You are on page 1of 8


A look at the profession & corporate governance


in the boardroom or
occupy the CEO’s chair to
recognize the rapid-fire changes
going on in today’s business arena.
• Continuing globalization will
increase the complexity of
principles, regulations, and the
cultures in which organizations
News outlets regularly report on cor- • Ever-growing competition will put
porate scandals and frauds, privacy even more pressure on organiza-
invasions, compromised ethics, and tions to increase productivity.
governance lapses. These events and • Reengineering, deregulation, and
the resulting laws and regulations, other change-related activities will
coupled with electronic commerce break down traditional hierarchical
and other information technology structures and change organiza-
breakthroughs; mergers, acquisi- tional reporting relationships and
tions, and other organizational management responsibilities.
restructuring; and issues related to
the global marketplace all suggest Each of these phenomena suggests
that things are likely to get even new demands, challenges, and oppor-
more chaotic. tunities for management and the
board. And each one also points to the
Thought leaders in the business necessity for competent internal audit-
community forecast still more ing. Today, more than ever, internal
changes and increased organiza- auditing is critical to strong corporate
tional risks: governance, risk management, effec-
• Increasing litigation, legislation, tive internal control, and efficient
and regulations will carry impor- operations.
tant compliance implications.
• Information security manage-
ment for critical infrastructure
areas such as financial services,
transportation, telecommunica-
tion, defense, utilities, and fuel
will continue to require individ-
ual and collective business
commitment, planning, and

independent, objective,
assurance and consulting
activity that adds value to and
improves an organization’s opera-
they review. They also monitor
organizational ethics.

Evaluating emerging technologies,

analyzing opportunities, assessing
tions. It helps an organization quality, economy, and efficiency,
accomplish its objectives by bring- and providing accurate and timely
ing a systematic, disciplined communication are just some of the
approach to evaluate and improve activities internal auditors conduct
the effectiveness of risk manage- on a daily basis. The comprehensive
ment, control, and governance scope of their responsibilities pro-
processes. vides them with a broad perspective
on the organization. And that, in
The internal audit activity provides turn, makes them a valuable
assurance to management and the resource to executive management
audit committee that risks to the and the board of directors in accom-
organization are understood and plishing overall goals and objectives,
managed appropriately. And it as well as strengthening internal
serves as an in-house consultant control and governance. This might
on many areas of interest. be a lot to ask from one organiza-
tional resource, but for internal
Every organization, regardless of auditors — it’s all in a day’s work.
its size, should have some type of
internal control system or process
in place. The Institute of Internal
Auditors (IIA) believes that an
organization is best served by a
fully resourced and professionally
competent internal audit staff that
provides value-added services
critical to efficient and effective
organizational management.

Internal audit practitioners are

charged with assisting the organi-
zation in the effective discharge of
responsibilities, promoting the
establishment of cost-effective
controls, assessing risks, and rec-
ommending measures to mitigate
those risks. An integral part of the
management team, internal audi-
tors furnish top management with
analyses, appraisals, counsel,
and information on the activities



is accepted and acknowl-
edged by an organization’s
leaders as a management activity,
internal auditors can fulfill their
management: “Because we are in a
dynamic environment – we’ve got
new people, new technology, a new
marketplace, new competitors, and
a new regulation – we need to be
most fundamental role — support- very vigilant about the fundamen-
ing management and the board in tals of this business. And that’s a
achieving organizational objectives. role corporate auditing plays…the
And competent internal audit ability to collect information and
professionals bring to the table impart that knowledge on pro-
objectivity, integrity, expertise in cesses as well as control issues
communication, the ability to iden- and to do it constantly through all
tify enterprise wide risks, and the of this change. It’s easy to see
skill to assess the effectiveness of how incredibly important that is
controls put in place by manage- to the fundamental stability of
ment to mitigate those risks. this business.”

As partners to management, inter- Of increasing concern to manage-

nal auditors are positioned to help ment today are the risks associated
protect the organization against with information technology and
both traditional and emerging risks; the control and auditability specifi-
CORPORATE GOVERNANCE provide consultation about how cations of new systems. Internal
RESOURCES opportunities and vulnerabilities auditors’ independent review of
FREE BROCHURES can be balanced; and make information systems and other
• All in a Day’s Work valuable recommendations for high-tech projects can help ensure
• Building Quality into Practice assessing and strengthening corpo- a controlled and reliable IT environ-
• Guidance for the Profession rate governance. The internal ment. And their consulting services
• What Does It Take to Be a auditors’ broad understanding of add value to the decision-making
Professional? the organization and its culture process when management must
prepares them for effectively moni- consider the cost and benefit trade-
FREE NEWSLETTER toring risks associated with new off of IT control implementation.
• Tone at the Top business lines; mergers, acquisi-
tions, joint ventures and other
PRODUCTS AND REPORTS partnerships; new systems deploy-
• 20 Questions Directors Should ments; restructuring; management
Ask About Internal Audit estimates, budgets, and forecasts;
• Audit Committee Handbook, environmental issues; and regula-
4th Edition tory compliance. In order for the
• Tone at the Top internal audit activity to achieve all
of this and add the most value to an organization, best-practice
reporting relationships should be
followed. (See pg. 4)
BellSouth Corporation Chairman
and Chief Executive Officer Duane
Ackerman clearly recognizes the
value internal auditing brings to

diverse capabilities bring
tremendous value to the
board and the audit committee in
their corporate governance
— allowing them to target high-
impact areas, appropriately allo-
cate scarce resources, and be well
positioned to advise management
on vulnerabilities and corrective
responsibilities and risk manage- actions.
ment oversight. It is critical that
the chief audit executive (CAE), Implementing a risk-based
senior management, and the approach can uncover potential
audit committee have sufficient organizational risks that may other-
contact and communication to wise go undetected and provide
ensure that the parties under- management with a critical tool for
stand and accept their individual gauging and assessing enterprise-
and collective responsibilities for wide risk. This allows management
risk management. to allocate the greatest amount of
resources to the areas that will
Today’s audit committees must yield the highest return on invest-
deal with complex and diverse ment and ensures that the
issues and ever-increasing respon- organization has dedicated audit
sibilities. As a result of laws and coverage for high-risk areas.
regulations, such as the U.S.
Sarbanes-Oxley Act of 2002,
audit committees are being asked
to monitor such areas as: man-
agement’s assessment of internal
controls over financial reporting;
A its oversight responsibilities, the audit
committee should:

• Review and concur the chief audit executive

ethical complaint hotlines; enter-
(CAE) appointment, replacement, reassign-
prise-wide risk management; and
ment, and dismissal.
governance reviews, to name a
• Review/approve the internal audit charter and
few. It is critical, therefore, that
ensure its compatibility with that of the audit
internal auditors apply risk-based
audit approaches to the organiza-
• Review the audit plan and any significant
tion’s internal control system and
provide comprehensive reports to
• Ensure internal auditor neutrality and
the audit committee.
• Review the internal audit department’s budget
The risk-based approach toward
and staffing.
auditing is mandated by The IIA’s
• Encourage internal auditor certification and
International Standards for the
other professional development.
Professional Practice of Internal
• Meet privately with the CAE.
Auditing (Standards) and is the
• Receive reports from the CAE on audit
only way to ensure that the priori-
findings and information on technological
ties of the internal audit activity
advances and trends.
are consistent with the organiza-
• Review internal auditing’s compliance with
tion’s goals. Such an approach
The IIA’s Standards.
provides internal auditors with the
opportunity to become intimately
knowledgeable of the organiza- 33
tion’s risk appetite and tolerance

A N ACTIVE and knowledge-

able audit committee is
fundamental to achieving
and maintaining an effective
control environment. And an
and appropriate compliance
• Presentations should drive
toward discussion of control
issues rather than audit
atmosphere of mutual trust and findings, and additional
respect between the internal audit material should accompany
activity and the audit committee presentations to provide
is critical to the committee’s contextual insight about the
independent oversight role. control issues under
World-class internal audit • In addition to regular audit
departments at JCPenney committee meetings, the CAE
Company, Asea Brown Boveri, should have periodic meet-
Ford Motor Company, and ings with the audit committee
BellSouth Corporation offer these chairman and recurring
KEY IIA MESSAGES ON BEST-PRACTICE tips for building a strong relation-
ship between internal auditing
closed sessions with the
committee itself to discuss
and the audit committee for broader issues facing the
• To ensure transparency and
enhanced corporate governance: organization.
thwart collusion and conflicts of
interests, best practice indicates • Internal auditing should focus
that the internal audit activity • To avoid any significant on delivering results and
should have a dual reporting rela- surprises, there should be implementing preventive
tionship. The CAE should report straightforward, open, hon- actions, rather than simply
to executive management for est, accurate, and timely uncovering problems
establishing direction, support,
communication between after the
and administrative interface; and
to the organization’s most senior
internal auditing and the fact.
oversight group — typically the audit committee. • As suggested by The IIA
audit committee — for validation, • Internal auditing should keep Research Foundation, internal
reinforcement, and accountability. the audit committee mem- auditing should perform
• The audit committee of the board bers up to date on new laws, periodic surveys to determine
of directors and the internal trends, and other important the specific needs of the audit
auditors are interdependent and information and resources so committee.
should be mutually accessible,
they can effectively discharge
with the internal auditors
providing objective opinions, their duties.
information, support, and educa- • Internal auditing should
tion to the audit committee; and provide the audit committee
the audit committee providing with a plan to address key
validation and oversight to the governance issues.
internal auditors. • A corporate governance
• The internal auditors keep the program should provide a
audit committee informed and
mechanism for business
up to date on the state of the
organization in regard to risk, process improvement,
control, governance, and the integrity standards, training,
coordination and effectiveness of a “hotline” and other
monitoring activities. reporting processes,


demand that today’s
organizations squeeze
the most they can from all their
resources — and as this brochure
indicates, the internal audit pro-
emerging technologies, detecting
and deterring fraud, analyzing the
effectiveness of policies and pro-
cedures, and identifying opportu-
nities to save you and your
shareholders money.
cess is clearly among the most
critical. In addition to their When it comes to adding value
responsibility for assessing and across the board, there’s no better
recommending internal controls, resource than internal auditing.
internal auditors’ skills in risk
management and their broad-
based perspective of the organi-
on the importance of their relationship with the audit
zation uniquely position them as committee:
a valuable resource for strong
Internal auditing is the primary resource of the
corporate governance.
audit committee in carrying out its duties and
responsibilities. With those responsibilities increasing
As a result, informed senior and continued pressure from the SEC for financial
managers and boards are relying reporting integrity, a functioning partnership of the
on internal auditors for advice and audit committee and internal auditing is vital.
counsel on everything from analy- – BellSouth Corporation
sis of operations and assessment Internal auditors should not have to report through
of risk to recommendations for layers upon layers of management as this could
improved corporate governance. compromise or dilute recommendations and their
Moreover, internal audit practi- effectiveness. Audit services’ relationship with the
tioners are increasingly being audit committee is critical and contributes to the
success of our company.
challenged to apply their expertise – Carolina Power & Light Company
in much broader ways than ever
before — such as evaluating Internal auditing’s relationship to the audit committee
is important to assure there are no organizational levels
below the board of directors that could prevent neces-
sary actions or appropriate decisions from taking place
or being made to enhance business opportunities and
mitigate risks.
– Asea Brown Boveri

An active and informed audit committee provides the

ultimate independent and objective oversight of the
corporate control environment, including focus on
emerging trends and risks. Internal auditing is the
primary agent of the audit committee within the
– Ford Motor Company

The relationship affords auditing with some degree of

independence from the organization and management.
In certain cases, it can be used to ensure management
addresses key findings. It is our main vehicle to
communicate important issues to the entire board.
– JCPenney Company
(IIA) is the internal audit
profession's global voice, recog-
nized authority, acknowledged
leading-edge educational
products through the IIARF
Bookstore. The Institute’s Web
site,, is rich
with professional guidance and
leader, chief advocate, and information on IIA programs,
principal educator worldwide. products, and services, as
Established in 1941, The IIA well as resources for IT audit
serves members from all professionals.
around the world in internal
auditing, governance, internal The IIA also brings great value
control, IT auditing, education, to its members through
and security. Internal Auditor, an award-
winning professional maga-
The world’s leader in certifica- zine, and through other
tion, education, research, and outstanding periodicals that
technological guidance for the address the profession’s most
profession, The Institute sets pressing issues and challenges
the International Standards for and present viable solutions
the Professional Practice of and exemplary practices.
Internal Auditing and provides
various levels of accompanying And in support of quality,
guidance; certifies profession- professionalism, and ethical
als through the globally recog- practices, The Institute
nized Certified Internal Auditor® provides internal audit
(CIA®) and specialty certifica- practitioners, executive
tions in government, control management, boards of direc-
self-assessment, and financial tors, and audit committees
services; presents leading-edge with guidance for internal
conferences, seminars for auditing and governance best
professional development, and practices.
Web-based training; produces
forward-looking educational The IIA is dedicated to
products; offers quality assur- providing extensive support
ance reviews, benchmarking, and services to its members,
and consulting services; and so they can continue to add
creates growth and networking value across the board. For
opportunities for specialty additional information, contact

The IIA Research Foundation

(IIARF) works in partnership
with experts from around the
globe conducting valuable
research projects on the top
issues affecting the business 247 Maitland Avenue
world today. It also delivers Altamonte Springs, FL 32701-4201 U.S.A.
Fax: +1-407-937-1101
Tel: +1-407-937-1100

9/05249 th/pd
Printed on recycled paper in the U.S.A.