Module 3B Managing Resources

More documents

Recommendations

Info

must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. 2010.A1 – The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process. 2010.A2 – The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions. 2010.C1 - The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements must be included in the plan. 22 Standard 2030 – Resource Management The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. Interpretation: Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan. 23 Strategic, operational, and engagement planning and managing people are discussed in Module 2. In this section we focus on managing financial resources and performance management. 3B.1.2 Financial Management for Internal Audit Functions According to Standard 2030, resources must be “appropriate, sufficient, and effectively deployed to achieve the approved plan.” Resources available to an internal function should be approved by the audit committee (if there is one) or the governing body when the audit plan is approved. In an ideal scenario in which the internal audit function enjoys a high degree of organizational independence, resources to support the internal audit strategic and operational plans may be allocated in the form of a financial budget with which the head of internal audit can decide how many full-time, part-time, and outsourced auditors to engage and at what level, as well as obtaining other resources, such as training, memberships and subscriptions, office furniture and equipment (including IT), and auditing software. However, some of these expenses may be 22 International Professional Practices Framework (2017 Edition), The IIA, 2016. 23 International Professional Practices Framework (2017 Edition), The IIA, 2016. 42
controlled in other ways rather than the head of internal audit deciding how to spend the function’s budget. • Staff positions and salaries, for example, may be set according to departmental or central government decree and policies. • Office furniture and equipment (including IT) may also be handled separately from the budget allocated to the internal audit function. • The training budget may be held centrally by the Central Harmonization Unit. The requirement for the head of internal audit to develop, seek approval for, and manage a budget may be limited in practice. Even with delegated budgetary responsibility, many of the costs associated with the function may not be discretionary (i.e., a matter for the budget holder to decide). Salaries (aside from performance-related bonuses), for example, are pre-determined and need only to be tracked. Setting such difficulties to one side, in order to seek approval for a budget, the head of the function needs to produce a proposal aligned with the strategy and plan of engagements. A good starting point is the previous year’s budget although it is not simply a matter of adding a percentage to allow for inflation. Prior levels of resourcing may have been insufficient. Conditions, requirements, and expectations change, and the head of internal audit should always be seeking improvements that may require utilizing resources in a different way. The IIA’s paper “Budgeting the Internal Audit Function: How Much is Enough?” addresses these questions. Benchmarking is sometimes used to help determine what is the appropriate level of resourcing, but no two organizations are completely identical. The paper suggests following a five-step process. Step 1: Define the audit universe. This is a description of all auditable entities (“departments, divisions, systems, processes, subsidiaries, programs, activities, and even accounts”). Step 2: Assess the risks. It is highly unlikely an internal audit function has sufficient resources to audit the entire audit universe. Besides, this approach would be highly inefficient by applying resources to low likelihood, low impact risks where assurance and advice may have limited value. The audit plan needs to prioritize engagements based on organizational objectives and risks because “while internal audit can audit anything, it can’t audit everything.” Assurance mapping may be part of this process to avoid unnecessary overlap and duplication with the work of other assurance providers on which internal audit can place reliance. Step 3: Develop the audit plan. Identifying which audits must be undertaken as a matter of highest urgency helps determine the major part of the budget based on estimated staff hours needed, although some allowance should be made for ad hoc engagements and reactive assurance and advisory engagements for new and emerging risks and 43
Page 1: 3B. Managing Resources (20%) 3B Lea
Page 5 and 6: • Individuals are responsible for
Page 7 and 8: • Empower the people: 6. Emphasiz
Page 9 and 10: • Variance analysis provides usef
Page 11 and 12: The balanced scorecard approach nee
Page 13 and 14: outputs are useful for monitoring p

Module 3B Managing Resources

Create successful ePaper yourself

Delete template?

Save as template?