TIAPS ALB_Module 2D. Managing the Internal Audit Activity

  • No tags were found...

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

<strong>2D</strong>. <strong>Managing</strong> <strong>the</strong> <strong>Internal</strong> <strong>Audit</strong> <strong>Activity</strong><br />

<strong>2D</strong> Learning Outcomes<br />

On completion of this section, students will be better able to:<br />

• Differentiate between <strong>the</strong> roles and responsibilities of internal audit managers and<br />

chief audit executives.<br />

• Develop a strategic plan for internal audit function.<br />

• Promote advanced professional audit practices (e.g., agile auditing, data analytics,<br />

using digital tools, alternative reporting methods, auditing ESG, and auditing<br />

cybersecurity).<br />

<strong>2D</strong>.1 <strong>Managing</strong> <strong>the</strong> <strong>Internal</strong> <strong>Audit</strong> Function<br />

IIA <strong>Internal</strong> <strong>Audit</strong> Competency Framework: <strong>Internal</strong> <strong>Audit</strong> Strategic Planning and<br />

Management<br />

General Awareness: Recognize <strong>the</strong> importance of aligning <strong>the</strong> internal audit strategic plan<br />

with <strong>the</strong> organization’s strategy. Differentiate various internal audit roles, including <strong>the</strong><br />

engagement supervisor and chief audit executive. Identify key activities in supervising<br />

engagements.<br />

Applied Knowledge: Create <strong>the</strong> internal audit strategic plan in alignment with <strong>the</strong><br />

organization’s strategy, risk profile, and risk management strategy; create an effective and<br />

efficient budget for <strong>the</strong> internal audit activity. Manage internal audit personnel (including<br />

recruiting, developing, motivating, managing conflict, building teams, delegating, retaining<br />

talent, and succession planning); create policies and procedures for managing internal audit<br />

operations. Supervise engagements.<br />

Expert: Assess <strong>the</strong> internal audit strategic plan; evaluate and recommend improvements to<br />

<strong>the</strong> budget for <strong>the</strong> internal audit activity. Assess <strong>the</strong> talent management efforts of <strong>the</strong> internal<br />

audit activity; appraise policies, procedures, and administrative activities of <strong>the</strong> internal audit<br />

activity. Assess engagement supervision activities to ensure <strong>the</strong> quality of <strong>the</strong> internal audit<br />

activity. 33<br />

There are many roles a manager must adopt, and <strong>the</strong>se apply to a leadership positions<br />

within <strong>the</strong> internal audit function as much as anywhere. Henry Mintzberg, for example,<br />

identified ten key roles for managers:<br />

1. Figurehead.<br />

2. Leader.<br />

3. Liaison.<br />

4. Monitor.<br />

5. Disseminator.<br />

6. Spokesperson.<br />

7. Entrepreneur.<br />

8. Disturbance handler.<br />

9. Resource allocator.<br />

10. Negotiator. 34<br />

33<br />

<strong>Internal</strong> <strong>Audit</strong> Competency Framework, The IIA, 2022.<br />

34 Mintzberg, Henry Mintzberg on Management, Free Press, 1989.<br />


A manager manages tasks and activities, people, budgets, information, time, talent, and<br />

relationships by using tools like goal setting, planning, performance monitoring and<br />

evaluation, communication, training, motivation, delegation, diplomacy, and leading by<br />

example.<br />

Structures of internal audit functions can vary according to <strong>the</strong> resources available and <strong>the</strong><br />

nature of <strong>the</strong> work. In <strong>the</strong> smallest possible functions, one person acts as <strong>the</strong> chief audit<br />

executive and <strong>the</strong> sole internal auditor, perhaps supported by guest auditors or outsourced<br />

services. In this case <strong>the</strong> individual is responsible for everything, although full compliance<br />

with <strong>the</strong> requirements of <strong>the</strong> IPPF and adequate coverage of <strong>the</strong> significant risks and<br />

controls of <strong>the</strong> organization can be challenging. In larger teams <strong>the</strong> head of <strong>the</strong> function can<br />

choose to stratify roles according to an appropriate hierarchy to assist with <strong>the</strong> tasks of<br />

coordinating, directing, and leading. As <strong>the</strong> IPPF makes clear, <strong>the</strong> head of internal audit may<br />

choose to delegate but retains <strong>the</strong> ultimate responsibility (see for example Standard 2440 –<br />

Disseminating Results: “When <strong>the</strong> chief audit executive delegates <strong>the</strong>se duties, he or she<br />

retains overall responsibility.” 35 )<br />

Roles in order of ascending seniority may include:<br />

• Junior auditor.<br />

• Senior auditor.<br />

• <strong>Audit</strong> supervisor.<br />

• <strong>Audit</strong> manager or lead auditor.<br />

• <strong>Audit</strong> director.<br />

• Head of internal audit.<br />

As well as being a way of organizing activities and resources, such hierarchical structures<br />

can help with defining career paths for individuals who are ambitious. There may also be<br />

specialized positions for activities such as IT. Individuals may also be expert in key<br />

processes. Value for money (performance) audits, evaluations, and investigations are<br />

sometimes part of <strong>the</strong> audit function (although this is not required by <strong>the</strong> Standards) and in<br />

o<strong>the</strong>r situations are managed separately. The head of <strong>the</strong> function must ensure <strong>the</strong>re is<br />

sufficient expertise to cover <strong>the</strong> scope as defined in <strong>the</strong> charter and deliver <strong>the</strong> assurance<br />

engagements in <strong>the</strong> approved plan. This is stated in Standard 1210 – Proficiency:<br />

<strong>Internal</strong> auditors must possess <strong>the</strong> knowledge, skills, and o<strong>the</strong>r competencies needed to<br />

perform <strong>the</strong>ir individual responsibilities. The internal audit activity collectively must<br />

possess or obtain <strong>the</strong> knowledge, skills, and o<strong>the</strong>r competencies needed to perform its<br />

responsibilities. 36<br />

A similar point is made regarding <strong>the</strong> supervision of audit engagements in Standard 2340 –<br />

Engagement Supervision.<br />

Engagements must be properly supervised to ensure objectives are achieved, quality is<br />

assured, and staff is developed.<br />

35<br />

International Professional Practices Framework, The IIA, 2016.<br />

36<br />

International Professional Practices Framework, The IIA, 2016.<br />


Interpretation: The extent of supervision required will depend on <strong>the</strong> proficiency and<br />

experience of internal auditors and <strong>the</strong> complexity of <strong>the</strong> engagement. The chief audit<br />

executive has overall responsibility for supervising <strong>the</strong> engagement, whe<strong>the</strong>r performed<br />

by or for <strong>the</strong> internal audit activity, but may designate appropriately experienced<br />

members of <strong>the</strong> internal audit activity to perform <strong>the</strong> review. Appropriate evidence of<br />

supervision is documented and retained. 37<br />

In addition to <strong>the</strong> general managerial roles listed above, managers in internal auditing have<br />

specific responsibilities as defined by <strong>the</strong> International Standards for <strong>the</strong> Professional<br />

Practice of <strong>Internal</strong> <strong>Audit</strong>ing included within <strong>the</strong> IPPF, according to which <strong>the</strong> head of internal<br />

audit (<strong>the</strong> CAE) must:<br />

The CAE must<br />

Standard<br />

Periodically review <strong>the</strong> internal audit charter.<br />

Standard 1000 – Purpose,<br />

Authority, and Responsibility<br />

Discuss <strong>the</strong> mandatory elements of <strong>the</strong> IPPF with senior Standard 1010 – Recognizing<br />

management and <strong>the</strong> board.<br />

Mandatory Guidance in <strong>the</strong><br />

<strong>Internal</strong> <strong>Audit</strong> Charter<br />

Disclose interference in <strong>the</strong> work of internal audit to <strong>the</strong> Standard 1110 –<br />

board and discuss <strong>the</strong> implications.<br />

Organizational Independence<br />

Communicate and interact directly with <strong>the</strong> board. Standard 1110 –<br />

Organizational Independence<br />

Obtain competent advice and assistance if internal Standard 1210 – Proficiency<br />

auditors lack <strong>the</strong> competencies to perform planned<br />

assurance engagements and decline consulting<br />

engagements or obtain competent advice and assistance<br />

if internal auditors lack <strong>the</strong> competencies to perform<br />

planned advisory engagements.<br />

Develop and maintain a quality assurance and<br />

Standard 1300 – Quality<br />

improvement program (QAIP).<br />

Assurance and Improvement<br />

Discuss <strong>the</strong> form and frequency of external assessments<br />

and <strong>the</strong> qualifications and independence of assessors with<br />

<strong>the</strong> board and encourage board oversight of external<br />

assessments to reduce potential conflicts of interest.<br />

Communicate results of <strong>the</strong> QAIP to senior management<br />

and <strong>the</strong> board.<br />

Disclose any nonconformance with <strong>the</strong> Code of Ethics of<br />

Standards and its impact with senior management and <strong>the</strong><br />

board.<br />

Manage <strong>the</strong> internal audit function effectively.<br />

Establish, communicate, and seek approval for a riskbased<br />

plan of engagements in consultation with senior<br />

management and <strong>the</strong> board, adjusting <strong>the</strong> plan in<br />

response to organizational and situational changes as<br />

needed.<br />

Program<br />

Standard 1312 – External<br />

Assessments<br />

Standard 1320 – Reporting on<br />

<strong>the</strong> Quality Assurance and<br />

Improvement Program<br />

1322 – Disclosure of<br />

Nonconformance<br />

Standard 2000 – <strong>Managing</strong> <strong>the</strong><br />

<strong>Internal</strong> <strong>Audit</strong> <strong>Activity</strong><br />

Standard 2010 – Planning<br />

37<br />

International Professional Practices Framework, The IIA, 2016.<br />


Ensure sufficiency of resources to deliver <strong>the</strong> plan.<br />

Establish policies and procedures for internal auditing.<br />

Share information, coordinate activities, and consider<br />

relying on <strong>the</strong> work of o<strong>the</strong>r assurance providers.<br />

Report periodically to senior management and <strong>the</strong> board<br />

on performance relative to <strong>the</strong> plan.<br />

Set and implement policies for retention and access to<br />

engagement records.<br />

Communicate corrected information if final communication<br />

contains significant errors or omissions.<br />

Review, approve, and communicate results of audits to<br />

appropriate parties.<br />

Establish and maintain a system to monitor <strong>the</strong> disposition<br />

of results.<br />

Discuss situations with senior management where level of<br />

risk accepted by management is unacceptable and, if<br />

unresolved, communicate <strong>the</strong> matter with <strong>the</strong> board.<br />

Standard 2030 – Resource<br />

Management<br />

Standard 2040 – Policies and<br />

Procedures<br />

Standard 2050 – Coordination<br />

and Reliance<br />

Standard 2060 – Reporting to<br />

Senior Management and <strong>the</strong><br />

Board<br />

Standard 2330 – Documenting<br />

Information<br />

Standard 2421 – Errors and<br />

Omissions<br />

Standard 2440 – Disseminating<br />

Results<br />

Standard 2500 – Monitoring<br />

Progress<br />

Standard 2600 –<br />

Communicating <strong>the</strong><br />

Acceptance of Risk<br />

To carry out <strong>the</strong>se roles, <strong>the</strong> head of <strong>the</strong> function must enjoy unrestricted access to senior<br />

management and <strong>the</strong> board (Standard 1100 – Independence and Objectivity) and report to a<br />

level that allows internal audit to fulfil its responsibilities, including reporting functionally to<br />

<strong>the</strong> board (Standard 1110 – Organizational Independence). In some cases, <strong>the</strong> head of <strong>the</strong><br />

internal audit unit is <strong>the</strong> only member of <strong>the</strong> team. In such situations <strong>the</strong> head does not have<br />

responsibility for managing o<strong>the</strong>r people but is expected to plan, perform, and communicate<br />

engagements as well as fulfil <strong>the</strong> duties listed above. The most important of <strong>the</strong>se relate to<br />

<strong>the</strong> relationship with senior management and <strong>the</strong> governing body, safeguarding<br />

independence, and managing <strong>the</strong> quality assurance and improvement program.<br />

<strong>2D</strong>.1: Reflection<br />

Consider <strong>the</strong> 10 manager roles listed by Mintzberg given above.<br />

Are all <strong>the</strong>se roles appropriate for <strong>the</strong> head of an internal audit unit, and if not, why not?<br />

Of <strong>the</strong> 10 roles listed, which do you see yourself currently fulfilling as part of your job?<br />

Identify all that apply.<br />

Of <strong>the</strong> 10 roles listed, for which do currently have <strong>the</strong> necessary competency to fulfil?<br />

Of <strong>the</strong> 10 roles listed, for which do you most need to develop your competency to fulfil<br />

successfully?<br />


<strong>2D</strong>.2 <strong>Internal</strong> <strong>Audit</strong> Strategic Planning<br />

There are three important levels at which planning should take place:<br />

• Individual engagements (work program).<br />

• Multiple engagements (audit plan).<br />

• <strong>Internal</strong> audit strategy (strategic plan).<br />

<strong>2D</strong>.2.1 Engagement Work Program<br />

Creating <strong>the</strong> work program is usually a task for <strong>the</strong> internal auditor. It describes <strong>the</strong> process,<br />

resources, and timelines needed to fulfil <strong>the</strong> audit objectives, and it should be approved by<br />

<strong>the</strong> head of internal audit or a designee. The requirements for <strong>the</strong> work program are<br />

described in Standard 2201 – Planning Considerations and Standard 2240 – Engagement<br />

Work Program.<br />

<strong>2D</strong>.2.2 <strong>Internal</strong> <strong>Audit</strong> Plan<br />

IIA <strong>Internal</strong> <strong>Audit</strong> Competency Framework: <strong>Audit</strong> Plan and Coordinating Assurance<br />

Efforts<br />

General Awareness: Identify sources of potential engagements, including industry trends<br />

and emerging risks. Describe coordination of internal audit efforts with <strong>the</strong> external auditor,<br />

regulatory oversight bodies, and o<strong>the</strong>r internal assurance functions, and potential reliance on<br />

o<strong>the</strong>r assurance providers.<br />

Applied Knowledge: Conduct a risk assessment, prioritize engagements, develop a riskbased<br />

internal audit plan, and obtain board approval. Prepare a risk assurance map.<br />

Expert: Evaluate and revise a risk-based internal audit plan to meet <strong>the</strong> organization’s<br />

evolving needs. Coordinate assurance efforts with o<strong>the</strong>r providers to ensure proper coverage<br />

and minimize duplication of efforts. 38<br />

The audit plan is often created for a 12-month period although <strong>the</strong> Standards do not require<br />

it to be an annual plan. Increasingly, internal audit functions are developing shorter plans to<br />

allow for greater flexibility and responsiveness. As part of <strong>the</strong> audit plan, resources and<br />

timelines are allocated to individual engagements. The requirements for <strong>the</strong> audit plan,<br />

including that it be risk-based, are defined in Standard 2010 – Planning. The head must also<br />

ensure sufficiency of resources (Standard 2030 – Resource Management). As part of <strong>the</strong><br />

audit plan, <strong>the</strong> head of internal audit may identify opportunities for using <strong>the</strong> findings of o<strong>the</strong>r<br />

internal and external assurance providers to avoid unnecessarily repeating work. There is<br />

also an important role to play in coordinating assurance across an entity to ensure<br />

sufficiency and efficiency of coverage (see Standard 2050 – Coordination and Reliance).<br />

However, <strong>the</strong> opportunity to use <strong>the</strong> work of o<strong>the</strong>r assurance providers may be limited if<br />

<strong>the</strong>re are no risk and compliance functions performance audits. Even where such audits<br />

have been conducted, internal audit must first determine <strong>the</strong> reliability by considering factors<br />

such as relevance, use of standards, competence, degree of independence of <strong>the</strong> provider<br />

from <strong>the</strong> activity under review, and objectivity of <strong>the</strong> auditors deployed. The due diligence<br />

required to confirm <strong>the</strong> reliability of <strong>the</strong> work of o<strong>the</strong>r providers can be time-consuming.<br />

38<br />

<strong>Internal</strong> <strong>Audit</strong> Competency Framework, The IIA, 2022.<br />


A more agile approach to internal audit planning with a span shorter than 12 months requires<br />

more frequent review and updating of <strong>the</strong> plan to keep <strong>the</strong> upcoming period in view. This is<br />

possible in practical terms if <strong>the</strong> approvals process for <strong>the</strong> audit plan (by <strong>the</strong> audit committee<br />

or governing body) is similarly agile. Sometimes bureaucratic processes necessitate a more<br />

traditional approach to planning, often within an annual cycle. The head of <strong>the</strong> internal audit<br />

unit can advocate for change on <strong>the</strong> basis of <strong>the</strong> benefits an agile approach can provide in<br />

terms of greater responsiveness and relevance to changing conditions, and greater value to<br />

support management oversight and decisions.<br />

<strong>2D</strong>.2.3 <strong>Internal</strong> <strong>Audit</strong> Strategic Plan<br />

The Standards do not refer to a strategic plan for internal audit. However, Implementation<br />

Guidance for Standard 2000 – <strong>Managing</strong> <strong>the</strong> <strong>Internal</strong> <strong>Audit</strong> <strong>Activity</strong> gives a very clear<br />

direction in stating that “<strong>the</strong> CAE develops an internal audit strategy and approach that<br />

aligns with <strong>the</strong> goals and expectations of <strong>the</strong> organization’s leadership.” 39 A strategic plan is<br />

not simply a multi-year audit plan. It represents a medium- to long-term program for<br />

enhancing and improving <strong>the</strong> internal audit function and <strong>the</strong> services it delivers to better<br />

serve <strong>the</strong> current and future needs of <strong>the</strong> organization. To prepare for this, <strong>the</strong> head of <strong>the</strong><br />

function should consider <strong>the</strong> following:<br />

• The internal audit function’s purpose and responsibility as defined in <strong>the</strong> charter or by<br />

legislation.<br />

• The organization’s structure, reporting relationships, and resources.<br />

• Organizational stakeholders and <strong>the</strong>ir needs and expectations, most notably:<br />

o The governing body.<br />

o Senior management.<br />

o Unit managers.<br />

o Line ministries or equivalent where applicable as well as central government<br />

priorities.<br />

o External audit (comprising <strong>the</strong> Supreme <strong>Audit</strong> Institution and any o<strong>the</strong>r<br />

external audit service providers).<br />

o Service users (individuals, organizations).<br />

o Suppliers.<br />

• The organization’s vision, mission, goals, and strategies.<br />

• Risks in relation to <strong>the</strong> organization’s vision, mission, goals, and strategies, taking<br />

account of trends and emerging issues.<br />

• The International Professional Practices Framework.<br />

• Risk management maturity.<br />

• The current strengths and weaknesses of <strong>the</strong> internal audit function.<br />

• O<strong>the</strong>r information about <strong>the</strong> organization, its position and activities, <strong>the</strong> sector in<br />

which it operates, its culture, and so on.<br />

39<br />

International Professional Practices Framework, The IIA, 2016.<br />


Common tools for analyzing <strong>the</strong> internal and external environment include:<br />

• A SWOT analysis for <strong>the</strong> organization:<br />

o Strengths and weaknesses of <strong>the</strong> organization, its current performance,<br />

position, and prospects.<br />

o Opportunities and threats (which collectively may be considered as risks) that<br />

may impact future performance, position, and prospects.<br />

• A SWOT analysis for <strong>the</strong> internal audit function.<br />

• A PESTEL analysis, covering <strong>the</strong> following classes of local, regional, national, and<br />

international factors, trends, and shifts:<br />

o Political (election cycles, leadership, political factions, policies).<br />

o Environmental (natural resources, waste disposal, pollution).<br />

o Social (demographics, opinions, habits, rule of law, education, poverty).<br />

o Technological (innovation, adoption, hazards).<br />

o Economic (GDP, inflation, unemployment).<br />

o Legislation.<br />

When developing a strategy for internal audit, it is very useful to create a vision statement.<br />

This is designed to capture and communicate a succinct expression of ambition. Examples<br />

of internal audit vision statements are given below:<br />

• To be known for providing superior internal audit services and to continually<br />

challenge ourselves to provide <strong>the</strong>m in a value added, best practices manner. Fairfax<br />

County.<br />

• To be recognized by VUMC management and <strong>the</strong> Board of Directors as<br />

an independent and sought after resource that actively supports <strong>the</strong> organization’s<br />

identification, evaluation and mitigation of risks and serves as a proponent for internal<br />

controls and continuous improvement. Vanderbilt University Medical Center.<br />

• To be a valued partner with MUW management by providing assurance and<br />

consulting services that help <strong>the</strong> University meet goals through building trust,<br />

partnerships, and exhibiting a high skill level and a thorough understanding of <strong>the</strong><br />

University. Mississippi University for Women.<br />

• To be a trusted and innovative internal audit service provider to public sector<br />

management and o<strong>the</strong>r stakeholders. General Department, Republic of Kenya.<br />

A vision should define a desired future state of <strong>the</strong> internal audit function.<br />

Many internal audit strategic plans also include a mission statement to describe <strong>the</strong><br />

function’s purpose and how it will reach its vision. The IPPF includes a generic mission<br />

statement for <strong>the</strong> profession and many internal audit functions adopt and adapt this:<br />

To enhance and protect organizational value by providing risk-based and objective<br />

assurance, advice, and insight. 40<br />

Critical success factors are those essential elements on which <strong>the</strong> success of <strong>the</strong> strategic<br />

plan depends. The IIA Practice Guide: Developing <strong>the</strong> <strong>Internal</strong> <strong>Audit</strong> Strategic Plan offers<br />

three questions to consider that help identify those success factors:<br />

40<br />

International Professional Practices Framework, The IIA, 2016.<br />


• Positioning – Is <strong>the</strong> internal audit activity strategically positioned and supported?<br />

• Processes – Are <strong>the</strong> internal audit activity’s processes enabling and dynamic in<br />

meeting business needs?<br />

• People – Does <strong>the</strong> internal audit activity have <strong>the</strong> right people strategy to deliver its<br />

mission? 41<br />

The major portion of <strong>the</strong> internal audit strategic plan should describe key initiatives to be<br />

undertaken to support <strong>the</strong> achievement of vision and mission and continue to drive <strong>the</strong><br />

performance of <strong>the</strong> function forward. As part of <strong>the</strong> strategic (and potentially developed as a<br />

separate but related strategy), <strong>the</strong> following major areas are likely to require detailed<br />

consideration:<br />

• Talent strategy, including remuneration, recruitment, onboarding, retention, training,<br />

performance monitoring and evaluation, recognition, reward, promotion, and<br />

succession planning for key individuals. (<strong>Managing</strong> people is covered in section 2B.)<br />

• Resource strategy, including digital transformation and use of digital tools for audit<br />

planning, management, monitoring, and reporting. (Use of digital tools is covered in<br />

section <strong>2D</strong>.3 and data analytics in 2E.)<br />

• Process development strategy, including continuous evolution of policies,<br />

procedures, audit manuals, and so on.<br />

• Quality assurance strategy, incorporating self-assessment, target-setting for<br />

improvement, supervision, training, peer review, and external assessments. (Quality<br />

assurance is covered in section 2C.)<br />

Many internal audit functions consciously identify and promote a coherent brand as part of<br />

<strong>the</strong>ir strategy linked to <strong>the</strong>ir mission and goals. This may be effected through consistency in<br />

communications (emails, reports, presentations, and so on).<br />

<strong>2D</strong>.2: Reflection<br />

What is <strong>the</strong> period covered by <strong>the</strong> internal audit plan (i.e., <strong>the</strong> plan of engagements)?<br />

What are <strong>the</strong> pros and cons of creating a 12-month audit plan each year compared with<br />

something longer or shorter?<br />

Does your internal audit function have a well-defined strategy and strategic plan?<br />

If your internal audit unit has a vision and/or mission statement, share and discuss <strong>the</strong>m<br />

with your fellow students. If not, or if you are not aware of <strong>the</strong>m, how you would state <strong>the</strong><br />

vision and <strong>the</strong> mission for <strong>the</strong> internal audit unit?<br />

41<br />

Practice Guide: Developing <strong>the</strong> <strong>Internal</strong> <strong>Audit</strong> Strategic Plan, The IIA, 2012.<br />


<strong>2D</strong>.3 Advanced Professional Practices<br />

IIA <strong>Internal</strong> <strong>Audit</strong> Competency Framework: Communication<br />

General Awareness: Recognize <strong>the</strong> value of advocacy and <strong>the</strong> importance of maintaining<br />

stakeholder relationships (e.g., board, senior management, audit clients, o<strong>the</strong>r assurance<br />

providers, external stakeholders). Describe appropriate communications between internal<br />

auditors and stakeholders, including key performance indicators; recognize that <strong>the</strong> chief<br />

audit executive reports on <strong>the</strong> overall effectiveness of <strong>the</strong> organization’s internal control and<br />

risk management processes to senior management and <strong>the</strong> board. Recognize <strong>the</strong><br />

importance of written and verbal communication skills, including soft skills such as conflict<br />

management, influence, and persuasion.<br />

Applied Knowledge: Manage <strong>the</strong> internal audit activity’s reputation and stakeholder<br />

expectations; demonstrate sincerity, honesty, and empathy in communications with<br />

stakeholders to build trust and maintain relationships. Prepare relevant and appropriate<br />

communications for internal audit stakeholders, including reports to senior management and<br />

<strong>the</strong> board (e.g., significant risk exposures, key performance indicators, etc.). Demonstrate<br />

soft skills (conflict management, influence, and persuasion); provide insightful consultation to<br />

contribute to <strong>the</strong> organization’s effectiveness; detect opportunities for change and facilitate<br />

change.<br />

Expert: Assess stakeholder relationships and recommend actions to achieve improvements;<br />

evaluate <strong>the</strong> advocacy efforts of <strong>the</strong> internal audit activity. Assess internal audit<br />

communications with stakeholders, including key performance indicators to evaluate <strong>the</strong><br />

success of <strong>the</strong> internal audit activity, and recommend improvements. Assess <strong>the</strong> internal<br />

audit activity’s written and verbal communication skills, soft skills, and innovation;<br />

recommend improvements. 42<br />

As a profession, internal auditing and its practices continue to evolve. This does not happen<br />

at an even rate around <strong>the</strong> world. The maturity of internal auditing depends on many factors,<br />

including leadership, resources, culture, sector, organizational objectives, legislative and<br />

regulatory requirements, and <strong>the</strong> risk management maturity of <strong>the</strong> organization. <strong>Internal</strong><br />

audit leaders have a responsibility to ensure <strong>the</strong>ir clients receive <strong>the</strong> best possible service<br />

aligned to organizational needs. They should stay informed about developments in <strong>the</strong><br />

profession as well as advancing <strong>the</strong>ir own expertise. This can be achieved through<br />

networking with peers, training, reading, listening to stakeholders, and harnessing <strong>the</strong><br />

potential within <strong>the</strong>ir own team by encouraging innovation. <strong>Audit</strong> leaders should be unafraid<br />

to experiment and to challenge perceived orthodoxy in pursuit of continuous improvement.<br />

<strong>Audit</strong> functions, especially in <strong>the</strong> public sector, can be small and fully stretched in delivering<br />

internal audit services. it is a challenge to find <strong>the</strong> time and resource to commit to innovation<br />

and improvement, including experimentation with different approaches such as agile<br />

methodologies. The support and encouragement of <strong>the</strong> Central Harmonization Unit, audit<br />

committee (where such exists), and senior leadership are crucial. The head of <strong>the</strong> internal<br />

audit unit must persuade those to whom <strong>the</strong>y are accountable of <strong>the</strong> need for continuous<br />

development. Strategic goals must be realistic, but it is imperative to establish forward<br />

42<br />

<strong>Internal</strong> <strong>Audit</strong> Competency Framework, The IIA, 2022.<br />


momentum, to remain relevant, to keep up with <strong>the</strong> ever-changing internal and external<br />

environments, to serve <strong>the</strong> organization and its stakeholders successfully.<br />

How should a head of internal audit go about persuading whoever controls <strong>the</strong>ir budget (<strong>the</strong><br />

audit committee, governing body, senior management, central government). In a 2019 blog,<br />

Anand Bhakta, writing for <strong>Audit</strong>Board, provided some useful suggestions to help win <strong>the</strong><br />

argument for more resources. 43<br />

• Know your organization’s culture. <strong>Internal</strong> audit needs to be aligned with what<br />

matters most to those who control <strong>the</strong> budgets.<br />

• Consider your CFO’s communication style. The head of internal audit must appeal to<br />

<strong>the</strong> primary decision-maker regarding budgets by providing information in a way best<br />

suited to <strong>the</strong>ir personal preferences.<br />

• Start with prior wins. It always helps to highlight improvements that have resulted<br />

from internal audit recommendations and this is even more effective when <strong>the</strong>y are<br />

quantifiable in terms of costs saved, errors corrected, waste reduced, fraud<br />

discovered or averted, timelines shortened, higher levels of compliance, productivity<br />

increased, and user satisfaction improved. (<strong>Internal</strong> audit metrics are considered in<br />

<strong>Module</strong> 3.)<br />

• Make <strong>the</strong> business case. Speak <strong>the</strong> language of finance and link internal audit<br />

successes with financial performance. (Financial ratios are considered in <strong>Module</strong> 3.)<br />

• Show <strong>the</strong> cost comparison. If <strong>the</strong> head of internal audit is asking for an increase in<br />

resources, it is fair to ask for a comparison with <strong>the</strong> value this will add. Cost savings<br />

may be achieved by employing a new auditor ra<strong>the</strong>r than relying on outsourced<br />

expertise, for example, or investing in automation to reduce time and costs spent in<br />

manual tasks while increasing coverage and accuracy.<br />

• Keep an open mind. A process of negotiation is more likely to be successful if you<br />

are prepared to compromise.<br />

• Know how to follow up. The end of a conversation or a meeting usually requires<br />

follow agreements and actions where it is important for <strong>the</strong> head of internal audit to<br />

be proactive.<br />

The head of internal audit must be an advocate for change. <strong>Internal</strong> audit functions – whose<br />

purpose is to act as a catalyst for continuous improvement – should (subject to resources)<br />

set an example by embracing innovation. The following sections consider what may be<br />

regarded as “advanced professional practices,” reflecting some observed innovation<br />

happening in internal audit functions.<br />

<strong>2D</strong>.3.1 Using Digital Tools<br />

The use of computer assisted audit tools and techniques (sometimes abbreviated to<br />

CAATTs) continues to develop as <strong>the</strong> potential of technology advances. We can make a<br />

broad distinction between <strong>the</strong> two main uses internal auditors make of technology:<br />

• To manage audit processes (such as planning, documentation, and communication).<br />

• To test and analyze data.<br />

43<br />

7 Ways to Win <strong>the</strong> <strong>Internal</strong> <strong>Audit</strong> Budget Argument with your CFO, <strong>Audit</strong>Board, 2019.<br />


For fur<strong>the</strong>r detail, see Computer Assisted <strong>Audit</strong> Techniques (CAATS): Definition, types,<br />

advantages and disadvantages 44 .<br />

There is a wide variety of audit software designed to automate <strong>the</strong> audit process, enabling:<br />

• Collaborative, participatory, continuous, comprehensive, dynamic, and anticipatory<br />

activities, seamlessly integrating multiple perspectives and systems.<br />

• Dynamic and agile planning.<br />

• Remote auditing and supervision.<br />

• Cloud-based storage for streamlined documentation, ready access, sharing,<br />

monitoring, and review.<br />

• Easy access to and manipulation of big data.<br />

• Advanced analysis and evaluation techniques.<br />

• Continuous communication and reporting.<br />

• Integration with o<strong>the</strong>r systems, including risk and control platforms, and <strong>the</strong> potential<br />

for continuous risk assessment and continuous auditing.<br />

• Ongoing monitoring for follow-up.<br />

Increasingly organizations have digital assets (such as cryptocurrency (in environments like<br />

Blockchain) and non-fungible token (NFTs)) that form part of <strong>the</strong> audit universe, although to<br />

a lesser extent in <strong>the</strong> ublic sector compared with private sector organizations. In addition,<br />

technological innovations such as robotic process automation (RPA), machine learning (ML),<br />

natural language programming (NLP), artificial intelligence (AI) and data analytics tools offer<br />

huge potential for internal auditors, including:<br />

• Reduced costs and time.<br />

• Increased efficiency, speed, agility, accuracy, and quality.<br />

• Ability to automate mundane, laborious tasks.<br />

• Ability to evaluate much larger volumes of data.<br />

• Potential to deliver greater insights and value.<br />

• Opportunities for real-time and continuous auditing.<br />

• Improved processes for planning, creating work papers, retaining documents, testing,<br />

evaluating results, reporting, and monitoring for follow up.<br />

• Enhanced experiences for <strong>the</strong> internal auditor and <strong>the</strong> client.<br />

Many of <strong>the</strong> agile auditing practices described in <strong>the</strong> next section (<strong>2D</strong>.3.2) are enabled or<br />

greatly assisted by <strong>the</strong> use of technology.<br />

Adoption of digital tools has generally been slower in <strong>the</strong> public sector and is proportionate<br />

to internal audit maturity and available economic resources. Progress can be made<br />

incrementally, starting with small steps. Excel offers huge potential beyond offering a useful<br />

grid for holding data. IDEA is an example of a commonly used audit software with options to<br />

implement on a modular basis. Without seizing such opportunities, <strong>the</strong>re is a real danger<br />

internal auditing will be regarded as outmoded and irrelevant. However, when planning for<br />

44<br />

Computer Assisted <strong>Audit</strong> Techniques (CAATS): Definition, types, advantages and disadvantages, Accounting Hub.<br />


<strong>the</strong> introduction of CAATTs, internal audit managers should be clear about <strong>the</strong>ir objectives<br />

for doing so and consider <strong>the</strong> potential pitfalls.<br />

• There is likely to be a license cost for <strong>the</strong> desired app, software, platform, or system,<br />

plus installation and integration with existing IT.<br />

• It is very important to ensure users receive <strong>the</strong> necessary training.<br />

CAATTs can be a distraction and <strong>the</strong>re should be a plan for <strong>the</strong> introduction of additional<br />

capabilities to ensure <strong>the</strong>y genuinely improve <strong>the</strong> quality of internal audit services and meet<br />

<strong>the</strong> needs of audit clients. You can be seduced by <strong>the</strong> sophisticated modeling and<br />

visualizations but that is no guarantee <strong>the</strong> findings are relevant. There will always be a need<br />

for human judgment and insight.<br />

These tools can be used to enable automated controls testing, as described in <strong>Module</strong> 1<br />

<strong>Audit</strong> and Assurance section 1C.3.2.<br />

<strong>2D</strong>.3.2 Agile <strong>Audit</strong>ing<br />

The term “agile auditing” can be used informally to describe professional practices that are<br />

flexible and responsive. A more technical use refers to <strong>the</strong> application of <strong>the</strong> Agile manifesto<br />

and principles to internal auditing.<br />

The Agile manifesto was developed by software engineers in 2001 to define principles to<br />

optimize <strong>the</strong> value of work produced for clients with <strong>the</strong> utmost efficiency. The 12 principles<br />

are:<br />

1. Our highest priority is to satisfy <strong>the</strong> customer through early and continuous delivery of<br />

valuable software.<br />

2. Welcome changing requirements, even late in development. Agile processes harness<br />

change for <strong>the</strong> customer’s competitive advantage.<br />

3. Deliver working software frequently, from a couple of weeks to a couple of months,<br />

with a preference to <strong>the</strong> shorter timescale.<br />

4. Business people and developers must work toge<strong>the</strong>r daily throughout <strong>the</strong> project.<br />

5. Build projects around motivated individuals. Give <strong>the</strong>m <strong>the</strong> environment and support<br />

<strong>the</strong>y need, and trust <strong>the</strong>m to get <strong>the</strong> job done.<br />

6. The most efficient and effective method of conveying information to and within a<br />

development team is face-to-face conversation.<br />

7. Working software is <strong>the</strong> primary measure of progress.<br />

8. Agile processes promote sustainable development. The sponsors, developers, and<br />

users should be able to maintain a constant pace indefinitely.<br />

9. Continuous attention to technical excellence and good design enhances agility.<br />

10. Simplicity – <strong>the</strong> art of maximizing <strong>the</strong> amount of work not done – is essential.<br />

11. The best architectures, requirements, and designs emerge from self-organizing<br />

teams.<br />

12. At regular intervals, <strong>the</strong> team reflects on how to become more effective, <strong>the</strong>n tunes<br />

and adjusts<br />

its behavior accordingly. 45<br />

45<br />

www.agilemanifesto.org<br />


This can also be expressed as choosing to value:<br />

• Individuals and interactions over processes and tools.<br />

• Working software over comprehensive documentation.<br />

• Customer collaboration over contract negotiation.<br />

• Responding to change over following a plan.<br />

From <strong>the</strong> focus on reflective, self-organizing teamwork – especially in principles 11 and 12 –<br />

<strong>the</strong> idea of scrums and sprints was also developed. A daily scrum is a 15-minute team<br />

meeting to review and plan. A sprint is a session in which short term plans are created by <strong>the</strong><br />

team through which priorities and goals are set and agreed. A scrum board is a simple<br />

display providing a quick visualization of actions divided into:<br />

• To do.<br />

• Doing.<br />

• Done.<br />

Kanban is a similar framework for implementing Agile principles, relying on real-time<br />

communication of capacity and progress.<br />

The Agile approach can be applied to internal auditing. Deloitte, for example, has developed<br />

an internal audit agile manifesto.<br />

1. Outcome-driven | Value-driven.<br />

2. Just-in-time | Proactive approach to <strong>the</strong> “right projects at <strong>the</strong> right depth/focus.”<br />

3. One size does not fit all – customized project focused on value and risk.<br />

4. Collaborative approach – take <strong>the</strong> journey with our clients.<br />

5. Mix it up a little bit, break some eggs – challenge “that’s <strong>the</strong> way we’ve always done<br />

it.”<br />

6. Decisioning “as you go” with transparency and alignment.<br />

7. Continuous communication with all stakeholders.<br />

8. Be quick and iterative versus confined to a plan.<br />

9. Impact over thoroughness – “good enough” (80/20 rule). 46<br />

In practice this means:<br />

• <strong>Managing</strong> a flexible and responsive audit plan ra<strong>the</strong>r than a rigid 12-month schedule<br />

of engagements. Often an initial plan is created, perhaps with firm dates for <strong>the</strong> next<br />

period (three or six months), while <strong>the</strong> subsequent period is considered provisional<br />

so that changes can be made as circumstances, risks, and priorities evolve. (See, for<br />

example, “Planning for uncertainty: <strong>the</strong> rise of <strong>the</strong> flexible audit plan.” 47 )<br />

• Customizing processes and formats to meet <strong>the</strong> needs of <strong>the</strong> client ra<strong>the</strong>r than<br />

sticking with a standard approach and templates.<br />

• Communicating with <strong>the</strong> client continuously, sharing findings and agreeing<br />

management responses during <strong>the</strong> engagement as far as possible.<br />

• Blending assurance and advisory engagements.<br />

46<br />

Becoming agile: A guide to elevating internal audit’s performance and value, Deloitte, 2017.<br />

47<br />

“Planning for uncertainty: <strong>the</strong> rise of <strong>the</strong> flexible audit plan,” <strong>Audit</strong>Board, 2022.<br />


• Adopting innovative styles of report, focusing on <strong>the</strong> truly essential, and dispensing<br />

with superfluous details. (See, for example, “One page audit report: maximizing<br />

efficiency, elevating impact.” 48 )<br />

<strong>2D</strong>.3.3 Lean <strong>Audit</strong>ing<br />

A close relative of agile auditing is lean auditing, as described by James Paterson in his<br />

2015 book Lean <strong>Audit</strong>ing: Driving Added Value and Efficiency in <strong>Internal</strong> <strong>Audit</strong>. 49 Lean<br />

production methods were developed in <strong>the</strong> 1980s by car manufacturer Toyota. The<br />

philosophy is a combination of just-in-time and right-first-time thinking, using only as much<br />

resource as is needed to deliver quality services. We sometimes get bogged down in<br />

following time-honored practices that we fail to see that some of <strong>the</strong> inputs are unnecessary.<br />

<strong>Internal</strong> audit’s deliverable is not <strong>the</strong> audit report but <strong>the</strong> impact on <strong>the</strong> organization. The aim<br />

of lean approaches is to reduce defects, lead times, costs, and waste while improving<br />

capacity productivity, responsiveness, and customer satisfaction.<br />

The key aims can be expressed as follows:<br />

• Understand value from <strong>the</strong> point of view of <strong>the</strong> customer.<br />

• Identify <strong>the</strong> value stream.<br />

• Create activities that flow.<br />

• Pull through to deliver “just in time”.<br />

• Aim for perfect process without waste/rework or bottlenecks. 50<br />

According to Paterson, to transfer <strong>the</strong> principles of lean production to internal auditing<br />

requires <strong>the</strong> following:<br />

• Be clear who are <strong>the</strong> key customers of our audit work.<br />

• Be clear what those customers really want (and what <strong>the</strong>y do not want).<br />

• Pay close attention to identifying Muda (waste).<br />

• Resource assignments appropriately.<br />

• Plan assignments carefully. 51<br />

Paterson also identifies four important ways in which productivity can be improved during<br />

engagements.<br />

• Testing. The key is to know how much is enough. There is a tendency to over-audit<br />

above <strong>the</strong> level of risk or desired level of assurance.<br />

• Root cause analysis. While less time may be spent in many cases on testing, more<br />

time can be usefully applied to analysis and identifying root causes. <strong>Audit</strong> reports<br />

often pull <strong>the</strong>ir punches by presenting findings but providing inadequate insight.<br />

48<br />

“One page audit report: maximizing efficiency, elevating impact,” <strong>Audit</strong>Board, 2022.<br />

49<br />

Paterson, James, Lean <strong>Audit</strong>ing: Driving Added Value and Efficiency in <strong>Internal</strong> <strong>Audit</strong>, Wiley, 2015<br />

50<br />

Lean <strong>Audit</strong>ing (Part 1): Rethinking <strong>Internal</strong> <strong>Audit</strong> Using Lean Techniques to Enhance Value and Improve Productivity,<br />

efficientlearning.com.<br />

51<br />

Lean <strong>Audit</strong>ing (Part 2): Rethinking <strong>Internal</strong> <strong>Audit</strong> Using Lean Techniques to Enhance Value and Improve Productivity,<br />

efficientlearning.com.<br />


• Driving value in effective audit reporting. Reports should focus on what is important,<br />

avoiding a common temptation to describe in detail every action taken by <strong>the</strong> auditor<br />

and every piece of evidence collected.<br />

• <strong>Audit</strong> team culture. As modeled by <strong>the</strong> head of unit, <strong>the</strong> internal audit function must<br />

be committed to <strong>the</strong> principles of lean auditing, working with pace and energy to drive<br />

organizational improvements. 52<br />

<strong>2D</strong>.3.4 New and Evolving Risk Areas<br />

The World Economic Forum publishes a list of <strong>the</strong> top ten risks every year. They are not<br />

specifically risks for organizations or any particular sector but for <strong>the</strong> world. Each<br />

organization has its own risk profile related to its objectives and circumstances. However,<br />

consideration of global risks is a useful exercise for organizations and <strong>the</strong>ir internal audit<br />

functions. The latest report for 2023 lists <strong>the</strong> following short-term and long-term risks. 53<br />

Short-term (two years)<br />

Long-term (10 years)<br />

Risk Category Risk Category<br />

1. Cost of living crisis Societal 1. Failure to mitigate climate Environmental<br />

change<br />

2. Natural disasters and Environmental 2. Failure of climate change Environmental<br />

extreme wea<strong>the</strong>r events<br />

adaptation<br />

3. Geoeconomic<br />

Geopolitical 3. Natural disasters and Environmental<br />

confrontation<br />

extreme wea<strong>the</strong>r events<br />

4. Failure to mitigate climate Environmental 4. Biodiversity loss and Environmental<br />

change<br />

ecosystem collapse<br />

5. Erosion of social<br />

Societal 5. Large-scale involuntary Societal<br />

coherence and societal<br />

polarization<br />

migration<br />

6. Large-scale<br />

environmental damage<br />

Environmental 6. Natural resource crises Environmental<br />

incidents<br />

7. Failure of climate change<br />

adaptation<br />

Environmental<br />

7. Erosion of social<br />

cohesion and societal<br />

polarization<br />

8. Widespread cybercrime<br />

and cyber insecurity<br />

8. Widespread cybercrime Technological<br />

and cyber insecurity<br />

9. Natural resource crises Environmental 9. Geoeconomic<br />

confrontation<br />

10. Large-scale involuntary Societal<br />

migration<br />

10. Large-scale<br />

environmental damage<br />

incidents<br />

Societal<br />

Technological<br />

Geopolitical<br />

Environmental<br />

As <strong>the</strong>y are not specific to objectives, we can regard <strong>the</strong>se broadly speaking as risk areas.<br />

There is a high degree of uncertainty and volatility in each of <strong>the</strong>se. We can use <strong>the</strong> WEF<br />

categories to consider areas of new and emerging risks relevant for most organizations that<br />

should be considered as part of internal audit’s risk-based planning.<br />

52<br />

Lean <strong>Audit</strong>ing (Part 3): Rethinking <strong>Internal</strong> <strong>Audit</strong> Using Lean Techniques to Enhance Value and Improve Productivity,<br />

efficientlearning.com.<br />

53<br />

Global Risks Report 2023, World Economic Forum, 2023.<br />


WEF Categories of Global<br />

Risks<br />

Societal<br />

Technological<br />

Environmental<br />

Geopolitical<br />

Economic<br />

Important Organizational Risk Areas<br />

Culture, fraud<br />

Cybersecurity, cloud computing, BYOD (bring your own<br />

device), Blockchain<br />

ESG, water and food shortages<br />

Supply chain disruption, third party vendors<br />

Rising inflation, wealth inequality<br />

Many of <strong>the</strong>se are overlapping and inter-related. For example, environmental, geopolitical,<br />

and economic factors can all impact supply chains.<br />

The European Confederation of Institutes of <strong>Internal</strong> <strong>Audit</strong>ors ECIIA also produces an annual<br />

compendium of key risks. 54<br />

For internal audit, <strong>the</strong> underlying processes for evaluating <strong>the</strong> significance of any risks to <strong>the</strong><br />

organization and its objectives are <strong>the</strong> same. The auditor would consider a series of<br />

questions regarding management’s actions:<br />

• Has <strong>the</strong> risk been correctly identified?<br />

• Has <strong>the</strong> risk been analyzed and evaluated?<br />

• Have appropriate responses to <strong>the</strong> risk been implemented?<br />

• Are those responses operating as expected?<br />

• Is <strong>the</strong> organization operating within agreed and appropriate risk appetite and<br />

tolerances or is it exposed to an unacceptable level of risk?<br />

<strong>Audit</strong>ors can use a generic model such as <strong>the</strong> COSO <strong>Internal</strong> Control – Integrated<br />

Framework as <strong>the</strong> basis for considering <strong>the</strong> effectiveness of internal control in regard to any<br />

class of risks. In addition, <strong>the</strong>re are special considerations needed. There are also tools and<br />

guidance to support this work.<br />

Culture<br />

Culture is an intangible but significant component of organizations influencing many aspects<br />

about what it does and how it does it. The IIA’s Practice Guide: <strong>Audit</strong>ing Culture quotes this<br />

definition of culture and its related element of conduct:<br />

Culture represents <strong>the</strong> invisible belief systems, values, norms, and preferences of <strong>the</strong><br />

individuals that form an organization. Conduct represents <strong>the</strong> tangible manifestation<br />

of culture through <strong>the</strong> actions, behaviors, and decisions of <strong>the</strong>se individuals. 55<br />

The audit function is required to “assess and make appropriate recommendations to improve<br />

<strong>the</strong> organization’s governance processes” in accordance with Standard 2110 – Governance.<br />

Culture is specifically referenced in <strong>the</strong> Implementation Guidance for Standard 2100 –<br />

Nature of Work:<br />

To devise an appropriate strategy for assessing <strong>the</strong> organization’s governance, risk<br />

management, and control processes, <strong>the</strong> CAE typically considers <strong>the</strong> level of<br />

54<br />

See Risk in focus 2023: more risky, uncertain, and volatile times ahead, ECIIA, 2023.<br />

55<br />

Practice Guide: <strong>Audit</strong>ing Culture, The Institute of <strong>Internal</strong> <strong>Audit</strong>ors, 2019.<br />


maturity of <strong>the</strong> three processes as well as <strong>the</strong> organization’s culture and <strong>the</strong> seniority<br />

of <strong>the</strong> individuals who maintain responsibility for <strong>the</strong> processes. 56<br />

Problems with culture can lead to significant failures. There are many well-known examples<br />

in <strong>the</strong> private sector but <strong>the</strong> same is true for public sector entities. Examples of weaknesses<br />

in culture that can precipitate risks for an organization are itemized in <strong>the</strong> Practice Guide:<br />

• Unreasonable expectations including deadlines, profitability, or levels of efficiency.<br />

• Incentives not aligned with values.<br />

• Employees (including internal auditors) lack knowledge of key risk management<br />

activities and potential risk impacts.<br />

• An inflexible hierarchy impeding <strong>the</strong> flow of information up, down, and across <strong>the</strong><br />

organization.<br />

• A pervasive environment of mistrust toward auditors and regulators including a lack<br />

of understanding of <strong>the</strong> role of controls in achieving business objectives.<br />

• An attitude of hubris (e.g., “That will not happen here.” Or “That has never happened<br />

to us before.”)<br />

• Lack of accountability, especially at senior levels of <strong>the</strong> organization.<br />

• Failure to enforce codes of conduct and related policies and procedures.<br />

• Management (and, in some cases, <strong>the</strong> board) refusing to acknowledge information<br />

contrary to <strong>the</strong>ir opinions.<br />

• Disregard of laws and regulations if <strong>the</strong>y are not conducive to <strong>the</strong> organization<br />

achieving its objectives. 57<br />

We may add that one of <strong>the</strong> weaknesses in culture can be poor organizational<br />

understanding among employees and managers. This can extend to limited awareness of<br />

organizational purpose, a lack of a sense of shared purpose, and uncertainty about <strong>the</strong> roles<br />

played by key functions. It is not uncommon for employees to misunderstand <strong>the</strong> nature and<br />

purpose of internal auditing which <strong>the</strong>y may equate with inspection or internal control.<br />

The Practice Guide also illustrates features of a healthy culture.<br />

• Positive tone from <strong>the</strong> top.<br />

• Clear communication.<br />

• Open dialogue.<br />

• Employee engagement.<br />

• Incentives aligned with core values.<br />

Culture may be intangible buts its impacts, such as conduct, are not. When assessing<br />

culture and conduct risks, <strong>the</strong>re is a wide spectrum of potential sources of information to<br />

consider. These include:<br />

• Any value statements (may be labeled mission or vision statements or contained<br />

within <strong>the</strong>se documents) published by <strong>the</strong> organization.<br />

• Top-level, business-line level, and process-level strategies, objectives, and business<br />

plans.<br />

56<br />

International Professional Practices Framework, The IIA, 2016.<br />

57<br />

Practice Guide: <strong>Audit</strong>ing Culture, The Institute of <strong>Internal</strong> <strong>Audit</strong>ors, 2019.<br />


• Risk appetite statements.<br />

• Organization charts (high level and business units) and related reporting lines.<br />

• Roles, responsibilities, and accountabilities of o<strong>the</strong>r control functions (e.g.,<br />

compliance, risk management) and senior management.<br />

• Governance framework.<br />

• Tone at <strong>the</strong> top and leadership communications with employees.<br />

• Products/services approvals and selling processes.<br />

• Risk escalation protocols.<br />

• Documentation of exceptions and management overrides.<br />

• Codes of conduct/ethics including policies and procedures on speaking up,<br />

nonretaliation, and treating customers fairly.<br />

• Ethics hotline information and training materials.<br />

• Results of culture-related training and testing programs (e.g., sexual harassment,<br />

ethics, code of conduct).<br />

• Employee survey results.<br />

• Exit interview data.<br />

• Board and relevant committee minutes (e.g., governance, risk, nomination and<br />

remuneration, and ethics committees).<br />

• Management’s risk and control self-assessments (RCSAs) including management’s<br />

action plans and <strong>the</strong>ir status.<br />

• Relevant culture-related and risk management policies including incentives and<br />

compensation policy, requirements, reports, and expectations.<br />

• Recruitment, onboarding, performance management, retention, and exiting<br />

processes.<br />

• Status of issues raised by internal audit or o<strong>the</strong>r control functions, external auditors,<br />

and regulators taking into consideration repeated and long outstanding issues and<br />

root causes that may be related to culture.<br />

• External auditor’s report on <strong>the</strong> audited financial statements and letter of<br />

representation. 58<br />

When planning <strong>the</strong> audit plan, managers may decide to include an assurance engagement<br />

with a focus on culture. Alternatively, culture can be considered as part of o<strong>the</strong>r<br />

engagements and used in aggregate to formulate an opinion.<br />

Fraud<br />

<strong>Audit</strong>ing fraud risk management is covered in <strong>Module</strong> 1 <strong>Audit</strong> and Assurance section 1A.5.<br />

Cybersecurity<br />

<strong>Audit</strong>ing IT and cybersecurity risk management is covered in <strong>Module</strong> 1 <strong>Audit</strong> and Assurance<br />

section 1A.5.<br />

58<br />

Practice Guide: <strong>Audit</strong>ing Culture, The Institute of <strong>Internal</strong> <strong>Audit</strong>ors, 2019.<br />


ESG<br />

IIA <strong>Internal</strong> <strong>Audit</strong> Competency Framework: Social Responsibility and Sustainability<br />

General Awareness: Describe corporate social responsibility and sustainability.<br />

Applied Knowledge: Examine <strong>the</strong> organization’s approach to social responsibility and<br />

sustainability.<br />

Expert: Recommend actions to improve <strong>the</strong> organization’s approach to social responsibility<br />

and sustainability. 59<br />

The term ESG (environmental, social, and governance) is used to cover a range of related<br />

risks. Often <strong>the</strong> focus is on reporting ESG-related matters and <strong>the</strong> risks associated with<br />

accuracy, compliance, and reputation. Arguably organizations, especially those in <strong>the</strong> public<br />

sector, have responsibilities beyond reporting requirements related to public service,<br />

stewardship of resources, and accountability. The Sustainable Development Goals (SDGs)<br />

were adopted by all members of <strong>the</strong> United Nations in recognition of our collective<br />

responsibility to people and <strong>the</strong> planet. The 1987 United Nations Brundtland Commission<br />

defined sustainability as “meeting <strong>the</strong> needs of <strong>the</strong> present without compromising <strong>the</strong> ability<br />

of future generations to meet <strong>the</strong>ir own needs.” Addressing profound social and<br />

environmental concerns is something that affects us all.<br />

<strong>Internal</strong> auditors can make a significant contribution to ESG by:<br />

• Staying informed.<br />

• Acting as an advocate for sustainable practices.<br />

• Helping organizational leaders understand and accept <strong>the</strong>ir economic, political,<br />

regulatory, societal, and ethical responsibilities for sustainability of operations.<br />

• Identifying legislative and regulatory requirements for sustainability and evaluating<br />

organizational risks.<br />

• Providing advisory services to support <strong>the</strong> changes needed to address <strong>the</strong><br />

management of sustainability risks, including requirements for ESG reporting. This is<br />

likely to include arrangements for ga<strong>the</strong>ring and validating data on such matters as<br />

measures for access, diversity, equity, and inclusion, water usage, waste disposal,<br />

and carbon emissions.<br />

• Providing assurance on data integrity and internal and external reporting.<br />

The IIA paper <strong>Internal</strong> <strong>Audit</strong>’s Role in ESG Reporting identifies <strong>the</strong> following assurance and<br />

advisory roles:<br />

• Assurance roles:<br />

o Review reporting metrics for relevancy, accuracy, timeliness, and consistency<br />

o Review reporting for consistency with formal financial disclosure filings.<br />

o Conduct materiality or risk assessments on ESG reporting.<br />

o Incorporate ESG into audit plans.<br />

• Advisory roles:<br />

o Build an ESG control environment.<br />

o Recommend reporting metrics.<br />

o Advise on ESG governance. 60<br />

59<br />

<strong>Internal</strong> <strong>Audit</strong> Competency Framework, The IIA, 2022.<br />


Third-Party Risks<br />

Unless an organization is entirely self-sufficient (which is practically impossible), it needs to<br />

leverage and rely upon <strong>the</strong> services of o<strong>the</strong>rs. In doing so, it is exposing itself to risks related<br />

to downstream consequences if <strong>the</strong> expected supply of goods and services fails, including<br />

when <strong>the</strong> vendor itself fails. There are also risks associated with <strong>the</strong> potential for <strong>the</strong> third<br />

party knowingly or unknowingly to abuse <strong>the</strong> relationship, for example by misusing or<br />

exposing confidential or personal data. Reputational and sometimes legal damages can<br />

occur by association with an organization that misbehaves.<br />

To help auditors evaluate <strong>the</strong> risks and controls associated with third party relationships, <strong>the</strong><br />

IIA has released a Practice Guide: <strong>Audit</strong>ing Third Party Risk Management. This includes <strong>the</strong><br />

following questions to be considered:<br />

• Does <strong>the</strong> organization have a comprehensive inventory of its third-party providers?<br />

• Does <strong>the</strong> organization’s third-party risk management program align with its risk<br />

appetite?<br />

• Does <strong>the</strong> organization have a list of <strong>the</strong> types of risks (reputational, strategic,<br />

compliance, financial, human resources, IT, etc.) third parties may pose?<br />

• How does <strong>the</strong> organization identify, define, and manage third-party risks?<br />

• What are <strong>the</strong> appropriate assessment criteria for third-party risks (e.g., impact and<br />

likelihood scales)?<br />

• How does <strong>the</strong> organization gauge <strong>the</strong> impact individual third parties may have on its<br />

business continuity strategy?<br />

• How far down <strong>the</strong> supply chain should third parties be considered? Should<br />

subservice or fourth-party providers be monitored?<br />

• What metrics should be reviewed to ensure a third-party provider is performing within<br />

<strong>the</strong> organization’s risk tolerance?<br />

• Will <strong>the</strong> organization have recourse to recover damages from a third party if problems<br />

arise?<br />

• Do contracts with third parties include <strong>the</strong> right for <strong>the</strong> contracting organization’s<br />

internal audit activity or o<strong>the</strong>r control functions to conduct audits if <strong>the</strong>re is a need or<br />

desire to do so?<br />

• Is <strong>the</strong> third party handling data that requires a specific level of control? How does <strong>the</strong><br />

organization validate that <strong>the</strong> third party is following all relevant laws, regulations, and<br />

technical requirements for data security?<br />

• How does internal audit coordinate with <strong>the</strong> organization’s second line of defense<br />

(e.g., legal, compliance, procurement) that may be performing risk management<br />

activities regarding third parties?<br />

• How does <strong>the</strong> organization ensure ethical behavior by <strong>the</strong> third parties? 61<br />

Common controls include conducting due diligence in advance of entering into an agreement<br />

with a vendor, considering alternative providers, ensuring contracts offer sufficient<br />

60<br />

<strong>Internal</strong> <strong>Audit</strong>’s Role in ESG Reporting, The IIA, 2021.<br />

61<br />

Practice Guide: <strong>Audit</strong>ing Third Party Risk Management, The IIA, 2018.<br />


protections and rights, maintaining regular communication and continued monitoring, and<br />

reviewing and renewing agreements on a cyclical basis.<br />

Fur<strong>the</strong>r consideration relates to <strong>the</strong> ability of <strong>the</strong> organization to cope with an unexpected<br />

disruption to supplies which may be caused by failures of <strong>the</strong> vendor or o<strong>the</strong>r event and<br />

circumstances outside of <strong>the</strong> vendor’s control. What contingencies are in place to draw<br />

essential goods and services from alternative sources? How quickly could such a switch be<br />

achieved?<br />

<strong>2D</strong>.3: Reflection<br />

Does your internal audit function use digital tools for audit planning, management, and<br />

data analytics? What are <strong>the</strong> biggest inhibitors in making greater use of <strong>the</strong>se tools?<br />

Are <strong>the</strong> principles and practices of Agile auditing well-suited to your organization? Does<br />

your internal audit function have plans to introduce innovations such as: flexible, responsive<br />

planning; continuous auditing; continuous client engagement; audit dashboards; and shorter,<br />

non-traditional reporting formats?<br />

Which of <strong>the</strong> following groups of risks are included in your audit plan: sustainability, thirdparty<br />

contracts, artificial intelligence, cybersecurity, and organizational culture? How do<br />

senior management and <strong>the</strong> governing body currently receive assurance regarding control<br />

over <strong>the</strong>se risks?<br />

Can your internal audit function do more as an advisor to help senior management and <strong>the</strong><br />

governing body anticipate, identify, and manage new and emerging risks?<br />


Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!