The role and responsibility of the internal audit function, and the internal auditor's involvement in the operational activities of the organization, cannot be emphasized enough. The key operational tasks of internal audit are as follows:
Formulate Policies and Procedures for the Planning, Organizing, Directing, and Monitoring of Internal Audit Operations
After the audit charter, the audit manual is the most important document for the internal audit department. The audit manual provides a guide to existing and new members of the internal auditing activity about the activity’s objectives and the way these objectives will be accomplished. The Chief Audit Executive is responsible for ensuring that an audit manual is created and maintained, that it is distributed throughout the internal auditing activity, and that the policies and procedures carried in the audit manual are constantly enforced.
Purpose
The purpose of the audit manual is mainly to:
- Guide activity members to support adherence to the profession’s Code of Ethics and professional standards.
- Define a high level of performance expectations for staff that will enable the activity to fulfil its role in supporting the organization’s governance, risk management, and strategic objectives.
- Focus activity members on key objectives and values. For example, an activity may focus on assuring controls, on adding value to the organization by identifying opportunities for greater efficiency and quality, or it may weigh both roles equally.
- Coordinate roles and responsibilities within the activity and concerning other internal and external bodies.
- Codify critical processes such as the steps involved in performing different types of engagements and policies such as protection of confidential information as well as communication about and monitoring of engagement results.
- Provide the basis on which to evaluate the internal auditing activity's performance.
Role of the Internal Audit Function within the Risk Management Framework
Internal auditors are expected to point out and assess important risk exposures in the routine course of their duties. The internal audit activity’s role in the risk management process of an organization can change over time and may be found at some stage along a continuum that ranges from:
- no role;
- auditing the risk management process as part of the internal audit plan;
- providing insight and historical data on risk events identified by internal audit findings;
- continuous support and involvement in the risk management process such as participation on oversight committees, monitoring activities, and status reporting; and
- managing and coordinating the risk management process.
Senior management and the board determine the role the internal audit activity will play in the organizational risk management process. In most organizations, internal auditors have a key role in evaluating the effectiveness of enterprise risk management and recommending improvements.
However, there are roles that internal auditors cannot undertake in enterprise risk management. The roles are:
- Setting risk appetite
- Imposition of the risk management processes
- Management assurance on risks
- Taking decisions on risk responses
- Implementing risk responses on management’s behalf
- Accountability for risk management
Providing assurance is the core contribution of the internal audit activity to risk management. The internal auditor typically provides assurance on:
- Risk management processes including their design and how well they are working;
- Management of key risks including the effectiveness of the controls and other activities; and
- Reliable and appropriate assessment of risks and reporting of risk and control status.
Providing assurance requires the internal auditor to form an opinion on whether the organization's risk management methodology is understood by the key groups or individuals involved in corporate governance, including the board and the audit committee. The internal auditor should also ascertain whether risk management processes are sufficient to protect the assets, reputation, and ongoing operations of the entity. The internal audit activity should assess the effectiveness of risk management processes and contribute to their enhancement.
Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:
- Organizational objectives support and align with the organization’s mission;
- Significant risks are identified and assessed;
- Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
- Relevant risk information is captured and communicated promptly across the organization, enabling staff, management, and the board to carry out their responsibilities.
Risk management processes are observed through ongoing management activities, separate assessments, or both.
Auditors often must perform consultative roles. Possibilities for consulting engagements include:
- Educating management about the risk and control tools and techniques used by the internal audit activity and sharing those tools;
- Being a champion for introducing Enterprise Risk Management into the organization and sharing the internal audit activity’s expertise;
- Providing advice, facilitating workshops, and coaching the organization on risk and control;
- Acting as the central point for coordinating, monitoring, and reporting on risks; and
- Supporting managers as they work to identify the best way to mitigate risk.
The extent to which the internal audit activity provides risk management consulting services is a function of various factors such as:
- Resource availability,
- The risk maturity of the organization, and
- The objectivity of the internal auditor.
When the internal audit activity expands its services to include consulting engagements, safeguards must be in place to preserve its independence and objectivity. It should be clear that management remains in charge of risk management.
To preserve the integrity of the internal audit function within the organization’s risk management framework, it is recommended that:
- Internal auditors provide advice and challenge or support management’s decisions on risk as opposed to making risk-management decisions, and
- The nature of internal auditing’s responsibilities be documented in the audit charter and approved by the board.
Direct Administrative Activities of the Internal Audit Department
The chief audit executive is primarily responsible for the administrative activities of the internal audit function, which include:
- Planning. This includes activities such as developing a risk-based audit plan, reviewing staff competency needs, and planning for hiring and development.
- Organizing. This is an operational activity that involves designing structures and processes aimed at achieving activity objectives and overall goals of efficiency and effectiveness. This may include assigning auditors to specific engagements, allocating time for separate engagement activities, including planning, developing, implementing the audit program, conducting fieldwork, and writing reports.
The chief audit executive may develop processes to support engagement work such as engagement initiation or transition meetings and report review processes, processes for qualifying and contracting with external service providers, structures for communicating different types of activity information, monitoring processes aimed at maintaining quality and budget adherence, and channels for gathering this data such as timesheets.
- Directing. This includes the many tasks involved in leading the internal audit activity. Communication must be maintained within the organization and with external bodies. External audit service providers must be selected. New staff must be interviewed and hired. Performance management systems must be implemented, including appraisals at the end of engagements and annually. Motivation can be sustained by being mindful of staff stress levels and offering both rewards and career development opportunities.
- Controlling. The CAE is ultimately responsible for ensuring that policies and procedures are followed, the activity is meeting its strategic objectives, budgets are monitored and assessed, and that the audit committee, senior management, and engagement clients are satisfied.
Have a Blend of Expertise and Knowledge
As an entity, the internal audit activity must “possess or obtain” the necessary knowledge, skills, and competencies. The explanation for the standard points to professional certifications as an indication of proficiency. Furthermore, internal auditors should have sufficient knowledge to evaluate the risk of fraud and the effectiveness of fraud management. They should have sufficient knowledge—not necessarily expertise—in key information technology risks, controls, and audit techniques.
Consequently, the internal auditors hired should, as a whole, have the needed blend of expertise and experience. This implies that internal auditors need not be only financial experts. An audit team might also comprise engineers, information technology experts, legal advisors, and more.
Effectiveness of Corporate Risk Management Processes to Senior Management and the Board
Assessing the Adequacy of Risk Management Processes implies that the responsibility for managing organizational risk lies with senior management and the board. Internal audit may be called upon to support senior management and the board in fulfilling this responsibility by “examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of management’s risk processes.” The chief audit executive discusses the role of internal audit with senior management and the board, and the role is codified in the audit charter.
Through planned engagements, internal audit may provide assurance on a macro level by assessing the organization’s design and implementation of the risk management process. On a micro-level, they will provide assurance by assessing management assertions about the effectiveness of risk identification and treatment in separate areas of the organization.
The internal audit gives assurance for the complete risk management process by investigating:
- Risk management’s role in the organization. Does it have adequate management support? Have sufficient resources been forecasted for the process? Is risk management part of the decision-making process, particularly at higher levels in the organization?
- The risk management framework and the criteria used to assess risks. Are the framework and criteria appropriate for the organization’s structure and external environment?
- The ability to implement the risk management processes. Have the aims and criteria for assessing risks been conveyed? Are employees trained for their roles? Are employees held accountable for their parts in the process?
- Communication. Does the process allow feedback about the outcomes of risk management throughout the organization? Does the process include its risk management practices when communicating with external stakeholders? Does the process support compliance with external reporting requirements?
- Monitoring and reporting. Are risk identification and treatment activities monitored and reported regularly to senior management and the board? Can the process itself be measured against key performance indicators so that it can be improved continually?
- Consistency of implementation. Are definitions, criteria, and activities consistently carried out throughout the organization?
- Responsiveness to change. Does the process recognize the need for re-evaluating the organization's risk environment? Are risks re-evaluated with a frequency appropriate to the organization's business and environment?
Report on the Effectiveness of the Internal Control and Risk Management Frameworks
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. The criteria for effective risk management processes are:
- Organizational objectives support and align with the organization's mission;
- Significant risks can be identified and assessed;
- Appropriate risk responses, which align risks with the organization's risk appetite, are selected; and
- Relevant risk information can be captured and communicated promptly across the organization, enabling staff, management, and the board to carry out their responsibilities.
The internal audit activity must:
- Evaluate risk exposures relating to the organization’s governance, operations, and information systems;
- Evaluate the potential for fraud and management of fraud risks;
- During consulting engagements, address risk according to engagement objectives, but be alert to the existence of other significant risks;
- Apply knowledge regarding risks from consulting engagements to assessing the organization’s risk management processes; and
- Refrain from assuming management’s responsibility for managing risk. Although during consulting engagements, internal auditing may comment on and recommend improvements to risk management processes, the responsibility to manage organizational risk belongs to management alone.
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. As with the responsibility for evaluating risk exposure, internal auditing must also apply knowledge concerning the adequacy of controls from consulting engagements to the evaluation of the effectiveness of the organization’s control processes.
Effective Quality Assurance and Improvement Program
Organizations are continually changing. Operations undergo refinement, and internal processes change and evolve. As an organization changes, auditing services should keep updated. How can the internal auditor meet ever-changing management requirements for auditing services and still assure that the audit activity results are of the highest quality? The internal audit function is required to have a quality assurance and improvement program (QAIP) in place to make sure that the quality of internal audit activities is consistent.
Even an internal audit department that is fully outsourced is required to have a QAIP, regardless of whether the outsource provider has completed one for its overall activities. For example, PricewaterhouseCoopers completes a QAIP for its own activities annually, but each of its clients still needs one as well.
The internal auditing standards require that the chief audit executive develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The quality assurance and improvement program is designed to enable an evaluation of the internal audit activity's conformance with the Definition of Internal Auditing and the Standards, and an evaluation of whether internal auditors apply the Code of Ethics. The program also evaluates the efficiency and effectiveness of the internal audit activity and points out opportunities for improvement.
Quality assurance and improvement plans are divided into two main parts, internal and external.
Internal quality assurance and improvement plan:
Ongoing internal assessments are practices put into place by the CAE to do a routine assessment of the practices and policies of performing individual audits. The type and amount of these assessments will vary depending on the nature of the organization. Specific processes and tools should be developed for each organization. Conclusions should be developed on an ongoing basis, and proper actions must be taken to improve the quality of the ongoing audit activities.
Periodic reviews are another important part of the internal evaluation process. This is a scheduled self-assessment approach used to determine whether the right activities are being performed and whether changes should be made to the internal audit practices and procedures to enhance the quality of the programs. Many organizations also use this periodic self-assessment process to evaluate their conformance to standards, and numerous organizations use this kind of review to perform their evaluation before an external quality assessment is performed.
Such assessments should include:
- Routine and continuous supervision and testing of the performance of audit and consulting work.
- Ongoing measurements and analyses of performance metrics (for example, audit plan accomplishment, cycle time, recommendations accepted, and customer satisfaction).
- Periodic validations of compliance with applicable laws, regulations, and government or industry standards.
- Periodic validations of compliance with the Standards and Code of Ethics, including timely corrective actions to remedy any significant instances of noncompliance.
- Evaluation of the adequacy of the internal audit activity’s charter, goals, objectives, policies, and procedures.
- Assessment of contribution to the organization’s governance, risk management, and control processes.
- Evaluation of the effectiveness of continuous improvement activities and adoption of best practices.
- Determining whether the auditing activity adds value, improves operations, and helps the organization achieve its objectives.
It is the CAE’s responsibility to develop a structure for reporting results of periodic reviews that maintains proper credibility and objectivity. Typically, those individuals organizing ongoing and periodic reviews should report to the CAE while performing the reviews and communicate their findings directly to the CAE.
External quality assurance and improvement plan:
External evaluations can take the form of a complete external assessment or a self-assessment with independent external validation. In either case, a qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process.
Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and using comparable levels of technology is more valuable than less relevant experience.
In the case of an assessment team, not all members of the team need to have all the competencies; it is the team that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates adequate competence to be qualified.
An independent assessor or assessment team is one that has neither a real nor an apparent conflict of interest and is not a part of, or under the control of, the organization to which the internal audit activity belongs.
External quality assessment reviews can be conducted by:
- A team that is independent of the organization that is being reviewed.
- Self-assessment with independent validation by an independent reviewer.
- A peer review team made up of members from at least three different organizations.
External assessment consists of a broad scope of coverage that includes the following elements of the internal audit activity:
- Conformance with the definition of internal auditing; code of ethics; standards; and the internal audit activity’s charter, plans, policies, procedures, practices, and applicable legislative and regulatory requirements;
- Expectations of the internal audit activity expressed by the board, senior management, and operational managers;
- Integration of the internal audit activity into the organization’s governance process, including the relationships between and among the key groups involved in the process;
- Tools and techniques employed by the internal audit activity;
- A mix of knowledge, experience, and disciplines within the staff, including staff focus on process improvement; and
- Determining if the internal audit activity adds value and improves the organization’s operation.
The results of the quality assurance and improvement program, whether internal or external, need to be reported to relevant stakeholders. For internal assessments, the CAE must share the findings, the required action plans, and their successful execution with stakeholders such as senior management, the board, and external auditors.
For external assessments, the initial findings of the review must be discussed with the CAE during and at the end of the evaluation process. Results must be communicated in a formal report to the CAE or other official who authorized the review for the organization, ideally with copies sent directly to respective members of senior management and the board.
The formal report for external assessments should:
- Contain an opinion on the internal audit activity’s compliance with the definition of internal auditing, the code of ethics, and the standards based on a structured rating process,
- Assess and evaluate best practice usage, both observed during the assessment and others potentially applicable to the activity, and
- Provide appropriate recommendations for improvement.
The CAE must also communicate the specifics of planned remedial actions for important issues and subsequently report on the accomplishment of those planned actions.
Final Thoughts
Internal auditors deal with issues that are critical to any organization’s survival and prosperity. Unlike external auditors, they look beyond financial risks and statements to consider broader issues such as the organization’s reputation, growth, environmental impact, and employee treatment.
To summarize, internal auditors contribute to the success of organizations. This is accomplished through a combination of assurance and consulting. The assurance component of our work entails informing managers and governors about the effectiveness of the systems and processes designed to keep the organization on track. Then, as needed, we provide consulting services to help improve those systems and processes.