust toward auditors and regulators including a lack<br />
of understanding of <strong>the</strong> role of controls in achieving business objectives.<br />
• An attitude of hubris (e.g., “That will not happen here.” Or “That has never happened<br />
to us before.”)<br />
• Lack of accountability, especially at senior levels of <strong>the</strong> organization.<br />
• Failure to enforce codes of conduct and related policies and procedures.<br />
• Management (and, in some cases, <strong>the</strong> board) refusing to acknowledge information<br />
contrary to <strong>the</strong>ir opinions.<br />
• Disregard of laws and regulations if <strong>the</strong>y are not conducive to <strong>the</strong> organization<br />
achieving its objectives. 57<br />
We may add that one of <strong>the</strong> weaknesses in culture can be poor organizational<br />
understanding among employees and managers. This can extend to limited awareness of<br />
organizational purpose, a lack of a sense of shared purpose, and uncertainty about <strong>the</strong> roles<br />
played by key functions. It is not uncommon for employees to misunderstand <strong>the</strong> nature and<br />
purpose of internal auditing which <strong>the</strong>y may equate with inspection or internal control.<br />
The Practice Guide also illustrates features of a healthy culture.<br />
• Positive tone from <strong>the</strong> top.<br />
• Clear communication.<br />
• Open dialogue.<br />
• Employee engagement.<br />
• Incentives aligned with core values.<br />
Culture may be intangible but its impacts, such as conduct, are not. When assessing<br />
culture and conduct risks, there is a wide spectrum of potential sources of information to<br />
consider. These include:<br />
• Any value statements (may be labeled mission or vision statements or contained<br />
within <strong>the</strong>se documents) published by <strong>the</strong> organization.<br />
• Top-level, business-line level, and process-level strategies, objectives, and business<br />
plans.<br />
• Risk appetite statements.<br />
• Organization charts (high level and business units) and related reporting lines.<br />
• Roles, responsibilities, and accountabilities of other control functions (e.g.,<br />
compliance, risk management) and senior management.<br />
• Governance framework.<br />
• Tone at the top and leadership communications with employees.<br />
• Products/services approvals and selling processes.<br />
• Risk escalation protocols.<br />
• Documentation of exceptions and management overrides.<br />
• Codes of conduct/ethics including policies and procedures on speaking up,<br />
nonretaliation, and treating customers fairly.<br />
• Ethics hotline information and training materials.<br />
• Results of culture-related training and testing programs (e.g., sexual harassment,<br />
ethics, code of conduct).<br />
• Employee survey results.<br />
• Exit interview data.<br />
• Board and relevant committee minutes (e.g., governance, risk, nomination and<br />
remuneration, and ethics committees).<br />
• Management’s risk and control self-assessments (RCSAs) including management’s<br />
action plans and their status.<br />
• Relevant culture-related and risk management policies including incentives and<br />
compensation policy, requirements, reports, and expectations.<br />
• Recruitment, onboarding, performance management, retention, and exiting<br />
processes.<br />
• Status of issues raised by internal audit or other control functions, external auditors,<br />
and regulators taking into consideration repeated and long outstanding issues and<br />
root causes that may be related to culture.<br />
• External auditor’s report on the audited financial statements and letter of<br />
representation. 58<br />
56<br />
International Professional Practices Framework, The IIA, 2016.<br />
57<br />
Practice Guide: Auditing Culture, The Institute of Internal Auditors, 2019.<br />
When preparing the audit plan, managers may decide to include an assurance engagement<br />
with a focus on culture. Alternatively, culture can be considered as part of other<br />
engagements and the results used in aggregate to formulate an opinion.<br />
Fraud<br />
<strong>Audit</strong>ing fraud risk management is covered in <strong>Module</strong> 1 <strong>Audit</strong> and Assurance section 1A.5.<br />
Cybersecurity<br />
<strong>Audit</strong>ing IT and cybersecurity risk management is covered in <strong>Module</strong> 1 <strong>Audit</strong> and Assurance<br />
section 1A.5.<br />
58<br />
Practice Guide: <strong>Audit</strong>ing Culture, The Institute of <strong>Internal</strong> <strong>Audit</strong>ors, 2019.<br />
66
ESG<br />
IIA <strong>Internal</strong> <strong>Audit</strong> Competency Framework: Social Responsibility and Sustainability<br />
General Awareness: Describe corporate social responsibility and sustainability.<br />
Applied Knowledge: Examine <strong>the</strong> organization’s approach to social responsibility and<br />
sustainability.<br />
Expert: Recommend actions to improve <strong>the</strong> organization’s approach to social responsibility<br />
and sustainability. 59<br />
The term ESG (environmental, social, and governance) is used to cover a range of related<br />
risks. Often the focus is on reporting ESG-related matters and the risks associated with<br />
accuracy, compliance, and reputation. Arguably organizations, especially those in the public<br />
sector, have responsibilities beyond reporting requirements related to public service,<br />
stewardship of resources, and accountability. The Sustainable Development Goals (SDGs)<br />
were adopted by all United Nations member states in 2015 in recognition of our collective<br />
responsibility to people and the planet. The 1987 United Nations Brundtland Commission<br />
defined sustainability as “meeting the needs of the present without compromising the ability<br />
of future generations to meet their own needs.” Addressing profound social and<br />
environmental concerns is something that affects us all.<br />
Internal auditors can make a significant contribution to ESG by:
• Staying informed.
• Acting as an advocate for sustainable practices.
• Helping organizational leaders understand and accept their economic, political, regulatory, societal, and ethical responsibilities for sustainability of operations.
• Identifying legislative and regulatory requirements for sustainability and evaluating organizational risks.
• Providing advisory services to support the changes needed to address the management of sustainability risks, including requirements for ESG reporting. This is likely to include arrangements for gathering and validating data on such matters as measures for access, diversity, equity, and inclusion, water usage, waste disposal, and carbon emissions.
• Providing assurance on data integrity and internal and external reporting.
The IIA paper Internal Audit’s Role in ESG Reporting identifies the following assurance and advisory roles:
• Assurance roles:
o Review reporting metrics for relevancy, accuracy, timeliness, and consistency.
o Review reporting for consistency with formal financial disclosure filings.
o Conduct materiality or risk assessments on ESG reporting.
o Incorporate ESG into audit plans.
• Advisory roles:
o Build an ESG control environment.
o Recommend reporting metrics.
o Advise on ESG governance. [60]

[59] Internal Audit Competency Framework, The IIA, 2022.
Third-Party Risks

Unless an organization is entirely self-sufficient (which is practically impossible), it needs to leverage and rely upon the services of others. In doing so, it is exposing itself to risks related to downstream consequences if the expected supply of goods and services fails, including when the vendor itself fails. There are also risks associated with the potential for the third party knowingly or unknowingly to abuse the relationship, for example by misusing or exposing confidential or personal data. Reputational and sometimes legal damages can occur by association with an organization that misbehaves.
To help auditors evaluate the risks and controls associated with third-party relationships, the IIA has released a Practice Guide: Auditing Third Party Risk Management. This includes the following questions to be considered:
• Does the organization have a comprehensive inventory of its third-party providers?
• Does the organization’s third-party risk management program align with its risk appetite?
• Does the organization have a list of the types of risks (reputational, strategic, compliance, financial, human resources, IT, etc.) third parties may pose?
• How does the organization identify, define, and manage third-party risks?
• What are the appropriate assessment criteria for third-party risks (e.g., impact and likelihood scales)?
• How does the organization gauge the impact individual third parties may have on its business continuity strategy?
• How far down the supply chain should third parties be considered? Should subservice or fourth-party providers be monitored?
• What metrics should be reviewed to ensure a third-party provider is performing within the organization’s risk tolerance?
• Will the organization have recourse to recover damages from a third party if problems arise?
• Do contracts with third parties include the right for the contracting organization’s internal audit activity or other control functions to conduct audits if there is a need or desire to do so?
• Is the third party handling data that requires a specific level of control? How does the organization validate that the third party is following all relevant laws, regulations, and technical requirements for data security?
• How does internal audit coordinate with the organization’s second line of defense (e.g., legal, compliance, procurement) that may be performing risk management activities regarding third parties?
• How does the organization ensure ethical behavior by the third parties? [61]
Common controls include conducting due diligence in advance of entering into an agreement with a vendor, considering alternative providers, ensuring contracts offer sufficient protections and rights, maintaining regular communication and continued monitoring, and reviewing and renewing agreements on a cyclical basis.

A further consideration is the ability of the organization to cope with an unexpected disruption to supplies, whether caused by failures of the vendor or by other events and circumstances outside of the vendor’s control. What contingencies are in place to draw essential goods and services from alternative sources? How quickly could such a switch be achieved?

[60] Internal Audit’s Role in ESG Reporting, The IIA, 2021.
[61] Practice Guide: Auditing Third Party Risk Management, The IIA, 2018.
2D.3: Reflection

Does your internal audit function use digital tools for audit planning, management, and data analytics? What are the biggest inhibitors in making greater use of these tools?

Are the principles and practices of Agile auditing well-suited to your organization? Does your internal audit function have plans to introduce innovations such as: flexible, responsive planning; continuous auditing; continuous client engagement; audit dashboards; and shorter, non-traditional reporting formats?

Which of the following groups of risks are included in your audit plan: sustainability, third-party contracts, artificial intelligence, cybersecurity, and organizational culture? How do senior management and the governing body currently receive assurance regarding control over these risks?

Can your internal audit function do more as an advisor to help senior management and the governing body anticipate, identify, and manage new and emerging risks?