Module 3B Managing Resources
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
controlled in other ways rather than the head of internal audit deciding how to spend the<br />
function’s budget.<br />
• Staff positions and salaries, for example, may be set according to departmental or<br />
central government decree and policies.<br />
• Office furniture and equipment (including IT) may also be handled separately from the<br />
budget allocated to the internal audit function.<br />
• The training budget may be held centrally by the Central Harmonization Unit.<br />
The requirement for the head of internal audit to develop, seek approval for, and manage a<br />
budget may be limited in practice. Even with delegated budgetary responsibility, many of the<br />
costs associated with the function may not be discretionary (i.e., a matter for the budget holder<br />
to decide). Salaries (aside from performance-related bonuses), for example, are pre-determined<br />
and need only to be tracked.<br />
Setting such difficulties to one side, in order to seek approval for a budget, the head of the<br />
function needs to produce a proposal aligned with the strategy and plan of engagements. A<br />
good starting point is the previous year’s budget although it is not simply a matter of adding a<br />
percentage to allow for inflation. Prior levels of resourcing may have been insufficient.<br />
Conditions, requirements, and expectations change, and the head of internal audit should<br />
always be seeking improvements that may require utilizing resources in a different way.<br />
The IIA’s paper “Budgeting the Internal Audit Function: How Much is Enough?” addresses these<br />
questions. Benchmarking is sometimes used to help determine what is the appropriate level of<br />
resourcing, but no two organizations are completely identical. The paper suggests following a<br />
five-step process.<br />
Step 1: Define the audit universe. This is a description of all auditable entities (“departments,<br />
divisions, systems, processes, subsidiaries, programs, activities, and even accounts”).<br />
Step 2: Assess the risks. It is highly unlikely an internal audit function has sufficient<br />
resources to audit the entire audit universe. Besides, this approach would be highly<br />
inefficient by applying resources to low likelihood, low impact risks where assurance and<br />
advice may have limited value. The audit plan needs to prioritize engagements based on<br />
organizational objectives and risks because “while internal audit can audit anything, it can’t<br />
audit everything.” Assurance mapping may be part of this process to avoid unnecessary<br />
overlap and duplication with the work of other assurance providers on which internal audit<br />
can place reliance.<br />
Step 3: Develop the audit plan. Identifying which audits must be undertaken as a matter of<br />
highest urgency helps determine the major part of the budget based on estimated staff<br />
hours needed, although some allowance should be made for ad hoc engagements and<br />
reactive assurance and advisory engagements for new and emerging risks and<br />
43