Ch 9 studyguide Flashcards
Why is it important to place the CAE in a senior management position?
Some IA functions are placed on a senior management level allowing visibility, authority and responsibility to:
Independently evaluate management’s assessment of internal controls
Assess the organization’s ability to achieve business objectives and manage, monitor, and mitigate risks
Other organizations do not have IA functions or place the functions lower in the organization (e.g. Finance, Legal, etc.)
Unable to provide management with an evaluation of the design and effectiveness of risk management, control and governance (Why is that?)
The actual structure depends on the reporting hierarchy
What determines whether an internal audit function is effectively managed?
Organizations that recognize the importance of placing the IA function properly often assign a senior management role titled the “Chief Audit Executive.” (e.g. CAE, VP of IA, Director of IA, etc.)
IIA Standard 2000: Managing the Internal Audit Activity states,
“the CAE must effectively manage the IA activity to ensure it adds value to the organization.”
“the IA [function] is effectively managed when:
The results of the IA [function’s] work achieve the purpose and responsibility included in the internal audit charter;
The Internal Audit [function] conforms with the Definition of Internal Auditing and the Standards; and
The individuals who are part of the IA [function] demonstrate conformance with the Code of Ethics and the Standards.”
What the internal audit charter must support and what it establishes, and what often supplements the internal audit charter
- An IA charter “establishes the IA [function’s] position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of IA activities.”
- Audit committee also has a charter, separate from the IA charter. Although they are separate, there are inherent interdependencies.
- IA charter must support AC charter and not contradict it.
What supplements the IA charter?
Internal audit functions often supplement the charter with
formal vision and/or mission statements,
operating budgets and resource plans, and
policies and procedures.
These documents are used to drive and guide the IA function.
These collective documents should be shared with the Audit Committee on a periodic basis (annually).
What constitutes and does not constitute proficiency and due professional care?
IIA Standard 1200: Proficiency and Due Professional Care states simply that “engagements must be performed with proficiency and due professional care.”
IIA Standard 1210: Proficiency elaborates stating that “internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The IA activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.”
IIA Standard 1220: Due Professional Care states that “internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor.”
Due professional care does not imply infallibility.
It is important to note that the interpretation of Standard 1200 defines “knowledge, skills, and other competencies [as] a collective term that refers to the professional proficiency required of internal auditors to effectively carry out their professional responsibilities.”
This interpretation further encourages internal auditors to “demonstrate their proficiency by obtaining appropriate professional certifications and qualifications” (e.g. CIA, CPA, CISA, etc.)
How would you define proficiency and due professional care? (examples)
What constitutes effective annual planning, and how the risk assessment process contributes to effective annual planning
The annual plan is developed through a process of identifying possible audit entities (business units, processes, etc. aka the “audit universe”) that mitigate risks (strategic, operational, reporting, compliance, etc.) to levels acceptable to the organization’s board of directors and senior management.
There are multiple theories for the structuring of an IA plan.
- Complex – Management and IA collaborate on formal risk assessment, prioritized risk scenarios, identify audit universe, develop rotation plans, execute audits, etc.
- Simple – Audit what the BOD & management wants.
Maximum effectiveness is achieved when the risk assessment process is completed annually, allowing the CAE to align audit resources with the risk assessment process.
- Identifying a definitive list of audit entities related to the prioritized risks allows for the creation of an internal audit plan using a top-down, risk-based approach.
What information regarding the annual plan should be reported to senior management and the board, and for what purpose?
IIA Standard 2020: Communication and Approval - After the internal audit plan has been established, the CAE must present it for approval to senior management and the board (AC) including:
- Resource requirements,
- Significant interim changes, and
- The potential implications of resource limitations.
The approved engagement work schedule, staffing plan, and financial budget, along with all significant interim changes, are to contain sufficient information to enable senior management and the board to ascertain whether the internal audit activity’s objectives and plans support those of the organization and the board and are consistent with the internal audit charter.
Why staff development is important to the internal audit function and typical minimal training and professional development requirement
It's important to achieve and maintain a balance of knowledgeable and skilled staff to complete the internal audit plan without putting undue stress on the staff, while simultaneously maintaining a reasonable financial budget.
The CAE is primarily responsible for the sufficiency and management of IA resources including effective communication of resource needs.
- The CAE must ensure that the internal auditors have the skills and knowledge necessary to carry out the internal audit plan.
- The CAE also must assign human resources to engagements that they are qualified and capable to perform.
- The CAE considers the development needs of the staff and works to balance:
- The developmental opportunities a specific engagement can provide to them.
- The need to accomplish engagement objectives and complete engagements within the scheduled time frame.
How the standards apply to both small and large internal audit functions
The standard regarding the implementation of policies and procedures simply states that **“the chief audit executive must establish policies and procedures to guide the internal audit activity” (IIA Standard 2040: Policies and Procedures).**
- Practice Advisory 2040-1: Policies and Procedures recommends, “… keeping the policies and procedures consistent with the size of the internal audit function:”
- Not all internal audit activities need formal administrative and technical audit manuals. A small internal audit activity may be managed informally.
- In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the annual audit plan.
What quality assurance and improvement process involves, and its internal and external components
Internal assessment procedures are the day-to-day QA steps typically in an internal audit manual that ensure that the Standards are followed:
- Professional qualifications
- Continuing professional training
- Staffing, supervision and work reviews
External assessment procedures are the quality assurance steps that an IA function has performed and/or has verified by a qualified, independent party (“independent peer review”).
- Internal audit functions are required to successfully complete an independent peer review every 5 years to conform with the IIA Standards.
What communication is required when there is nonconformance with the internal audit quality assurance standards, what implications occur when an internal audit function is not in conformance with the standards, and the consequences.
If the IA function is found to be significantly deficient in “the overall scope or operation of the IA activity,” (IIA Standard 1322: Disclosure of Nonconformance), “the CAE must disclose the nonconformance and the impact to senior management and the board.”
At that time, a determination will typically be made regarding:
Whether said noncompliance is intentional or inadvertent, and
What, if any, corrective action will be taken.
Should senior management and the board make the decision not to take corrective action and the IA function remains noncompliant, the IA function will no longer be able to state that it conforms “with the International Standards for the Professional Practice of Internal Auditing” (Standard 1321).
The consequences of continuing to offer services that are not conducted in accordance with the Standards can significantly inhibit IA’s relationship with interested third parties (regulators, auditors