The International Professional Practices Framework (IPPF) and underlying International Standards for the Professional Practice of Internal Auditing (Standards) provide guidance to the internal audit activity. The Standards are applicable to all internal audit departments regardless of size, level of resources, complexity, or objectives and scope. Small audit activities face some unique challenges when implementing the Standards. Typically, a small audit activity has one or more of the following characteristics:
- One to five auditors
- Productive internal audit hours below 7,500 a year
- Limited level of co-sourcing or out-sourcing
Standards with a High Degree of Challenge for Small Audit Activities
The Practice Guide notes the following standards for which small internal audit activities face a high level of challenge when implementing:
- 1100 – Independence and Objectivity
- 1300 – Quality Assurance/Improvement Program
- 2000 – Managing the Internal Audit Activity
- 2200 – Engagement Planning
- 2300 – Performing the Engagement
These challenges are most likely to affect small internal audit activities, but they may affect internal audit activities of any size. This paper will review each of these standards, identify challenges to meeting the standard, and provide guidance to mitigate these challenges.
1100 - Independence and Objectivity
Standard: The internal audit activity must be independent, and internal auditors must be objective in performing their work.
Challenge: Auditors may have operational responsibilities such as records management, compliance, IT security, risk management, or other finance and accounting activities. The Chief Audit Executive (CAE) may report to an individual who has direct responsibility for areas that are subject to audits.
Guidance: Internal audit should explain to the board the difficulties involved with auditing areas where operational responsibilities or chain of command cause independence issues. They should recommend alternatives for audits such as, using external resources, and verifying only auditors that are not involved with the operational activity complete and review the audit. The CAE should discuss any challenges relating to the reporting structure or operational duties with the board and/or senior management when establishing the audit plan. If internal audit issues a report where there is a lack of independence and objectivity, the audit report must disclose this condition along with the related impacts.
1300 – Quality Assurance/Improvement Program
Standard: The CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
Challenge: Lack of financial resources may limit the ability to perform an external or internal quality assessment (QA) in accordance with the Standards. The performance of an internal QA may be challenging due to time and staff constraints.
Guidance: Small organizations may use peer organization reviews or self-assessment with external validation to satisfy the external QA requirement. These approaches will have a lower monetary cost but will require a larger amount of internal audit staff hours. Organizations may consider utilizing employees outside of the internal audit activity for internal assessments if they have prior audit experience or QA training.
2000 – Managing the Internal Audit Activity
Standard: The CAE must effectively manage the internal audit activity to ensure it adds value to the organization.
Challenge: It may be difficult for the CAE of a small internal audit activity to demonstrate that the activity adds value to the organization if the priorities of the department differ from management’s priorities. If the internal audit activity is overworked or has frequent management requests to perform ad hoc engagements, they may not have the resources to fulfill the internal audit charter requirements.
Guidance: The CAE should verify the internal audit charter clearly sets forth the mission of the department, senior management endorses the charter, and the board approves it. In addition, the CAE should obtain feedback to verify the internal audit activity continues to perform value-added audits and the audit plan remains aligned with the strategic objectives and key risks facing the organization.
2200 – Engagement Planning
Standard: Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.
Challenge: Completing a risk assessment is a key component of planning an audit. Internal auditors may not have the skill level or available time to complete a risk assessment. In addition, they may not formally document their engagement planning.
Guidance: The CAE should develop planning checklists for common engagement types. Key components of the planning process include defining engagement objectives, scope, and audience. Internal audit should leverage any available risk documentation relevant to the audit including management’s own risk self-assessments, management’s risk tolerances or appetites, and findings from prior internal and external audit reports. The higher the associated risk of an engagement, the greater the level of formal documentation required.
2300 – Performing the Engagement
Standard: Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives. In addition, the CAE must assure proper supervision of engagements to achieve objectives, audit quality, and staff development.
Challenge: The CAE may not be able to supervise all engagements and they may perform some engagements. It may be a challenge for audit activities using manual workpapers to maintain appropriate evidence of engagement supervision.
Guidance: CAEs are encouraged to have a more involved role in high-risk or complex engagements. If the CAE or another staff member performs a lower risk engagement, an experienced audit staff can review the engagement. If the CAE performs a complex engagement, they should have a peer review performed by someone else in the organization with the suitable audit background and adequate independence. Engagement supervisors should sign off on engagement workpapers to document evidence of review.
Conclusion:
All CAEs should assess the current level of conformance with each standard and determine if there are any conformance gaps. They should incorporate elements of the Standards into the internal audit activity’s vision, mission, and charter.
McKonly & Asbury is available for consultation on this or other Internal Audit matters. Please do not hesitate to contact, Elaine Nissley, MBA, CISA, PMP, CRISC, Principal, in charge of the Risk Management Services group. ENissley@macpas.com.
.jpg){kind=logo}
.jpg){kind=logo}
.jpg){kind=logo}
.jpg){kind=logo}
.jpg){kind=logo}
.jpg){kind=logo}
maintain appropriate evidence of engagement supervision.
Guidance: CAEs are encouraged to have a more involved role in high-risk or complex engagements. If the CAE or another staff member performs a lower risk engagement, an experienced audit staff can review the engagement. If the CAE performs a complex engagement, they should have a peer review performed by someone else in the organization
Posted by: Cheap Air Max sale | 12/29/2011 at 02:02 AM