Honours in Internal Auditing - Advanced Internal Auditing PDF

Chat with Document Download Quiz & Flashcards

Document Details

SAIIH

Uploaded by SAIIH

2025

Tags

internal auditing risk management governance accounting

Related

Summary

This module document covers Honours in Internal Auditing for the Advanced Internal Auditing course in 2025. It details the management of the internal audit function, covering topics such as risk management, governance, and internal controls. The document also discusses quality assurance, benchmarking, and the Global Audit Information Network.

Full Transcript

ACCOUNTANCY@UJ AIAX800 DEPARTMENT OF ACCOUNTANCY HONOURS IN INTERNAL AUDITING ADVANCED INTERNAL AUDITING 2025 MANAGING THE INTERNAL AUDIT FUNCTION 1 ACCOUNTANCY@UJ AIAX800 Content...

ACCOUNTANCY@UJ AIAX800 DEPARTMENT OF ACCOUNTANCY HONOURS IN INTERNAL AUDITING ADVANCED INTERNAL AUDITING 2025 MANAGING THE INTERNAL AUDIT FUNCTION 1 ACCOUNTANCY@UJ AIAX800 Contents...................................................................................................................................................1 1. STUDY METHOD..................................................................................................................3 2. STUDY RESOURCES............................................................................................................4 3. PRIOR KNOWLEDGE...........................................................................................................4 4. GLOBAL INTERNAL AUDIT STANDARDS...............................................................................4 5. LEARNING OUTCOMES.......................................................................................................4 6. ADDITIONAL NOTES............................................................................................................5 2 ACCOUNTANCY@UJ AIAX800 1. STUDY METHOD Step 5: Self-reflection & correction: o Students need to be able to self-reflect by going through all the content and reflecting on whether they understand all that was covered. o Some of the questions to reflect on are in the slides. o Students must record videos on their self-reflection (the videos should include the self-reflection questions in the slides and additional self- reflection). o Students should upload the self-reflection videos on Moodle after a week of completing a block (the self-reflection videos are per block, not per topic). o After the self-reflection, students should be able to identify problems they are struggling with by attempting questions. o After identifying the problem and still not able to solve the problem, students will consult with the lecturing team. Step 4: Solve the problem: o Students need to be able to solve the problem and discuss it in a class setting. Step 3: Understand the theory: o Students must understand the theory since they have identified and understood the problem (Steps 1 and 2). Step 2: Understand the problem: o Students need to understand the problem and consequences that stem from the identified problem (Step 1). Step 1: Problem discovery: o Students should identify the problem given to them. 3 ACCOUNTANCY@UJ AIAX800 2. STUDY RESOURCES Slides Module Global Internal Audit Standards: Question Banks Videos Practical Questions 3. PRIOR KNOWLEDGE Students are not expected to have any knowledge of these topics from previous modules or units. 4. GLOBAL INTERNAL AUDIT STANDARDS The Global Internal Audit Standards™, established by The Institute of Internal Auditors (IIA), provide a comprehensive framework guiding the professional practice of internal auditing worldwide. Global Internal Audit Standards. NB!!!! Students should study and understand the GIAS in-depth and be able to relate them to every topic. 5. LEARNING OUTCOMES Understand the concept of governance, risk management and control (GRC). Understand the concepts/components, purpose and application for internal auditing for governance, risk management and control. Understand the roles and responsibilities of GRC. Understand and explain the annual internal audit plan. 4 ACCOUNTANCY@UJ AIAX800 Understand and explain the role of Chief Audit Executive (CAE) with regard to the management of the internal audit activity. Understand and explain the different structures of an internal audit activity (in-house, outsourced and co-sourced). Understand and explain the role of the CAE with regards to the Quality Assurance and Improvement Program (QAIP), managing the resources of the internal audit activity, quality management and benchmarking. 6. ADDITIONAL NOTES A. PRINCIPLE 9 – PLAN STRATEGICALLY Standard 9.1 UNDERSTANDING GOVERNANCE, RISK MANAGEMENT, AND CONTROL PROCESSES (GRC) To develop an effective internal audit strategy and plan, the chief audit executive must understand the organization’s governance, risk management, and control processes. I. GOVERNANCE PROCESSES To understand governance processes, the chief audit executive must consider how the organization: Establishes strategic objectives and makes strategic and operational decisions. Oversees risk management and control. Promotes an ethical culture. Delivers effective performance management and accountability. Structures its management and operating functions. Communicates risk and control information throughout the organization. Coordinates activities and communications among the board, internal and external providers of assurance services, and management. 5 ACCOUNTANCY@UJ AIAX800 Governance refers to the highest level of decision making in any organisation and determines the strategic objectives and subsequently how the organisation will be directed and controlled (risk management and control system) to achieve these objectives - the umbrella covering the organisation and setting the tone at the top. Governance is the most important aspect in GRC and impacts risk management and control. Without sound governance, risk management and subsequent control, an organisation will not function. There are many definitions for governance, for example the Cadbury Report defines governance as: "Governance is the way in which organisations are directed and controlled." When considering this definition, it can be interpreted that: the way refers to how; organisations include any type of organisation; whether a government department, a company, a school or a sports club; directed means taking or guiding the organisation towards its strategic objectives; and controlled refers is done or implemented to ensure the objectives are achieved (to, among other, address risks that can prevent the achievement of objectives by implementing controls). Internal auditor’s role in governance As governance developed and gained prominence, increasing pressures to strengthen corporate accountability and financial transparency are part of a broad-based evolution towards a more integrated best-practices approach to managing GRC. These changes have resulted in substantial implications for lAFs in respect of their responsibilities and roles in governance worldwide. Internal auditors have a dual role pertaining to governance. First, the IAF forms part of the governance structure (one of the cornerstones of governance) within the organisation by providing assurance to the governing body on governance matters within the organisation. 6 ACCOUNTANCY@UJ AIAX800 Secondly, the lAF is responsible for performing assurance and advisory services on governance-related matters in the organisation. The latter responsibility entails the performance of governance assessments where the internal auditor evaluates the adequacy and effectiveness of the governance structures, systems and processes of the organisation. The IA should always consider the relationship between governance, risk and control when performing engagements. Example Seton Technologies is a leading cybersecurity firm that provides cloud-based security solutions for businesses, financial institutions, and government agencies. The company is known for its cutting-edge AI-driven threat detection system, Anexnet AI, which helps organizations detect and prevent cyber threats in real-time. The following is how the company is governed: Strategic Objective: Seton recently expanded market share in Southeast Asia by 20%. Strategic Decision: Seton acquired a local competitor in Zambia to strengthen market presence. Operational Decision: Seton hired 50 new sales representatives and increased digital marketing spending in the region. Ethical Culture Promotion: Seton implemented a zero-tolerance policy for workplace discrimination and harassment. Oversees risk management and control: Seton’s management plays a crucial role by establishing a comprehensive risk framework, identifying potential threats and monitoring the controls in the business. Effective performance management and accountability: Seton implemented a Key Performance Indicator (KPI) system to track employee productivity. Communication of risk and control throughout the organisation: Seton holds quarterly risk assessment meetings with executives and department heads and 7 ACCOUNTANCY@UJ AIAX800 gets reports from the CAE regarding the effectiveness of controls in the organisation. Coordinates activities and communications among the board, internal and external providers of assurance services, and management: Internal Audit Team- evaluates the risk and ensures compliance. External Auditors- reviews Seton’s financial and security compliance. Regulators & Compliance Bodies- enforce cybersecurity laws like GDPR. Please note that Governance will be studied in great detail in the second semester, our focus for governance is based on the nature of internal audit work (Standards). II. RISK MANAGEMENT PROCESSES The chief audit executive should understand globally accepted risk management principles, frameworks and models as well as professional guidance specific to the industry and sector within which the organization operates. The chief audit executive should gather information to assess the maturity of the organization’s risk management processes, including identifying whether the organization has defined its risk appetite and implemented a risk management strategy and/or framework. Discussions with the board and senior management help the chief audit executive understand their perspectives and priorities related to the organization’s risk management. To gather risk information, the chief audit executive should review recently completed risk assessments and related communications issued by senior and operational management, those charged with risk management, external auditors, regulators, and other internal and external providers of assurance services. With the ever-changing landscape that organisations are operating in, an organisation's existence is threatened by many current and new risks. It is thus important for the internal auditor to understand how the organisation manages the risks that threaten the 8 ACCOUNTANCY@UJ AIAX800 achievement of strategic and operational organisational objectives as well as the objectives of the activity under review. Risk management is linked to internal auditing on three levels, namely: by ensuring that the risk management strategy (the overarching term that encompasses all aspects of risk management within an organisation) that aims to mitigate the risks threatening the organisation in achieving its objectives, is in line with what management is prepared to accept (risk tolerance). Apart from having a risk management strategy that is embedded in the organisation, the organisation's governing body must ensure that their governance demands are adhered to. This is achieved by obtaining assurance from various assurance providers. For risk management, the lAF must provide such assurance; by using the outcome of the strategic risk management process (strategic risks in the risk register) to develop an internal audit annual plan; and by using the outcome of the operational risk management process (operational risks in the risk register for the activity under review) to develop the engagement plan and related work programme. If the risk management strategy and related risk management process has been audited by the lAF, and assurance cannot be provided that these processes are sufficient (adequate and effective) for managing the risk levels that management is prepared to accept for the organisation, the chief audit executive (CAE) (for the internal audit annual plan) and the engagement manager (for the engagement plan) should perform a risk assessment to determine what to include in the respective plans. Example Seton Technologies is a leading cybersecurity firm that provides cloud-based security solutions for businesses, financial institutions, and government agencies. The company is known for its cutting-edge AI-driven threat detection system, Anexnet AI, which helps 9 ACCOUNTANCY@UJ AIAX800 organizations detect and prevent cyber threats in real time. The company has an in-house internal audit department. There is a board meeting, and amongst the attendees is Emma Waynes, the Chief Audit Executive; Jackie Cage, the Chief Risk Officer; and Chris Taner, the board’s chairperson. The following is a dialogue between the CAE and, the board, and senior management in one of the board meetings: Emma: Our recent audit uncovered cybersecurity vulnerabilities in our cloud system. If exploited, these could expose customer data and lead to regulatory fines under GDPR. Additionally, 40% of our third-party vendors do not meet our security standards. Emma: To mitigate these risks, I recommend immediate security patches and mandatory testing every quarter. For vendor risks, we should enforce stricter cybersecurity policies before contract renewals. Emma: Addressing these risks proactively will strengthen our reputation as a cybersecurity leader, ensure regulatory compliance, and prevent costly breaches. Chris: Thank you, Emma, for this critical update. We agree that cybersecurity is a top priority. Let’s ensure IT implements these controls immediately and that we receive an update at the next board meeting. Emma has ample knowledge of globally accepted risk management principles, models and frameworks like the Enterprise Risk Management (ERM) and Three Lines Defense Model. The risk division is responsible for risk identification headed by Jackie. After a risk maturity assessment by the IAF, they report their findings to Emma. Emma then reviews the completed risk assessments. Emma has a discussion with the board and senior management, communicating the audit findings as depicted in the dialogue. 10 ACCOUNTANCY@UJ AIAX800 Please note that Risk Management will be studied in great detail in the second semester, our focus for risk is based on the nature of internal audit work (Standards). III. CONTROL PROCESSES The chief audit executive should become familiar with globally accepted control frameworks and consider those used by the organization. For each identified organizational objective, the chief audit executive should develop and maintain a broad understanding of the organization’s control processes and their effectiveness. The chief audit executive may develop an organisation wide risk and control matrix to: Document identified risks that may affect the ability to achieve organizational objectives. Indicate the relative significance of risks. Understand key controls in organizational processes. Understand which controls have been reviewed for design adequacy and deemed to be operating as intended. The third element in GRC is control, which is one of the main areas that internal auditors should focus their efforts on. Before control activities within an organisational environment is explained, it is important to understand that control is part of everyday life. When a person buys something, pays cash for it and receives change, the checking of whether it is the correct amount is referred to as control. When a refrigerator has a thermostat, the regulation of the temperature is referred to as control. Numerous definitions for the term internal control exist. Some of these definitions are: “Internal control is a process, affected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance” Source: COSO 11 ACCOUNTANCY@UJ AIAX800 Internal control measures are those methods and procedures which have been accepted by the management of an entity to help in the achievement of management's goal to ensure that the business of the entity is properly conducted in an orderly and efficient manner. Source: SAICA. These definitions enable the assumption of a few common factors related to control; namely control is either a process or an action taken; management is responsible for implementing the overall control system with its individual control activities, but other parties may also be involved; and controls are implemented to minimise risks, thus ensuring that an organisation's objectives are met. However, only reasonable assurance in the minimisation of risks and the achievement of objectives can be provided by effective controls. Control forms part of any organisation's backbone, as weaknesses and the total absence of control activities may result in chaos and the organisation's eventual demise. The Internal Auditor’s function According to the definition of internal auditing, control represents one of the three major elements that an lAF should focus on - if not the most important element. The internal auditor should first assess the adequacy of the comprehensive control system and individual control activities (are they "good enough" to prevent risk form occurring). Thereafter the internal auditor should test the effectiveness of the adequate control activities only (are they 'working as planned'). If control activities are not in place (lack of adequate control) or the control activities are insufficient in managing risks (inadequate), this is reported as a finding to senior management and the board. Please note that Controls will be studied in great detail in Block 2, our focus for controls is based on the nature of internal audit work (Standards). Example 12 ACCOUNTANCY@UJ AIAX800 Seton Technologies is a leading cybersecurity firm that provides cloud-based security solutions for businesses, financial institutions, and government agencies. The company is known for its cutting-edge AI-driven threat detection system, Anexnet AI, which helps organizations detect and prevent cyber threats in real-time. The company has an in-house internal audit department. Emma Waynes is the Chief Audit Executive. Emma has ample knowledge of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technology (COBIT). Emma developed an organisation wide risk and control matrix to: Document identified risks that may affect the ability to achieve organizational objectives. Indicate the relative significance of risks. Understand key controls in organizational processes. Understand which controls have been reviewed for design adequacy and deemed to be operating as intended. Standard 9.2 INTERNAL AUDIT STRATEGY The chief audit executive must develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders. An internal audit strategy is a plan of action designed to achieve a long-term or overall objective. The internal audit strategy must include a vision, strategic objectives, and supporting initiatives for the internal audit function. An internal audit strategy helps guide the internal audit function toward the fulfillment of the internal audit mandate. 13 ACCOUNTANCY@UJ AIAX800 The chief audit executive must review the internal audit strategy with the board and senior management periodically. Organisational Level Most organisations are divided into two main areas, namely a strategic level and an operational level. The strategic level determines the direction of the organisation, including aspects such as what the organisation's business entails (what is made, sold or types of services provided), and how this is executed to ensure that the overall organisational vision is achieved. The operational level implements the strategic direction. Strategic Level The overall organisational direction is reflected in the strategic plan. A clear set of strategic objectives and strategies, supported by sub-objectives, are fundamental to success. Senior management (the board) drives the development and updating of the strategic plan, as well as the implementation thereof. The strategic plan is usually revised every three to five years to ensure that changes within the bigger environment are incorporated. Operational Level Management uses the strategic plan as a point of departure in developing organisational operational direction, in other words, the day-to-day operations of the organisation driven by operational objectives. This direction is implemented and communicated in various ways. For example, the organisation has a specific structure that consists of divisions, sections, hierarchy reporting etc. Furthermore, documentation on what management wants, what is allowed (or not), how it must be implemented etc. are communicated in various ways. Organisational Objectives 14 ACCOUNTANCY@UJ AIAX800 Where senior management is responsible for developing the strategic plan for the organisation, including the strategic organisational objectives, each organisational unit manager will assist in the process of setting specific operational objectives for a specific unit or process. Operational objectives must consider the specific organisation, the industry and economic environment within which the organisation functions. The objectives must, for example, be relevant in terms of the realities of the organisational environment and market expectations and ensure that objectives are defined in measurable terms. According to the definition of internal auditing, the role of the internal audit function (IAF) is to assist an organisation to accomplish its objectives, hence the internal auditor must obtain a sound understanding of the organisation's objectives before an engagement can be performed. The internal audit engagement plan should thus be structured in such a way that the engagement objectives relate to the achievement of the organisational objectives - both at strategic and operational levels Standard 9.3 METHODOLOGIES The chief audit executive must establish methodologies to guide the internal audit function in a systematic and disciplined manner to implement the internal audit strategy, develop the internal audit plan, and conform with the Standards. The chief audit executive must evaluate the effectiveness of the methodologies and update them as necessary to improve the internal audit function and respond to significant changes that affect the function. The chief audit executive must provide internal auditors with training on the methodologies. (See also Principles 13 Plan Engagements Effectively, 14 Conduct Engagement Work, and 15 Communicate Engagement Results and Monitor Action Plans, and their standards.) The following must be conducted or considered by the chief audit executive when managing the internal audit activity : setting the activity’s plan for the various engagements to be performed; 15 ACCOUNTANCY@UJ AIAX800 communicating the activity’s plans to senior management and the board for review and their approval; guiding the internal audit activity by setting policies and procedures (usually in a procedure manual); reporting to senior management and the board on the activity’s performance; and considering the organisational responsibilities when an external service provider serves as the internal audit activity (out-sourced or co-sourced internal audit activity). The internal audit charter sets the stage by identifying the terms of reference (role, responsibility and authority) of the internal audit activity. The document is authorised by senior management and the board (including the audit committee). Risk assessments and other forms of evaluation performed by management are studied to determine the strategies of top management (what the organisation sees as important). The internal audit activity’s strategic (3/5 years) plan is drawn up and approved by senior management and the board. Engagement work programmes are developed to perform the individual engagements according to the annual internal audit plan. 16 ACCOUNTANCY@UJ AIAX800 Standard 9.4 INTERNAL AUDIT PLAN The chief audit executive must create an internal audit plan that supports the achievement of the organization’s objectives. This assessment must be informed by input from the board and senior management as well as the chief audit executive’s understanding of the organization’s governance, risk management, and control processes. The assessment must be performed at least annually. The internal audit plan must: Consider the internal audit mandate and the full range of agreed-to internal audit services. Specify internal audit services that support the evaluation and improvement of the organization’s governance, risk management, and control processes. Consider coverage of information technology governance, fraud risk, the effectiveness of the organization’s compliance and ethics programs, and other high- risk areas. Identify the necessary human, financial, and technological resources necessary to complete the plan. Be dynamic and updated timely in response to changes in the organization’s business, risks operations, programs, systems, controls, and organizational culture. The chief audit executive must review and revise the internal audit plan as necessary and communicate timely to the board and senior management: The impact of any resource limitations on internal audit coverage. The rationale for not including an assurance engagement in a high-risk area or activity in the plan. Conflicting demands for services between major stakeholders, such as high-priority requests based on emerging risks and requests to replace planned assurance engagements with advisory engagements. 17 ACCOUNTANCY@UJ AIAX800 Limitations on scope or restrictions on access to information. The chief audit executive must discuss the internal audit plan, including significant interim changes, with the board and senior management. The plan and significant changes to the plan must be approved by the board. The annual internal audit plan is a document that sets out all the individual engagements (assurance and advisory engagements) to be performed in a specific time period. This internal audit plan shows: when engagements should be performed (high risk areas first); what engagements should be performed (first the high risk areas, second the medium risk areas, and if possible the low risk areas); and what resources are needed to perform the engagement, for example, time, human resources and money. This plan should complement the overall goals and objectives of the internal audit activity as well as those of the organisation. Usually the internal audit activity does not have sufficient resources to perform all the assurance and consulting services possible or needed. This problem is addressed by establishing priorities for the internal audit activity based on risk (risk-based plans). Standard 9.5 COORDINATION AND RELIANCE The chief audit executive must coordinate with internal and external providers of assurance services and consider relying upon their work. Coordination of services minimizes duplication of efforts, highlights gaps in coverage of key risks, and enhances the overall value added by providers. If unable to achieve an appropriate level of coordination, the chief audit executive must raise any concerns with senior management and, if necessary, the board. 18 ACCOUNTANCY@UJ AIAX800 When the internal audit function relies on the work of other assurance service providers, the chief audit executive must document the basis for that reliance and is still responsible for the conclusions reached by the internal audit function. Coordinating Activities Periodic meetings between the internal and external auditors should be held to discuss the following points: Audit coverage: Planned audit activities should be discussed to assure that audit coverage is co-ordinated and duplicate efforts are minimised. Access to each other's work programmes and working papers: Access should be given so that both parties can be satisfied as to the propriety for their purposes of relying on the other party's work. Confidentiality is essential in working through each other's files. Exchange of audit reports and management letter: Internal audit reports can assist external auditors in determining and adjusting the scope of work. External audit reports can assist internal auditors in planning the areas of emphasis in future internal audit work. The CAE should ensure that appropriate follow-up and corrective action has been taken. Common understanding of audit techniques, methods and terminology: The CAE should understand the scope of work planned by the external auditor. The CAE should understand the external auditor's techniques/methods and terminology to ensure effective co-ordination, evaluation of external audit work and effective communication with external auditors. The CAE should provide sufficient information so that the external auditors can understand the techniques, methods and terminology of the internal auditors. It may be more effective for the internal and external auditors to use the same audit techniques, methods and terminology. Reliance on the work of internal auditors 19 ACCOUNTANCY@UJ AIAX800 According to the governing standards of the external audit profession, known as the ISA, in particular ISA 610, the external auditors must consider the following aspects before they can rely on the work of the internal auditors: Organisational status: Independence and objectivity; for example, do internal auditors report to the highest level of authority? Any limitations on the scope of the work performed by the lAF. Internal auditors should have the freedom to communicate with the external auditors. Scope of function: The scope of the work performed by the internal auditors. Management's reactions to recommendations made by the internal auditors. Technical competency: The internal auditors' training, qualifications and abilities. The experience of the internal audit team. Due professional care: How the internal auditors execute the audit engagement. The quality of the working papers. The quality of the documentation of their work. B. PRINCIPLE 10 – MANAGE RESOURCES The chief audit executive manages resources to implement the internal audit function’s strategy and achieve its plan and mandate. Managing resources requires obtaining and deploying financial, human, and technological resources effectively. The chief audit executive needs to obtain the resources required to perform internal audit responsibilities and deploy the resources according to the methodologies established for the internal audit function. 20 ACCOUNTANCY@UJ AIAX800 Standard 10.1 FINANCIAL RESOURCE MANAGEMENT The chief audit executive must manage the internal audit function’s financial resources. The chief audit executive must develop a budget that enables the successful implementation of the internal audit strategy and achievement of the plan. The budget includes the resources necessary for the function’s operation, including training and acquisition of technology and tools. The chief audit executive must manage the day-to-day activities of the internal audit function effectively and efficiently, in alignment with the budget. The chief audit executive must seek budget approval from the board. The chief audit executive must communicate promptly the impact of insufficient financial resources to the board and senior management. The CAE is a guardian of financial integrity when it comes to managing the financial resources of the internal audit function. The CAE is to responsible to confirm that resources required are determined and matched with the resources available. Standard 10.2 HUMAN RESOURCE MANAGEMENT The chief audit executive must establish an approach to recruit, develop, and retain internal auditors who are qualified to successfully implement the internal audit strategy and achieve the internal audit plan. The chief audit executive must strive to ensure that human resources are appropriate, sufficient, and effectively deployed to achieve the approved internal audit plan. Appropriate refers to the mix of knowledge, skills, and abilities; sufficient refers to the quantity of resources; and effective deployment refers to assigning resources in a way that optimizes the achievement of the internal audit plan. 21 ACCOUNTANCY@UJ AIAX800 The chief audit executive must communicate with the board and senior management regarding the appropriateness and sufficiency of the internal audit function’s human resources. If the function lacks appropriate and sufficient human resources to achieve the internal audit plan, the chief audit executive must determine how to obtain the resources or communicate timely to the board and senior management the impact of the limitations. (See also Standard 8.2 Resources.) The chief audit executive must evaluate the competencies of individual internal auditors within the internal audit function and encourage professional development. The chief audit executive must collaborate with internal auditors to help them develop their individual competencies through training, supervisory feedback, and/or mentoring. (See also Standard 3.1 Competency.) Different Structures of the Internal Audit Activity According to the Institute of Internal Auditors (IIA), an internal audit activity is a department, division, team of consultants or other practitioners that perform internal audit services. The internal audit activity can be either: an in-house department or division (all the internal auditors are employed by the organisation on a full-time basis); outsourced (all the people performing internal audit services are working for the organisation on a consulting/part-time basis for a specific task or period of time) e.g PwC; or co-sourced (combination of the previous two forms). It could also happen that a full in-house department lacks specific knowledge or skills needed to perform a certain engagement. In such cases consultants may be used to obtain these skills or knowledge. It is important to remember whether full-time employees or external consultants are used to perform the internal audit engagement work, the IIA Standards are applicable at all times. 22 ACCOUNTANCY@UJ AIAX800 Staff of the internal audit activity (in-house) The chief audit executive heads the internal audit activity. The internal audit charter sets the position of internal auditing within the organisation. The chief audit executive uses this document as a foundation and mandate to determine how the internal audit activity should operate and thus sets the rights and responsibilities for the internal audit activity. The internal audit activity is normally divided into two distinct functions (refer to figure below) namely, the line function (the people performing the internal audit engagements) and the service and personnel function/administrative function (the people supporting the line personnel, for example, administrative support and human resources support). The internal audit activity could differ from one organisation to another, depending on the size of the organisation and the internal audit activity, types of services performed and personnel employed. The composition of a typical in-house internal audit activity is illustrated in the figure below: The Chief Audit Executive The job description of the chief audit executive should be comprised of at least the following: 23 ACCOUNTANCY@UJ AIAX800 Establishing the overall objectives of the internal audit activity. This should be in line with the organisation’s objectives as well as the internal audit charter (internal audit mandate/terms of reference). Establishing and reviewing on a regular basis the policies and procedures of the internal audit activity (usually in a procedure manual document). Developing and monitoring the internal audit activity’s plans (usually five-year, three- year and annual plans). Incorporating special and ad hoc audit engagements as requested by management in the internal audit activity’s plan. Examining the effectiveness of the internal audit activity’s plan in reaching the objectives of the activity and ultimately the organisation. Determining whether the resources allocated to the internal audit activity are effectively and efficiently utilised. Authorising (signing off) all internal audit reports. Monitoring progress on recommendations in internal audit reports. Internal Audit Manager The internal audit manager is responsible for developing a comprehensive plan to cover all the operations of the specific function or department allocated to the internal auditor. The internal audit manager’s duties are to administer a specific section of the internal audit activity, for example: all head office audit engagements; or to act as head of the operational audit division. Supervisor The senior supervisor will not be responsible for performing the actual audit engagement procedures, but will periodically visit the various audit engagement teams, giving advice and 24 ACCOUNTANCY@UJ AIAX800 making sure all the engagement activities are under control and within the budget. The senior supervisor will also review the internal audit reports. The senior supervisor usually heads a sub-section or portion of the engagement in a specific section, for example: all compliance and financial engagements performed at the head office. The supervisor, assisted by internal auditors and internal audit trainees, will be responsible for a specific engagement performed, for example: the compliance audit engagement of the payroll at head office. Standard 10.2 TECHNOLOGICAL RESOURCES The chief audit executive must strive to ensure that the internal audit function has technology to support the internal audit process. The chief audit executive must regularly evaluate the technology used by the internal audit function and pursue opportunities to improve effectiveness and efficiency. When implementing new technology, the chief audit executive must implement appropriate training for internal auditors in the effective use of technological resources. The chief audit executive must collaborate with the organization’s information technology and information security functions to implement technological resources properly. The chief audit executive must communicate the impact of technology limitations on the effectiveness or efficiency of the internal audit function to the board and senior management. C. PRINCIPLE 11 – COMMUNICATE EFFECTIVELY 25 ACCOUNTANCY@UJ AIAX800 The chief audit executive guides the internal audit function to communicate effectively with its stakeholders. Effective communication requires building relationships, establishing trust, and enabling stakeholders to benefit from the results of internal audit services. The chief audit executive is responsible for helping the internal audit function establish ongoing communication with stakeholders to build trust and foster relationships. Additionally, the chief audit executive oversees the internal audit function’s formal communications with the board and senior management to enable quality and provide insights based on the results of internal audit services. Standard 11.1 BUILDING RELATIONSHIPS AND COMMUNICATING WITH STAKEHOLDERS The chief audit executive must develop an approach for the internal audit function to build relationships and trust with key stakeholders, including the board, senior management, operational management, regulators, and internal and external assurance providers and other consultants. The chief audit executive must promote formal and informal communication between the internal audit function and stakeholders, contributing to the mutual understanding of: Organizational interests and concerns. Approaches for identifying and managing risks and providing assurance. Roles and responsibilities of relevant parties and opportunities for collaboration. Relevant regulatory requirements. Significant organizational processes, including financial reporting. Building relationships and communicating with stakeholders is very important because it allows one to understand their needs, expectations, and concerns, which helps them to make informed decisions. 26 ACCOUNTANCY@UJ AIAX800 Use of Experts Organisations and specifically the IAF, may use the work of internal (within the organisation but outside the IAF) or external (outside the organisation) service providers to assist with assurance and/or advisory services - also referred to as experts. Experts may be used when the lAF does not have the competencies within the staff compliment to perform the audit engagement with due professional care. Reliance on the work of such service providers may extend to: professional knowledge and experience; knowledge of the organisation's industry; independence; availability of specialised services; anticipation of and responsiveness to the needs of the organisation; reasonable continuity of key engagement personnel; maintenance of appropriate working relationships; achievement of contract commitments; and delivery of overall value to the organisation. The CAE then needs to understand the work performed by the service provider by considering the nature, extent, and timing thereof, the assessment of risks, as well as the techniques, methods and terminology used to enable the CAE to: co-ordinate the lAFs and service providers' work; evaluate, for the purposes of reliance placed on the work performed; and communicate effectively with such service providers. Standard 11.2 EFFECTIVE COMMUNICATION 27 ACCOUNTANCY@UJ AIAX800 The chief audit executive must establish and implement methodologies to promote accurate, objective, clear, concise, constructive, complete, and timely internal audit communications. Effective communication is critical for internal auditors as it ensures clear understanding, fosters trust, and facilitates the resolution of issues, ultimately leading to more accurate and impactful audit outcomes. Standard 11.3 COMMUNICATING RESULTS The chief audit executive must communicate the results of internal audit services to the board and senior management periodically and for each engagement as appropriate. The chief audit executive must understand the expectations of the board and senior management regarding the nature and timing of communications. The results of internal audit services can include: Engagement conclusions. Themes such as effective practices or root causes. Conclusions at the level of the business unit or organization. It is important to first understand the purpose of reporting. Internal auditors make use of reporting to communicate the results of an audit engagement, this essentially is the main form of output for any audit engagement. This report must give assurance to the user (reader) that: The information is reliable. The recommendations are valid and worthwhile (practical and useable) Communicating Results will be discussed further in Block 2, our focus is communicating results based on the managing the internal audit activity (Standards). Standard 11.4 ERRORS AND OMISSIONS 28 ACCOUNTANCY@UJ AIAX800 If a final engagement communication contains a significant error or omission, the chief audit executive must communicate corrected information promptly to all parties who received the original communication. Significance is determined according to criteria agreed upon with the board. Communicating errors and omissions is imperative because, if not done, the entire audit process can be undermined by failing to convey critical information about an engagement effectively. For the considerations for implementation and examples of evidence of conformance for Errors and Omissions refer to Standard 11.4 Standard 11.5 COMMUNICATING THE ACCEPTANCE OF RISKS The chief audit executive must communicate unacceptable levels of risk. When the chief audit executive concludes that management has accepted a level of risk that exceeds the organization’s risk appetite or risk tolerance, the matter must be discussed with senior management. If the chief audit executive determines that the matter has not been resolved by senior management, the matter must be escalated to the board. It is not the responsibility of the chief audit executive to resolve the risk. For the considerations for implementation and examples of evidence of conformance for Communicating the Acceptance of Risks refer to Standard 11.5 D. PRINCIPLE 12 – ENHANCE QUALITY The chief audit executive is responsible for the internal audit function’s conformance with the Global Internal Audit Standards and continuous performance improvement. Quality is a combined measure of conformance with the Global Internal Audit Standards and the achievement of the internal audit function’s performance objectives. Therefore, a quality 29 ACCOUNTANCY@UJ AIAX800 assurance and improvement program is designed to evaluate and promote the internal audit function’s conformance with the Standards, achievement of performance objectives, and pursuit of continuous improvement. The program includes internal and external assessments. (See also Standards 8.3 Quality and 8.4 External Quality Assessment.) The chief audit executive is responsible for ensuring that the internal audit function is continuously seeking improvement. This requires developing measures to assess the performance of internal audit engagements, internal auditors, and the internal audit function. These measures form the basis for evaluating progress toward performance objectives including continuous improvement. Quality assurance is a programme by which the chief audit executive evaluates the operations of the internal audit activity. The purpose of the quality assurance programme is to provide reasonable assurance to senior management, the board of directors, the audit committee and external auditors that the internal audit work conforms to the IIA Standards, the internal audit activity’s charter, and other applicable standards. According to the IIA Standards the quality programme should include the following quality assurance review processes: appropriate supervision; periodic internal assessments and ongoing monitoring of quality assurance; and external reviews. Standard 8.3 QUALITY The chief audit executive must develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function. The program includes two types of assessments: External assessments. (See also Standard 8.4 External Quality Assessment.) 30 ACCOUNTANCY@UJ AIAX800 Internal assessments. (See also Standard 12.1 Internal Quality Assessment.) At least annually, the chief audit executive must communicate the results of the internal quality assessment to the board and senior management. The results of the external quality assessments must be reported when completed. In both cases, such communications include: The internal audit function’s conformance with the Standards and achievement of performance objectives. If applicable, compliance with laws and/or regulations relevant to internal auditing. If applicable, plans to address the internal audit function’s deficiencies and opportunities for improvement. Essential Conditions Board Discuss with the chief audit executive the quality assurance and improvement program, as outlined in Domain IV: Managing the Internal Audit Function. Approve the internal audit function’s performance objectives at least annually. (See also Standard 12.2 Performance Management.) Assess the effectiveness and efficiency of the internal audit function. Such an assessment includes: ▪ Reviewing the internal audit function’s performance objectives, including its conformance with the Standards, laws and regulations; ability to meet the internal audit mandate; and progress towards completion of the internal audit plan. ▪ Considering the results of the internal audit function’s quality assurance and improvement program. ▪ Determining the extent to which the internal audit function’s performance objectives are being met. Senior Management Provide input on the internal audit function’s performance objectives. 31 ACCOUNTANCY@UJ AIAX800 Participate with the board in an annual assessment of the chief audit executive and internal audit function. Standard 12.1 INTERNAL QUALITY ASSESSMENT The chief audit executive must develop and conduct internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards and progress toward performance objectives. The chief audit executive must establish a methodology for internal assessments, as described in Standard 8.3 Quality, that includes: Ongoing monitoring of the internal audit function’s conformance with the Standards and progress toward performance objectives. Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices to evaluate conformance with the Standards. Communication with the board and senior management about the results of internal assessments. Ongoing Monitoring Ongoing monitoring involves day-to-day supervision, review, and measurement of the internal audit function. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit function and includes the processes, tools, and information necessary to evaluate conformance with the Standards. The internal audit function’s progress toward performance objectives and conformance with the Standards is monitored primarily through methodologies such as supervisory reviews of engagement planning, workpapers, and final communications. These methodologies enable the identification of weaknesses or areas in need of improvement and action plans to address them. The chief audit executive may develop templates or automated 32 ACCOUNTANCY@UJ AIAX800 workpapers for internal auditors to use throughout engagements to promote standardization and consistency in the application of the work practices. Adequate engagement supervision is a fundamental element of quality assurance and improvement programs. Supervision begins with planning and continues throughout the engagement. Supervision may include setting expectations, encouraging communications among team members throughout the engagement, and reviewing and signing off on workpapers timely. (See also Standard 12.3 Oversee and Improve Engagement Performance.) For additional mechanisms commonly used for ongoing monitoring refer to Standard 12.1 Periodic Self-Assessments Periodic self-assessments provide a more holistic, comprehensive review of the Standards and the internal audit function. Periodic self-assessments address conformance with every standard, whereas ongoing monitoring may focus on the standards relevant to performing engagements. Periodic self-assessments may be conducted by senior members of the internal audit function, a dedicated quality assurance team, individuals within the internal audit function who have attained the Certified Internal Auditor® designation or have extensive experience with the Standards, or individuals with audit competencies from elsewhere in the organization. The chief audit executive should consider including internal auditors in the periodic self-assessment process to improve their understanding of the Standards. Periodic self-assessments enable the internal audit function to validate its conformance with the Standards. When a periodic self-assessment is performed shortly before an external assessment, the time and effort required to complete the external assessment may be reduced. 33 ACCOUNTANCY@UJ AIAX800 Periodic self-assessments evaluate: The adequacy of the internal audit function’s methodologies. How well the internal audit function supports the achievement of the organization’s objectives. The quality of internal audit services performed and supervision provided. The degree to which the stakeholder’s expectations are met and performance objectives are achieved. Standard 8.4 EXTERNAL QUALITY ASSESSMENT The chief audit executive must develop a plan for an external quality assessment and discuss the plan with the board. The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team. The requirement for an external quality assessment may also be met through a self-assessment with independent validation. When selecting the independent assessor or assessment team, the chief audit executive must ensure at least one person holds an active Certified Internal Auditor® designation. Essential Conditions Board Discuss with the chief audit executive the plans to have an external quality assessment of the internal audit function conducted by an independent, qualified assessor or assessment team. Collaborate with senior management and the chief audit executive to determine the scope and frequency of the external quality assessment. Consider the responsibilities and regulatory requirements of the internal audit function and the chief audit executive, as described in the internal audit charter, when defining the scope of the external quality assessment. Review and approve the chief audit executive’s plan for the performance of an external quality assessment. Such approval should cover, at a minimum: ✓ The scope and frequency of assessments. 34 ACCOUNTANCY@UJ AIAX800 ✓ The competencies and independence of the external assessor or assessment team. ✓ The rationale for choosing to conduct a self-assessment with independent validation instead of an external quality assessment. Require receipt of the complete results of the external quality assessment or self- assessment with independent validation directly from the assessor. Review and approve the chief audit executive’s action plans to address identified deficiencies and opportunities for improvement, if applicable. Approve a timeline for completion of the action plans and monitor the chief audit executive’s progress. Senior Management Collaborate with the board and the chief audit executive to determine the scope and frequency of the external quality assessment. Review the results of the external quality assessment, collaborate with the chief audit executive and board to agree on action plans that address identified deficiencies and opportunities for improvement, if applicable, and agree on a timeline for completion of the action plans. Standard 12.2 PERFORMANCE MEASUREMENT The chief audit executive must develop objectives to evaluate the internal audit function’s performance. The chief audit executive must consider the input and expectations of the board and senior management when developing the performance objectives. The chief audit executive must develop a performance measurement methodology to assess progress toward achieving the function’s objectives and to promote the continuous improvement of the internal audit function. When assessing the internal audit function’s performance, the chief audit executive must solicit feedback from the board and senior management as appropriate. 35 ACCOUNTANCY@UJ AIAX800 The chief audit executive must develop an action plan to address issues and opportunities for improvement. For the considerations for implementation and examples of evidence of conformance for performance measurement refer to Standard 12.2 Standard 12.3 OVERSEE AND IMPROVE ENGAGEMENT PERFORMANCE The chief audit executive must establish and implement methodologies for engagement supervision, quality assurance, and the development of competencies. The chief audit executive or an engagement supervisor must provide internal auditors with guidance throughout the engagement, verify work programs are complete, and confirm engagement workpapers adequately support findings, conclusions, and recommendations. To assure quality, the chief audit executive must verify whether engagements are performed in conformance with the Standards and the internal audit function’s methodologies. To develop competencies, the chief audit executive must provide internal auditors with feedback about their performance and opportunities for improvement. The extent of supervision required depends on the maturity of the internal audit function, the proficiency and experience of internal auditors, and the complexity of engagements. The chief audit executive is responsible for supervising engagements, whether the engagement work is performed by the internal audit staff or by other service providers. Supervisory responsibilities may be delegated to appropriate and qualified individuals, but the chief audit executive retains ultimate responsibility. The chief audit executive must ensure that evidence of supervision is documented and retained, according to the internal audit function’s established methodologies. 36 ACCOUNTANCY@UJ AIAX800 For the considerations for implementation and examples of evidence of conformance for oversee and improve engagement performance measurement refer to Standard 12.3 Maturity of quality programme Quality maturity refers to the level of quality assessment that occurs within a specific internal audit activity. For example, if an organisation has implemented only sufficient supervision, it will imply that the organisation is quality immature or naive. If, however, an organisation has implemented all the above quality elements it will imply that the organisation is quality mature. IIA has issued a document termed The Path to Quality which is a step-by-step approach to world-class internal audit quality assessment. Internal audit activities exist in all shapes and sizes and internal auditors and service providers have different levels of experience, knowledge and sophistication. To support this diversity, the step-by- step guide (refer to table B) assists chief audit executives to progress to full maturity. Level Action Implemented Task Introductory Internal audit charter has to be Value that internal auditing developed could add should be documented, communicated Policies and procedures must and marketed be approved Emerging Maintenance of the quality Periodic internal assessments programme is demonstrated are performed and by: communicated to senior internal assessments; and management and the board of ongoing monitoring directors 37 ACCOUNTANCY@UJ AIAX800 The CAE must report the implementation of action plans to senior management and the board of directors Established Independent validation of self- Periodic internal (self) assessments is obtained assessments are performed and communicated to senior management and the board of directors The CAE must report the implementation of action plans to senior management and the board of directors Progressive The internal audit activity An external quality assurance implements best practices in review should be conducted terms of the Standards every five years A well-established quality assurance and improvement programme is established Advanced The internal audit activity is an An external quality assurance innovator of best practice. The review should be conducted conduct of the internal audit every three years activity exceeds the requirements of the Standards and stakeholders 38 ACCOUNTANCY@UJ AIAX800 Quality Maturity Table Importance of Quality Programmes Internal auditors should be respected and highly regarded by their engagement clients. Internal auditors must thus ensure that they provide an acceptable quality of service to their organisation. The IIA also feels strongly about the quality of the internal audit work of its members as this creates a perception, whether good or bad, of the profession as a whole. The chief audit executive has the responsibility to implement processes that are designed to provide reasonable assurance to the stakeholders of the internal audit activity that: Internal audit engagements are performed in accordance with the Standards; It functions in an effective and efficient manner; and It is regarded and respected by the stakeholders as a value-adding function that improves the operations of the organisation. Internal auditors can perform their duties efficiently (with least possible resources) and yet not effectively (not achieving the objective). Performing effectively is the essential quality that is sought in all aspects of the internal audit activity. The quality assessment of the internal audit activity should be guided by the following two aspects: Internal auditors need to know what effect their internal audit engagements had on the organisation as a whole; and Internal audit engagements should have an objective and this objective should be measurable. These two aspects should always be part of internal audit engagement programmes. The degree of accomplishment of this objective, based on the measurement criteria described in the engagement programme should be determined or measured after completion of every internal audit engagement. The success of the internal audit engagement should be linked to the achievement of the goals and objectives of the engagement client. 39 ACCOUNTANCY@UJ AIAX800 It is important to note that if something cannot be measured, it cannot be managed. This forms the basis of why it is necessary to perform quality assurance reviews. What is benchmarking Benchmarking is the process of comparing the business processes and performance of one organisation (or internal audit activity) to that of another that is widely regarded as an acceptable industry norm or standard. In the end, benchmarking allows the chief audit executive to gauge the internal audit activity with another (or various) activity(ies) in order to obtain a snapshot of the performance of his or her internal audit activity. Benchmarking assists the internal auditor in understanding what the position in terms of status and quality of the internal audit activity is in comparison with a particular norm or standard. Another term used in conjunction with benchmarking is best practice. The term best practice refers to a technique, method, process or activity that is regarded as being more effective than others in the achievement of particular objectives. Best practice also implies that a desired outcome or objective is achieved most efficiently through the application of appropriate processes, checks and testing in the performance of internal audit engagements. Types of benchmarking Several types of benchmarking exist in the internal audit environment. Some of these are listed and briefly explained: Process benchmarking – The internal audit activity will focus its observation of the processes of another internal audit activity with an emphasis on best practices. 40 ACCOUNTANCY@UJ AIAX800 Financial benchmarking – This includes a financial analysis in an effort to determine effective resource allocation within the activity (for example, budgets). Performance benchmarking – This type of benchmarking allows the internal audit activity to assess its status or standing in the organisation in relation to that of other (similar) internal audit activities. Strategic benchmarking – This type of benchmarking refers to industry-specific matters. The chief audit executive will compare the internal audit activity with other internal audit activities in similar industries (for example, the financial services industry). Operational benchmarking – This type of benchmarking includes all operational aspects such as recruitment, administrative effectiveness and analysis of functional procedures followed. Benefits of Benchmarking The following direct quotes obtained from the IIA’s website explain the benefits of benchmarking: “Benchmarking gives me a way of sharing to non-audit audiences how we compare against other groups in similar industries of similar size and approach.” Benjamin Moore Paints “We use benchmarking to gauge our audit department practices against best practice and provide assurance that we are productive and leading-edge audit organisation.” Canada Post Corporation “Benchmarking provides baseline, independent information to support resource negotiation.” Microsoft Corporation Cost of Benchmarking 41 ACCOUNTANCY@UJ AIAX800 Benchmarking is regarded as a fairly expensive process. Internal audit activities that have applied benchmarking are, however, of the opinion that the benefits thereof outweigh the costs. The three main types of costs associated with a benchmarking project include: Subsistence and travelling costs – These costs refer to the expenses incurred in respect of travelling and living-out costs when visiting other internal audit activities during the benchmarking process. Time costs – Refer to “time lost” (and the cost associated with it) when a team of internal auditors spend time assessing and researching another internal audit activities away from their office or workplace. Benchmarking database costs – A database of best practices and the internal audit activities associated with the best practices is sometimes kept which leads to some costs being incurred. The cost of benchmarking can be reduced through utilising the IIA’s Global Audit Information Network (GAIN) and is briefly discussed in the following section. Global Audit Information Network (GAIN) The internal audit profession strongly advocates the sharing of knowledge within the profession. This is embodied in the IIA’s motto: “progress through sharing”. Global Audit Information Network is the best-known term for benchmarking amongst the members of the IIA globally. Global Audit Information Network is a forum through which internal auditors throughout the world can share information on best practices. In addition to the sharing of information, Global Audit Information Network also allows internal auditors to: share, compare and validate their internal audit activities; network with internal auditors from other organisations; learn about challenges, mistakes and solutions from their peers; obtain leading internal audit practices from the top organisations in the world; and 42 ACCOUNTANCY@UJ AIAX800 enhance the operational effectiveness and efficiency of the internal audit activity. In summary the internal audit activity should provide the highest quality service to their organisation. Benchmarking, through Global Audit Information Network, provides a tool for all internal auditors to ensure their internal audit activities are managed, and engagements are conducted, on a level that is on par with the best in the world. Example Azra Manufacturing Inc. is a leading provider of high-quality automotive components, specializing in the production of precision-engineered parts for major automobile manufacturers. With over five decades of experience, they have managed to build a reputation for excellence in engineering, quality assurance and customer service. Azra has an in-house internal audit department. The internal audit function is headed by the CAE, Loki. Loki recognizes the need to enhance the internal audit activity's effectiveness and ensure compliance with the Global Internal Audit Standards (GIAS). To achieve this, the CAE initiates the development of a comprehensive QAIP. Loki is also proposing a benchmarking initiative to assess the department’s performance relative to peers in the manufacturing industry. Steps Taken: 1. Establishing the QAIP Framework: Loki leads a task force to develop the QAIP, outlining key components such as internal assessments, external assessments, continuous monitoring, and feedback mechanisms. 2. Internal Assessments: 43 ACCOUNTANCY@UJ AIAX800 Ongoing Monitoring: The internal audit team implements regular supervision and review of audit engagements to ensure quality and adherence to the GIAS. Periodic Self-Assessments: The senior member of the internal audit function, a dedicated quality assurance team, individuals within the internal audit function who have attained the Certified Internal Auditor designation conducts comprehensive evaluations focusing on adherence to standards, the effectiveness of audit processes, and the quality of audit reports. 3. External Assessments: Loki schedules an external quality assessment to be conducted by an independent assessor every five years, as recommended by the Institute of Internal Auditors (IIA). He also selects an independent assessor who holds an active Certified Internal Auditor designation. Benchmarking Loki selects comparable organizations within the manufacturing industry that have similar revenue sizes and operational scopes. Through industry associations, research and benchmarking surveys, the internal audit team gathers data on the selected KPIs from benchmarking partners. The internal audit function then compares industry metrics against the collected data to identify performance gaps. Conclusion The core focus of this module is on the nature of internal audit work (governance, risk and control) as outlined in the GIAS. It also described the management aspects of an internal audit activity, namely the structure and staff employed. The importance of an annual 44 ACCOUNTANCY@UJ AIAX800 internal audit plan with regard to managing the resources of the internal audit activity was also explained. We also highlighted the importance of the internal audit activity providing a high-quality service to the organisation as a whole. Quality assurance and improvements programme is designed to enable an evaluation of the internal audit activity’s conformance with the definition of internal auditing and the GIAS, an evaluation of whether internal auditors comply with the code of ethics, and an assessment of the efficiency and effectiveness of internal audit activity. The internal audit activity can also benchmark its performance against other reputable internal audit activities and use the IIA-developed Global Audit Information Network to ensure the quality of their internal auditing.. 45