Embed Size (px)
DESCRIPTION
Internal Audit, CIA, Unisa
Citation preview
Question 1
1.1 List the characteristics of sound governance and describe the nature
thereof.
The King Report on Corporate Governance for South Africa identified seven primary characteristics of good governance: Discipline – this is the commitment by the organisation’s senior management to widely accepted standards of correct and proper behaviour that is universally accepted. Transparency – is the measure of ease with which an outsider can meaningfully analyse the organisation’s actions and performance Companies should make this information available in timely and accurate press releases to give outsiders a true picture of what is happening within the company. Independence - the extent to which conflicts of interest are avoided, such that the organisation’s best interests prevail at all times. For good corporate governance, it is important that all decisions are made objectively with the best interest of the organisation in mind and without any undue influence from large shareholders or an overbearing chief executive officer. This requires putting in place mechanisms such as having a diversified board of directors and external auditors to avoid any potential conflict of interest. Accountability - addressing shareholders’ rights to receive, and if necessary query, information relating to the stewardship of the organisation’s assets and its performance. Those people who make decisions in the organisation should be held accountable for their decisions, and mechanisms must exist to allow effective accountability. Responsibility – this is the acceptance of all consequences of the organisation’s behaviour and actions, including a commitment to improvement where required Management must be responsible for their behaviour and must have means for penalising mismanagement. It also means putting in place a system that puts the company on the right path when things go wrong. Fairness – This is the acknowledgement of, respect for and balances between the rights and interests of the organisation’s various stakeholders The organisation should be fair and balanced and take into account the interests of all the company’s stakeholders. The rights of each of the organisations stakeholders must be recognised and respected.
AUI4861 – Advanced Internal Audit Practice
ASSIGNMENT 02
Due date: 5 August 2013
Unique number: 716653
Student number: 46433597
Name and last name: Byron Jason
Social responsibility – this is the organisation’s demonstrable commitment to ethical standards and its appreciation of the social, environmental, and economic impact of its activities on the communities in which it operates A well-managed organisation must also be ethical and responsible with regard to environmental and human rights issues. A socially responsible organisation would be non-exploitative and non-discriminatory.
1.2 Discuss whether Biggest Trucks Ltd should strive to comply with the
recommendations of the King 3 report, with particular reference to the
regulatory requirements and also indicate which principles will then be
achieved.
Yes, Biggest Trusts should strive to comply with King 3.
All companies that are listed on the Johannesburg Securities Exchange must comply
with King 3 or explain why they have not.
Because Biggest Trucks is listed on the JSE there are mandatory requirements that
it needs to comply with.
There must be a policy detailing the procedures for the appointment of board
members
The appointments must be formal and transparent and a matter for the board
as a whole, assisted where appropriate by a nomination committee
If a nomination committee is appointed the committee must only consist of
independent non-executive directors
There must be a policy evidencing a clear balance of power and authority at
board level to ensure that no one director has unfettered powers.
The company must have a CEO and a Chairman, and must not be held by the
same person.
The chairman must be an independent non-executive
The board must appoint an audit committee
The board must appoint a remuneration committee
The composition of the committee must be disclosed with a description of the
mandate
A CV of each director standing election or re-election must be accompany
relevant notice of meeting
Capacity of non-executive and executive directors must be categorised and
disclosed in the relevant documentation
There must be a full time executive financial director
The audit committee must on an annual basis consider and satisfy itself of the
appropriateness of experience of the financial director and it should be
reported in the annual report.
By striving to comply with the governance principle of King 3, the board will
create a strong culture in which investors like and would invest in Biggest Trucks
Ltd, it will also satisfy the shareholders.
The key principles that should be met is Leadership, Corporate Citizenship and
Sustainability.
1.3 With reference to the King 3 report, make recommendations for the
establishment of an appropriate governance structure for Biggest Trucks Ltd.
King 3 states:
1. Ethical Leadership and corporate citizenship
The board should provide effective leadership based on an ethical foundation
The board should ensure that the company is and is seen to be a responsible
corporate citizen
The board should ensure that the company’s ethics are managed effectively
2. Board and Directors
The board should act as the focal point for and custodian of corporate
governance
The board should appreciate that strategy, risk, performance and
sustainability are inseparable
The board should provide effective leadership based on an ethical foundation
The board should ensure that the company is and is seen to be a responsible
corporate citizen
The board should ensure that the company’s ethics are managed effectively
The board should ensure that the company has an effective and independent
audit committee
The board should be responsible for the governance of risk
The board should be responsible for information technology (IT) governance
The board should ensure that the company complies with applicable laws
and considers adherence to non-binding rules, codes and standards
The board should ensure that there is an effective risk-based internal audit
The board should appreciate that stakeholders perceptions affect the
company’s reputation
The board should ensure the integrity of the company’s integrated report
The board should report on the effectiveness of the company’s system of
internal controls
The board and its directors should act in the best interests of the company
The board should consider business rescue proceedings or other turnaround
mechanisms as soon as the company is financially distressed as defined in
the Act
The board should elect a chairman of the board who is an independent non-
executive director. The CEO of the company should not also fulfil the role of
chairman of the board.
The board should appoint the chief executive officer and establish a
framework for the delegation of authority
The board should comprise a balance of power, with a majority of non-
executive directors. The majority of non-executive directors should be
independent
Directors should be appointed through a formal process
The induction of and on-going training and development of directors should be
conducted through formal processes
The board should be assisted by a competent, suitably qualified and
experienced company secretary
The evaluation of the board, its committees and the individual directors should
be performed every year
The board should delegate certain functions to well-structured committees but
without abdicating its own responsibilities
A governance framework should be agreed between the group and its
subsidiary boards
Companies should remunerate directors and executives fairly and responsibly
Companies should disclose the remuneration of each individual director and
certain senior executives
Shareholders should approve the company’s remuneration policy
3. Audit Committee
With regards to the Audit Committee, King 3 states that all members of the
audit committee must be independent non-executive directors. Biggest truck
Ltd has the former CEO, the Managing director and the financial director on
the audit committee therefore the Audit Committee is not independent.
The audit committee must consist of at least 3 member s no more than six,
and all members must be independent non-executive directors.
Each member should be independent and financially literate and one member
of the board should be designated a financial expert.
Biggest Trucks Ltd will have to appoint non-executive directors.
Mr Lightning Macqueen should not be a member of the audit committee, even
though he is no longer the CEO of Biggest Trucks, He would not be
considered independent as he was the CEO in the prior financial year.
As the Audit committee stands at present, the audit committee can serve no
useful purpose and therefore does not contribute to corporate governance
because of its lack of independence.
The audit committee should be chaired by an independent non-executive
director
The audit committee should oversee integrated reporting
The audit committee should ensure that a combined assurance model is
applied to provide a coordinated approach to all assurance activities
The audit committee should satisfy itself of the expertise, resources and
experience of the company’s finance function
The audit committee should be responsible for overseeing of internal audit
The audit committee should be an integral component of the risk management
process
The audit committee is responsible for recommending the appointment of the
external auditor and overseeing the external audit process
The audit committee should report to the board and shareholders on how it
has discharged its duties
4. The Governance of Risk
The board should be responsible for the governance of risk
The board should determine the levels of risk tolerance.
The risk committee or audit committee should assist the board in carrying out
its risk responsibilities
The board should delegate to management the responsibility to design,
implement and monitor the risk management plan
The board should ensure that risk assessments are performed on a continual
basis
The board should ensure that frameworks and methodologies are
implemented to increase the probability of anticipating unpredictable risks
The board should ensure that management considers and implements
appropriate risk responses
The board should ensure continual risk monitoring by management
The board should receive assurance regarding the effectiveness of the risk
management process
The board should ensure that there are processes in place enabling complete,
timely, relevant, accurate and accessible risk disclosure to stakeholders
5. The Governance of Information Technology
The board should be responsible for information technology (IT) governance
IT should be aligned with the performance and sustainability objectives of the
company
The board should delegate to management the responsibility for the
implementation of an IT governance framework
The board should monitor and evaluate significant IT investments and
expenditure
IT should form an integral part of the company’s risk management
The board should ensure that information assets are managed effectively
A risk committee and audit committee should assist the board in carrying out
its IT responsibilities
6. Compliance with laws, codes, rules, and standards
The board should ensure that the company complies with applicable laws and
considers adherence to nonbinding rules codes and standards
The board and each individual director should have a working understanding
of the effect of the applicable laws, rules, codes and standards on the
company and its business
Compliance risk should form an integral part of the company’s risk
management process
The board should delegate to management the implementation of an effective
compliance framework and processes
7. Internal Audit
The board should ensure that there is an effective risk based internal audit
Internal audit should follow a risk based approach to its plan
Internal audit should provide a written assessment of the effectiveness of the
company’s system of internal controls and risk management
The audit committee should be responsible for overseeing internal audit
Internal audit should be strategically positioned to achieve its objectives
8. Governing Stakeholder Relationships
The board should appreciate that stakeholders’ perceptions affect a
company’s reputation
The board should delegate to management to proactively deal with
stakeholder relationships
The board should strive to achieve the appropriate balance between its
various stakeholder groupings, in the best interests of the company
Companies should ensure the equitable treatment of shareholders
Transparent and effective communication with stakeholders is essential for
building and maintaining their trust and confidence
The board should ensure that disputes are resolved as effectively, efficiently
and expeditiously as possible
9. Integrated Reporting and disclosure
The board should ensure the integrity of the company’s integrated report
Sustainability reporting and disclosure should be integrated with the
company’s financial reporting
Sustainability reporting and disclosure should be independently assured
1.4 With reference to the International Professional Practice Framework (IPPF),
indicate what the CAE’s responsibilities are with regards to the planning of the
internal audit activity.
Standard 2010 – Planning states that the chief audit executive must establish risk
based plans to determine the priorities of the internal audit activity, consistent with
the organisations goals.
The CAE is responsible for developing a risk based plan.
The CAE must take into account the organisations risk management framework,
including using risk appetite levels set by management for different activities or parts
of the organisation.
If a framework does not exist the CAE should use their own judgement of risks after
consultation with senior management and the board.
The chief audit executive must identify and consider the expectations of senior
management, the board, and other stakeholders for internal audit opinions and other
conclusions.
The CAE must communicate the internal audit activities plans and resource
requirements to senior management and the board.
CAE’s are appointed in organisations are charged with the overall management
responsibility for the IAA. The appointment of the CAE is the responsibility of the
audit committee and board of directors. The CAE should have dual reporting
responsibility, reporting administratively to the CEO and functionally to the audit
committee. The purpose and authority of the IAA should be defined in the internal
audit charter
Aligning IAA objectives with the organisation objectives
The CAE is expected to ensure that the objectives of the IIA are fully consistent with
those of the organisation. In this way the CAE, will be ensuring that the IAA is
relevant to the organisation and working towards the achievement of the overall
organisational objectives. The IAA cannot afford to find itself having conflicting
objectives with the overall objectives of the organisation, IF the IAA is to be taken
seriously by management, it should be viewed to be contributing to the overall
achievement of the organisations objectives.
Developing the Internal Audit Charter
The CAE should prepare an internal audit charter which sets out the scope, reporting
lines and status of the IAA. This charter should be approved by the audit committee
and the board of directors and it should be communicated to management in order to
manage the different expectations from management as to what the IAA is expected
to do.
Developing the internal audit manual
The CAE should develop the internal audit manual which sets out the required
standards of performance and the audit processes. This manual can also be used as
a means of monitoring quality of performance.
Continuous responsibilities of the CAE involve the following:
Planning: The CAE has to plan the activities of the IAA and also he individual
internal audit engagements.
Audit Risk Assessment: The prime responsibility for assessing and managing risks
lies with top management of the organisation and is delivered through the actions of
executive managers, The risk assessment here refers to the internal audit planning,
but if internal audit has been involved with risk assessment on behalf of the board
there can be one risk assessment for all purposes.
It is equally important for the CAE to understand the risk management processes.
The CAE may assist management to identify and assess risks.
Staff and management resource: The CAE should ensure that internal audit staff
are being taken care of and are well managed. Effective management of the internal
audit staff can result in an effective IAA, which is highly regarded within a
organisation. The success of an IAA is based on the quality and motivation of its
staff. It is for the CAE to establish an organisation which recognises and deals with
these important aspects.
Training and Development: The CAE should ensure that the IAA is equipped with
skilled and sufficiently trained internal auditors. The CAE should ensure that his staff
component has sufficient understanding of management principles, business risks
and business processes, and that they understand the essentials of accounting, law ,
taxation and finance and that all auditors are computer literate.
Performance Management: For the IAA to be effective there should be systems and
processes in place to identify poor performance and manage and improve
performance. The CAE is responsible for he IAA’s performance management.
Co-ordination with external audit and other assurance providers: The CAE should
ensure , jointly with the external auditor or other assurance providers such as quality
auditors, that the internal audit and other assurance providers work is properly co-
ordinated to achieve the best coverage and avoid duplication.
1.5 Discuss the requirements of the International Professional Practice
Framework (IPPF) with regard to resource management that should be kept in
mind when appointing three new internal audit members.
2030 (Resource Management) – The chief audit executive must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan. The chief audit executive (CAE) is primarily responsible for the sufficiency and management of internal audit resources in a manner that ensures the fulfilment of internal audit’s responsibilities, as detailed in the internal audit charter. This includes effective communication of resource needs and reporting of status to senior management and the board. Internal audit resources may include employees, external service providers, financial support, and technology-based audit techniques. Ensuring the adequacy of internal audit resources is ultimately a responsibility of the organization’s senior management and board; the CAE should assist them in discharging this responsibility Standard 2030 – Resources in the IPPF states that the chief audit executive must
ensure that internal audit resources are appropriate, sufficient, and effectively
deployed to achieve the approved plan.
This means that there should be an appropriate mix of knowledge and skills needed
to perform the plan and sufficient quantity of resources needed to accomplish the
plan. Resources are effectively deployed when they are used in a way that optimizes
the achievement of the approved plan.
The skills, capabilities, and technical knowledge of the internal audit staff are to be
appropriate for the planned activities.
The CAE must conduct a periodic skills assessment to determine the specific skills
required to perform the internal audit activities. The skills assessment should be
based on and consider various needs identified in the risk assessment and audit
plan.
The CAE needs to assign internal auditors who are competent and qualified for
specific assignments.
The CAE should ensure that internal audit resources are appropriate, sufficient, and
effectively deployed to achieve the approved plan.
The internal audit staff should possess all the different skills, knowledge and
competencies. Internal auditors should be selected on qualifications and
competencies regarding the areas audited and cannot be placed in a position without
considering the evaluation of the nature and complexity of the engagement
assignment, time constraints, and available resources.
Training needs of internal auditors should be considered since each engagement
serves as a basis for meeting developmental needs of the IIA.
Consideration should be given to the use of external resources in instances where
additional knowledge, skills, and other competencies are needed.
1.6 With reference to the supervisory responsibilities addressed in Standard
2340: Engagement Supervision, discuss whether or not the CAE can delegate
this supervisory responsibility to the new internal audit staff members.
Standards 2340 – Engagement Supervision states that: Engagements must be
properly supervises to ensure objectives are achieved, quality is assured, and staff is
developed.
The extent of supervision will depend on the proficiency and experience of internal
auditors and the complexity of the engagement.
The chief audit executive has overall responsibility for supervising the engagement,
whether performed by or for the internal audit activity, but may be designate
appropriately experienced members of the internal audit activity to perform the
review. Appropriate evidence of supervision must be documented and retained.
When the CAE delegates his duties he/she is still held responsible.
Question 2
Part A
2.1 Discuss arguments favouring outsourcing the internal audit activity as well
as arguments favouring an in-house internal audit activity.
Outsourcing Internal Audit
1. The organisation will have immediate service to internal audit.
2. The organisation will have more resources to spend on its core business
function, instead of hiring full time internal audit staff.
3. Outsourced internal auditors may be more independent and unaffected by
office politics and therefore, may be discharging their responsibility more
effectively.
4. By outsourcing the IAA, the organisation will pay only for the services they
utilise; therefore costs become a variable instead of a constant. (i.e. if
company pays for what it needs and uses)
5. Using outsourced contractors (especially multinational service providers) can
provide greater flexibility, especially for a company that is geographically
dispersed.
6. Outsourcing is often performed by reputable professionals who can provide a
reasonable degree of quality.
7. Specialist consultancy firms can give you the range of skills that you won’t find in one person. For example, you may not only need an accountant but also an information technology or human resources expert
8. Easy replacement of internal auditor in case of results not being achieved
In-House Internal Audit
1. By having an in house IAA, the company accountability is enhanced as issues
are attended to on a regular basis.
2. To ensure independence the in house IAA is separated from operational
departments.
3. In house internal auditors immediately notify management if and when serious
findings and observations are made.
4. In case of an in house IAA, the audit documentation is on site. This minimises
the risk of losing valuable company information.
5. In house IAA also allows for the flexibility to change audit focus with a
changing risk environment.
6. Employees earn a salary instead of paid hourly; therefore, staff costs can be
predicted in advance.
2.2 Explain to Mr Sebola why you regard the outsourcing of the internal audit
activity to be the best option.
It would be best to outsource the internal audit activity, because the
stakeholders are requesting that organisation establishes one, and since the
organisation has never had an internal audit function, it will take a while to set
up the function and get the required skill that the internal audit activity needs.
With an outsourced internal audit activity it is easy to establish authority and
independence.
By outsourcing the internal audit activity, Kgosi Limited, will be able to get
immediate service from a specialist consulting firm.
Outsourcing will expose the organisation to a greater degree of quality and
best practices that the service provider would have attained elsewhere.
Then internal audit expenditure will be a variable and not a fixed cost and the
service provider will be more independent and objective.
By outsourcing the internal audit activity, the internal audit projects may
actually improve the quality of the audit because companies can employ
external individuals/ firms that have advanced degrees and technological
specialisation to provide the required service.
By outsourcing the internal audit activity Kgosi Ltd can get internal auditors
with specific knowledge of departments and functions from the outsourced
firm based on the function being audited.
Also the replacement of internal auditor in case of results not being achieved
is easier than having to fire permanent staff.
The fact that Mr Sebola’s company is still at its early days of operation. It
would be the best option to outsource the internal audit activity. Mr Sebola is
probably still learning the dynamics of the business and industry that he is in
The company is relatively new and can benefit significantly from established outsourced internal audit providers, as they can bring in the best practice experiences learnt elsewhere.
Owing to the size of the company, it will be compelled to establish a one-person or two-person internal audit activity, and it will therefore be difficult to build internal audit expertise.
The company can save money, as it will not incur the cost of training internal auditors. The cost of outsourced internal audit service is variable and not constant.
The external service providers will be able to cover a broader scope of work, such as operational audits, information system audits and forensic audits, whereas a small in-house activity may not.
Top management will be released to focus on key business activities while they are growing the business. Management will not have to deal with internal audit staff issues such as payroll administration.
The independence and administration of the internal audit activity may be compromised in a small organisation, as there are no proper governance structures in place. Outsourced internal audit providers may be more independent and not be affected by office politics.
Part B
Violated Standard or Component of the Code
of Ethics
Explanation of the violation
Professional practice requirement
1. Confidentiality
Peter informs family and friends about confidential information.
Internal auditors should respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. The Code of ethics states: Internal auditors
Shall be prudent in the use and protection of information acquired in the course of their duties.
Shall not use information for any personal gain in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation.
2. Objectivity and Integrity
George does not report fraudulent activities and he is willing to accept a bribe.
Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. Internal Auditors:
Exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgement.
Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation.
Shall not accept anything that may impair or be presumed to impair their professional judgement.
Internal Auditors Shall observe the law and make
disclosures expected by the law and the profession.
Shall not knowingly be a party to any illegal activity, or engage in any acts that are discreditable to the profession of internal auditing
Shall respect and contribute to the legitimate and ethical objectives of the organisation
Shall perform their work with honesty, diligence and responsibility
3. Performance Standard 2000 and Competence
The Chief Audit Executive was appointed because of nepotism and the Chief Audit Executive does not have the necessary competencies to perform the role.
The Chief Audit Executive must effectively manage the Internal Audit Activity to ensure it adds value to the organisation. The internal audit activity is effectively managed when.
The results of the internal audit activities work achieve the purpose and responsibility included in the internal audit charter
The internal audit activity conforms to the definition of internal auditing and the standards;
The individuals who are part of the internal audit activity demonstrate conformance with the code of ethics and the standards:
o Code of ethics Integrity, Objectivity,
Confidentiality and Competency.
The code of ethics requires all internal auditors to be competent in their duties. Internal auditors:
Shall engage only in those services for which they have the necessary knowledge, skills and experience
Shall perform internal audit services in accordance with the international standards for the professional practice of internal auditing
Shall continually improve their proficiency, and the effectiveness and quality of their services.
4. Objectivity Frans Khumalo’s, wife is the head of the department in which he is overseeing as the
Internal Auditors:
Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased
internal audit manager. His wife could have unduly influence on him, therefore compromising his objectivity.
assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation.
Exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgement.
Shall not accept anything that may impair or be presumed to impair their professional judgement.
5. Standard 2430 – Use of “Conducted in conformance with the international standards for the professional practice of internal auditors” And Standard 1321 Use of “Conducted in conformance with the international standards for the professional practice of internal auditors”
The Chief Audit Executive used Conducted in conformance with the international standards for the professional practice of internal auditors even though the internal audit activity has never been subject to a quality assurance assessment
The Chief Audit Executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing ONLY if the results of the quality assurance and improvement support this statement.
6. Standard 1000 – ‘Purpose, Authority and Responsibility”
The Internal Audit Activity is performing Internal Auditing without a charter. The Chief Audit Executive does not see the need for a charter,
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the definition of internal auditing, the code of ethics, and the standards.
The Chief Audit Executive must periodically review the internal audit charter and present It to senior
therefore the purpose, authority, and responsibility of the internal audit activity is not formally defined. The board has not raised any concerns/question about not ever approving an internal audit charter,
management and the board for approval.
The internal audit charter establishes the internal audit activity’s position in the organisation =, including nature of the chief audit executives functional reporting relationship with the board. Authorizes access to record, personnel and physical properties relevant to the performance of engagements
7. Standard 1110 – Organisational Independence
The Chief Audit Executive reports to the Chief Financial Officer and not the Board of Directors
The Chief Audit Executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities.
The Chief Audit Executive must confirm to the board, at least annually, the organisational independence of the internal audit activity
Organisational independence is achieved when the Chief Audit Executive reports functionally to the board.
8. Standard 2120 – Risk Management
The Chief Audit Executive sees no need to know about the company’s risk assessment They only audit the finance department.
The internal audit activity must evaluate the effectiveness and contribute to the improvement of the risk management processes.
Part C
Authority
1. The current charted states that the internal auditors shall only have access to the
chairman of the board, and the audit committee upon receiving authorisation from
the chief executive officer.
The internal auditors should have free and unrestricted access to the entire board
and should not have to get authorisation.
Recommendation: The internal audit activity should have free and unrestricted
access to the entire board.
Organisation
The current charter states that the Chief Audit Executive shall report administratively
to the Managing Director and functionally to the Chief Executive Officer.
The internal audit activity must be free from interference in determining the scope of
internal audit, performing work, and communicating results.
The Chief Audit Executive shall report administratively to the managing director and
functionally to the CEO of the company.
Recommendation: The Chief Audit Executive should report administratively to the
CEO and functionally to the board of directors.
Independence
Internal Auditors should refrain from assessing specific operations for which they
were previously responsible.
Objectivity is presumed to be impaired if an internal auditor provides assurance
services for an activity for which the internal auditor has responsibility for in the
prior/current year.
Recommendation: Internal Auditors will have no direct operational responsibility or
authority over any of the activities audited. Accordingly, they will not implement
internal controls, develop procedures, install systems, prepare records, or engage in
any other activity that may impair the internal auditor’s judgement.
Audit Scope
The internal audit activity adds value to the organisation and its stakeholders when it
provides objective and relevant assurance, and contributes to the effectiveness and
efficiency of governance, risk management, and control processes.
The internal auditor must evaluate the effectiveness and contribute to the
improvement of risk management processes
The scope of the engagement must include consideration of relevant system,
records, personnel, and physical properties, including those under the control of 3rd
parties.
The internal audit activity must be free from interference in determining the scope of
internal audit, performing work, and communicating results.
Recommendation: The scope of internal auditing encompasses, but is not limited to
the examination of the adequacy and effectiveness of the organisations governance,
risk management, and internal process as well as the quality of performance in
carrying out its assigned responsibilities to achieve the organisations stated goals
and objectives. This includes:
Evaluating the reliability and integrity of information and the means used to
identify measure, classify, and report such information.
Audit Plan
The Chief audit executive must communicate the audit activity’s plans and resource
requirements, including significant changes, to senior management and the board for
review and approval. The chief audit executive must also communicate the impact of
resources.
Recommendation: At least annually, the Chief Audit Executive must submit to senior
management and the board an internal audit plan for review and approval. The
internal audit plan will consist of a work schedule as well as a budget and resource
requirements for the next calendar year. The Chief Audit Executive will communicate
the impact of resource limitations and significant interim changes to senior
management and the board.
