Managing Internal Audit Function Risks - IIA Australia - PDF

Document Details

2024

Farah George Araj

Tags

Internal Audit Risk Management Audit Business

Summary

This white paper from the Institute of Internal Auditors in Australia explores how internal audit functions can better manage their own risks, which is essential for any organization's success. The paper covers identifying, assessing, and responding to risks in a practical way to help protect the Internal Audit Function. Keywords include internal audit and risk management.

Full Transcript

Connect Support Advance

White Paper

Managing Internal Audit Function Risks

2024

This resource was prepared after the ‘Global Internal Audit Standards’ were published in 2024

Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 www.iia.org.au
© 2022 - The Institute of Internal Auditors - Australia

Contents

Introduction
- Purpose
- Background
Discussion
- Issue
- History
- Risks Faced by an Internal Audit Function
- Risks Cascaded from Other Parts of the Organisation
- How the IIA Standards Help in Managing Internal Audit Risks
- A Systematic, Disciplined Approach to Managing Internal Audit Risks
- Critical Success Factors
- Considerations for Smaller Internal Audit Functions
- The Impact of Unmanaged Internal Audit Risks
Conclusion
- Summary
- Conclusion
Appendix 1 – Illustrative Risk and Control Matrix (Extract Only)
Bibliography and References
Purpose of White Papers
Author’s Biography
About the Institute of Internal Auditors–Australia
Copyright
Disclaimer

Introduction

Purpose

The purpose of this White Paper is to explain how Internal Audit Functions can better manage their own risks.

Background

Effective risk management is essential to any organisation’s success. Organisations of various types actively identify and manage risks with appropriate oversight at the board level. The ASX ‘Corporate Governance Principles and Recommendations’ (2019), require listed entities to have a dedicated board committee or committees to oversee risk and review the entity’s risk management framework. These entities are also required to disclose their material risks in their annual reports.

Similarly, entities in the Australian public sector (Federal / State and Territories / Local Government) are required to maintain effective risk management frameworks mandated through policies, treasurers’ instructions, regulation and other mechanisms.

Effective risk management is not achieved solely at the board or executive level. It requires engagement by all business units, divisions and functions of an organisation including the Internal Audit Function.

Discussion

Issue

ISO 31000 ‘Risk management – Guidelines’ defines Risk as the “effect of uncertainty on objectives”. Like organisations, Internal Audit Functions also have objectives impacted by uncertainty. However, Internal Audit Functions spend most, if not all, their time looking at their organisation’s governance, risk management and control processes. But how often do Internal Audit Functions look internally at their own function to assess if their key risks and controls are being managed effectively?

How can an Internal Audit Function, and to quote from the definition of Internal Auditing in the Global Internal Audit Standards, help accomplish its own objectives “by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes” within the Internal Audit Function itself?

This White Paper will explore how Internal Audit Functions can actively identify, assess and respond to risks that may impact their success.

History

The concept of Internal Audit Functions managing their risks is not new. In 2009, the IIA released Practice Advisory 2120-2 (superseded Recommended Guidance) which highlighted how the Internal Audit Function “is not immune to risks. It needs to take the necessary steps to ensure that it is managing its own risks”.

Many Internal Audit Functions adopted the Practice Advisory by maintaining and periodically updating their own risk registers – standalone or as part of a broader enterprise risk management system. In the case of larger Internal Audit Functions such as global organisations or major financial institutions, dedicated individuals are assigned to identify, monitor and report on Internal Audit Function risks.

Risks Faced by an Internal Audit Function

Risks the Internal Audit Function faces when delivering on its mandate may impact effectiveness and credibility of the chief audit executive as well as individual internal auditors. Risks that may affect an Internal Audit Function include:

Risk Category: Strategic
› Stakeholder Management – Inability to identify and meet key stakeholder expectations.
› Strategic Project and Initiatives – Failure to plan and execute major initiatives in a systematic and coordinated manner (for example new audit management system implementation, compliance with new regulatory or industry standards).
› Organisational Structure – The Internal Audit Function organisational structure does not support achievement of strategic and business objectives in an efficient manner.
› Internal Communication – Not understanding or responding to concerns of the internal audit team in a timely manner.
› Brand and Reputation – Failure to create, promote and sustain a brand, reputation and trust aligned to the Internal Audit Function’s mission. This also includes risk of the Internal Audit Function being perceived as biased or not objective in its assessments.
› Market Dynamics – Changes to external environment impacting the Internal Audit Function’s ability to deliver on its mission, for example loss of key staff or shortage of specialised service providers due to better paying clients elsewhere.

Risk Category: Operational
› Culture – Not defining and reinforcing the culture you want internal audit team members to live by in line with organisational values and the Internal Audit Function mission.
› Service Catalogue – Engagement types provided by the Internal Audit Function may not suit business needs or support delivery of the internal audit mandate.
› Risk Focus – Internal audit plan misalignment with the organisational strategy and key risks. Also refer IIA-Australia Factsheet ‘Neglected Audit Areas’.
› Change Management – The internal audit team’s resistance to change or poorly managed change initiatives (for example change is too frequent, done without consultation, lack of training, etc).
› People Management – Failure to recruit and retain qualified employees to ensure optimal staffing levels and adequate succession planning. This includes high staff turnover rates.
› False Assurance – Assumption that Internal Audit Function involvement in an organisational activity is necessarily providing definitive assurance to the organisation.
› Procurement – Lack of transparency or delays in appointing internal audit service providers.
› Engagement Scope – Internal audit team and management scope creep or scope limitations during engagements.
› Engagement Cycle Times – Long cycle times from start to end of engagements caused by burdensome documentation requirements, excessive number of report drafts issued to management, ineffective project management, etc.
› Service Providers – Ineffective onboarding and oversight of internal audit service providers.
› Fraud and Unethical Behaviour – Fraudulent behaviour by the internal audit team such as falsified workpapers, expense report manipulation, misrepresenting to the audit committee, etc.
› Reporting Accuracy – Audit committee engagement and reporting may not be accurate or complete.

Risk Category: Financial
› Budget Setting – Incomplete or inaccurate data used to estimate required financial resources during internal audit planning.
› Budget Limits – Exceeding the Internal Audit Function budget approved by the audit committee.

Risk Category: Compliance
› Standards – Nonconformance with the ‘Global Internal Audit Standards’.
› Laws and Regulations – Non-compliance with requirements such as:
  › Australian Federal / State / Territory internal audit related requirements for the public sector.
  › Australian Prudential Regulation Authority (APRA) Prudential Standards applicable to internal audit such as CPS510 ‘Governance’ and CPS234 ‘Information Security’.
  › ASX Corporate Governance Principles and Recommendations.

Risks Cascaded from Other Parts of the Organisation

Another area to consider is when business units devolve common controls to other business units. They may vary in nature and complexity, and sometimes are not applicable to the Internal Audit Function due to their nature, but they require careful consideration. In most, if not all, circumstances it would be necessary for the Internal Audit Function to ensure the presence of process and procedure documentation to clarify organisational expectations and behaviours. Some considerations are included below for reference:

Area: Expense Management and Corporate credit cards
Considerations: Depending on nature of usage (for example high frequency of travel) and maturity of expense related controls within the organisation, the chief audit executive might consider additional controls to further safeguard the reputation of the Internal Audit Function and its staff.

Area: Safeguarding of Assets and Access Management
Considerations: Chief audit executives would be responsible for their own physical space where the Internal Audit Function is located and facilities used by the Internal Audit Function. This includes but is not limited to reviewing access to physical workspaces, computers, audit management system, online collaboration workspaces (e.g. SharePoint or Google Drive) or non-audit related information such as employee details, compensation, etc.

Area: Health and Safety
Considerations: Several health and safety related controls may be cascaded down to the rest of the organisation. The Internal Audit Function is not exempt from those requirements. Training and appointment of first aiders, fire wardens, review of work environment, and periodic communication of health and safety obligations are common controls to address health and safety risks. In addition, there may be considerations specific to the Internal Audit Function such as working from home and overall employee wellness such as work-life balance, response to organisational health surveys, etc.

Area: Corporate Initiatives
Considerations: There may be organisation wide initiatives stemming from the organisation’s strategy which may present risks to the Internal Audit Function. These initiatives may include mergers and acquisitions, divestitures, cost restructuring and other strategies which may impact internal audit team composition, resources and the internal audit plan delivery.

How the IIA Standards Help in Managing Internal Audit Risks

The ‘Global Internal Audit Standards’ state they “guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function”. While not explicit, the Standards provide a variety of responses to potential risks that may face Internal Audit Functions. Consider the following:

› Risk of not identifying or managing potential biases when performing audit work – addressed through Standard 2.1 ‘Individual Objectivity’.
› Risk of self-review / performing management responsibilities – addressed through Standard 2.1 ‘Individual Objectivity’.
› Risk of data loss or misuse of data by internal auditors – addressed through Standard 5.2 ‘Protection of Information’.
› Risk of misalignment of internal audit activities with stakeholder expectations – addressed through Standard 8.1 ‘Board Interaction’ and Standard 11.1 ‘Building Relationships and Communicating with Stakeholders’.
› Risk that internal audit’s budget, staff or technology resources may limit its ability to effectively deliver the internal audit plan – addressed through Standards 10.1 ‘Financial Resource Management’, Standard 10.2 ‘Human Resources Management’ and Standard 10.3 ‘Technological Resources’.
› Risk that audit conclusions are not adequately supported – addressed through Standard 12.3 ‘Oversee and Improve Engagement Performance’ and Standard 14.1 ‘Gathering Information for Analyses and Evaluation’.

While this does not constitute a comprehensive list of potential risks managed through conformance with the Standards, it does highlight the value of conformance with the Standards from a risk management perspective.

A Systematic, Disciplined Approach to Managing Internal Audit Risks

Risk management frameworks usually break down core risk management activities into the following five steps:

These same steps can be applied to managing Internal Audit Function risks:

Step 1 – Identify

Action: Identify all potential risks the Internal Audit Function might be exposed to

Considerations:
› Start from the purpose, definition and mandate of the Internal Audit Function (Internal Audit Charter).
› Review the strategy, objectives and goals of your organisation and list internal audit processes within the audit lifecycle that directly or indirectly contribute to it.
› Ask the question – ‘what should go right’?
› Ask the question – ‘what could go wrong’?
› Consider workshopping risks in the identified processes (internal audit planning, engagement execution, audit committee reporting, etc) internally, with the risk team and compliance team, external industry and refer to industry literature.
› Use your organisation’s risk assessment methodology (if available) to consider all risks and categorise risks identified through this process.

Outcome – List of processes and associated risks in a risk register.

Step 2 – Assess

Action: Assess and categorise risks based on likelihood and impact to determine the significance

Considerations:
› Use the organisation’s own risk assessment methodology to assess risks.
› A Consequence (impact) / Likelihood (probability) matrix can be used to objectively assess risk using impact (for example negligible to severe) and probability (for example unlikely to very likely) to derive a risk rating.
› As part of the assessment, consider the propensity for processes to break down and not achieve their objectives. Some factors you could consider:
  › Strategic significance
  › Regulatory significance
  › Process complexity and level of automation
  › Capability and capacity of individuals involved
  › Process frequency
  › Resiliency and sustainability
  › Past issues or concerns (such as fraud, operational loss, errors, omissions, regulatory and external audit findings, etc.)

Outcome – All risks in the register have a risk rating with supporting rationale.

Step 3 – Prioritise

Action: Rank risks based on their significance so that a risk that would cause little issue to the Internal Audit Function is given a low priority

Considerations:
› Once the list is finalised, prioritise areas requiring attention.
› Test your understanding of risks with Line 2 assurance activities or subject matter experts.

Outcome – Clarity on which risks will need to be addressed for example all risks equal to and above ‘Medium’.

Step 4 – Manage

Action: Respond to the risk by accepting, avoiding, managing or sharing risk

Considerations:
› Be open to accept insignificant risks.
› Identify and develop controls to manage risks or consider alternative strategies to address risk such as accept, avoid or share risks.
› Controls can be described in a similar way to how recommendations or improvements are developed during an internal audit engagement:
  › Who is best placed to execute the control (e.g. capacity / capability)?
  › When is the best time for the control execution (preventive / detective)?
  › What is the best control (manual review / automated configured workflow, etc)?
  › Where is the best evidence of the control (e.g. checklist sign-off)?
  › How is the control managing the risk?

For example: The Chief audit executive reviews and approves an audit file in the audit management system prior to issuing the internal audit report to confirm audit evidence is sufficient and appropriate to support the audit results.

Outcome – All significant risks and controls mitigating them are identified. Where controls are absent or ineffective, Specific / Measurable / Attainable / Relevant / Time-based (SMART) action plans are in place to address the significant risks.

Step 5 – Monitor

Action: Continually monitor both the operation of controls and the operational environment for potential new risks

Considerations:
› Continual monitoring is key to effective risk management as organisations and the environment are dynamic and risks change.
› The Internal Audit Function could employ a number of strategies for effective risk monitoring. Practices found to be useful include:
  › Develop and monitor key risk indicators (KRIs) to assess whether risks remain within risk appetite over time.
  › Periodic self-assessment of existing controls (design effectiveness and operating effectiveness) to confirm whether controls continue to effectively manage risks.
  › Periodic review of the risk register to confirm whether recent developments such as changing regulations, risk issues, events or incidents, and external reviews require addition to, or revision of, existing risks.
  › Periodic reporting of open actions against agreed timeframes internally within the Internal Audit Function and to the audit committee and Line 2, particularly where there is a risk aggregation and reporting mechanism.

Outcome – Continual monitoring of changing risk landscape and improvement of overall control environment of the Internal Audit Function.

Appendix 1 – Illustrates how significant risks and controls within the internal audit lifecycle can be managed and monitored over time.

Critical Success Factors

Some factors that are likely to maximise the value derived from managing Internal Audit Function risks may be:

› Like any process, Tone at the Top from the chief audit executive is critical. Chief audit executives need to promote the value of actively managing Internal Audit Function risks and participate in brainstorming sessions.
› Involve the whole internal audit team in the brainstorming process and get their input as the Internal Audit Function risk register is built. Engaging the team in this process helps to build awareness as well as support effective risk management.
› Limiting the number of risks included in the risk register helps to direct focus and right-size effort. The number of risks will vary based on the size, operating model and nature of Internal Audit Function activities.
› Sufficiently resource the risk management function with capable staff.
› Make control owners aware of their responsibilities and the expected result of operating a control effectively. Consider asking for annual confirmation of control effectiveness.
› Take control issues seriously to continually improve and learn from past experience.
› Evaluate cost versus benefit of risk responses. Unless absolutely necessary, avoid over-controlling risks and burdening the internal audit team with excessive procedures or processes.

Considerations for Smaller Internal Audit Functions

Even smaller Internal Audit Functions need to take steps to manage their own risks. Risks specific to smaller functions include:

› Constrained budgets impacting their ability to acquire specialised skills, get trained on and deploy data analytics, and provide extensive coverage of the risk universe or audit universe.
› Difficulties recruiting and retaining staff as growth opportunities may be limited and larger Internal Audit Functions elsewhere may offer better compensation.
› Challenges with engagement supervision, in particular for functions with a solo internal auditor, and maintaining an effective quality assurance and improvement program (in particular, getting an external quality assessment).

From a risk management perspective, smaller Internal Audit Functions would not necessarily require a dedicated risk and control matrix for internal audit, but if used it could be adapted to their situation (for example include a fewer number of risks, be refreshed less frequently, etc).

Smaller Internal Audit Function chief audit executives need to be aware of potential risks facing the function. This can be through discussions with key stakeholders or other assurance providers for example the external auditor to get input on how the Internal Audit Function is being perceived, what it is doing well, and what might be potential improvement areas. Connecting with internal audit peers and learning of their challenges can also help an Internal Audit Function consider and prepare for a particular risk.

With smaller Internal Audit Functions, many of the risks described earlier may not have adequate management in place. It is critical to periodically call out to the audit committee any limitations the Internal Audit Function faces. For example, if cyber security is a major risk to the organisation and the Internal Audit Function does not have the skills to audit it, or the budget to hire an external party to audit it, then this should be clearly communicated to the audit committee and documented in relevant papers.

The Impact of Unmanaged Internal Audit Risks

The reputation of an Internal Audit Function is essential to its effectiveness. This reputation can be negatively impacted as a result of poorly managed risks. Unmanaged risks could lead to a data leak by internal audit staff, major issues that should have been picked up by the internal auditors, negative results from an external quality assessment or regulator review, and other adverse events. The impact of these may range from loss of credibility and trust in the Internal Audit Function, isolation, to termination of the chief audit executive.

In the unfortunate situation an Internal Audit Function does experience a major adverse event, the chief audit executive will need to conduct a retrospective review to understand root cause – ‘Why did this happen or why did we not pick this up?’ – and develop a plan to restore the Internal Audit Function reputation.

Conclusion

Summary

Like any part of the business, the Internal Audit Function faces risks to achieving its objectives. It is important to actively identify, assess and respond to these risks in a practical, sustainable way which engages and involves the whole internal audit team.

Conclusion

The Internal Audit Function is not immune to risks. As required by the Standards, internal auditors evaluate whether the organisation and key business functions have robust risk management practices in place. Internal Audit Functions should apply that same evaluation mindset to their own risks.

While there is no way to formally manage all the risks an Internal Audit Function may face, it should take practical steps to proactively identify, assess and respond to risk and clearly communicate any limitations or significant unmanaged risks to the audit committee when they arise.

The approach to doing this may be structured in the form of a risk and control matrix (RACM) or risk register, or it may be less formal. Regardless, the chief audit executive and internal audit team should be on top of risks that may prevent the Internal Audit Function from achieving its mandate, strategic objectives and operational plan.

It takes years to build an Internal Audit Function reputation and brand, and this can be destroyed by one high-profile failure. Chief audit executives have been terminated for performance issues, non-compliance, poor communication and engagement with management, and for organisational control failures that should have been identified by the Internal Audit Function. Actively managing the Internal Audit Function’s risks and embedding treatment into methodologies and day-to-day processes will go a long way towards protecting the Internal Audit Function and increasing its effectiveness.

Appendix 1 – Illustrative Risk and Control Matrix (Extract Only)

The following table outlines an extract of an illustrative, process based, risk and control matrix (RACM) that touches on key risks within an Internal Audit Function, common key controls, and their monitoring methodologies.

Process: P1. Internal Audit Plan

Key Risks: R1. Internal Audit Plan is not risk-based and does not align with the organisation strategy, objectives, risks and regulatory requirements. This could lead to non-value-adding assurance activities or regulatory censure that could impact the organisation’s reputation.

Control: C1. Chief Audit Executive and Audit Committee reviews and approves the Internal Audit Plan and subsequent changes to confirm that it:
› Aligns with the organisation strategy, objectives and key risks
› Covers the organisation regulatory requirements in relation to Internal Audit performing certain periodic engagements for example Australian Prudential Regulation Authority (APRA) Prudential Standards, State / Territory internal audit requirements
› Sufficiently covers human, technological, and financial resources required to deliver the audit plan
› Is supported by relevant, reliable and sufficient documentation that clearly outlines key judgements and risk-based rationale to support the Internal Audit Plan

Control Type: Preventive

Monitoring Methodologies:
M1. Periodic Self-Assessment: Independent review of internal audit planning documentation to confirm relevancy, reliability and sufficiency of the:
› Procedures performed to derive the Internal Audit Plan
› Underlying assumptions and key rationale supporting the Internal Audit Plan
M2. Key Risk Indicator: Periodic reporting to the Audit Committee of progress and specific targets. Where targets are not met, analysis and reasons reported to the Audit Committee with specific actions on how to bring them in line with the specified targets

Process: P2. Engagement Execution

Key Risks: R2. Conclusions drawn from Internal Audit Function activities lack robust support from relevant, reliable and sufficiently analysed information. This could lead to inaccurate assurances or the erroneous inference of control environment effectiveness and result in loss of trust and confidence in the Internal Function.

Control: C2. Prior to engagement reporting, Engagement Leads (or Chief Audit Executive in smaller organisations) review and approve audit documentation such as risk and control matrix (RACM), engagement work program, testing work papers etc to confirm:
› The Internal Audit Function audit methodology was correctly applied
› Documentation supports the engagement objectives and conclusions reached

Control Type: Preventive

Monitoring Methodologies:
M3. Periodic Self-Assessment: Independent review of the internal audit engagement documentation to the relevancy, reliability and sufficiency of the audit procedures performed to reach the conclusions reached in the internal audit report.

Process: P3. Hiring and Co-sourcing

Key Risks: R3. Internal Audit Function staff or internal audit service providers are not or do not appear to be independent. This could negatively impact integrity, reliability and credibility of internal audit reports.

Control: C3. Prior to onboarding a resource, Chief Audit Executive (or delegate) performs a Conflicts of Interest assessment to confirm that there are no, in actual or appearance of, impropriety with the relevant resource. This could be because resource has previously worked with the management or has first degree familial relationship with key individuals in the management. If any instances of conflicts are identified and the resource has been accepted, sufficient and appropriate independence safeguards have been identified and implemented (for example temporarily barring the resource to work on engagements where they were previously responsible for the subject matter etc). All such conflicts are recorded in the organisational or Internal Audit’s Conflicts register along with determinations and any safeguards.

Control Type: Preventive

Monitoring Methodologies:
M4. Periodic Self-Assessment: Independent review of conflicts in the conflict of interest register to confirm identified conflicts have been sufficiently and appropriately assessed.

Bibliography and References

Bibliography

ASX Corporate Governance Council, 2019. Corporate Governance Principles and Recommendations, 4th Edition. [Online] Available at: https://www.asx.com.au/documents/asx-compliance/cgc-principles-and-recommendations-fourth-edn.pdf

Australian Prudential Regulation Authority, 2019. Prudential Standard CPS 234 Information Security. [Online] Available at: https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf

Australian Prudential Regulation Authority, 2019. Prudential Standard CPS 510 Governance. [Online] Available at: https://www.apra.gov.au/sites/default/files/draft_prudential_standard_cps_510_governance_march_2019_v1_0.pdf

Department of Finance (Australia), 2014. Commonwealth Risk Management Policy. [Online] Available at: http://www.finance.gov.au/comcover/risk-management/

International Internal Auditing Standards Board, 2024. Global Internal Audit Standards. [Online] Available at: https://www.theiia.org/globalassets/site/standards/globalinternalauditstandards_2024january9_printable.pdf

International Organization for Standardization, 2018. ISO 31000:2018 Risk management - Guidelines, Geneva: International Organization for Standardization.

NSW Government, 2020. Internal Audit and Risk Management Policy for the General Government Sector. [Online] Available at: https://www.treasury.nsw.gov.au/documents/tpp20-08-internal-audit-and-risk-management-policy-general-government-sector

The Institute of Internal Auditors - Australia, 2023. Factsheet: Neglected Audit Areas. [Online] Available at: https://iia.org.au/technical-resources/fact-sheet/iia-australia-factsheet-neglected-audit-areas

This White Paper also draws from the superseded document:

The Institute of Internal Auditors, 2009. Practice Advisory 2120-2, Managing the Risk of the Internal Audit Activity.

Purpose of White Papers

A White Paper is a report authored and peer reviewed by experienced practitioners to provide guidance on a particular subject related to governance, risk management or control. It seeks to inform readers about an issue and present ideas and options on how it might be managed. It does not necessarily represent the position or philosophy of the Institute of Internal Auditors–Global and the Institute of Internal Auditors–Australia.

Author’s Biography

This White Paper written by:

Farah George Araj PFIIA, CIA, CRMA, QIAL, CPA, CFE
George is an experienced internal audit leader who has actively managed internal audit risks in various chief audit executive roles. He has served as a councillor on the IIA-Australia Western Australia and New South Wales Chapters. George was previously a member of the IIA Global International Internal Auditing Standards Board.

Umair Danka CIA, CRMA, CA, FCCA, CPA, CISA
Umair Danka is a seasoned financial services internal auditor with over 15 years of experience. He has excelled in assessing and enhancing internal controls, risk management processes, and compliance frameworks within leading financial institutions. Umair’s expertise spans banking, insurance, and investment management.

This White Paper edited by:

Michael Parkinson PFIIA, CIA, CRMA, CISA, CRISC

Andrew Cox MBA, MEC, GradDipSc, GradCertPA, DipBusAdmin, DipPubAdmin, AssDipAcctg, CertSQM, PFIIA, CIA, CISA, CFE, CGAP, CSQA, MACS Snr, MRMIA

About the Institute of Internal Auditors–Australia

The Institute of Internal Auditors (IIA) is the global professional association for Internal Auditors, with global headquarters in the USA and affiliated Institutes and Chapters throughout the world including Australia.

As the chief advocate of the Internal Audit profession, the IIA serves as the profession’s international standard setter, sole provider of globally accepted internal auditing certifications, and principal researcher and educator.

The IIA sets the bar for Internal Audit integrity and professionalism around the world with its ‘Global Internal Audit Standards’ and associated professional guidance.

The IIA-Australia ensures its members and the profession as a whole are well-represented with decision-makers and influencers, and is extensively represented on a number of global committees and prominent working groups in Australia and internationally.

The IIA was established in 1941 and now has more than 200,000 members from 190 countries with hundreds of local area Chapters. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.

Copyright

This White Paper contains a variety of copyright material. Some of this is the intellectual property of the author, some is owned by the Institute of Internal Auditors – Global or the Institute of Internal Auditors – Australia. Some material is owned by others which is shown through attribution and referencing. Some material is in the public domain. Except for material which is unambiguously and unarguably in the public domain, only material owned by the Institute of Internal Auditors – Global and the Institute of Internal Auditors – Australia, and so indicated, may be copied, provided that textual and graphical content are not altered and the source is acknowledged. The Institute of Internal Auditors – Australia reserves the right to revoke that permission at any time. Permission is not given for any commercial use or sale of the material.

Disclaimer

Whilst the Institute of Internal Auditors – Australia has attempted to ensure the information in this White Paper is as accurate as possible, the information is for personal and educational use only, and is provided in good faith without any express or implied warranty. There is no guarantee given to the accuracy or currency of information contained in this White Paper. The Institute of Internal Auditors – Australia does not accept responsibility for any loss or damage occasioned by use of the information contained in this White Paper.

© 2024 - The Institute of Internal Auditors - Australia