
Guide to Internal Audit

Second Edition

Frequently Asked Questions

About Developing and Maintaining

an Effective Internal Audit Function

in Australia


Index

Introduction

Overview of the Requirement for an Internal Audit Function

1 What is internal auditing?
2 How does CLERP 9 relate to the ASX Principles?
3 Does CLERP 9 have any specific requirements in relation to internal audit?
4 What do ASX Principles require?
5 How does a company demonstrate compliance with the ASX Principles?
6 Does the ASX provide listed companies with any instructions or guidance beyond the Principles?
7 Do the ASX Principles apply to private companies?
8 What other issues should management consider in ensuring compliance with Principle 7?
9 Do the ASX Principles require a company to hire new internal audit employees?
10 What is required if a company already has an internal audit function?
11 Are part-time internal auditors sufficient?
12 Is a written internal audit charter required?
13 What should be in a charter? Is there a model charter?
14 Do the ASX Principles require that the IIA Standards be followed?
15 Is there any minimum amount of expenditure or effort required under the ASX Principles?
16 What additional guidance is available for specific industry sectors?
17 What are specific requirements for the public sector?
18 Is there a preferred internal control / enterprise risk management framework to be utilised by the internal audit function?

The Internal Audit Profession

19 How is the internal audit profession regulated?
20 Is continuing professional education (CPE) required for internal auditors?
21 Are internal auditors required to be certified?
22 Are there professional standards that govern the practice of internal auditing?
23 Are internal audit functions required to follow the IIA Standards?
24 What are the IIA Practice Advisories?
25 Are Australian Auditing Standards relevant to internal auditors?
26 What jurisdiction does the ASX and ASIC have over internal auditors?
27 Can existing employees become internal auditors?
28 What personal qualities, knowledge and skills should internal auditors possess?
29 How much should a company spend on internal auditors?
30 Are there industry groups for internal auditors?
31 Isn’t internal auditing a duplication of what external auditors do?
32 How is independence achieved if internal auditors are appointed by management?
33 What role and responsibility do internal auditors have for fraud?
34 Are there university programs in internal auditing?
35 How do we start an internal function?
36 How should an internal audit function be staffed?
37 To whom should the head of internal audit report?
38 Can employees in the company participate in internal audits?
39 What are the pros and cons of outsourcing/co-sourcing internal audit?
40 Where do I get more information on internal auditing?

The Process of Internal Auditing

41 How is internal audit work actually performed?
42 Should an internal audit function consider information technology risks?
43 What types of IT audit skills should be included in an internal audit department?
44 Should Internal Audit report provide a rating?
45 What is control self-assessment (CSA)?
46 Is there a standard definition for internal controls?
47 Are internal auditors required to follow COSO?
48 Are there specific performance measures for internal auditing?

Management and Audit Committee Considerations

49 How can management utilise internal audit most effectively?
50 What is an audit committee’s role with respect to an internal audit function?
51 Should executive sessions (without management present) be held with the internal auditors as part of an audit committee meeting?
52 What should internal audit report to the audit committee?
53 How should the audit committee evaluate the effectiveness of the internal audit function?
54 Should internal audit functions receive a quality assurance review (QAR) periodically?

External Auditor Considerations

55 Can we use our external auditors to perform internal audit work?
56 Can external auditors rely on the work of internal auditors in connection with their financial statement audit?
57 Do all internal audit reports need to be reviewed by the external auditor?

About Protiviti Pty. Ltd.
About The Institute of Internal Auditors
Internal Audit-Related Organisations and Links
Glossary of Commonly Used Acronyms and Terms
Appendix A
Appendix B

Introduction

Internal audit is a key pillar of good governance. It is concerned with the adequacy of risk management and internal control systems, efficiency and effectiveness of operations, asset safeguarding and regulatory compliance. It provides an organisation’s audit committee and executive management with an independent view on whether the organisation has an appropriate risk and internal control environment while also acting as a catalyst for a strong risk and compliance culture within an organisation.

Overview of the Requirement for an Internal Audit Function

1. What is internal auditing?

The IIA provides the following internationally recognised definition:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

This definition is part of the IIA’s International Professional Practices Framework (IPPF). Conformance with the IIA Standards necessarily includes adherence to this definition.

There are limited regulatory requirements on how an organisation should define its internal audit activity. However, given the authoritative and widespread nature of the IIA’s definition, it would be logical to assume that regulatory bodies would adopt this definition.

2. How does CLERP 9 relate to the ASX Principles?

One of the outcomes of the Australian Federal Government’s Corporate Law Economic Reform Program (CLERP) was the establishment of the ASX Corporate Governance Council. This Council was established on 1 August 2002 and subsequently produced both the ‘Principles of Good Corporate Governance and Best Practice Recommendations’ (March 2003) and the ‘Corporate Governance Principles and Recommendations’ (August 2007).

3. Does CLERP 9 have any specific requirements in relation to internal audit?

There are no specific provisions relating to internal audit. However, there is an implied impact on internal audit, as discussed below. The ASX Corporate Governance Council, a body that represents CLERP, has issued a revised Principle 7 in its ‘Good Corporate Principles and Recommendations’ (August 2007).

The revised Principle 7 requires the board to disclose if it has received assurance from management that the material business risks are effectively managed. The revised Principle 7 also requires the board to disclose if it has received assurance from the CEO and the CFO (or equivalents) that the declaration provided in accordance with section 295A of the Corporations Act is based on a sound system of risk management and internal control and that the system is operating effectively in all material respects in relation to financial reporting risks.

In order for the CEO and CFO to attest to the integrity of the financial statements and provide such assurance on the effective management of material business risks, by implication there would generally be an evaluation of the company’s risk management and internal control and compliance framework. Many companies now use internal audit functions to assist with this attestation process.

4. What do the ASX Principles require?

ASX Principle 7, Recognise and Manage Risk, states that listed companies should establish a sound system of risk oversight, risk management and internal control. Further guidance contained within the Principle states:

Companies should require management to design and implement a risk management and internal control system to manage the company’s material business risks and report to the Board on whether those risks are being managed effectively. An internal audit function will generally carry out the analysis and independent appraisal of the adequacy and effectiveness of the company’s risk management and internal control system. A company should therefore consider having an internal audit function.

An alternative mechanism may be used to achieve the same outcome depending on the company’s size and complexity and the types of risk involved. …. The audit committee should recommend to the board the appointment, and if necessary the dismissal of the head of internal audit. …. The internal audit function should be independent of the external auditor. The internal audit function and the audit committee should have direct access to each other and should have all necessary access to management and the right to seek information and explanations. …. The audit committee should oversee the scope of the internal audit and should have access to the head of internal audit without management present.

ASX Principle 4, Safeguard Integrity in Financial Reporting, also states that listed companies should have a structure to independently verify and safeguard the integrity of their financial reporting. The Principle recommends that the board should establish an audit committee. Added commentary states:

In accordance with ASX Listing Rule 12.7, an entity included in the S&P All Ordinaries Index at the beginning of its financial year is required to have an audit committee during that year. All entities in the top 300 of the Index must comply with all recommendations under Principle 4, Safeguard Integrity in Financial Reporting, by way of the composition, operation and responsibilities of the audit committee.

Principle 4 provides further recommendations and guidance on the structure of the audit committee and the formal charter that the audit committee should have.

The ASX Principles and Recommendations are not mandatory and are intended only to provide a reference point. Under ASX Listing Rule 4.10, companies are required to provide a statement in their annual report disclosing the extent to which they have followed the good practice recommendations in the reporting period. Where companies have not followed all the recommendations, they must identify the recommendations that have not been followed and give reasons for not following them.

5. How does a company demonstrate compliance with the ASX Principles?

The recommendations contained in the ASX Principles are not mandatory; however, any departures are required to be explained and justified (full disclosure) in a company’s annual report.

Recommendation 7.4 states that companies should provide the information indicated in the Guide to Reporting on Principle 7, which requires any departures from Principle 7 to be included in the corporate governance section of the annual report.

ASX Listing Rule 4.10.3 requires listed companies to disclose any departures from the Principles and Recommendations during the reporting period and requires an explanation for those departures.


6. Does the ASX provide listed companies with any instructions or guidance beyond the Principles?

The ASX issued its own Frequently Asked Questions document, which addresses interpretative issues, general issues and usability queries relating to the Principles. The ASX Corporate Governance Council has also provided a supplementary guidance document specifically in relation to the interpretation of Principle 7.

7. Do the ASX Principles apply to private companies?

No, the Principles and Recommendations currently apply only to ASX-listed companies. However, private companies may find that developing an effective internal audit function will assist them in maintaining, validating and improving internal controls; identifying opportunities to reduce costs and improve processes; and enhancing their corporate governance.

Many large Australian private companies have recognised the benefits an effective internal audit function can bring to their operations and compliance efforts, and have created such functions with positive and measurable results.

8. What other issues should management consider in ensuring compliance with Principle 7?

Based on the 2nd edition of the Corporate Governance Principles and Recommendations and the guidance of the Group of 100 publication ‘Guide to Compliance with ASX Principle 7: Recognise and Manage Risk’, management should ensure that the following issues are considered:

• Each company should establish risk management policies outlining all elements of the risk management and internal control system and any internal audit function. A summary of these policies should be disclosed

• Roles, responsibilities and accountability of the board, management, audit committees and/or other committees should be clearly defined in the risk management policy

• The Board should require management to implement the risk management and internal control system to manage material business risks and require management to report on the effectiveness of risk management and internal controls to address material business risks

• Management should design and implement a sound risk management and internal control model to identify, assess, monitor and manage financial and nonfinancial risk. Management should review the appropriateness of the risk management system

• The board assumes the ultimate responsibility for risk oversight / management and should meet its responsibility for assessing the effectiveness of the company’s system by reviewing the effectiveness of the system periodically (at least annually)

• A reasonable level of assurance should be obtained from testing. The testing processes adopted are a matter of professional judgement and will vary from company to company. Analysis and assessment of the effectiveness of the risk management and control system are generally performed by internal audit; a company may use an alternative approach based on its size, complexity and the nature of the risks involved

• All subsidiaries must be included, and all material associates and joint ventures should be included, within the scope of Principle 7 compliance activities. Where material associates and joint ventures are not included within the scope, this should be disclosed in the compliance statement in the annual report

The internal audit function of an organisation will provide valuable advice in relation to the above issues, including determining what is considered a reasonable level of testing and conducting the testing.


9. Do the ASX Principles require a company to hire new internal audit employees?

No, the ASX Principles do not require new internal audit employees to be hired. To the extent that the company already employs qualified professionals who can serve effectively in the capacity of internal auditors, those individuals could be transferred to the internal audit function. Existing functions should be examined for risk-based audit planning, technical competency, and independence in areas such as reporting lines and scope coverage.

The Institute of Internal Auditors (IIA) Policy Agenda issued in February 2010 suggests that all Internal Auditors must be at a minimum IIA certified.

Outsourcing and co-sourcing are attractive options for many companies that find they need to quickly establish an internal audit function or have had difficulty maintaining a high quality function.

Companies that find they do not have the appropriate level of resources and talent internally and that do not want to spend time on a long search process may find outsourcing allows for accelerated start-up. There is also potential for greater independence and objectivity, access to substantially greater skills than a full in-house function, and more flexibility to increase or decrease internal audit activities to meet changing risks and conditions.

Additionally, outsourcing allows a company to curtail or halt internal audit work at certain times of the year when there may be conflicting priorities such as plant closings, mandatory vacations, year-end reporting, annual planning and budgeting, etc.

Many companies find that some form of “rotation” in and out of an internal audit function can be beneficial to both the employee and the organisation. Under this approach, a company utilises full-time professionals with important knowledge and understanding of the company’s business and operations. These individuals gain valuable experience in seeing, understanding, evaluating and helping to improve many areas within the organisation. Also, once their rotation is completed, these employees are better prepared to identify, understand and deal with internal control and risk management-related issues. This type of program, in a sense, “fertilises” the organisation with professionals who gain practical knowledge and background regarding internal controls and business risks.

The IIA provides useful guidance in connection with resources through their position paper entitled IIA Position Paper on Resourcing Alternatives for the Internal Audit Function, which is available on www.theiia.org.

10. What is required if a company already has an internal audit function?

Whilst there are no mandatory requirements for internal audit contained in the ASX Principles, if a company has an existing internal audit function, it should determine the adequacy of the existing internal audit function. We recommend that companies with existing internal audit functions review their appropriateness and adequacy by asking themselves the following questions:

• Do we have an adequately resourced internal audit function?

• Do we have appropriate reporting lines for the head of Internal Audit?

• How does our function compare to other companies in our industry?

• Does our internal audit function meet The IIA Standards?

• Has our internal audit function undergone a quality assurance or peer review recently?

• Do the board, management, audit committee and key process owners believe internal audit is a value-added activity to the organisation? If not, how should the function change to be more effective?

The Institute of Internal Auditors’ Policy Agenda (Feb 2010) suggests internal audit be required in all sectors where there is a separation of ownership/stewardship from management.


11. Are part-time internal auditors sufficient?

As long as individuals can maintain objectivity, part-time internal auditors could meet the recommendations of the ASX Principles. At smaller organisations, the extent of key business risks and therefore the amount of appropriate time and effort required to address such risks may not justify full-time resources. Independence and objectivity of resources should be strongly considered.

Similarly, the capability of individuals should be considered. There are a number of qualifications available for internal audit, such as the Certified Internal Auditor (CIA). It is recommended that internal auditors are, at a minimum, IIA members, and they should be encouraged to obtain further certifications.

However, care should be taken to ensure part-time internal auditors do not audit areas that they themselves supervise, or in which they initiate, complete, approve, record or reconcile transactions.

Also, if part-time internal audit employees with other organisational duties are required to audit areas for which their own supervisors have responsibility, it could impair their objectivity either in fact or appearance and bring into question the value or veracity of their audit findings.

In most cases, part-time resources would not fulfil the spirit of internal audit requirements, and would not be in management’s, the audit committee’s or the shareholders’ best interests.

12. Is a written internal audit charter required?

Attribute Standard 1000 of the Standards requires the following:

The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

(For additional information refer to www.theiia.org/guidance/standards-and-guidance/ippf/standards/standards-items.)

There are no specific requirements to disclose the internal audit charter (or whether such a charter exists) in the ASX CGC Principles or Listing Rules. However, the commentary to Recommendation 7.2 in the ASX CGC Principles provides that an internal audit activity will generally carry out the analysis and independent appraisal of the adequacy and effectiveness of the company’s risk management and internal control system.

Irrespective of whether there is a regulatory requirement, a charter greatly assists in driving the internal audit activity and therefore in most cases is a useful investment of time and effort.

13. What should be in a charter? Is there a model charter?

The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organisation; authorises access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

Attribute Standards 1000.A1 and 1000.C1 also provide that the nature of the assurance and consulting services must be defined in the internal audit charter.

For a sample internal audit charter refer to www.theiia.org/guidance/standards-and-guidance/audit-committees-board-of-directors/internal-audit-department-charter.

14. Do the ASX Principles require that the IIA Standards be followed?

The ASX CGC Principles do not explicitly require companies to adhere to the IIA’s Standards. However, the commentary to Principle 7 notes that ‘guidance on the internal audit function is found in the Technical Information and Guidance section’ of The IIA’s website.

Internal auditing is conducted in diverse legal and cultural environments; within organisations that vary in purpose, size, complexity, and structure; and by persons within or outside the organisation.

While differences may affect the practice of internal auditing in each environment, conformance with the IIA’s Standards is essential in meeting responsibilities of internal auditors and the internal audit activity.

The Standards also establish the basis for the evaluation of internal audit performance, and facilitate optimal coordination with the external auditor by ensuring consistency and thus maximum reliance placed on the results of internal audit procedures.

In addition, the IIA’s By-Law 104 states that:

All members are bound by the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics, as published. This binding is given authority by the Articles for Agreement for National Institutes, the Constitution, and by applicants for membership signing the membership application form.

15. Is there any minimum amount of expenditure or effort required under the ASX Principles?

No, there is no minimum specified. However, it is wise and prudent for boards, management and their audit committees to consider the following factors when allocating resources for an internal audit department.

Evaluate the results of the entity-level risk assessment

• What key risks have been identified and how should internal audit be involved in those areas?

• What level of effort does the risk assessment seem to indicate?

Understand internal audit investment made by comparable companies

• What is the level of expenditure and effort of similarly sized companies in your industry?

• Are there some obvious differences that would support spending less or more? (For example, obvious or significant differences in business model, organisation, degree of centralisation or decentralisation, regulation, scope of services, etc.)

The board and management’s preferences

• What role and scope has management and the audit committee established for its internal audit function?

Past, present and future

• Have there been, are there or will there be events, issues, risks or major changes that would warrant more or less investment in internal audit?


Other complementary functions

• Are there other functions within the company that serve to evaluate key areas and risks objectively, such as:

  • Quality control and loss prevention?

  • Regulatory and legal compliance?

  • Risk management and insurance?

  • Operational and financial control units?

• If so, are these risk mitigation and control efforts already performed to a degree that a professional internal audit function might otherwise perform? Is there inherent conflict of interest in performance feedback for existing functions?

16. What additional guidance is available for specific industry sectors?

In Australia there are various industry-specific regulators that have made pronouncements relating to internal audit. The majority of such guidance pronouncements have been made in the financial services sector by the Australian Prudential Regulation Authority (APRA). Examples of these pronouncements are provided in Appendix A. It is recommended to check the latest requirements as these are subject to frequent change.

17. What are specific requirements for the public sector?

The internal audit requirements in the public sector in Australia are generally more comprehensive and prescriptive than those of the private sector. Key governance requirements are contained in legislation at the Federal, State/Territory and Local Government levels. These requirements are detailed in Appendix B. It is recommended to check the latest requirements as these are subject to frequent change.

18. Is there a preferred internal control / enterprise risk management framework to be utilised by the internal audit function?

While responsibility for the risk management framework within an organisation is that of management, the internal audit activity performs an important role in the internal control and risk management framework of an organisation. The definition of internal auditing and Performance Standard 2120 in the IPPF require the internal audit activity to evaluate the effectiveness and contribute to the improvement of risk management processes.

Released in November 2009, ISO 31000 is the world’s first international standard on risk management.

Intended for use by the widest range of organisations and practitioners, it is expected that over time the ISO 31000 standard will have other subordinate standards and will become universally accepted as the authoritative standard on risk management replacing existing diverse national or industry specific standards. The standard is supported by ISO Guide 73 which provides definitions of risk management terms, and ISO/IEC 31010 which provides guidance on the selection and application of techniques for risk assessment.

The two internal control frameworks available are the COSO Integrated Framework and the CoCo Control Framework.

Further guidance on internal controls and risk management is available from the following resources:

• IIA (2007): Guidance on implementing Principle 7: ‘Recognise and Manage Risk’ of the 2007 Edition of the ASX Corporate Governance Principles and Recommendations

• Standards Australia (2006): HB158-2006 Delivering assurance based on AS/NZS 4360:2004 Risk Management (soon to be replaced with equivalent handbook based on ISO 31000)

• Group of 100 (2008): Recognise and manage risk – A Guide to compliance with ASX Principle 7


The Internal Audit Profession

19. How is the internal audit profession regulated?

The internal audit profession presently is not regulated by the Australian Federal Government. The IIA is the self-governing professional body that includes the Internal Auditing Standards Board (IASB), which is charged with evaluating and developing practice standards that are issued in draft form and subject to a public comment period, much like other professional standards and accounting pronouncements.

The IIA promulgates internal audit standards and practice advisories. Effective January 2004, the IASB is responsible for revising and updating the International Standards for the Professional Practice of Internal Auditing (Standards). The Standards are updated to reflect current risk management and governance requirements. Ongoing updates incorporate numerous comments on issues received through a worldwide solicitation and public exposure process, upon which the IASB approves the Standards for implementation.

It is worth noting that in some jurisdictions around the world, there is a move toward the regulation of Internal Audit. For example, the Governments of both Canada and South Africa have introduced regulation relating to the Internal Audit profession in the government sector.

The IIA Standards include a code of ethics that members must follow or face disciplinary action, including expulsion.

[Diagram: Self-regulated; Role of the IIA HQ (IPPF, Standards); Role of IIA-Aus By-Laws]

20. Is continuing professional education (CPE) required for internal auditors?

All members are required to undertake Continuing Professional Education (CPE) to a minimum of 60 hours every two years, with a minimum of 15 hours in any one year.

This requirement differs for certified members (80 hours every two years) and for retired members.

The types of activities which qualify include: attendance at technical sessions, seminars and conferences; college or university courses; formal correspondence programs; reading books, articles and research papers. Full details of the CPE requirement can be found in section 209 of the IIA’s Constitution.

Attribute Standard 1230 of the Standards also states that ‘internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development’.


21. Are internal auditors required to be certified?

No. However, the IIA Standards require technical competence and training that can be demonstrated by various certifications, depending upon expertise and professional experience. The IIA also sponsors several additional certifications beyond the CIA, such as:

• CFSA® – Certified Financial Services Auditor

• CCSA® – Certification in Control Self-Assessment

• CGAP® – Certified Government Auditing Professional

Additional internal audit-related certifications supported by other independent professional organisations include:

• CISA – Certified Information Systems Auditor

• CFE – Certified Fraud Examiner

Effective internal audit functions require most existing professionals and new hires to obtain and then maintain at least one certification including, but not limited to, the CIA®, CPA, CA, CISA and CFE. All certifications require annual CPE training. Skill sets, experience and industry familiarity are crucial in order to exhibit competence, identify and address risks appropriately, and perform in a manner that provides value to the organisation.

Strong internal auditors bring various skills together ranging from specialised industry and technical knowledge to seasoned business acumen that includes advanced degrees in business administration, finance and even law. It is not uncommon for internal auditors to possess professional designations from other disciplines beyond accounting. After all, internal audit functions examine all aspects of a business entity, especially in today’s complex business climate.

Therefore, while not required or mandated specifically, it is considered best practice for internal auditors to possess and maintain professional certifications applicable to their focus and responsibilities.

22. Are there professional standards that govern the practice of internal auditing?

Internal auditors follow professional standards that advise them how best to perform their work.

The IPPF is a set of authoritative guidance produced by IIA Global that applies to 160,000 internal auditors worldwide. The IPPF includes both mandatory and strongly recommended guidance. The mandatory guidance consists of the Definition of Internal Auditing, the International Standards and the Code of Ethics.

23. Are internal audit functions required to follow the IIA Standards?

All IIA members and Certified Internal Auditors (CIAs) agree to abide by the Code of Ethics, which requires internal auditors to perform internal auditing services in accordance with the Standards.

Therefore, the Standards are mandatory for all internal auditors who are CIAs or members of the IIA.

This mandatory requirement also applies to entities that provide internal auditing services.

Many internal auditing activities are required by their charters to provide services in accordance with the Standards, and compliance with the Standards is also written into legislation or regulation in some jurisdictions.

All internal auditors, whether or not they are members of the IIA, are highly encouraged to adopt the Standards and the Code of Ethics.

Practice professionals usually look to the Practice Advisories for the IIA’s recommendations on matters related to situations that are not covered directly in the Standards. Concepts of due professional care permeate all practice activity and apparent violations are investigated by the IIA.


24. What are the IIA Practice Advisories?

Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the Standards and in promoting good practices. Practice Advisories address internal auditing’s approach, methodologies, and consideration, but not detailed processes or procedures.

They include practices relating to international, country, or industry-specific issues; specific types of engagements; and legal or regulatory issues.

25. Are Australian Auditing Standards relevant to internal auditors?

The primary purpose of Standards issued by the AUASB is to provide guidance to auditors who are professional accountants in public practice. They are not designed to meet either the needs of the internal audit profession or an organisation’s internal audit function.

Accordingly, while AUASB Standards may provide guidance on generic audit matters, they should not be used as the basis for operating an internal audit function and conducting internal audit activity.

The IPPF promulgated by the IIA provides such a basis and is specifically designed to meet the needs of the internal audit profession.

26. What jurisdiction do the ASX and ASIC have over internal auditors?

The ASX and ASIC have no direct jurisdiction over internal auditors. The internal audit profession, like the legal profession, continues to be self-regulated.

27. Can existing employees become internal auditors?

Yes, provided protocols are put in place to ensure independence and objectivity are not compromised.

These aspects are covered in the Standards.

Transferring employees would be expected to comply with all IPPF requirements, including the Definition of Internal Auditing, the Code of Ethics, and the Standards.

28. What personal qualities, knowledge and skills should internal auditors possess?

Internal auditors should possess and demonstrate through their work, actions and communication a number of traits, including but not limited to:

• A commitment to and demonstration of competence in the field of internal auditing

• Strong financial and operational background in accounting, IT, regulatory compliance or the industry in which a company operates

• Honesty and integrity

• Strong work ethic and attention to detail

In general, internal auditors should develop and maintain a healthy level of professional skepticism, objectivity and independence to assist in evaluating information and making judgments. Additionally, internal audit professionals should possess exceptional verbal and written communication skills, and be proficient in negotiating and reasoning with a variety of departments and groups over which internal audit may have no formal authority. Finally, personal integrity, professional due diligence and curiosity are important traits for individuals tasked with conducting internal audit work.


29. How much should a company spend on an internal audit function?

The amount invested should depend on the level and complexity of risks a company faces and the responsibilities given to the internal audit function. IIA Global has identified a general range of between 0.02 percent and 0.14 percent of revenues for an internal audit budget. The percentage is higher for companies with less than $1 billion in annual revenues. This covers a very broad range of companies in many different industries and of varying sizes. However, the costs should be driven by risk and complexity of the overall business environment, including potential exposures to business failure.

General guidance provided from The IIA Global Audit Information Network (GAIN) Report is illustrated below:

There are well-established practices and benchmarks tracked by The IIA that provide average internal audit costs based upon revenue, although these often vary by industry (e.g., banking versus manufacturing or high-tech).

Although these are estimations, they provide a general guideline for expenditures and number of auditors. Keep in mind that this represents average internal audit costs of in-house resources – depending on the strategy, risks and scope of the internal audit work, it is not uncommon for costs to fluctuate based upon significant events or changes that expose an organisation to additional risks. Again, costs, focus and size of an internal audit function should be tailored to each company’s individual needs.

Average Audit Costs by Company Revenue Size ($USD)

Revenue Range    Average Audit   Average Revenue   Average Internal Audit   Average Internal Audit
                 Staff Count     (Millions)        Cost (Thousands)         as % of Revenue
under $500M      8.89            274               948                      0.41%
$500M - $1B      6.96            736               929                      0.13%
$1B - $5B        14.35           2,446             2,123                    0.09%
$5B - $15B       39.29           8,550             5,310                    0.06%
$15B - $25B      41.67           18,507            6,960                    0.04%
over $25B        107.34          69,099            19,519                   0.03%

Source: IIA GLOBAL AUDITING INFORMATION NETWORK (GAIN) 2006 survey. Includes the results of 662 companies. For more information, visit www.gain2.org.

30. Are there industry groups for internal auditors?

The IIA is the professional body for all internal auditors. There are also a number of self-organised interest groups in areas including:

• Financial services

• Universities

• Local government

• State government

• Credit unions and mutuals

Their size and degree of formality vary widely.


31. Isn’t internal auditing a duplication of what external auditors do?

No, not at all. Internal auditors are often confused with external auditors, but there are significant differences between the two groups. Internal auditors look at all the risks facing an organisation and what is being done to manage these risks. External auditors on the other hand look at financial risks and accounts.

32. How is independence achieved if internal auditors are appointed by management?

Internal audit must be structurally independent and free from coercion by management to be effective in its role. Accordingly, appropriate reporting lines for the activity and the CAE must be in place to achieve independence.

Functional reporting to an appropriately constituted audit committee on key issues ensures that the CAE is able to report objectively, without fear or favour, and to know that action will be taken by the governing body if required.

In particular, the IIA recommends that where an effective and appropriately structured audit committee is in place:

• Hiring and firing of the CAE should be a decision reserved by the governing body on recommendation by the audit committee

• Remuneration of the CAE should be a decision reserved by the audit committee

• The scope and budget of internal audit should be a decision reserved by the audit committee on recommendation by the CAE

• All internal audit work should be required to be reported to the audit committee and the audit committee should periodically request confirmation that all required reports have been tabled

• The audit committee should meet privately during the year with the CAE. The audit committee should also meet at least annually with the CAE without management present

33. What role and responsibility do internal auditors have for fraud?

Performance standard 2120.A2 in the Standards requires the internal audit activity to evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk, while Performance Standard 2210.A2 requires the consideration of the probability of fraud when developing engagement objectives.

In addition, Attribute Standard 1210.A2 in the Standards provides the following:

Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

There is also a ‘Practice Guide Internal Auditing and Fraud’ published by IIA Global in December 2009 that outlines typical roles and responsibilities for fraud management and detection.

34. Are there university programs in internal auditing?

Internal auditors are in high demand, as companies are rapidly addressing financial and other business risks. Internal auditing concepts may be incorporated into general accounting, auditing and corporate governance subjects in Australian universities, although a career in internal auditing is possible through a broad range of educational backgrounds.

Deakin University commenced a Graduate Certificate of Internal Audit (GCIA) in 2010 which will be available off-campus and on a part-time basis.


The GCIA is a professionally oriented course, aligned with the IIA’s professional development program. The overall aim of the course is to prepare graduates with a solid understanding of internal audit and risks. It will enable graduates to successfully enter the profession and undertake the CIA examinations.

At present, the GCIA is the only award program in Australia specifically provided for graduates who wish to undertake the CIA professional qualification and to develop a career in the highly regarded global profession of internal audit.

35. How do we start an internal audit function?

A suggested set of guidelines for starting an internal audit function includes:

• Clarify expectations with senior management, the board and audit committee, including required ASX listing rules and best practice Principles. Non-ASX listed organisations should consider voluntary compliance

• Develop an audit charter, with audit committee input and approval

• Consider the appropriate budget and staffing model (e.g., in-house, co-sourced or outsourced). As part of this process, research actions taken by similar companies in your industry

• Formulate reporting responsibilities of the internal audit function

• Identify the “universe” of auditable entities within the organisation

• Complete an initial risk assessment with company management and audit committee involvement. Consider using recognised approaches and frameworks for this effort, such as the COSO Internal Control and COSO Enterprise Risk Management frameworks

• Develop an internal audit plan, responsive to the risk assessment

• Plan and execute audit work called for in the audit plan, including a system to monitor and follow up on audit recommendations

• Update the risk assessment for changing circumstances during the year

• Continuously enhance and modify the internal audit function to meet changing needs of management and the audit committee

Refer to www.theiia.org/guidance/additional-resources/establishing-an-audit-shop for a listing of 16 steps, developed by The IIA, for creating an internal audit function.

36. How should an internal audit function be staffed?

Internal audit functions must be resourced adequately to ensure an effective evaluation of internal controls, associated risks and execution of the internal audit plan to provide assurance desired by the company directors. The annual audit plan is based upon a risk assessment at both the entity and process levels, and should be approved by the audit committee and board.

Companies should look to their individual risk profiles to drive staffing decisions. A business facing a significant number of risks or particularly complex risks will require a range of specialists and expertise. Most internal audit departments are headed by a chief audit executive and include layers of staff such as managers, senior auditors and auditors. Yet many companies also rely on other in-house professionals or tap into the specialised skill sets of outside providers.

37. To whom should the head of internal audit report?

The IIA Policy Agenda lists five policies developed by the IIA that are applicable to all organisations, irrespective of industry sector. The third principle states that ‘Reporting lines for the head of internal audit should be appropriate’. Furthermore:


• Principle 3.4 states that ‘All internal audit work should be required to be reported to the audit committee and the audit committee should periodically request confirmation that all required reports have been tabled’.

• Principle 3.5 states that ‘The audit committee chair should meet privately during the year with the head of internal audit. The audit committee should also meet at least annually with the head of internal audit without management present’.

Unlike the company’s external audit firm, which is effectively hired by and reports to shareholders, internal audit has a broader role to play through serving as a resource for both the audit committee and company management. Though this dual reporting is a somewhat sensitive arrangement and can be tricky in practice, it nevertheless provides important benefits to the company as a whole, including helping to achieve its overall corporate governance objectives as well as management’s objectives for reliable financial reporting, compliance with applicable laws and regulations, and efficiency and effectiveness of operations (the COSO objectives of internal control).

38. Can employees in the company participate in internal audits?

Yes, as long as the employee is able to maintain objectivity. Many companies choose to source management-training programs, employees with specific experience or guest internal auditor programs as part of resource planning. Some organisations have established two- to four-year rotation programs to assist management in better understanding the internal control environment and other operational areas, and to provide individuals with management-training experience and career progression.

We believe this type of flexibility and training enhances organisational understanding of risk management and internal control systems, and motivates program candidates to strive for excellence. However, internal audit management should be aware, in every instance, of the conflicts of interest that arise naturally from such relationships when considering these candidates for potential positions in operations. For example, individuals who join the internal audit department from an existing corporate function may have a conflict of interest that precludes them from auditing their former colleagues. Another example is the natural tendency of a rotating internal auditor to hold a favourable bias when evaluating a business unit or function in which he or she may be seeking a full-time position.

39. What are the pros and cons of outsourcing/co-sourcing internal audit?

Throughout the 1980s, most company internal audit functions were staffed primarily in-house with full-time, dedicated employees. This structure worked adequately and can still be effective today, but only if full-time internal auditors possess all of the skills needed to address key business risks faced by the organisation. If this is not the case, then the internal audit function places its employer company at risk by not being able to address adequately the key risks that it has been asked to audit.

During the 1980s, the concept of “core competency” gained more attention. Companies evaluated many of their business functions and the potential for outsourcing them. Payroll, benefits, real estate, printing, information systems operation and maintenance, and even aspects of design or manufacturing, among other functions, were considered. Many companies found clear and tangible benefits, positive return on investment (ROI), and improved service levels as a result of outsourcing.

In some cases, capital expenditures were reduced and the cost of these functions became more variable rather than fixed. Internal audit functions were a part of this analysis, and several new internal audit outsourcing and co-sourcing organisations, including the large accounting firms, created new structures to provide such services.

Today, all businesses, government and not-for-profit organisations face a myriad of risks due to the dynamic operating climates in which they operate: new and fast-changing regulations; significant technology-related risks such as security, business continuity, and application and data integrity; and heightened instances of, or opportunities for, fraud and abuse. Internal audit professionals must be able to address, react to and effectively audit and report on this more complex and faster-changing risk universe.

Given this dynamic risk environment, it is unlikely that a majority of internal audit functions have the in-house capability to adequately address every risk they and their organisations must face. Thus contracting, partnering or working with outside organisations that can provide specialised resources improves an internal audit function’s ability to address risks and meet customer expectations.

Additionally, many times these co-sourcing arrangements assist in the knowledge transfer process to in-house resources, raising the level of competency of the function’s full-time employees.

Likewise, many listed companies working with the new ASX Principles – and for that matter, companies on other exchanges, large and diverse private companies, and even governmental entities and not-for-profit organisations – may find that full or partial outsourcing of their internal audit functions makes sense, is cost-effective and provides significant short- and long-term benefits.

Benefits of outsourcing include:

• Quick start-up of the function and execution of work, including already-developed methodologies and audit tools provided by the outsourcing organisation

• A variable cost arrangement rather than a fixed cost function

• Access to a greater number and range of resources than the organisation would have on its own

• Potentially greater objectivity and independence

Ultimately, it’s not a matter of what the pros and cons are of outsourcing, but a matter of asking:

• If we currently do not have an internal audit function, are we better off taking the time and effort to start our own in-house internal audit function? Or should we initially outsource it to gain quick start-up and access to a greater level of expertise and broader level of resources, and then monitor this decision and delivery model to ensure it is effective?

• If we already have an internal audit function, do we have the resources we need to effectively address all of the key risks we face and in which internal audit should be involved? Do we need to have all of these resources in-house all of the time? Might we be better off considering an arrangement to have one or more outside organisations assist us with addressing our risks?

There are many excellent internal audit functions consisting of primarily in-house, fully dedicated employee resources. What makes these functions most valuable, effective and appropriate, however, is a recognition of their own limitations. Many large internal audit functions (greater than 25 full-time employees) recognise they do not have, nor do they need, all of the right resources all of the time, because to do so can be cost-prohibitive in today’s complex business environment. They also understand that various forms of co-sourcing arrangements have benefited them greatly, along with the companies, management and audit committees they serve.

40. Where do I get more information on internal auditing?

The primary information resource on internal auditing is The IIA. Other sources include consulting companies, various online information portals and universities with related programs.

There are additional resources of internal audit information on the web, including www.knowledgeleader.com, an online subscription-based repository from Protiviti (with free trials) that provides practice guidance, topical work programs, and white papers on internal audit, business risk and technology risk.


The Process of Internal Auditing

41. How is internal audit work actually performed?

Once a company forms an internal audit function, completes the risk-assessment process and develops an internal audit plan that is responsive to the risk assessment, it can initiate individual internal audit assignments.

A framework for initiating and executing internal audit projects should include the following actions:

• Confirm the audit assignment (timing, purpose, scope, etc.) with the area or process to be audited (in some cases, it may be appropriate to not announce the audit, but to perform the work on a surprise or unannounced basis).

• Complete appropriate planning for the audit assignment. This can include the following:

  • Risk assess the specific area to be reviewed

  • Develop a written work program

  • Agree on scope, locations, sample sizes and period under review

  • Develop a report format that will be effective

  • Request and receive certain advance information from the area to be reviewed

  • Access operating information, performance measures, etc., on the area to be reviewed

  • Review any prior audits of this area by internal audit or other parties such as regulators, external auditors, consultants, etc.

  • Hold joint planning discussions with management and process owners of the area to be reviewed to obtain their areas of interest and concern

  • Consider if self-assessment activities would be helpful

  • Gather outside information on best practices

  • Identify the internal audit resources to be assigned to the audit and ensure they have an appropriate level of experience and competency

  • Determine if outside resources or guest auditors should be utilised, including information technology resources

  • Consider formal entrance and closing meetings

• Execute actual internal audit work including testing methods such as inquiry, observation, examination and re-performance. Discuss and clear items noted and potential findings with management and process owners.

• Develop a report or other appropriate communication method responsive to the work completed and findings made. Example report areas which might be considered include:

  • Executive summary of major issues and findings

  • Background, objectives and scope

  • Audit findings with supporting root cause analysis, management’s response and plan for addressing audit findings (ensure that management’s response/action plans address audit findings)

  • Other analysis and information, including appendices

The actual format of internal audit reports may vary between companies. What is most important is to create an approach that is effective at communicating key issues and achieving positive change and resolution of the issues reported. For example, some companies may find that using single-page reports is effective. Others may find that management should respond separately from the audit report itself. One size does not fit all.

In addition, many times the circulation of a draft report for discussion is an appropriate and effective approach to refine wording and ensure the accuracy of all information in the report.

• Develop an effective method for tracking and following up on audit findings and agreed-upon actions by management. This may include recording all findings in a database, scheduling follow-up audits or conference calls, or requesting status updates from the auditee. It may even include management of the area audited reporting to senior management and the audit committee. Internal audit should also determine the extent to which resolution of audit findings should be validated independently.

Again, there is no one-size-fits-all approach to the execution and completion of internal audit work.

Internal audit leadership, management and the audit committee should work together to create an approach that is most effective for their respective organisations. The IIA Standards and Practice Advisories can also provide guidance and a framework to follow.

42. Should an internal audit function consider information technology risks?

Absolutely. In fact, not considering the impact of information technology will result in an incomplete or less-than-effective internal audit function. An internal audit function should be driven by risk, and technology in today’s business has a direct relationship to risk. Technology both enables key controls in the business process or function, and brings along with it certain inherent risks that surround the use of technology. Technology enables controls such as segregation of duties and limiting the execution of transactions to only those intended by management (through application security and its appropriate administration). In addition, technology provides critical controls through the programmed logic in the applications, which validates transactions, performs appropriate calculations accurately and completely, and handles error and reasonableness checks.

The inherent risks around technology include the security of the company’s networks and data, which are subject to internal and external threats from hackers, disgruntled employees, corporate espionage and individuals who may want to disrupt the business or learn its secrets. Other inherent risks include the introduction of viruses or other damaging programs into the computer environment that may cause business interruption or corruption of programs or data, and not having the appropriate technology to meet the needs of the organisation.

Therefore, information technology is an integral part of any internal audit function’s focus and capability. Generally speaking, all internal audit functions should have a measurable part of their activities concentrated on information technology-related risks and issues. These activities should include stand-alone initiatives and initiatives that integrate technology risks and controls into the business-process audit work. There are certain instances where the entire business process may be automated and the business-process audit, therefore, would be related entirely to the technology involved. Coordinating these efforts with a company’s CIO is critical.

Given the breadth and rapid change of technology and its related risks, internal audit functions should consider what outside resources, if any, are needed to supplement their own skill bases in this area. In some cases, it may be prudent to avoid increasing full-time staff levels for certain forms of information technology risks and issues, and instead rely on outside resources for recurring assistance.


43. What types of IT audit skills should be included in an internal audit department?

While specific skills required for IT audit may differ by industry and an entity’s applications, there are a number of technology skills customarily needed for an IT audit department:

• Application risk and controls skills – Knowledge of how applications function is critical. Applications have programmed procedures and logic that provide for control and operation. Critical programmed controls include data validation and error-checking routines, reasonableness checks around certain key processing points, logical segregation of duties, and limitation on who can initiate and view transactions. Skills are needed around how these programmed controls interact with the manual procedures. In addition, there are specific industry application skills as well as ERP-specific skills needed to audit industry-specific and ERP applications.

• Technology component skills – These include knowledge of critical technology infrastructure such as networks, databases and platforms. A number of these skills relate to complex security requirements, and a high level of technical skill in these areas is needed to assess them.

• IT process skills – The IT processes within an IT organisation are important to the proper functioning of technologies, and a number of them require specific process knowledge in order to be audited. These include security administration in both the application and technical component areas, business-continuity and disaster-recovery planning, data-centre operations, application-change management, infrastructure-change management, asset and service management, and several others.

• Data Mining and Analysis skills – Data mining enables auditors to discover meaningful correlations and identify patterns and trends from large volumes of data. Analysis of data trends and patterns is playing a vital role in detection and deterrence of fraudulent activities.
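As an added illustration of the data-analysis skills described in this list, and of the segregation-of-duties control that Question 42 says technology enables, the following Python is example code written for this guide's reader; it is not part of the guide and does not come from The IIA or Protiviti. It runs three common audit analytics over a small accounts-payable extract: a segregation-of-duties test (the same user entered and approved a payment), a duplicate-payment test (same vendor, invoice and amount paid twice within a window) and a split-payment test (several sub-limit payments to one vendor by one user that together exceed the approval limit). The record fields, user names, invoice numbers, dates and the $5,000 approval limit are all constructed assumptions for the example.

```python
"""Constructed audit-analytics example (not from the guide): three common
data-analysis tests run over an invented accounts-payable extract."""
from collections import defaultdict
from datetime import date

# Constructed sample payments. Field names and values are assumptions for this example.
PAYMENTS = [
    {"id": "P1", "vendor": "Acme Pty Ltd", "invoice": "INV-100", "amount": 4800.00,
     "date": date(2010, 3, 1), "created_by": "jsmith", "approved_by": "mlee"},
    {"id": "P2", "vendor": "Acme Pty Ltd", "invoice": "INV-100", "amount": 4800.00,
     "date": date(2010, 3, 9), "created_by": "jsmith", "approved_by": "mlee"},
    {"id": "P3", "vendor": "Beta Supplies", "invoice": "INV-207", "amount": 12500.00,
     "date": date(2010, 3, 3), "created_by": "rkhan", "approved_by": "rkhan"},
    {"id": "P4", "vendor": "Gamma Services", "invoice": "INV-31", "amount": 4900.00,
     "date": date(2010, 3, 4), "created_by": "tnguyen", "approved_by": "mlee"},
    {"id": "P5", "vendor": "Gamma Services", "invoice": "INV-32", "amount": 4950.00,
     "date": date(2010, 3, 4), "created_by": "tnguyen", "approved_by": "mlee"},
    {"id": "P6", "vendor": "Gamma Services", "invoice": "INV-33", "amount": 4700.00,
     "date": date(2010, 3, 5), "created_by": "tnguyen", "approved_by": "mlee"},
    {"id": "P7", "vendor": "Delta Ltd", "invoice": "INV-9", "amount": 150.00,
     "date": date(2010, 3, 6), "created_by": "jsmith", "approved_by": "rkhan"},
]

APPROVAL_LIMIT = 5000.00  # assumed single-approver limit for this example


def sod_conflicts(payments):
    """Segregation of duties: the same user must not both enter and approve a payment."""
    return [p["id"] for p in payments if p["created_by"] == p["approved_by"]]


def duplicate_payments(payments, window_days=30):
    """Flag pairs with the same vendor, invoice number and amount paid within the window."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p["vendor"], p["invoice"], round(p["amount"], 2))].append(p)
    flagged = []
    for group in by_key.values():
        group.sort(key=lambda p: p["date"])
        for earlier, later in zip(group, group[1:]):
            if (later["date"] - earlier["date"]).days <= window_days:
                flagged.append((earlier["id"], later["id"]))
    return flagged


def split_payments(payments, limit=APPROVAL_LIMIT, window_days=2):
    """Flag same-vendor, same-creator payments that are each under the approval limit
    but whose total within a short window exceeds it (a common indicator that a
    larger payment was split to stay within a lower approval tier)."""
    by_key = defaultdict(list)
    for p in payments:
        if p["amount"] < limit:
            by_key[(p["vendor"], p["created_by"])].append(p)
    flagged = []
    for (vendor, creator), group in by_key.items():
        group.sort(key=lambda p: p["date"])
        for i, first in enumerate(group):
            cluster = [q for q in group[i:] if (q["date"] - first["date"]).days <= window_days]
            total = sum(q["amount"] for q in cluster)
            if len(cluster) > 1 and total > limit:
                flagged.append({"vendor": vendor, "created_by": creator,
                                "ids": [q["id"] for q in cluster], "total": round(total, 2)})
                break  # one finding per vendor/creator pair is enough for follow-up
    return flagged


def run_analytics(payments=PAYMENTS):
    """Return all findings keyed by test name, ready for the working papers or a findings database."""
    return {
        "sod_conflicts": sod_conflicts(payments),
        "duplicate_payments": duplicate_payments(payments),
        "split_payments": split_payments(payments),
    }


if __name__ == "__main__":
    for test, findings in run_analytics().items():
        print(f"{test}: {findings}")
```

On the constructed data the tests flag P3 (entered and approved by the same user), the P1/P2 pair (the same Acme invoice paid twice eight days apart) and the three Gamma Services payments that together exceed the limit; note that the P1/P2 pair is deliberately not reported as a split, because the window and same-invoice logic keep the two tests from double-counting. Each finding is an exception to follow up with the process owner, not a conclusion of fraud, which is why the functions return record identifiers rather than verdicts.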

To a degree, all internal auditors should have a base-level capability related to information technology risks and controls. In many cases, deeper specialists are needed in specific applications, ERP systems and specific component (network, database, infrastructure security) reviews. In these cases, many organisations choose to develop an information technology specialty practice within their department given the magnitude and recurring nature of certain information technology-related issues and risks.

Again, internal audit functions should evaluate the depth, breadth and frequency of their information technology audit resource needs, and consider when and how external resources and organisations can be of assistance to achieve the best balance of people and skills to address information technology risks and issues.

44. Should an internal audit report provide a rating?

While not universal, it is common for internal audit reports to provide some form of qualitative/quantitative “rating” associated with the subject matter of the audit. Ratings can be attributed to individual findings or to the overall area subject to review. The most common forms of rating model include:

• A rating based on perceived level of risk to the organisation. Using this approach, individual issues may often be assigned a High, Medium or Low risk ranking based on the nature of the findings and the potential impact on the organisation.

• A rating based on control effectiveness. This model focuses on evaluating the effectiveness of internal controls or processes and assigning a rating to reflect the findings arising from the internal audit review. Such ratings typically are categorised in such terms as Highly Effective, Effective, Partly Effective or Not Effective. Some organisations use a capability maturity model to rank the “maturity” of internal control.

• Some rating models combine an assessment of control effectiveness and risk, given the


Rating systems have benefits in that they aid comparability of the quality of internal controls across different areas of the organisation. However, there are a number of important aspects to be considered before a rating system is adopted:

• Limitations in relation to the scope and/or nature of internal audit work conducted may reduce the ability of the internal auditor to reliably determine a rating. This needs to be carefully considered as ratings based on limited testing could potentially result in inappropriate conclusions being drawn;

• The criteria used to determine ratings should be clearly defined and articulated. Rating levels should use consistent terminology and reflect relevant business objectives;

• Any rating model should be understood by management and approved by the audit committee. Use of ratings in internal audit reports is not an “exact science” and is primarily intended to improve the usefulness of reports and help focus attention on key areas. Use of such a model should be considered in the context of the organisational culture, the requirements of key stakeholders and the expectations on the internal audit function.

45. What is control self-assessment (CSA)?

CSA is a process through which internal control effectiveness is examined and assessed by management. The objective is to provide reasonable assurance that all business objectives will be met.

The responsibility for the process is shared among all employees in an organisation. CSA is conducted within a structured environment in which the process is thoroughly documented and is repeated periodically to drive continuous improvement. The CSA process allows management and work teams directly responsible for a business function to:

• Participate in the assessment of internal control

• Evaluate risk

• Develop action plans to address identified weaknesses

• Assess the likelihood of achieving business objectives

The IIA believes CSA is a process that generates information on internal control that is useful to management and internal auditors in judging the quality of control. It can also provide a positive influence on the control environment. As operating staff buy into the process, control consciousness increases.

46. Is there a standard definition for internal controls?

There are a number of acceptable definitions of internal control. These include guidance provided by COSO (US), Turnbull Guidance on the Combined Code (UK) and CoCo (Canada).

COSO Internal Control – Integrated Framework

The ASX has acknowledged that the COSO framework is a suitable framework for purposes of evaluating internal control.

Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations


Key Concepts

• Internal control is a process. It is a means to an end, not an end in itself

• Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organisation

• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board

• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories

Internal control consists of five interrelated components. These are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and midsize companies may implement them differently than large ones. Although controls may be less formal and structured, a small company can still have effective internal controls.

The components are:

• Control Environment – Sets the tone of an organisation, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure

• Risk Assessment – This component is the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed

• Control Activities – Includes the policies and procedures that help ensure management directives are carried out

• Information and Communication – This component consists of processes and systems that support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities

• Monitoring – Consists of the processes that assess the quality of internal control performance over time

COSO Internal Control – Integrated Framework
