Managing the Internal Audit Function
Source: Mckonly & Asbury
In our previous article that explored the domains of the IIA’s Global Internal Audit Standards (GIAS), we focused on Domain III which outlines the role of the Board (or the organizations equivalent senior management) in the Internal Audit (IA) function. In this article, we will discuss Domain IV: Managing the Internal Audit Function. This domain focuses exclusively on the role of the Chief Audit Executive (CAE). We will explore the four principles in this Domain which will outline the extensive responsibilities, experience, and skills that the CAE must possess to support their organization. Considering the fact that there are four Principles and seventeen Standards, each with their own rigorous guidelines within this Domain, you can likely sense the importance placed upon the role of the CAE.
Principle 9: Plans Strategically
Principle 9 is quite extensive. It contains six Standards that lay out the foundational knowledge that the CAE should have with the core of these being: Governance, Risk Management, and Control Processes. This knowledge will be key in developing appropriate methodologies, coordinating with the Board to develop IA strategies, and creating the IA Charter. The IA Charter is an important internal document that states the purpose of IA, commits the IA function to adhering to GIAS, shows organizational positions, and reports relationships and many other details that flesh out the goals of the IA function.
The CAE should, through discussion with the Board, have a firm grasp of what their organization’s strategic objectives are. Based on the organization’s objectives, strategies, and risk appetite, the CAE should then develop an Internal Audit Plan, which (in simple terms) offers the organization a document that says, “here is what we do and how we will do it.” The plan should also emphasize any limitations or conflicting demands that would impede the execution of the plan.
The CAE should act as the nexus of coordination for internal and external services and assurance providers. This includes developing a methodology for evaluating other providers of assurance and advisory services, which includes a basis for relying upon their work.
Principle 10: Manages Resources
The CAE is the steward of the IA function’s resources. The three primary resources are: Financial, Technological, and Human Resources. One of the most important aspects of this principle is the ability to develop and present a budget to the Board which includes the resources required to complete the plan, resource resources, and recommendations to fill any gaps. The gaps may be technological or staff qualifications. These gaps may also be filled by purchasing technology, training staff, or outsourcing external resources. If the IA function has insufficient access to the resources needed, the CAE must communicate to the Board detailed information on the impacts of not filling the gaps and costs to fill the gaps.
Principle 11: Communicates Effectively
As the face of the IA function, the CAE is the relationship builder and primary communicator when discussing organizational interests and concerns with stakeholders and the board, promoting a sense of trust and understanding of the IA function and its members. The CAE is also responsible for ensuring all communications on behalf of the IA function follows seven rules; they must be: accurate, objective, clear, concise, constructive, complete, and timely.
These rules apply particularly when communicating acceptance of risks, engagement conclusions, themes developed from the findings of multiple engagements, and conclusions at the level of the business unit or organization. When errors or omissions occur, the CAE ensures that all concerned parties who received inaccurate or incomplete information receive a corrected copy of that information.
Principle 12: Enhances Quality
The CAE ensures conformance with the standards and uses performance measures to continuously improve the performance of the IA function. The CAE establishes performance objectives and a methodology which includes measuring progress toward performance objectives, conformance with Standards, and periodic self-assessments. The self-assessments must be performed by persons within the organization with appropriate knowledge of the Standards and IA practices. The results of the self-assessments will drive the development of an action plan which addresses nonconformance with standards and identifies improvement opportunities. The CAE must also be the guiding hand in helping internal auditors achieve their objectives with the larger goal of improving engagement performance through proper supervision and verifying that the Standards are being followed. The CAE is also responsible for ensuring that a Quality Assurance and Improvement (QAIP) assessment is performed by a qualified third party.
For more information on QAIP and regarding McKonly & Asbury's internal audit experience, be sure to visit their Internal Audit Services page and don’t hesitate to reach out to a member of their internal audit team, such as Elaine Nissley.