CIA Internal Audit Operations PDF

Summary

This document covers internal audit policies and procedures, outlining the strategic and operational aspects of managing an internal audit activity. It emphasizes the importance of policies, procedures, and risk-based planning for effective internal audit operations and the value it adds to the organization.

Full Transcript


# CIA Learning System v7.0: Part 2

## Managing:

### 1. Internal Audit Operations

The internal audit activity plays a critical role at an operational level.

#### Internal Audit Policies and Procedures

##### Managing the Internal Audit Activity

*Performance Standard 2000*, "Managing the Internal Audit Activity": "The chief audit executive must effectively manage the internal audit activity to ensure that it adds value to the organization."

The Interpretation tells us that "the internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance."

From a strategic perspective, the CAE must ensure the establishment of a risk-based plan for managing the internal audit function's activity. This requires that internal audit leaders:

* Manage internal audit changes needed to implement and support the organization's strategy.
* Establish relationships throughout the organization to foster communication and cooperation.
* Assess and promote an ethical climate and good governance.
* Develop an appropriate system to measure the efficiency and effectiveness of the internal audit function and report performance to senior management and the board.
* Manage interactions with external auditors, regulatory bodies, and other internal assurance functions.

From an operational perspective, the CAE must ensure that the function is managed in a professional manner and that:

* Policies and procedures are in place to plan, organize, direct, and monitor internal audit operations.
* The function is administered to make the best use of internal audit resources.
* The function is staffed appropriately for its tasks.
* A risk-based audit plan is used to identify potential engagements and prioritize them.
* Senior management is informed about the effectiveness of the organization's internal control and risk management frameworks.
* The quality of internal audit work is monitored, assessed, and reported to senior management, and a quality assurance and improvement program is in place.

##### Policies and Procedures

*Performance Standard 2040*, "Policies and Procedures": "The chief audit executive must establish policies and procedures to guide the internal audit activity."

The form and content of policies and procedures depend on the size and structure of the internal audit activity and the complexity of its work:

* Large, mature internal audit activities may have a formal internal audit operations manual that includes policies and procedures.
* Smaller or less mature activities may not have a formal manual and instead may publish policies and procedures as separate documents or as part of an audit management software program.

In addition to policies and procedures, the internal audit manual (or other documentation method) may include information on the quality assurance and improvement program and other administrative matters.

Policies and procedures are one type of tool the CAE has to ensure that internal audit follows a systematic and disciplined approach. They help everyone involved in the internal audit activity deliver consistently high-quality service, and they are important for ensuring that internal audit meets the expectations laid out by the Standards and by senior management.

Policies and procedures should be reviewed periodically, and changes may be communicated:

* In writing.
* During internal audit staff meetings.
* Through training.

When reviewing policies and procedures, the CAE should also consider whether existing policies and procedures, including the internal audit charter, accurately reflect the Core Principles, the Code of Ethics, and the Standards. Documentation of policies and procedures, and evidence that they have been clearly communicated to internal audit personnel, may be used to demonstrate conformance with Standard 2040.

Per Standard 2040, the CAE develops and maintains appropriate policies and procedures for the internal audit activity.

###### Policies

Internal audit policies cover such things as adherence to the IPPF and the purpose and responsibilities of the internal audit activity. Examples of internal audit policies include:

* The overall purpose and responsibilities of the internal audit activity.
* Adherence to the mandatory guidance of the International Professional Practices Framework (IPPF).
* Independence and objectivity.
* Ethics.
* Protecting confidential information.
* Record retention.

###### Procedures

Internal audit procedures cover such things as preparing a risk-based audit plan and documenting audit engagements. Examples of internal audit procedures include:

* Preparing a risk-based audit plan.
* Planning an audit and preparing the engagement work program.
* Performing audit engagements.
* Documenting audit engagements.
* Communicating results/reporting.
* Monitoring and follow-up process.

#### Internal Audit Administration

##### Administrative Activities

Per *Performance Standard 2030*, "Resource Management," the CAE develops an understanding of resources, identifies gaps, considers rotational plans, sources resources, and develops a schedule.
*Performance Standard 2030*, "Resource Management": "The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan."

The *Implementation Guidance* for Standard 2030 recommends that the CAE usually begin by gaining a deeper understanding of the resources available to the internal audit activity in the board-approved internal audit plan. This may include:

* The number of internal audit staff.
* The number of productive work hours available. (Productive work hours exclude paid time off, time spent on training, and administrative tasks.)
* The internal audit activity's collective knowledge, skills, and other competencies. (This information may be found in a documented skills assessment, employees' performance appraisals, and post-audit or regularly scheduled surveys.)
* Approved budget and funds available for training, technology, or additional staffing.

Identified gaps in the quality or quantity of available resources should be addressed by the CAE. This can be accomplished by:

* Providing training for existing staff.
* Hiring additional staff.
* Hiring an external service provider.
* Cosourcing or outsourcing engagements.
* Using one or more guest auditors, for example, an expert from within the organization.
* Developing a rotational audit plan.

Rotational plans can use both inbound and outbound rotation:

* Inbound rotation involves filling certain internal audit job positions with employees from the business for a limited period of time.
* Outbound rotation involves moving internal auditors into business job positions either permanently or for a limited time period, usually between six and 24 months.

Rotational plans can be used to train middle-level management and executives, to train other members of the business, and to bring specialized skills to the internal audit team. Note that a program using guest internal auditors may be similar to a rotation program, except that the duration of guest auditor involvement is generally shorter.

It is important that the skill sets of the existing internal audit resources do not become a constraint on how internal audit addresses the risks of the organization. As part of resource management, it is recommended that the CAE establish a program for selecting and developing the human resources for the internal audit activity.

For the internally staffed portion of the audit group, this program should include:

* Developing written job descriptions for each level of audit staff.
* Selecting qualified and competent individuals.
* Training and providing continuing educational opportunities for each auditor.
* Appraising each internal auditor's performance at least annually.
* Providing counsel to internal auditors on their performance and professional development.
* Considering succession planning for management of internal auditing.

For the externally sourced portion of the audit group, the program should include:

* Selecting qualified and competent individuals aligned to the overall risks and resource needs.
* Reflecting on the provider's performance.
* Developing expectations that sustain strengths, proactively address areas for improvement, and help ensure service excellence.

Across all elements of the internal audit activity, including sourcing of resources, the CAE should define the skill set needs based on:

* The organization's risks.
* The internal audit plan.
* Value drivers of key stakeholders.

The CAE's role in coordinating assurance work is rapidly evolving with increased demands across the organization. Many CAEs are taking a more systematic approach to assurance across the organization because of:

* Increased demands from the organization, board, and senior management.
* The assurance fatigue that may affect line managers when dealing with uncoordinated assurance processes.

CAEs may embrace this systematic approach when generating a schedule for internal audit engagements. To develop a schedule for internal audit engagements as part of the internal audit plan, the CAE must consider:

* The organization's schedule.
* The schedule of individual internal auditors.
* The availability of auditable entities.

By paying attention to the organization's schedule and the availability of auditable entities, internal audit may be able to schedule audits during less busy times of the year for business units and the organization as a whole. This may help avoid assurance fatigue and promote stronger cooperation from the entities being audited.

### 2. Risk-Based Internal Audit Plan

To be truly value-added to the organization, the annual audit plan and specific engagements must focus on significant risks.

#### Potential Engagement Sources

Per *Performance Standard 2010*, "Planning," and related standards, the CAE considers the needs of stakeholders and both internal and external risks when forming a risk-based internal audit plan.

##### Planning

*Performance Standard 2010*, "Planning": "The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals."

Planning is done by the CAE working with senior management and the board to understand:

* Organizational strategies.
* Key business objectives.
* Associated risks.
* Risk management processes.

##### Implementation Standard 2010.A1 (Assurance Engagements)

"The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process."

The internal audit activity typically reviews and corroborates the key risks that were identified by senior management.

* As Standard 2010.A1 indicates, this process must be undertaken at least annually.
* In some sectors, annually may not be frequent enough, requiring documented risk assessments to take place much more frequently, such as every quarter.
* Risks are measured in terms of impact and likelihood.

##### Implementation Standard 2010.A2 (Assurance Engagements)

"The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and conclusions."

The internal audit plan is developed using:

* The expectations and requests of senior management, the board, and other stakeholders.
* The internal audit activity's ability to rely on the work of other internal and external assurance providers.

This also applies to individual engagement opinions or ratings, as it is important that the CAE and key stakeholders are aligned on the level of assurance internal audit is expected to provide.

##### Implementation Standard 2010.C1 (Consulting Engagements)

"The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements must be included in the plan."

Both internal and external risks must be examined and linked to specific objectives and business processes in order to organize and prioritize the risks.

* Internal risks may affect key products and services, personnel, and systems.
  * Relevant risk factors include the degree of change in risk since the area was last audited, the quality of controls, and others.
* External risks may be related to competition, suppliers, or other industry issues.
  * Relevant risk factors may include pending regulatory or legal changes and other political and economic factors.
* Impacts may be felt through organizational reputation in addition to typical financial impacts.

Once all information is gathered, the CAE develops an internal audit plan, which may include:

* A list of proposed audit engagements and specifications regarding whether the engagements are assurance or consulting in nature.
* The rationale for selecting each proposed engagement.
* Objectives and scope of each proposed engagement.
* A list of initiatives or projects that result from the internal audit strategy but may not be directly related to an internal audit (for example, monitoring an ethics hotline or conducting fraud awareness training).

Once the plan is created, the CAE discusses it with the board, senior management, and other stakeholders to create alignment among their priorities. The discussion will also acknowledge material risk areas that are not addressed in the plan.

##### Sources of Potential Engagements

Sources of potential engagements make up the audit universe. The strategic plan, SWOT analysis, management and employees, regulations, and trends must also be considered.

###### The Audit Universe

Not all organizations will use the term "audit universe". Generally speaking, however, the audit universe includes:

* Major functions.
* Operations.
* Operating units.
* Subsidiaries.
* Third parties.
* IT.
* Business, service, and product lines.

Each of these is considered an "auditable unit". The audit universe also includes:

* Any applicable areas (e.g., financial reporting or compliance) that have a pervasive, organization-wide impact and fall under the internal audit "umbrella" from an assurance coverage perspective.
* Relevant regulatory mandates in highly regulated industries.
* Independent compliance assessments of high-risk areas as mandated by government agency examiners, even in the absence of specific laws and regulations requiring them.

There will be a number of functional areas or auditable units that may or may not need auditing in a given audit cycle. The audit universe is not defined solely by operating entities, their overarching processes, and their related functional activities. It also encompasses the organization's strategic plan and the controls management has in place to mitigate risks, achieve organizational goals and objectives, and ensure that stakeholder needs are being met.

###### The Organization's Strategic Plan

Strategic plans are based on some degree of environmental analysis (environmental scanning) that provides intelligence on what is and what will potentially be happening inside and outside the organization. Organizations may use a strengths, weaknesses, opportunities, and threats (SWOT) analysis to identify and classify elements that can help or hinder the organization or its strategic plans or activities.

* Strength and weakness reviews in SWOT analyses look at the organization's internal capabilities (or lack thereof).
* Opportunities and threats in a SWOT analysis are then focused mostly on external factors that can affect organizational success for good or for ill (perhaps also considering some related internal opportunities or risks).
* Opportunity and threat reviews may look at the following factors:
  * Legal factors
  * Regulatory factors
  * Market forces, industry trends, and the competition
  * Stakeholder groups
  * Technology trends and related internal capabilities
  * Customers

###### Management and Employees

The risk perspective of executives and key operational managers is important, as they are responsible for:

* Establishing plans.
* Defining risk tolerances.
* Allocating resources to achieve the plans.
* Monitoring the activities being done to achieve the plans.
* Reviewing results.

The employees' perspectives are also important, as employees are closest to the business activities. Both parties can offer valuable insights on the risks the organization faces. Management may have special projects that should be included in the audit universe. However, the internal audit function must have the competencies and resources required to perform such work for it to be accepted.

Information can be solicited from management and employees in different ways. Three of the most common techniques are:

* Interviews.
* Focus groups.
* Questionnaires/surveys.

###### Regulatory Mandates

While compliance with some regulations is voluntary, many regulations have the force of law. Some regulatory mandates cut across a variety of industries (such as environmental protection regulations restricting pollution or occupational safety and health regulations protecting workers). Industries may also have unique regulations (such as aviation, banking, or forestry). Privacy regulations, such as the EU's General Data Protection Regulation (GDPR), regulate how companies handle things like customer data. Regulatory factors can also arise from self-regulating bodies and professional societies.

###### Relevant Market and Industry Trends

Risk issues posed by current industry or economic situations could be valid sources for potential engagements. For example, organizations that are investing heavily in new technologies like artificial intelligence are also creating new risks. The market for a given product or service has a life cycle, and an industry that produces the product or service will face certain trends depending on whether demand needs to be built up, is growing rapidly, is steady, or is in decline. These changes can be driven by:

* Technology changes.
* Customer preference changes.
* Societal shifts.

Internal auditors need to understand the root causes of these changes and what types of pressures they create in the areas of risk, governance, and controls, especially in times of rapid growth or decline.

###### Emerging Issues

In the world in which modern organizations operate, there are constantly emerging threats that originate from changes and trends in:

* Technology.
* The environment.
* Society.
* Health and safety (e.g., pandemics).
* Governance.

When identifying sources of potential engagements, the CAE should consider whether emerging issues in these and other areas are a factor for the organization and its industry.

###### Other Sources

In some organizations, internal assurance functions (e.g., security, quality, health and safety) or external assurance providers (e.g., external auditors, regulators, partners) may be sources of potential engagements. Internal audit may review areas of weakness identified by these assurance functions and may also evaluate the quality of the assurance functions as part of the audit universe.

#### Leveraging Risk Management Frameworks

##### Organizational Risk Management Frameworks

The internal audit activity uses the organization's risk management framework to assess risks, or identifies an appropriate one if none exists.

The internal audit activity can work in close cooperation with the risk management function. However, not every organization will have a stand-alone risk management function, so the ability of internal audit to work with risk management will vary from organization to organization. The first step internal audit should take when identifying a risk management framework is to examine other risk management frameworks in use throughout the organization, to avoid the need to create or deploy one from scratch. If there are no other viable frameworks in use, the organization can choose from several options, including:

* Using third-party frameworks such as COSO ERM.
* Developing its own framework in-house.

It is important to remember that the internal audit activity cannot give objective assurance on any part of a risk management framework it has designed.

#### Prioritizing Audit Engagements

The internal audit activity prioritizes audit engagements based on the results of a risk assessment, perhaps using an assurance map.

Most internal audit functions perform annual and engagement-level risk-based assessment activities to help prioritize risks according to their potential impacts on the organization's achievement of goals and objectives.

* At the macro level, these activities help with developing a proposed audit plan to submit to the board.
* At the micro level, these activities help prioritize the scope of audit work and the assurance being provided by internal audit engagements.

The risk assessment activities may be used to prioritize audit engagements through the use of an assurance map. An assurance map is a matrix that gives a visual representation of the organization's risks and all the internal and external providers of assurance services that cover those risks. It may be used to coordinate the timing and scope of activities or as a basis for discussing whether reliance on the work of other assurance providers would be appropriate. Senior management may also use the map to ensure that risk management and internal control functions are properly aligned and effectively monitored.

Assurance mapping steps include:

1. Identifying sources of risk information.
2. Organizing risks into categories for consolidated viewing.
3. Identifying assurance providers.
4. Gathering information and documenting assurance activities by risk categories.
5. Periodically reviewing, monitoring, and updating the assurance map.

Exhibit 2-1 shows a pared-down example of an assurance map. An actual assurance map may feature more rows and columns and additional risk category groupings.
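The impact-and-likelihood scoring of Standard 2010.A1, the reliance on other assurance providers of Standard 2010.A2, and the assurance mapping steps above can be made concrete with a short script. This is an added example, not code from the CIA Learning System or the IIA: it borrows the risk categories, provider names and coverage legend of Exhibit 2-1, while the impact/likelihood scores, coverage ratings, hour estimates, discount weights and function names are constructed for the example.

```python
"""Risk-based prioritization of an audit universe using an assurance map.

Added worked example for this section; it is not part of the CIA Learning
System material. The risk categories, assurance providers and coverage
legend come from Exhibit 2-1; the impact/likelihood scores, coverage
ratings, hour estimates and weights below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Coverage(IntEnum):
    """Exhibit 2-1 legend, ordered so that max() yields the strongest rating."""
    OUTSIDE_MANDATE = 0
    LIMITED_OR_NONE = 1
    PARTIAL = 2
    TOTAL = 3


@dataclass
class RiskCategory:
    name: str
    impact: int        # 1 (negligible) .. 5 (severe), constructed scale
    likelihood: int    # 1 (rare) .. 5 (almost certain), constructed scale
    est_hours: int     # productive auditor hours an engagement would need
    # One assurance-map row: provider -> how well it covers this category.
    coverage: dict[str, Coverage] = field(default_factory=dict)

    def inherent_score(self) -> int:
        """Standard 2010.A1: risks are measured in terms of impact and likelihood."""
        return self.impact * self.likelihood

    def best_coverage(self) -> Coverage:
        """Strongest assurance any provider gives; no provider at all counts as none."""
        return max(self.coverage.values(), default=Coverage.LIMITED_OR_NONE)

    def residual_score(self) -> float:
        """Discount inherent risk by assurance others already provide (the
        reliance on other assurance providers of Standard 2010.A2).
        Constructed weights: total coverage leaves 25% of the audit need,
        partial leaves 50%, limited/none or outside mandate leaves it whole."""
        weight = {Coverage.TOTAL: 0.25, Coverage.PARTIAL: 0.5}
        return self.inherent_score() * weight.get(self.best_coverage(), 1.0)


def build_sample_universe() -> list[RiskCategory]:
    """Constructed audit universe using six of Exhibit 2-1's risk categories."""
    C = Coverage
    return [
        RiskCategory("Regulatory Compliance & Reporting", 5, 3, 100,
                     {"Finance": C.PARTIAL, "Internal Audit": C.TOTAL}),
        RiskCategory("Data Security", 5, 4, 200,
                     {"Safety Review Board": C.OUTSIDE_MANDATE,
                      "Risk Management Processes": C.LIMITED_OR_NONE}),
        RiskCategory("Information Privacy", 4, 4, 160,
                     {"Risk Management Processes": C.PARTIAL}),
        RiskCategory("Environmental", 3, 2, 80,
                     {"Safety Review Board": C.PARTIAL}),
        RiskCategory("Hardware Availability & Effectiveness", 3, 3, 120),
        RiskCategory("Software Usability & Efficiency", 2, 3, 60,
                     {"Performance Review Committee": C.TOTAL}),
    ]


def assurance_gaps(universe: list[RiskCategory]) -> list[str]:
    """Assurance mapping step 4: categories no provider covers at least partially."""
    return [r.name for r in universe if r.best_coverage() < Coverage.PARTIAL]


def prioritize(universe: list[RiskCategory]) -> list[RiskCategory]:
    """Order candidate engagements by residual risk, highest first (stable sort)."""
    return sorted(universe, key=lambda r: r.residual_score(), reverse=True)


def plan_within_budget(universe: list[RiskCategory],
                       budget_hours: int) -> tuple[list[str], list[str]]:
    """Greedy schedule against the productive hours available (Standard 2030).

    Returns (planned, deferred). Deferred categories are the material risk
    areas the CAE should acknowledge as not addressed when discussing the
    plan with the board and senior management.
    """
    planned, deferred, used = [], [], 0
    for r in prioritize(universe):
        if used + r.est_hours <= budget_hours:
            planned.append(r.name)
            used += r.est_hours
        else:
            deferred.append(r.name)
    return planned, deferred


if __name__ == "__main__":
    universe = build_sample_universe()
    print("Coverage gaps:", assurance_gaps(universe))
    for r in prioritize(universe):
        print(f"{r.residual_score():6.2f}  {r.name}  (best coverage: {r.best_coverage().name})")
    planned, deferred = plan_within_budget(universe, budget_hours=400)
    print("Planned:", planned)
    print("Deferred (acknowledge to the board as unaddressed):", deferred)
```

Run as a script, it lists the categories no second- or third-line function covers at least partially, ranks the universe by residual risk, and splits it into engagements that fit a 400-hour budget and those deferred. The discount for existing coverage is what turns an assurance map into a prioritization aid: a high-impact risk already under total coverage by another provider ranks below a mid-impact risk nobody covers.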
**Exhibit 2-1: Assurance Map**

Rows (risk categories):

* Regulatory Compliance & Reporting
* Disclosure
* Environmental
* Information Privacy
* Technology
* Data Security
* Hardware Availability & Effectiveness
* Software Usability & Efficiency

Columns (assurance providers):

* Functional oversight (2nd line): Finance; Human Resources; Treasury; Risk Management Processes; Performance Review Committee; Safety Review Board.
* Independent (3rd line): Internal Audit; Outside quality auditors.

Each cell of the matrix rates how well a provider covers a risk category, using this legend:

* Total risk coverage
* Partial risk coverage
* Limited or no risk coverage
* Risk area outside the function's mandate

#### Assurance Engagements

##### Types of Assurance Engagements

Assurance services are an objective examination of the evidence for the purpose of providing an independent assessment on governance, risk management, and control processes of the organization. The following are types of assurance engagements:

* Operational
* Security
* Financial/financial reporting
* Compliance
* Performance
* External business relationships
* Privacy
* Quality
* Due diligence

##### Operational Engagements

Operational audit engagements address the efficiency and effectiveness of operations as well as GRC issues. Operational audits are focused on providing assurance on governance, risk management, and controls in regard to the effectiveness and efficiency of operations. They are not focused on finance or compliance in particular, although those types of risks may be included, and they may examine anything about the organization with an underlying business process. Such engagements may be referred to as management audits in government environments.

###### Objectives

Specific objectives will depend on the organization, process, or activity under audit. Three key considerations in reaching an evaluation of the overall effectiveness of the governance, risk management, and control processes associated with a given business process are:

* Were significant discrepancies or weaknesses discovered from the audit work performed and other assessment information gathered?
* If so, were corrections or improvements made after the discoveries?
* Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists, resulting in an unacceptable level of business risk?

###### Stakeholders

Stakeholders include:

* The board and management, who are ultimately responsible for oversight.
* Specific business process owners, who will be responsible for addressing audit recommendations.

###### Risks

Risks related to operational effectiveness include business processes that fail to work toward, or are counterproductive to, organizational objectives. Risks related to inefficiency involve achieving goals in a manner that is more costly than the value that is added or than a selected benchmark.
