3. Internal Audit Roles


  • 8/11/2019 3. Internal Audit Roles

    1/20

    STUDY UNIT THREE

    INTERNAL AUDIT ROLES I

    3.1 Nature of Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

    3.2 Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

    3.3 Regulatory Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

    3.4 Study Unit 3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

    This study unit is the first of two that address the scope of work of internal auditors. The scope of work is defined in the pronouncements of The IIA. They elaborate on the description of the services performed by the internal audit activity provided in the definition of internal auditing. The definition stresses the improvement of risk management, control, and governance processes. However, the internal auditors' work regarding control is such a vital part of their responsibilities that it is treated separately in Study Units 5 and 6.

    Core Concepts

    The IAA's work focuses on the risk management, control, and governance processes of the organization.

    The IAA appraises the overall management process.

    Governance is the structure implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

    The CAE establishes and maintains a system to monitor the disposition of results communicated to management.

    Compliance is conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

    1

    Copyright 2008 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com

    http://www.gleim.com/http://www.gleim.com/

    3.1 NATURE OF WORK

    1. This subunit is brief but important. It consists of one General Performance Standard and one Practice Advisory. Standard 2100 reflects the scope of work described in the definition of internal auditing. PA 2100-1 provides frequently tested guidance regarding the management process and its relationship to internal auditing.

    2. 2100 Nature of Work - The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

    a. PRACTICE ADVISORY 2100-1: NATURE OF WORK

    1. The scope of internal auditing work encompasses a systematic, disciplined approach to evaluating and improving the adequacy and effectiveness of risk management, control, and governance processes and the quality of performance in carrying out assigned responsibilities. The purpose of evaluating the adequacy of the organization's existing risk management, control, and governance processes is to provide reasonable assurance that these processes are functioning as intended and will enable the organization's objectives and goals to be met. They also provide recommendations for improving the organization's operations, in terms of both efficient and effective performance. Senior management and the board might also provide general direction as to the scope of work and the activities to be audited.

    2. Adequacy of risk management, control, and governance processes is present if management has planned and designed them to provide reasonable assurance that the organization's objectives and goals will be achieved efficiently and economically. Efficient performance accomplishes objectives and goals in an accurate, timely, and economical fashion. Economical performance accomplishes objectives and goals with minimal use of resources (i.e., cost) commensurate with the risk exposure. Reasonable assurance is provided if the most cost-effective measures are taken in the design and implementation stages to reduce risks and restrict expected deviations to a tolerable level. Thus, the design process begins with the establishment of objectives and goals. This is followed by connecting or interrelating concepts, parts, activities, and people to operate together to achieve the established objectives and goals.

    3. Effectiveness of risk management, control, and governance processes is present if management directs processes to provide reasonable assurance that the organization's objectives and goals will be achieved. In addition to accomplishing the objectives and planned activities, management directs by authorizing activities and transactions, monitoring resulting performance, and verifying that the organization's processes are operating as designed.


    4. Broadly, management is responsible for the sustainability of the whole organization and accountability for the organization's actions, conduct, and performance to the owners, other stakeholders, regulators, and general public. Specifically, the primary objectives of the overall management process are to achieve:

    Relevant, reliable, and credible financial and operating information.

    Effective and efficient use of the organization's resources.

    Safeguarding of the organization's assets.

    Compliance with laws, regulations, ethical and business norms, and contracts.

    Identification of risk exposures and use of effective strategies to control them.

    Established objectives and goals for operations or programs.

    5. Management plans, organizes, and directs performance to provide reasonable assurance that objectives and goals will be achieved. Management periodically reviews its objectives and goals and modifies its processes to accommodate changes in internal and external conditions. Management also establishes and maintains an organizational culture, including an ethical climate that fosters control.

    6. Control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which have occurred), or directive (to cause or encourage a desirable event to occur). A system of control is the integrated collection of control components and activities that are used by an organization to achieve its objectives and goals.

    7. Internal auditors evaluate the whole management process of planning, organizing, and directing to determine whether reasonable assurance exists that objectives and goals will be achieved. Internal auditors should be alert to actual or potential changes in internal or external conditions that affect the ability to provide assurance from a forward-looking perspective. In those cases, internal auditors should address the risk that performance may deteriorate.

    8. These internal auditing evaluations, in the aggregate, provide information to appraise the overall management process. All business systems, processes, operations, functions, and activities within the organization are subject to the internal auditors' evaluations. The comprehensive scope of work of internal auditing should provide reasonable assurance that management's

    Risk management system is effective.

    System of internal control is effective and efficient.

    Governance process is effective by establishing and preserving values, setting goals, monitoring activities and performance, and defining the measures of accountability.


    PA Summary

    The scope of internal auditing encompasses a systematic, disciplined approach to evaluating and improving the adequacy and effectiveness of risk management, control, and governance processes (RCG) and the quality of performance. The purpose of evaluating the adequacy of RCG is to provide reasonable assurance that they are functioning as intended and will enable objectives to be met. Internal auditors also provide recommendations for improving operations. Senior management and the board also might provide general direction about the scope of work.

    Adequacy of RCG is present if management has planned and designed them to provide reasonable assurance that objectives will be achieved efficiently and economically. Efficient means accomplishing objectives in an accurate, timely, and economical fashion. Economical means accomplishing objectives with minimal resource use (cost) in proportion to the risk. Reasonable assurance is taking the most cost-effective measures to reduce risk and restrict deviations to a tolerable level. Design begins with objectives. It is followed by connecting concepts, parts, activities, and people to achieve the objectives.

    Effectiveness of RCG is present if management directs processes to provide reasonable assurance that objectives will be achieved. Management also directs by authorizing activities and transactions, monitoring performance, and verifying that processes are operating as designed.

    Management is responsible for the sustainability of the organization and its accountability to stakeholders. The objectives of the overall management process are to achieve (1) relevant, reliable, and credible financial and operating information; (2) effective and efficient use of resources; (3) safeguarding of assets; (4) compliance with laws, regulations, ethical and business norms, and contracts; (5) identification of risks and use of effective control strategies; and (6) established objectives for operations or programs.

    Management periodically reviews its objectives and modifies its processes as conditions change. It also maintains an organizational culture.

    Control is any action by management to enhance the likelihood that objectives will be achieved. Controls may be preventive (to deter undesirable events), detective (to detect and correct undesirable events), or directive (to cause or encourage a desirable event). A system of control is the integrated set of components and activities used to achieve organizational objectives.

    Internal auditors evaluate the management process of planning, organizing, and directing. Internal auditors should be alert to changes in conditions that affect the ability to provide forward-looking assurance. In those cases, internal auditors should address the risk that performance may deteriorate.

    Internal auditing evaluations provide information to appraise the overall management process. The scope of work of internal auditing should provide reasonable assurance that management's (1) risk management system is effective; (2) system of internal control is effective and efficient; and (3) governance process is effective by establishing and preserving values, setting goals, monitoring activities and performance, and defining accountability.


    3.2 GOVERNANCE

    1. Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives (Glossary). It is a fundamental element of the definition of internal auditing. This subject is covered in two General Performance Standards, one Specific Performance Standard, two Assurance Implementation Standards, two Consulting Implementation Standards, and five Practice Advisories.

    2. 2130 Governance - The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

    Promoting appropriate ethics and values within the organization.

    Ensuring effective organizational performance management and accountability.

    Effectively communicating risk and control information to appropriate areas of the organization.

    Effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.

    a. PRACTICE ADVISORY 2130-1: ROLE OF THE INTERNAL AUDIT ACTIVITY AND INTERNAL AUDITOR IN THE ETHICAL CULTURE OF AN ORGANIZATION

    1. This Practice Advisory underscores the importance of organizational culture in establishing the ethical climate of an enterprise and suggests the role that internal auditors could play in improving that ethical climate. Specifically, the Practice Advisory

    Describes the nature of the governance process.

    Links it to the ethical culture of the organization.

    States that all people associated with the organization, and specifically internal auditors, should assume the role of ethics advocates.

    Lists the characteristics of an enhanced ethical culture.

    2. Responsibilities. An organization uses various legal forms, structures, strategies, and procedures to ensure that it

    Complies with society's legal and regulatory rules.

    Satisfies the generally accepted business norms, ethical precepts, and social expectations of society.

    Provides overall benefit to society and enhances the interests of the specific stakeholders in both the long- and short-term.

    Reports fully and truthfully to its owners, regulators, other stakeholders, and general public to ensure accountability for its decisions, actions, conduct, and performance.

    The way in which an organization chooses to conduct its affairs to meet those four responsibilities is commonly referred to as its governance process. The organization's governing body (such as a board of directors or trustees or a managing board) and its senior management are accountable for the effectiveness of the governance process.


    3. An organization's governance practices reflect a unique and ever-changing culture that affects roles, specifies behavior, sets goals and strategies, measures performance, and defines the terms of accountability. That culture affects the values, roles, and behavior that will be articulated and tolerated by the organization and determines how sensitive -- thoughtful or indifferent -- the enterprise is in meeting its responsibilities to society. Thus, how effective the overall governance process is in performing its expected function largely depends on the organization's culture.

    4. All people associated with the organization share some responsibility for the state of its ethical culture. Because of the complexity and dispersion of decision-making processes in most enterprises, each individual should be encouraged to be an ethics advocate, whether the role is delegated officially or merely conveyed informally. Codes of conduct and statements of vision and policy are important declarations of the organization's values and goals, the behavior expected of its people, and the strategies for maintaining a culture that aligns with its legal, ethical, and societal responsibilities. A growing number of organizations have designated a chief ethics officer as counselor of executives, managers, and others and as champion within the organization for doing the right thing.

    5. Internal auditors and the internal audit activity should take an active role in support of the organization's ethical culture. They possess a high level of trust and integrity within the organization and the skills to be effective advocates of ethical conduct. They have the competence and capacity to appeal to the enterprise's leaders, managers, and other employees to comply with the legal, ethical, and societal responsibilities of the organization.

    6. The internal audit activity may assume one of several different roles as an ethics advocate. Those roles include chief ethics officer (ombudsperson, compliance officer, management ethics counselor, or ethics expert), member of an internal ethics council, or assessor of the organization's ethical climate. In some circumstances, the role of chief ethics officer may conflict with the independence attribute of the internal audit activity.

    7. At a minimum, the internal audit activity should periodically assess the state of the ethical climate of the organization and the effectiveness of its strategies, tactics, communications, and other processes in achieving the desired level of legal and ethical compliance. Internal auditors should evaluate the effectiveness of the following features of an enhanced, highly effective ethical culture:

    Formal Code of Conduct, which is clear and understandable, and related statements, policies (including procedures covering fraud and corruption), and other expressions of aspiration.

    Frequent communications and demonstrations of expected ethical attitudes and behavior by the influential leaders of the organization.

    Explicit strategies to support and enhance the ethical culture with regular programs to update and renew the organization's commitment to an ethical culture.

    Several easily accessible ways for people to confidentially report alleged violations of the Code, policies, and other acts of misconduct.

    Regular declarations by employees, suppliers, and customers that they are aware of the requirements for ethical behavior in transacting the organization's affairs.


    Clear delegation of responsibilities to ensure that ethical consequences are evaluated, confidential counseling is provided, allegations of misconduct are investigated, and case findings are properly reported.

    Easy access to learning opportunities to enable all employees to be ethics advocates.

    Positive personnel practices that encourage every employee to contribute to the ethical climate of the organization.

    Regular surveys of employees, suppliers, and customers to determine the state of the ethical climate in the organization.

    Regular reviews of the formal and informal processes within the organization that could potentially create pressures and biases that would undermine the ethical culture.

    Regular reference and background checks as part of hiring procedures, including integrity tests, drug screening, and similar measures.

    PA Summary

    This PA (1) describes the governance process, (2) links it to the ethical culture, (3) states that everyone in the organization should be an ethics advocate, and (4) describes an enhanced ethical culture.

    The governance process consists of the way in which four responsibilities are met: (1) compliance with legal and regulatory rules, (2) satisfaction of generally accepted norms and social expectations, (3) providing benefits to society and specific stakeholders, and (4) reporting fully and truthfully to ensure accountability. The organization's governing body and senior management are accountable for the process.

    Governance practices reflect the organization's unique, dynamic culture and largely depend on it for effectiveness. The culture sets values, objectives, and strategies; defines roles and behaviors; measures performance; and specifies accountability. Thus, the culture determines the degree of sensitivity to social responsibility.

    All individuals should be ethics advocates, codes of conduct and vision statements are often issued, and a chief ethics officer may be appointed.

    Because of their skills and position in the organization, auditors should actively support the ethical culture. Roles may include chief ethics officer, member of an ethics council, or assessor of the ethical climate.

    The minimum IAA role is assessor of the ethical climate and the effectiveness of processes to achieve legal and ethical compliance. Internal auditors should evaluate the effectiveness of the following features of an enhanced, highly effective ethical culture: (1) a formal Code of Conduct; (2) frequent communications by influential leaders; (3) explicit strategies to enhance the ethical culture with regular programs; (4) easily accessible ways to confidentially report alleged violations; (5) regular declarations by employees, suppliers, and customers about the requirements for ethical behavior; (6) clear delegation of responsibilities for providing counsel, investigation, and reporting; (7) easy access to learning opportunities; (8) positive personnel practices that encourage every employee to contribute; (9) regular surveys to determine the state of the ethical climate; (10) regular reviews of the processes that undermine the ethical culture; and (11) regular reference and background checks.


    3. 2130.A1 - The internal audit activity should evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

    4. 2130.C1 - Consulting engagement objectives should be consistent with the overall values and goals of the organization.

    a. PRACTICE ADVISORY 1000.C1-2: ADDITIONAL CONSIDERATIONS FOR FORMAL CONSULTING ENGAGEMENTS

    The following is the portion of this comprehensive Practice Advisory relevant to Standard 2130.C1:

    9. The internal auditor should exercise due professional care in conducting a formal consulting engagement by understanding the following:

    Needs of management officials, including the nature, timing, and communication of engagement results.

    Possible motivations and reasons of those requesting the service.

    Extent of work needed to achieve the engagement's objectives.

    Skills and resources needed to conduct the engagement.

    Effect on the scope of the audit plan previously approved by the audit committee.

    Potential impact on future audit assignments and engagements.

    Potential organizational benefits to be derived from the engagement.

    10. Other considerations. In addition to the independence and objectivity evaluation and due professional care considerations, the internal auditor should

    Conduct appropriate meetings and gather necessary information to assess the nature and extent of the service to be provided.

    Confirm that those receiving the service understand and agree with the relevant guidance contained in the internal audit charter, internal audit activity's policies and procedures, and other related guidance governing the conduct of consulting engagements. The internal auditor should decline to perform consulting engagements that are prohibited by the terms of the internal audit charter, conflict with the policies and procedures of the internal audit activity, or do not add value and promote the best interests of the organization.

    Evaluate the consulting engagement for compatibility with the internal audit activity's overall plan of engagements. The internal audit activity's risk-based plan of engagements may incorporate and rely on consulting engagements, to the extent deemed appropriate, to provide necessary audit coverage to the organization.

    Document general terms, understandings, deliverables, and other key factors of the formal consulting engagement in a written agreement or plan. It is essential that both the internal auditor and those receiving the consulting engagement understand and agree with the reporting and communication requirements.


    PA Summary

    Due professional care for a formal consulting engagement requires an understanding of the (1) needs of management, (2) reasons for the service, (3) extent of work, (4) resources required, (5) effect on the audit plan, (6) effect on future engagements, and (7) engagement benefits. The auditor should assess the nature and extent of the service.

    The auditor should confirm that service recipients agree with related guidance (e.g., the IAA's charter, policies, and procedures). Engagements should not be performed when they (1) are prohibited by the charter, (2) conflict with policy, or (3) do not add value.

    An engagement should be compatible with the IAA's overall plan of engagements. In appropriate circumstances, consulting engagements may provide necessary audit coverage.

    Key engagement factors should be documented in a written agreement.

    5. 2500 Monitoring Progress - The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

    a. PRACTICE ADVISORY 2500-1: MONITORING PROGRESS

    1. The chief audit executive should establish procedures to include the following:

    A time frame within which management's response to the engagement observations and recommendations is required.

    An evaluation of management's response.

    A verification of the response (if appropriate).

    A follow-up engagement (if appropriate).

    A communications procedure that escalates unsatisfactory responses/actions, including the assumption of risk, to the appropriate levels of management.

    2. Certain reported observations and recommendations may be so significant as to require immediate action by management. These conditions should be monitored by the internal audit activity until corrected because of the effect they may have on the organization.

    3. Techniques used to monitor progress effectively include:

    Addressing engagement observations and recommendations to the appropriate levels of management responsible for taking corrective action.

    Receiving and evaluating management responses to engagement observations and recommendations during the engagement or within a reasonable time period after the engagement results are communicated. Responses are more useful if they include sufficient information for the chief audit executive to evaluate the adequacy and timeliness of corrective action.

    Receiving periodic updates from management in order to evaluate the status of management's efforts to correct previously communicated conditions.


    Receiving and evaluating information from other organizational units assigned responsibility for procedures of a follow-up or corrective nature.

    Reporting to senior management or the board on the status of responses to engagement observations and recommendations.

    PA Summary

    The CAE establishes procedures to monitor the disposition of reported results. They include (1) a time frame for management's response, (2) an evaluation and verification of the response (if appropriate), (3) a follow-up (if appropriate), and (4) a communications procedure for dealing with unsatisfactory responses.

    Observations and recommendations needing immediate action should be monitored until corrected.

    Observations and recommendations should be addressed to managers responsible for corrective action.

    Management responses should be received and evaluated during the engagement or within a reasonable time afterward. Responses should be sufficient for the CAE to evaluate the adequacy and timeliness of corrective action.

    Management should give periodic updates.

    Information should be received and evaluated from other units involved in follow-up or correction.

    The status of responses should be reported to senior management or the board.

    6. 2500.A1 - The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

    a. PRACTICE ADVISORY 2500.A1-1: FOLLOW-UP PROCESS

    1. Internal auditors should determine that corrective action was taken and is achieving the desired results or that senior management or the board has assumed the risk of not taking corrective action on reported observations.

    2. Follow-up by internal auditors is defined as a process by which they determine the adequacy, effectiveness, and timeliness of actions taken by management on reported engagement observations and recommendations, including those made by external auditors and others.

    3. Responsibility for follow-up should be defined in the internal audit activity's written charter. The nature, timing, and extent of follow-up should be determined by the chief audit executive. Factors that should be considered in determining appropriate follow-up procedures are:

    The significance of the reported observation or recommendation.

    The degree of effort and cost needed to correct the reported condition.

    The impacts that may result should the corrective action fail.

    The complexity of the corrective action.

    The time period involved.


    4. In some instances, the chief audit executive may judge that managements oralor writtenresponse shows that action already taken is sufficientwhenweighed against the relative importance of the engagement observation orrecommendation. On such occasions, follow-up may be performed as part ofthe next engagement.

    5. Internal auditors should ascertain thatactions takenon engagementobservations and recommendationsremedythe underlyingconditions.

    6. The chief audit executive is responsible forscheduling follow-upactivities aspart of developing engagementwork schedules. Scheduling of follow-upshould be based on theriskand exposure involved, as well as the degree ofdifficultyand the significance oftimingin implementing corrective action.

    PA Summary

    Auditors follow up by determining whether (1) effectivecorrective actionhas beentaken or (2) senior management or the board has assumed the riskof not taking

    action. Follow-upshould address the adequacy, effectiveness, and timeliness of actions

    on reported observations and recommendations, including those by otherauditors.

    TheIAAs charterdefinesresponsibility for follow-up. The CAE defines itsnature, timing, and extent after considering (1) the significance of what is reported,(2) the effort and cost of correction, (3) the effect of failure of correction, (4) thecomplexity of correction, and (5) the time involved.

    Ifaction already taken suffices, follow-up may be part of the next engagement.

    Auditors should verify that actionsremedyunderlying conditions.

    The CAE includes follow-up as part of thework schedule. Scheduling depends ontherisk involved and the difficulty and timing of corrective action.

    7. 2500.C1 The internal audit activity should monitor the disposition of results of consultingengagements to the extent agreed upon with the client.

    a. PRACTICE ADVISORY 1000.C1-2: ADDITIONAL CONSIDERATIONS FOR FORMAL CONSULTING ENGAGEMENTS

    The following is the portion of this Practice Advisory relevant to Standard 2500.C1:

    20. The internal audit activity should monitor the results of consulting engagements to the extent agreed upon with the client. Varying types of monitoring may be appropriate for differing types of consulting engagements. The monitoring effort may depend on various factors, such as management's explicit interest in the engagement or the internal auditor's assessment of the project's risks or value to the organization.

    PA Summary

    The IAA monitors results of consulting as agreed with the client. The type of monitoring may depend on factors such as management's interest in the engagement or the assessment of risk.


    8. 2600 Resolution of Management's Acceptance of Risks - When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

    a. PRACTICE ADVISORY 2600-1: MANAGEMENT'S ACCEPTANCE OF RISKS

    1. Management is responsible for deciding the appropriate action to be taken in response to reported engagement observations and recommendations. The chief audit executive is responsible for assessing such management action for the timely resolution of the matters reported as engagement observations and recommendations. In deciding the extent of follow-up, internal auditors should consider procedures of a follow-up nature performed by others in the organization.

    2. As stated in Section 2060 of the Standards, paragraph 3 of Practice Advisory 2060-1, senior management may decide to assume the risk of not correcting the reported condition because of cost or other considerations. The board should be informed of senior management's decision on all significant engagement observations and recommendations.

    PA Summary

    Management decides the action taken in response to engagement results. The CAE assesses this action for timely resolution. The extent of follow-up also is a function of follow-up work done by others.

    Senior management may assume the risk of noncorrection. The decisions on all significant engagement observations and recommendations should be reported to the board.

    9. Follow-up

    a. The internal auditor should

    1) Receive all replies by the engagement client to the engagement communications

    2) Evaluate the adequacy of those replies

    3) Be convinced that the action taken will cure the defects

    b. The internal auditor is in the best position to carry out this responsibility. (S)he is

    1) Better acquainted with the facts than senior management or other control centers in the organization.

    2) More objective than the operating manager who must take the corrective action.

    c. The responsibility for determining whether corrective action is adequate should be coupled with the authority to evaluate the adequacy of replies to engagement communications. The internal auditor should

    1) Report to management when corrective actions are not timely or effective.

    2) Submit periodic reports to management on open engagement observations and recommendations.


    d. The adequacy of a response depends on the circumstances in each case. In general, a satisfactory response

    1) Addresses itself to the complete problem, not just to specific items included in the internal auditor's sample.

    2) Shows that action also has been taken to prevent a recurrence of the deficient condition.

    e. In evaluating the reply, the internal auditor should be satisfied that the action promised is actually taken. The auditor should

    1) Obtain copies of revised procedures issued to correct conditions.

    2) Make any field tests needed to provide assurance that the condition has been corrected.

    f. A formal system should be designed to keep engagements open until adequate corrective action is assured. For example,

    1) Provisions should be made for formal opening and closing of engagements.

    2) The internal auditors should issue a formal statement of closure, supported by copies of replies to engagement communications and explanations of the action taken to ensure the adequacy and effectiveness of corrective measures.

    a) Closure reports are directed to the chief audit executive.

    3) Engagements should not be removed from the IAA's open engagements listing until all required corrective actions have been taken and evaluated.

    3.3 REGULATORY COMPLIANCE

    1. Internal auditors should assess compliance in specific areas as part of their role in organizational governance. They also should conduct follow-up and report on management's response to regulatory body reviews. Given the ever-expanding scope of governmental regulation, these duties of internal auditors have assumed increased importance.

    Caution: Internal auditors are encouraged to consult legal counsel in all matters involving legal issues as requirements may vary significantly in different jurisdictions.

    2. The Glossary provides the following definition of Compliance:

    Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

    3. 2100 Nature of Work - The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

    NOTE: The following Practice Advisory has been slightly modified to eliminate any implication that it applies only to a specific country.

    a. PRACTICE ADVISORY 2100-5: LEGAL CONSIDERATIONS IN EVALUATING REGULATORY COMPLIANCE PROGRAMS

    1. Compliance programs assist organizations in preventing inadvertent employee violations, detecting illegal activities, and discouraging intentional employee violations. They can also help prove insurance claims, determine director and officer liability, create or enhance corporate identity, and decide the appropriateness of punitive damages. Internal auditors should evaluate an organization's regulatory compliance programs in light of the following suggested steps for effective compliance programs.


    2. The organization should establish compliance standards and procedures, to be followed by its employees and other agents, that are reasonably capable of reducing the prospect of criminal conduct.

    The organization should develop a written business code of conduct that clearly identifies prohibited activities. This code should be written in language that all employees can understand, avoiding legalese. A good code provides guidance to employees on relevant issues.

    Checklists, a question and answer section, and reference to additional sources for further information all help make the code user-friendly.

    The organization should create an organizational chart identifying board members, senior officers, senior compliance officer, and department personnel who are responsible for implementing compliance programs.

    Codes of conduct that are viewed as legalistic and one-sided by employees may increase the risk that employees will engage in unethical or illegal behavior, but codes that are viewed as straightforward and fair tend to decrease the risk that employees will engage in such activity.

    Organizations using reward systems that attach financial incentives to apparently unethical or illegal behavior can expect a poor compliance environment.

    Organizations with international operations should institute a compliance program on a global basis, not just for selected geographic locations. Such programs should reflect appropriate local conditions, laws, and regulations.

    3. Specific individual(s) within high-level personnel of the organization should be assigned overall responsibility to oversee regulatory compliance with standards and procedures.

    High-level personnel of the organization means individuals who have substantial control of the organization or who have a substantial role in the making of policy within the organization.

    High-level personnel of the organization include a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.

    To be fully effective, the CEO and other senior management must have significant involvement in the program.

    In some organizations, assigning chief compliance responsibilities to the organization's general counsel may convince employees that management is not committed to the program, that the program is important to the legal department only and not the organization as a whole. In other organizations, the opposite may be true.

    In a large organization with several business units, compliance responsibilities should be assigned to high-level personnel in each unit.

    It is not enough for the organization to create the position of chief compliance officer and to select the rest of the compliance unit. The organization should also ensure that those personnel are appropriately empowered and supplied with the resources necessary for carrying out their mission. Compliance personnel should have adequate access to senior management. The chief compliance officer should report directly to the CEO.


    4. The organization should use due care not to delegate substantial discretionary authority to individuals the organization knows, or should know through the exercise of due diligence, have a propensity to engage in illegal activities.

    Organizations should screen applicants for employment at all levels for evidence of past wrongdoing, especially wrongdoing within the organization's industry. Employment applications should inquire as to past criminal convictions.

    Professionals should be asked about any history of discipline by licensing boards.

    NOTE: Disciplinary actions by licensing boards may be a matter of public record.

    Care should be taken to ensure that the organization does not infringe upon employees' and applicants' privacy rights under any applicable laws. Many jurisdictions have laws limiting the amount of information an organization can obtain in performing background checks on employees.

    5. The organization should take steps to communicate effectively its standards and procedures to all employees and other agents, e.g., by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required.

    The effectiveness of a compliance program will depend upon the ways in which it is communicated to employees. Generally, an interactive format works better than a lecture. Programs communicated in person tend to work better than programs communicated entirely through video or game formats. Programs that are periodically repeated work better than one-time presentations.

    The best programs include employee training that allows employees to practice new techniques and use new information. Such activities are particularly appropriate with regard to management training but are effective with regard to employees at all levels.

    The language used by an organization's code of conduct and employee manual should be easy to understand. Alternative methods of communicating the code and the employee manual to employees lacking more formal education must be found and implemented.

    Compliance tips, statements, and warnings should be disseminated to employees through a variety of available media: newsletters, posters, e-mail, questionnaires, and presentations.

    Organizations should present the program on multiple occasions to different sets of employees, targeting the information presented to the areas important to each functional group of employees. The information should be tailored to that group's job requirements. For example, environmental compliance information should be directed to those departments, such as manufacturing or real property management, that have an increased likelihood of violating or detecting violations of such laws and regulations. On the other hand, providing such training to a department with no such responsibilities could be detrimental, inspiring employee apathy or a belief that the program was not well constructed.

    New employees should receive basic compliance training as part of their orientation. Later, they can be incorporated into ongoing compliance efforts in their departments.


    Agents of the organization should be asked to attend a presentation specifically geared toward them. It is important that an organization inform its agents of the organization's core values, and that the actions of its agents that are attributable to the organization will be monitored in connection with the compliance program. The organization should be prepared to cease doing business with agents who fail to adhere to the organization's compliance standards.

    Organizations should require employees to periodically certify that they have read, understood, and complied with the company's code of conduct. This information should be relayed annually to senior management and the board of directors.

    All ethics-related documents (codes of conduct, human resources policies/manuals, etc.) should be readily available to all employees. Continuous access availability, such as through the organization's intranet, is strongly encouraged.

    6. The organization should take reasonable steps to achieve compliance with its standards, e.g., by using monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report criminal conduct by others within the organization without fear of retribution.

    The organization should devote an amount of resources to the internal audit plan that is appropriate given the size of the company and the difficulty of the audit task. The audit plan should concentrate on the organization's activities in each of its businesses.

    The audit plan should also include a review of the organization's compliance program and its procedures, including reviews to determine whether written materials are effective, communications have been received by employees, detected violations have been appropriately handled, discipline has been even-handed, any protections afforded to informants by local law have not been violated, and the compliance unit has fulfilled its responsibilities. The auditors should review the compliance program to determine whether it can be improved and should solicit employee input in that regard.

    Each program should have a hotline or other reporting system under which employees can report activity that they believe to be unethical, illegal, or against the organization's code of conduct. Employees must be free to report such behavior without fear of reprisal.

    In some countries, attorney-client and attorney work-product privileges may be legally recognized. These privileges protect certain information disclosed to (or produced by) an attorney from being used by an adverse party in a legal proceeding. In these countries, an attorney monitoring the hotline is best able to protect the privileges. However, one study observed that employees have little confidence in hotlines answered by the legal department or by an outside service. The same study showed that employees have even less confidence in write-in reports or an off-site ombudsperson, but have the most confidence in hotlines answered by an in-house representative and backed by a nonretaliation policy.


    Use of an on-site ombudsperson is more effective if the ombudsperson reports directly to the chief compliance officer or the board of directors, if the ombudsperson can keep the names of informants secret, if the ombudsperson provides guidance to informants, and if the ombudsperson undertakes follow-up review to ensure that retaliation has not occurred. Additionally, some jurisdictions now recognize a limited ombudsperson privilege under which the ombudsperson is protected from disclosing confidential communications made by informants to the ombudsperson.

    An effective tool for uncovering unethical or illegal activity is the ethics questionnaire. Each employee of the organization should receive a questionnaire, which asks whether the employee is aware of kickbacks, bribes, or other wrongdoing. To protect any available privileges, the questionnaire should be sent by organization counsel; contain a statement that the questionnaire is protected by privilege; require the employee to complete, sign, and return the questionnaire without making a copy; and contain a statement that the organization retains the right to disclose information provided to it to government agencies or in litigation. But a privilege may be lost if the questionnaire is disclosed to outside parties.

    7. The standards should be consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense. Adequate discipline of individuals responsible for an offense is a necessary component of enforcement; however, the form of discipline that will be appropriate will be case specific.

    The compliance program should contain a disciplinary system under which those who violate the organization's code of conduct receive punishment appropriate to the offense, such as warning, loss of pay, suspension, transfer, or termination. If an employee is found to have committed some illegal act, the organization might have to terminate that employee, in keeping with the organization's obligation to use due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in illegal activities (see paragraph 4).

    Discipline under the program must be fair. The program has slight chance of succeeding if unethical or illegal activity goes unpunished, especially if tied to the activities of senior management or big producers. Ignored wrongdoing by such persons will encourage such behavior in the rest of the workforce.

    Termination or other discipline of employees may be limited by whistle-blower laws, exceptions to the employee-at-will doctrine, employee or union contracts, and employer responsibilities with regard to discrimination, wrongful discharge, and employer bad faith laws/doctrines.

    The program should provide for the discipline of managers and other responsible persons who knew or should have known of misconduct and did not report it. Failure of the program to do so may cause a court to find that the program is not effective.

    8. Organizations should be scrupulous and thorough in documenting employee discipline. The organization should be able to prove that it made its best efforts to collect information with regard to any incident and took appropriate action based upon the information available.


    9. After an offense has been detected, the organization should take all reasonable steps to respond appropriately to the offense and to prevent further similar offenses, including any necessary modifications to its program to prevent and detect violations of law.

    The organization should respond appropriately to each offense detected by the compliance program. Appropriate responses include disciplinary action taken with regard to those who engaged in misconduct.

    In some circumstances, an appropriate response could require self-reporting the violation to the government, cooperation with governmental investigations, and the acceptance of responsibility for the violation. Note that maintaining an effective compliance program and making appropriate responses could result in more lenient punishment after violations of the law.

    Failure to detect or prevent a serious violation could indicate that the compliance program needs a major overhaul. At a minimum, after any violation is detected, compliance personnel should examine the program to determine whether changes need to be made.

    One change that may be required in light of a violation could be the replacement or shuffling of compliance personnel. In fact, the organization may need to discipline or replace any manager who fails to detect or prevent misconduct in the areas under the manager's supervision, especially if the violation is one that the manager should have detected.

    PA Summary

    Compliance programs help to prevent unintentional violations, detect illegality, deter intentional violations, prove insurance claims, determine liability, enhance corporate identity, and decide the appropriateness of punitive damages. Internal auditors evaluate these programs.

    Compliance standards and procedures should be established, including a clearly written, straightforward, and fair business code of conduct that provides guidance to employees on relevant issues and is user-friendly. Also, an organizational chart should identify personnel responsible for compliance programs. Moreover, financial incentives should not reward misconduct, and international organizations should have a compliance program on a global basis that reflects local conditions and laws.

    Specific high-level personnel who are properly empowered and supplied with necessary resources should have overall responsibility for the compliance program. Senior management also should be involved. High-level personnel have substantial control of the entity or a substantial role in making policy. Furthermore, compliance personnel should have adequate access to senior management, and the chief compliance officer should report directly to the CEO.

    Due care should be used not to delegate authority to those with a tendency to illegality. Applications should inquire about criminal convictions or discipline by licensing boards, and applicants should be screened in a lawful manner that does not infringe upon privacy rights.


    Standards and procedures, including readily available ethics-related documents, should be communicated effectively, preferably in an interactive format and on multiple occasions. Training programs and publications are typical methods. The best training allows employees to practice new techniques and use new information. Compliance information should be conveyed through a variety of available media. Moreover, the program should be presented to different sets of employees, targeting the information to the areas important to each functional group and its job requirements. New employees should receive basic compliance training as part of their orientation, and agents of the entity should be given a presentation specifically for them. Agents should understand the entity's core values and that their actions will be monitored. Organizations also should require employees to certify periodically that they have read, understood, and complied with the code of conduct. This information should be relayed annually to senior management and the board.

    Monitoring and auditing systems for detecting illegality and employee hotline reporting systems should be used. For example, the internal audit plan should be given appropriate resources and apply to all of the entity's businesses. Also, it should include a review of the compliance program. The review considers effectiveness of written materials, employee receipt of communications, handling of violations, fairness of discipline, observance of any protections afforded to informants, and fulfillment of compliance unit responsibilities.

    Attorney-client and attorney work-product privileges protect certain information disclosed to (or produced by) an attorney from being used by an adverse party in a legal proceeding. An attorney monitoring the hotline is best able to protect the privileges. However, employees may have little confidence in such hotlines or in write-in reports or an off-site ombudsperson. But they may have confidence in hotlines answered by an in-house representative and backed by a nonretaliation policy.

    An on-site ombudsperson is more effective if (s)he (1) reports directly to the chief compliance officer or the board, (2) can keep the names of informants secret, (3) provides guidance to informants, and (4) undertakes follow-up to ensure that retaliation has not occurred.

    An ethics questionnaire should be sent to each employee asking whether the employee is aware of kickbacks, bribes, or other wrongdoing.

    Compliance standards should be consistently enforced by adequate, fair, case-specific discipline. Punishment should be appropriate to the offense, such as a warning, loss of pay, suspension, transfer, or termination. Furthermore, the program should provide for the discipline of managers and other responsible persons who knew or should have known of misconduct and did not report it. Failure to do so may cause a court to find that the program is not effective.

    Employee discipline should be thoroughly documented so that the entity will be able to prove that it made its best effort to collect information and took appropriate action.

    After detection, the response should be appropriate and designed to prevent other similar offenses. In some circumstances, an appropriate response could require self-reporting the violation to the government, cooperation with investigations, and the acceptance of responsibility. But an effective compliance program and appropriate responses could result in more lenient punishment.

    Failure to detect or prevent a serious violation could indicate that the compliance program needs a major overhaul. One change that may be required could be the replacement or transfer of compliance personnel.


    3.4 STUDY UNIT 3 SUMMARY

    1. The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

    2. The IAA evaluates the adequacy and effectiveness of risk management, control, and governance processes. These processes should provide reasonable assurance that objectives will be met.

    3. Management is responsible for the sustainability of the organization and is accountable to stakeholders. Thus, it plans, organizes, and directs and establishes an organizational culture.

    4. Because the IAA evaluates the whole management process, its scope of work extends to all systems, processes, operations, functions, and activities.

    5. The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

    a. Promoting appropriate ethics and values within the organization.

    b. Ensuring effective organizational performance management and accountability.

    c. Effectively communicating risk and control information to appropriate areas of the organization.

    d. Effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.

    6. The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management. Thus, the chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

    7. Internal auditors should assess compliance in specific areas as part of their role in organizational governance. They also should conduct follow-up and report on management's response to regulatory body reviews.
