Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Organizational independence
To perform their role effectively, internal auditors require organizational
independence from management, to enable unrestricted evaluation of
management activities and personnel. Although internal auditors are part of
company management and paid by the company, the primary customer of
internal audit activity is the entity charged with oversight of management's
activities. This is typically the Audit Committee, a sub-committee of the Board
of Directors. To provide independence, most Chief Audit Executives report to
the Chairperson of the Audit Committee and can only be replaced with the
concurrence of that individual.
Under the COSO enterprise risk management (ERM) Framework, risks fall
under strategic, operational, financial reporting, and legal/regulatory
categories. Management performs risk assessment activities as part of the
ordinary course of business in each of these categories. Examples include:
strategic planning, marketing planning, capital planning, budgeting, hedging,
incentive payout structure, and credit/lending practices. Sarbanes-Oxley
regulations also require extensive risk assessment of financial reporting
processes. Corporate legal counsel often prepares comprehensive assessments
of the current and potential litigation a company faces. Internal auditors may
evaluate each of these activities, or focus on the processes used by
management to report and monitor the risks identified. For example, internal
auditors can advise management regarding the reporting of forward-looking
operating measures to the Board, to help identify emerging risks.
In larger organizations, major strategic initiatives are implemented to achieve
objectives and drive changes. As a member of senior management, the Chief
Audit Executive (CAE) may participate in status updates on these major
initiatives. This places the CAE in the position to report on many of the major
risks the organization faces to the Audit Committee, or ensure management's
reporting is effective for that purpose.
Internal auditors may help companies establish and maintain Enterprise Risk
Management processes. Internal auditors also play an important role in
helping companies execute a SOX 404 top-down risk assessment. In these
latter two areas, internal auditors typically are part of the project team in an
advisory role.
1. Establish and communicate the scope and objectives for the audit to
appropriate management.
3. Describe the key risks facing the business activities within the scope of the
audit.
4. Identify control procedures used to ensure each key risk and transaction
type is properly controlled and monitored.
This effort helps ensure the audit activity is aligned with the organization’s
objectives, by answering two key questions: First, what goals are the
organization trying to accomplish in the upcoming period? Second, how can
the Internal Audit Department assist the organization in achieving these
goals?
Plan completion: This is a measure of the degree to which the annual plan
of engagements is completed, measured at a point in time. This may be
measured using the number of projects completed, weighted by the planned
size of each project, with estimates for projects in-progress. Measured
throughout the year, it is compared against the percentage of the year elapsed.
While the internal auditor may clear minor matters which do not indicate a
consistent or systematic weakness with members of staff directly involved,
matters of consequence should be reported formally in writing to
management.
The internal auditor should produce clear, constructive and concise written
reports based on sufficient, relevant and reliable evidence, which should:
state the scope, purpose, extent and conclusions of the internal audit
assignment;
make recommendations which are appropriate and relevant, and which
flow from the conclusions; and
acknowledge the action taken, or proposed, by management.
The internal auditor should normally meet with management to discuss the
audit findings at the completion of field work for each internal audit
assignment and the formal written report should be presented to management
as soon as possible thereafter.
Before issuing the final report, the internal auditor should normally discuss
the contents with the appropriate levels of management, and may submit a
draft report to them, for confirmation of factual accuracy.
If the internal auditor and management disagree about the relevance of the
factual content of the draft audit report, the internal auditor should consider
whether reference should be made to this in the final report.